[stegotorus/master] Revise chop.cc to be closer to what the paper says it does: - tor-commits

20 Jul 2012

commit 49302db0cd095bbc02c631e1628542f4d8b003a9
Author: Zack Weinberg zackw@panix.com
Date:   Sat Mar 24 20:27:50 2012 -0700
Revise chop.cc to be closer to what the paper says it does:
* new block format
    * 32-bit circuit IDs
    * separate header and payload encryption
    * sequence numbers count by block, not byte
Still to do:
* proper handshakes
    * rekeying
    * "exactly what steg wants" block padding
---
 src/crypt.cc         |    4 +-
 src/protocol/chop.cc | 2059 +++++++++++++++++++++++++-------------------------
 2 files changed, 1038 insertions(+), 1025 deletions(-)

diff --git a/src/crypt.cc b/src/crypt.cc
index d6eed49..e81e8d4 100644
--- a/src/crypt.cc
+++ b/src/crypt.cc
@@ -273,9 +273,7 @@ key_generator::from_passphrase(const uint8_t *phra, size_t plen,
     // to just feed its output directly to the HKDF-Expand phase; an
     // alternative would be to run PBKDF2 on the passphrase without a
     // salt, then put the result through HKDF-Extract with the salt.
-    //
-    // 1000 iterations or 50 ms, whichever is more
-    extractor.DeriveKey(prk, SHA256_LEN, 0, phra, plen, salt, slen, 1000, 0.05);
+    extractor.DeriveKey(prk, SHA256_LEN, 0, phra, plen, salt, slen, 1000);
key_generator *r = new key_generator_impl(prk, ctxt, clen);
     memset(prk, 0, SHA256_LEN);
diff --git a/src/protocol/chop.cc b/src/protocol/chop.cc
index b4ec692..e81214a 100644
--- a/src/protocol/chop.cc
+++ b/src/protocol/chop.cc
@@ -1,10 +1,9 @@
-/* Copyright 2011 Zack Weinberg
+/* Copyright 2011, 2012 Zack Weinberg
    See LICENSE for other credits and copying information
The chopper is the core StegoTorus protocol implementation.
-   For its design, see doc/chopper.tex.  Note that it is still
-   being implemented, and many things that are *intended* to change
-   from the toy "roundrobin" protocol have not yet changed.  */
+   For its design, see doc/chopper.txt.  Note that it is still
+   being implemented, and may change incompatibly.  */
#include "util.h"
 #include "connections.h"
@@ -20,805 +19,363 @@
 #include <event2/event.h>
 #include <event2/buffer.h>
+#ifdef HAVE_EXECINFO_H
+#include <execinfo.h>
+#endif
+
 using std::tr1::unordered_map;
 using std::tr1::unordered_set;
 using std::vector;
+using std::make_pair;
-/* Header serialization and deserialization */
-
-struct chop_header
+namespace
 {
-  uint64_t ckt_id;
-  uint8_t  pkt_iv[8];
-  uint32_t offset;
-  uint16_t length;
-  uint16_t flags;
-};
-
-#define CHOP_WIRE_HDR_LEN (sizeof(struct chop_header))
-#define CHOP_BLOCK_OVERHD (CHOP_WIRE_HDR_LEN + GCM_TAG_LEN)
-#define CHOP_MAX_DATA (65535 - CHOP_BLOCK_OVERHD)
-#define CHOP_MAX_CHAFF 2048
-#define CHOP_F_SYN   0x0001
-#define CHOP_F_FIN   0x0002
-#define CHOP_F_CHAFF 0x0004
-/* further flags values are reserved */
-
-/* Reassembly queue.  This is a doubly-linked circular list with a
-   sentinel element at the head (identified by data == 0).  List
-   entries are sorted by offset.  Gaps in so-far-received data
-   are "in between" entries in the list.  */
-
-struct chop_reassembly_elt
+/* Packets on the wire have a 16-byte header, consisting of a 32-bit
+   sequence number, two 16-bit length fields ("D" and "P"), an 8-bit
+   opcode ("F"), and a 56-bit check field.  All numbers in this header
+   are serialized in network byte order.
+
+   | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
+   |Sequence Number|   D   |   P   | F |           Check           |
+
+   The header is encrypted with AES in ECB mode: this is safe because
+   the header is exactly one AES block long, the sequence number is
+   never repeated, the header-encryption key is not used for anything
+   else, and the high 24 bits of the sequence number, plus the check
+   field, constitute an 80-bit MAC.  The receiver maintains a
+   256-element sliding window of acceptable sequence numbers, which
+   begins one after the highest sequence number so far _processed_
+   (not received).  If the sequence number is outside this window, or
+   the check field is not all-bits-zero, the packet is discarded.  An
+   attacker's odds of being able to manipulate the D, P, or F fields
+   or the low bits of the sequence number are therefore less than one
+   in 2^80.  Unlike TCP, our sequence numbers always start at zero on
+   a new (or freshly rekeyed) circuit, and increment by one per
+   _block_, not per byte of data.  Furthermore, they do not wrap: a
+   rekeying cycle (which resets the sequence number) is required to
+   occur before the highest-received sequence number reaches 2^32.
+
+   Following the header are two variable-length payload sections,
+   "data" and "padding", whose length in bytes are given by the D and
+   P fields, respectively.  These sections are encrypted, using a
+   different key, with AES in GCM mode.  The *encrypted* packet header
+   doubles as the GCM nonce.  The semantics of the "data" section's
+   contents, if any, are defined by the opcode F.  The "padding"
+   section SHOULD be filled with zeroes by the sender; regardless, its
+   contents MUST be ignored by the receiver.  Following these sections
+   is a 16-byte GCM authentication tag, computed over the data and
+   padding sections only, NOT the message header.  */
+
+const size_t HEADER_LEN = 16;
+const size_t TRAILER_LEN = 16;
+const size_t SECTION_LEN = UINT16_MAX;
+const size_t MIN_BLOCK_SIZE = HEADER_LEN + TRAILER_LEN;
+const size_t MAX_BLOCK_SIZE = MIN_BLOCK_SIZE + SECTION_LEN*2;
+
+enum opcode_t
 {
-  struct chop_reassembly_elt *prev;
-  struct chop_reassembly_elt *next;
-  struct evbuffer *data;
-  uint32_t offset;
-  uint16_t length;
-  uint16_t flags;
+  op_DAT = 0,       // Pass data section along to upstream
+  op_FIN = 1,       // No further transmissions (pass data along if any)
+  op_RST = 2,       // Protocol error, close circuit now
+  op_RK1 = 3,       // Commence rekeying
+  op_RK2 = 4,       // Continue rekeying
+  op_RK3 = 5,       // Conclude rekeying
+  op_RESERVED0 = 6, // 6 -- 127 reserved for future definition
+  op_STEG0 = 128,   // 128 -- 255 reserved for steganography modules
+  op_LAST = 255
 };
-/* Horrifically crude "encryption".  Uses a compiled-in pair of
-   encryption keys, no MAC, and recycles the circuit ID as a
-   partial IV.  To be replaced with something less laughable ASAP. */
-
-static const uint8_t c2s_key[] =
-  "\x44\x69\x5f\x45\x41\x67\xe9\x69\x14\x6c\x5f\xd2\x41\x63\xc4\x02";
-static const uint8_t s2c_key[] =
-  "\xfa\x31\x78\x6c\xb9\x4c\x66\x2a\xd0\x30\x59\xf7\x28\x22\x2f\x22";
-
-/* Connections and circuits */
-
-namespace {
-  struct chop_config_t;
-  struct chop_circuit_t;
-  typedef unordered_map<uint64_t, chop_circuit_t *> chop_circuit_table;
-
-  struct chop_conn_t : conn_t
-  {
-    chop_config_t *config;
-    chop_circuit_t *upstream;
-    steg_t *steg;
-    struct evbuffer *recv_pending;
-    struct event *must_transmit_timer;
-    bool no_more_transmissions : 1;
-
-    CONN_DECLARE_METHODS(chop);
-  };
+class block_header
+{
+  uint8_t clear[16];
+  uint8_t ciphr[16];
-  struct chop_circuit_t : circuit_t
+public:
+  block_header(uint32_t s, uint16_t d, uint16_t p, opcode_t f,
+               ecb_encryptor &ec)
   {
-    chop_reassembly_elt reassembly_queue;
-    unordered_set<chop_conn_t *> downstreams;
-    gcm_encryptor *send_crypt;
-    gcm_decryptor *recv_crypt;
-    chop_config_t *config;
-
-    uint64_t circuit_id;
-    uint32_t send_offset;
-    uint32_t recv_offset;
-    uint32_t dead_cycles;
-    bool received_syn : 1;
-    bool received_fin : 1;
-    bool sent_syn : 1;
-    bool sent_fin : 1;
-    bool upstream_eof : 1;
-
-    CIRCUIT_DECLARE_METHODS(chop);
-
-    uint32_t axe_interval() {
-      // This function must always return a number which is larger than
-      // the maximum possible number that *our peer's* flush_interval()
-      // could have returned; otherwise, we might axe the connection when
-      // it was just that there was nothing to say for a while.
-      // For simplicity's sake, right now we hardwire this to be 30 minutes.
-      return 30 * 60 * 1000;
-    }
-    uint32_t flush_interval() {
-      // 10*60*1000 lies between 2^19 and 2^20.
-      uint32_t shift = std::max(1u, std::min(19u, dead_cycles));
-      uint32_t xv = std::max(1u, std::min(10u * 60 * 1000, 1u << shift));
-      return rng_range_geom(20 * 60 * 1000, xv) + 100;
+    if (f > op_LAST || (f >= op_RESERVED0 && f < op_STEG0)) {
+      memset(clear, 0xFF, sizeof clear); // invalid!
