Pull-Merge of latest changes from main repo

briar-core/src/org/briarproject/crypto/AuthenticatedCipherImpl.java

@@ -20,7 +20,7 @@ class AuthenticatedCipherImpl implements AuthenticatedCipher {
 		this.macLength = macLength;
 	}
 
-	public int doFinal(byte[] input, int inputOff, int len, byte[] output,
+	public int process(byte[] input, int inputOff, int len, byte[] output,
 			int outputOff) throws GeneralSecurityException {
 		int processed = 0;
 		if(len != 0) {
@@ -38,7 +38,7 @@ class AuthenticatedCipherImpl implements AuthenticatedCipher {
 
 	public void init(boolean encrypt, SecretKey key, byte[] iv, byte[] aad)
 			throws GeneralSecurityException {
-		KeyParameter k = new KeyParameter(key.getEncoded());
+		KeyParameter k = new KeyParameter(key.getBytes());
 		AEADParameters params = new AEADParameters(k, macLength * 8, iv, aad);
 		try {
 			cipher.init(encrypt, params);

briar-core/src/org/briarproject/crypto/CryptoComponentImpl.java

@@ -7,8 +7,6 @@ import static org.briarproject.crypto.EllipticCurveConstants.P;
 import static org.briarproject.crypto.EllipticCurveConstants.PARAMETERS;
 import static org.briarproject.util.ByteUtils.MAX_32_BIT_UNSIGNED;
 
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.SecureRandom;
 import java.util.ArrayList;
@@ -31,6 +29,7 @@ import org.briarproject.api.crypto.SecretKey;
 import org.briarproject.api.crypto.Signature;
 import org.briarproject.api.system.SeedProvider;
 import org.briarproject.util.ByteUtils;
+import org.briarproject.util.StringUtils;
 import org.spongycastle.crypto.AsymmetricCipherKeyPair;
 import org.spongycastle.crypto.BlockCipher;
 import org.spongycastle.crypto.CipherParameters;
@@ -44,11 +43,11 @@ import org.spongycastle.crypto.generators.PKCS5S2ParametersGenerator;
 import org.spongycastle.crypto.macs.HMac;
 import org.spongycastle.crypto.modes.AEADBlockCipher;
 import org.spongycastle.crypto.modes.GCMBlockCipher;
+import org.spongycastle.crypto.modes.gcm.BasicGCMMultiplier;
 import org.spongycastle.crypto.params.ECKeyGenerationParameters;
 import org.spongycastle.crypto.params.ECPrivateKeyParameters;
 import org.spongycastle.crypto.params.ECPublicKeyParameters;
 import org.spongycastle.crypto.params.KeyParameter;
-import org.spongycastle.util.Strings;
 
 class CryptoComponentImpl implements CryptoComponent {
 
@@ -114,7 +113,7 @@ class CryptoComponentImpl implements CryptoComponent {
 	public SecretKey generateSecretKey() {
 		byte[] b = new byte[CIPHER_KEY_BYTES];
 		secureRandom.nextBytes(b);
-		return new SecretKeyImpl(b);
+		return new SecretKey(b);
 	}
 
 	public MessageDigest getMessageDigest() {
@@ -188,8 +187,6 @@ class CryptoComponentImpl implements CryptoComponent {
 		int[] codes = new int[2];
 		codes[0] = ByteUtils.readUint(alice, CODE_BITS);
 		codes[1] = ByteUtils.readUint(bob, CODE_BITS);
-		ByteUtils.erase(alice);
-		ByteUtils.erase(bob);
 		return codes;
 	}
 
@@ -223,9 +220,7 @@ class CryptoComponentImpl implements CryptoComponent {
 		byte[] raw = deriveSharedSecret(ourPriv, theirPub);
 		// Derive the cooked secret from the raw secret using the
 		// concatenation KDF
-		byte[] cooked = concatenationKdf(raw, MASTER, aliceInfo, bobInfo);
-		ByteUtils.erase(raw);
-		return cooked;
+		return concatenationKdf(raw, MASTER, aliceInfo, bobInfo);
 	}
 
 	// Package access for testing
@@ -296,12 +291,16 @@ class CryptoComponentImpl implements CryptoComponent {
 	}
 
 	private SecretKey deriveKey(byte[] secret, byte[] label, long context) {
-		byte[] key = counterModeKdf(secret, label, context);
-		return new SecretKeyImpl(key);
+		return new SecretKey(counterModeKdf(secret, label, context));
 	}
 
 	public AuthenticatedCipher getFrameCipher() {
-		AEADBlockCipher a = new GCMBlockCipher(new AESLightEngine());
+		return getAuthenticatedCipher();
+	}
+
+	private AuthenticatedCipher getAuthenticatedCipher() {
+		AEADBlockCipher a = new GCMBlockCipher(new AESLightEngine(),
+				new BasicGCMMultiplier());
 		return new AuthenticatedCipherImpl(a, MAC_BYTES);
 	}
 
@@ -313,21 +312,19 @@ class CryptoComponentImpl implements CryptoComponent {
 		ByteUtils.writeUint32(streamNumber, tag, 0);
 		BlockCipher cipher = new AESLightEngine();
 		assert cipher.getBlockSize() == TAG_LENGTH;
-		KeyParameter k = new KeyParameter(tagKey.getEncoded());
+		KeyParameter k = new KeyParameter(tagKey.getBytes());
 		cipher.init(true, k);
 		cipher.processBlock(tag, 0, tag, 0);
-		ByteUtils.erase(k.getKey());
 	}
 
-	public byte[] encryptWithPassword(byte[] input, char[] password) {
+	public byte[] encryptWithPassword(byte[] input, String password) {
 		// Generate a random salt
 		byte[] salt = new byte[PBKDF_SALT_BYTES];
 		secureRandom.nextBytes(salt);
 		// Calibrate the KDF
 		int iterations = chooseIterationCount(PBKDF_TARGET_MILLIS);
 		// Derive the key from the password
-		byte[] keyBytes = pbkdf2(password, salt, iterations);
-		SecretKey key = new SecretKeyImpl(keyBytes);
+		SecretKey key = new SecretKey(pbkdf2(password, salt, iterations));
 		// Generate a random IV
 		byte[] iv = new byte[STORAGE_IV_BYTES];
 		secureRandom.nextBytes(iv);
@@ -338,22 +335,18 @@ class CryptoComponentImpl implements CryptoComponent {
 		ByteUtils.writeUint32(iterations, output, salt.length);
 		System.arraycopy(iv, 0, output, salt.length + 4, iv.length);
 		// Initialise the cipher and encrypt the plaintext
+		AuthenticatedCipher cipher = getAuthenticatedCipher();
 		try {
-			AEADBlockCipher a = new GCMBlockCipher(new AESLightEngine());
-			AuthenticatedCipher cipher = new AuthenticatedCipherImpl(a,
-					MAC_BYTES);
 			cipher.init(true, key, iv, null);
 			int outputOff = salt.length + 4 + iv.length;
-			cipher.doFinal(input, 0, input.length, output, outputOff);
+			cipher.process(input, 0, input.length, output, outputOff);
 			return output;
 		} catch(GeneralSecurityException e) {
 			throw new RuntimeException(e);
-		} finally {
-			key.erase();
 		}
 	}
 
-	public byte[] decryptWithPassword(byte[] input, char[] password) {
+	public byte[] decryptWithPassword(byte[] input, String password) {
 		// The input contains the salt, iterations, IV, ciphertext and MAC
 		if(input.length < PBKDF_SALT_BYTES + 4 + STORAGE_IV_BYTES + MAC_BYTES)
 			return null; // Invalid
@@ -365,16 +358,12 @@ class CryptoComponentImpl implements CryptoComponent {
 		byte[] iv = new byte[STORAGE_IV_BYTES];
 		System.arraycopy(input, salt.length + 4, iv, 0, iv.length);
 		// Derive the key from the password
-		byte[] keyBytes = pbkdf2(password, salt, (int) iterations);
-		SecretKey key = new SecretKeyImpl(keyBytes);
+		SecretKey key = new SecretKey(pbkdf2(password, salt, (int) iterations));
 		// Initialise the cipher
-		AuthenticatedCipher cipher;
+		AuthenticatedCipher cipher = getAuthenticatedCipher();
 		try {
-			AEADBlockCipher a = new GCMBlockCipher(new AESLightEngine());
-			cipher = new AuthenticatedCipherImpl(a, MAC_BYTES);
 			cipher.init(false, key, iv, null);
 		} catch(GeneralSecurityException e) {
-			key.erase();
 			throw new RuntimeException(e);
 		}
 		// Try to decrypt the ciphertext (may be invalid)
@@ -382,12 +371,10 @@ class CryptoComponentImpl implements CryptoComponent {
 			int inputOff = salt.length + 4 + iv.length;
 			int inputLen = input.length - inputOff;
 			byte[] output = new byte[inputLen - MAC_BYTES];
-			cipher.doFinal(input, inputOff, inputLen, output, 0);
+			cipher.process(input, inputOff, inputLen, output, 0);
 			return output;
 		} catch(GeneralSecurityException e) {
-			return null; // Invalid
-		} finally {
-			key.erase();
+			return null; // Invalid ciphertext
 		}
 	}
 
@@ -417,7 +404,6 @@ class CryptoComponentImpl implements CryptoComponent {
 		// The secret is the first CIPHER_KEY_BYTES bytes of the hash
 		byte[] output = new byte[CIPHER_KEY_BYTES];
 		System.arraycopy(hash, 0, output, 0, output.length);
-		ByteUtils.erase(hash);
 		return output;
 	}
 
@@ -447,20 +433,17 @@ class CryptoComponentImpl implements CryptoComponent {
 		prf.update((byte) CIPHER_KEY_BYTES); // Output length
 		prf.doFinal(mac, 0);
 		System.arraycopy(mac, 0, output, 0, output.length);
-		ByteUtils.erase(mac);
-		ByteUtils.erase(k.getKey());
 		return output;
 	}
 
 	// Password-based key derivation function - see PKCS#5 v2.1, section 5.2
-	private byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
-		byte[] utf8 = toUtf8ByteArray(password);
+	private byte[] pbkdf2(String password, byte[] salt, int iterations) {
+		byte[] utf8 = StringUtils.toUtf8(password);
 		Digest digest = new SHA384Digest();
 		PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(digest);
 		gen.init(utf8, salt, iterations);
 		int keyLengthInBits = CIPHER_KEY_BYTES * 8;
 		CipherParameters p = gen.generateDerivedParameters(keyLengthInBits);
-		ByteUtils.erase(utf8);
 		return ((KeyParameter) p).getKey();
 	}
 
@@ -512,18 +495,4 @@ class CryptoComponentImpl implements CryptoComponent {
 		if(size % 2 == 1) return list.get(size / 2);
 		return list.get(size / 2 - 1) + list.get(size / 2) / 2;
 	}
-
-	private byte[] toUtf8ByteArray(char[] c) {
-		ByteArrayOutputStream out = new ByteArrayOutputStream();
-		try {
-			Strings.toUTF8ByteArray(c, out);
-			byte[] utf8 = out.toByteArray();
-			// Erase the output stream's buffer
-			out.reset();
-			out.write(new byte[utf8.length]);
-			return utf8;
-		} catch(IOException e) {
-			throw new RuntimeException(e);
-		}
-	}
 }

briar-core/src/org/briarproject/crypto/CryptoModule.java

@@ -14,6 +14,8 @@ import javax.inject.Singleton;
 import org.briarproject.api.crypto.CryptoComponent;
 import org.briarproject.api.crypto.CryptoExecutor;
 import org.briarproject.api.crypto.PasswordStrengthEstimator;
+import org.briarproject.api.crypto.StreamDecrypterFactory;
+import org.briarproject.api.crypto.StreamEncrypterFactory;
 import org.briarproject.api.lifecycle.LifecycleManager;
 
 import com.google.inject.AbstractModule;
@@ -44,6 +46,8 @@ public class CryptoModule extends AbstractModule {
 				CryptoComponentImpl.class).in(Singleton.class);
 		bind(PasswordStrengthEstimator.class).to(
 				PasswordStrengthEstimatorImpl.class);
+		bind(StreamDecrypterFactory.class).to(StreamDecrypterFactoryImpl.class);
+		bind(StreamEncrypterFactory.class).to(StreamEncrypterFactoryImpl.class);
 	}
 
 	@Provides @Singleton @CryptoExecutor

briar-core/src/org/briarproject/crypto/FrameEncoder.java

@@ -1,44 +1,33 @@
-package org.briarproject.transport;
+package org.briarproject.crypto;
 
-import static org.briarproject.api.transport.TransportConstants.AAD_LENGTH;
 import static org.briarproject.api.transport.TransportConstants.HEADER_LENGTH;
 import static org.briarproject.api.transport.TransportConstants.IV_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.MAX_FRAME_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.MAX_PAYLOAD_LENGTH;
 import static org.briarproject.util.ByteUtils.MAX_32_BIT_UNSIGNED;
 
 import org.briarproject.util.ByteUtils;
 
 class FrameEncoder {
 
-	static void encodeIv(byte[] iv, long frameNumber) {
+	static void encodeIv(byte[] iv, long frameNumber, boolean header) {
 		if(iv.length < IV_LENGTH) throw new IllegalArgumentException();
 		if(frameNumber < 0 || frameNumber > MAX_32_BIT_UNSIGNED)
 			throw new IllegalArgumentException();
 		ByteUtils.writeUint32(frameNumber, iv, 0);
-		for(int i = 4; i < IV_LENGTH; i++) iv[i] = 0;
-	}
-
-	static void encodeAad(byte[] aad, long frameNumber, int plaintextLength) {
-		if(aad.length < AAD_LENGTH) throw new IllegalArgumentException();
-		if(frameNumber < 0 || frameNumber > MAX_32_BIT_UNSIGNED)
-			throw new IllegalArgumentException();
-		if(plaintextLength < HEADER_LENGTH)
-			throw new IllegalArgumentException();
-		if(plaintextLength > MAX_FRAME_LENGTH - MAC_LENGTH)
-			throw new IllegalArgumentException();
-		ByteUtils.writeUint32(frameNumber, aad, 0);
-		ByteUtils.writeUint16(plaintextLength, aad, 4);
+		if(header) iv[4] = 1;
+		else iv[4] = 0;
+		for(int i = 5; i < IV_LENGTH; i++) iv[i] = 0;
 	}
 
 	static void encodeHeader(byte[] header, boolean finalFrame,
-			int payloadLength) {
+			int payloadLength, int paddingLength) {
 		if(header.length < HEADER_LENGTH) throw new IllegalArgumentException();
-		if(payloadLength < 0)
-			throw new IllegalArgumentException();
-		if(payloadLength > MAX_FRAME_LENGTH - HEADER_LENGTH - MAC_LENGTH)
+		if(payloadLength < 0) throw new IllegalArgumentException();
+		if(paddingLength < 0) throw new IllegalArgumentException();
+		if(payloadLength + paddingLength > MAX_PAYLOAD_LENGTH)
 			throw new IllegalArgumentException();
 		ByteUtils.writeUint16(payloadLength, header, 0);
+		ByteUtils.writeUint16(paddingLength, header, 2);
 		if(finalFrame) header[0] |= 0x80;
 	}
 
@@ -51,4 +40,9 @@ class FrameEncoder {
 		if(header.length < HEADER_LENGTH) throw new IllegalArgumentException();
 		return ByteUtils.readUint16(header, 0) & 0x7FFF;
 	}
+
+	static int getPaddingLength(byte[] header) {
+		if(header.length < HEADER_LENGTH) throw new IllegalArgumentException();
+		return ByteUtils.readUint16(header, 2);
+	}
 }

briar-core/src/org/briarproject/crypto/PasswordStrengthEstimatorImpl.java

@@ -13,9 +13,10 @@ class PasswordStrengthEstimatorImpl implements PasswordStrengthEstimator {
 	private static final double STRONG = Math.log(Math.pow(LOWER + UPPER +
 			DIGIT + OTHER, 10));
 
