server/tun-slip.c: Fix signed/unsigned char mismatch.

[tripe] / server / keyexch.c

diff --git a/server/keyexch.c b/server/keyexch.c
index c2f035d47e082b3c2a77b93e62347a2df2cca43b..d26ac787378aa6658ca0517d7f83ab73a1822174 100644 (file)
--- a/server/keyexch.c
+++ b/server/keyexch.c
@@ -75,13 +75,6 @@
  *     Switch received.  Committed; send data; move to @KXS_SWITCH@.
  */
 
-/*----- Tunable parameters ------------------------------------------------*/
-
-#define T_VALID MIN(2)                 /* Challenge validity period */
-#define T_RETRY SEC(10)                        /* Challenge retransmit interval */
-
-#define VALIDP(kx, now) ((now) < (kx)->t_valid)
-
 /*----- Static tables -----------------------------------------------------*/
 
 static const char *const pkname[] = {
@@ -90,9 +83,21 @@ static const char *const pkname[] = {
 
 /*----- Various utilities -------------------------------------------------*/
 
+/* --- @VALIDP@ --- *
+ *
+ * Arguments:  @const keyexch *kx@ = key exchange state
+ *             @time_t now@ = current time in seconds
+ *
+ * Returns:    Whether the challenge in the key-exchange state is still
+ *             valid or should be regenerated.
+ */
+
+#define VALIDP(kx, now) ((now) < (kx)->t_valid)
+
 /* --- @hashge@ --- *
  *
  * Arguments:  @ghash *h@ = pointer to hash context
+ *             @group *g@ = pointer to group
  *             @ge *x@ = pointer to group element
  *
  * Returns:    ---
@@ -101,11 +106,12 @@ static const char *const pkname[] = {
  *             @buf_t@.
  */
 
-static void hashge(ghash *h, ge *x)
+static void hashge(ghash *h, group *g, ge *x)
 {
   buf b;
+
   buf_init(&b, buf_t, sizeof(buf_t));
-  G_TOBUF(gg, &b, x);
+  G_TOBUF(g, &b, x);
   assert(BOK(&b));
   GH_HASH(h, BBASE(&b), BLEN(&b));
 }
@@ -115,6 +121,7 @@ static void hashge(ghash *h, ge *x)
  * Arguments:  @buf *b@ = output buffer
  *             @mp *x@ = the plaintext integer
  *             @size_t n@ = the expected size of the plaintext
+ *             @gcipher *mgfc@ = mask-generating function to use
  *             @const octet *k@ = pointer to key material
  *             @size_t ksz@ = size of the key
  *
@@ -124,23 +131,24 @@ static void hashge(ghash *h, ge *x)
  *             it's a random oracle thing rather than an encryption thing.
  */
 
-static octet *mpmask(buf *b, mp *x, size_t n, const octet *k, size_t ksz)
+static octet *mpmask(buf *b, mp *x, size_t n,
+                    const gccipher *mgfc, const octet *k, size_t ksz)
 {
   gcipher *mgf;
   octet *p;
 
   if ((p = buf_get(b, n)) == 0)
     return (0);
-  mgf = GC_INIT(algs.mgf, k, ksz);
+  mgf = GC_INIT(mgfc, k, ksz);
   IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
-    trace(T_CRYPTO, "masking index = %s", mpstr(x));
-    trace_block(T_CRYPTO, "masking key", k, ksz);
+    trace(T_CRYPTO, "crypto: masking index = %s", mpstr(x));
+    trace_block(T_CRYPTO, "crypto: masking key", k, ksz);
   }))
   mp_storeb(x, buf_t, n);
   GC_ENCRYPT(mgf, buf_t, p, n);
   IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
-    trace_block(T_CRYPTO, "index plaintext", buf_t, n);
-    trace_block(T_CRYPTO, "masked ciphertext", p, n);
+    trace_block(T_CRYPTO, "crypto: index plaintext", buf_t, n);
+    trace_block(T_CRYPTO, "crypto: masked ciphertext", p, n);
   }))
   GC_DESTROY(mgf);
   return (p);
@@ -151,6 +159,7 @@ static octet *mpmask(buf *b, mp *x, size_t n, const octet *k, size_t ksz)
  * Arguments:  @mp *d@ = the output integer
  *             @const octet *p@ = pointer to the ciphertext
  *             @size_t n@ = the size of the ciphertext
+ *             @gcipher *mgfc@ = mask-generating function to use
  *             @const octet *k@ = pointer to key material
  *             @size_t ksz@ = size of the key
  *
@@ -160,20 +169,20 @@ static octet *mpmask(buf *b, mp *x, size_t n, const octet *k, size_t ksz)
  */
 
 static mp *mpunmask(mp *d, const octet *p, size_t n,
-                   const octet *k, size_t ksz)
+                   const gccipher *mgfc, const octet *k, size_t ksz)
 {
   gcipher *mgf;
 
-  mgf = GC_INIT(algs.mgf, k, ksz);
+  mgf = GC_INIT(mgfc, k, ksz);
   IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
-    trace_block(T_CRYPTO, "unmasking key", k, ksz);
-    trace_block(T_CRYPTO, "masked ciphertext", p, n);
+    trace_block(T_CRYPTO, "crypto: unmasking key", k, ksz);
+    trace_block(T_CRYPTO, "crypto: masked ciphertext", p, n);
   }))
   GC_DECRYPT(mgf, p, buf_t, n);
   d = mp_loadb(d, buf_t, n);
   IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
-    trace_block(T_CRYPTO, "index plaintext", buf_t, n);
-    trace(T_CRYPTO, "unmasked index = %s", mpstr(d));
+    trace_block(T_CRYPTO, "crypto: index plaintext", buf_t, n);
+    trace(T_CRYPTO, "crypto: unmasked index = %s", mpstr(d));
   }))
   GC_DESTROY(mgf);
   return (d);
@@ -181,7 +190,8 @@ static mp *mpunmask(mp *d, const octet *p, size_t n,
 