+      memset(ciphr, 0xFF, sizeof ciphr);
+      return;
     }
-  };
-
-  struct chop_config_t : config_t
-  {
-    struct evutil_addrinfo *up_address;
-    vector<struct evutil_addrinfo *> down_addresses;
-    vector<const char *> steg_targets;
-    chop_circuit_table circuits;
-    CONFIG_DECLARE_METHODS(chop);
-  };
-}
-
-PROTO_DEFINE_MODULE(chop);
+    // sequence number
+    clear[0] = (s >> 24) & 0xFF;
+    clear[1] = (s >> 16) & 0xFF;
+    clear[2] = (s >>  8) & 0xFF;
+    clear[3] = (s      ) & 0xFF;
-/* Header serialization and deserialization */
+    // D field
+    clear[4] = (d >>  8) & 0xFF;
+    clear[5] = (d      ) & 0xFF;
-static void
-chop_write_header(uint8_t *wire_header, const struct chop_header *hdr)
-{
-  /* bits on the wire are in network byte order */
-  wire_header[ 0] = (hdr->ckt_id & 0xFF00000000000000ull) >> 56;
-  wire_header[ 1] = (hdr->ckt_id & 0x00FF000000000000ull) >> 48;
-  wire_header[ 2] = (hdr->ckt_id & 0x0000FF0000000000ull) >> 40;
-  wire_header[ 3] = (hdr->ckt_id & 0x000000FF00000000ull) >> 32;
-  wire_header[ 4] = (hdr->ckt_id & 0x00000000FF000000ull) >> 24;
-  wire_header[ 5] = (hdr->ckt_id & 0x0000000000FF0000ull) >> 16;
-  wire_header[ 6] = (hdr->ckt_id & 0x000000000000FF00ull) >>  8;
-  wire_header[ 7] = (hdr->ckt_id & 0x00000000000000FFull) >>  0;
-
-  wire_header[ 8] = hdr->pkt_iv[0];
-  wire_header[ 9] = hdr->pkt_iv[1];
-  wire_header[10] = hdr->pkt_iv[2];
-  wire_header[11] = hdr->pkt_iv[3];
-  wire_header[12] = hdr->pkt_iv[4];
-  wire_header[13] = hdr->pkt_iv[5];
-  wire_header[14] = hdr->pkt_iv[6];
-  wire_header[15] = hdr->pkt_iv[7];
-
-  wire_header[16] = (hdr->offset & 0xFF000000u) >> 24;
-  wire_header[17] = (hdr->offset & 0x00FF0000u) >> 16;
-  wire_header[18] = (hdr->offset & 0x0000FF00u) >>  8;
-  wire_header[19] = (hdr->offset & 0x000000FFu) >>  0;
-
-  wire_header[20] = (hdr->length & 0xFF00u) >> 8;
-  wire_header[21] = (hdr->length & 0x00FFu) >> 0;
-  wire_header[22] = (hdr->flags  & 0xFF00u) >> 8;
-  wire_header[23] = (hdr->flags  & 0x00FFu) >> 0;
-}
+    // P field
+    clear[6] = (p >>  8) & 0xFF;
+    clear[7] = (p      ) & 0xFF;
-static int
-chop_peek_circuit_id(struct evbuffer *buf, struct chop_header *hdr)
-{
-  uint8_t wire_id[8];
-  if (evbuffer_copyout(buf, wire_id, 8) != 8)
-    return -1;
-  hdr->ckt_id = ((((uint64_t)wire_id[ 0]) << 56) +
-                 (((uint64_t)wire_id[ 1]) << 48) +
-                 (((uint64_t)wire_id[ 2]) << 40) +
-                 (((uint64_t)wire_id[ 3]) << 32) +
-                 (((uint64_t)wire_id[ 4]) << 24) +
-                 (((uint64_t)wire_id[ 5]) << 16) +
-                 (((uint64_t)wire_id[ 6]) <<  8) +
-                 (((uint64_t)wire_id[ 7]) <<  0));
-  return 0;
-}
+    // F field
+    clear[8] = uint8_t(f);
-static int
-chop_decrypt_header(chop_circuit_t *ckt,
-                    struct evbuffer *buf,
-                    struct chop_header *hdr)
-{
-  uint8_t wire_header[CHOP_WIRE_HDR_LEN];
-  uint8_t decoded_header[CHOP_WIRE_HDR_LEN-16];
+    // Check field
+    memset(clear + 9, 0, 7);
-  if (evbuffer_copyout(buf, wire_header, CHOP_WIRE_HDR_LEN)
-      != CHOP_WIRE_HDR_LEN) {
-    log_warn("not enough data copied out");
-    return -1;
+    ec.encrypt(ciphr, clear);
   }
-  hdr->ckt_id = ((((uint64_t)wire_header[ 0]) << 56) +
-                 (((uint64_t)wire_header[ 1]) << 48) +
-                 (((uint64_t)wire_header[ 2]) << 40) +
-                 (((uint64_t)wire_header[ 3]) << 32) +
-                 (((uint64_t)wire_header[ 4]) << 24) +
-                 (((uint64_t)wire_header[ 5]) << 16) +
-                 (((uint64_t)wire_header[ 6]) <<  8) +
-                 (((uint64_t)wire_header[ 7]) <<  0));
-
-  hdr->pkt_iv[0] = wire_header[ 8];
-  hdr->pkt_iv[1] = wire_header[ 9];
-  hdr->pkt_iv[2] = wire_header[10];
-  hdr->pkt_iv[3] = wire_header[11];
-  hdr->pkt_iv[4] = wire_header[12];
-  hdr->pkt_iv[5] = wire_header[13];
-  hdr->pkt_iv[6] = wire_header[14];
-  hdr->pkt_iv[7] = wire_header[15];
-
-  /* The full IV is the circuit ID plus packet ID *as it is on the
-     wire*. */
-  ckt->recv_crypt->decrypt_unchecked(decoded_header,
-                                     wire_header + 16, CHOP_WIRE_HDR_LEN - 16,
-                                     wire_header, 16);
-
-  hdr->offset = ((((uint32_t)decoded_header[0]) << 24) +
-                 (((uint32_t)decoded_header[1]) << 16) +
-                 (((uint32_t)decoded_header[2]) <<  8) +
-                 (((uint32_t)decoded_header[3]) <<  0));
-
-  hdr->length = ((((uint16_t)decoded_header[4]) << 8) +
-                 (((uint16_t)decoded_header[5]) << 0));
-
-  hdr->flags  = ((((uint16_t)decoded_header[6]) <<  8) +
-                 (((uint16_t)decoded_header[7]) <<  0));
-
-  log_debug("decoded offset %u length %hu flags %04hx",
-            hdr->offset, hdr->length, hdr->flags);
-  return 0;
-}
-
-/* Transmit subroutines. */
-
-static chop_conn_t *
-chop_pick_connection(chop_circuit_t *ckt, size_t desired, size_t *blocksize)
-{
-  size_t maxbelow = 0;
-  size_t minabove = SIZE_MAX;
-  chop_conn_t *targbelow = NULL;
-  chop_conn_t *targabove = NULL;
-
-  if (desired > CHOP_MAX_DATA)
-    desired = CHOP_MAX_DATA;
-
-  /* Find the best fit for the desired transmission from all the
-     outbound connections' transmit rooms. */
-  for (unordered_set<chop_conn_t *>::iterator i = ckt->downstreams.begin();
-       i != ckt->downstreams.end(); i++) {
-    chop_conn_t *conn = *i;
-    /* We can only use candidates that have a steg target already. */
-    if (conn->steg) {
-      /* Find the connections whose transmit rooms are closest to the
-         desired transmission length from both directions. */
-      size_t room = conn->steg->transmit_room(conn);
-      log_debug(conn, "offers %lu bytes (%s)", (unsigned long)room,
-                conn->steg->name());
-
-      if (room <= CHOP_BLOCK_OVERHD)
-	room = 0;
-      else
-	room -= CHOP_BLOCK_OVERHD;
-
-      if (room > CHOP_MAX_DATA)
-        room = CHOP_MAX_DATA;
-
-      if (room >= desired) {
-        if (room < minabove) {
-          minabove = room;
-          targabove = conn;
-        }
-      } else {
-        if (room > maxbelow) {
-          maxbelow = room;
-          targbelow = conn;
-        }
-      }
-    } else {
-      log_debug(conn, "offers 0 bytes (no steg)");
+  block_header(evbuffer *buf, ecb_decryptor &dc)
+  {
+    if (evbuffer_copyout(buf, ciphr, sizeof ciphr) != sizeof ciphr) {
+      memset(clear, 0xFF, sizeof clear);
+      memset(ciphr, 0xFF, sizeof ciphr);
+      return;
     }
+    dc.decrypt(clear, ciphr);
   }
-  /* If we have a connection that can take all the data, use it.
-     Otherwise, use the connection that can take as much of the data
-     as possible.  As a special case, if no connection can take data,
-     targbelow, targabove, maxbelow, and minabove will all still have
-     their initial values, so we'll return NULL and set blocksize to 0,
-     which callers know how to handle. */
-  if (targabove) {
-    *blocksize = minabove;
-    return targabove;
-  } else {
-    *blocksize = maxbelow;
-    return targbelow;
-  }
-}
-
-static int
-chop_send_block(chop_conn_t *dest,
-                chop_circuit_t *ckt,
-                struct evbuffer *source,
-                struct evbuffer *block,
-                uint16_t length,
-                uint16_t flags)
-{
-  chop_header hdr;
-  struct evbuffer_iovec v;
-  uint8_t *p;
-
-  log_assert(evbuffer_get_length(block) == 0);
-  log_assert(evbuffer_get_length(source) >= length);
-  log_assert(dest->steg);
-
-  /* We take special care not to modify 'source' if any step fails. */
-  if (evbuffer_reserve_space(block,
-                             length + CHOP_WIRE_HDR_LEN + GCM_TAG_LEN,
-                             &v, 1) != 1)
-    return -1;
-  if (v.iov_len < length + CHOP_WIRE_HDR_LEN + GCM_TAG_LEN)
-    goto fail;
-
-  v.iov_len = length + CHOP_WIRE_HDR_LEN + GCM_TAG_LEN;
-
-  hdr.ckt_id = ckt->circuit_id;
-  hdr.offset = ckt->send_offset;
-  hdr.length = length;
-  hdr.flags = flags;
-  rng_bytes(hdr.pkt_iv, 8);
-  chop_write_header((uint8_t*)v.iov_base, &hdr);
-
-  if (evbuffer_copyout(source, (uint8_t *)v.iov_base + CHOP_WIRE_HDR_LEN,
-                       length) != length)
-    goto fail;
-
-  p = (uint8_t *)v.iov_base;
-  ckt->send_crypt->encrypt(p + 16, p + 16, length + CHOP_WIRE_HDR_LEN - 16,
-                           p, 16);
-
-  if (evbuffer_commit_space(block, &v, 1))
-    goto fail;
-
-  if (dest->steg->transmit(block, dest))
-    goto fail_committed;
-
-  if (evbuffer_drain(source, length))
-    /* this really should never happen, and we can't recover from it */
-    log_abort(dest, "evbuffer_drain failed"); /* does not return */
-
-  /* Cancel the must-transmit timer if it's pending; we have transmitted. */
-  if (dest->must_transmit_timer)
-    evtimer_del(dest->must_transmit_timer);
-
-  if (!(flags & CHOP_F_CHAFF))
-    ckt->send_offset += length;
-  if (flags & CHOP_F_SYN)
-    ckt->sent_syn = true;
-  if (flags & CHOP_F_FIN)
-    ckt->sent_fin = true;
-  log_debug(dest, "sent %lu+%u byte block [flags %04hx]",
-            (unsigned long)CHOP_WIRE_HDR_LEN, length, flags);
-
-  return 0;
-
- fail:
-  v.iov_len = 0;
-  evbuffer_commit_space(block, &v, 1);
- fail_committed:
-  evbuffer_drain(block, evbuffer_get_length(block));
-  log_warn(dest, "allocation or buffer copy failed");
-
-  return -1;
-}
-
-static int
-chop_send_blocks(chop_circuit_t *ckt)