-	public float estimateStrength(char[] password) {
+	public float estimateStrength(String password) {
 		HashSet<Character> unique = new HashSet<Character>();
-		for(char c : password) unique.add(c);
+		int length = password.length();
+		for(int i = 0; i < length; i++) unique.add(password.charAt(i));
 		boolean lower = false, upper = false, digit = false, other = false;
 		for(char c : unique) {
 			if(Character.isLowerCase(c)) lower = true;

briar-core/src/org/briarproject/crypto/SecretKeyImpl.java

@@ -1,48 +0,0 @@
-package org.briarproject.crypto;
-
-import java.util.concurrent.locks.Lock;
-import java.util.concurrent.locks.ReentrantLock;
-
-import org.briarproject.api.crypto.SecretKey;
-import org.briarproject.util.ByteUtils;
-
-class SecretKeyImpl implements SecretKey {
-
-	private final byte[] key;
-
-	private boolean erased = false;
-	
-	private final Lock synchLock = new ReentrantLock();
-
-	SecretKeyImpl(byte[] key) {
-		this.key = key;
-	}
-
-	public byte[] getEncoded() {
-		synchLock.lock();
-		try{
-			if(erased) throw new IllegalStateException();
-			return key;
-		}
-		finally{
-			synchLock.unlock();
-		}
-
-	}
-
-	public SecretKey copy() {
-		return new SecretKeyImpl(key.clone());
-	}
-
-	public void erase() {
-		synchLock.lock();
-		try{
-			if(erased) throw new IllegalStateException();
-			ByteUtils.erase(key);
-			erased = true;
-		}
-		finally{
-			synchLock.unlock();
-		}
-	}
-}

briar-core/src/org/briarproject/crypto/StreamDecrypterFactoryImpl.java

@@ -0,0 +1,40 @@
+package org.briarproject.crypto;
+
+import java.io.InputStream;
+
+import javax.inject.Inject;
+
+import org.briarproject.api.crypto.CryptoComponent;
+import org.briarproject.api.crypto.SecretKey;
+import org.briarproject.api.crypto.StreamDecrypter;
+import org.briarproject.api.crypto.StreamDecrypterFactory;
+import org.briarproject.api.transport.StreamContext;
+
+class StreamDecrypterFactoryImpl implements StreamDecrypterFactory {
+
+	private final CryptoComponent crypto;
+
+	@Inject
+	StreamDecrypterFactoryImpl(CryptoComponent crypto) {
+		this.crypto = crypto;
+	}
+
+	public StreamDecrypter createStreamDecrypter(InputStream in,
+			StreamContext ctx) {
+		// Derive the frame key
+		byte[] secret = ctx.getSecret();
+		long streamNumber = ctx.getStreamNumber();
+		boolean alice = !ctx.getAlice();
+		SecretKey frameKey = crypto.deriveFrameKey(secret, streamNumber, alice);
+		// Create the decrypter
+		return new StreamDecrypterImpl(in, crypto.getFrameCipher(), frameKey);
+	}
+
+	public StreamDecrypter createInvitationStreamDecrypter(InputStream in,
+			byte[] secret, boolean alice) {
+		// Derive the frame key
+		SecretKey frameKey = crypto.deriveFrameKey(secret, 0, alice);
+		// Create the decrypter
+		return new StreamDecrypterImpl(in, crypto.getFrameCipher(), frameKey);
+	}
+}

briar-core/src/org/briarproject/crypto/StreamDecrypterImpl.java

@@ -0,0 +1,97 @@
+package org.briarproject.crypto;
+
+import static org.briarproject.api.transport.TransportConstants.HEADER_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.IV_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.MAX_FRAME_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.MAX_PAYLOAD_LENGTH;
+
+import java.io.EOFException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+
+import org.briarproject.api.FormatException;
+import org.briarproject.api.crypto.AuthenticatedCipher;
+import org.briarproject.api.crypto.SecretKey;
+import org.briarproject.api.crypto.StreamDecrypter;
+
+class StreamDecrypterImpl implements StreamDecrypter {
+
+	private final InputStream in;
+	private final AuthenticatedCipher frameCipher;
+	private final SecretKey frameKey;
+	private final byte[] iv, aad, header, ciphertext;
+
+	private long frameNumber;
+	private boolean finalFrame;
+
+	StreamDecrypterImpl(InputStream in, AuthenticatedCipher frameCipher,
+			SecretKey frameKey) {
+		this.in = in;
+		this.frameCipher = frameCipher;
+		this.frameKey = frameKey;
+		iv = new byte[IV_LENGTH];
+		aad = new byte[IV_LENGTH];
+		header = new byte[HEADER_LENGTH];
+		ciphertext = new byte[MAX_FRAME_LENGTH];
+		frameNumber = 0;
+		finalFrame = false;
+	}
+
+	public int readFrame(byte[] payload) throws IOException {
+		if(payload.length < MAX_PAYLOAD_LENGTH)
+			throw new IllegalArgumentException();
+		if(finalFrame) return -1;
+		// Read the header
+		int offset = 0;
+		while(offset < HEADER_LENGTH) {
+			int read = in.read(ciphertext, offset, HEADER_LENGTH - offset);
+			if(read == -1) throw new EOFException();
+			offset += read;
+		}
+		// Decrypt and authenticate the header
+		FrameEncoder.encodeIv(iv, frameNumber, true);
+		FrameEncoder.encodeIv(aad, frameNumber, true);
+		try {
+			frameCipher.init(false, frameKey, iv, aad);
+			int decrypted = frameCipher.process(ciphertext, 0, HEADER_LENGTH,
+					header, 0);
+			if(decrypted != HEADER_LENGTH - MAC_LENGTH)
+				throw new RuntimeException();
+		} catch(GeneralSecurityException e) {
+			throw new FormatException();
+		}
+		// Decode and validate the header
+		finalFrame = FrameEncoder.isFinalFrame(header);
+		int payloadLength = FrameEncoder.getPayloadLength(header);
+		int paddingLength = FrameEncoder.getPaddingLength(header);
+		if(payloadLength + paddingLength > MAX_PAYLOAD_LENGTH)
+			throw new FormatException();
+		// Read the payload and padding
+		int frameLength = HEADER_LENGTH + payloadLength + paddingLength
+				+ MAC_LENGTH;
+		while(offset < frameLength) {
+			int read = in.read(ciphertext, offset, frameLength - offset);
+			if(read == -1) throw new EOFException();
+			offset += read;
+		}
+		// Decrypt and authenticate the payload and padding
+		FrameEncoder.encodeIv(iv, frameNumber, false);
+		FrameEncoder.encodeIv(aad, frameNumber, false);
+		try {
+			frameCipher.init(false, frameKey, iv, aad);
+			int decrypted = frameCipher.process(ciphertext, HEADER_LENGTH,
+					payloadLength + paddingLength + MAC_LENGTH, payload, 0);
+			if(decrypted != payloadLength + paddingLength)
+				throw new RuntimeException();
+		} catch(GeneralSecurityException e) {
+			throw new FormatException();
+		}
+		// If there's any padding it must be all zeroes
+		for(int i = 0; i < paddingLength; i++)
+			if(payload[payloadLength + i] != 0) throw new FormatException();
+		frameNumber++;
+		return payloadLength;
+	}
+}

briar-core/src/org/briarproject/crypto/StreamEncrypterFactoryImpl.java

@@ -0,0 +1,48 @@
+package org.briarproject.crypto;
+
+import static org.briarproject.api.transport.TransportConstants.TAG_LENGTH;
+
+import java.io.OutputStream;
+
+import javax.inject.Inject;
+
+import org.briarproject.api.crypto.CryptoComponent;
+import org.briarproject.api.crypto.SecretKey;
+import org.briarproject.api.crypto.StreamEncrypter;
+import org.briarproject.api.crypto.StreamEncrypterFactory;
+import org.briarproject.api.transport.StreamContext;
+
+class StreamEncrypterFactoryImpl implements StreamEncrypterFactory {
+
+	private final CryptoComponent crypto;
+
+	@Inject
+	StreamEncrypterFactoryImpl(CryptoComponent crypto) {
+		this.crypto = crypto;
+	}
+
+	public StreamEncrypter createStreamEncrypter(OutputStream out,
+			StreamContext ctx) {
+		byte[] secret = ctx.getSecret();
+		long streamNumber = ctx.getStreamNumber();
+		boolean alice = ctx.getAlice();
+		// Encode the tag
+		byte[] tag = new byte[TAG_LENGTH];
+		SecretKey tagKey = crypto.deriveTagKey(secret, alice);
+		crypto.encodeTag(tag, tagKey, streamNumber);
+		// Derive the frame key
+		SecretKey frameKey = crypto.deriveFrameKey(secret, streamNumber, alice);
+		// Create the encrypter
+		return new StreamEncrypterImpl(out, crypto.getFrameCipher(), frameKey,
+				tag);
+	}
+
+	public StreamEncrypter createInvitationStreamEncrypter(OutputStream out,
+			byte[] secret, boolean alice) {
+		// Derive the frame key
+		SecretKey frameKey = crypto.deriveFrameKey(secret, 0, alice);
+		// Create the encrypter
+		return new StreamEncrypterImpl(out, crypto.getFrameCipher(), frameKey,
+				null);
+	}
+}

briar-core/src/org/briarproject/crypto/StreamEncrypterImpl.java

@@ -0,0 +1,97 @@
+package org.briarproject.crypto;
+
+import static org.briarproject.api.transport.TransportConstants.HEADER_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.IV_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.MAX_FRAME_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.MAX_PAYLOAD_LENGTH;
+import static org.briarproject.util.ByteUtils.MAX_32_BIT_UNSIGNED;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.security.GeneralSecurityException;
+
+import org.briarproject.api.crypto.AuthenticatedCipher;
+import org.briarproject.api.crypto.SecretKey;
+import org.briarproject.api.crypto.StreamEncrypter;
+
+class StreamEncrypterImpl implements StreamEncrypter {
+
+	private final OutputStream out;
+	private final AuthenticatedCipher frameCipher;
+	private final SecretKey frameKey;
+	private final byte[] tag, iv, aad, plaintext, ciphertext;
+
+	private long frameNumber;
+	private boolean writeTag;
+
+	StreamEncrypterImpl(OutputStream out, AuthenticatedCipher frameCipher,
+			SecretKey frameKey, byte[] tag) {
+		this.out = out;
+		this.frameCipher = frameCipher;
+		this.frameKey = frameKey;
+		this.tag = tag;
+		iv = new byte[IV_LENGTH];
+		aad = new byte[IV_LENGTH];
+		plaintext = new byte[HEADER_LENGTH + MAX_PAYLOAD_LENGTH];
+		ciphertext = new byte[MAX_FRAME_LENGTH];
+		frameNumber = 0;
+		writeTag = (tag != null);
+	}
+
+	public void writeFrame(byte[] payload, int payloadLength,
+			int paddingLength, boolean finalFrame) throws IOException {
+		if(payloadLength + paddingLength > MAX_PAYLOAD_LENGTH)
+			throw new IllegalArgumentException();
+		// Don't allow the frame counter to wrap
+		if(frameNumber > MAX_32_BIT_UNSIGNED) throw new IOException();
+		// Write the tag if required
+		if(writeTag) {
+			out.write(tag, 0, tag.length);
+			writeTag = false;
+		}
+		// Encode the header
+		FrameEncoder.encodeHeader(plaintext, finalFrame, payloadLength,
+				paddingLength);
+		// Encrypt and authenticate the header
+		FrameEncoder.encodeIv(iv, frameNumber, true);
+		FrameEncoder.encodeIv(aad, frameNumber, true);
+		try {
+			frameCipher.init(true, frameKey, iv, aad);
+			int encrypted = frameCipher.process(plaintext, 0,
+					HEADER_LENGTH - MAC_LENGTH, ciphertext, 0);
+			if(encrypted != HEADER_LENGTH) throw new RuntimeException();
+		} catch(GeneralSecurityException badCipher) {
+			throw new RuntimeException(badCipher);
+		}
+		// Combine the payload and padding
+		System.arraycopy(payload, 0, plaintext, HEADER_LENGTH, payloadLength);
+		for(int i = 0; i < paddingLength; i++)
+			plaintext[HEADER_LENGTH + payloadLength + i] = 0;
+		// Encrypt and authenticate the payload and padding
+		FrameEncoder.encodeIv(iv, frameNumber, false);
+		FrameEncoder.encodeIv(aad, frameNumber, false);
+		try {
+			frameCipher.init(true, frameKey, iv, aad);
+			int encrypted = frameCipher.process(plaintext, HEADER_LENGTH,
+					payloadLength + paddingLength, ciphertext, HEADER_LENGTH);
+			if(encrypted != payloadLength + paddingLength + MAC_LENGTH)
+				throw new RuntimeException();
+		} catch(GeneralSecurityException badCipher) {
+			throw new RuntimeException(badCipher);
+		}
+		// Write the frame
+		out.write(ciphertext, 0, HEADER_LENGTH + payloadLength + paddingLength
+				+ MAC_LENGTH);
+		frameNumber++;
+	}
+
+	public void flush() throws IOException {
+		// Write the tag if required
+		if(writeTag) {
+			out.write(tag, 0, tag.length);
+			writeTag = false;
+		}
+		out.flush();
+	}
+}

briar-core/src/org/briarproject/db/Database.java

@@ -152,7 +152,7 @@ interface Database<T> {
 	 * <p>
 	 * Locking: write.
 	 */
-	boolean addTransport(T txn, TransportId t, long maxLatency)
+	boolean addTransport(T txn, TransportId t, int maxLatency)
 			throws DbException;
 
 	/**
@@ -460,7 +460,7 @@ interface Database<T> {
 	 * <p>
 	 * Locking: write.
 	 */
-	RetentionUpdate getRetentionUpdate(T txn, ContactId c, long maxLatency)
+	RetentionUpdate getRetentionUpdate(T txn, ContactId c, int maxLatency)
 			throws DbException;
 
 	/**
@@ -499,7 +499,7 @@ interface Database<T> {
 	 * Locking: write.
 	 */
 	SubscriptionUpdate getSubscriptionUpdate(T txn, ContactId c,
-			long maxLatency) throws DbException;
+			int maxLatency) throws DbException;
 
 	/**
 	 * Returns a collection of transport acks for the given contact, or null if
@@ -511,11 +511,11 @@ interface Database<T> {
 			throws DbException;
 
 	/**
-	 * Returns the maximum latencies of all local transports.
+	 * Returns the maximum latencies of all supported transports.
 	 * <p>
 	 * Locking: read.
 	 */
-	Map<TransportId, Long> getTransportLatencies(T txn) throws DbException;
+	Map<TransportId, Integer> getTransportLatencies(T txn) throws DbException;
 
 	/**
 	 * Returns a collection of transport updates for the given contact and
@@ -525,7 +525,7 @@ interface Database<T> {
 	 * Locking: write.
 	 */
 	Collection<TransportUpdate> getTransportUpdates(T txn, ContactId c,
-			long maxLatency) throws DbException;
+			int maxLatency) throws DbException;
 
 	/**
 	 * Returns the number of unread messages in each subscribed group.
@@ -798,6 +798,6 @@ interface Database<T> {
 	 * <p>
 	 * Locking: write.
 	 */
-	void updateExpiryTime(T txn, ContactId c, MessageId m, long maxLatency)
+	void updateExpiryTime(T txn, ContactId c, MessageId m, int maxLatency)
 			throws DbException;
 }

briar-core/src/org/briarproject/db/DatabaseComponentImpl.java

@@ -314,7 +314,7 @@ DatabaseCleaner.Callback {
 		}
 	}
 
-	public boolean addTransport(TransportId t, long maxLatency)
+	public boolean addTransport(TransportId t, int maxLatency)
 			throws DbException {
 		boolean added;
 		lock.writeLock().lock();
@@ -357,7 +357,7 @@ DatabaseCleaner.Callback {
 	}
 
 	public Collection<byte[]> generateBatch(ContactId c, int maxLength,
-			long maxLatency) throws DbException {
+			int maxLatency) throws DbException {
 		Collection<MessageId> ids;
 		List<byte[]> messages = new ArrayList<byte[]>();
 		lock.writeLock().lock();
@@ -384,7 +384,7 @@ DatabaseCleaner.Callback {
 		return Collections.unmodifiableList(messages);
 	}
 
-	public Offer generateOffer(ContactId c, int maxMessages, long maxLatency)
+	public Offer generateOffer(ContactId c, int maxMessages, int maxLatency)
 			throws DbException {
 		Collection<MessageId> ids;
 		lock.writeLock().lock();
@@ -432,7 +432,7 @@ DatabaseCleaner.Callback {
 	}
 
 	public Collection<byte[]> generateRequestedBatch(ContactId c, int maxLength,
-			long maxLatency) throws DbException {
+			int maxLatency) throws DbException {
 		Collection<MessageId> ids;
 		List<byte[]> messages = new ArrayList<byte[]>();
 		lock.writeLock().lock();
@@ -478,7 +478,7 @@ DatabaseCleaner.Callback {
 		}
 	}
 
-	public RetentionUpdate generateRetentionUpdate(ContactId c, long maxLatency)
+	public RetentionUpdate generateRetentionUpdate(ContactId c, int maxLatency)
 			throws DbException {
 		lock.writeLock().lock();
 		try {
@@ -519,7 +519,7 @@ DatabaseCleaner.Callback {
 	}
 
 	public SubscriptionUpdate generateSubscriptionUpdate(ContactId c,
-			long maxLatency) throws DbException {
+			int maxLatency) throws DbException {
 		lock.writeLock().lock();
 		try {
 			T txn = db.startTransaction();
@@ -560,7 +560,7 @@ DatabaseCleaner.Callback {
 	}
 
 	public Collection<TransportUpdate> generateTransportUpdates(ContactId c,
-			long maxLatency) throws DbException {
+			int maxLatency) throws DbException {
 		lock.writeLock().lock();
 		try {
 			T txn = db.startTransaction();
@@ -932,12 +932,13 @@ DatabaseCleaner.Callback {
 		}
 	}
 