 /* --- @hashcheck@ --- *
  *
- * Arguments:  @ge *kpub@ = sender's public key
+ * Arguments:  @keyexch *kx@ = pointer to key-exchange block
+ *             @ge *kpub@ = sender's public key
  *             @ge *cc@ = receiver's challenge
  *             @ge *c@ = sender's challenge
  *             @ge *y@ = reply to sender's challenge
@@ -198,23 +208,24 @@ static mp *mpunmask(mp *d, const octet *p, size_t n,
  *             key-exchange is deniable.
  */
 
-static const octet *hashcheck(ge *kpub, ge *cc, ge *c, ge *y)
+static const octet *hashcheck(keyexch *kx, ge *kpub, ge *cc, ge *c, ge *y)
 {
-  ghash *h = GH_INIT(algs.h);
+  ghash *h = GH_INIT(kx->kpriv->algs.h);
+  group *g = kx->kpriv->g;
 
   HASH_STRING(h, "tripe-expected-reply");
-  hashge(h, kpub);
-  hashge(h, cc);
-  hashge(h, c);
-  hashge(h, y);
+  hashge(h, g, kpub);
+  hashge(h, g, cc);
+  hashge(h, g, c);
+  hashge(h, g, y);
   GH_DONE(h, buf_t);
   IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
-    trace(T_CRYPTO, "computing challenge check hash");
-    trace(T_CRYPTO, "public key = %s", gestr(gg, kpub));
-    trace(T_CRYPTO, "receiver challenge = %s", gestr(gg, cc));
-    trace(T_CRYPTO, "sender challenge = %s", gestr(gg, c));
-    trace(T_CRYPTO, "sender reply = %s", gestr(gg, y));
-    trace_block(T_CRYPTO, "hash output", buf_t, algs.hashsz);
+    trace(T_CRYPTO, "crypto: computing challenge check hash");
+    trace(T_CRYPTO, "crypto: public key = %s", gestr(g, kpub));
+    trace(T_CRYPTO, "crypto: receiver challenge = %s", gestr(g, cc));
+    trace(T_CRYPTO, "crypto: sender challenge = %s", gestr(g, c));
+    trace(T_CRYPTO, "crypto: sender reply = %s", gestr(g, y));
+    trace_block(T_CRYPTO, "crypto: hash output", buf_t, kx->kpriv->algs.hashsz);
   }))
   GH_DESTROY(h);
   return (buf_t);
@@ -234,10 +245,11 @@ static const octet *hashcheck(ge *kpub, ge *cc, ge *c, ge *y)
 
 static void sendchallenge(keyexch *kx, buf *b, ge *c, const octet *hc)
 {
-  G_TOBUF(gg, b, kx->c);
-  buf_put(b, hc, algs.hashsz);
-  mpmask(b, kx->alpha, indexsz,
-        hashcheck(kpub, c, kx->c, kx->rx), algs.hashsz);
+  G_TOBUF(kx->kpriv->g, b, kx->c);
+  buf_put(b, hc, kx->kpriv->algs.hashsz);
+  mpmask(b, kx->alpha, kx->kpriv->indexsz, kx->kpriv->algs.mgf,
+        hashcheck(kx, kx->kpriv->kpub, c, kx->c, kx->rx),
+        kx->kpriv->algs.hashsz);
 }
 
 /* --- @timer@ --- *
@@ -261,24 +273,102 @@ static void timer(struct timeval *tv, void *v)
 /* --- @settimer@ --- *
  *
  * Arguments:  @keyexch *kx@ = pointer to key exchange context
- *             @time_t t@ = when to set the timer for
+ *             @struct timeval *tv@ = when to set the timer for
  *
  * Returns:    ---
  *
  * Use:                Sets the timer for the next key exchange attempt.
  */
 
-static void settimer(keyexch *kx, time_t t)
+static void settimer(keyexch *kx, struct timeval *tv)
 {
-  struct timeval tv;
-  if (kx->f & KXF_TIMER)
-    sel_rmtimer(&kx->t);
-  tv.tv_sec = t;
-  tv.tv_usec = 0;
-  sel_addtimer(&sel, &kx->t, &tv, timer, kx);
+  if (kx->f & KXF_TIMER) sel_rmtimer(&kx->t);
+  sel_addtimer(&sel, &kx->t, tv, timer, kx);
   kx->f |= KXF_TIMER;
 }
 
+/* --- @f2tv@ --- *
+ *
+ * Arguments:  @struct timeval *tv@ = where to write the timeval
+ *             @double t@ = a time as a floating point number
+ *
+ * Returns:    ---
+ *
+ * Use:                Converts a floating-point time into a timeval.
+ */
+
+static void f2tv(struct timeval *tv, double t)
+{
+  tv->tv_sec = t;
+  tv->tv_usec = (t - tv->tv_sec)*MILLION;
+}
+
+/* --- @wobble@ --- *
+ *
+ * Arguments:  @double t@ = a time interval
+ *
+ * Returns:    The same time interval, with a random error applied.
+ */
+
+static double wobble(double t)
+{
+  uint32 r = rand_global.ops->word(&rand_global);
+  double w = (r/F_2P32) - 0.5;
+  return (t + t*w*T_WOBBLE);
+}
+
+/* --- @rs_time@ --- *
+ *
+ * Arguments:  @retry *rs@ = current retry state
+ *             @struct timeval *tv@ = where to write the result
+ *             @const struct timeval *now@ = current time, or null
+ *
+ * Returns:    ---
+ *
+ * Use:                Computes a time at which to retry sending a key-exchange
+ *             packet.  This algorithm is subject to change, but it's
+ *             currently a capped exponential backoff, slightly randomized
+ *             to try to keep clients from hammering a server that's only
+ *             just woken up.
+ *
+ *             If @now@ is null then the function works out the time for
+ *             itself.
+ */
+
+static void rs_time(retry *rs, struct timeval *tv, const struct timeval *now)
+{
+  double t;
+  struct timeval rtv;
+
+  if (!rs->t)
+    t = SEC(2);
+  else {
+    t = (rs->t * 5)/4;
+    if (t > MIN(5)) t = MIN(5);
+  }
+  rs->t = t;
+
+  if (!now) {
+    now = tv;
+    gettimeofday(tv, 0);
+  }
+  f2tv(&rtv, wobble(t));
+  TV_ADD(tv, now, &rtv);
+}
+
+/* --- @retry_reset@ --- *
+ *
+ * Arguments:  @retry *rs@ = retry state
+ *
+ * Returns:    --
+ *
+ * Use:                Resets a retry state to indicate that progress has been
+ *             made.  Also useful for initializing the state in the first
+ *             place.
+ */
+
+static void rs_reset(retry *rs) { rs->t = 0; }
+
 /*----- Challenge management ----------------------------------------------*/
 
