removing dead/legacy server/connection logic, except for in tcp/wlan/bt plugins ...
[oweals/gnunet.git] / src / core / gnunet-service-core_kx.c
index 5a70b62ad3154f114ea38aa31550eb007da067bf..8a7cada5c5a1a1b76191e7859bb54ee703c6d760 100644 (file)
@@ -1,6 +1,6 @@
 /*
      This file is part of GNUnet.
-     (C) 2009, 2010, 2011, 2012 Christian Grothoff (and other contributing authors)
+     Copyright (C) 2009-2013, 2016 GNUnet e.V.
 
      GNUnet is free software; you can redistribute it and/or modify
      it under the terms of the GNU General Public License as published
@@ -14,8 +14,8 @@
 
      You should have received a copy of the GNU General Public License
      along with GNUnet; see the file COPYING.  If not, write to the
-     Free Software Foundation, Inc., 59 Temple Place - Suite 330,
-     Boston, MA 02111-1307, USA.
+     Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+     Boston, MA 02110-1301, USA.
 */
 
 /**
 #include "platform.h"
 #include "gnunet-service-core_kx.h"
 #include "gnunet-service-core.h"
-#include "gnunet-service-core_clients.h"
-#include "gnunet-service-core_neighbours.h"
 #include "gnunet-service-core_sessions.h"
 #include "gnunet_statistics_service.h"
+#include "gnunet_transport_core_service.h"
 #include "gnunet_constants.h"
 #include "gnunet_signatures.h"
 #include "gnunet_protocols.h"
@@ -77,20 +76,20 @@ struct EphemeralKeyMessage
 {
 
   /**
-   * Message type is CORE_EPHEMERAL_KEY.
+   * Message type is #GNUNET_MESSAGE_TYPE_CORE_EPHEMERAL_KEY.
    */
   struct GNUNET_MessageHeader header;
 
   /**
-   * Status of the sender (should be in "enum PeerStateMachine"), nbo.
+   * Status of the sender (should be in `enum PeerStateMachine`), nbo.
    */
   int32_t sender_status GNUNET_PACKED;
 
   /**
-   * An ECC signature of the 'origin' asserting the validity of
-   * the given ephemeral key.
+   * An ECC signature of the @e origin_identity asserting the validity
+   * of the given ephemeral key.
    */
-  struct GNUNET_CRYPTO_EccSignature signature;
+  struct GNUNET_CRYPTO_EddsaSignature signature;
 
   /**
    * Information about what is being signed.
@@ -101,22 +100,22 @@ struct EphemeralKeyMessage
    * At what time was this key created (beginning of validity).
    */
   struct GNUNET_TIME_AbsoluteNBO creation_time;
-  
+
   /**
    * When does the given ephemeral key expire (end of validity).
    */
   struct GNUNET_TIME_AbsoluteNBO expiration_time;
 
   /**
-   * Ephemeral public ECC key (always for NIST P-521) encoded in a format suitable
-   * for network transmission as created using 'gcry_sexp_sprint'.
+   * Ephemeral public ECC key.
    */
-  struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded ephemeral_key;  
+  struct GNUNET_CRYPTO_EcdhePublicKey ephemeral_key;
 
   /**
-   * Public key of the signing peer (persistent version, not the ephemeral public key).
+   * Public key of the signing peer (persistent version, not the
+   * ephemeral public key).
    */
-  struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded origin_public_key;
+  struct GNUNET_PeerIdentity origin_identity;
 
 };
 
@@ -129,7 +128,7 @@ struct EphemeralKeyMessage
 struct PingMessage
 {
   /**
-   * Message type is CORE_PING.
+   * Message type is #GNUNET_MESSAGE_TYPE_CORE_PING.
    */
   struct GNUNET_MessageHeader header;
 
@@ -145,7 +144,7 @@ struct PingMessage
   struct GNUNET_PeerIdentity target;
 
   /**
-   * Random number chosen to make reply harder.
+   * Random number chosen to make replay harder.
    */
   uint32_t challenge GNUNET_PACKED;
 };
@@ -157,7 +156,7 @@ struct PingMessage
 struct PongMessage
 {
   /**
-   * Message type is CORE_PONG.
+   * Message type is #GNUNET_MESSAGE_TYPE_CORE_PONG.
    */
   struct GNUNET_MessageHeader header;
 
@@ -167,8 +166,7 @@ struct PongMessage
   uint32_t iv_seed GNUNET_PACKED;
 
   /**
-   * Random number to make faking the reply harder.  Must be
-   * first field after header (this is where we start to encrypt!).
+   * Random number to make replay attacks harder.
    */
   uint32_t challenge GNUNET_PACKED;
 
@@ -192,7 +190,7 @@ struct PongMessage
 struct EncryptedMessage
 {
   /**
-   * Message type is either CORE_ENCRYPTED_MESSAGE.
+   * Message type is #GNUNET_MESSAGE_TYPE_CORE_ENCRYPTED_MESSAGE.
    */
   struct GNUNET_MessageHeader header;
 
@@ -202,10 +200,11 @@ struct EncryptedMessage
   uint32_t iv_seed GNUNET_PACKED;
 
   /**
-   * MAC of the encrypted message (starting at 'sequence_number'),
+   * MAC of the encrypted message (starting at @e sequence_number),
    * used to verify message integrity. Everything after this value
-   * (excluding this value itself) will be encrypted and authenticated.
-   * ENCRYPTED_HEADER_SIZE must be set to the offset of the *next* field.
+   * (excluding this value itself) will be encrypted and
+   * authenticated.  #ENCRYPTED_HEADER_SIZE must be set to the offset
+   * of the *next* field.
    */
   struct GNUNET_HashCode hmac;
 
@@ -218,10 +217,10 @@ struct EncryptedMessage
   /**
    * Reserved, always zero.
    */
-  uint32_t reserved;
+  uint32_t reserved GNUNET_PACKED;
 
   /**
-   * Timestamp.  Used to prevent reply of ancient messages
+   * Timestamp.  Used to prevent replay of ancient messages
    * (recent messages are caught with the sequence number).
    */
   struct GNUNET_TIME_AbsoluteNBO timestamp;
@@ -231,56 +230,12 @@ GNUNET_NETWORK_STRUCT_END
 
 
 /**
- * Number of bytes (at the beginning) of "struct EncryptedMessage"
+ * Number of bytes (at the beginning) of `struct EncryptedMessage`
  * that are NOT encrypted.
  */
 #define ENCRYPTED_HEADER_SIZE (offsetof(struct EncryptedMessage, sequence_number))
 
 
-/**
- * State machine for our P2P encryption handshake.  Everyone starts in
- * "DOWN", if we receive the other peer's key (other peer initiated)
- * we start in state RECEIVED (since we will immediately send our
- * own); otherwise we start in SENT.  If we get back a PONG from
- * within either state, we move up to CONFIRMED (the PONG will always
- * be sent back encrypted with the key we sent to the other peer).
- */
-enum KxStateMachine
-{
-  /**
-   * No handshake yet.
-   */
-  KX_STATE_DOWN,
-
-  /**
-   * We've sent our session key.
-   */
-  KX_STATE_KEY_SENT,
-
-  /**
-   * We've received the other peers session key.
-   */
-  KX_STATE_KEY_RECEIVED,
-
-  /**
-   * The other peer has confirmed our session key + PING with a PONG
-   * message encrypted with his session key (which we got).  Key
-   * exchange is done.
-   */
-  KX_STATE_UP,
-
-  /**
-   * We're rekeying (or had a timeout), so we have sent the other peer
-   * our new ephemeral key, but we did not get a matching PONG yet.
-   * This is equivalent to being 'KX_STATE_KEY_RECEIVED', except that
-   * the session is marked as 'up' with sessions (as we don't want to
-   * drop and re-establish P2P connections simply due to rekeying).
-   */
-  KX_STATE_REKEY_SENT
-
-};
-
-
 /**
  * Information about the status of a key exchange with another peer.
  */
@@ -300,24 +255,39 @@ struct GSC_KeyExchangeInfo
   /**
    * Identity of the peer.
    */
-  struct GNUNET_PeerIdentity peer;
+  const struct GNUNET_PeerIdentity *peer;
+
+  /**
+   * Message queue for sending messages to @a peer.
+   */
+  struct GNUNET_MQ_Handle *mq;
+
+  /**
+   * Our message stream tokenizer (for encrypted payload).
+   */
+  struct GNUNET_MessageStreamTokenizer *mst;
 
   /**
    * PING message we transmit to the other peer.
    */
   struct PingMessage ping;
 
+  /**
+   * Ephemeral public ECC key of the other peer.
+   */
+  struct GNUNET_CRYPTO_EcdhePublicKey other_ephemeral_key;
+
   /**
    * Key we use to encrypt our messages for the other peer
    * (initialized by us when we do the handshake).
    */
-  struct GNUNET_CRYPTO_AesSessionKey encrypt_key;
+  struct GNUNET_CRYPTO_SymmetricSessionKey encrypt_key;
 
   /**
    * Key we use to decrypt messages from the other peer
    * (given to us by the other peer during the handshake).
    */
-  struct GNUNET_CRYPTO_AesSessionKey decrypt_key;
+  struct GNUNET_CRYPTO_SymmetricSessionKey decrypt_key;
 
   /**
    * At what time did the other peer generate the decryption key?
@@ -329,6 +299,11 @@ struct GSC_KeyExchangeInfo
    */
   struct GNUNET_TIME_Absolute timeout;
 
+  /**
+   * What was the last timeout we informed our monitors about?
+   */
+  struct GNUNET_TIME_Absolute last_notify_timeout;
+
   /**
    * At what frequency are we currently re-trying SET_KEY messages?
    */
@@ -337,19 +312,19 @@ struct GSC_KeyExchangeInfo
   /**
    * ID of task used for re-trying SET_KEY and PING message.
    */
-  GNUNET_SCHEDULER_TaskIdentifier retry_set_key_task;
+  struct GNUNET_SCHEDULER_Task *retry_set_key_task;
 
   /**
    * ID of task used for sending keep-alive pings.
    */
-  GNUNET_SCHEDULER_TaskIdentifier keep_alive_task;
+  struct GNUNET_SCHEDULER_Task *keep_alive_task;
 
   /**
-   * Bit map indicating which of the 32 sequence numbers before the last
-   * were received (good for accepting out-of-order packets and
+   * Bit map indicating which of the 32 sequence numbers before the
+   * last were received (good for accepting out-of-order packets and
    * estimating reliability of the connection)
    */
-  unsigned int last_packets_bitmap;
+  uint32_t last_packets_bitmap;
 
   /**
    * last sequence number received on this connection (highest)
@@ -366,39 +341,39 @@ struct GSC_KeyExchangeInfo
    */
   uint32_t ping_challenge;
 
+  /**
+   * #GNUNET_YES if this peer currently has excess bandwidth.
+   */
+  int has_excess_bandwidth;
+
   /**
    * What is our connection status?
    */
-  enum KxStateMachine status;
+  enum GNUNET_CORE_KxState status;
 
 };
 
 
+/**
+ * Transport service.
+ */
+static struct GNUNET_TRANSPORT_CoreHandle *transport;
+
 /**
  * Our private key.
  */
-static struct GNUNET_CRYPTO_EccPrivateKey *my_private_key;
+static struct GNUNET_CRYPTO_EddsaPrivateKey *my_private_key;
 