-	public Map<TransportId, Long> getTransportLatencies() throws DbException {
+	public Map<TransportId, Integer> getTransportLatencies()
+			throws DbException {
 		lock.readLock().lock();
 		try {
 			T txn = db.startTransaction();
 			try {
-				Map<TransportId, Long> latencies =
+				Map<TransportId, Integer> latencies =
 						db.getTransportLatencies(txn);
 				db.commitTransaction(txn);
 				return latencies;

briar-core/src/org/briarproject/db/ExponentialBackoff.java

@@ -11,13 +11,12 @@ class ExponentialBackoff {
 	 * transmissions increases exponentially. If the expiry time would
 	 * be greater than Long.MAX_VALUE, Long.MAX_VALUE is returned.
 	 */
-	static long calculateExpiry(long now, long maxLatency, int txCount) {
+	static long calculateExpiry(long now, int maxLatency, int txCount) {
 		if(now < 0) throw new IllegalArgumentException();
 		if(maxLatency <= 0) throw new IllegalArgumentException();
 		if(txCount < 0) throw new IllegalArgumentException();
 		// The maximum round-trip time is twice the maximum latency
-		long roundTrip = maxLatency * 2;
-		if(roundTrip < 0) return Long.MAX_VALUE;
+		long roundTrip = maxLatency * 2L;
 		// The interval between transmissions is roundTrip * 2 ^ txCount
 		for(int i = 0; i < txCount; i++) {
 			roundTrip <<= 1;

briar-core/src/org/briarproject/db/H2Database.java

@@ -81,34 +81,18 @@ class H2Database extends JdbcDatabase {
 		}
 	}
 
+	@Override
 	protected Connection createConnection() throws SQLException {
 		byte[] key = config.getEncryptionKey();
 		if(key == null) throw new IllegalStateException();
-		char[] password = encodePassword(key);
 		Properties props = new Properties();
 		props.setProperty("user", "user");
-		props.put("password", password);
-		try {
-			return DriverManager.getConnection(url, props);
-		} finally {
-			for(int i = 0; i < password.length; i++) password[i] = 0;
-		}
-	}
-
-	private char[] encodePassword(byte[] key) {
-		// The database password is the hex-encoded key
-		char[] hex = StringUtils.toHexChars(key);
-		// Separate the database password from the user password with a space
-		char[] user = "password".toCharArray();
-		char[] combined = new char[hex.length + 1 + user.length];
-		System.arraycopy(hex, 0, combined, 0, hex.length);
-		combined[hex.length] = ' ';
-		System.arraycopy(user, 0, combined, hex.length + 1, user.length);
-		// Erase the hex-encoded key
-		for(int i = 0; i < hex.length; i++) hex[i] = 0;
-		return combined;
+		// Separate the file password from the user password with a space
+		props.put("password", StringUtils.toHexString(key) + " password");
+		return DriverManager.getConnection(url, props);
 	}
 
+	@Override
 	protected void flushBuffersToDisk(Statement s) throws SQLException {
 		// FIXME: Remove this after implementing BTPv2?
 		s.execute("CHECKPOINT SYNC");

briar-core/src/org/briarproject/db/JdbcDatabase.java

@@ -65,8 +65,8 @@ import org.briarproject.api.transport.TemporarySecret;
  */
 abstract class JdbcDatabase implements Database<Connection> {
 
-	private static final int SCHEMA_VERSION = 6;
-	private static final int MIN_SCHEMA_VERSION = 5;
+	private static final int SCHEMA_VERSION = 7;
+	private static final int MIN_SCHEMA_VERSION = 7;
 
 	private static final String CREATE_SETTINGS =
 			"CREATE TABLE settings"
@@ -216,7 +216,7 @@ abstract class JdbcDatabase implements Database<Connection> {
 	private static final String CREATE_TRANSPORTS =
 			"CREATE TABLE transports"
 					+ " (transportId VARCHAR NOT NULL,"
-					+ " maxLatency BIGINT NOT NULL,"
+					+ " maxLatency INT NOT NULL,"
 					+ " PRIMARY KEY (transportId))";
 
 	private static final String CREATE_TRANSPORT_CONFIGS =
@@ -897,7 +897,7 @@ abstract class JdbcDatabase implements Database<Connection> {
 		}
 	}
 
-	public boolean addTransport(Connection txn, TransportId t, long maxLatency)
+	public boolean addTransport(Connection txn, TransportId t, int maxLatency)
 			throws DbException {
 		PreparedStatement ps = null;
 		ResultSet rs = null;
@@ -2055,7 +2055,7 @@ abstract class JdbcDatabase implements Database<Connection> {
 	}
 
 	public RetentionUpdate getRetentionUpdate(Connection txn, ContactId c,
-			long maxLatency) throws DbException {
+			int maxLatency) throws DbException {
 		long now = clock.currentTimeMillis();
 		PreparedStatement ps = null;
 		ResultSet rs = null;
@@ -2233,7 +2233,7 @@ abstract class JdbcDatabase implements Database<Connection> {
 	}
 
 	public SubscriptionUpdate getSubscriptionUpdate(Connection txn, ContactId c,
-			long maxLatency) throws DbException {
+			int maxLatency) throws DbException {
 		long now = clock.currentTimeMillis();
 		PreparedStatement ps = null;
 		ResultSet rs = null;
@@ -2327,7 +2327,7 @@ abstract class JdbcDatabase implements Database<Connection> {
 		}
 	}
 
-	public Map<TransportId, Long> getTransportLatencies(Connection txn)
+	public Map<TransportId, Integer> getTransportLatencies(Connection txn)
 			throws DbException {
 		PreparedStatement ps = null;
 		ResultSet rs = null;
@@ -2335,10 +2335,11 @@ abstract class JdbcDatabase implements Database<Connection> {
 			String sql = "SELECT transportId, maxLatency FROM transports";
 			ps = txn.prepareStatement(sql);
 			rs = ps.executeQuery();
-			Map<TransportId, Long> latencies = new HashMap<TransportId, Long>();
+			Map<TransportId, Integer> latencies =
+					new HashMap<TransportId, Integer>();
 			while(rs.next()){
 				TransportId id = new TransportId(rs.getString(1));
-				latencies.put(id, rs.getLong(2));
+				latencies.put(id, rs.getInt(2));
 			}
 			rs.close();
 			ps.close();
@@ -2351,7 +2352,7 @@ abstract class JdbcDatabase implements Database<Connection> {
 	}
 
 	public Collection<TransportUpdate> getTransportUpdates(Connection txn,
-			ContactId c, long maxLatency) throws DbException {
+			ContactId c, int maxLatency) throws DbException {
 		long now = clock.currentTimeMillis();
 		PreparedStatement ps = null;
 		ResultSet rs = null;
@@ -3332,7 +3333,7 @@ abstract class JdbcDatabase implements Database<Connection> {
 	}
 
 	public void updateExpiryTime(Connection txn, ContactId c, MessageId m,
-			long maxLatency) throws DbException {
+			int maxLatency) throws DbException {
 		PreparedStatement ps = null;
 		ResultSet rs = null;
 		try {

briar-core/src/org/briarproject/invitation/AliceConnector.java

@@ -29,9 +29,7 @@ import org.briarproject.api.serial.ReaderFactory;
 import org.briarproject.api.serial.Writer;
 import org.briarproject.api.serial.WriterFactory;
 import org.briarproject.api.system.Clock;
-import org.briarproject.api.transport.StreamReader;
 import org.briarproject.api.transport.StreamReaderFactory;
-import org.briarproject.api.transport.StreamWriter;
 import org.briarproject.api.transport.StreamWriterFactory;
 
 /** A connection thread for the peer being Alice in the invitation protocol. */
@@ -51,9 +49,9 @@ class AliceConnector extends Connector {
 			Map<TransportId, TransportProperties> localProps,
 			PseudoRandom random) {
 		super(crypto, db, readerFactory, writerFactory, streamReaderFactory,
-				streamWriterFactory, authorFactory, groupFactory,
-				keyManager, connectionManager, clock, reuseConnection, group,
-				plugin, localAuthor, localProps, random);
+				streamWriterFactory, authorFactory, groupFactory, keyManager,
+				connectionManager, clock, reuseConnection, group, plugin,
+				localAuthor, localProps, random);
 	}
 
 	@Override
@@ -130,15 +128,16 @@ class AliceConnector extends Connector {
 		// Confirmation succeeded - upgrade to a secure connection
 		if(LOG.isLoggable(INFO))
 			LOG.info(pluginName + " confirmation succeeded");
-		int maxFrameLength = conn.getReader().getMaxFrameLength();
-		StreamReader streamReader =
+		// Create the readers
+		InputStream streamReader =
 				streamReaderFactory.createInvitationStreamReader(in,
-						maxFrameLength, secret, false); // Bob's stream
-		r = readerFactory.createReader(streamReader.getInputStream());
-		StreamWriter streamWriter =
+						secret, false); // Bob's stream
+		r = readerFactory.createReader(streamReader);
+		// Create the writers
+		OutputStream streamWriter =
 				streamWriterFactory.createInvitationStreamWriter(out,
-						maxFrameLength, secret, true); // Alice's stream
-		w = writerFactory.createWriter(streamWriter.getOutputStream());
+						secret, true); // Alice's stream
+		w = writerFactory.createWriter(streamWriter);
 		// Derive the invitation nonces
 		byte[][] nonces = crypto.deriveInvitationNonces(secret);
 		byte[] aliceNonce = nonces[0], bobNonce = nonces[1];

briar-core/src/org/briarproject/invitation/BobConnector.java

@@ -29,9 +29,7 @@ import org.briarproject.api.serial.ReaderFactory;
 import org.briarproject.api.serial.Writer;
 import org.briarproject.api.serial.WriterFactory;
 import org.briarproject.api.system.Clock;
-import org.briarproject.api.transport.StreamReader;
 import org.briarproject.api.transport.StreamReaderFactory;
-import org.briarproject.api.transport.StreamWriter;
 import org.briarproject.api.transport.StreamWriterFactory;
 
 /** A connection thread for the peer being Bob in the invitation protocol. */
@@ -51,9 +49,9 @@ class BobConnector extends Connector {
 			Map<TransportId, TransportProperties> localProps,
 			PseudoRandom random) {
 		super(crypto, db, readerFactory, writerFactory, streamReaderFactory,
-				streamWriterFactory, authorFactory, groupFactory,
-				keyManager, connectionManager, clock, reuseConnection, group,
-				plugin, localAuthor, localProps, random);
+				streamWriterFactory, authorFactory, groupFactory, keyManager,
+				connectionManager, clock, reuseConnection, group, plugin,
+				localAuthor, localProps, random);
 	}
 
 	@Override
@@ -130,15 +128,16 @@ class BobConnector extends Connector {
 		// Confirmation succeeded - upgrade to a secure connection
 		if(LOG.isLoggable(INFO))
 			LOG.info(pluginName + " confirmation succeeded");
-		int maxFrameLength = conn.getReader().getMaxFrameLength();
-		StreamReader streamReader =
+		// Create the readers
+		InputStream streamReader =
 				streamReaderFactory.createInvitationStreamReader(in,
-						maxFrameLength, secret, true); // Alice's stream
-		r = readerFactory.createReader(streamReader.getInputStream());
-		StreamWriter streamWriter =
+						secret, true); // Alice's stream
+		r = readerFactory.createReader(streamReader);
+		// Create the writers
+		OutputStream streamWriter =
 				streamWriterFactory.createInvitationStreamWriter(out,
-						maxFrameLength, secret, false); // Bob's stream
-		w = writerFactory.createWriter(streamWriter.getOutputStream());
+						secret, false); // Bob's stream
+		w = writerFactory.createWriter(streamWriter);
 		// Derive the nonces
 		byte[][] nonces = crypto.deriveInvitationNonces(secret);
 		byte[] aliceNonce = nonces[0], bobNonce = nonces[1];

briar-core/src/org/briarproject/invitation/Connector.java

@@ -285,7 +285,7 @@ abstract class Connector extends Thread {
 		db.setRemoteProperties(contactId, remoteProps);
 		// Create an endpoint for each transport shared with the contact
 		List<TransportId> ids = new ArrayList<TransportId>();
-		Map<TransportId, Long> latencies = db.getTransportLatencies();
+		Map<TransportId, Integer> latencies = db.getTransportLatencies();
 		for(TransportId id : localProps.keySet()) {
 			if(latencies.containsKey(id) && remoteProps.containsKey(id))
 				ids.add(id);
@@ -296,7 +296,7 @@ abstract class Connector extends Thread {
 		for(int i = 0; i < size; i++) {
 			TransportId id = ids.get(i);
 			Endpoint ep = new Endpoint(contactId, id, epoch, alice);
-			long maxLatency = latencies.get(id);
+			int maxLatency = latencies.get(id);
 			try {
 				db.addEndpoint(ep);
 			} catch(NoSuchTransportException e) {

briar-core/src/org/briarproject/messaging/DuplexOutgoingSession.java

@@ -1,11 +1,11 @@
 package org.briarproject.messaging;
 
+import static java.util.concurrent.TimeUnit.MILLISECONDS;
 import static java.util.logging.Level.INFO;
 import static java.util.logging.Level.WARNING;
 import static org.briarproject.api.messaging.MessagingConstants.MAX_PACKET_LENGTH;
 
 import java.io.IOException;
-import java.io.OutputStream;
 import java.util.Collection;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.Executor;
@@ -36,7 +36,6 @@ import org.briarproject.api.messaging.Ack;
 import org.briarproject.api.messaging.MessagingSession;
 import org.briarproject.api.messaging.Offer;
 import org.briarproject.api.messaging.PacketWriter;
-import org.briarproject.api.messaging.PacketWriterFactory;
 import org.briarproject.api.messaging.Request;
 import org.briarproject.api.messaging.RetentionAck;
 import org.briarproject.api.messaging.RetentionUpdate;
@@ -44,16 +43,18 @@ import org.briarproject.api.messaging.SubscriptionAck;
 import org.briarproject.api.messaging.SubscriptionUpdate;
 import org.briarproject.api.messaging.TransportAck;
 import org.briarproject.api.messaging.TransportUpdate;
+import org.briarproject.api.system.Clock;
 
 /**
  * An outgoing {@link org.briarproject.api.messaging.MessagingSession
  * MessagingSession} suitable for duplex transports. The session offers
  * messages before sending them, keeps its output stream open when there are no
- * more packets to send, and reacts to events that make packets available to
- * send.
+ * packets to send, and reacts to events that make packets available to send.
  */
 class DuplexOutgoingSession implements MessagingSession, EventListener {
 
+	// Check for retransmittable packets once every 60 seconds
+	private static final int RETX_QUERY_INTERVAL = 60 * 1000;
 	private static final Logger LOG =
 			Logger.getLogger(DuplexOutgoingSession.class.getName());
 
@@ -65,27 +66,32 @@ class DuplexOutgoingSession implements MessagingSession, EventListener {
 	private final DatabaseComponent db;
 	private final Executor dbExecutor;
 	private final EventBus eventBus;
+	private final Clock clock;
 	private final ContactId contactId;
 	private final TransportId transportId;
-	private final long maxLatency;
-	private final OutputStream out;
+	private final int maxLatency, maxIdleTime;
 	private final PacketWriter packetWriter;
 	private final BlockingQueue<ThrowingRunnable<IOException>> writerTasks;
 
+	// The following must only be accessed on the writer thread
+	private long nextKeepalive = 0, nextRetxQuery = 0;
+	private boolean dataToFlush = true;
+
 	private volatile boolean interrupted = false;
 
 	DuplexOutgoingSession(DatabaseComponent db, Executor dbExecutor,
-			EventBus eventBus, PacketWriterFactory packetWriterFactory,
-			ContactId contactId, TransportId transportId, long maxLatency,
-			OutputStream out) {
+			EventBus eventBus, Clock clock, ContactId contactId,
+			TransportId transportId, int maxLatency, int maxIdleTime,
+			PacketWriter packetWriter) {
 		this.db = db;
 		this.dbExecutor = dbExecutor;
 		this.eventBus = eventBus;
+		this.clock = clock;
 		this.contactId = contactId;
 		this.transportId = transportId;
 		this.maxLatency = maxLatency;
-		this.out = out;
-		packetWriter = packetWriterFactory.createPacketWriter(out);
+		this.maxIdleTime = maxIdleTime;
+		this.packetWriter = packetWriter;
 		writerTasks = new LinkedBlockingQueue<ThrowingRunnable<IOException>>();
 	}
 