 /* --- Notes on challenge management --- *
@@ -307,8 +397,8 @@ static void kxc_destroy(kxchal *kxc)
 {
   if (kxc->f & KXF_TIMER)
     sel_rmtimer(&kxc->t);
-  G_DESTROY(gg, kxc->c);
-  G_DESTROY(gg, kxc->r);
+  G_DESTROY(kxc->kx->kpriv->g, kxc->c);
+  G_DESTROY(kxc->kx->kpriv->g, kxc->r);
   ks_drop(kxc->ks);
   DESTROY(kxc);
 }
@@ -357,12 +447,13 @@ static kxchal *kxc_new(keyexch *kx)
   /* --- Fill in the new structure --- */
 
   kxc = CREATE(kxchal);
-  kxc->c = G_CREATE(gg);
-  kxc->r = G_CREATE(gg);
+  kxc->c = G_CREATE(kx->kpriv->g);
+  kxc->r = G_CREATE(kx->kpriv->g);
   kxc->ks = 0;
   kxc->kx = kx;
   kxc->f = 0;
   kx->r[i] = kxc;
+  rs_reset(&kxc->rs);
   return (kxc);
 }
 
@@ -381,7 +472,7 @@ static kxchal *kxc_bychal(keyexch *kx, ge *c)
   unsigned i;
 
   for (i = 0; i < kx->nr; i++) {
-    if (G_EQ(gg, c, kx->r[i]->c))
+    if (G_EQ(kx->kpriv->g, c, kx->r[i]->c))
       return (kx->r[i]);
   }
   return (0);
@@ -402,7 +493,7 @@ static kxchal *kxc_byhc(keyexch *kx, const octet *hc)
   unsigned i;
 
   for (i = 0; i < kx->nr; i++) {
-    if (memcmp(hc, kx->r[i]->hc, algs.hashsz) == 0)
+    if (memcmp(hc, kx->r[i]->hc, kx->kpriv->algs.hashsz) == 0)
       return (kx->r[i]);
   }
   return (0);
@@ -440,7 +531,7 @@ static void kxc_answer(keyexch *kx, kxchal *kxc)
   T( trace(T_KEYEXCH, "keyexch: sending reply to `%s'", p_name(kx->p)); )
   sendchallenge(kx, b, kxc->c, kxc->hc);
   buf_init(&bb, buf_i, sizeof(buf_i));
-  G_TORAW(gg, &bb, kxc->r);
+  G_TORAW(kx->kpriv->g, &bb, kxc->r);
   buf_flip(&bb);
   ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_REPLY, &bb, b);
 
@@ -457,7 +548,7 @@ static void kxc_answer(keyexch *kx, kxchal *kxc)
   if (kxc->f & KXF_TIMER)
     sel_rmtimer(&kxc->t);
   gettimeofday(&tv, 0);
-  tv.tv_sec += T_RETRY;
+  rs_time(&kxc->rs, &tv, &tv);
   sel_addtimer(&sel, &kxc->t, &tv, kxc_timer, kxc);
   kxc->f |= KXF_TIMER;
 }
@@ -477,7 +568,7 @@ static void kxc_answer(keyexch *kx, kxchal *kxc)
 static int doprechallenge(keyexch *kx, buf *b)
 {
   stats *st = p_stats(kx->p);
-  ge *c = G_CREATE(gg);
+  ge *c = G_CREATE(kx->kpriv->g);
   ghash *h;
 
   /* --- Ensure that we're in a sensible state --- */
@@ -489,19 +580,19 @@ static int doprechallenge(keyexch *kx, buf *b)
 
   /* --- Unpack the packet --- */
 
-  if (G_FROMBUF(gg, b, c) || BLEFT(b))
+  if (G_FROMBUF(kx->kpriv->g, b, c) || BLEFT(b))
     goto bad;
 
   IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
-    trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c));
+    trace(T_CRYPTO, "crypto: challenge = %s", gestr(kx->kpriv->g, c));
   }))
 
   /* --- Send out a full challenge by return --- */
 
   b = p_txstart(kx->p, MSG_KEYEXCH | KX_CHAL);
-  h = GH_INIT(algs.h);
+  h = GH_INIT(kx->kpriv->algs.h);
   HASH_STRING(h, "tripe-cookie");
-  hashge(h, c);
+  hashge(h, kx->kpriv->g, c);
   sendchallenge(kx, b, c, GH_DONE(h, 0));
   GH_DESTROY(h);
   st->n_kxout++;
@@ -510,11 +601,11 @@ static int doprechallenge(keyexch *kx, buf *b)
 
   /* --- Done --- */
 
-  G_DESTROY(gg, c);
+  G_DESTROY(kx->kpriv->g, c);
   return (0);
 
 bad:
-  if (c) G_DESTROY(gg, c);
+  if (c) G_DESTROY(kx->kpriv->g, c);
   return (-1);
 }
 