 /**
  * Our ephemeral private key.
  */
-static struct GNUNET_CRYPTO_EccPrivateKey *my_ephemeral_key;
+static struct GNUNET_CRYPTO_EcdhePrivateKey *my_ephemeral_key;
 
 /**
  * Current message we send for a key exchange.
  */
 static struct EphemeralKeyMessage current_ekm;
 
-/**
- * Our public key.
- */
-static struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded my_public_key;
-
-/**
- * Our message stream tokenizer (for encrypted payload).
- */
-static struct GNUNET_SERVER_MessageStreamTokenizer *mst;
-
 /**
  * DLL head.
  */
@@ -412,8 +387,51 @@ static struct GSC_KeyExchangeInfo *kx_tail;
 /**
  * Task scheduled for periodic re-generation (and thus rekeying) of our
  * ephemeral key.
- */ 
-static GNUNET_SCHEDULER_TaskIdentifier rekey_task;
+ */
+static struct GNUNET_SCHEDULER_Task *rekey_task;
+
+/**
+ * Notification context for broadcasting to monitors.
+ */
+static struct GNUNET_NotificationContext *nc;
+
+
+/**
+ * Calculate seed value we should use for a message.
+ *
+ * @param kx key exchange context
+ */
+static uint32_t
+calculate_seed (struct GSC_KeyExchangeInfo *kx)
+{
+  /* Note: may want to make this non-random and instead
+     derive from key material to avoid having an undetectable
+     side-channel */
+  return htonl (GNUNET_CRYPTO_random_u32
+               (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX));
+}
+
+
+/**
+ * Inform all monitors about the KX state of the given peer.
+ *
+ * @param kx key exchange state to inform about
+ */
+static void
+monitor_notify_all (struct GSC_KeyExchangeInfo *kx)
+{
+  struct MonitorNotifyMessage msg;
+
+  msg.header.type = htons (GNUNET_MESSAGE_TYPE_CORE_MONITOR_NOTIFY);
+  msg.header.size = htons (sizeof (msg));
+  msg.state = htonl ((uint32_t) kx->status);
+  msg.peer = *kx->peer;
+  msg.timeout = GNUNET_TIME_absolute_hton (kx->timeout);
+  GNUNET_notification_context_broadcast (nc,
+                                        &msg.header,
+                                        GNUNET_NO);
+  kx->last_notify_timeout = kx->timeout;
+}
 
 
 /**
@@ -425,13 +443,16 @@ static GNUNET_SCHEDULER_TaskIdentifier rekey_task;
  */
 static void
 derive_auth_key (struct GNUNET_CRYPTO_AuthKey *akey,
-                 const struct GNUNET_CRYPTO_AesSessionKey *skey, uint32_t seed)
+                 const struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
+                 uint32_t seed)
 {
   static const char ctx[] = "authentication key";
 
-  GNUNET_CRYPTO_hmac_derive_key (akey, skey, &seed, sizeof (seed), &skey->key,
-                                 sizeof (skey->key), ctx,
-                                 sizeof (ctx), NULL);
+  GNUNET_CRYPTO_hmac_derive_key (akey, skey,
+                                 &seed, sizeof (seed),
+                                 skey, sizeof (struct GNUNET_CRYPTO_SymmetricSessionKey),
+                                 ctx, sizeof (ctx),
+                                 NULL);
 }
 
 
@@ -444,16 +465,18 @@ derive_auth_key (struct GNUNET_CRYPTO_AuthKey *akey,
  * @param identity identity of the other peer to use
  */
 static void
-derive_iv (struct GNUNET_CRYPTO_AesInitializationVector *iv,
-           const struct GNUNET_CRYPTO_AesSessionKey *skey, uint32_t seed,
+derive_iv (struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
+           const struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
+           uint32_t seed,
            const struct GNUNET_PeerIdentity *identity)
 {
   static const char ctx[] = "initialization vector";
 
-  GNUNET_CRYPTO_aes_derive_iv (iv, skey, &seed, sizeof (seed),
-                               &identity->hashPubKey.bits,
-                               sizeof (identity->hashPubKey.bits), ctx,
-                               sizeof (ctx), NULL);
+  GNUNET_CRYPTO_symmetric_derive_iv (iv, skey,
+                                     &seed, sizeof (seed),
+                                    identity,
+                                    sizeof (struct GNUNET_PeerIdentity), ctx,
+                                    sizeof (ctx), NULL);
 }
 
 
@@ -467,16 +490,21 @@ derive_iv (struct GNUNET_CRYPTO_AesInitializationVector *iv,
  * @param identity identity of the other peer to use
  */
 static void
-derive_pong_iv (struct GNUNET_CRYPTO_AesInitializationVector *iv,
-                const struct GNUNET_CRYPTO_AesSessionKey *skey, uint32_t seed,
-                uint32_t challenge, const struct GNUNET_PeerIdentity *identity)
+derive_pong_iv (struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
+                const struct GNUNET_CRYPTO_SymmetricSessionKey *skey,
+                uint32_t seed,
+                uint32_t challenge,
+                const struct GNUNET_PeerIdentity *identity)
 {
   static const char ctx[] = "pong initialization vector";
 
-  GNUNET_CRYPTO_aes_derive_iv (iv, skey, &seed, sizeof (seed),
-                               &identity->hashPubKey.bits,
-                               sizeof (identity->hashPubKey.bits), &challenge,
-                               sizeof (challenge), ctx, sizeof (ctx), NULL);
+  GNUNET_CRYPTO_symmetric_derive_iv (iv, skey,
+                                     &seed, sizeof (seed),
+                                    identity,
+                                    sizeof (struct GNUNET_PeerIdentity),
+                                    &challenge, sizeof (challenge),
+                                    ctx, sizeof (ctx),
+                                    NULL);
 }
 
 
@@ -486,19 +514,19 @@ derive_pong_iv (struct GNUNET_CRYPTO_AesInitializationVector *iv,
  * @param sender peer identity of the sender
  * @param receiver peer identity of the sender
  * @param key_material high entropy key material to use
- * @param skey set to derived session key 
+ * @param skey set to derived session key
  */
 static void
 derive_aes_key (const struct GNUNET_PeerIdentity *sender,
                const struct GNUNET_PeerIdentity *receiver,
                const struct GNUNET_HashCode *key_material,
-               struct GNUNET_CRYPTO_AesSessionKey *skey)
+               struct GNUNET_CRYPTO_SymmetricSessionKey *skey)
 {
   static const char ctx[] = "aes key generation vector";
 
-  GNUNET_CRYPTO_kdf (skey, sizeof (struct GNUNET_CRYPTO_AesSessionKey),
+  GNUNET_CRYPTO_kdf (skey, sizeof (struct GNUNET_CRYPTO_SymmetricSessionKey),
                     ctx, sizeof (ctx),
-                    skey, sizeof (struct GNUNET_CRYPTO_AesSessionKey),
+                    key_material, sizeof (struct GNUNET_HashCode),
                     sender, sizeof (struct GNUNET_PeerIdentity),
                     receiver, sizeof (struct GNUNET_PeerIdentity),
                     NULL);
@@ -506,20 +534,22 @@ derive_aes_key (const struct GNUNET_PeerIdentity *sender,
 
 
 /**
- * Encrypt size bytes from in and write the result to out.  Use the
- * key for outbound traffic of the given neighbour.
+ * Encrypt size bytes from @a in and write the result to @a out.  Use the
+ * @a kx key for outbound traffic of the given neighbour.
  *
  * @param kx key information context
  * @param iv initialization vector to use
  * @param in ciphertext
  * @param out plaintext
- * @param size size of in/out
- * @return GNUNET_OK on success
+ * @param size size of @a in/@a out
+ * @return #GNUNET_OK on success
  */
 static int
 do_encrypt (struct GSC_KeyExchangeInfo *kx,
-            const struct GNUNET_CRYPTO_AesInitializationVector *iv,
-            const void *in, void *out, size_t size)
+            const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
+            const void *in,
+            void *out,
+            size_t size)
 {
   if (size != (uint16_t) size)
   {
@@ -527,70 +557,86 @@ do_encrypt (struct GSC_KeyExchangeInfo *kx,
     return GNUNET_NO;
   }
   GNUNET_assert (size ==
-                 GNUNET_CRYPTO_aes_encrypt (in, (uint16_t) size,
-                                            &kx->encrypt_key, iv, out));
-  GNUNET_STATISTICS_update (GSC_stats, gettext_noop ("# bytes encrypted"), size,
+                 GNUNET_CRYPTO_symmetric_encrypt (in,
+                                                 (uint16_t) size,
+                                                 &kx->encrypt_key,
+                                                 iv,
+                                                 out));
+  GNUNET_STATISTICS_update (GSC_stats,
+                           gettext_noop ("# bytes encrypted"),
+                           size,
                             GNUNET_NO);
   /* the following is too sensitive to write to log files by accident,
      so we require manual intervention to get this one... */
 #if 0
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
-              "Encrypted %u bytes for `%4s' using key %u, IV %u\n",
-              (unsigned int) size, GNUNET_i2s (&kx->peer),
-              (unsigned int) kx->encrypt_key.crc32, GNUNET_CRYPTO_crc32_n (iv,
-                                                                           sizeof
-                                                                           (iv)));
+              "Encrypted %u bytes for `%s' using key %u, IV %u\n",
+              (unsigned int) size,
+              GNUNET_i2s (kx->peer),
+              (unsigned int) kx->encrypt_key.crc32,
+             GNUNET_CRYPTO_crc32_n (iv,
+                                    sizeof (iv)));
 #endif
   return GNUNET_OK;
 }
 
 
 /**
- * Decrypt size bytes from in and write the result to out.  Use the
- * key for inbound traffic of the given neighbour.  This function does
- * NOT do any integrity-checks on the result.
+ * Decrypt size bytes from @a in and write the result to @a out.  Use
+ * the @a kx key for inbound traffic of the given neighbour.  This
+ * function does NOT do any integrity-checks on the result.
  *
  * @param kx key information context
  * @param iv initialization vector to use
  * @param in ciphertext
  * @param out plaintext
- * @param size size of in/out
- * @return GNUNET_OK on success
+ * @param size size of @a in / @a out
+ * @return #GNUNET_OK on success
  */
 static int
 do_decrypt (struct GSC_KeyExchangeInfo *kx,
-            const struct GNUNET_CRYPTO_AesInitializationVector *iv,
-            const void *in, void *out, size_t size)
+            const struct GNUNET_CRYPTO_SymmetricInitializationVector *iv,
+            const void *in,
+            void *out,
+            size_t size)
 {
   if (size != (uint16_t) size)
   {
     GNUNET_break (0);
     return GNUNET_NO;
   }
-  if ( (kx->status != KX_STATE_KEY_RECEIVED) && (kx->status != KX_STATE_UP) &&
-       (kx->status != KX_STATE_REKEY_SENT) )
+  if ( (kx->status != GNUNET_CORE_KX_STATE_KEY_RECEIVED) &&
+       (kx->status != GNUNET_CORE_KX_STATE_UP) &&
+       (kx->status != GNUNET_CORE_KX_STATE_REKEY_SENT) )
   {
     GNUNET_break_op (0);
     return GNUNET_SYSERR;
   }
   if (size !=
-      GNUNET_CRYPTO_aes_decrypt (in, (uint16_t) size, &kx->decrypt_key, iv,
-                                 out))
+      GNUNET_CRYPTO_symmetric_decrypt (in,
+                                       (uint16_t) size,
+                                       &kx->decrypt_key,
+                                       iv,
+                                       out))
   {
     GNUNET_break (0);
     return GNUNET_SYSERR;
   }
-  GNUNET_STATISTICS_update (GSC_stats, gettext_noop ("# bytes decrypted"), size,
+  GNUNET_STATISTICS_update (GSC_stats,
+                            gettext_noop ("# bytes decrypted"),
+                            size,
                             GNUNET_NO);
   /* the following is too sensitive to write to log files by accident,
      so we require manual intervention to get this one... */
 #if 0
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
-              "Decrypted %u bytes from `%4s' using key %u, IV %u\n",
-              (unsigned int) size, GNUNET_i2s (&kx->peer),
-              (unsigned int) kx->decrypt_key.crc32, GNUNET_CRYPTO_crc32_n (iv,
-                                                                           sizeof
-                                                                           (*iv)));
+              "Decrypted %u bytes from `%s' using key %u, IV %u\n",
+              (unsigned int) size,
+              GNUNET_i2s (kx->peer),
+              (unsigned int) kx->decrypt_key.crc32,
+              GNUNET_CRYPTO_crc32_n (iv,
+                                     sizeof
+                                     (*iv)));
 #endif
   return GNUNET_OK;
 }
@@ -606,18 +652,18 @@ send_key (struct GSC_KeyExchangeInfo *kx);
 