-{
-  struct evbuffer *xmit_pending = bufferevent_get_input(ckt->up_buffer);
-  struct evbuffer *block;
-  chop_conn_t *target;
-  size_t avail;
-  size_t blocksize;
-  uint16_t flags;
+  uint32_t seqno() const
+  {
+    return ((uint32_t(clear[0]) << 24) |
+            (uint32_t(clear[1]) << 16) |
+            (uint32_t(clear[2]) <<  8) |
+            (uint32_t(clear[3])      ));
-  if (!(block = evbuffer_new())) {
-    log_warn(ckt, "allocation failure");
-    return -1;
   }
-  for (;;) {
-    avail = evbuffer_get_length(xmit_pending);
-    flags = ckt->sent_syn ? 0 : CHOP_F_SYN;
-
-    log_debug(ckt, "%lu bytes to send", (unsigned long)avail);
-
-    if (avail == 0)
-      break;
-
-    target = chop_pick_connection(ckt, avail, &blocksize);
-    if (!target) {
-      log_debug(ckt, "no target connection available");
-      /* this is not an error; it can happen e.g. when the server has
-         something to send immediately and the client hasn't spoken yet */
-      break;
-    }
-
-    if (avail <= blocksize) {
-      blocksize = avail;
-      if (ckt->upstream_eof && !ckt->sent_fin)
-        flags |= CHOP_F_FIN;
-    }
-
-    if (chop_send_block(target, ckt, xmit_pending, block, blocksize, flags)) {
-      evbuffer_free(block);
-      return -1;
-    }
+  size_t dlen() const
+  {
+    return ((uint16_t(clear[4]) << 8) |
+            (uint16_t(clear[5])     ));
   }
-  evbuffer_free(block);
-  avail = evbuffer_get_length(xmit_pending);
-  if (avail)
-    log_debug(ckt, "%lu bytes still waiting to be sent", (unsigned long)avail);
-  return 0;
-}
-
-static int
-chop_send_targeted(chop_circuit_t *ckt, chop_conn_t *target, size_t blocksize)
-{
-  struct evbuffer *xmit_pending = bufferevent_get_input(ckt->up_buffer);
-  size_t avail = evbuffer_get_length(xmit_pending);
-  struct evbuffer *block = evbuffer_new();
-  uint16_t flags = 0;
-
-  log_debug(target, "%lu bytes available, %lu bytes room",
-            (unsigned long)avail, (unsigned long)blocksize);
-  if (!block) {
-    log_warn(target, "allocation failure");
-    return -1;
+  size_t plen() const
+  {
+    return ((uint16_t(clear[6]) << 8) |
+            (uint16_t(clear[7])     ));
   }
-  if (!ckt->sent_syn)
-    flags |= CHOP_F_SYN;
-
-  if (avail) {
-    if (avail <= blocksize) {
-      blocksize = avail;
-      if (ckt->upstream_eof && !ckt->sent_fin)
-        flags |= CHOP_F_FIN;
-    }
-
-
-    if (chop_send_block(target, ckt, xmit_pending, block, blocksize, flags)) {
-      evbuffer_free(block);
-      return -1;
-    }
-
-    evbuffer_free(block);
-    avail = evbuffer_get_length(xmit_pending);
-    if (avail)
-      log_debug(ckt, "%lu bytes still waiting to be sent",
-                (unsigned long)avail);
-    return 0;
-
-  } else {
-    struct evbuffer *chaff;
-    struct evbuffer_iovec v;
-
-    if (blocksize > CHOP_MAX_CHAFF)
-      blocksize = CHOP_MAX_CHAFF;
-
-    blocksize = rng_range(1, blocksize + 1);
-    log_debug(target, "generating %lu bytes chaff", (unsigned long)blocksize);
-
-    chaff = evbuffer_new();
-    if (!chaff ||
-        evbuffer_reserve_space(chaff, blocksize, &v, 1) != 1 ||
-        v.iov_len < blocksize)
-      goto fail;
-
-    v.iov_len = blocksize;
-    memset(v.iov_base, 0, v.iov_len);
-    if (evbuffer_commit_space(chaff, &v, 1))
-      goto fail;
-
-    flags |= CHOP_F_CHAFF;
-    if (ckt->upstream_eof && !ckt->sent_fin)
-      flags |= CHOP_F_FIN;
-    if (chop_send_block(target, ckt, chaff, block, blocksize, flags))
-      goto fail;
-
-    evbuffer_free(chaff);
-    evbuffer_free(block);
-    return 0;
-
-  fail:
-    log_warn(target, "failed to construct chaff block");
-    if (chaff) evbuffer_free(chaff);
-    if (block) evbuffer_free(block);
-    return -1;
+  size_t total_len() const
+  {
+    return HEADER_LEN + TRAILER_LEN + dlen() + plen();
   }
-}
-
-static int
-chop_send_chaff(chop_circuit_t *ckt)
-{
-  size_t room;
-  chop_conn_t *target = chop_pick_connection(ckt, 1, &room);
-  if (!target) {
-    /* If we have connections and we can't send, that means we're waiting
-       for the server to respond.  Just wait. */
-    return 0;
+  opcode_t opcode() const
+  {
+    return opcode_t(clear[8]);
   }
-  return chop_send_targeted(ckt, target, room);
-}
-
-static void
-must_transmit_timer_cb(evutil_socket_t, short, void *arg)
-{
-  chop_conn_t *conn = static_cast<chop_conn_t*>(arg);
-  size_t room;
-  if (!conn->upstream) {
-    log_debug(conn, "must transmit, but no circuit (stale connection)");
-    conn_do_flush(conn);
-    return;
+  bool valid(uint64_t window) const
+  {
+    // This check must run in constant time.
+    uint8_t ck = (clear[ 9] | clear[10] | clear[11] | clear[12] |
+                  clear[13] | clear[14] | clear[15]);
+    uint32_t delta = seqno() - window;
+    ck |= !!(delta & ~uint32_t(0xFF));
+    return !ck;
   }
-  if (!conn->steg) {
-    log_warn(conn, "must transmit, but no steg module available");
-    return;
-  }
-  room = conn->steg->transmit_room(conn);
-  if (room <= CHOP_BLOCK_OVERHD) {
-    log_warn(conn, "must transmit, but no transmit room");
-    return;
+  const uint8_t *nonce() const
+  {
+    return ciphr;
   }
-  log_debug(conn, "must transmit");
-  chop_send_targeted(conn->upstream, conn, room - CHOP_BLOCK_OVERHD);
-}
+  const uint8_t *cleartext() const
+  {
+    return clear;
+  }
+};
-/* Receive subroutines. */
+/* Most of a block's header information is processed before it reaches
+   the reassembly queue; the only things the queue needs to record are
+   the sequence number (which is stored implictly), the opcode, and an
+   evbuffer holding the data section.  Zero-data blocks still get an
+   evbuffer, for simplicity's sake: a reassembly queue element holds a
+   received block if and only if its data pointer is non-null.
-/* True if s < t (mod 2**32). */
-static inline bool
-mod32_lt(uint32_t s, uint32_t t)
-{
-  uint32_t d = t - s;
-  return 0 < d && d < 0x80000000u;
-}
+   The reassembly queue is a 256-element circular buffer of
+   'reassembly_elt' structs.  This corresponds to the 256-element
+   sliding window of sequence numbers which may legitimately be
+   received at any time.  */
-/* True if s <= t (mod 2**32). */
-static inline bool
-mod32_le(uint32_t s, uint32_t t)
+struct reassembly_elt
 {
-  uint32_t d = t - s;
-  return d < 0x80000000u;
-}
+  evbuffer *data;
+  opcode_t op;
+};
-/** Add BLOCK to the reassembly queue at the appropriate location
-    and merge adjacent blocks to the extent possible. */
-static int
-chop_reassemble_block(chop_circuit_t *ckt, struct evbuffer *block,
-                      chop_header *hdr)
+class reassembly_queue
 {
-  chop_reassembly_elt *queue = &ckt->reassembly_queue;
-  chop_reassembly_elt *p, *q;
-
-  if (hdr->flags & CHOP_F_CHAFF) {
-    /* Chaff goes on the reassembly queue if it carries any flags that
-       must be processed in sequence (SYN, FIN), but we throw away its
-       contents.  Doing all chaff-handling here simplifies the caller
-       at the expense of slightly more buffer-management overhead. */
-    if (!(hdr->flags & (CHOP_F_SYN|CHOP_F_FIN))) {
-      log_debug(ckt, "discarding chaff with no flags");
-      evbuffer_free(block);
-      return 0;
-    }
+  reassembly_elt cbuf[256];
+  uint32_t next_to_process;
-    hdr->length = 0;
-    evbuffer_drain(block, evbuffer_get_length(block));
-    log_debug(ckt, "chaff with flags, treating length as 0");
-  }
+  reassembly_queue(const reassembly_queue&) DELETE_METHOD;
+  reassembly_queue& operator=(const reassembly_queue&) DELETE_METHOD;
-  /* SYN must occur at offset zero, may not be duplicated, and if we
-     already have anything on the reassembly queue, it must come
-     logically after this block. */
-  if ((hdr->flags & CHOP_F_SYN) &&
-      (hdr->offset > 0 ||
-       (queue->next != queue &&
-        ((queue->next->flags & CHOP_F_SYN) ||
-         !mod32_le(hdr->offset + hdr->length, queue->next->offset))))) {
-    log_warn(ckt, "protocol error: inappropriate SYN block");
-    return -1;
+public:
+  reassembly_queue()
+    : next_to_process(0)
+  {
+    memset(cbuf, 0, sizeof cbuf);
   }
-  /* FIN may not be duplicated and must occur logically after everything
-     we've already received. */
-  if ((hdr->flags & CHOP_F_FIN) && queue->prev != queue &&
-      ((queue->prev->flags & CHOP_F_FIN) ||
-       !mod32_le(queue->prev->offset + queue->prev->length, hdr->offset))) {
-    log_warn(ckt, "protocol error: inappropriate FIN block");
-    return -1;
+  ~reassembly_queue()
+  {
+    for (int i = 0; i < 256; i++)
+      if (cbuf[i].data)
+        evbuffer_free(cbuf[i].data);
   }
-  /* Non-SYN/FIN must come after any SYN block presently in the queue
-     and before any FIN block presently in the queue. */
-  if (!(hdr->flags & (CHOP_F_SYN|CHOP_F_FIN)) && queue->next != queue &&
-      (((queue->next->flags & CHOP_F_SYN) &&
-        !mod32_le(queue->next->offset + queue->next->length, hdr->offset)) ||
-       ((queue->prev->flags & CHOP_F_FIN) &&
-        !mod32_le(hdr->offset + hdr->length, queue->prev->offset)))) {
-    log_warn(ckt, "protocol error: inappropriate normal block");
-    return -1;
+  // Remove the next block to be processed from the reassembly queue
+  // and return it.  If we are out of blocks or the next block to
+  // process has not yet arrived, return an empty reassembly_elt.
+  // Caller is responsible for freeing the evbuffer in the
+  // reassembly_elt, if any.