@@ -532,9 +623,12 @@ bad:
 
 static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
 {
-  ge *c = G_CREATE(gg);
-  ge *r = G_CREATE(gg);
-  ge *cc = G_CREATE(gg);
+  group *g = kx->kpriv->g;
+  const algswitch *algs = &kx->kpriv->algs;
+  size_t ixsz = kx->kpriv->indexsz;
+  ge *c = G_CREATE(g);
+  ge *r = G_CREATE(g);
+  ge *cc = G_CREATE(g);
   const octet *hc, *ck;
   size_t x, y, z;
   mp *cv = 0;
@@ -545,21 +639,21 @@ static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
 
   /* --- Unpack the packet --- */
 
-  if (G_FROMBUF(gg, b, c) ||
-      (hc = buf_get(b, algs.hashsz)) == 0 ||
-      (ck = buf_get(b, indexsz)) == 0) {
+  if (G_FROMBUF(g, b, c) ||
+      (hc = buf_get(b, algs->hashsz)) == 0 ||
+      (ck = buf_get(b, ixsz)) == 0) {
     a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
     goto bad;
   }
   IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
-    trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, c));
-    trace_block(T_CRYPTO, "crypto: cookie", hc, algs.hashsz);
-    trace_block(T_CRYPTO, "crypto: check-value", ck, indexsz);
+    trace(T_CRYPTO, "crypto: challenge = %s", gestr(g, c));
+    trace_block(T_CRYPTO, "crypto: cookie", hc, algs->hashsz);
+    trace_block(T_CRYPTO, "crypto: check-value", ck, ixsz);
   }))
 
   /* --- Discard a packet with an invalid cookie --- */
 
-  if (hc && memcmp(hc, kx->hc, algs.hashsz) != 0) {
+  if (hc && memcmp(hc, kx->hc, algs->hashsz) != 0) {
     a_warn("KX", "?PEER", kx->p, "incorrect", "cookie", A_END);
     goto bad;
   }
@@ -573,97 +667,96 @@ static kxchal *respond(keyexch *kx, unsigned msg, buf *b)
    */
 
   if ((kxc = kxc_bychal(kx, c)) != 0) {
-    h = GH_INIT(algs.h);
+    h = GH_INIT(algs->h);
     HASH_STRING(h, "tripe-check-hash");
-    GH_HASH(h, ck, indexsz);
-    ok = !memcmp(kxc->ck, GH_DONE(h, 0), algs.hashsz);
+    GH_HASH(h, ck, ixsz);
+    ok = !memcmp(kxc->ck, GH_DONE(h, 0), algs->hashsz);
     GH_DESTROY(h);
     if (!ok) goto badcheck;
   } else {
 
     /* --- Compute the reply, and check the magic --- */
 
-    G_EXP(gg, r, c, kpriv);
-    cv = mpunmask(MP_NEW, ck, indexsz,
-                 hashcheck(kx->kpub, kx->c, c, r), algs.hashsz);
+    G_EXP(g, r, c, kx->kpriv->kpriv);
+    cv = mpunmask(MP_NEW, ck, ixsz, algs->mgf,
+                 hashcheck(kx, kx->kpub->kpub, kx->c, c, r),
+                 algs->hashsz);
     IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
-      trace(T_CRYPTO, "crypto: computed reply = %s", gestr(gg, r));
+      trace(T_CRYPTO, "crypto: computed reply = %s", gestr(g, r));
       trace(T_CRYPTO, "crypto: recovered log = %s", mpstr(cv));
     }))
-    if (MP_CMP(cv, >, gg->r) ||
-       (G_EXP(gg, cc, gg->g, cv), !G_EQ(gg, c, cc)))
+    if (MP_CMP(cv, >, g->r) ||
+       (G_EXP(g, cc, g->g, cv),
+        !G_EQ(g, c, cc)))
       goto badcheck;
 
     /* --- Fill in a new challenge block --- */
 
     kxc = kxc_new(kx);
-    G_COPY(gg, kxc->c, c);
-    G_COPY(gg, kxc->r, r);
+    G_COPY(g, kxc->c, c);
+    G_COPY(g, kxc->r, r);
 
-    h = GH_INIT(algs.h);
-    HASH_STRING(h, "tripe-check-hash");
-    GH_HASH(h, ck, indexsz);
-    GH_DONE(h, kxc->ck);
-    GH_DESTROY(h);
+    h = GH_INIT(algs->h); HASH_STRING(h, "tripe-check-hash");
+    GH_HASH(h, ck, ixsz);
+    GH_DONE(h, kxc->ck); GH_DESTROY(h);
 
-    h = GH_INIT(algs.h);
-    HASH_STRING(h, "tripe-cookie");
-    hashge(h, kxc->c);
-    GH_DONE(h, kxc->hc);
-    GH_DESTROY(h);
+    h = GH_INIT(algs->h); HASH_STRING(h, "tripe-cookie");
+    hashge(h, g, kxc->c);
+    GH_DONE(h, kxc->hc); GH_DESTROY(h);
 
     IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
-      trace_block(T_CRYPTO, "crypto: computed cookie", kxc->hc, algs.hashsz);
+      trace_block(T_CRYPTO, "crypto: computed cookie",
+                 kxc->hc, algs->hashsz);
     }))
 
     /* --- Work out the shared key --- */
 
-    G_EXP(gg, r, c, kx->alpha);
+    G_EXP(g, r, c, kx->alpha);
     IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
-      trace(T_CRYPTO, "crypto: shared secret = %s", gestr(gg, r));
+      trace(T_CRYPTO, "crypto: shared secret = %s", gestr(g, r));
     }))
 
     /* --- Compute the switch messages --- */
 
-    h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request");
-    hashge(h, kx->c); hashge(h, kxc->c);
+    h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-request");
+    hashge(h, g, kx->c); hashge(h, g, kxc->c);
     GH_DONE(h, kxc->hswrq_out); GH_DESTROY(h);
-    h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm");
-    hashge(h, kx->c); hashge(h, kxc->c);
+    h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-confirm");
+    hashge(h, g, kx->c); hashge(h, g, kxc->c);
     GH_DONE(h, kxc->hswok_out); GH_DESTROY(h);
 