 
 /**
- * Task that will retry "send_key" if our previous attempt failed.
+ * Task that will retry #send_key() if our previous attempt failed.
  *
- * @param cls our 'struct GSC_KeyExchangeInfo'
- * @param tc scheduler context
+ * @param cls our `struct GSC_KeyExchangeInfo`
  */
 static void
-set_key_retry_task (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
+set_key_retry_task (void *cls)
 {
   struct GSC_KeyExchangeInfo *kx = cls;
 
-  kx->retry_set_key_task = GNUNET_SCHEDULER_NO_TASK;
+  kx->retry_set_key_task = NULL;
   kx->set_key_retry_frequency = GNUNET_TIME_STD_BACKOFF (kx->set_key_retry_frequency);
+  GNUNET_assert (GNUNET_CORE_KX_STATE_DOWN != kx->status);
   send_key (kx);
 }
 
@@ -632,74 +678,181 @@ setup_fresh_ping (struct GSC_KeyExchangeInfo *kx)
 {
   struct PingMessage pp;
   struct PingMessage *pm;
-  struct GNUNET_CRYPTO_AesInitializationVector iv;
+  struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
 
   pm = &kx->ping;
+  kx->ping_challenge = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK,
+                                                 UINT32_MAX);
   pm->header.size = htons (sizeof (struct PingMessage));
   pm->header.type = htons (GNUNET_MESSAGE_TYPE_CORE_PING);
-  pm->iv_seed =
-      GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
-  derive_iv (&iv, &kx->encrypt_key, pm->iv_seed, &kx->peer);
+  pm->iv_seed = calculate_seed (kx);
+  derive_iv (&iv,
+            &kx->encrypt_key,
+            pm->iv_seed,
+            kx->peer);
   pp.challenge = kx->ping_challenge;
-  pp.target = kx->peer;
-  do_encrypt (kx, &iv, &pp.target, &pm->target,
+  pp.target = *kx->peer;
+  do_encrypt (kx,
+             &iv,
+             &pp.target,
+             &pm->target,
               sizeof (struct PingMessage) - ((void *) &pm->target -
                                              (void *) pm));
 }
 
 
 /**
- * Start the key exchange with the given peer.
+ * Deliver P2P message to interested clients.  Invokes send twice,
+ * once for clients that want the full message, and once for clients
+ * that only want the header
+ *
+ * @param cls the `struct GSC_KeyExchangeInfo`
+ * @param m the message
+ */
+static int
+deliver_message (void *cls,
+                 const struct GNUNET_MessageHeader *m)
+{
+  struct GSC_KeyExchangeInfo *kx = cls;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Decrypted message of type %d from %s\n",
+              ntohs (m->type),
+              GNUNET_i2s (kx->peer));
+  if (GNUNET_CORE_KX_STATE_UP != kx->status)
+  {
+    GNUNET_STATISTICS_update (GSC_stats,
+                              gettext_noop ("# PAYLOAD dropped (out of order)"),
+                              1,
+                              GNUNET_NO);
+    return GNUNET_OK;
+  }
+  switch (ntohs (m->type))
+  {
+  case GNUNET_MESSAGE_TYPE_CORE_BINARY_TYPE_MAP:
+  case GNUNET_MESSAGE_TYPE_CORE_COMPRESSED_TYPE_MAP:
+    GSC_SESSIONS_set_typemap (kx->peer, m);
+    return GNUNET_OK;
+  case GNUNET_MESSAGE_TYPE_CORE_CONFIRM_TYPE_MAP:
+    GSC_SESSIONS_confirm_typemap (kx->peer, m);
+    return GNUNET_OK;
+  default:
+    GSC_CLIENTS_deliver_message (kx->peer,
+                                 m,
+                                 ntohs (m->size),
+                                 GNUNET_CORE_OPTION_SEND_FULL_INBOUND);
+    GSC_CLIENTS_deliver_message (kx->peer,
+                                 m,
+                                 sizeof (struct GNUNET_MessageHeader),
+                                 GNUNET_CORE_OPTION_SEND_HDR_INBOUND);
+  }
+  return GNUNET_OK;
+}
+
+
+/**
+ * Function called by transport to notify us that
+ * a peer connected to us (on the network level).
+ * Starts the key exchange with the given peer.
  *
+ * @param cls closure (NULL)
  * @param pid identity of the peer to do a key exchange with
  * @return key exchange information context
  */
-struct GSC_KeyExchangeInfo *
-GSC_KX_start (const struct GNUNET_PeerIdentity *pid)
+static void *
+handle_transport_notify_connect (void *cls,
+                                 const struct GNUNET_PeerIdentity *pid,
+                                struct GNUNET_MQ_Handle *mq)
 {
   struct GSC_KeyExchangeInfo *kx;
+  struct GNUNET_HashCode h1;
+  struct GNUNET_HashCode h2;
 
-  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, 
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
              "Initiating key exchange with `%s'\n",
               GNUNET_i2s (pid));
   GNUNET_STATISTICS_update (GSC_stats,
-                            gettext_noop ("# key exchanges initiated"), 1,
+                            gettext_noop ("# key exchanges initiated"),
+                            1,
                             GNUNET_NO);
-  kx = GNUNET_malloc (sizeof (struct GSC_KeyExchangeInfo));
-  kx->peer = *pid;
+  kx = GNUNET_new (struct GSC_KeyExchangeInfo);
+  kx->mst = GNUNET_MST_create (&deliver_message,
+                               kx);
+  kx->mq = mq;
+  kx->peer = pid;
   kx->set_key_retry_frequency = INITIAL_SET_KEY_RETRY_FREQUENCY;
   GNUNET_CONTAINER_DLL_insert (kx_head,
                               kx_tail,
                               kx);
-  kx->status = KX_STATE_KEY_SENT;
-  send_key (kx);
+  kx->status = GNUNET_CORE_KX_STATE_KEY_SENT;
+  monitor_notify_all (kx);
+  GNUNET_CRYPTO_hash (pid,
+                      sizeof (struct GNUNET_PeerIdentity),
+                      &h1);
+  GNUNET_CRYPTO_hash (&GSC_my_identity,
+                      sizeof (struct GNUNET_PeerIdentity),
+                      &h2);
+  if (0 < GNUNET_CRYPTO_hash_cmp (&h1,
+                                 &h2))
+  {
+    /* peer with "lower" identity starts KX, otherwise we typically end up
+       with both peers starting the exchange and transmit the 'set key'
+       message twice */
+    send_key (kx);
+  }
+  else
+  {
+    /* peer with "higher" identity starts a delayed  KX, if the "lower" peer
+     * does not start a KX since he sees no reasons to do so  */
+    kx->retry_set_key_task
+      = GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_SECONDS,
+                                     &set_key_retry_task,
+                                     kx);
+  }
   return kx;
 }
 
 
 /**
+ * Function called by transport telling us that a peer
+ * disconnected.
  * Stop key exchange with the given peer.  Clean up key material.
  *
- * @param kx key exchange to stop
+ * @param cls closure
+ * @param peer the peer that disconnected
+ * @param handler_cls the `struct GSC_KeyExchangeInfo` of the peer
  */
-void
-GSC_KX_stop (struct GSC_KeyExchangeInfo *kx)
+static void
+handle_transport_notify_disconnect (void *cls,
+                                    const struct GNUNET_PeerIdentity *peer,
+                                   void *handler_cls)
 {
-  GNUNET_STATISTICS_update (GSC_stats, gettext_noop ("# key exchanges stopped"),
-                            1, GNUNET_NO);
-  if (kx->retry_set_key_task != GNUNET_SCHEDULER_NO_TASK)
+  struct GSC_KeyExchangeInfo *kx = handler_cls;
+
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Peer `%s' disconnected from us.\n",
+              GNUNET_i2s (peer));
+  GSC_SESSIONS_end (kx->peer);
+  GNUNET_STATISTICS_update (GSC_stats,
+                           gettext_noop ("# key exchanges stopped"),
+                            1,
+                           GNUNET_NO);
+  if (NULL != kx->retry_set_key_task)
   {
     GNUNET_SCHEDULER_cancel (kx->retry_set_key_task);
-    kx->retry_set_key_task = GNUNET_SCHEDULER_NO_TASK;
+    kx->retry_set_key_task = NULL;
   }
-  if (kx->keep_alive_task != GNUNET_SCHEDULER_NO_TASK)
+  if (NULL != kx->keep_alive_task)
   {
     GNUNET_SCHEDULER_cancel (kx->keep_alive_task);
-    kx->keep_alive_task = GNUNET_SCHEDULER_NO_TASK;
+    kx->keep_alive_task = NULL;
   }
+  kx->status = GNUNET_CORE_KX_PEER_DISCONNECT;
+  monitor_notify_all (kx);
   GNUNET_CONTAINER_DLL_remove (kx_head,
                               kx_tail,
                               kx);
+  GNUNET_MST_destroy (kx->mst);
   GNUNET_free (kx);
 }
 
@@ -712,121 +865,156 @@ GSC_KX_stop (struct GSC_KeyExchangeInfo *kx)
 static void
 send_ping (struct GSC_KeyExchangeInfo *kx)
 {
-  GSC_NEIGHBOURS_transmit (&kx->peer, &kx->ping.header,
-                           MIN_PING_FREQUENCY);
+  struct GNUNET_MQ_Envelope *env;
+
+  GNUNET_STATISTICS_update (GSC_stats,
+                            gettext_noop ("# PING messages transmitted"),
+                            1,
+                            GNUNET_NO);
+  env = GNUNET_MQ_msg_copy (&kx->ping.header);
+  GNUNET_MQ_send (kx->mq,
+                 env);
 }
 