@@ -103,16 +109,50 @@ class DuplexOutgoingSession implements MessagingSession, EventListener {
 			dbExecutor.execute(new GenerateBatch());
 			dbExecutor.execute(new GenerateOffer());
 			dbExecutor.execute(new GenerateRequest());
+			long now = clock.currentTimeMillis();
+			nextKeepalive = now + maxIdleTime;
+			nextRetxQuery = now + RETX_QUERY_INTERVAL;
 			// Write packets until interrupted
 			try {
 				while(!interrupted) {
-					// Flush the stream if it's going to be idle
-					if(writerTasks.isEmpty()) out.flush();
-					ThrowingRunnable<IOException> task = writerTasks.take();
-					if(task == CLOSE) break;
-					task.run();
+					// Work out how long we should wait for a packet
+					now = clock.currentTimeMillis();
+					long wait = Math.min(nextKeepalive, nextRetxQuery) - now;
+					if(wait < 0) wait = 0;
+					// Flush any unflushed data if we're going to wait
+					if(wait > 0 && dataToFlush && writerTasks.isEmpty()) {
+						packetWriter.flush();
+						dataToFlush = false;
+						nextKeepalive = now + maxIdleTime;
+					}
+					// Wait for a packet
+					ThrowingRunnable<IOException> task = writerTasks.poll(wait,
+							MILLISECONDS);
+					if(task == null) {
+						now = clock.currentTimeMillis();
+						if(now >= nextRetxQuery) {
+							// Check for retransmittable packets
+							dbExecutor.execute(new GenerateTransportUpdates());
+							dbExecutor.execute(new GenerateSubscriptionUpdate());
+							dbExecutor.execute(new GenerateRetentionUpdate());
+							dbExecutor.execute(new GenerateBatch());
+							dbExecutor.execute(new GenerateOffer());
+							nextRetxQuery = now + RETX_QUERY_INTERVAL;
+						}
+						if(now >= nextKeepalive) {
+							// Flush the stream to keep it alive
+							packetWriter.flush();
+							dataToFlush = false;
+							nextKeepalive = now + maxIdleTime;
+						}
+					} else if(task == CLOSE) {
+						break;
+					} else {
+						task.run();
+						dataToFlush = true;
+					}
 				}
-				out.flush();
+				if(dataToFlush) packetWriter.flush();
 			} catch(InterruptedException e) {
 				LOG.info("Interrupted while waiting for a packet to write");
 				Thread.currentThread().interrupt();

briar-core/src/org/briarproject/messaging/IncomingSession.java

@@ -3,7 +3,6 @@ package org.briarproject.messaging;
 import static java.util.logging.Level.WARNING;
 
 import java.io.IOException;
-import java.io.InputStream;
 import java.security.GeneralSecurityException;
 import java.util.concurrent.Executor;
 import java.util.logging.Logger;
@@ -25,7 +24,6 @@ import org.briarproject.api.messaging.MessageVerifier;
 import org.briarproject.api.messaging.MessagingSession;
 import org.briarproject.api.messaging.Offer;
 import org.briarproject.api.messaging.PacketReader;
-import org.briarproject.api.messaging.PacketReaderFactory;
 import org.briarproject.api.messaging.Request;
 import org.briarproject.api.messaging.RetentionAck;
 import org.briarproject.api.messaging.RetentionUpdate;
@@ -56,9 +54,8 @@ class IncomingSession implements MessagingSession, EventListener {
 
 	IncomingSession(DatabaseComponent db, Executor dbExecutor,
 			Executor cryptoExecutor, EventBus eventBus,
-			MessageVerifier messageVerifier,
-			PacketReaderFactory packetReaderFactory, ContactId contactId,
-			TransportId transportId, InputStream in) {
+			MessageVerifier messageVerifier, ContactId contactId,
+			TransportId transportId, PacketReader packetReader) {
 		this.db = db;
 		this.dbExecutor = dbExecutor;
 		this.cryptoExecutor = cryptoExecutor;
@@ -66,7 +63,7 @@ class IncomingSession implements MessagingSession, EventListener {
 		this.messageVerifier = messageVerifier;
 		this.contactId = contactId;
 		this.transportId = transportId;
-		packetReader = packetReaderFactory.createPacketReader(in);
+		this.packetReader = packetReader;
 	}
 
 	public void run() throws IOException {

briar-core/src/org/briarproject/messaging/MessagingSessionFactoryImpl.java

@@ -15,8 +15,11 @@ import org.briarproject.api.event.EventBus;
 import org.briarproject.api.messaging.MessageVerifier;
 import org.briarproject.api.messaging.MessagingSession;
 import org.briarproject.api.messaging.MessagingSessionFactory;
+import org.briarproject.api.messaging.PacketReader;
 import org.briarproject.api.messaging.PacketReaderFactory;
+import org.briarproject.api.messaging.PacketWriter;
 import org.briarproject.api.messaging.PacketWriterFactory;
+import org.briarproject.api.system.Clock;
 
 class MessagingSessionFactoryImpl implements MessagingSessionFactory {
 
@@ -24,6 +27,7 @@ class MessagingSessionFactoryImpl implements MessagingSessionFactory {
 	private final Executor dbExecutor, cryptoExecutor;
 	private final MessageVerifier messageVerifier;
 	private final EventBus eventBus;
+	private final Clock clock;
 	private final PacketReaderFactory packetReaderFactory;
 	private final PacketWriterFactory packetWriterFactory;
 
@@ -31,7 +35,7 @@ class MessagingSessionFactoryImpl implements MessagingSessionFactory {
 	MessagingSessionFactoryImpl(DatabaseComponent db,
 			@DatabaseExecutor Executor dbExecutor,
 			@CryptoExecutor Executor cryptoExecutor,
-			MessageVerifier messageVerifier, EventBus eventBus,
+			MessageVerifier messageVerifier, EventBus eventBus, Clock clock,
 			PacketReaderFactory packetReaderFactory,
 			PacketWriterFactory packetWriterFactory) {
 		this.db = db;
@@ -39,21 +43,29 @@ class MessagingSessionFactoryImpl implements MessagingSessionFactory {
 		this.cryptoExecutor = cryptoExecutor;
 		this.messageVerifier = messageVerifier;
 		this.eventBus = eventBus;
+		this.clock = clock;
 		this.packetReaderFactory = packetReaderFactory;
 		this.packetWriterFactory = packetWriterFactory;
 	}
 
 	public MessagingSession createIncomingSession(ContactId c, TransportId t,
 			InputStream in) {
+		PacketReader packetReader = packetReaderFactory.createPacketReader(in);
 		return new IncomingSession(db, dbExecutor, cryptoExecutor, eventBus,
-				messageVerifier, packetReaderFactory, c, t, in);
+				messageVerifier, c, t, packetReader);
 	}
 
-	public MessagingSession createOutgoingSession(ContactId c, TransportId t,
-			long maxLatency, boolean duplex, OutputStream out) {
-		if(duplex) return new DuplexOutgoingSession(db, dbExecutor, eventBus,
-				packetWriterFactory, c, t, maxLatency, out);
-		else return new SimplexOutgoingSession(db, dbExecutor, eventBus,
-				packetWriterFactory, c, t, maxLatency, out);
+	public MessagingSession createSimplexOutgoingSession(ContactId c,
+			TransportId t, int maxLatency, OutputStream out) {
+		PacketWriter packetWriter = packetWriterFactory.createPacketWriter(out);
+		return new SimplexOutgoingSession(db, dbExecutor, eventBus, c, t,
+				maxLatency, packetWriter);
+	}
+
+	public MessagingSession createDuplexOutgoingSession(ContactId c,
+			TransportId t, int maxLatency, int maxIdleTime, OutputStream out) {
+		PacketWriter packetWriter = packetWriterFactory.createPacketWriter(out);
+		return new DuplexOutgoingSession(db, dbExecutor, eventBus, clock, c, t,
+				maxLatency, maxIdleTime, packetWriter);
 	}
 }

briar-core/src/org/briarproject/messaging/PacketWriterImpl.java

@@ -143,4 +143,8 @@ class PacketWriterImpl implements PacketWriter {
 		w.writeInteger(u.getVersion());
 		w.writeStructEnd();
 	}
+
+	public void flush() throws IOException {
+		out.flush();
+	}
 }

briar-core/src/org/briarproject/messaging/SimplexOutgoingSession.java

@@ -5,7 +5,6 @@ import static java.util.logging.Level.WARNING;
 import static org.briarproject.api.messaging.MessagingConstants.MAX_PACKET_LENGTH;
 
 import java.io.IOException;
-import java.io.OutputStream;
 import java.util.Collection;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.Executor;
@@ -26,7 +25,6 @@ import org.briarproject.api.event.TransportRemovedEvent;
 import org.briarproject.api.messaging.Ack;
 import org.briarproject.api.messaging.MessagingSession;
 import org.briarproject.api.messaging.PacketWriter;
-import org.briarproject.api.messaging.PacketWriterFactory;
 import org.briarproject.api.messaging.RetentionAck;
 import org.briarproject.api.messaging.RetentionUpdate;
 import org.briarproject.api.messaging.SubscriptionAck;
@@ -55,8 +53,7 @@ class SimplexOutgoingSession implements MessagingSession, EventListener {
 	private final EventBus eventBus;
 	private final ContactId contactId;
 	private final TransportId transportId;
-	private final long maxLatency;
-	private final OutputStream out;
+	private final int maxLatency;
 	private final PacketWriter packetWriter;
 	private final AtomicInteger outstandingQueries;
 	private final BlockingQueue<ThrowingRunnable<IOException>> writerTasks;
@@ -64,17 +61,15 @@ class SimplexOutgoingSession implements MessagingSession, EventListener {
 	private volatile boolean interrupted = false;
 
 	SimplexOutgoingSession(DatabaseComponent db, Executor dbExecutor,
-			EventBus eventBus, PacketWriterFactory packetWriterFactory,
-			ContactId contactId, TransportId transportId, long maxLatency,
-			OutputStream out) {
+			EventBus eventBus, ContactId contactId, TransportId transportId,
+			int maxLatency, PacketWriter packetWriter) {
 		this.db = db;
 		this.dbExecutor = dbExecutor;
 		this.eventBus = eventBus;
 		this.contactId = contactId;
 		this.transportId = transportId;
 		this.maxLatency = maxLatency;
-		this.out = out;
-		packetWriter = packetWriterFactory.createPacketWriter(out);
+		this.packetWriter = packetWriter;
 		outstandingQueries = new AtomicInteger(8); // One per type of packet
 		writerTasks = new LinkedBlockingQueue<ThrowingRunnable<IOException>>();
 	}
@@ -98,7 +93,7 @@ class SimplexOutgoingSession implements MessagingSession, EventListener {
 					if(task == CLOSE) break;
 					task.run();
 				}
-				out.flush();
+				packetWriter.flush();
 			} catch(InterruptedException e) {
 				LOG.info("Interrupted while waiting for a packet to write");
 				Thread.currentThread().interrupt();

briar-core/src/org/briarproject/plugins/ConnectionManagerImpl.java

@@ -6,6 +6,7 @@ import static org.briarproject.api.transport.TransportConstants.TAG_LENGTH;
 import java.io.EOFException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.OutputStream;
 import java.util.concurrent.Executor;
 import java.util.logging.Logger;
 
@@ -24,12 +25,9 @@ import org.briarproject.api.plugins.TransportConnectionReader;
 import org.briarproject.api.plugins.TransportConnectionWriter;
 import org.briarproject.api.plugins.duplex.DuplexTransportConnection;
 import org.briarproject.api.transport.StreamContext;
-import org.briarproject.api.transport.StreamReader;
 import org.briarproject.api.transport.StreamReaderFactory;
-import org.briarproject.api.transport.StreamWriter;
 import org.briarproject.api.transport.StreamWriterFactory;
 import org.briarproject.api.transport.TagRecogniser;
-import org.briarproject.util.ByteUtils;
 
 class ConnectionManagerImpl implements ConnectionManager {
 
@@ -96,28 +94,28 @@ class ConnectionManagerImpl implements ConnectionManager {
 
 	private MessagingSession createIncomingSession(StreamContext ctx,
 			TransportConnectionReader r) throws IOException {
-		try {
-			StreamReader streamReader = streamReaderFactory.createStreamReader(
-					r.getInputStream(), r.getMaxFrameLength(), ctx);
-			return messagingSessionFactory.createIncomingSession(
-					ctx.getContactId(), ctx.getTransportId(),
-					streamReader.getInputStream());
-		} finally {
-			ByteUtils.erase(ctx.getSecret());
-		}
+		InputStream streamReader = streamReaderFactory.createStreamReader(
+				r.getInputStream(), ctx);
+		return messagingSessionFactory.createIncomingSession(
+				ctx.getContactId(), ctx.getTransportId(), streamReader);
 	}
 
-	private MessagingSession createOutgoingSession(StreamContext ctx,
-			TransportConnectionWriter w, boolean duplex) throws IOException {
-		try {
-			StreamWriter streamWriter = streamWriterFactory.createStreamWriter(
-					w.getOutputStream(), w.getMaxFrameLength(), ctx);
-			return messagingSessionFactory.createOutgoingSession(
-					ctx.getContactId(), ctx.getTransportId(), w.getMaxLatency(),
-					duplex, streamWriter.getOutputStream());
-		} finally {
-			ByteUtils.erase(ctx.getSecret());
-		}
+	private MessagingSession createSimplexOutgoingSession(StreamContext ctx,
+			TransportConnectionWriter w) throws IOException {
+		OutputStream streamWriter = streamWriterFactory.createStreamWriter(
+				w.getOutputStream(), ctx);
+		return messagingSessionFactory.createSimplexOutgoingSession(
+				ctx.getContactId(), ctx.getTransportId(), w.getMaxLatency(),
+				streamWriter);
+	}
+
+	private MessagingSession createDuplexOutgoingSession(StreamContext ctx,
+			TransportConnectionWriter w) throws IOException {
+		OutputStream streamWriter = streamWriterFactory.createStreamWriter(
+				w.getOutputStream(), ctx);
+		return messagingSessionFactory.createDuplexOutgoingSession(
+				ctx.getContactId(), ctx.getTransportId(), w.getMaxLatency(),
+				w.getMaxIdleTime(), streamWriter);
 	}
 
 	private class ManageIncomingSimplexConnection implements Runnable {
@@ -199,7 +197,7 @@ class ConnectionManagerImpl implements ConnectionManager {
 			connectionRegistry.registerConnection(contactId, transportId);
 			try {
 				// Create and run the outgoing session
-				createOutgoingSession(ctx, writer, false).run();
+				createSimplexOutgoingSession(ctx, writer).run();
 				disposeWriter(false);
 			} catch(IOException e) {
 				if(LOG.isLoggable(WARNING)) LOG.log(WARNING, e.toString(), e);
@@ -287,7 +285,7 @@ class ConnectionManagerImpl implements ConnectionManager {
 			}
 			try {
 				// Create and run the outgoing session
-				outgoingSession = createOutgoingSession(ctx, writer, true);
+				outgoingSession = createDuplexOutgoingSession(ctx, writer);
 				outgoingSession.run();
 				disposeWriter(false);
 			} catch(IOException e) {
@@ -353,7 +351,7 @@ class ConnectionManagerImpl implements ConnectionManager {
 			});
 			try {
 				// Create and run the outgoing session
-				outgoingSession = createOutgoingSession(ctx, writer, true);
+				outgoingSession = createDuplexOutgoingSession(ctx, writer);
 				outgoingSession.run();
 				disposeWriter(false);
 			} catch(IOException e) {

briar-core/src/org/briarproject/plugins/file/FilePlugin.java

@@ -28,8 +28,7 @@ public abstract class FilePlugin implements SimplexPlugin {
 	protected final Executor ioExecutor;
 	protected final FileUtils fileUtils;
 	protected final SimplexPluginCallback callback;
-	protected final int maxFrameLength;
-	protected final long maxLatency;
+	protected final int maxLatency;
 
 	protected volatile boolean running = false;
 
@@ -39,21 +38,19 @@ public abstract class FilePlugin implements SimplexPlugin {
 	protected abstract void readerFinished(File f);
 
 	protected FilePlugin(Executor ioExecutor, FileUtils fileUtils,
-			SimplexPluginCallback callback, int maxFrameLength,
-			long maxLatency) {
+			SimplexPluginCallback callback, int maxLatency) {
 		this.ioExecutor = ioExecutor;
 		this.fileUtils = fileUtils;
 		this.callback = callback;
-		this.maxFrameLength = maxFrameLength;
 		this.maxLatency = maxLatency;
 	}
 
-	public int getMaxFrameLength() {
-		return maxFrameLength;
+	public int getMaxLatency() {
+		return maxLatency;
 	}
 