+  reassembly_elt
+  remove_next()
+  {
+    reassembly_elt rv = { 0, op_DAT };
+    uint8_t front = next_to_process & 0xFF;
+    if (cbuf[front].data) {
+      rv = cbuf[front];
+      cbuf[front].data = 0;
+      cbuf[front].op   = op_DAT;
+      next_to_process++;
+    }
+    return rv;
   }
-  for (p = queue->next; p != queue; p = p->next) {
-    /* Try first to merge the new block into an existing one. */
-    if (hdr->offset + hdr->length == p->offset)
-      goto grow_front;
-
-    if (hdr->offset == p->offset + p->length)
-      goto grow_back;
-
-    /* Does this block fit in between 'p->prev' and 'p'?
-       Note: if 'p->prev->data' is NULL, it is the sentinel,
-       and p->prev->offset is meaningless. */
-    if (mod32_lt(hdr->offset + hdr->length, p->offset)) {
-      if (!p->prev->data ||
-          mod32_lt(p->prev->offset + p->prev->length, hdr->offset))
-        break;
-
-      /* protocol error: this block goes before 'p' but does not fit
-         after 'p->prev' */
-      log_warn(ckt, "protocol error: %u byte block does not fit at offset %u",
-               hdr->length, hdr->offset);
-      return -1;
+  // Insert a block into the reassembly queue at sequence number
+  // SEQNO, with opcode OP and data section DATA.  Returns true if the
+  // block was successfully added to the queue, false if it is either
+  // outside the acceptable window or duplicates a block already on
+  // the queue (both of these cases indicate protocol errors).
+  // DATA is consumed no matter what the return value is.
+  bool
+  insert(uint32_t seqno, opcode_t op, evbuffer *data, conn_t *conn)
+  {
+    if (seqno - window() > 255) {
+      log_warn(conn, "block outside receive window");
+      evbuffer_free(data);
+      return false;
+    }
+    uint8_t front = next_to_process & 0xFF;
+    uint8_t pos = front + (seqno - window());
+    if (cbuf[pos].data) {
+      log_warn(conn, "duplicate block");
+      evbuffer_free(data);
+      return false;
     }
-  }
-  /* This block goes before, but does not merge with, 'p'.
-     Special case: if 'p' is the sentinel, we have not yet checked
-     that this block goes after the last block in the list (aka p->prev). */
-  if (!p->data && p->prev->data &&
-      !mod32_lt(p->prev->offset + p->prev->length, hdr->offset)) {
-    log_warn(ckt, "protocol error: %u byte block does not fit at offset %u "
-                "(sentinel case)",
-             hdr->length, hdr->offset);
-    return -1;
+    cbuf[pos].data = data;
+    cbuf[pos].op   = op;
+    return true;
   }
-  q = (chop_reassembly_elt *)xzalloc(sizeof(chop_reassembly_elt));
-  q->data = block;
-  q->offset = hdr->offset;
-  q->length = hdr->length;
-  q->flags = hdr->flags;
+  // Return the current lowest acceptable sequence number in the
+  // receive window. This is the value to be passed to
+  // block_header::valid().
+  uint32_t window() const { return next_to_process; }
-  q->prev = p->prev;
-  q->next = p;
-  q->prev->next = q;
-  q->next->prev = q;
-  return 0;
-
- grow_back:
-  if (evbuffer_add_buffer(p->data, block)) {
-    log_warn(ckt, "failed to append to existing buffer");
-    return -1;
-  }
-  evbuffer_free(block);
-  p->length += hdr->length;
-  p->flags |= hdr->flags;
-
-  /* Can we now combine 'p' with its successor? */
-  while (p->next->data && p->offset + p->length == p->next->offset) {
-    q = p->next;
-    if (evbuffer_add_buffer(p->data, q->data)) {
-      log_warn(ckt, "failed to merge buffers");
-      return -1;
+  // As the last step of a rekeying cycle, the expected next sequence number
+  // is reset to zero.
+  void reset()
+  {
+    for (int i = 0; i < 256; i++) {
+      log_assert(!cbuf[i].data);
     }
-    p->length += q->length;
-    p->flags |= q->flags;
-
-    evbuffer_free(q->data);
-    q->next->prev = q->prev;
-    q->prev->next = q->next;
-    free(q);
+    next_to_process = 0;
   }
-  return 0;
+};
- grow_front:
-  if (evbuffer_prepend_buffer(p->data, block)) {
-    log_warn(ckt, "failed to prepend to existing buffer");
-    return -1;
-  }
-  evbuffer_free(block);
-  p->length += hdr->length;
-  p->offset -= hdr->length;
-  p->flags |= hdr->flags;
-
-  /* Can we now combine 'p' with its predecessor? */
-  while (p->prev->data && p->offset == p->prev->offset + p->prev->length) {
-    q = p->prev;
-    if (evbuffer_prepend_buffer(p->data, q->data)) {
-      log_warn(ckt, "failed to merge buffers");
-      return -1;
-    }
-    p->length += q->length;
-    p->offset -= q->length;
-    p->flags |= q->flags;
-
-    evbuffer_free(q->data);
-    q->next->prev = q->prev;
-    q->prev->next = q->next;
-    free(q);
-  }
+// Protocol objects
-  return 0;
-}
+struct chop_config_t;
+struct chop_circuit_t;
-/* Flush as much data toward upstream as we can. */
-static int
-chop_push_to_upstream(chop_circuit_t *ckt)
-{
-  /* Only the first reassembly queue entry, if any, can possibly be
-     ready to flush (because chop_reassemble_block ensures that there
-     are gaps between all queue elements).  */
-  chop_reassembly_elt *ready = ckt->reassembly_queue.next;
-  if (!ready->data || ckt->recv_offset != ready->offset) {
-    log_debug(ckt, "no data pushable to upstream yet");
-    return 0;
-  }
+typedef unordered_map<uint32_t, chop_circuit_t *> chop_circuit_table;
-  if (!ckt->received_syn) {
-    if (!(ready->flags & CHOP_F_SYN)) {
-      log_debug(ckt, "waiting for SYN");
-      return 0;
-    }
-    log_debug(ckt, "processed SYN");
-    ckt->received_syn = true;
-  }
+struct chop_conn_t : conn_t
+{
+  chop_config_t *config;
+  chop_circuit_t *upstream;
+  steg_t *steg;
+  struct evbuffer *recv_pending;
+  struct event *must_send_timer;
+  bool sent_handshake : 1;
+  bool no_more_transmissions : 1;
+
+  CONN_DECLARE_METHODS(chop);
+
+  int recv_handshake();
+  int send(struct evbuffer *block);
+
+  void send();
+  bool must_send_p() const;
+  static void must_send_timeout(evutil_socket_t, short, void *arg);
+};
-  log_debug(ckt, "can push %lu bytes to upstream",
-            (unsigned long)evbuffer_get_length(ready->data));
-  if (evbuffer_add_buffer(bufferevent_get_output(ckt->up_buffer),
-                          ready->data)) {
-    log_warn(ckt, "failure pushing data to upstream");
-    return -1;
+struct chop_circuit_t : circuit_t
+{
+  reassembly_queue recv_queue;
+  unordered_set<chop_conn_t *> downstreams;
+  gcm_encryptor *send_crypt;
+  ecb_encryptor *send_hdr_crypt;
+  gcm_decryptor *recv_crypt;
+  ecb_decryptor *recv_hdr_crypt;
+  chop_config_t *config;
+
+  uint32_t circuit_id;
+  uint32_t send_seq;
+  uint32_t dead_cycles;
+  bool received_fin : 1;
+  bool sent_fin : 1;
+  bool upstream_eof : 1;
+
+  CIRCUIT_DECLARE_METHODS(chop);
+
+  // Shortcut some unnecessary conversions for callers within this file.
+  void add_downstream(chop_conn_t *conn);
+  void drop_downstream(chop_conn_t *conn);
+
+  int send_special(opcode_t f, struct evbuffer *payload);
+  int send_targeted(chop_conn_t *conn);
+  int send_targeted(chop_conn_t *conn, size_t blocksize);
+  int send_targeted(chop_conn_t *conn, size_t d, size_t p, opcode_t f,
+                    struct evbuffer *payload);
+
+  chop_conn_t *pick_connection(size_t desired, size_t *blocksize);
+
+  int process_queue();
+  int check_for_eof();
+
+  uint32_t axe_interval() {
+    // This function must always return a number which is larger than
+    // the maximum possible number that *our peer's* flush_interval()
+    // could have returned; otherwise, we might axe the connection when
+    // it was just that there was nothing to say for a while.
+    // For simplicity's sake, right now we hardwire this to be 30 minutes.
+    return 30 * 60 * 1000;
   }
-
-  ckt->dead_cycles = 0;
-  ckt->recv_offset += ready->length;
-
-  if (ready->flags & CHOP_F_FIN) {
-    log_assert(!ckt->received_fin);
-    log_assert(ready->next == &ckt->reassembly_queue);
-    ckt->received_fin = true;
-    log_debug(ckt, "processed FIN");
-    circuit_recv_eof(ckt);
+  uint32_t flush_interval() {
+    // 10*60*1000 lies between 2^19 and 2^20.
+    uint32_t shift = std::max(1u, std::min(19u, dead_cycles));
+    uint32_t xv = std::max(1u, std::min(10u * 60 * 1000, 1u << shift));
+    return rng_range_geom(20 * 60 * 1000, xv) + 100;
   }
+};
-  log_assert(ready->next == &ckt->reassembly_queue ||
-              ready->next->offset != ckt->recv_offset);
-  ready->next->prev = ready->prev;
-  ready->prev->next = ready->next;
-
-  evbuffer_free(ready->data);
-  free(ready);
-  return 0;
-}
-
-/* Circuit handling */
-
-static int
-chop_find_or_make_circuit(chop_conn_t *conn, uint64_t circuit_id)
+struct chop_config_t : config_t
 {
-  chop_circuit_table::value_type in(circuit_id, 0);
-  std::pair<chop_circuit_table::iterator, bool> out
-    = conn->config->circuits.insert(in);
-  chop_circuit_t *ck;
-
-  if (!out.second) { // element already exists
-    if (!out.first->second) {
-      log_debug(conn, "stale circuit");
-      return 0;
-    }
-    ck = out.first->second;
-    log_debug(conn, "found circuit to %s", ck->up_peer);
-  } else {
-    ck = dynamic_cast<chop_circuit_t *>(circuit_create(conn->config, 0));
-    if (!ck) {
-      log_warn(conn, "failed to create new circuit");
-      return -1;
-    }
-    if (circuit_open_upstream(ck)) {
-      log_warn(conn, "failed to begin upstream connection");
-      delete ck;
-      return -1;
-    }
-    log_debug(conn, "created new circuit to %s", ck->up_peer);
-    ck->circuit_id = circuit_id;
-    out.first->second = ck;
-  }
+  struct evutil_addrinfo *up_address;
+  vector<struct evutil_addrinfo *> down_addresses;
+  vector<const char *> steg_targets;
+  chop_circuit_table circuits;
-  ck->add_downstream(conn);
-  return 0;
-}
+  CONFIG_DECLARE_METHODS(chop);
+};
-/* Protocol methods */
+// Configuration methods
chop_config_t::chop_config_t()
 {
@@ -833,7 +390,7 @@ chop_config_t::~chop_config_t()
        i != down_addresses.end(); i++)
     evutil_freeaddrinfo(*i);
-  /* The strings in steg_targets are not on the heap. */
+  // The strings in steg_targets are not on the heap.