+
 /**
- * We received a SET_KEY message.  Validate and update
- * our key material and status.
+ * Derive fresh session keys from the current ephemeral keys.
  *
- * @param kx key exchange status for the corresponding peer
- * @param msg the set key message we received
+ * @param kx session to derive keys for
  */
-void
-GSC_KX_handle_ephemeral_key (struct GSC_KeyExchangeInfo *kx,
-                            const struct GNUNET_MessageHeader *msg)
+static void
+derive_session_keys (struct GSC_KeyExchangeInfo *kx)
+{
+  struct GNUNET_HashCode key_material;
+
+  if (GNUNET_OK !=
+      GNUNET_CRYPTO_ecc_ecdh (my_ephemeral_key,
+                             &kx->other_ephemeral_key,
+                             &key_material))
+  {
+    GNUNET_break (0);
+    return;
+  }
+  derive_aes_key (&GSC_my_identity,
+                 kx->peer,
+                 &key_material,
+                 &kx->encrypt_key);
+  derive_aes_key (kx->peer,
+                 &GSC_my_identity,
+                 &key_material,
+                 &kx->decrypt_key);
+  memset (&key_material, 0, sizeof (key_material));
+  /* fresh key, reset sequence numbers */
+  kx->last_sequence_number_received = 0;
+  kx->last_packets_bitmap = 0;
+  setup_fresh_ping (kx);
+}
+
+
+/**
+ * We received a #GNUNET_MESSAGE_TYPE_CORE_EPHEMERAL_KEY message.
+ * Validate and update our key material and status.
+ *
+ * @param cls key exchange status for the corresponding peer
+ * @param m the set key message we received
+ */
+static void
+handle_ephemeral_key (void *cls,
+                     const struct EphemeralKeyMessage *m)
 {
-  const struct EphemeralKeyMessage *m;
+  struct GSC_KeyExchangeInfo *kx = cls;
   struct GNUNET_TIME_Absolute start_t;
   struct GNUNET_TIME_Absolute end_t;
   struct GNUNET_TIME_Absolute now;
-  struct GNUNET_PeerIdentity signer_id;
-  enum KxStateMachine sender_status;  
-  uint16_t size;
-  struct GNUNET_HashCode key_material;
-  
-  size = ntohs (msg->size);
-  if (sizeof (struct EphemeralKeyMessage) != size)
+  enum GNUNET_CORE_KxState sender_status;
+
+  end_t = GNUNET_TIME_absolute_ntoh (m->expiration_time);
+  if ( ( (GNUNET_CORE_KX_STATE_KEY_RECEIVED == kx->status) ||
+        (GNUNET_CORE_KX_STATE_UP == kx->status) ||
+        (GNUNET_CORE_KX_STATE_REKEY_SENT == kx->status) ) &&
+       (end_t.abs_value_us < kx->foreign_key_expires.abs_value_us) )
   {
-    GNUNET_break_op (0);
+    GNUNET_STATISTICS_update (GSC_stats,
+                              gettext_noop ("# old ephemeral keys ignored"),
+                             1, GNUNET_NO);
     return;
   }
-  m = (const struct EphemeralKeyMessage *) msg;
-  GNUNET_STATISTICS_update (GSC_stats, gettext_noop ("# ephemeral keys received"),
+  start_t = GNUNET_TIME_absolute_ntoh (m->creation_time);
+
+  GNUNET_STATISTICS_update (GSC_stats,
+                            gettext_noop ("# ephemeral keys received"),
                             1, GNUNET_NO);
 
-  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
-              "Core service receives `%s' request from `%4s'.\n", "EPHEMERAL_KEY",
-              GNUNET_i2s (&kx->peer));
-  GNUNET_CRYPTO_hash (&m->origin_public_key,
-                     sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded),
-                     &signer_id.hashPubKey);
   if (0 !=
-      memcmp (&signer_id, &kx->peer,
+      memcmp (&m->origin_identity,
+             kx->peer,
               sizeof (struct GNUNET_PeerIdentity)))
-  {    
+  {
+    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                "Received EPHEMERAL_KEY from %s, but expected %s\n",
+                GNUNET_i2s (&m->origin_identity),
+                GNUNET_i2s_full (kx->peer));
     GNUNET_break_op (0);
     return;
   }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Core service receives EPHEMERAL_KEY request from `%s'.\n",
+              GNUNET_i2s (kx->peer));
   if ((ntohl (m->purpose.size) !=
        sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
        sizeof (struct GNUNET_TIME_AbsoluteNBO) +
        sizeof (struct GNUNET_TIME_AbsoluteNBO) +
-       sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded) +
-       sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded)) ||
+       sizeof (struct GNUNET_CRYPTO_EddsaPublicKey) +
+       sizeof (struct GNUNET_CRYPTO_EddsaPublicKey)) ||
       (GNUNET_OK !=
-       GNUNET_CRYPTO_ecc_verify (GNUNET_SIGNATURE_PURPOSE_SET_ECC_KEY,
-                                &m->purpose,
-                                 &m->signature, &m->origin_public_key)))
+       GNUNET_CRYPTO_eddsa_verify (GNUNET_SIGNATURE_PURPOSE_SET_ECC_KEY,
+                                   &m->purpose,
+                                   &m->signature,
+                                   &m->origin_identity.public_key)))
   {
     /* invalid signature */
     GNUNET_break_op (0);
     return;
   }
-  start_t = GNUNET_TIME_absolute_ntoh (m->creation_time);
-  end_t = GNUNET_TIME_absolute_ntoh (m->expiration_time);
   now = GNUNET_TIME_absolute_get ();
-  if ( (end_t.abs_value < GNUNET_TIME_absolute_subtract (now, REKEY_TOLERANCE).abs_value) ||
-       (start_t.abs_value > GNUNET_TIME_absolute_add (now, REKEY_TOLERANCE).abs_value) )
+  if ( (end_t.abs_value_us < GNUNET_TIME_absolute_subtract (now, REKEY_TOLERANCE).abs_value_us) ||
+       (start_t.abs_value_us > GNUNET_TIME_absolute_add (now, REKEY_TOLERANCE).abs_value_us) )
   {
     GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
-               _("Ephemeral key message rejected as its validity range does not match our system time (%llu not in [%llu,%llu]).\n"),
-               now.abs_value,
-               start_t.abs_value,
-               end_t.abs_value);
-    return;
-  }
-  if (GNUNET_OK !=
-      GNUNET_CRYPTO_ecc_ecdh (my_ephemeral_key,
-                             &m->ephemeral_key,                              
-                             &key_material))
-  {
-    GNUNET_break (0);
+               _("Ephemeral key message from peer `%s' rejected as its validity range does not match our system time (%llu not in [%llu,%llu]).\n"),
+               GNUNET_i2s (kx->peer),
+               (unsigned long long) now.abs_value_us,
+                (unsigned long long) start_t.abs_value_us,
+                (unsigned long long) end_t.abs_value_us);
     return;
   }
+  kx->other_ephemeral_key = m->ephemeral_key;
+  kx->foreign_key_expires = end_t;
+  derive_session_keys (kx);
   GNUNET_STATISTICS_update (GSC_stats,
-                            gettext_noop ("# EPHEMERAL_KEY messages decrypted"), 1,
+                            gettext_noop ("# EPHEMERAL_KEY messages received"), 1,
                             GNUNET_NO);
-  derive_aes_key (&GSC_my_identity,
-                 &kx->peer,
-                 &key_material,
-                 &kx->encrypt_key);
-  derive_aes_key (&kx->peer,
-                 &GSC_my_identity,
-                 &key_material,
-                 &kx->decrypt_key);
-  /* fresh key, reset sequence numbers */
-  kx->last_sequence_number_received = 0;
-  kx->last_packets_bitmap = 0;
-  kx->foreign_key_expires = end_t;
-  setup_fresh_ping (kx);
 
   /* check if we still need to send the sender our key */
-  sender_status = (enum KxStateMachine) ntohl (m->sender_status);  
+  sender_status = (enum GNUNET_CORE_KxState) ntohl (m->sender_status);
   switch (sender_status)
   {
-  case KX_STATE_DOWN:
-    /* makes no sense, should be at least KX_STATE_KEY_SENT */
+  case GNUNET_CORE_KX_STATE_DOWN:
     GNUNET_break_op (0);
     break;
-  case KX_STATE_KEY_SENT:
-    send_key (kx);
+  case GNUNET_CORE_KX_STATE_KEY_SENT:
+    /* fine, need to send our key after updating our status, see below */
+    GSC_SESSIONS_reinit (kx->peer);
+    break;
+  case GNUNET_CORE_KX_STATE_KEY_RECEIVED:
+    /* other peer already got our key, but typemap did go down */
+    GSC_SESSIONS_reinit (kx->peer);
+    break;
+  case GNUNET_CORE_KX_STATE_UP:
+    /* other peer already got our key, typemap NOT down */
     break;
-  case KX_STATE_KEY_RECEIVED:
-  case KX_STATE_UP: 
-  case KX_STATE_REKEY_SENT:
-    /* other peer already got our key */
+  case GNUNET_CORE_KX_STATE_REKEY_SENT:
+    /* other peer already got our key, typemap NOT down */
     break;
   default:
     GNUNET_break (0);
@@ -835,26 +1023,44 @@ GSC_KX_handle_ephemeral_key (struct GSC_KeyExchangeInfo *kx,
   /* check if we need to confirm everything is fine via PING + PONG */
   switch (kx->status)
   {
-  case KX_STATE_DOWN:
-    kx->status = KX_STATE_KEY_RECEIVED;
-    send_ping (kx);
+  case GNUNET_CORE_KX_STATE_DOWN:
+    GNUNET_assert (NULL == kx->keep_alive_task);
+    kx->status = GNUNET_CORE_KX_STATE_KEY_RECEIVED;
+    monitor_notify_all (kx);
+    if (GNUNET_CORE_KX_STATE_KEY_SENT == sender_status)
+      send_key (kx);
+    else
+      send_ping (kx);
     break;
-  case KX_STATE_KEY_SENT:
-    kx->status = KX_STATE_KEY_RECEIVED;
-    send_ping (kx);
+  case GNUNET_CORE_KX_STATE_KEY_SENT:
+    GNUNET_assert (NULL == kx->keep_alive_task);
+    kx->status = GNUNET_CORE_KX_STATE_KEY_RECEIVED;
+    monitor_notify_all (kx);
+    if (GNUNET_CORE_KX_STATE_KEY_SENT == sender_status)
+      send_key (kx);
+    else
+      send_ping (kx);
     break;
-  case KX_STATE_KEY_RECEIVED:
-    send_ping (kx);
+  case GNUNET_CORE_KX_STATE_KEY_RECEIVED:
+    GNUNET_assert (NULL == kx->keep_alive_task);
+    if (GNUNET_CORE_KX_STATE_KEY_SENT == sender_status)
+      send_key (kx);
+    else
+      send_ping (kx);
     break;
-  case KX_STATE_UP: 
-    kx->status = KX_STATE_REKEY_SENT;
-    /* we got a new key, need to reconfirm! */
-    send_ping (kx);
+  case GNUNET_CORE_KX_STATE_UP:
+    kx->status = GNUNET_CORE_KX_STATE_REKEY_SENT;
+    monitor_notify_all (kx);
+    if (GNUNET_CORE_KX_STATE_KEY_SENT == sender_status)
+      send_key (kx);
+    else
+      send_ping (kx);
     break;
-  case KX_STATE_REKEY_SENT:
-    kx->status = KX_STATE_REKEY_SENT;
-    /* we got a new key, need to reconfirm! */
-    send_ping (kx);
+  case GNUNET_CORE_KX_STATE_REKEY_SENT:
+    if (GNUNET_CORE_KX_STATE_KEY_SENT == sender_status)
+      send_key (kx);
+    else
+      send_ping (kx);
     break;
   default:
     GNUNET_break (0);
@@ -867,46 +1073,47 @@ GSC_KX_handle_ephemeral_key (struct GSC_KeyExchangeInfo *kx,
  * We received a PING message.  Validate and transmit
  * a PONG message.
  *
- * @param kx key exchange status for the corresponding peer
- * @param msg the encrypted PING message itself
+ * @param cls key exchange status for the corresponding peer
+ * @param m the encrypted PING message itself
  */
-void
-GSC_KX_handle_ping (struct GSC_KeyExchangeInfo *kx,
-                    const struct GNUNET_MessageHeader *msg)
+static void
+handle_ping (void *cls,
+            const struct PingMessage *m)
 {
-  const struct PingMessage *m;
+  struct GSC_KeyExchangeInfo *kx = cls;
   struct PingMessage t;
   struct PongMessage tx;
-  struct PongMessage tp;
-  struct GNUNET_CRYPTO_AesInitializationVector iv;
-  uint16_t msize;
+  struct PongMessage *tp;
+  struct GNUNET_MQ_Envelope *env;
+  struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
 