-    h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-request");
-    hashge(h, kxc->c); hashge(h, kx->c);
+    h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-request");
+    hashge(h, g, kxc->c); hashge(h, g, kx->c);
     GH_DONE(h, kxc->hswrq_in); GH_DESTROY(h);
-    h = GH_INIT(algs.h); HASH_STRING(h, "tripe-switch-confirm");
-    hashge(h, kxc->c); hashge(h, kx->c);
+    h = GH_INIT(algs->h); HASH_STRING(h, "tripe-switch-confirm");
+    hashge(h, g, kxc->c); hashge(h, g, kx->c);
     GH_DONE(h, kxc->hswok_in); GH_DESTROY(h);
 
     IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
       trace_block(T_CRYPTO, "crypto: outbound switch request",
-                 kxc->hswrq_out, algs.hashsz);
+                 kxc->hswrq_out, algs->hashsz);
       trace_block(T_CRYPTO, "crypto: outbound switch confirm",
-                 kxc->hswok_out, algs.hashsz);
+                 kxc->hswok_out, algs->hashsz);
       trace_block(T_CRYPTO, "crypto: inbound switch request",
-                 kxc->hswrq_in, algs.hashsz);
+                 kxc->hswrq_in, algs->hashsz);
       trace_block(T_CRYPTO, "crypto: inbound switch confirm",
-                 kxc->hswok_in, algs.hashsz);
+                 kxc->hswok_in, algs->hashsz);
     }))
 
     /* --- Create a new symmetric keyset --- */
 
     buf_init(&bb, buf_o, sizeof(buf_o));
-    G_TOBUF(gg, &bb, kx->c); x = BLEN(&bb);
-    G_TOBUF(gg, &bb, kxc->c); y = BLEN(&bb);
-    G_TOBUF(gg, &bb, r); z = BLEN(&bb);
+    G_TOBUF(g, &bb, kx->c); x = BLEN(&bb);
+    G_TOBUF(g, &bb, kxc->c); y = BLEN(&bb);
+    G_TOBUF(g, &bb, r); z = BLEN(&bb);
     assert(BOK(&bb));
 
     kxc->ks = ks_gen(BBASE(&bb), x, y, z, kx->p);
   }
 
-  G_DESTROY(gg, c);
-  G_DESTROY(gg, cc);
-  G_DESTROY(gg, r);
+  G_DESTROY(g, c);
+  G_DESTROY(g, cc);
+  G_DESTROY(g, r);
   mp_drop(cv);
   return (kxc);
 
@@ -671,9 +764,9 @@ badcheck:
   a_warn("KX", "?PEER", kx->p, "bad-expected-reply-log", A_END);
   goto bad;
 bad:
-  G_DESTROY(gg, c);
-  G_DESTROY(gg, cc);
-  G_DESTROY(gg, r);
+  G_DESTROY(g, c);
+  G_DESTROY(g, cc);
+  G_DESTROY(g, r);
   mp_drop(cv);
   return (0);
 }
@@ -724,6 +817,7 @@ static void resend(keyexch *kx)
   kxchal *kxc;
   buf bb;
   stats *st = p_stats(kx->p);
+  struct timeval tv;
   buf *b;
 
   switch (kx->s) {
@@ -731,18 +825,18 @@ static void resend(keyexch *kx)
       T( trace(T_KEYEXCH, "keyexch: sending prechallenge to `%s'",
               p_name(kx->p)); )
       b = p_txstart(kx->p, MSG_KEYEXCH | KX_PRECHAL);
-      G_TOBUF(gg, b, kx->c);
+      G_TOBUF(kx->kpriv->g, b, kx->c);
       break;
     case KXS_COMMIT:
       T( trace(T_KEYEXCH, "keyexch: sending switch request to `%s'",
               p_name(kx->p)); )
       kxc = kx->r[0];
       b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCH);
-      buf_put(b, kx->hc, algs.hashsz);
-      buf_put(b, kxc->hc, algs.hashsz);
+      buf_put(b, kx->hc, kx->kpriv->algs.hashsz);
+      buf_put(b, kxc->hc, kx->kpriv->algs.hashsz);
       buf_init(&bb, buf_i, sizeof(buf_i));
-      G_TORAW(gg, &bb, kxc->r);
-      buf_put(&bb, kxc->hswrq_out, algs.hashsz);
+      G_TORAW(kx->kpriv->g, &bb, kxc->r);
+      buf_put(&bb, kxc->hswrq_out, kx->kpriv->algs.hashsz);
       buf_flip(&bb);
       ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCH, &bb, b);
       break;
@@ -752,7 +846,7 @@ static void resend(keyexch *kx)
       kxc = kx->r[0];
       b = p_txstart(kx->p, MSG_KEYEXCH | KX_SWITCHOK);
       buf_init(&bb, buf_i, sizeof(buf_i));
-      buf_put(&bb, kxc->hswok_out, algs.hashsz);
+      buf_put(&bb, kxc->hswok_out, kx->kpriv->algs.hashsz);
       buf_flip(&bb);
       ks_encrypt(kxc->ks, MSG_KEYEXCH | KX_SWITCHOK, &bb, b);
       break;
@@ -766,8 +860,10 @@ static void resend(keyexch *kx)
     p_txend(kx->p);
   }
 
-  if (kx->s < KXS_SWITCH)
-    settimer(kx, time(0) + T_RETRY);
+  if (kx->s < KXS_SWITCH) {
+    rs_time(&kx->rs, &tv, 0);
+    settimer(kx, &tv);
+  }
 }
 