for (chop_circuit_table::iterator i = circuits.begin();
        i != circuits.end(); i++)
@@ -854,28 +411,28 @@ chop_config_t::init(int n_options, const char *const *options)
   }
if (!strcmp(options[0], "client")) {
-    defport = "48988"; /* bf5c */
-    this->mode = LSN_SIMPLE_CLIENT;
+    defport = "48988"; // bf5c
+    mode = LSN_SIMPLE_CLIENT;
     listen_up = 1;
   } else if (!strcmp(options[0], "socks")) {
-    defport = "23548"; /* 5bf5 */
-    this->mode = LSN_SOCKS_CLIENT;
+    defport = "23548"; // 5bf5
+    mode = LSN_SOCKS_CLIENT;
     listen_up = 1;
   } else if (!strcmp(options[0], "server")) {
-    defport = "11253"; /* 2bf5 */
-    this->mode = LSN_SIMPLE_SERVER;
+    defport = "11253"; // 2bf5
+    mode = LSN_SIMPLE_SERVER;
     listen_up = 0;
   } else
     goto usage;
-  this->up_address = resolve_address_port(options[1], 1, listen_up, defport);
-  if (!this->up_address) {
+  up_address = resolve_address_port(options[1], 1, listen_up, defport);
+  if (!up_address) {
     log_warn("chop: invalid up address: %s", options[1]);
     goto usage;
   }
-  /* From here on out, arguments alternate between downstream
-     addresses and steg targets. */
+  // From here on out, arguments alternate between downstream
+  // addresses and steg targets.
   for (i = 2; i < n_options; i++) {
     struct evutil_addrinfo *addr =
       resolve_address_port(options[i], 1, !listen_up, NULL);
@@ -883,7 +440,7 @@ chop_config_t::init(int n_options, const char *const *options)
       log_warn("chop: invalid down address: %s", options[i]);
       goto usage;
     }
-    this->down_addresses.push_back(addr);
+    down_addresses.push_back(addr);
i++;
     if (i == n_options) {
@@ -895,7 +452,7 @@ chop_config_t::init(int n_options, const char *const *options)
       log_warn("chop: steganographer '%s' not supported", options[i]);
       goto usage;
     }
-    this->steg_targets.push_back(options[i]);
+    steg_targets.push_back(options[i]);
   }
   return true;
@@ -917,12 +474,12 @@ chop_config_t::init(int n_options, const char *const *options)
 struct evutil_addrinfo *
 chop_config_t::get_listen_addrs(size_t n)
 {
-  if (this->mode == LSN_SIMPLE_SERVER) {
-    if (n < this->down_addresses.size())
-      return this->down_addresses[n];
+  if (mode == LSN_SIMPLE_SERVER) {
+    if (n < down_addresses.size())
+      return down_addresses[n];
   } else {
     if (n == 0)
-      return this->up_address;
+      return up_address;
   }
   return 0;
 }
@@ -930,58 +487,96 @@ chop_config_t::get_listen_addrs(size_t n)
 struct evutil_addrinfo *
 chop_config_t::get_target_addrs(size_t n)
 {
-  if (this->mode == LSN_SIMPLE_SERVER) {
+  if (mode == LSN_SIMPLE_SERVER) {
     if (n == 0)
-      return this->up_address;
+      return up_address;
   } else {
-    if (n < this->down_addresses.size())
-      return this->down_addresses[n];
+    if (n < down_addresses.size())
+      return down_addresses[n];
   }
   return NULL;
 }
+// Circuit methods
+
+const char passphrase[] =
+  "did you buy one of therapist reawaken chemists continually gamma pacifies?";
+
 circuit_t *
 chop_config_t::circuit_create(size_t)
 {
   chop_circuit_t *ckt = new chop_circuit_t;
   ckt->config = this;
-  if (this->mode == LSN_SIMPLE_SERVER) {
-    ckt->send_crypt = gcm_encryptor::create(s2c_key, 16);
-    ckt->recv_crypt = gcm_decryptor::create(c2s_key, 16);
-  } else {
-    ckt->send_crypt = gcm_encryptor::create(c2s_key, 16);
-    ckt->recv_crypt = gcm_decryptor::create(s2c_key, 16);
-    while (!ckt->circuit_id)
-      rng_bytes((uint8_t *)&ckt->circuit_id, sizeof(uint64_t));
-
-    chop_circuit_table::value_type in(ckt->circuit_id, 0);
-    std::pair<chop_circuit_table::iterator, bool> out = circuits.insert(in);
-    log_assert(out.second);
-    out.first->second = ckt;
-  }
-  return ckt;
-}
+  key_generator *kgen =
+    key_generator::from_passphrase((const uint8_t *)passphrase,
+                                   sizeof(passphrase) - 1,
+                                   0, 0, 0, 0);
+  uint8_t kbuf[16];
-chop_circuit_t::chop_circuit_t()
-{
-  this->reassembly_queue.next = &this->reassembly_queue;
-  this->reassembly_queue.prev = &this->reassembly_queue;
+  if (mode == LSN_SIMPLE_SERVER) {
+    log_assert(kgen->generate(kbuf, 16) == 16);
+    ckt->send_crypt = gcm_encryptor::create(kbuf, 16);
+
+    log_assert(kgen->generate(kbuf, 16) == 16);
+    ckt->send_hdr_crypt = ecb_encryptor::create(kbuf, 16);
+
+    log_assert(kgen->generate(kbuf, 16) == 16);
+    ckt->recv_crypt = gcm_decryptor::create(kbuf, 16);
+
+    log_assert(kgen->generate(kbuf, 16) == 16);
+    ckt->recv_hdr_crypt = ecb_decryptor::create(kbuf, 16);
+  } else {
+    log_assert(kgen->generate(kbuf, 16) == 16);
+    ckt->recv_crypt = gcm_decryptor::create(kbuf, 16);
+
+    log_assert(kgen->generate(kbuf, 16) == 16);
+    ckt->recv_hdr_crypt = ecb_decryptor::create(kbuf, 16);
+
+    log_assert(kgen->generate(kbuf, 16) == 16);
+    ckt->send_crypt = gcm_encryptor::create(kbuf, 16);
+
+    log_assert(kgen->generate(kbuf, 16) == 16);
+    ckt->send_hdr_crypt = ecb_encryptor::create(kbuf, 16);
+
+    std::pair<chop_circuit_table::iterator, bool> out;
+    do {
+      do {
+        rng_bytes((uint8_t *)&ckt->circuit_id, sizeof(ckt->circuit_id));
+      } while (!ckt->circuit_id);
+
+      out = circuits.insert(make_pair(ckt->circuit_id, (chop_circuit_t *)0));
+    } while (!out.second);
+
+    out.first->second = ckt;
+  }
+
+  memset(kbuf, 0, 16);
+  delete kgen;
+  return ckt;
 }
-chop_circuit_t::~chop_circuit_t()
+chop_circuit_t::chop_circuit_t()
 {
-  chop_reassembly_elt *p, *q, *queue;
-  chop_circuit_table::iterator out;
+}
-  log_debug(this, "syn%c%c fin%c%c eof%c ds=%lu",
-            sent_syn ? '+' : '-', received_syn ? '+' : '-',
-            sent_fin ? '+' : '-', received_fin ? '+' : '-',
-            upstream_eof ? '+' : '-',
-            (unsigned long)downstreams.size());
+chop_circuit_t::~chop_circuit_t()
+{
+  if (!sent_fin || !received_fin || !upstream_eof) {
+    log_warn(this, "destroying active circuit: fin%c%c eof%c ds=%lu",
+             sent_fin ? '+' : '-', received_fin ? '+' : '-',
+             upstream_eof ? '+' : '-',
+             (unsigned long)downstreams.size());
+#ifdef HAVE_EXECINFO_H
+    int n;
+    void *backtracebuf[256];
+    n = backtrace(backtracebuf, sizeof backtracebuf / sizeof(void*));
+    backtrace_symbols_fd(backtracebuf, n, 2);
+#endif
+  }
-  for (unordered_set<chop_conn_t *>::iterator i = this->downstreams.begin();
-       i != this->downstreams.end(); i++) {
+  for (unordered_set<chop_conn_t *>::iterator i = downstreams.begin();
+       i != downstreams.end(); i++) {
     chop_conn_t *conn = *i;
     conn->upstream = NULL;
     if (evbuffer_get_length(conn->outbound()) > 0)
@@ -990,28 +585,23 @@ chop_circuit_t::~chop_circuit_t()
       delete conn;
   }
-  delete this->send_crypt;
-  delete this->recv_crypt;
-
-  queue = &this->reassembly_queue;
-  for (q = p = queue->next; p != queue; p = q) {
-    q = p->next;
-    if (p->data)
-      evbuffer_free(p->data);
-    free(p);
-  }
-
-  /* The IDs for old circuits are preserved for a while (at present,
-     indefinitely; FIXME: purge them on a timer) against the
-     possibility that we'll get a junk connection for one of them
-     right after we close it (same deal as the TIME_WAIT state in
-     TCP).  Note that we can hit this case for the *client* if the
-     cover protocol includes a mandatory reply to every client
-     message and the hidden channel closed s->c before c->s: the
-     circuit will get destroyed on the client side after the c->s FIN,
-     and the mandatory reply will be to a stale circuit. */
-  out = this->config->circuits.find(this->circuit_id);
-  log_assert(out != this->config->circuits.end());
+  delete send_crypt;
+  delete send_hdr_crypt;
+  delete recv_crypt;
+  delete recv_hdr_crypt;
+
+  // The IDs for old circuits are preserved for a while (at present,
+  // indefinitely; FIXME: purge them on a timer) against the
+  // possibility that we'll get a junk connection for one of them
+  // right after we close it (same deal as the TIME_WAIT state in
+  // TCP).  Note that we can hit this case for the *client* if the
+  // cover protocol includes a mandatory reply to every client message
+  // and the hidden channel closed s->c before c->s: the circuit will
+  // get destroyed on the client side after the c->s FIN, and the
+  // mandatory reply will be to a stale circuit.