-  msize = ntohs (msg->size);
-  if (msize != sizeof (struct PingMessage))
-  {
-    GNUNET_break_op (0);
-    return;
-  }
   GNUNET_STATISTICS_update (GSC_stats,
-                            gettext_noop ("# PING messages received"), 1,
+                            gettext_noop ("# PING messages received"),
+                            1,
                             GNUNET_NO);
-  if ( (kx->status != KX_STATE_KEY_RECEIVED) && 
-       (kx->status != KX_STATE_UP) &&
-       (kx->status != KX_STATE_REKEY_SENT))
+  if ( (kx->status != GNUNET_CORE_KX_STATE_KEY_RECEIVED) &&
+       (kx->status != GNUNET_CORE_KX_STATE_UP) &&
+       (kx->status != GNUNET_CORE_KX_STATE_REKEY_SENT))
   {
     /* ignore */
     GNUNET_STATISTICS_update (GSC_stats,
-                             gettext_noop ("# PING messages dropped (out of order)"), 1,
+                             gettext_noop ("# PING messages dropped (out of order)"),
+                              1,
                              GNUNET_NO);
     return;
   }
-  m = (const struct PingMessage *) msg;
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
-              "Core service receives `%s' request from `%4s'.\n", "PING",
-              GNUNET_i2s (&kx->peer));
-  derive_iv (&iv, &kx->decrypt_key, m->iv_seed, &GSC_my_identity);
+              "Core service receives PING request from `%s'.\n",
+              GNUNET_i2s (kx->peer));
+  derive_iv (&iv,
+            &kx->decrypt_key,
+            m->iv_seed,
+            &GSC_my_identity);
   if (GNUNET_OK !=
-      do_decrypt (kx, &iv, &m->target, &t.target,
+      do_decrypt (kx,
+                 &iv,
+                 &m->target,
+                 &t.target,
                   sizeof (struct PingMessage) - ((void *) &m->target -
                                                  (void *) m)))
   {
@@ -914,17 +1121,18 @@ GSC_KX_handle_ping (struct GSC_KeyExchangeInfo *kx,
     return;
   }
   if (0 !=
-      memcmp (&t.target, &GSC_my_identity, sizeof (struct GNUNET_PeerIdentity)))
+      memcmp (&t.target,
+              &GSC_my_identity,
+              sizeof (struct GNUNET_PeerIdentity)))
   {
-    char sender[9];
-    char peer[9];
-
-    GNUNET_snprintf (sender, sizeof (sender), "%8s", GNUNET_i2s (&kx->peer));
-    GNUNET_snprintf (peer, sizeof (peer), "%8s", GNUNET_i2s (&t.target));
-    GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
-                _
-                ("Received PING from `%s' for different identity: I am `%s', PONG identity: `%s'\n"),
-                sender, GNUNET_i2s (&GSC_my_identity), peer);
+    if (GNUNET_CORE_KX_STATE_REKEY_SENT != kx->status)
+      GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                  "Decryption of PING from peer `%s' failed\n",
+                  GNUNET_i2s (kx->peer));
+    else
+      GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+                  "Decryption of PING from peer `%s' failed after rekey (harmless)\n",
+                  GNUNET_i2s (kx->peer));
     GNUNET_break_op (0);
     return;
   }
@@ -932,18 +1140,26 @@ GSC_KX_handle_ping (struct GSC_KeyExchangeInfo *kx,
   tx.reserved = 0;
   tx.challenge = t.challenge;
   tx.target = t.target;
-  tp.header.type = htons (GNUNET_MESSAGE_TYPE_CORE_PONG);
-  tp.header.size = htons (sizeof (struct PongMessage));
-  tp.iv_seed =
-      GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX);
-  derive_pong_iv (&iv, &kx->encrypt_key, tp.iv_seed, t.challenge, &kx->peer);
-  do_encrypt (kx, &iv, &tx.challenge, &tp.challenge,
-              sizeof (struct PongMessage) - ((void *) &tp.challenge -
-                                             (void *) &tp));
-  GNUNET_STATISTICS_update (GSC_stats, gettext_noop ("# PONG messages created"),
-                            1, GNUNET_NO);
-  GSC_NEIGHBOURS_transmit (&kx->peer, &tp.header,
-                           GNUNET_TIME_UNIT_FOREVER_REL /* FIXME: timeout */ );
+  env = GNUNET_MQ_msg (tp,
+                      GNUNET_MESSAGE_TYPE_CORE_PONG);
+  tp->iv_seed = calculate_seed (kx);
+  derive_pong_iv (&iv,
+                  &kx->encrypt_key,
+                  tp->iv_seed,
+                  t.challenge,
+                  kx->peer);
+  do_encrypt (kx,
+              &iv,
+              &tx.challenge,
+              &tp->challenge,
+              sizeof (struct PongMessage) - ((void *) &tp->challenge -
+                                             (void *) tp));
+  GNUNET_STATISTICS_update (GSC_stats,
+                            gettext_noop ("# PONG messages created"),
+                            1,
+                            GNUNET_NO);
+  GNUNET_MQ_send (kx->mq,
+                 env);
 }
 
 
@@ -951,41 +1167,45 @@ GSC_KX_handle_ping (struct GSC_KeyExchangeInfo *kx,
  * Task triggered when a neighbour entry is about to time out
  * (and we should prevent this by sending a PING).
  *
- * @param cls the 'struct GSC_KeyExchangeInfo'
- * @param tc scheduler context (not used)
+ * @param cls the `struct GSC_KeyExchangeInfo`
  */
 static void
-send_keep_alive (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
+send_keep_alive (void *cls)
 {
   struct GSC_KeyExchangeInfo *kx = cls;
   struct GNUNET_TIME_Relative retry;
   struct GNUNET_TIME_Relative left;
 
-  kx->keep_alive_task = GNUNET_SCHEDULER_NO_TASK;
+  kx->keep_alive_task = NULL;
   left = GNUNET_TIME_absolute_get_remaining (kx->timeout);
-  if (0 == left.rel_value)
+  if (0 == left.rel_value_us)
   {
     GNUNET_STATISTICS_update (GSC_stats,
                               gettext_noop ("# sessions terminated by timeout"),
-                              1, GNUNET_NO);
-    GSC_SESSIONS_end (&kx->peer);
-    kx->status = KX_STATE_KEY_SENT;
+                              1,
+                              GNUNET_NO);
+    GSC_SESSIONS_end (kx->peer);
+    kx->status = GNUNET_CORE_KX_STATE_KEY_SENT;
+    monitor_notify_all (kx);
     send_key (kx);
     return;
   }
-  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Sending KEEPALIVE to `%s'\n",
-              GNUNET_i2s (&kx->peer));
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Sending KEEPALIVE to `%s'\n",
+              GNUNET_i2s (kx->peer));
   GNUNET_STATISTICS_update (GSC_stats,
-                            gettext_noop ("# keepalive messages sent"), 1,
+                            gettext_noop ("# keepalive messages sent"),
+                            1,
                             GNUNET_NO);
   setup_fresh_ping (kx);
-  GSC_NEIGHBOURS_transmit (&kx->peer, &kx->ping.header,
-                           kx->set_key_retry_frequency);
+  send_ping (kx);
   retry =
       GNUNET_TIME_relative_max (GNUNET_TIME_relative_divide (left, 2),
                                 MIN_PING_FREQUENCY);
   kx->keep_alive_task =
-      GNUNET_SCHEDULER_add_delayed (retry, &send_keep_alive, kx);
+      GNUNET_SCHEDULER_add_delayed (retry,
+                                    &send_keep_alive,
+                                    kx);
 }
 
 
@@ -999,15 +1219,27 @@ send_keep_alive (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
 static void
 update_timeout (struct GSC_KeyExchangeInfo *kx)
 {
+  struct GNUNET_TIME_Relative delta;
+
   kx->timeout =
       GNUNET_TIME_relative_to_absolute
       (GNUNET_CONSTANTS_IDLE_CONNECTION_TIMEOUT);
-  if (kx->keep_alive_task != GNUNET_SCHEDULER_NO_TASK)
+  delta = GNUNET_TIME_absolute_get_difference (kx->last_notify_timeout,
+                                               kx->timeout);
+  if (delta.rel_value_us > 5LL * 1000LL * 1000LL)
+  {
+    /* we only notify monitors about timeout changes if those
+       are bigger than the threshold (5s) */
+    monitor_notify_all (kx);
+  }
+  if (NULL != kx->keep_alive_task)
     GNUNET_SCHEDULER_cancel (kx->keep_alive_task);
   kx->keep_alive_task =
       GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_relative_divide
                                     (GNUNET_CONSTANTS_IDLE_CONNECTION_TIMEOUT,
-                                     2), &send_keep_alive, kx);
+                                     2),
+                                    &send_keep_alive,
+                                    kx);
 }
 
 
@@ -1015,58 +1247,57 @@ update_timeout (struct GSC_KeyExchangeInfo *kx)
  * We received a PONG message.  Validate and update our status.
  *
  * @param kx key exchange context for the the PONG
- * @param msg the encrypted PONG message itself
+ * @param m the encrypted PONG message itself
  */
-void
-GSC_KX_handle_pong (struct GSC_KeyExchangeInfo *kx,
-                    const struct GNUNET_MessageHeader *msg)
+static void
+handle_pong (void *cls,
+            const struct PongMessage *m)
 {
-  const struct PongMessage *m;
+  struct GSC_KeyExchangeInfo *kx = cls;
   struct PongMessage t;
-  struct GNUNET_CRYPTO_AesInitializationVector iv;
-  uint16_t msize;
+  struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
 