 /* --- @decryptrest@ --- *
@@ -792,6 +888,7 @@ static int decryptrest(keyexch *kx, kxchal *kxc, unsigned msg, buf *b)
     a_warn("KX", "?PEER", kx->p, "decrypt-failed", "%s", pkname[msg], A_END);
     return (-1);
   }
+  if (!BOK(&bb)) return (-1);
   buf_init(b, BBASE(&bb), BLEN(&bb));
   return (0);
 }
@@ -810,25 +907,26 @@ static int decryptrest(keyexch *kx, kxchal *kxc, unsigned msg, buf *b)
 
 static int checkresponse(keyexch *kx, unsigned msg, buf *b)
 {
-  ge *r = G_CREATE(gg);
+  group *g = kx->kpriv->g;
+  ge *r = G_CREATE(g);
 
-  if (G_FROMRAW(gg, b, r)) {
+  if (G_FROMRAW(g, b, r)) {
     a_warn("KX", "?PEER", kx->p, "invalid", "%s", pkname[msg], A_END);
     goto bad;
   }
   IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
-    trace(T_CRYPTO, "crypto: reply = %s", gestr(gg, r));
+    trace(T_CRYPTO, "crypto: reply = %s", gestr(g, r));
   }))
-  if (!G_EQ(gg, r, kx->rx)) {
+  if (!G_EQ(g, r, kx->rx)) {
     a_warn("KX", "?PEER", kx->p, "incorrect", "response", A_END);
     goto bad;
   }
 
-  G_DESTROY(gg, r);
+  G_DESTROY(g, r);
   return (0);
 
 bad:
-  G_DESTROY(gg, r);
+  G_DESTROY(g, r);
   return (-1);
 }
 
@@ -907,8 +1005,13 @@ bad:
 static void kxfinish(keyexch *kx)
 {
   kxchal *kxc = kx->r[0];
+  struct timeval now, tv;
+
   ks_activate(kxc->ks);
-  settimer(kx, ks_tregen(kxc->ks));
+  gettimeofday(&now, 0);
+  f2tv(&tv, wobble(T_REGEN));
+  TV_ADD(&tv, &now, &tv);
+  settimer(kx, &tv);
   kx->s = KXS_SWITCH;
   a_notify("KXDONE", "?PEER", kx->p, A_END);
   p_stats(kx->p)->t_kx = time(0);
@@ -926,34 +1029,35 @@ static void kxfinish(keyexch *kx)
 
 static int doswitch(keyexch *kx, buf *b)
 {
+  size_t hsz = kx->kpriv->algs.hashsz;
   const octet *hc_in, *hc_out, *hswrq;
   kxchal *kxc;
 
-  if ((hc_in = buf_get(b, algs.hashsz)) == 0 ||
-      (hc_out = buf_get(b, algs.hashsz)) == 0) {
+  if ((hc_in = buf_get(b, hsz)) == 0 ||
+      (hc_out = buf_get(b, hsz)) == 0) {
     a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
     goto bad;
   }
   IF_TRACING(T_KEYEXCH, IF_TRACING(T_CRYPTO, {
-    trace_block(T_CRYPTO, "crypto: challenge", hc_in, algs.hashsz);
-    trace_block(T_CRYPTO, "crypto: cookie", hc_out, algs.hashsz);
+    trace_block(T_CRYPTO, "crypto: challenge", hc_in, hsz);
+    trace_block(T_CRYPTO, "crypto: cookie", hc_out, hsz);
   }))
   if ((kxc = kxc_byhc(kx, hc_in)) == 0 ||
-      memcmp(hc_out, kx->hc, algs.hashsz) != 0) {
+      memcmp(hc_out, kx->hc, hsz) != 0) {
     a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
     goto bad;
   }
   if (decryptrest(kx, kxc, KX_SWITCH, b) ||
       checkresponse(kx, KX_SWITCH, b))
     goto bad;
-  if ((hswrq = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) {
+  if ((hswrq = buf_get(b, hsz)) == 0 || BLEFT(b)) {
     a_warn("KX", "?PEER", kx->p, "invalid", "switch-rq", A_END);
     goto bad;
   }
   IF_TRACING(T_KEYEXCH, {
-    trace_block(T_CRYPTO, "crypto: switch request hash", hswrq, algs.hashsz);
+    trace_block(T_CRYPTO, "crypto: switch request hash", hswrq, hsz);
   })
-  if (memcmp(hswrq, kxc->hswrq_in, algs.hashsz) != 0) {
+  if (memcmp(hswrq, kxc->hswrq_in, hsz) != 0) {
     a_warn("KX", "?PEER", kx->p, "incorrect", "switch-rq", A_END);
     goto bad;
   }
@@ -980,6 +1084,7 @@ bad:
 
 static int doswitchok(keyexch *kx, buf *b)
 {
+  size_t hsz = kx->kpriv->algs.hashsz;
   const octet *hswok;
   kxchal *kxc;
   buf bb;
@@ -992,15 +1097,15 @@ static int doswitchok(keyexch *kx, buf *b)
   buf_init(&bb, buf_o, sizeof(buf_o));
   if (decryptrest(kx, kxc, KX_SWITCHOK, b))
     goto bad;
-  if ((hswok = buf_get(b, algs.hashsz)) == 0 || BLEFT(b)) {
+  if ((hswok = buf_get(b, hsz)) == 0 || BLEFT(b)) {
     a_warn("KX", "?PEER", kx->p, "invalid", "switch-ok", A_END);
     goto bad;
   }
   IF_TRACING(T_KEYEXCH, {
     trace_block(T_CRYPTO, "crypto: switch confirmation hash",
-               hswok, algs.hashsz);
+               hswok, hsz);
   })
-  if (memcmp(hswok, kxc->hswok_in, algs.hashsz) != 0) {
+  if (memcmp(hswok, kxc->hswok_in, hsz) != 0) {
     a_warn("KX", "?PEER", kx->p, "incorrect", "switch-ok", A_END);
     goto bad;
   }
@@ -1040,8 +1145,8 @@ static void stop(keyexch *kx)
   for (i = 0; i < kx->nr; i++)
     kxc_destroy(kx->r[i]);
   mp_drop(kx->alpha);
-  G_DESTROY(gg, kx->c);
-  G_DESTROY(gg, kx->rx);
+  G_DESTROY(kx->kpriv->g, kx->c);
+  G_DESTROY(kx->kpriv->g, kx->rx);
   kx->t_valid = 0;
   kx->f |= KXF_DEAD;
   kx->f &= ~KXF_TIMER;
@@ -1060,21 +1165,23 @@ static void stop(keyexch *kx)
 