+  chop_circuit_table::iterator out;
+  out = config->circuits.find(circuit_id);
+  log_assert(out != config->circuits.end());
   log_assert(out->second == this);
   out->second = NULL;
 }
@@ -1019,69 +609,442 @@ chop_circuit_t::~chop_circuit_t()
 config_t *
 chop_circuit_t::cfg() const
 {
-  return this->config;
+  return config;
 }
void
-chop_circuit_t::add_downstream(conn_t *cn)
+chop_circuit_t::add_downstream(chop_conn_t *conn)
 {
-  chop_conn_t *conn = dynamic_cast<chop_conn_t *>(cn);
   log_assert(conn);
   log_assert(!conn->upstream);
-
   conn->upstream = this;
-  this->downstreams.insert(conn);
+  downstreams.insert(conn);
log_debug(this, "added connection <%d.%d> to %s, now %lu",
-            this->serial, conn->serial, conn->peername,
-            (unsigned long)this->downstreams.size());
+            serial, conn->serial, conn->peername,
+            (unsigned long)downstreams.size());
circuit_disarm_axe_timer(this);
 }
void
-chop_circuit_t::drop_downstream(conn_t *cn)
+chop_circuit_t::add_downstream(conn_t *cn)
+{
+  add_downstream(dynamic_cast<chop_conn_t *>(cn));
+}
+
+void
+chop_circuit_t::drop_downstream(chop_conn_t *conn)
 {
-  chop_conn_t *conn = dynamic_cast<chop_conn_t *>(cn);
   log_assert(conn);
   log_assert(conn->upstream == this);
conn->upstream = NULL;
-  this->downstreams.erase(conn);
+  downstreams.erase(conn);
log_debug(this, "dropped connection <%d.%d> to %s, now %lu",
-            this->serial, conn->serial, conn->peername,
-            (unsigned long)this->downstreams.size());
-  /* If that was the last connection on this circuit AND we've both
-     received and sent a FIN, close the circuit.  Otherwise, if we're
-     the server, arm a timer that will kill off this circuit in a
-     little while if no new connections happen (we might've lost all
-     our connections to protocol errors, or because the steg modules
-     wanted them closed); if we're the client, send chaff in a bit,
-     to enable further transmissions from the server. */
-  if (this->downstreams.empty()) {
-    if (this->sent_fin && this->received_fin) {
-      if (evbuffer_get_length(bufferevent_get_output(this->up_buffer)) > 0)
-        /* this may already have happened, but there's no harm in
-           doing it again */
+            serial, conn->serial, conn->peername,
+            (unsigned long)downstreams.size());
+  // If that was the last connection on this circuit AND we've both
+  // received and sent a FIN, close the circuit.  Otherwise, if we're
+  // the server, arm a timer that will kill off this circuit in a
+  // little while if no new connections happen (we might've lost all
+  // our connections to protocol errors, or because the steg modules
+  // wanted them closed); if we're the client, send chaff in a bit,
+  // to enable further transmissions from the server.
+  if (downstreams.empty()) {
+    if (sent_fin && received_fin) {
+      if (evbuffer_get_length(bufferevent_get_output(up_buffer)) > 0)
+        // this may already have happened, but there's no harm in
+        // doing it again
         circuit_do_flush(this);
       else
         delete this;
-    } else if (this->config->mode == LSN_SIMPLE_SERVER) {
-      circuit_arm_axe_timer(this, this->axe_interval());
+    } else if (config->mode == LSN_SIMPLE_SERVER) {
+      circuit_arm_axe_timer(this, axe_interval());
     } else {
-      circuit_arm_flush_timer(this, this->flush_interval());
+      circuit_arm_flush_timer(this, flush_interval());
+    }
+  }
+}
+
+void
+chop_circuit_t::drop_downstream(conn_t *cn)
+{
+  drop_downstream(dynamic_cast<chop_conn_t *>(cn));
+}
+
+int
+chop_circuit_t::send()
+{
+  circuit_disarm_flush_timer(this);
+
+  if (downstreams.empty()) {
+    // We have no connections, but we must send.  If we're the client,
+    // reopen our outbound connections; the on-connection event will
+    // bring us back here.  If we're the server, we have to just
+    // twiddle our thumbs and hope the client reconnects.
+    log_debug(this, "no downstream connections");
+    if (config->mode != LSN_SIMPLE_SERVER)
+      circuit_reopen_downstreams(this);
+    else
+      circuit_arm_axe_timer(this, axe_interval());
+    return 0;
+  }
+
+  struct evbuffer *xmit_pending = bufferevent_get_input(up_buffer);
+  size_t avail = evbuffer_get_length(xmit_pending);
+  size_t avail0 = avail;
+
+  // Send at least one block, even if there is no real data to send.
+  do {
+    log_debug(this, "%lu bytes to send", (unsigned long)avail);
+    size_t blocksize;
+    chop_conn_t *target = pick_connection(avail, &blocksize);
+    if (!target) {
+      // this is not an error; it can happen e.g. when the server has
+      // something to send immediately and the client hasn't spoken yet
+      log_debug(this, "no target connection available");
+      break;
+    }
+
+    if (send_targeted(target, blocksize))
+      return -1;
+
+    avail = evbuffer_get_length(xmit_pending);
+  } while (avail > 0);
+
+  if (avail0 > avail) // we transmitted some real data
+    dead_cycles = 0;
+  else {
+    dead_cycles++;
+    log_debug(this, "%u dead cycles", dead_cycles);
+  }
+
+  return check_for_eof();
+}
+
+int
+chop_circuit_t::send_eof()
+{
+  upstream_eof = true;
+  return send();
+}
+
+int
+chop_circuit_t::send_special(opcode_t f, struct evbuffer *payload)
+{
+  size_t d = payload ? evbuffer_get_length(payload) : 0;
+  size_t blocksize;
+  log_assert(d <= SECTION_LEN);
+  chop_conn_t *conn = pick_connection(d, &blocksize);
+
+  if (!conn || (blocksize - MIN_BLOCK_SIZE < d)) {
+    log_warn("no usable connection for special block "
+             "(opcode %02x, need %lu bytes, have %lu)",
+             (unsigned int)f, (unsigned long)(d + MIN_BLOCK_SIZE),
+             (unsigned long)blocksize);
+    return -1;
+  }
+
+  return send_targeted(conn, d, (blocksize - MIN_BLOCK_SIZE) - d, f, payload);
+}
+
+int
+chop_circuit_t::send_targeted(chop_conn_t *conn)
+{
+  size_t avail = evbuffer_get_length(bufferevent_get_input(up_buffer));
+  if (avail > SECTION_LEN)
+    avail = SECTION_LEN;
+  avail += MIN_BLOCK_SIZE;
+
+  size_t room = conn->steg->transmit_room(conn);
+  if (room < MIN_BLOCK_SIZE) {
+    log_warn(conn, "send() called without enough transmit room "
+             "(have %lu, need %lu)", (unsigned long)room,
+             (unsigned long)MIN_BLOCK_SIZE);
+    return -1;
+  }
+  log_debug(conn, "offers %lu bytes (%s)", (unsigned long)room,
+            conn->steg->name());
+
+  if (room < avail)
+    avail = room;
+
+  return send_targeted(conn, avail);
+}
+
+int
+chop_circuit_t::send_targeted(chop_conn_t *conn, size_t blocksize)
+{
+  log_assert(blocksize >= MIN_BLOCK_SIZE && blocksize <= MAX_BLOCK_SIZE);
+
+  struct evbuffer *xmit_pending = bufferevent_get_input(up_buffer);
+  size_t avail = evbuffer_get_length(xmit_pending);
+  opcode_t op = op_DAT;
+
+  if (avail > SECTION_LEN)
+    avail = SECTION_LEN;
+  else if (upstream_eof && !sent_fin)
+    // this block will carry the last byte of real data to be sent in
+    // this direction; mark it as such
+    op = op_FIN;
+
+  return send_targeted(conn, avail, (blocksize - MIN_BLOCK_SIZE) - avail,
+                       op, xmit_pending);
+}
+
+int
+chop_circuit_t::send_targeted(chop_conn_t *conn, size_t d, size_t p, opcode_t f,
+                              struct evbuffer *payload)
+{
+  log_assert(payload || d == 0);
+  log_assert(d <= SECTION_LEN);
+  log_assert(p <= SECTION_LEN);
+
+  struct evbuffer *block = evbuffer_new();
+  if (!block) {
+    log_warn(conn, "memory allocation failure");
+    return -1;
+  }
+
+  size_t blocksize = d + p + MIN_BLOCK_SIZE;
+  struct evbuffer_iovec v;
+  if (evbuffer_reserve_space(block, blocksize, &v, 1) != 1 ||
+      v.iov_len < blocksize) {
+    log_warn(conn, "memory allocation failure");
+    return -1;
+  }
+  v.iov_len = blocksize;
+
+  block_header hdr(send_seq, d, p, f, *send_hdr_crypt);
+  log_assert(hdr.valid(send_seq));
+  memcpy(v.iov_base, hdr.nonce(), HEADER_LEN);
+
+  uint8_t encodebuf[SECTION_LEN*2];
+  if (payload) {
+    if (evbuffer_copyout(payload, encodebuf, d) != (ssize_t)d) {
+      log_warn(conn, "failed to extract payload");
+      evbuffer_free(block);
+      return -1;
+    }
+  }
+  memset(encodebuf + d, 0, p);
+  send_crypt->encrypt((uint8_t *)v.iov_base + HEADER_LEN, encodebuf,
+                      d + p, hdr.nonce(), HEADER_LEN);
+  if (evbuffer_commit_space(block, &v, 1)) {
+    log_warn(conn, "failed to commit block buffer");
+    evbuffer_free(block);
+    return -1;
+  }
+
+  log_debug(conn, "transmitting block %u <d=%lu p=%lu f=%02x>",
+            hdr.seqno(), (unsigned long)hdr.dlen(), (unsigned long)hdr.plen(),
+            (uint8_t)hdr.opcode());
+
+  if (conn->send(block)) {
+    evbuffer_free(block);
+    return -1;
+  }
+
+  evbuffer_free(block);
+  evbuffer_drain(payload, d);
+
+  send_seq++;
+  if (f == op_FIN)
+    sent_fin = true;
+  return 0;
+}
+
+// N.B. 'desired' is the desired size of the _data section_, and
+// 'blocksize' on output is the size to make the _entire block_.
+chop_conn_t *
+chop_circuit_t::pick_connection(size_t desired, size_t *blocksize)
+{
+  size_t maxbelow = 0;
+  size_t minabove = MAX_BLOCK_SIZE + 1;
+  chop_conn_t *targbelow = 0;
+  chop_conn_t *targabove = 0;
+
+  if (desired > SECTION_LEN)
+    desired = SECTION_LEN;
+
+  desired += MIN_BLOCK_SIZE;
+
+  log_debug(this, "target block size %lu bytes", (unsigned long)desired);
+
+  // Find the best fit for the desired transmission from all the
+  // outbound connections' transmit rooms.
+  for (unordered_set<chop_conn_t *>::iterator i = downstreams.begin();
+       i != downstreams.end(); i++) {
+    chop_conn_t *conn = *i;
+    // We can only use candidates that have a steg target already.
+    if (conn->steg) {
+      // Find the connections whose transmit rooms are closest to the
+      // desired transmission length from both directions.
+      size_t room = conn->steg->transmit_room(conn);
+
+      if (room <= MIN_BLOCK_SIZE)
+	room = 0;
+
+      if (room > MAX_BLOCK_SIZE)
+        room = MAX_BLOCK_SIZE;
+
+      log_debug(conn, "offers %lu bytes (%s)", (unsigned long)room,
+                conn->steg->name());
+
+      if (room >= desired) {
+        if (room < minabove) {
+          minabove = room;
+          targabove = conn;
+        }
+      } else {
+        if (room > maxbelow) {
+          maxbelow = room;
+          targbelow = conn;
+        }
+      }
+    } else {
+      log_debug(conn, "offers 0 bytes (no steg)");
+    }
+  }
+
+  log_debug(this, "minabove %lu for <%u.%u> maxbelow %lu for <%u.%u>",
+            (unsigned long)minabove, serial, targabove ? targabove->serial :0,
+            (unsigned long)maxbelow, serial, targbelow ? targbelow->serial :0);
+
+  // If we have a connection that can take all the data, use it.