-  msize = ntohs (msg->size);
-  if (sizeof (struct PongMessage) != msize)
-  {
-    GNUNET_break_op (0);
-    return;
-  }
   GNUNET_STATISTICS_update (GSC_stats,
-                            gettext_noop ("# PONG messages received"), 1,
+                            gettext_noop ("# PONG messages received"),
+                            1,
                             GNUNET_NO);
   switch (kx->status)
   {
-  case KX_STATE_DOWN:
+  case GNUNET_CORE_KX_STATE_DOWN:
     GNUNET_STATISTICS_update (GSC_stats,
                              gettext_noop ("# PONG messages dropped (connection down)"), 1,
                              GNUNET_NO);
     return;
-  case KX_STATE_KEY_SENT:
+  case GNUNET_CORE_KX_STATE_KEY_SENT:
     GNUNET_STATISTICS_update (GSC_stats,
                              gettext_noop ("# PONG messages dropped (out of order)"), 1,
                              GNUNET_NO);
     return;
-  case KX_STATE_KEY_RECEIVED:
+  case GNUNET_CORE_KX_STATE_KEY_RECEIVED:
     break;
-  case KX_STATE_UP:
+  case GNUNET_CORE_KX_STATE_UP:
     break;
-  case KX_STATE_REKEY_SENT:
+  case GNUNET_CORE_KX_STATE_REKEY_SENT:
     break;
   default:
     GNUNET_break (0);
     return;
   }
-  m = (const struct PongMessage *) msg;
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
-              "Core service receives `%s' response from `%4s'.\n", "PONG",
-              GNUNET_i2s (&kx->peer));
+              "Core service receives PONG response from `%s'.\n",
+              GNUNET_i2s (kx->peer));
   /* mark as garbage, just to be sure */
   memset (&t, 255, sizeof (t));
-  derive_pong_iv (&iv, &kx->decrypt_key, m->iv_seed, kx->ping_challenge,
+  derive_pong_iv (&iv,
+                  &kx->decrypt_key,
+                  m->iv_seed,
+                  kx->ping_challenge,
                   &GSC_my_identity);
   if (GNUNET_OK !=
-      do_decrypt (kx, &iv, &m->challenge, &t.challenge,
+      do_decrypt (kx,
+                  &iv,
+                  &m->challenge,
+                  &t.challenge,
                   sizeof (struct PongMessage) - ((void *) &m->challenge -
                                                  (void *) m)))
   {
@@ -1074,60 +1305,67 @@ GSC_KX_handle_pong (struct GSC_KeyExchangeInfo *kx,
     return;
   }
   GNUNET_STATISTICS_update (GSC_stats,
-                            gettext_noop ("# PONG messages decrypted"), 1,
+                            gettext_noop ("# PONG messages decrypted"),
+                            1,
                             GNUNET_NO);
-  if ((0 != memcmp (&t.target, &kx->peer, sizeof (struct GNUNET_PeerIdentity)))
-      || (kx->ping_challenge != t.challenge))
+  if ((0 != memcmp (&t.target,
+                    kx->peer,
+                    sizeof (struct GNUNET_PeerIdentity))) ||
+      (kx->ping_challenge != t.challenge))
   {
     /* PONG malformed */
     GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
-                "Received malformed `%s' wanted sender `%4s' with challenge %u\n",
-                "PONG", GNUNET_i2s (&kx->peer),
+                "Received malformed PONG wanted sender `%s' with challenge %u\n",
+                GNUNET_i2s (kx->peer),
                 (unsigned int) kx->ping_challenge);
     GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
-                "Received malformed `%s' received from `%4s' with challenge %u\n",
-                "PONG", GNUNET_i2s (&t.target), (unsigned int) t.challenge);
+                "Received malformed PONG received from `%s' with challenge %u\n",
+                GNUNET_i2s (&t.target),
+                (unsigned int) t.challenge);
     return;
   }
-  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Received PONG from `%s'\n",
-              GNUNET_i2s (&kx->peer));
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Received PONG from `%s'\n",
+              GNUNET_i2s (kx->peer));
   /* no need to resend key any longer */
-  if (GNUNET_SCHEDULER_NO_TASK != kx->retry_set_key_task)
+  if (NULL != kx->retry_set_key_task)
   {
     GNUNET_SCHEDULER_cancel (kx->retry_set_key_task);
-    kx->retry_set_key_task = GNUNET_SCHEDULER_NO_TASK;
-  }  
+    kx->retry_set_key_task = NULL;
+  }
   switch (kx->status)
   {
-  case KX_STATE_DOWN:
+  case GNUNET_CORE_KX_STATE_DOWN:
     GNUNET_assert (0);           /* should be impossible */
     return;
-  case KX_STATE_KEY_SENT:
+  case GNUNET_CORE_KX_STATE_KEY_SENT:
     GNUNET_assert (0);           /* should be impossible */
     return;
-  case KX_STATE_KEY_RECEIVED:
+  case GNUNET_CORE_KX_STATE_KEY_RECEIVED:
     GNUNET_STATISTICS_update (GSC_stats,
-                              gettext_noop
-                              ("# session keys confirmed via PONG"), 1,
+                              gettext_noop ("# session keys confirmed via PONG"),
+                              1,
                               GNUNET_NO);
-    kx->status = KX_STATE_UP;
-    GSC_SESSIONS_create (&kx->peer, kx);
-    GNUNET_assert (GNUNET_SCHEDULER_NO_TASK == kx->keep_alive_task);
+    kx->status = GNUNET_CORE_KX_STATE_UP;
+    monitor_notify_all (kx);
+    GSC_SESSIONS_create (kx->peer, kx);
+    GNUNET_assert (NULL == kx->keep_alive_task);
     update_timeout (kx);
     break;
-  case KX_STATE_UP:
+  case GNUNET_CORE_KX_STATE_UP:
     GNUNET_STATISTICS_update (GSC_stats,
-                              gettext_noop
-                              ("# timeouts prevented via PONG"), 1,
+                              gettext_noop ("# timeouts prevented via PONG"),
+                              1,
                               GNUNET_NO);
     update_timeout (kx);
     break;
-  case KX_STATE_REKEY_SENT:
+  case GNUNET_CORE_KX_STATE_REKEY_SENT:
     GNUNET_STATISTICS_update (GSC_stats,
-                              gettext_noop
-                              ("# rekey operations confirmed via PONG"), 1,
+                              gettext_noop ("# rekey operations confirmed via PONG"),
+                              1,
                               GNUNET_NO);
-    kx->status = KX_STATE_UP;
+    kx->status = GNUNET_CORE_KX_STATE_UP;
+    monitor_notify_all (kx);
     update_timeout (kx);
     break;
   default:
@@ -1145,22 +1383,29 @@ GSC_KX_handle_pong (struct GSC_KeyExchangeInfo *kx,
 static void
 send_key (struct GSC_KeyExchangeInfo *kx)
 {
-  if (GNUNET_SCHEDULER_NO_TASK != kx->retry_set_key_task)
+  struct GNUNET_MQ_Envelope *env;
+
+  GNUNET_assert (GNUNET_CORE_KX_STATE_DOWN != kx->status);
+  if (NULL != kx->retry_set_key_task)
   {
      GNUNET_SCHEDULER_cancel (kx->retry_set_key_task);
-     kx->retry_set_key_task = GNUNET_SCHEDULER_NO_TASK;
+     kx->retry_set_key_task = NULL;
   }
   /* always update sender status in SET KEY message */
-  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, 
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
              "Sending key to `%s' (my status: %d)\n",
-              GNUNET_i2s (&kx->peer),
+              GNUNET_i2s (kx->peer),
              kx->status);
-  current_ekm.sender_status = htonl ((int32_t) (kx->status));  
-  GSC_NEIGHBOURS_transmit (&kx->peer, &current_ekm.header,
-                           kx->set_key_retry_frequency);
+  current_ekm.sender_status = htonl ((int32_t) (kx->status));
+  env = GNUNET_MQ_msg_copy (&current_ekm.header);
+  GNUNET_MQ_send (kx->mq,
+                 env);
+  if (GNUNET_CORE_KX_STATE_KEY_SENT != kx->status)
+    send_ping (kx);
   kx->retry_set_key_task =
       GNUNET_SCHEDULER_add_delayed (kx->set_key_retry_frequency,
-                                    &set_key_retry_task, kx);
+                                    &set_key_retry_task,
+                                    kx);
 }
 
 
@@ -1169,150 +1414,169 @@ send_key (struct GSC_KeyExchangeInfo *kx)
  *
  * @param kx key exchange context
  * @param payload payload of the message
- * @param payload_size number of bytes in 'payload'
+ * @param payload_size number of bytes in @a payload
  */
 void
 GSC_KX_encrypt_and_transmit (struct GSC_KeyExchangeInfo *kx,
-                             const void *payload, size_t payload_size)
+                             const void *payload,
+                             size_t payload_size)
 {
   size_t used = payload_size + sizeof (struct EncryptedMessage);
   char pbuf[used];              /* plaintext */
-  char cbuf[used];              /* ciphertext */
   struct EncryptedMessage *em;  /* encrypted message */
   struct EncryptedMessage *ph;  /* plaintext header */
-  struct GNUNET_CRYPTO_AesInitializationVector iv;
+  struct GNUNET_MQ_Envelope *env;
+  struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
   struct GNUNET_CRYPTO_AuthKey auth_key;
 
   ph = (struct EncryptedMessage *) pbuf;
-  ph->iv_seed =
-      htonl (GNUNET_CRYPTO_random_u32
-             (GNUNET_CRYPTO_QUALITY_NONCE, UINT32_MAX));
   ph->sequence_number = htonl (++kx->last_sequence_number_sent);
+  ph->iv_seed = calculate_seed (kx);
   ph->reserved = 0;
   ph->timestamp = GNUNET_TIME_absolute_hton (GNUNET_TIME_absolute_get ());
-  memcpy (&ph[1], payload, payload_size);
-
-  em = (struct EncryptedMessage *) cbuf;
-  em->header.size = htons (used);
-  em->header.type = htons (GNUNET_MESSAGE_TYPE_CORE_ENCRYPTED_MESSAGE);
+  GNUNET_memcpy (&ph[1],
+                payload,
+                payload_size);
+  env = GNUNET_MQ_msg_extra (em,
+                            payload_size,
+                            GNUNET_MESSAGE_TYPE_CORE_ENCRYPTED_MESSAGE);
   em->iv_seed = ph->iv_seed;
-  derive_iv (&iv, &kx->encrypt_key, ph->iv_seed, &kx->peer);
+  derive_iv (&iv,
+             &kx->encrypt_key,
+             ph->iv_seed,
+             kx->peer);
   GNUNET_assert (GNUNET_OK ==
-                 do_encrypt (kx, &iv, &ph->sequence_number,
+                 do_encrypt (kx,
+                             &iv,
+                             &ph->sequence_number,
                              &em->sequence_number,
                              used - ENCRYPTED_HEADER_SIZE));
-  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Encrypted %u bytes for %s\n",
-              used - ENCRYPTED_HEADER_SIZE, GNUNET_i2s (&kx->peer));
-  derive_auth_key (&auth_key, 
-                  &kx->encrypt_key, 
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Encrypted %u bytes for %s\n",
+              (unsigned int) (used - ENCRYPTED_HEADER_SIZE),
+              GNUNET_i2s (kx->peer));
+  derive_auth_key (&auth_key,
+                  &kx->encrypt_key,
                   ph->iv_seed);
-  GNUNET_CRYPTO_hmac (&auth_key, &em->sequence_number,
-                      used - ENCRYPTED_HEADER_SIZE, &em->hmac);
-  GSC_NEIGHBOURS_transmit (&kx->peer, &em->header,
-                           GNUNET_TIME_UNIT_FOREVER_REL);
+  GNUNET_CRYPTO_hmac (&auth_key,
+                      &em->sequence_number,
+                      used - ENCRYPTED_HEADER_SIZE,
+                      &em->hmac);
+  kx->has_excess_bandwidth = GNUNET_NO;
+  GNUNET_MQ_send (kx->mq,
+                 env);
 }
 