 static void start(keyexch *kx, time_t now)
 {
+  algswitch *algs = &kx->kpriv->algs;
+  group *g = kx->kpriv->g;
   ghash *h;
 
   assert(kx->f & KXF_DEAD);
 
   kx->f &= ~(KXF_DEAD | KXF_CORK);
   kx->nr = 0;
-  kx->alpha = mprand_range(MP_NEW, gg->r, &rand_global, 0);
-  kx->c = G_CREATE(gg); G_EXP(gg, kx->c, gg->g, kx->alpha);
-  kx->rx = G_CREATE(gg); G_EXP(gg, kx->rx, kx->kpub, kx->alpha);
+  kx->alpha = mprand_range(MP_NEW, g->r, &rand_global, 0);
+  kx->c = G_CREATE(g); G_EXP(g, kx->c, g->g, kx->alpha);
+  kx->rx = G_CREATE(g); G_EXP(g, kx->rx, kx->kpub->kpub, kx->alpha);
   kx->s = KXS_CHAL;
   kx->t_valid = now + T_VALID;
 
-  h = GH_INIT(algs.h);
+  h = GH_INIT(algs->h);
   HASH_STRING(h, "tripe-cookie");
-  hashge(h, kx->c);
+  hashge(h, g, kx->c);
   GH_DONE(h, kx->hc);
   GH_DESTROY(h);
 
@@ -1082,9 +1189,10 @@ static void start(keyexch *kx, time_t now)
     trace(T_KEYEXCH, "keyexch: creating new challenge");
     IF_TRACING(T_CRYPTO, {
       trace(T_CRYPTO, "crypto: secret = %s", mpstr(kx->alpha));
-      trace(T_CRYPTO, "crypto: challenge = %s", gestr(gg, kx->c));
-      trace(T_CRYPTO, "crypto: expected response = %s", gestr(gg, kx->rx));
-      trace_block(T_CRYPTO, "crypto: challenge cookie", kx->hc, algs.hashsz);
+      trace(T_CRYPTO, "crypto: challenge = %s", gestr(g, kx->c));
+      trace(T_CRYPTO, "crypto: expected response = %s", gestr(g, kx->rx));
+      trace_block(T_CRYPTO, "crypto: challenge cookie",
+                 kx->hc, algs->hashsz);
     })
   })
 }
@@ -1102,13 +1210,17 @@ static void start(keyexch *kx, time_t now)
 static int checkpub(keyexch *kx)
 {
   time_t now;
+  unsigned f = 0;
+
   if (kx->f & KXF_DEAD)
     return (-1);
   now = time(0);
-  if (KEY_EXPIRED(now, kx->texp_kpub)) {
+  if (KEY_EXPIRED(now, kx->kpriv->t_exp)) f |= 1;
+  if (KEY_EXPIRED(now, kx->kpub->t_exp)) f |= 2;
+  if (f) {
     stop(kx);
-    a_warn("KX", "?PEER", kx->p, "public-key-expired", A_END);
-    G_COPY(gg, kx->kpub, gg->i);
+    if (f & 1) a_warn("KX", "?PEER", kx->p, "private-key-expired", A_END);
+    if (f & 2) a_warn("KX", "?PEER", kx->p, "public-key-expired", A_END);
     kx->f &= ~KXF_PUBKEY;
     return (-1);
   }
@@ -1155,23 +1267,26 @@ void kx_start(keyexch *kx, int forcep)
 
 void kx_message(keyexch *kx, unsigned msg, buf *b)
 {
-  time_t now = time(0);
+  struct timeval now, tv;
   stats *st = p_stats(kx->p);
   size_t sz = BSZ(b);
   int rc;
 
+  gettimeofday(&now, 0);
+  rs_reset(&kx->rs);
   if (kx->f & KXF_CORK) {
-    start(kx, now);
-    settimer(kx, now + T_RETRY);
+    start(kx, now.tv_sec);
+    rs_time(&kx->rs, &tv, &now);
+    settimer(kx, &tv);
     a_notify("KXSTART", A_END);
   }
 
   if (checkpub(kx))
     return;
 
-  if (!VALIDP(kx, now)) {
+  if (!VALIDP(kx, now.tv_sec)) {
     stop(kx);
-    start(kx, now);
+    start(kx, now.tv_sec);
   }
   T( trace(T_KEYEXCH, "keyexch: processing %s packet from `%s'",
           msg < KX_NMSG ? pkname[msg] : "unknown", p_name(kx->p)); )
@@ -1218,7 +1333,8 @@ void kx_message(keyexch *kx, unsigned msg, buf *b)
 void kx_free(keyexch *kx)
 {
   stop(kx);
-  G_DESTROY(gg, kx->kpub);
+  km_unref(kx->kpub);
+  km_unref(kx->kpriv);
 }
 