-	public long getMaxLatency() {
-		return maxLatency;
+	public int getMaxIdleTime() {
+		return Integer.MAX_VALUE; // We don't need keepalives
 	}
 
 	public boolean isRunning() {

briar-core/src/org/briarproject/plugins/file/FileTransportReader.java

@@ -24,10 +24,6 @@ class FileTransportReader implements TransportConnectionReader {
 		this.plugin = plugin;
 	}
 
-	public int getMaxFrameLength() {
-		return plugin.getMaxFrameLength();
-	}
-
 	public long getMaxLatency() {
 		return plugin.getMaxLatency();
 	}

briar-core/src/org/briarproject/plugins/file/FileTransportWriter.java

@@ -27,12 +27,12 @@ class FileTransportWriter implements TransportConnectionWriter {
 		this.plugin = plugin;
 	}
 
-	public int getMaxFrameLength() {
-		return plugin.getMaxFrameLength();
+	public int getMaxLatency() {
+		return plugin.getMaxLatency();
 	}
 
-	public long getMaxLatency() {
-		return plugin.getMaxLatency();
+	public int getMaxIdleTime() {
+		return plugin.getMaxIdleTime();
 	}
 
 	public long getCapacity() {

briar-core/src/org/briarproject/plugins/tcp/LanTcpPlugin.java

@@ -17,9 +17,8 @@ class LanTcpPlugin extends TcpPlugin {
 	static final TransportId ID = new TransportId("lan");
 
 	LanTcpPlugin(Executor ioExecutor, DuplexPluginCallback callback,
-			int maxFrameLength, long maxLatency, long pollingInterval) {
-		super(ioExecutor, callback, maxFrameLength, maxLatency,
-				pollingInterval);
+			int maxLatency, int maxIdleTime, int pollingInterval) {
+		super(ioExecutor, callback, maxLatency, maxIdleTime, pollingInterval);
 	}
 
 	public TransportId getId() {

briar-core/src/org/briarproject/plugins/tcp/LanTcpPluginFactory.java

@@ -9,9 +9,9 @@ import org.briarproject.api.plugins.duplex.DuplexPluginFactory;
 
 public class LanTcpPluginFactory implements DuplexPluginFactory {
 
-	private static final int MAX_FRAME_LENGTH = 1024;
-	private static final long MAX_LATENCY = 60 * 1000; // 1 minute
-	private static final long POLLING_INTERVAL = 60 * 1000; // 1 minute
+	private static final int MAX_LATENCY = 30 * 1000; // 30 seconds
+	private static final int MAX_IDLE_TIME = 30 * 1000; // 30 seconds
+	private static final int POLLING_INTERVAL = 3 * 60 * 1000; // 3 minutes
 
 	private final Executor ioExecutor;
 
@@ -24,7 +24,7 @@ public class LanTcpPluginFactory implements DuplexPluginFactory {
 	}
 
 	public DuplexPlugin createPlugin(DuplexPluginCallback callback) {
-		return new LanTcpPlugin(ioExecutor, callback, MAX_FRAME_LENGTH,
-				MAX_LATENCY, POLLING_INTERVAL);
+		return new LanTcpPlugin(ioExecutor, callback,  MAX_LATENCY,
+				MAX_IDLE_TIME, POLLING_INTERVAL);
 	}
 }

briar-core/src/org/briarproject/plugins/tcp/TcpPlugin.java

@@ -37,8 +37,7 @@ abstract class TcpPlugin implements DuplexPlugin {
 
 	protected final Executor ioExecutor;
 	protected final DuplexPluginCallback callback;
-	protected final int maxFrameLength;
-	protected final long maxLatency, pollingInterval;
+	protected final int maxLatency, maxIdleTime, pollingInterval, socketTimeout;
 
 	protected volatile boolean running = false;
 	protected volatile ServerSocket socket = null;
@@ -53,22 +52,25 @@ abstract class TcpPlugin implements DuplexPlugin {
 	protected abstract boolean isConnectable(InetSocketAddress remote);
 
 	protected TcpPlugin(Executor ioExecutor, DuplexPluginCallback callback,
-			int maxFrameLength, long maxLatency, long pollingInterval) {
+			int maxLatency, int maxIdleTime, int pollingInterval) {
 		this.ioExecutor = ioExecutor;
 		this.callback = callback;
-		this.maxFrameLength = maxFrameLength;
 		this.maxLatency = maxLatency;
+		this.maxIdleTime = maxIdleTime;
 		this.pollingInterval = pollingInterval;
+		if(maxIdleTime > Integer.MAX_VALUE / 2)
+			socketTimeout = Integer.MAX_VALUE;
+		else socketTimeout = maxIdleTime * 2;
 	}
 
-	public int getMaxFrameLength() {
-		return maxFrameLength;
-	}
-
-	public long getMaxLatency() {
+	public int getMaxLatency() {
 		return maxLatency;
 	}
 
+	public int getMaxIdleTime() {
+		return maxIdleTime;
+	}
+
 	public boolean start() {
 		running = true;
 		bind();
@@ -136,6 +138,7 @@ abstract class TcpPlugin implements DuplexPlugin {
 			Socket s;
 			try {
 				s = socket.accept();
+				s.setSoTimeout(socketTimeout);
 			} catch(IOException e) {
 				// This is expected when the socket is closed
 				if(LOG.isLoggable(INFO)) LOG.info(e.toString());
@@ -161,7 +164,7 @@ abstract class TcpPlugin implements DuplexPlugin {
 		return true;
 	}
 
-	public long getPollingInterval() {
+	public int getPollingInterval() {
 		return pollingInterval;
 	}
 
@@ -195,6 +198,7 @@ abstract class TcpPlugin implements DuplexPlugin {
 		try {
 			if(LOG.isLoggable(INFO)) LOG.info("Connecting to " + remote);
 			s.connect(remote);
+			s.setSoTimeout(socketTimeout);
 			if(LOG.isLoggable(INFO)) LOG.info("Connected to " + remote);
 			return new TcpTransportConnection(this, s);
 		} catch(IOException e) {

briar-core/src/org/briarproject/plugins/tcp/TcpTransportConnection.java

@@ -38,10 +38,6 @@ class TcpTransportConnection implements DuplexTransportConnection {
 
 	private class Reader implements TransportConnectionReader {
 
-		public int getMaxFrameLength() {
-			return plugin.getMaxFrameLength();
-		}
-
 		public long getMaxLatency() {
 			return plugin.getMaxLatency();
 		}
@@ -59,12 +55,12 @@ class TcpTransportConnection implements DuplexTransportConnection {
 
 	private class Writer implements TransportConnectionWriter {
 
-		public int getMaxFrameLength() {
-			return plugin.getMaxFrameLength();
+		public int getMaxLatency() {
+			return plugin.getMaxLatency();
 		}
 
-		public long getMaxLatency() {
-			return plugin.getMaxLatency();
+		public int getMaxIdleTime() {
+			return plugin.getMaxIdleTime();
 		}
 
 		public long getCapacity() {

briar-core/src/org/briarproject/plugins/tcp/WanTcpPlugin.java

@@ -20,11 +20,10 @@ class WanTcpPlugin extends TcpPlugin {
 
 	private volatile MappingResult mappingResult;
 
-	WanTcpPlugin(Executor ioExecutor, DuplexPluginCallback callback,
-			int maxFrameLength, long maxLatency, long pollingInterval,
-			PortMapper portMapper) {
-		super(ioExecutor, callback, maxFrameLength, maxLatency,
-				pollingInterval);
+	WanTcpPlugin(Executor ioExecutor, PortMapper portMapper,
+			DuplexPluginCallback callback, int maxLatency, int maxIdleTime,
+			int pollingInterval) {
+		super(ioExecutor, callback, maxLatency, maxIdleTime, pollingInterval);
 		this.portMapper = portMapper;
 	}
 

briar-core/src/org/briarproject/plugins/tcp/WanTcpPluginFactory.java

@@ -10,9 +10,9 @@ import org.briarproject.api.plugins.duplex.DuplexPluginFactory;
 
 public class WanTcpPluginFactory implements DuplexPluginFactory {
 
-	private static final int MAX_FRAME_LENGTH = 1024;
-	private static final long MAX_LATENCY = 60 * 1000; // 1 minute
-	private static final long POLLING_INTERVAL = 5 * 60 * 1000; // 5 minutes
+	private static final int MAX_LATENCY = 30 * 1000; // 30 seconds
+	private static final int MAX_IDLE_TIME = 30 * 1000; // 30 seconds
+	private static final int POLLING_INTERVAL = 5 * 60 * 1000; // 5 minutes
 
 	private final Executor ioExecutor;
 	private final ShutdownManager shutdownManager;
@@ -28,8 +28,7 @@ public class WanTcpPluginFactory implements DuplexPluginFactory {
 	}
 
 	public DuplexPlugin createPlugin(DuplexPluginCallback callback) {
-		return new WanTcpPlugin(ioExecutor, callback, MAX_FRAME_LENGTH,
-				MAX_LATENCY, POLLING_INTERVAL,
-				new PortMapperImpl(shutdownManager));
+		return new WanTcpPlugin(ioExecutor, new PortMapperImpl(shutdownManager),
+				callback, MAX_LATENCY, MAX_IDLE_TIME, POLLING_INTERVAL);
 	}
 }

briar-core/src/org/briarproject/transport/FrameReader.java

@@ -1,12 +0,0 @@
-package org.briarproject.transport;
-
-import java.io.IOException;
-
-interface FrameReader {
-
-	/**
-	 * Reads a frame into the given buffer and returns its payload length, or
-	 * -1 if no more frames can be read from the connection.
-	 */
-	int readFrame(byte[] frame) throws IOException;
-}

briar-core/src/org/briarproject/transport/FrameWriter.java

@@ -1,13 +0,0 @@
-package org.briarproject.transport;
-
-import java.io.IOException;
-
-interface FrameWriter {
-
-	/** Writes the given frame. */
-	void writeFrame(byte[] frame, int payloadLength, boolean finalFrame)
-			throws IOException;
-
-	/** Flushes the stream. */
-	void flush() throws IOException;
-}

briar-core/src/org/briarproject/transport/IncomingEncryptionLayer.java

@@ -1,83 +0,0 @@
-package org.briarproject.transport;
-
-import static org.briarproject.api.transport.TransportConstants.AAD_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.HEADER_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.IV_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH;
-
-import java.io.EOFException;
-import java.io.IOException;
-import java.io.InputStream;
-import java.security.GeneralSecurityException;
-
-import org.briarproject.api.FormatException;
-import org.briarproject.api.crypto.AuthenticatedCipher;
-import org.briarproject.api.crypto.SecretKey;
-
-class IncomingEncryptionLayer implements FrameReader {
-
-	private final InputStream in;
-	private final AuthenticatedCipher frameCipher;
-	private final SecretKey frameKey;
-	private final byte[] iv, aad, ciphertext;
-	private final int frameLength;
-
-	private long frameNumber;
-	private boolean finalFrame;
-
-	IncomingEncryptionLayer(InputStream in, AuthenticatedCipher frameCipher,
-			SecretKey frameKey, int frameLength) {
-		this.in = in;
-		this.frameCipher = frameCipher;
-		this.frameKey = frameKey;
-		this.frameLength = frameLength;
-		iv = new byte[IV_LENGTH];
-		aad = new byte[AAD_LENGTH];
-		ciphertext = new byte[frameLength];
-		frameNumber = 0;
-		finalFrame = false;
-	}
-
-	public int readFrame(byte[] frame) throws IOException {
-		if(finalFrame) return -1;
-		// Read the frame
-		int ciphertextLength = 0;
-		try {
-			while(ciphertextLength < frameLength) {
-				int read = in.read(ciphertext, ciphertextLength,
-						frameLength - ciphertextLength);
-				if(read == -1) break; // We'll check the length later
-				ciphertextLength += read;
-			}
-		} catch(IOException e) {
-			frameKey.erase();
-			throw e;
-		}
-		int plaintextLength = ciphertextLength - MAC_LENGTH;
-		if(plaintextLength < HEADER_LENGTH) throw new EOFException();
-		// Decrypt and authenticate the frame
-		FrameEncoder.encodeIv(iv, frameNumber);
-		FrameEncoder.encodeAad(aad, frameNumber, plaintextLength);
-		try {
-			frameCipher.init(false, frameKey, iv, aad);
-			int decrypted = frameCipher.doFinal(ciphertext, 0, ciphertextLength,
-					frame, 0);
-			if(decrypted != plaintextLength) throw new RuntimeException();
-		} catch(GeneralSecurityException e) {
-			throw new FormatException();
-		}
-		// Decode and validate the header
-		finalFrame = FrameEncoder.isFinalFrame(frame);
-		if(!finalFrame && ciphertextLength < frameLength)
-			throw new FormatException();
-		int payloadLength = FrameEncoder.getPayloadLength(frame);
-		if(payloadLength > plaintextLength - HEADER_LENGTH)
-			throw new FormatException();
-		// If there's any padding it must be all zeroes
-		for(int i = HEADER_LENGTH + payloadLength; i < plaintextLength; i++) {
-			if(frame[i] != 0) throw new FormatException();
-		}
-		frameNumber++;
-		return payloadLength;
-	}
-}

briar-core/src/org/briarproject/transport/KeyManagerImpl.java

@@ -35,7 +35,6 @@ import org.briarproject.api.transport.Endpoint;
 import org.briarproject.api.transport.StreamContext;
 import org.briarproject.api.transport.TagRecogniser;
 import org.briarproject.api.transport.TemporarySecret;
-import org.briarproject.util.ByteUtils;
 
 // FIXME: Don't make alien calls with a lock held
 class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
@@ -52,7 +51,7 @@ class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
 	private final Clock clock;
 	private final Timer timer;
 
-	private final Map<TransportId, Long> maxLatencies;
+	private final Map<TransportId, Integer> maxLatencies;
 	private final Map<EndpointKey, TemporarySecret> oldSecrets;
 	private final Map<EndpointKey, TemporarySecret> currentSecrets;
 	private final Map<EndpointKey, TemporarySecret> newSecrets;
@@ -69,7 +68,7 @@ class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
 		this.tagRecogniser = tagRecogniser;
 		this.clock = clock;
 		this.timer = timer;
-		maxLatencies = new HashMap<TransportId, Long>();
+		maxLatencies = new HashMap<TransportId, Integer>();
 		oldSecrets = new HashMap<EndpointKey, TemporarySecret>();
 		currentSecrets = new HashMap<EndpointKey, TemporarySecret>();
 		newSecrets = new HashMap<EndpointKey, TemporarySecret>();
@@ -124,10 +123,9 @@ class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
 		Collection<TemporarySecret> dead = new ArrayList<TemporarySecret>();
 		for(TemporarySecret s : secrets) {
 			// Discard the secret if the transport has been removed
-			Long maxLatency = maxLatencies.get(s.getTransportId());
+			Integer maxLatency = maxLatencies.get(s.getTransportId());
 			if(maxLatency == null) {
 				LOG.info("Discarding obsolete secret");
-				ByteUtils.erase(s.getSecret());
 				continue;
 			}
 			long rotation = maxLatency + MAX_CLOCK_DIFFERENCE;
@@ -151,7 +149,7 @@ class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
 		return dead;
 	}
 