 
 /**
- * Closure for 'deliver_message'
+ * We received an encrypted message.  Check that it is
+ * well-formed (size-wise).
+ *
+ * @param cls key exchange context for encrypting the message
+ * @param m encrypted message
+ * @return #GNUNET_OK if @a msg is well-formed (size-wise)
  */
-struct DeliverMessageContext
+static int
+check_encrypted (void *cls,
+                const struct EncryptedMessage *m)
 {
+  uint16_t size = ntohs (m->header.size) - sizeof (*m);
 
-  /**
-   * Performance information for the connection.
-   */
-  const struct GNUNET_ATS_Information *atsi;
-
-  /**
-   * Key exchange context.
-   */
-  struct GSC_KeyExchangeInfo *kx;
-
-  /**
-   * Sender of the message.
-   */
-  const struct GNUNET_PeerIdentity *peer;
-
-  /**
-   * Number of entries in 'atsi' array.
-   */
-  uint32_t atsi_count;
-};
+  if (size < sizeof (struct GNUNET_MessageHeader))
+  {
+    GNUNET_break_op (0);
+    return GNUNET_SYSERR;
+  }
+  return GNUNET_OK;
+}
 
 
 /**
  * We received an encrypted message.  Decrypt, validate and
  * pass on to the appropriate clients.
  *
- * @param kx key exchange context for encrypting the message
- * @param msg encrypted message
- * @param atsi performance data
- * @param atsi_count number of entries in ats (excluding 0-termination)
+ * @param cls key exchange context for encrypting the message
+ * @param m encrypted message
  */
-void
-GSC_KX_handle_encrypted_message (struct GSC_KeyExchangeInfo *kx,
-                                 const struct GNUNET_MessageHeader *msg,
-                                 const struct GNUNET_ATS_Information *atsi,
-                                 uint32_t atsi_count)
+static void
+handle_encrypted (void *cls,
+                 const struct EncryptedMessage *m)
 {
-  const struct EncryptedMessage *m;
+  struct GSC_KeyExchangeInfo *kx = cls;
   struct EncryptedMessage *pt;  /* plaintext */
   struct GNUNET_HashCode ph;
   uint32_t snum;
   struct GNUNET_TIME_Absolute t;
-  struct GNUNET_CRYPTO_AesInitializationVector iv;
+  struct GNUNET_CRYPTO_SymmetricInitializationVector iv;
   struct GNUNET_CRYPTO_AuthKey auth_key;
-  struct DeliverMessageContext dmc;
-  uint16_t size = ntohs (msg->size);
+  uint16_t size = ntohs (m->header.size);
   char buf[size] GNUNET_ALIGN;
 
-  if (size <
-      sizeof (struct EncryptedMessage) + sizeof (struct GNUNET_MessageHeader))
-  {
-    GNUNET_break_op (0);
-    return;
-  }
-  m = (const struct EncryptedMessage *) msg;
-  if (kx->status != KX_STATE_UP)
+  if (GNUNET_CORE_KX_STATE_UP != kx->status)
   {
     GNUNET_STATISTICS_update (GSC_stats,
-                              gettext_noop
-                              ("# DATA message dropped (out of order)"),
-                              1, GNUNET_NO);
+                              gettext_noop ("# DATA message dropped (out of order)"),
+                              1,
+                              GNUNET_NO);
     return;
   }
-  if (0 == GNUNET_TIME_absolute_get_remaining (kx->foreign_key_expires).rel_value)
+  if (0 == GNUNET_TIME_absolute_get_remaining (kx->foreign_key_expires).rel_value_us)
   {
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+               _("Session to peer `%s' went down due to key expiration (should not happen)\n"),
+               GNUNET_i2s (kx->peer));
     GNUNET_STATISTICS_update (GSC_stats,
                               gettext_noop ("# sessions terminated by key expiration"),
                               1, GNUNET_NO);
-    GSC_SESSIONS_end (&kx->peer);
-    kx->status = KX_STATE_KEY_SENT;
+    GSC_SESSIONS_end (kx->peer);
+    if (NULL != kx->keep_alive_task)
+    {
+      GNUNET_SCHEDULER_cancel (kx->keep_alive_task);
+      kx->keep_alive_task = NULL;
+    }
+    kx->status = GNUNET_CORE_KX_STATE_KEY_SENT;
+    monitor_notify_all (kx);
     send_key (kx);
     return;
   }
 
   /* validate hash */
-  derive_auth_key (&auth_key, &kx->decrypt_key, m->iv_seed);
-  GNUNET_CRYPTO_hmac (&auth_key, &m->sequence_number,
-                      size - ENCRYPTED_HEADER_SIZE, &ph);
-  if (0 != memcmp (&ph, &m->hmac, sizeof (struct GNUNET_HashCode)))
+  derive_auth_key (&auth_key,
+                   &kx->decrypt_key,
+                   m->iv_seed);
+  GNUNET_CRYPTO_hmac (&auth_key,
+                      &m->sequence_number,
+                      size - ENCRYPTED_HEADER_SIZE,
+                      &ph);
+  if (0 != memcmp (&ph,
+                   &m->hmac,
+                   sizeof (struct GNUNET_HashCode)))
   {
     /* checksum failed */
-    GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, 
-               "Failed checksum validation for a message from `%s'\n", 
-               GNUNET_i2s (&kx->peer));
+    GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+               "Failed checksum validation for a message from `%s'\n",
+               GNUNET_i2s (kx->peer));
     return;
   }
-  derive_iv (&iv, &kx->decrypt_key, m->iv_seed, &GSC_my_identity);
+  derive_iv (&iv,
+             &kx->decrypt_key,
+             m->iv_seed,
+             &GSC_my_identity);
   /* decrypt */
   if (GNUNET_OK !=
-      do_decrypt (kx, &iv, &m->sequence_number, &buf[ENCRYPTED_HEADER_SIZE],
+      do_decrypt (kx,
+                  &iv,
+                  &m->sequence_number,
+                  &buf[ENCRYPTED_HEADER_SIZE],
                   size - ENCRYPTED_HEADER_SIZE))
+  {
+    GNUNET_break_op (0);
     return;
-  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Decrypted %u bytes from %s\n",
-              size - ENCRYPTED_HEADER_SIZE, GNUNET_i2s (&kx->peer));
+  }
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Decrypted %u bytes from %s\n",
+              (unsigned int) (size - ENCRYPTED_HEADER_SIZE),
+              GNUNET_i2s (kx->peer));
   pt = (struct EncryptedMessage *) buf;
 
   /* validate sequence number */
@@ -1324,7 +1588,8 @@ GSC_KX_handle_encrypted_message (struct GSC_KeyExchangeInfo *kx,
     /* duplicate, ignore */
     GNUNET_STATISTICS_update (GSC_stats,
                               gettext_noop ("# bytes dropped (duplicates)"),
-                              size, GNUNET_NO);
+                              size,
+                              GNUNET_NO);
     return;
   }
   if ((kx->last_sequence_number_received > snum) &&
@@ -1341,7 +1606,7 @@ GSC_KX_handle_encrypted_message (struct GSC_KeyExchangeInfo *kx,
   }
   if (kx->last_sequence_number_received > snum)
   {
-    unsigned int rotbit = 1 << (kx->last_sequence_number_received - snum - 1);
+    uint32_t rotbit = 1U << (kx->last_sequence_number_received - snum - 1);
 
     if ((kx->last_packets_bitmap & rotbit) != 0)
     {
@@ -1368,12 +1633,13 @@ GSC_KX_handle_encrypted_message (struct GSC_KeyExchangeInfo *kx,
 
   /* check timestamp */
   t = GNUNET_TIME_absolute_ntoh (pt->timestamp);
-  if (GNUNET_TIME_absolute_get_duration (t).rel_value >
-      MAX_MESSAGE_AGE.rel_value)
+  if (GNUNET_TIME_absolute_get_duration (t).rel_value_us >
+      MAX_MESSAGE_AGE.rel_value_us)
   {
     GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
                 "Message received far too old (%s). Content ignored.\n",
-                GNUNET_STRINGS_relative_time_to_string (GNUNET_TIME_absolute_get_duration (t), GNUNET_YES));
+                GNUNET_STRINGS_relative_time_to_string (GNUNET_TIME_absolute_get_duration (t),
+                                                        GNUNET_YES));
     GNUNET_STATISTICS_update (GSC_stats,
                               gettext_noop
                               ("# bytes dropped (ancient message)"), size,
@@ -1385,57 +1651,37 @@ GSC_KX_handle_encrypted_message (struct GSC_KeyExchangeInfo *kx,
   update_timeout (kx);
   GNUNET_STATISTICS_update (GSC_stats,
                             gettext_noop ("# bytes of payload decrypted"),
-                            size - sizeof (struct EncryptedMessage), GNUNET_NO);
-  dmc.atsi = atsi;
-  dmc.kx = kx;
-  dmc.atsi_count = atsi_count;
-  dmc.peer = &kx->peer;
+                            size - sizeof (struct EncryptedMessage),
+                            GNUNET_NO);
   if (GNUNET_OK !=
-      GNUNET_SERVER_mst_receive (mst, &dmc,
-                                 &buf[sizeof (struct EncryptedMessage)],
-                                 size - sizeof (struct EncryptedMessage),
-                                 GNUNET_YES, GNUNET_NO))
+      GNUNET_MST_from_buffer (kx->mst,
+                              &buf[sizeof (struct EncryptedMessage)],
+                              size - sizeof (struct EncryptedMessage),
+                              GNUNET_YES,
+                              GNUNET_NO))
     GNUNET_break_op (0);
 }
 
 
 /**
- * Deliver P2P message to interested clients.
- * Invokes send twice, once for clients that want the full message, and once
- * for clients that only want the header
+ * One of our neighbours has excess bandwidth, remember this.
  *
- * @param cls always NULL
- * @param client who sent us the message (struct GSC_KeyExchangeInfo)
- * @param m the message
+ * @param cls NULL
+ * @param pid identity of the peer with excess bandwidth
+ * @param connect_cls the `struct Neighbour`
  */
-static int
-deliver_message (void *cls, void *client, const struct GNUNET_MessageHeader *m)
+static void
+handle_transport_notify_excess_bw (void *cls,
+                                   const struct GNUNET_PeerIdentity *pid,
+                                  void *connect_cls)
 {
-  struct DeliverMessageContext *dmc = client;
+  struct GSC_KeyExchangeInfo *kx = connect_cls;
 
-  if (KX_STATE_UP != dmc->kx->status)
-  {
-    GNUNET_STATISTICS_update (GSC_stats,
-                              gettext_noop
-                              ("# PAYLOAD dropped (out of order)"),
-                              1, GNUNET_NO);
-    return GNUNET_OK;
-  }
-  switch (ntohs (m->type))
-  {
-  case GNUNET_MESSAGE_TYPE_CORE_BINARY_TYPE_MAP:
-  case GNUNET_MESSAGE_TYPE_CORE_COMPRESSED_TYPE_MAP:
-    GSC_SESSIONS_set_typemap (dmc->peer, m);
-    return GNUNET_OK;
-  default:
-    GSC_CLIENTS_deliver_message (dmc->peer, dmc->atsi, dmc->atsi_count, m,
-                                 ntohs (m->size),
-                                 GNUNET_CORE_OPTION_SEND_FULL_INBOUND);
-    GSC_CLIENTS_deliver_message (dmc->peer, dmc->atsi, dmc->atsi_count, m,
-                                 sizeof (struct GNUNET_MessageHeader),
-                                 GNUNET_CORE_OPTION_SEND_HDR_INBOUND);
-  }
-  return GNUNET_OK;
+  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+              "Peer %s has excess bandwidth available\n",
+              GNUNET_i2s (pid));
+  kx->has_excess_bandwidth = GNUNET_YES;
+  GSC_SESSIONS_solicit (pid);
 }
 