+  // Otherwise, use the connection that can take as much of the data
+  // as possible.  As a special case, if no connection can take data,
+  // targbelow, targabove, maxbelow, and minabove will all still have
+  // their initial values, so we'll return NULL and set blocksize to 0,
+  // which callers know how to handle.
+  if (targabove) {
+    *blocksize = desired;
+    return targabove;
+  } else {
+    *blocksize = maxbelow;
+    return targbelow;
+  }
+}
+
+int
+chop_circuit_t::process_queue()
+{
+  reassembly_elt blk;
+  unsigned int count = 0;
+  bool pending_fin = false;
+  bool pending_error = false;
+  bool sent_error = false;
+  while ((blk = recv_queue.remove_next()).data) {
+    switch (blk.op) {
+    case op_FIN:
+      if (received_fin) {
+        log_info(this, "protocol error: duplicate FIN");
+        pending_error = true;
+        break;
+      }
+      log_debug(this, "received FIN");
+      pending_fin = true;
+      // fall through - block may have data
+    case op_DAT:
+      if (evbuffer_get_length(blk.data)) {
+        if (received_fin) {
+          log_info(this, "protocol error: data after FIN");
+          pending_error = true;
+        } else {
+          if (evbuffer_add_buffer(bufferevent_get_output(up_buffer),
+                                  blk.data)) {
+            log_warn(this, "buffer transfer failure");
+            pending_error = true;
+          }
+        }
+      }
+      break;
+
+    case op_RST:
+      log_info(this, "received RST; disconnecting circuit");
+      circuit_recv_eof(this);
+      pending_error = true;
+      break;
+
+    case op_RK1:
+    case op_RK2:
+    case op_RK3:
+      log_warn(this, "rekeying not yet implemented");
+      pending_error = true;
+      break;
+
+    default:
+      log_warn(this, "protocol error: unknown block opcode %x",
+               (unsigned int)blk.op);
+      pending_error = true;
+      break;
+    }
+
+    evbuffer_free(blk.data);
+
+    if (pending_fin && !received_fin) {
+      circuit_recv_eof(this);
+      received_fin = true;
     }
+    if (pending_error && !sent_error) {
+      // there's no point sending an RST in response to an RST or a
+      // duplicate FIN
+      if (blk.op != op_RST && blk.op != op_FIN)
+        send_special(op_RST, 0);
+      sent_error = true;
+    }
+    count++;
   }
+
+  log_debug(this, "processed %u blocks", count);
+  if (count > 0)
+    dead_cycles = 0;
+  if (sent_error)
+    return -1;
+
+  // It may have become possible to send queued data or a FIN.
+  if (evbuffer_get_length(bufferevent_get_input(up_buffer))
+      || (upstream_eof && !sent_fin))
+    return send();
+
+  return check_for_eof();
 }
+int
+chop_circuit_t::check_for_eof()
+{
+  // If we're at EOF both ways, close all connections, sending first
+  // if necessary.
+  if (sent_fin && received_fin) {
+    circuit_disarm_flush_timer(this);
+    for (unordered_set<chop_conn_t *>::iterator i = downstreams.begin();
+         i != downstreams.end(); i++) {
+      chop_conn_t *conn = *i;
+      if (conn->must_send_p())
+        conn->send();
+      conn_send_eof(conn);
+    }
+  }
+  
+
+  // If we're the client we have to keep trying to talk as long as we
+  // haven't both sent and received a FIN, or we might deadlock.
+  else if (config->mode != LSN_SIMPLE_SERVER)
+    circuit_arm_flush_timer(this, flush_interval());
+
+  return 0;
+}
+
+// Connection methods
+
 conn_t *
 chop_config_t::conn_create(size_t index)
 {
   chop_conn_t *conn = new chop_conn_t;
   conn->config = this;
-  conn->steg = steg_new(this->steg_targets.at(index),
-                        this->mode != LSN_SIMPLE_SERVER);
+  conn->steg = steg_new(steg_targets.at(index), mode != LSN_SIMPLE_SERVER);
   if (!conn->steg) {
     free(conn);
     return 0;
@@ -1097,271 +1060,239 @@ chop_conn_t::chop_conn_t()
chop_conn_t::~chop_conn_t()
 {
-  if (this->upstream)
-    this->upstream->drop_downstream(this);
-  if (this->steg)
-    delete this->steg;
-  if (this->must_transmit_timer)
-    event_free(this->must_transmit_timer);
-  evbuffer_free(this->recv_pending);
+  if (upstream)
+    upstream->drop_downstream(this);
+  if (steg)
+    delete steg;
+  if (must_send_timer)
+    event_free(must_send_timer);
+  evbuffer_free(recv_pending);
 }
circuit_t *
 chop_conn_t::circuit() const
 {
-  return this->upstream;
+  return upstream;
 }
int
 chop_conn_t::maybe_open_upstream()
 {
-  /* We can't open the upstream until we have a circuit ID. */
+  // We can't open the upstream until we have a circuit ID.
+  return 0;
+}
+
+int
+chop_conn_t::send(struct evbuffer *block)
+{
+  if (!sent_handshake && config->mode != LSN_SIMPLE_SERVER) {
+    if (!upstream || upstream->circuit_id == 0)
+      log_abort(this, "handshake: can't happen: up%c cid=%u",
+                upstream ? '+' : '-',
+                upstream ? upstream->circuit_id : 0);
+    if (evbuffer_prepend(block, (void *)&upstream->circuit_id,
+                         sizeof(upstream->circuit_id))) {
+      log_warn(this, "failed to prepend handshake to first block");
+      return -1;
+    }
+  }
+
+  if (steg->transmit(block, this)) {
+    log_warn(this, "failed to transmit block");
+    return -1;
+  }
+  sent_handshake = true;
+  if (must_send_timer)
+    evtimer_del(must_send_timer);
   return 0;
 }
int
 chop_conn_t::handshake()
 {
-  /* Chop has no handshake as such, but like dsteg, we need to send
-     _something_ from the client on at least one of the channels
-     shortly after connection, because the server doesn't know which
-     connections go with which circuits till it hears from us, _and_
-     it doesn't know what steganography to use.  We use a 1ms timeout
-     instead of a 10ms timeout as in dsteg, because unlike there, the
-     server can't even _connect to its upstream_ till it gets the
-     first packet from the client. */
-  if (this->config->mode != LSN_SIMPLE_SERVER)
-    circuit_arm_flush_timer(this->upstream, 1);
+  // The actual handshake is generated in chop_conn_t::send so that it
+  // can be merged with a block if possible; however, we use this hook
+  // to ensure that the client sends _something_ ASAP after each new
+  // connection, because the server can't forward traffic, or even
+  // open a socket to its own upstream, until it knows which circuit
+  // to associate this new connection with.  Note that in some cases
+  // it's possible for us to have _already_ sent something on this
+  // connection by the time we get called back!  Don't do it twice.
+  if (config->mode != LSN_SIMPLE_SERVER && !sent_handshake)
+    send();
   return 0;
 }
int
-chop_circuit_t::send()
+chop_conn_t::recv_handshake()
 {
-  circuit_disarm_flush_timer(this);
+  log_assert(!upstream);
+  log_assert(config->mode == LSN_SIMPLE_SERVER);
-  if (this->downstreams.empty()) {
-    /* We have no connections, but we must send.  If we're the client,
-       reopen our outbound connections; the on-connection event will
-       bring us back here.  If we're the server, we have to just
-       twiddle our thumbs and hope the client reconnects. */
-    log_debug(this, "no downstream connections");
-    if (this->config->mode != LSN_SIMPLE_SERVER)
-      circuit_reopen_downstreams(this);
-    else
-      circuit_arm_axe_timer(this, this->axe_interval());
-    return 0;
-  }
+  uint32_t circuit_id;
+  if (evbuffer_remove(recv_pending, (void *)&circuit_id,
+                      sizeof circuit_id) != sizeof circuit_id)
+    return -1;
-  if (evbuffer_get_length(bufferevent_get_input(this->up_buffer)) == 0) {
-    /* must-send timer expired and we still have nothing to say; send chaff */
-    if (chop_send_chaff(this))
-      return -1;
-    this->dead_cycles++;
-    log_debug(this, "%u dead cycles", this->dead_cycles);
-  } else {
-    if (chop_send_blocks(this))
-      return -1;
-    this->dead_cycles = 0;
-  }
+  chop_circuit_table::value_type in(circuit_id, 0);
+  std::pair<chop_circuit_table::iterator, bool> out
+    = this->config->circuits.insert(in);
+  chop_circuit_t *ck;
-  /* If we're at EOF, close all connections (sending first if
-     necessary).  If we're the client we have to keep trying to talk
-     as long as we haven't both sent and received a FIN, or we might
-     deadlock. */
-  if (this->sent_fin && this->received_fin) {
-    for (unordered_set<chop_conn_t *>::iterator i = this->downstreams.begin();
-         i != this->downstreams.end(); i++) {
-      chop_conn_t *conn = *i;
-      if (conn->must_transmit_timer &&
-          evtimer_pending(conn->must_transmit_timer, NULL))
-        must_transmit_timer_cb(-1, 0, conn);
-      conn_send_eof(conn);
+  if (!out.second) { // element already exists
+    if (!out.first->second) {
+      log_debug(this, "stale circuit");
+      return 0;
     }
+    ck = out.first->second;
+    log_debug(this, "found circuit to %s", ck->up_peer);
   } else {
-    if (this->config->mode != LSN_SIMPLE_SERVER)
-      circuit_arm_flush_timer(this, this->flush_interval());
+    ck = dynamic_cast<chop_circuit_t *>(circuit_create(this->config, 0));
+    if (!ck) {
+      log_warn(this, "failed to create new circuit");
+      return -1;
+    }
+    if (circuit_open_upstream(ck)) {
+      log_warn(this, "failed to begin upstream connection");
+      delete ck;
+      return -1;
+    }
+    log_debug(this, "created new circuit to %s", ck->up_peer);
+    ck->circuit_id = circuit_id;
+    out.first->second = ck;
   }
-  return 0;
-}
-int
-chop_circuit_t::send_eof()
-{
-  this->upstream_eof = true;
-  return this->send();
+  ck->add_downstream(this);
+  return 0;
 }
int
 chop_conn_t::recv()
 {
-  chop_circuit_t *ckt;
-  chop_header hdr;
-  struct evbuffer *block;
-  size_t avail;
-  uint8_t decodebuf[CHOP_MAX_DATA + CHOP_WIRE_HDR_LEN];
-
-  if (this->steg->receive(this, this->recv_pending))
+  if (steg->receive(this, recv_pending))
     return -1;
-  if (!this->upstream) {
-    log_debug(this, "finding circuit");
-    if (chop_peek_circuit_id(this->recv_pending, &hdr)) {
-      log_debug(this, "not enough data to find circuit yet");
-      return 0;
-    }
-    if (chop_find_or_make_circuit(this, hdr.ckt_id))
+  if (!upstream) {
+    // Try to receive a handshake.