-	// Replaces and erases the given secrets and returns any secrets created
+	// Replaces the given secrets and returns any secrets created
 	private Collection<TemporarySecret> replaceDeadSecrets(long now,
 			Collection<TemporarySecret> dead) {
 		// If there are several dead secrets for an endpoint, use the newest
@@ -164,18 +162,16 @@ class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
 				// There's no other secret for this endpoint
 				newest.put(k, s);
 			} else if(exists.getPeriod() < s.getPeriod()) {
-				// There's an older secret - erase it and use this one instead
-				ByteUtils.erase(exists.getSecret());
+				// There's an older secret - use this one instead
 				newest.put(k, s);
 			} else {
-				// There's a newer secret - erase this one
-				ByteUtils.erase(s.getSecret());
+				// There's a newer secret - keep using it
 			}
 		}
 		Collection<TemporarySecret> created = new ArrayList<TemporarySecret>();
 		for(Entry<EndpointKey, TemporarySecret> e : newest.entrySet()) {
 			TemporarySecret s = e.getValue();
-			Long maxLatency = maxLatencies.get(s.getTransportId());
+			Integer maxLatency = maxLatencies.get(s.getTransportId());
 			if(maxLatency == null) throw new IllegalStateException();
 			// Work out which rotation period we're in
 			long elapsed = now - s.getEpoch();
@@ -186,34 +182,23 @@ class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
 				throw new IllegalStateException();
 			// Derive the old, current and new secrets
 			byte[] b1 = s.getSecret();
-			for(long p = s.getPeriod() + 1; p < period; p++) {
-				byte[] temp = crypto.deriveNextSecret(b1, p);
-				ByteUtils.erase(b1);
-				b1 = temp;
-			}
+			for(long p = s.getPeriod() + 1; p < period; p++)
+				b1 = crypto.deriveNextSecret(b1, p);
 			byte[] b2 = crypto.deriveNextSecret(b1, period);
 			byte[] b3 = crypto.deriveNextSecret(b2, period + 1);
-			// Add the secrets to their respective maps - copies may already
-			// exist, in which case erase the new copies (the old copies are
-			// referenced by the connection recogniser)
+			// Add the secrets to their respective maps if not already present
 			EndpointKey k = e.getKey();
-			if(oldSecrets.containsKey(k)) {
-				ByteUtils.erase(b1);
-			} else {
+			if(!oldSecrets.containsKey(k)) {
 				TemporarySecret s1 = new TemporarySecret(s, period - 1, b1);
 				oldSecrets.put(k, s1);
 				created.add(s1);
 			}
-			if(currentSecrets.containsKey(k)) {
-				ByteUtils.erase(b2);
-			} else {
+			if(!currentSecrets.containsKey(k)) {
 				TemporarySecret s2 = new TemporarySecret(s, period, b2);
 				currentSecrets.put(k, s2);
 				created.add(s2);
 			}
-			if(newSecrets.containsKey(k)) {
-				ByteUtils.erase(b3);
-			} else {
+			if(!newSecrets.containsKey(k)) {
 				TemporarySecret s3 = new TemporarySecret(s, period + 1, b3);
 				newSecrets.put(k, s3);
 				created.add(s3);
@@ -229,9 +214,9 @@ class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
 			timer.cancel();
 			tagRecogniser.removeSecrets();
 			maxLatencies.clear();
-			removeAndEraseSecrets(oldSecrets);
-			removeAndEraseSecrets(currentSecrets);
-			removeAndEraseSecrets(newSecrets);
+			oldSecrets.clear();
+			currentSecrets.clear();
+			newSecrets.clear();
 			return true;
 		}
 		finally{
@@ -239,11 +224,6 @@ class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
 		}
 	}
 
-	private void removeAndEraseSecrets(Map<?, TemporarySecret> m) {
-		for(TemporarySecret s : m.values()) ByteUtils.erase(s.getSecret());
-		m.clear();
-	}
-
 	public StreamContext getStreamContext(ContactId c,
 			TransportId t) {
 		synchLock.lock();
@@ -264,8 +244,7 @@ class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
 				if(LOG.isLoggable(WARNING)) LOG.log(WARNING, e.toString(), e);
 				return null;
 			}
-			// Clone the secret - the original will be erased
-			byte[] secret = s.getSecret().clone();
+		byte[] secret = s.getSecret();
 			return new StreamContext(c, t, secret, streamNumber, s.getAlice());
 		}
 		finally{
@@ -273,7 +252,7 @@ class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
 		}
 	}
 
-	public void endpointAdded(Endpoint ep, long maxLatency,
+	public synchronized void endpointAdded(Endpoint ep, int maxLatency,
 			byte[] initialSecret) {
 		synchLock.lock();
 		try{
@@ -285,11 +264,8 @@ class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
 			if(period < 1) throw new IllegalStateException();
 			// Derive the old, current and new secrets
 			byte[] b1 = initialSecret;
-			for(long p = 0; p < period; p++) {
-				byte[] temp = crypto.deriveNextSecret(b1, p);
-				ByteUtils.erase(b1);
-				b1 = temp;
-			}
+			for(long p = 0; p < period; p++)
+				b1 = crypto.deriveNextSecret(b1, p);
 			byte[] b2 = crypto.deriveNextSecret(b1, period);
 			byte[] b3 = crypto.deriveNextSecret(b2, period + 1);
 			TemporarySecret s1 = new TemporarySecret(ep, period - 1, b1);
@@ -370,27 +346,16 @@ class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
 		}
 	}
 
-	private void removeAndEraseSecrets(ContactId c, Map<?, TemporarySecret> m) {
+	private void removeSecrets(ContactId c, Map<?, TemporarySecret> m) {
 		Iterator<TemporarySecret> it = m.values().iterator();
-		while(it.hasNext()) {
-			TemporarySecret s = it.next();
-			if(s.getContactId().equals(c)) {
-				ByteUtils.erase(s.getSecret());
-				it.remove();
-			}
-		}
+		while(it.hasNext())
+			if(it.next().getContactId().equals(c)) it.remove();
 	}
 
-	private void removeAndEraseSecrets(TransportId t,
-			Map<?, TemporarySecret> m) {
+	private void removeSecrets(TransportId t, Map<?, TemporarySecret> m) {
 		Iterator<TemporarySecret> it = m.values().iterator();
-		while(it.hasNext()) {
-			TemporarySecret s = it.next();
-			if(s.getTransportId().equals(t)) {
-				ByteUtils.erase(s.getSecret());
-				it.remove();
-			}
-		}
+		while(it.hasNext())
+			if(it.next().getTransportId().equals(t)) it.remove();
 	}
 
 	private static class EndpointKey {
@@ -436,10 +401,10 @@ class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
 			ContactId c = event.getContactId();
 			tagRecogniser.removeSecrets(c);
 			synchLock.lock();
-			try {
-				removeAndEraseSecrets(c, oldSecrets);
-				removeAndEraseSecrets(c, currentSecrets);
-				removeAndEraseSecrets(c, newSecrets);
+			try{
+				removeSecrets(c, oldSecrets);
+				removeSecrets(c, currentSecrets);
+				removeSecrets(c, newSecrets);
 			}
 			finally{
 				synchLock.unlock();
@@ -482,9 +447,9 @@ class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
 			synchLock.lock();
 			try {
 				maxLatencies.remove(t);
-				removeAndEraseSecrets(t, oldSecrets);
-				removeAndEraseSecrets(t, currentSecrets);
-				removeAndEraseSecrets(t, newSecrets);
+				removeSecrets(t, oldSecrets);
+				removeSecrets(t, currentSecrets);
+				removeSecrets(t, newSecrets);
 			}
 			finally{
 				synchLock.unlock();

briar-core/src/org/briarproject/transport/KeyManagerImpl.java.orig

@@ -0,0 +1,546 @@
+package org.briarproject.transport;
+
+import static java.util.logging.Level.WARNING;
+import static org.briarproject.api.transport.TransportConstants.MAX_CLOCK_DIFFERENCE;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.TimerTask;
+import java.util.concurrent.locks.Lock;
+import java.util.concurrent.locks.ReentrantLock;
+import java.util.logging.Logger;
+
+import javax.inject.Inject;
+
+import org.briarproject.api.ContactId;
+import org.briarproject.api.TransportId;
+import org.briarproject.api.crypto.CryptoComponent;
+import org.briarproject.api.crypto.KeyManager;
+import org.briarproject.api.db.DatabaseComponent;
+import org.briarproject.api.db.DbException;
+import org.briarproject.api.event.ContactRemovedEvent;
+import org.briarproject.api.event.Event;
+import org.briarproject.api.event.EventBus;
+import org.briarproject.api.event.EventListener;
+import org.briarproject.api.event.TransportAddedEvent;
+import org.briarproject.api.event.TransportRemovedEvent;
+import org.briarproject.api.system.Clock;
+import org.briarproject.api.system.Timer;
+import org.briarproject.api.transport.Endpoint;
+import org.briarproject.api.transport.StreamContext;
+import org.briarproject.api.transport.TagRecogniser;
+import org.briarproject.api.transport.TemporarySecret;
+
+// FIXME: Don't make alien calls with a lock held
+class KeyManagerImpl extends TimerTask implements KeyManager, EventListener {
+
+	private static final int MS_BETWEEN_CHECKS = 60 * 1000;
+
+	private static final Logger LOG =
+			Logger.getLogger(KeyManagerImpl.class.getName());
+
+	private final CryptoComponent crypto;
+	private final DatabaseComponent db;
+	private final EventBus eventBus;
+	private final TagRecogniser tagRecogniser;
+	private final Clock clock;
+	private final Timer timer;
+
+<<<<<<< HEAD
+	private final Map<TransportId, Long> maxLatencies;
+=======
+	// All of the following are locking: this
+	private final Map<TransportId, Integer> maxLatencies;
+>>>>>>> theSource
+	private final Map<EndpointKey, TemporarySecret> oldSecrets;
+	private final Map<EndpointKey, TemporarySecret> currentSecrets;
+	private final Map<EndpointKey, TemporarySecret> newSecrets;
+
+	private final Lock synchLock = new ReentrantLock();
+
+	@Inject
+	KeyManagerImpl(CryptoComponent crypto, DatabaseComponent db,
+			EventBus eventBus, TagRecogniser tagRecogniser, Clock clock,
+			Timer timer) {
+		this.crypto = crypto;
+		this.db = db;
+		this.eventBus = eventBus;
+		this.tagRecogniser = tagRecogniser;
+		this.clock = clock;
+		this.timer = timer;
+		maxLatencies = new HashMap<TransportId, Integer>();
+		oldSecrets = new HashMap<EndpointKey, TemporarySecret>();
+		currentSecrets = new HashMap<EndpointKey, TemporarySecret>();
+		newSecrets = new HashMap<EndpointKey, TemporarySecret>();
+	}
+
+	public boolean start() {
+		synchLock.lock();
+		try {
+			eventBus.addListener(this);
+			// Load the temporary secrets and transport latencies from the database
+			Collection<TemporarySecret> secrets;
+			try {
+				secrets = db.getSecrets();
+				maxLatencies.putAll(db.getTransportLatencies());
+			} catch(DbException e) {
+				if(LOG.isLoggable(WARNING)) LOG.log(WARNING, e.toString(), e);
+				return false;
+			}
+			// Work out what phase of its lifecycle each secret is in
+			long now = clock.currentTimeMillis();
+			Collection<TemporarySecret> dead = assignSecretsToMaps(now, secrets);
+			// Replace any dead secrets
+			Collection<TemporarySecret> created = replaceDeadSecrets(now, dead);
+			if(!created.isEmpty()) {
+				// Store any secrets that have been created, removing any dead ones
+				try {
+					db.addSecrets(created);
+				} catch(DbException e) {
+					if(LOG.isLoggable(WARNING)) LOG.log(WARNING, e.toString(), e);
+					return false;
+				}
+			}
+			// Pass the old, current and new secrets to the recogniser
+			for(TemporarySecret s : oldSecrets.values())
+				tagRecogniser.addSecret(s);
+			for(TemporarySecret s : currentSecrets.values())
+				tagRecogniser.addSecret(s);
+			for(TemporarySecret s : newSecrets.values())
+				tagRecogniser.addSecret(s);
+			// Schedule periodic key rotation
+			timer.scheduleAtFixedRate(this, MS_BETWEEN_CHECKS, MS_BETWEEN_CHECKS);
+			return true;
+		}
+		finally{
+			synchLock.unlock();
+		}
+	}
+
+	// Assigns secrets to the appropriate maps and returns any dead secrets
+	private Collection<TemporarySecret> assignSecretsToMaps(long now,
+			Collection<TemporarySecret> secrets) {
+		Collection<TemporarySecret> dead = new ArrayList<TemporarySecret>();
+		for(TemporarySecret s : secrets) {
+			// Discard the secret if the transport has been removed
+			Integer maxLatency = maxLatencies.get(s.getTransportId());
+			if(maxLatency == null) {
+				LOG.info("Discarding obsolete secret");
+				continue;
+			}
+			long rotation = maxLatency + MAX_CLOCK_DIFFERENCE;
+			long creationTime = s.getEpoch() + rotation * (s.getPeriod() - 2);
+			long activationTime = creationTime + rotation;
+			long deactivationTime = activationTime + rotation;
+			long destructionTime = deactivationTime + rotation;
+			if(now >= destructionTime) {
+				dead.add(s);
+			} else if(now >= deactivationTime) {
+				oldSecrets.put(new EndpointKey(s), s);
+			} else if(now >= activationTime) {
+				currentSecrets.put(new EndpointKey(s), s);
+			} else if(now >= creationTime) {
+				newSecrets.put(new EndpointKey(s), s);
+			} else {
+				// FIXME: Work out what to do here
+				throw new Error("Clock has moved backwards");
+			}
+		}
+		return dead;
+	}
+
+<<<<<<< HEAD
+	// Replaces and erases the given secrets and returns any secrets created
+=======
+	// Replaces the given secrets and returns any secrets created
+	// Locking: this
+>>>>>>> theSource
+	private Collection<TemporarySecret> replaceDeadSecrets(long now,
+			Collection<TemporarySecret> dead) {
+		// If there are several dead secrets for an endpoint, use the newest
+		Map<EndpointKey, TemporarySecret> newest =
+				new HashMap<EndpointKey, TemporarySecret>();
+		for(TemporarySecret s : dead) {
+			EndpointKey k = new EndpointKey(s);
+			TemporarySecret exists = newest.get(k);
+			if(exists == null) {
+				// There's no other secret for this endpoint
+				newest.put(k, s);
+			} else if(exists.getPeriod() < s.getPeriod()) {
+				// There's an older secret - use this one instead
+				newest.put(k, s);
+			} else {
+				// There's a newer secret - keep using it
+			}
+		}
+		Collection<TemporarySecret> created = new ArrayList<TemporarySecret>();
+		for(Entry<EndpointKey, TemporarySecret> e : newest.entrySet()) {
+			TemporarySecret s = e.getValue();
+			Integer maxLatency = maxLatencies.get(s.getTransportId());
+			if(maxLatency == null) throw new IllegalStateException();
+			// Work out which rotation period we're in
+			long elapsed = now - s.getEpoch();
+			long rotation = maxLatency + MAX_CLOCK_DIFFERENCE;
+			long period = (elapsed / rotation) + 1;
+			if(period < 1) throw new IllegalStateException();
+			if(period - s.getPeriod() < 2)
+				throw new IllegalStateException();
+			// Derive the old, current and new secrets
+			byte[] b1 = s.getSecret();
+			for(long p = s.getPeriod() + 1; p < period; p++)
+				b1 = crypto.deriveNextSecret(b1, p);
+			byte[] b2 = crypto.deriveNextSecret(b1, period);
+			byte[] b3 = crypto.deriveNextSecret(b2, period + 1);
+			// Add the secrets to their respective maps if not already present
+			EndpointKey k = e.getKey();
+			if(!oldSecrets.containsKey(k)) {
+				TemporarySecret s1 = new TemporarySecret(s, period - 1, b1);
+				oldSecrets.put(k, s1);
+				created.add(s1);
+			}
+			if(!currentSecrets.containsKey(k)) {
+				TemporarySecret s2 = new TemporarySecret(s, period, b2);
+				currentSecrets.put(k, s2);
+				created.add(s2);
+			}
+			if(!newSecrets.containsKey(k)) {
+				TemporarySecret s3 = new TemporarySecret(s, period + 1, b3);
+				newSecrets.put(k, s3);
+				created.add(s3);
+			}
+		}
+		return created;
+	}
+
+<<<<<<< HEAD
+	public boolean stop() {
+		synchLock.lock();
+		try{
+			eventBus.removeListener(this);
+			timer.cancel();
+			tagRecogniser.removeSecrets();
+			maxLatencies.clear();
+			removeAndEraseSecrets(oldSecrets);
+			removeAndEraseSecrets(currentSecrets);
+			removeAndEraseSecrets(newSecrets);
+			return true;
+		}
+		finally{
+			synchLock.unlock();
+		}
+	}
+
+	private void removeAndEraseSecrets(Map<?, TemporarySecret> m) {
+		for(TemporarySecret s : m.values()) ByteUtils.erase(s.getSecret());
+		m.clear();
+	}
+
+	public StreamContext getStreamContext(ContactId c,
+=======
+	public synchronized boolean stop() {
+		eventBus.removeListener(this);
+		timer.cancel();
+		tagRecogniser.removeSecrets();
+		maxLatencies.clear();
+		oldSecrets.clear();
+		currentSecrets.clear();
+		newSecrets.clear();
+		return true;
+	}
+
+	public synchronized StreamContext getStreamContext(ContactId c,
+>>>>>>> theSource
+			TransportId t) {
+		synchLock.lock();
+		try{
+			TemporarySecret s = currentSecrets.get(new EndpointKey(c, t));
+			if(s == null) {
+				LOG.info("No secret for endpoint");
+				return null;
+			}
+			long streamNumber;
+			try {
+				streamNumber = db.incrementStreamCounter(c, t, s.getPeriod());
+				if(streamNumber == -1) {
+					LOG.info("No counter for period");
+					return null;
+				}
+			} catch(DbException e) {
+				if(LOG.isLoggable(WARNING)) LOG.log(WARNING, e.toString(), e);
+				return null;
+			}
+			// Clone the secret - the original will be erased
+			byte[] secret = s.getSecret().clone();
+			return new StreamContext(c, t, secret, streamNumber, s.getAlice());
+		}
+		finally{
+			synchLock.unlock();
+		}
+<<<<<<< HEAD
+	}
+
+	public void endpointAdded(Endpoint ep, long maxLatency,
+			byte[] initialSecret) {
+		synchLock.lock();
+		try{
+			maxLatencies.put(ep.getTransportId(), maxLatency);
+			// Work out which rotation period we're in
+			long elapsed = clock.currentTimeMillis() - ep.getEpoch();
+			long rotation = maxLatency + MAX_CLOCK_DIFFERENCE;
+			long period = (elapsed / rotation) + 1;
+			if(period < 1) throw new IllegalStateException();
+			// Derive the old, current and new secrets
+			byte[] b1 = initialSecret;
+			for(long p = 0; p < period; p++) {
+				byte[] temp = crypto.deriveNextSecret(b1, p);
+				ByteUtils.erase(b1);
+				b1 = temp;
+			}
+			byte[] b2 = crypto.deriveNextSecret(b1, period);
+			byte[] b3 = crypto.deriveNextSecret(b2, period + 1);
+			TemporarySecret s1 = new TemporarySecret(ep, period - 1, b1);
+			TemporarySecret s2 = new TemporarySecret(ep, period, b2);
+			TemporarySecret s3 = new TemporarySecret(ep, period + 1, b3);
+			// Add the incoming secrets to their respective maps
+			EndpointKey k = new EndpointKey(ep);
+			oldSecrets.put(k, s1);
+			currentSecrets.put(k, s2);
+			newSecrets.put(k, s3);
+			// Store the new secrets
+			try {
+				db.addSecrets(Arrays.asList(s1, s2, s3));
+			} catch(DbException e) {
+				if(LOG.isLoggable(WARNING)) LOG.log(WARNING, e.toString(), e);
+				return;
+			}
+			// Pass the new secrets to the recogniser
+			tagRecogniser.addSecret(s1);
+			tagRecogniser.addSecret(s2);
+			tagRecogniser.addSecret(s3);
+		}
+		finally{
+			synchLock.unlock();
+=======
+		byte[] secret = s.getSecret();
+		return new StreamContext(c, t, secret, streamNumber, s.getAlice());
+	}
+
+	public synchronized void endpointAdded(Endpoint ep, int maxLatency,
+			byte[] initialSecret) {
+		maxLatencies.put(ep.getTransportId(), maxLatency);
+		// Work out which rotation period we're in
+		long elapsed = clock.currentTimeMillis() - ep.getEpoch();
+		long rotation = maxLatency + MAX_CLOCK_DIFFERENCE;
+		long period = (elapsed / rotation) + 1;
+		if(period < 1) throw new IllegalStateException();
+		// Derive the old, current and new secrets
+		byte[] b1 = initialSecret;
+		for(long p = 0; p < period; p++)
+			b1 = crypto.deriveNextSecret(b1, p);
+		byte[] b2 = crypto.deriveNextSecret(b1, period);
+		byte[] b3 = crypto.deriveNextSecret(b2, period + 1);
+		TemporarySecret s1 = new TemporarySecret(ep, period - 1, b1);
+		TemporarySecret s2 = new TemporarySecret(ep, period, b2);
+		TemporarySecret s3 = new TemporarySecret(ep, period + 1, b3);
+		// Add the incoming secrets to their respective maps
+		EndpointKey k = new EndpointKey(ep);
+		oldSecrets.put(k, s1);
+		currentSecrets.put(k, s2);
+		newSecrets.put(k, s3);
+		// Store the new secrets
+		try {
+			db.addSecrets(Arrays.asList(s1, s2, s3));
+		} catch(DbException e) {
+			if(LOG.isLoggable(WARNING)) LOG.log(WARNING, e.toString(), e);
+			return;
+>>>>>>> theSource
+		}
+	}
+
+	@Override
+	public void run() {
+		synchLock.lock();
+		try{
+		// Rebuild the maps because we may be running a whole period late
+			Collection<TemporarySecret> secrets = new ArrayList<TemporarySecret>();
+			secrets.addAll(oldSecrets.values());
+			secrets.addAll(currentSecrets.values());
+			secrets.addAll(newSecrets.values());
+			oldSecrets.clear();
+			currentSecrets.clear();
+			newSecrets.clear();
+			// Work out what phase of its lifecycle each secret is in
+			long now = clock.currentTimeMillis();
+			Collection<TemporarySecret> dead = assignSecretsToMaps(now, secrets);
+			// Remove any dead secrets from the recogniser
+			for(TemporarySecret s : dead) {
+				ContactId c = s.getContactId();
+				TransportId t = s.getTransportId();
+				long period = s.getPeriod();
+				tagRecogniser.removeSecret(c, t, period);
+			}
+			// Replace any dead secrets
+			Collection<TemporarySecret> created = replaceDeadSecrets(now, dead);
+			if(!created.isEmpty()) {
+				// Store any secrets that have been created
+				try {
+					db.addSecrets(created);
+				} catch(DbException e) {
+					if(LOG.isLoggable(WARNING)) LOG.log(WARNING, e.toString(), e);
+				}
+				// Pass any secrets that have been created to the recogniser
+				for(TemporarySecret s : created) tagRecogniser.addSecret(s);
+			}
+		}
+		finally{
+			synchLock.unlock();
+		}
+	}
+
+	public void eventOccurred(Event e) {
+		if(e instanceof ContactRemovedEvent) {
+			ContactRemovedEvent c = (ContactRemovedEvent) e;
+			timer.schedule(new ContactRemovedTask(c), 0);
+		} else if(e instanceof TransportAddedEvent) {
+			TransportAddedEvent t = (TransportAddedEvent) e;
+			timer.schedule(new TransportAddedTask(t), 0);
+		} else if(e instanceof TransportRemovedEvent) {
+			TransportRemovedEvent t = (TransportRemovedEvent) e;
+			timer.schedule(new TransportRemovedTask(t), 0);
+		}
+	}
+
+<<<<<<< HEAD
+	private void removeAndEraseSecrets(ContactId c, Map<?, TemporarySecret> m) {
+=======
+	// Locking: this
+	private void removeSecrets(ContactId c, Map<?, TemporarySecret> m) {
+>>>>>>> theSource
+		Iterator<TemporarySecret> it = m.values().iterator();
+		while(it.hasNext())
+			if(it.next().getContactId().equals(c)) it.remove();
+	}
+
+<<<<<<< HEAD
+	private void removeAndEraseSecrets(TransportId t,
+			Map<?, TemporarySecret> m) {
+=======
+	// Locking: this
+	private void removeSecrets(TransportId t, Map<?, TemporarySecret> m) {
+>>>>>>> theSource
+		Iterator<TemporarySecret> it = m.values().iterator();
+		while(it.hasNext())
+			if(it.next().getTransportId().equals(t)) it.remove();
+	}
+
+	private static class EndpointKey {
+
+		private final ContactId contactId;
+		private final TransportId transportId;
+
+		private EndpointKey(ContactId contactId, TransportId transportId) {
+			this.contactId = contactId;
+			this.transportId = transportId;
+		}
+
+		private EndpointKey(Endpoint ep) {
+			this(ep.getContactId(), ep.getTransportId());
+		}
+
+		@Override
+		public int hashCode() {
+			return contactId.hashCode() ^ transportId.hashCode();
+		}
+
+		@Override
+		public boolean equals(Object o) {
+			if(o instanceof EndpointKey) {
+				EndpointKey k = (EndpointKey) o;
+				return contactId.equals(k.contactId) &&
+						transportId.equals(k.transportId);
+			}
+			return false;
+		}
+	}
+
+	private class ContactRemovedTask extends TimerTask {
+
+		private final ContactRemovedEvent event;
+
+		private ContactRemovedTask(ContactRemovedEvent event) {
+			this.event = event;
+		}
+
+		@Override
+		public void run() {
+			ContactId c = event.getContactId();
+			tagRecogniser.removeSecrets(c);
+<<<<<<< HEAD
+			synchLock.lock();
+			try {
+				removeAndEraseSecrets(c, oldSecrets);
+				removeAndEraseSecrets(c, currentSecrets);
+				removeAndEraseSecrets(c, newSecrets);
+=======
+			synchronized(KeyManagerImpl.this) {
+				removeSecrets(c, oldSecrets);
+				removeSecrets(c, currentSecrets);
+				removeSecrets(c, newSecrets);
+>>>>>>> theSource
+			}
+			finally{
+				synchLock.unlock();
+			}
+		}
+	}
+
+	private class TransportAddedTask extends TimerTask {
+
+		private final TransportAddedEvent event;
+
+		private TransportAddedTask(TransportAddedEvent event) {
+			this.event = event;
+		}
+
+		@Override
+		public void run() {
+			synchLock.lock();
+			try {
+				maxLatencies.put(event.getTransportId(), event.getMaxLatency());
+			}
+			finally{
+				synchLock.unlock();
+			}
+		}
+	}
+
+	private class TransportRemovedTask extends TimerTask {
+
+		private TransportRemovedEvent event;
+
+		private TransportRemovedTask(TransportRemovedEvent event) {
+			this.event = event;
+		}
+
+		@Override
+		public void run() {
+			TransportId t = event.getTransportId();
+			tagRecogniser.removeSecrets(t);
+			synchLock.lock();
+			try {
+				maxLatencies.remove(t);
+				removeSecrets(t, oldSecrets);
+				removeSecrets(t, currentSecrets);
+				removeSecrets(t, newSecrets);
+			}
+			finally{
+				synchLock.unlock();
+			}
+		}
+	}
+}