 
@@ -1453,18 +1699,28 @@ sign_ephemeral_key ()
   current_ekm.purpose.size = htonl (sizeof (struct GNUNET_CRYPTO_EccSignaturePurpose) +
                                    sizeof (struct GNUNET_TIME_AbsoluteNBO) +
                                    sizeof (struct GNUNET_TIME_AbsoluteNBO) +
-                                   sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded) +
-                                   sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded));
+                                   sizeof (struct GNUNET_CRYPTO_EcdhePublicKey) +
+                                   sizeof (struct GNUNET_PeerIdentity));
   current_ekm.creation_time = GNUNET_TIME_absolute_hton (GNUNET_TIME_absolute_get ());
-  current_ekm.expiration_time = GNUNET_TIME_absolute_hton (GNUNET_TIME_relative_to_absolute (GNUNET_TIME_relative_add (REKEY_FREQUENCY,
-                                                                                                                      REKEY_TOLERANCE)));
-  GNUNET_CRYPTO_ecc_key_get_public (my_ephemeral_key,
-                                   &current_ekm.ephemeral_key);
-  current_ekm.origin_public_key = my_public_key;
+  if (GNUNET_YES ==
+      GNUNET_CONFIGURATION_get_value_yesno (GSC_cfg,
+                                           "core",
+                                           "USE_EPHEMERAL_KEYS"))
+  {
+    current_ekm.expiration_time = GNUNET_TIME_absolute_hton (GNUNET_TIME_relative_to_absolute (GNUNET_TIME_relative_add (REKEY_FREQUENCY,
+                                                                                                                        REKEY_TOLERANCE)));
+  }
+  else
+  {
+    current_ekm.expiration_time = GNUNET_TIME_absolute_hton (GNUNET_TIME_UNIT_FOREVER_ABS);
+  }
+  GNUNET_CRYPTO_ecdhe_key_get_public (my_ephemeral_key,
+                                      &current_ekm.ephemeral_key);
+  current_ekm.origin_identity = GSC_my_identity;
   GNUNET_assert (GNUNET_OK ==
-                GNUNET_CRYPTO_ecc_sign (my_private_key,
-                                        &current_ekm.purpose,
-                                        &current_ekm.signature));
+                GNUNET_CRYPTO_eddsa_sign (my_private_key,
+                                           &current_ekm.purpose,
+                                          &current_ekm.signature));
 }
 
 
@@ -1472,11 +1728,9 @@ sign_ephemeral_key ()
  * Task run to trigger rekeying.
  *
  * @param cls closure, NULL
- * @param tc scheduler context
  */
 static void
-do_rekey (void *cls,
-         const struct GNUNET_SCHEDULER_TaskContext *tc)
+do_rekey (void *cls)
 {
   struct GSC_KeyExchangeInfo *pos;
 
@@ -1484,13 +1738,26 @@ do_rekey (void *cls,
                                             &do_rekey,
                                             NULL);
   if (NULL != my_ephemeral_key)
-    GNUNET_CRYPTO_ecc_key_free (my_ephemeral_key);
-  my_ephemeral_key = GNUNET_CRYPTO_ecc_key_create ();
+    GNUNET_free (my_ephemeral_key);
+  GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+              "Rekeying\n");
+  my_ephemeral_key = GNUNET_CRYPTO_ecdhe_key_create ();
   GNUNET_assert (NULL != my_ephemeral_key);
   sign_ephemeral_key ();
   for (pos = kx_head; NULL != pos; pos = pos->next)
   {
-    pos->status = KX_STATE_REKEY_SENT;
+    if (GNUNET_CORE_KX_STATE_UP == pos->status)
+    {
+      pos->status = GNUNET_CORE_KX_STATE_REKEY_SENT;
+      monitor_notify_all (pos);
+      derive_session_keys (pos);
+    }
+    if (GNUNET_CORE_KX_STATE_DOWN == pos->status)
+    {
+      pos->status = GNUNET_CORE_KX_STATE_KEY_SENT;
+      monitor_notify_all (pos);
+    }
+    monitor_notify_all (pos);
     send_key (pos);
   }
 }
@@ -1500,29 +1767,60 @@ do_rekey (void *cls,
  * Initialize KX subsystem.
  *
  * @param pk private key to use for the peer
- * @return GNUNET_OK on success, GNUNET_SYSERR on failure
+ * @return #GNUNET_OK on success, #GNUNET_SYSERR on failure
  */
 int
-GSC_KX_init (struct GNUNET_CRYPTO_EccPrivateKey *pk)
+GSC_KX_init (struct GNUNET_CRYPTO_EddsaPrivateKey *pk)
 {
-  GNUNET_assert (NULL != pk);
+  struct GNUNET_MQ_MessageHandler handlers[] = {
+    GNUNET_MQ_hd_fixed_size (ephemeral_key,
+                             GNUNET_MESSAGE_TYPE_CORE_EPHEMERAL_KEY,
+                             struct EphemeralKeyMessage,
+                             NULL),
+    GNUNET_MQ_hd_fixed_size (ping,
+                             GNUNET_MESSAGE_TYPE_CORE_PING,
+                             struct PingMessage,
+                             NULL),
+    GNUNET_MQ_hd_fixed_size (pong,
+                             GNUNET_MESSAGE_TYPE_CORE_PONG,
+                             struct PongMessage,
+                             NULL),
+    GNUNET_MQ_hd_var_size (encrypted,
+                           GNUNET_MESSAGE_TYPE_CORE_ENCRYPTED_MESSAGE,
+                           struct EncryptedMessage,
+                           NULL),
+    GNUNET_MQ_handler_end()
+  };
+
   my_private_key = pk;
-  GNUNET_CRYPTO_ecc_key_get_public (my_private_key, &my_public_key);
-  GNUNET_CRYPTO_hash (&my_public_key, sizeof (my_public_key),
-                      &GSC_my_identity.hashPubKey);
-  my_ephemeral_key = GNUNET_CRYPTO_ecc_key_create ();
+  GNUNET_CRYPTO_eddsa_key_get_public (my_private_key,
+                                      &GSC_my_identity.public_key);
+  my_ephemeral_key = GNUNET_CRYPTO_ecdhe_key_create ();
   if (NULL == my_ephemeral_key)
   {
     GNUNET_break (0);
-    GNUNET_CRYPTO_ecc_key_free (my_private_key);
+    GNUNET_free (my_private_key);
     my_private_key = NULL;
     return GNUNET_SYSERR;
   }
   sign_ephemeral_key ();
-  mst = GNUNET_SERVER_mst_create (&deliver_message, NULL);
+  nc = GNUNET_notification_context_create (1);
   rekey_task = GNUNET_SCHEDULER_add_delayed (REKEY_FREQUENCY,
-                                            &do_rekey,
-                                            NULL);
+                                             &do_rekey,
+                                             NULL);
+  transport
+    = GNUNET_TRANSPORT_core_connect (GSC_cfg,
+                                    &GSC_my_identity,
+                                    handlers,
+                                    NULL,
+                                    &handle_transport_notify_connect,
+                                    &handle_transport_notify_disconnect,
+                                    &handle_transport_notify_excess_bw);
+  if (NULL == transport)
+  {
+    GSC_KX_done ();
+    return GNUNET_SYSERR;
+  }
   return GNUNET_OK;
 }
 
@@ -1533,26 +1831,97 @@ GSC_KX_init (struct GNUNET_CRYPTO_EccPrivateKey *pk)
 void
 GSC_KX_done ()
 {
-  if (GNUNET_SCHEDULER_NO_TASK != rekey_task)
+  if (NULL != transport)
+  {
+    GNUNET_TRANSPORT_core_disconnect (transport);
+    transport = NULL;
+  }
+  if (NULL != rekey_task)
   {
     GNUNET_SCHEDULER_cancel (rekey_task);
-    rekey_task = GNUNET_SCHEDULER_NO_TASK;
+    rekey_task = NULL;
+  }
+  if (NULL != my_ephemeral_key)
+  {
+    GNUNET_free (my_ephemeral_key);
+    my_ephemeral_key = NULL;
   }
   if (NULL != my_private_key)
   {
-    GNUNET_CRYPTO_ecc_key_free (my_private_key);
+    GNUNET_free (my_private_key);
     my_private_key = NULL;
   }
-  if (NULL != my_ephemeral_key)
+  if (NULL != nc)
   {
-    GNUNET_CRYPTO_ecc_key_free (my_ephemeral_key);
-    my_ephemeral_key = NULL;
+    GNUNET_notification_context_destroy (nc);
+    nc = NULL;
   }
-  if (NULL != mst)
+}
+
+
+ /**
+ * Check how many messages are queued for the given neighbour.
+ *
+ * @param kxinfo data about neighbour to check
+ * @return number of items in the message queue
+ */
+unsigned int
+GSC_NEIGHBOURS_get_queue_length (const struct GSC_KeyExchangeInfo *kxinfo)
+{
+  return GNUNET_MQ_get_length (kxinfo->mq);
+}
+
+
+/**
+ * Check if the given neighbour has excess bandwidth available.
+ *
+ * @param target neighbour to check
+ * @return #GNUNET_YES if excess bandwidth is available, #GNUNET_NO if not
+ */
+int
+GSC_NEIGHBOURS_check_excess_bandwidth (const struct GSC_KeyExchangeInfo *kxinfo)
+{
+  return kxinfo->has_excess_bandwidth;
+}
+
+
+/**
+ * Handle #GNUNET_MESSAGE_TYPE_CORE_MONITOR_PEERS request.  For this
+ * request type, the client does not have to have transmitted an INIT
+ * request.  All current peers are returned, regardless of which
+ * message types they accept.
+ *
+ * @param mq message queue to add for monitoring
+ */
+void
+GSC_KX_handle_client_monitor_peers (struct GNUNET_MQ_Handle *mq)
+{
+  struct GNUNET_MQ_Envelope *env;
+  struct MonitorNotifyMessage *done_msg;
+  struct GSC_KeyExchangeInfo *kx;
+
+  GNUNET_notification_context_add (nc,
+                                  mq);
+  for (kx = kx_head; NULL != kx; kx = kx->next)
   {
-    GNUNET_SERVER_mst_destroy (mst);
-    mst = NULL;
+    struct GNUNET_MQ_Envelope *env;
+    struct MonitorNotifyMessage *msg;
+
+    env = GNUNET_MQ_msg (msg,
+                        GNUNET_MESSAGE_TYPE_CORE_MONITOR_NOTIFY);
+    msg->state = htonl ((uint32_t) kx->status);
+    msg->peer = *kx->peer;
+    msg->timeout = GNUNET_TIME_absolute_hton (kx->timeout);
+    GNUNET_MQ_send (mq,
+                   env);
   }
+  env = GNUNET_MQ_msg (done_msg,
+                      GNUNET_MESSAGE_TYPE_CORE_MONITOR_NOTIFY);
+  done_msg->state = htonl ((uint32_t) GNUNET_CORE_KX_ITERATION_FINISHED);
+  done_msg->timeout = GNUNET_TIME_absolute_hton (GNUNET_TIME_UNIT_FOREVER_ABS);
+  GNUNET_MQ_send (mq,
+                 env);
 }
 
+
 /* end of gnunet-service-core_kx.c */