 /* --- @kx_newkeys@ --- *
@@ -1235,13 +1351,111 @@ void kx_free(keyexch *kx)
 
 void kx_newkeys(keyexch *kx)
 {
-  if (km_getpubkey(p_name(kx->p), kx->kpub, &kx->texp_kpub))
-    return;
+  kdata *kpriv, *kpub;
+  unsigned i;
+  int switchp;
+  time_t now = time(0);
+
+  T( trace(T_KEYEXCH, "keyexch: checking new keys for `%s'",
+          p_name(kx->p)); )
+
+  /* --- Find out whether we can use new keys --- *
+   *
+   * Try each available combination of new and old, public and private,
+   * except both old (which is status quo anyway).  The selection is encoded
+   * in @i@, with bit 0 for the private key and bit 1 for public key; a set
+   * bit means to use the old value, and a clear bit means to use the new
+   * one.
+   *
+   * This means that we currently prefer `old private and new public' over
+   * `new private and old public'.  I'm not sure which way round this should
+   * actually be.
+   */
+
+  for (i = 0; i < 3; i++) {
+
+    /* --- Select the keys we're going to examine --- *
+     *
+     * If we're meant to have a new key and don't, then skip this
+     * combination.
+     */
+
+    T( trace(T_KEYEXCH, "keyexch: checking %s private, %s public",
+            i & 1 ? "old" : "new", i & 2 ? "old" : "new"); )
+
+    if (i & 1) kpriv = kx->kpriv;
+    else if (kx->kpriv->kn->kd != kx->kpriv) kpriv = kx->kpriv->kn->kd;
+    else {
+      T( trace(T_KEYEXCH, "keyexch: private key unchanged, skipping"); )
+      continue;
+    }
+
+    if (i & 2) kpub = kx->kpub;
+    else if (kx->kpub->kn->kd != kx->kpub) kpub = kx->kpub->kn->kd;
+    else {
+      T( trace(T_KEYEXCH, "keyexch: public key unchanged, skipping"); )
+      continue;
+    }
+
+    /* --- Skip if either key is expired --- *
+     *
+     * We're not going to get far with expired keys, and this simplifies the
+     * logic below.
+     */
+
+    if (KEY_EXPIRED(now, kx->kpriv->t_exp) ||
+       KEY_EXPIRED(now, kx->kpub->t_exp)) {
+      T( trace(T_KEYEXCH, "keyexch: %s expired, skipping",
+              !KEY_EXPIRED(now, kx->kpriv->t_exp) ? "public key" :
+              !KEY_EXPIRED(now, kx->kpub->t_exp) ? "private key" :
+              "both keys"); )
+      continue;
+    }
+
+    /* --- If the groups don't match then we can't use this pair --- */
+
+    if (!km_samealgsp(kpriv, kpub)) {
+      T( trace(T_KEYEXCH, "keyexch: peer `%s' group mismatch; "
+              "%s priv `%s' and %s pub `%s'", p_name(kx->p),
+              i & 1 ? "old" : "new", km_tag(kx->kpriv),
+              i & 2 ? "old" : "new", km_tag(kx->kpub)); )
+      continue;
+    }
+    goto newkeys;
+  }
+  T( trace(T_KEYEXCH, "keyexch: peer `%s' continuing with old keys",
+          p_name(kx->p)); )
+  return;
+
+  /* --- We've chosen new keys --- *
+   *
+   * Switch the new ones into place.  Neither of the keys we're switching to
+   * is expired (we checked that above), so we should just crank everything
+   * up.
+   *
+   * A complication arises: we don't really want to force a new key exchange
+   * unless we have to.  If the group is unchanged, and we're currently
+   * running OK, then we should just let things lie.
+   */
+
+newkeys:
+  switchp = ((kx->f & KXF_DEAD) ||
+            kx->s != KXS_SWITCH ||
+            !group_samep(kx->kpriv->g, kpriv->g));
+
+  T( trace(T_KEYEXCH, "keyexch: peer `%s' adopting "
+          "%s priv `%s' and %s pub `%s'; %sforcing exchange", p_name(kx->p),
+          i & 1 ? "old" : "new", km_tag(kx->kpriv),
+          i & 2 ? "old" : "new", km_tag(kx->kpub),
+          switchp ? "" : "not "); )
+
+  if (switchp) stop(kx);
+  km_ref(kpriv); km_unref(kx->kpriv); kx->kpriv = kpriv;
+  km_ref(kpub);  km_unref(kx->kpub);  kx->kpub  = kpub;
   kx->f |= KXF_PUBKEY;
-  if ((kx->f & KXF_DEAD) || kx->s != KXS_SWITCH) {
+  if (switchp) {
     T( trace(T_KEYEXCH, "keyexch: restarting key negotiation with `%s'",
             p_name(kx->p)); )
-    stop(kx);
     start(kx, time(0));
     resend(kx);
   }
@@ -1263,20 +1477,33 @@ void kx_newkeys(keyexch *kx)
 
 int kx_init(keyexch *kx, peer *p, keyset **ks, unsigned f)
 {
+  if ((kx->kpriv = km_findpriv(p_privtag(p))) == 0) goto fail_0;
+  if ((kx->kpub = km_findpub(p_tag(p))) == 0) goto fail_1;
+  if (!group_samep(kx->kpriv->g, kx->kpub->g)) {
+    a_warn("KX", "?PEER", kx->p, "group-mismatch",
+          "local-private-key", "%s", p_privtag(p),
+          "peer-public-key", "%s", p_tag(p),
+          A_END);
+    goto fail_2;
+  }
+
   kx->ks = ks;
   kx->p = p;
-  kx->kpub = G_CREATE(gg);
-  if (km_getpubkey(p_name(p), kx->kpub, &kx->texp_kpub)) {
-    G_DESTROY(gg, kx->kpub);
-    return (-1);
-  }
   kx->f = KXF_DEAD | KXF_PUBKEY | f;
+  rs_reset(&kx->rs);
   if (!(kx->f & KXF_CORK)) {
     start(kx, time(0));
     resend(kx);
     /* Don't notify here: the ADD message hasn't gone out yet. */
   }
   return (0);
+
+fail_2:
+  km_unref(kx->kpub);
+fail_1:
+  km_unref(kx->kpriv);
+fail_0:
+  return (-1);
 }
 
 /*----- That's all, folks -------------------------------------------------*/