briar-core/src/org/briarproject/transport/OutgoingEncryptionLayer.java

@@ -1,103 +0,0 @@
-package org.briarproject.transport;
-
-import static org.briarproject.api.transport.TransportConstants.AAD_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.HEADER_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.IV_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH;
-import static org.briarproject.util.ByteUtils.MAX_32_BIT_UNSIGNED;
-
-import java.io.IOException;
-import java.io.OutputStream;
-import java.security.GeneralSecurityException;
-
-import org.briarproject.api.crypto.AuthenticatedCipher;
-import org.briarproject.api.crypto.SecretKey;
-
-class OutgoingEncryptionLayer implements FrameWriter {
-
-	private final OutputStream out;
-	private final AuthenticatedCipher frameCipher;
-	private final SecretKey frameKey;
-	private final byte[] tag, iv, aad, ciphertext;
-	private final int frameLength;
-
-	private long frameNumber;
-	private boolean writeTag;
-
-	OutgoingEncryptionLayer(OutputStream out, AuthenticatedCipher frameCipher,
-			SecretKey frameKey, int frameLength, byte[] tag) {
-		this.out = out;
-		this.frameCipher = frameCipher;
-		this.frameKey = frameKey;
-		this.frameLength = frameLength;
-		this.tag = tag;
-		iv = new byte[IV_LENGTH];
-		aad = new byte[AAD_LENGTH];
-		ciphertext = new byte[frameLength];
-		frameNumber = 0;
-		writeTag = (tag != null);
-	}
-
-	public void writeFrame(byte[] frame, int payloadLength, boolean finalFrame)
-			throws IOException {
-		if(frameNumber > MAX_32_BIT_UNSIGNED) throw new IllegalStateException();
-		// Write the tag if required
-		if(writeTag) {
-			try {
-				out.write(tag, 0, tag.length);
-			} catch(IOException e) {
-				frameKey.erase();
-				throw e;
-			}
-			writeTag = false;
-		}
-		// Encode the header
-		FrameEncoder.encodeHeader(frame, finalFrame, payloadLength);
-		// Don't pad the final frame
-		int plaintextLength, ciphertextLength;
-		if(finalFrame) {
-			plaintextLength = HEADER_LENGTH + payloadLength;
-			ciphertextLength = plaintextLength + MAC_LENGTH;
-		} else {
-			plaintextLength = frameLength - MAC_LENGTH;
-			ciphertextLength = frameLength;
-		}
-		// If there's any padding it must all be zeroes
-		for(int i = HEADER_LENGTH + payloadLength; i < plaintextLength; i++) {
-			frame[i] = 0;
-		}
-		// Encrypt and authenticate the frame
-		FrameEncoder.encodeIv(iv, frameNumber);
-		FrameEncoder.encodeAad(aad, frameNumber, plaintextLength);
-		try {
-			frameCipher.init(true, frameKey, iv, aad);
-			int encrypted = frameCipher.doFinal(frame, 0, plaintextLength,
-					ciphertext, 0);
-			if(encrypted != ciphertextLength) throw new RuntimeException();
-		} catch(GeneralSecurityException badCipher) {
-			throw new RuntimeException(badCipher);
-		}
-		// Write the frame
-		try {
-			out.write(ciphertext, 0, ciphertextLength);
-		} catch(IOException e) {
-			frameKey.erase();
-			throw e;
-		}
-		frameNumber++;
-	}
-
-	public void flush() throws IOException {
-		// Write the tag if required
-		if(writeTag) {
-			try {
-				out.write(tag, 0, tag.length);
-			} catch(IOException e) {
-				frameKey.erase();
-				throw e;
-			}
-			writeTag = false;
-		}
-		out.flush();
-	}
-}

briar-core/src/org/briarproject/transport/StreamReaderFactoryImpl.java

@@ -4,37 +4,28 @@ import java.io.InputStream;
 
 import javax.inject.Inject;
 
-import org.briarproject.api.crypto.CryptoComponent;
-import org.briarproject.api.crypto.SecretKey;
+import org.briarproject.api.crypto.StreamDecrypterFactory;
 import org.briarproject.api.transport.StreamContext;
-import org.briarproject.api.transport.StreamReader;
 import org.briarproject.api.transport.StreamReaderFactory;
 
 class StreamReaderFactoryImpl implements StreamReaderFactory {
 
-	private final CryptoComponent crypto;
+	private final StreamDecrypterFactory streamDecrypterFactory;
 
 	@Inject
-	StreamReaderFactoryImpl(CryptoComponent crypto) {
-		this.crypto = crypto;
+	StreamReaderFactoryImpl(StreamDecrypterFactory streamDecrypterFactory) {
+		this.streamDecrypterFactory = streamDecrypterFactory;
 	}
 
-	public StreamReader createStreamReader(InputStream in,
-			int maxFrameLength, StreamContext ctx) {
-		byte[] secret = ctx.getSecret();
-		long streamNumber = ctx.getStreamNumber();
-		boolean alice = !ctx.getAlice();
-		SecretKey frameKey = crypto.deriveFrameKey(secret, streamNumber, alice);
-		FrameReader frameReader = new IncomingEncryptionLayer(in,
-				crypto.getFrameCipher(), frameKey, maxFrameLength);
-		return new StreamReaderImpl(frameReader, maxFrameLength);
+	public InputStream createStreamReader(InputStream in, StreamContext ctx) {
+		return new StreamReaderImpl(
+				streamDecrypterFactory.createStreamDecrypter(in, ctx));
 	}
 
-	public StreamReader createInvitationStreamReader(InputStream in,
-			int maxFrameLength, byte[] secret, boolean alice) {
-		SecretKey frameKey = crypto.deriveFrameKey(secret, 0, alice);
-		FrameReader frameReader = new IncomingEncryptionLayer(in,
-				crypto.getFrameCipher(), frameKey, maxFrameLength);
-		return new StreamReaderImpl(frameReader, maxFrameLength);
+	public InputStream createInvitationStreamReader(InputStream in,
+			byte[] secret, boolean alice) {
+		return new StreamReaderImpl(
+				streamDecrypterFactory.createInvitationStreamDecrypter(in,
+						secret, alice));
 	}
 }

briar-core/src/org/briarproject/transport/StreamReaderImpl.java

@@ -1,27 +1,22 @@
 package org.briarproject.transport;
 
-import static org.briarproject.api.transport.TransportConstants.HEADER_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.MAX_PAYLOAD_LENGTH;
 
 import java.io.IOException;
 import java.io.InputStream;
 
-import org.briarproject.api.transport.StreamReader;
+import org.briarproject.api.crypto.StreamDecrypter;
 
-class StreamReaderImpl extends InputStream implements StreamReader {
+class StreamReaderImpl extends InputStream {
 
-	private final FrameReader in;
-	private final byte[] frame;
+	private final StreamDecrypter decrypter;
+	private final byte[] payload;
 
 	private int offset = 0, length = 0;
 
-	StreamReaderImpl(FrameReader in, int frameLength) {
-		this.in = in;
-		frame = new byte[frameLength - MAC_LENGTH];
-	}
-
-	public InputStream getInputStream() {
-		return this;
+	StreamReaderImpl(StreamDecrypter decrypter) {
+		this.decrypter = decrypter;
+		payload = new byte[MAX_PAYLOAD_LENGTH];
 	}
 
 	@Override
@@ -30,7 +25,7 @@ class StreamReaderImpl extends InputStream implements StreamReader {
 			if(length == -1) return -1;
 			readFrame();
 		}
-		int b = frame[offset] & 0xff;
+		int b = payload[offset] & 0xff;
 		offset++;
 		length--;
 		return b;
@@ -48,7 +43,7 @@ class StreamReaderImpl extends InputStream implements StreamReader {
 			readFrame();
 		}
 		len = Math.min(len, length);
-		System.arraycopy(frame, offset, b, off, len);
+		System.arraycopy(payload, offset, b, off, len);
 		offset += len;
 		length -= len;
 		return len;
@@ -56,7 +51,7 @@ class StreamReaderImpl extends InputStream implements StreamReader {
 
 	private void readFrame() throws IOException {
 		assert length == 0;
-		offset = HEADER_LENGTH;
-		length = in.readFrame(frame);
+		offset = 0;
+		length = decrypter.readFrame(payload);
 	}
 }

briar-core/src/org/briarproject/transport/StreamWriterFactoryImpl.java

@@ -1,46 +1,32 @@
 package org.briarproject.transport;
 
-import static org.briarproject.api.transport.TransportConstants.TAG_LENGTH;
-
 import java.io.OutputStream;
 
 import javax.inject.Inject;
 
-import org.briarproject.api.crypto.CryptoComponent;
-import org.briarproject.api.crypto.SecretKey;
+import org.briarproject.api.crypto.StreamEncrypterFactory;
 import org.briarproject.api.transport.StreamContext;
-import org.briarproject.api.transport.StreamWriter;
 import org.briarproject.api.transport.StreamWriterFactory;
 
 class StreamWriterFactoryImpl implements StreamWriterFactory {
 
-	private final CryptoComponent crypto;
+	private final StreamEncrypterFactory streamEncrypterFactory;
 
 	@Inject
-	StreamWriterFactoryImpl(CryptoComponent crypto) {
-		this.crypto = crypto;
+	StreamWriterFactoryImpl(StreamEncrypterFactory streamEncrypterFactory) {
+		this.streamEncrypterFactory = streamEncrypterFactory;
 	}
 
-	public StreamWriter createStreamWriter(OutputStream out,
-			int maxFrameLength, StreamContext ctx) {
-		byte[] secret = ctx.getSecret();
-		long streamNumber = ctx.getStreamNumber();
-		boolean alice = ctx.getAlice();
-		byte[] tag = new byte[TAG_LENGTH];
-		SecretKey tagKey = crypto.deriveTagKey(secret, alice);
-		crypto.encodeTag(tag, tagKey, streamNumber);
-		tagKey.erase();
-		SecretKey frameKey = crypto.deriveFrameKey(secret, streamNumber, alice);
-		FrameWriter frameWriter = new OutgoingEncryptionLayer(out,
-				crypto.getFrameCipher(), frameKey, maxFrameLength, tag);
-		return new StreamWriterImpl(frameWriter, maxFrameLength);
+	public OutputStream createStreamWriter(OutputStream out,
+			StreamContext ctx) {
+		return new StreamWriterImpl(
+				streamEncrypterFactory.createStreamEncrypter(out, ctx));
 	}
 
-	public StreamWriter createInvitationStreamWriter(OutputStream out,
-			int maxFrameLength, byte[] secret, boolean alice) {
-		SecretKey frameKey = crypto.deriveFrameKey(secret, 0, alice);
-		FrameWriter frameWriter = new OutgoingEncryptionLayer(out,
-				crypto.getFrameCipher(), frameKey, maxFrameLength, null);
-		return new StreamWriterImpl(frameWriter, maxFrameLength);
+	public OutputStream createInvitationStreamWriter(OutputStream out,
+			byte[] secret, boolean alice) {
+		return new StreamWriterImpl(
+				streamEncrypterFactory.createInvitationStreamEncrypter(out,
+						secret, alice));
 	}
 }

briar-core/src/org/briarproject/transport/StreamWriterImpl.java

@@ -1,12 +1,11 @@
 package org.briarproject.transport;
 
-import static org.briarproject.api.transport.TransportConstants.HEADER_LENGTH;
-import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH;
+import static org.briarproject.api.transport.TransportConstants.MAX_PAYLOAD_LENGTH;
 
 import java.io.IOException;
 import java.io.OutputStream;
 
-import org.briarproject.api.transport.StreamWriter;
+import org.briarproject.api.crypto.StreamEncrypter;
 
 /**
  * A {@link org.briarproject.api.transport.StreamWriter StreamWriter} that
@@ -15,43 +14,36 @@ import org.briarproject.api.transport.StreamWriter;
  * <p>
  * This class is not thread-safe.
  */
-class StreamWriterImpl extends OutputStream implements StreamWriter {
+class StreamWriterImpl extends OutputStream {
 
-	private final FrameWriter out;
-	private final byte[] frame;
-	private final int frameLength;
+	private final StreamEncrypter encrypter;
+	private final byte[] payload;
 
 	private int length = 0;
 
-	StreamWriterImpl(FrameWriter out, int frameLength) {
-		this.out = out;
-		this.frameLength = frameLength;
-		frame = new byte[frameLength - MAC_LENGTH];
-	}
-
-	public OutputStream getOutputStream() {
-		return this;
+	StreamWriterImpl(StreamEncrypter encrypter) {
+		this.encrypter = encrypter;
+		payload = new byte[MAX_PAYLOAD_LENGTH];
 	}
 
 	@Override
 	public void close() throws IOException {
 		writeFrame(true);
-		out.flush();
+		encrypter.flush();
 		super.close();
 	}
 
 	@Override
 	public void flush() throws IOException {
-		if(length > 0) writeFrame(false);
-		out.flush();
+		writeFrame(false);
+		encrypter.flush();
 	}
 
 	@Override
 	public void write(int b) throws IOException {
-		frame[HEADER_LENGTH + length] = (byte) b;
+		payload[length] = (byte) b;
 		length++;
-		if(HEADER_LENGTH + length + MAC_LENGTH == frameLength)
-			writeFrame(false);
+		if(length == payload.length) writeFrame(false);
 	}
 
 	@Override
@@ -61,21 +53,21 @@ class StreamWriterImpl extends OutputStream implements StreamWriter {
 
 	@Override
 	public void write(byte[] b, int off, int len) throws IOException {
-		int available = frameLength - HEADER_LENGTH - length - MAC_LENGTH;
+		int available = payload.length - length;
 		while(available <= len) {
-			System.arraycopy(b, off, frame, HEADER_LENGTH + length, available);
+			System.arraycopy(b, off, payload, length, available);
 			length += available;
 			writeFrame(false);
 			off += available;
 			len -= available;
-			available = frameLength - HEADER_LENGTH - length - MAC_LENGTH;
+			available = payload.length - length;
 		}
-		System.arraycopy(b, off, frame, HEADER_LENGTH + length, len);
+		System.arraycopy(b, off, payload, length, len);
 		length += len;
 	}
 
 	private void writeFrame(boolean finalFrame) throws IOException {
-		out.writeFrame(frame, length, finalFrame);
+		encrypter.writeFrame(payload, length, 0, finalFrame);
 		length = 0;
 	}
 }

briar-core/src/org/briarproject/transport/TransportTagRecogniser.java

@@ -62,13 +62,10 @@ class TransportTagRecogniser {
 					assert duplicate == null;
 				}
 			}
-			key.erase();
 			// Store the updated reordering window in the DB
 			db.setReorderingWindow(t.contactId, transportId, t.period,
 					t.window.getCentre(), t.window.getBitmap());
-			// Clone the secret - the key manager will erase the original
-			byte[] secret = t.secret.clone();
-			return new StreamContext(t.contactId, transportId, secret,
+		return new StreamContext(t.contactId, transportId, t.secret,
 					t.streamNumber, t.alice);
 		}
 		finally{
@@ -96,7 +93,6 @@ class TransportTagRecogniser {
 				TagContext duplicate = tagMap.put(new Bytes(tag), added);
 				assert duplicate == null;
 			}
-			key.erase();
 			// Create a removal context to remove the window and the tags later
 			RemovalContext r = new RemovalContext(window, secret, alice);
 			removalMap.put(new RemovalKey(contactId, period), r);
@@ -128,7 +124,6 @@ class TransportTagRecogniser {
 			TagContext removed = tagMap.remove(new Bytes(tag));
 			assert removed != null;
 		}
-		key.erase();
 	}
 
 	void removeSecrets(ContactId c) {

briar-core/src/org/briarproject/transport/TransportTagRecogniser.java.orig

@@ -0,0 +1,235 @@
+package org.briarproject.transport;
+
+import static org.briarproject.api.transport.TransportConstants.TAG_LENGTH;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.locks.Lock;
+import java.util.concurrent.locks.ReentrantLock;
+
+import org.briarproject.api.Bytes;
+import org.briarproject.api.ContactId;
+import org.briarproject.api.TransportId;
+import org.briarproject.api.crypto.CryptoComponent;
+import org.briarproject.api.crypto.SecretKey;
+import org.briarproject.api.db.DatabaseComponent;
+import org.briarproject.api.db.DbException;
+import org.briarproject.api.transport.StreamContext;
+import org.briarproject.api.transport.TemporarySecret;
+
+// FIXME: Don't make alien calls with a lock held
+/**
+ * A {@link org.briarproject.api.transport.TagRecogniser TagRecogniser} for a
+ * specific transport.
+ */
+class TransportTagRecogniser {
+
+	private final CryptoComponent crypto;
+	private final DatabaseComponent db;
+	private final TransportId transportId;
+	private final Map<Bytes, TagContext> tagMap;
+	private final Map<RemovalKey, RemovalContext> removalMap;
+
+	private final Lock synchLock = new ReentrantLock();
+
+	TransportTagRecogniser(CryptoComponent crypto, DatabaseComponent db,
+			TransportId transportId) {
+		this.crypto = crypto;
+		this.db = db;
+		this.transportId = transportId;
+		tagMap = new HashMap<Bytes, TagContext>();
+		removalMap = new HashMap<RemovalKey, RemovalContext>();
+	}
+
+	StreamContext recogniseTag(byte[] tag) throws DbException {
+		synchLock.lock();
+		try{
+			TagContext t = tagMap.remove(new Bytes(tag));
+			if(t == null) return null; // The tag was not expected
+			// Update the reordering window and the expected tags
+			SecretKey key = crypto.deriveTagKey(t.secret, !t.alice);
+			for(long streamNumber : t.window.setSeen(t.streamNumber)) {
+				byte[] tag1 = new byte[TAG_LENGTH];
+				crypto.encodeTag(tag1, key, streamNumber);
+				if(streamNumber < t.streamNumber) {
+					TagContext removed = tagMap.remove(new Bytes(tag1));
+					assert removed != null;
+				} else {
+					TagContext added = new TagContext(t, streamNumber);
+					TagContext duplicate = tagMap.put(new Bytes(tag1), added);
+					assert duplicate == null;
+				}
+			}
+			key.erase();
+			// Store the updated reordering window in the DB
+			db.setReorderingWindow(t.contactId, transportId, t.period,
+					t.window.getCentre(), t.window.getBitmap());
+			// Clone the secret - the key manager will erase the original
+			byte[] secret = t.secret.clone();
+			return new StreamContext(t.contactId, transportId, secret,
+					t.streamNumber, t.alice);
+		}
+		finally{
+			synchLock.unlock();
+		}
+<<<<<<< HEAD
+=======
+		// Store the updated reordering window in the DB
+		db.setReorderingWindow(t.contactId, transportId, t.period,
+				t.window.getCentre(), t.window.getBitmap());
+		return new StreamContext(t.contactId, transportId, t.secret,
+				t.streamNumber, t.alice);
+>>>>>>> theSource
+	}
+
+	void addSecret(TemporarySecret s) {
+		synchLock.lock();
+		try{
+			ContactId contactId = s.getContactId();
+			boolean alice = s.getAlice();
+			long period = s.getPeriod();
+			byte[] secret = s.getSecret();
+			long centre = s.getWindowCentre();
+			byte[] bitmap = s.getWindowBitmap();
+			// Create the reordering window and the expected tags
+			SecretKey key = crypto.deriveTagKey(secret, !alice);
+			ReorderingWindow window = new ReorderingWindow(centre, bitmap);
+			for(long streamNumber : window.getUnseen()) {
+				byte[] tag = new byte[TAG_LENGTH];
+				crypto.encodeTag(tag, key, streamNumber);
+				TagContext added = new TagContext(contactId, alice, period,
+						secret, window, streamNumber);
+				TagContext duplicate = tagMap.put(new Bytes(tag), added);
+				assert duplicate == null;
+			}
+			key.erase();
+			// Create a removal context to remove the window and the tags later
+			RemovalContext r = new RemovalContext(window, secret, alice);
+			removalMap.put(new RemovalKey(contactId, period), r);
+		}
+		finally{
+			synchLock.unlock();
+		}
+<<<<<<< HEAD
+=======
+		// Create a removal context to remove the window and the tags later
+		RemovalContext r = new RemovalContext(window, secret, alice);
+		removalMap.put(new RemovalKey(contactId, period), r);
+>>>>>>> theSource
+	}
+
+	void removeSecret(ContactId contactId, long period) {
+		synchLock.lock();
+		try{
+			RemovalKey k = new RemovalKey(contactId, period);
+			RemovalContext removed = removalMap.remove(k);
+			if(removed == null) throw new IllegalArgumentException();
+			removeSecret(removed);
+		}
+		finally{
+			synchLock.unlock();
+		}
+	}
+
+	private void removeSecret(RemovalContext r) {
+		// Remove the expected tags
+		SecretKey key = crypto.deriveTagKey(r.secret, !r.alice);
+		byte[] tag = new byte[TAG_LENGTH];
+		for(long streamNumber : r.window.getUnseen()) {
+			crypto.encodeTag(tag, key, streamNumber);
+			TagContext removed = tagMap.remove(new Bytes(tag));
+			assert removed != null;
+		}
+	}
+
+	void removeSecrets(ContactId c) {
+		synchLock.lock();
+		try{
+			Collection<RemovalKey> keysToRemove = new ArrayList<RemovalKey>();
+			for(RemovalKey k : removalMap.keySet())
+				if(k.contactId.equals(c)) keysToRemove.add(k);
+			for(RemovalKey k : keysToRemove) removeSecret(k.contactId, k.period);
+		}
+		finally{
+			synchLock.unlock();
+		}
+	}
+
+	void removeSecrets() {
+		synchLock.lock();
+		try{
+			for(RemovalContext r : removalMap.values()) removeSecret(r);
+			assert tagMap.isEmpty();
+			removalMap.clear();
+		}
+		finally{
+			synchLock.unlock();
+		}
+	}
+
+	private static class TagContext {
+
+		private final ContactId contactId;
+		private final boolean alice;
+		private final long period;
+		private final byte[] secret;
+		private final ReorderingWindow window;
+		private final long streamNumber;
+
+		private TagContext(ContactId contactId, boolean alice, long period,
+				byte[] secret, ReorderingWindow window, long streamNumber) {
+			this.contactId = contactId;
+			this.alice = alice;
+			this.period = period;
+			this.secret = secret;
+			this.window = window;
+			this.streamNumber = streamNumber;
+		}
+
+		private TagContext(TagContext t, long streamNumber) {
+			this(t.contactId, t.alice, t.period, t.secret, t.window,
+					streamNumber);
+		}
+	}
+
+	private static class RemovalKey {
+
+		private final ContactId contactId;
+		private final long period;
+
+		private RemovalKey(ContactId contactId, long period) {
+			this.contactId = contactId;
+			this.period = period;
+		}
+
+		@Override
+		public int hashCode() {
+			return contactId.hashCode() ^ (int) (period ^ (period >>> 32));
+		}
+
+		@Override
+		public boolean equals(Object o) {
+			if(o instanceof RemovalKey) {
+				RemovalKey k = (RemovalKey) o;
+				return contactId.equals(k.contactId) && period == k.period;
+			}
+			return false;
+		}
+	}
+
+	private static class RemovalContext {
+
+		private final ReorderingWindow window;
+		private final byte[] secret;
+		private final boolean alice;
+
+		private RemovalContext(ReorderingWindow window, byte[] secret,
+				boolean alice) {
+			this.window = window;
+			this.secret = secret;
+			this.alice = alice;
+		}
+	}
+}

briar-core/src/org/briarproject/util/ByteUtils.java

@@ -48,10 +48,6 @@ public class ByteUtils {
 				| ((b[offset + 2] & 0xFFL) << 8) | (b[offset + 3] & 0xFFL);
 	}
 
-	public static void erase(byte[] b) {
-		for(int i = 0; i < b.length; i++) b[i] = 0;
-	}
-
 	public static int readUint(byte[] b, int bits) {
 		if(b.length << 3 < bits) throw new IllegalArgumentException();
 		int result = 0;