+    if (recv_handshake())
       return -1;
-    /* If we get here and this->circuit is not set, this is a connection
-       for a stale circuit: that is, a new connection made by the
-       client (to draw more data down from the server) that crossed
-       with a server-to-client FIN.  We can't decrypt the packet, but
-       it's either chaff or a protocol error; either way we can just
-       discard it.  Since we will never reply, call conn_do_flush so
-       the connection will be dropped as soon as we receive an EOF. */
-    if (!this->upstream) {
-      evbuffer_drain(this->recv_pending,
-                     evbuffer_get_length(this->recv_pending));
+
+    // If we get here and ->upstream is not set, this is a connection
+    // for a stale circuit: that is, a new connection made by the
+    // client (to draw more data down from the server) that crossed
+    // with a server-to-client FIN, the client-to-server FIN already
+    // having been received and processed.  We no longer have the keys
+    // to decrypt anything after the handshake, but it's either chaff
+    // or a protocol error.  Either way, we can just drop the
+    // connection, possibly sending a response if the cover protocol
+    // requires one.
+    if (!upstream) {
+      evbuffer_drain(recv_pending, evbuffer_get_length(recv_pending));
+      if (must_send_p())
+        send();
       conn_do_flush(this);
       return 0;
     }
   }
-  ckt = this->upstream;
-  log_debug(this, "circuit to %s", ckt->up_peer);
-
+  log_debug(this, "circuit to %s", upstream->up_peer);
   for (;;) {
-    avail = evbuffer_get_length(this->recv_pending);
+    size_t avail = evbuffer_get_length(recv_pending);
     if (avail == 0)
       break;
log_debug(this, "%lu bytes available", (unsigned long)avail);
-    if (avail < CHOP_WIRE_HDR_LEN) {
-      log_debug(this, "incomplete block");
+    if (avail < MIN_BLOCK_SIZE) {
+      log_debug(this, "incomplete block framing");
       break;
     }
-    if (chop_decrypt_header(ckt, this->recv_pending, &hdr))
+    block_header hdr(recv_pending, *upstream->recv_hdr_crypt);
+    if (!hdr.valid(upstream->recv_queue.window())) {
+      const uint8_t *c = hdr.cleartext();
+      log_warn(this, "invalid block header: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
+               c[0], c[1], c[2], c[3], c[4], c[5], c[6], c[7],
+               c[8], c[9], c[10], c[11], c[12], c[13], c[14], c[15]);
       return -1;
-
-    if (avail < CHOP_WIRE_HDR_LEN + GCM_TAG_LEN + hdr.length) {
+    }
+    if (avail < hdr.total_len()) {
       log_debug(this, "incomplete block (need %lu bytes)",
-                (unsigned long)(CHOP_WIRE_HDR_LEN + GCM_TAG_LEN + hdr.length));
+                (unsigned long)hdr.total_len());
       break;
     }
-    if (ckt->circuit_id != hdr.ckt_id) {
-      log_warn(this, "protocol error: circuit id mismatch");
-      return -1;
-    }
-
-    log_debug(this, "receiving block of %lu+%u bytes "
-                 "[offset %u flags %04hx]",
-                 (unsigned long)CHOP_WIRE_HDR_LEN + GCM_TAG_LEN,
-                 hdr.length, hdr.offset, hdr.flags);
-
-    if (evbuffer_copyout(this->recv_pending, decodebuf,
-                         CHOP_WIRE_HDR_LEN + GCM_TAG_LEN + hdr.length)
-        != (ssize_t)(CHOP_WIRE_HDR_LEN + GCM_TAG_LEN + hdr.length)) {
+    uint8_t decodebuf[MAX_BLOCK_SIZE];
+    if (evbuffer_drain(recv_pending, HEADER_LEN) ||
+        evbuffer_remove(recv_pending, decodebuf, hdr.total_len() - HEADER_LEN)
+        != (ssize_t)(hdr.total_len() - HEADER_LEN)) {
       log_warn(this, "failed to copy block to decode buffer");
       return -1;
     }
-    block = evbuffer_new();
-    if (!block || evbuffer_expand(block, hdr.length)) {
-      log_warn(this, "allocation failure");
+    if (upstream->recv_crypt->decrypt(decodebuf,
+                                      decodebuf, hdr.total_len() - HEADER_LEN,
+                                      hdr.nonce(), HEADER_LEN)) {
+      log_warn("MAC verification failure");
       return -1;
     }
-    if (ckt->recv_crypt
-        ->decrypt(decodebuf + 16, decodebuf + 16,
-                  hdr.length + CHOP_WIRE_HDR_LEN + GCM_TAG_LEN - 16,
-                  decodebuf, 16)) {
-      log_warn(this, "MAC verification failure");
-      evbuffer_free(block);
-      return -1;
-    }
-
-    if (evbuffer_add(block, decodebuf + CHOP_WIRE_HDR_LEN, hdr.length)) {
-      log_warn(this, "failed to transfer block to reassembly queue");
-      evbuffer_free(block);
-      return -1;
-    }
-
-    if (evbuffer_drain(this->recv_pending,
-                       CHOP_WIRE_HDR_LEN + GCM_TAG_LEN + hdr.length)) {
-      log_warn(this, "failed to consume block from wire");
-      evbuffer_free(block);
-      return -1;
-    }
+    log_debug(this, "receiving block %u <d=%lu p=%lu f=%u>",
+              hdr.seqno(), (unsigned long)hdr.dlen(), (unsigned long)hdr.plen(),
+              (unsigned int)hdr.opcode());
-    if (chop_reassemble_block(ckt, block, &hdr)) {
-      evbuffer_free(block);
+    evbuffer *data = evbuffer_new();
+    if (!data || (hdr.dlen() && evbuffer_add(data, decodebuf, hdr.dlen()))) {
+      log_warn(this, "failed to extract data from decode buffer");
+      evbuffer_free(data);
       return -1;
     }
-  }
-
-  if (chop_push_to_upstream(ckt))
-    return -1;
-  /* It may have now become possible to send queued data. */
-  if (evbuffer_get_length(bufferevent_get_input(ckt->up_buffer)))
-    ckt->send();
-
-  /* If we're at EOF, close all connections (sending first if
-     necessary).  If we're the client we have to keep trying to talk
-     as long as we haven't both sent and received a FIN, or we might
-     deadlock. */
-  else if (ckt->sent_fin && ckt->received_fin) {
-    circuit_disarm_flush_timer(ckt);
-    for (unordered_set<chop_conn_t *>::iterator i = ckt->downstreams.begin();
-         i != ckt->downstreams.end(); i++) {
-      chop_conn_t *conn = *i;
-      if (conn->must_transmit_timer &&
-          evtimer_pending(conn->must_transmit_timer, NULL))
-        must_transmit_timer_cb(-1, 0, conn);
-      conn_send_eof(conn);
-    }
-  } else {
-    if (ckt->config->mode != LSN_SIMPLE_SERVER)
-      circuit_arm_flush_timer(ckt, ckt->flush_interval());
+    if (!upstream->recv_queue.insert(hdr.seqno(), hdr.opcode(), data, this))
+      return -1; // insert() logs an error
   }
-  return 0;
+  return upstream->process_queue();
 }
int
 chop_conn_t::recv_eof()
 {
-  /* EOF on a _connection_ does not mean EOF on a _circuit_.
-     EOF on a _circuit_ occurs when chop_push_to_upstream processes a FIN.
-     We should only drop the connection from the circuit if we're no
-     longer sending in the opposite direction.  Also, we should not
-     drop the connection if its must-transmit timer is still pending.  */
-  if (this->upstream) {
-    chop_circuit_t *ckt = this->upstream;
-
-    if (evbuffer_get_length(this->inbound()) > 0)
-      if (this->recv())
-        return -1;
-
-    if ((ckt->sent_fin || this->no_more_transmissions) &&
-        (!this->must_transmit_timer ||
-         !evtimer_pending(this->must_transmit_timer, NULL)))
-      ckt->drop_downstream(this);
+  // Consume any not-yet-processed incoming data.  It's possible for
+  // us to get here before we've processed _any_ data -- including the
+  // handshake! -- from a new connection, so we have to do this before
+  // we look at ->upstream.  */
+  if (evbuffer_get_length(inbound()) > 0) {
+    if (recv())
+      return -1;
+    // If there's anything left in the buffer at this point, it's a
+    // protocol error.
+    if (evbuffer_get_length(inbound()) > 0)
+      return -1;
   }
+
+  // We should only drop the connection from the circuit if we're no
+  // longer sending covert data in the opposite direction _and_ the
+  // cover protocol does not need us to send a reply (i.e. the
+  // must_send_timer is not pending).
+  if (upstream && (upstream->sent_fin || no_more_transmissions) &&
+      !must_send_p())
+    upstream->drop_downstream(this);
+
   return 0;
 }
void
 chop_conn_t::expect_close()
 {
-  /* do we need to do something here? */
+  // We currently don't need to do anything here.
+  // FIXME: figure out if this hook is _ever_ useful, and if not, remove it.
 }
void
 chop_conn_t::cease_transmission()
 {
-  this->no_more_transmissions = true;
+  no_more_transmissions = true;
+  if (must_send_timer)
+    evtimer_del(must_send_timer);
   conn_do_flush(this);
 }
@@ -1370,13 +1301,97 @@ chop_conn_t::transmit_soon(unsigned long milliseconds)
 {
   struct timeval tv;
-  log_debug(this, "must transmit within %lu milliseconds", milliseconds);
+  log_debug(this, "must send within %lu milliseconds", milliseconds);
tv.tv_sec = milliseconds / 1000;
   tv.tv_usec = (milliseconds % 1000) * 1000;
-  if (!this->must_transmit_timer)
-    this->must_transmit_timer = evtimer_new(this->config->base,
-                                            must_transmit_timer_cb, this);
-  evtimer_add(this->must_transmit_timer, &tv);
+  if (!must_send_timer)
+    must_send_timer = evtimer_new(config->base, must_send_timeout, this);
+  evtimer_add(must_send_timer, &tv);
+}
+
+void
+chop_conn_t::send()
+{
+  if (must_send_timer)
+    evtimer_del(must_send_timer);
+
+  if (!steg) {
+    log_warn(this, "send() called with no steg module available");
+    conn_do_flush(this);
+    return;
+  }
+
+  // When this happens, we must send _even if_ we have no upstream to
+  // provide us with data.  For instance, to preserve the cover
+  // protocol, we must send an HTTP reply to each HTTP query that
+  // comes in for a stale circuit.
+  if (upstream) {
+    log_debug(this, "must send");
+    if (upstream->send_targeted(this))
+      conn_do_flush(this);
+
+  } else {
+    log_debug(this, "must send (no upstream)");
+
+    size_t room = steg->transmit_room(this);
+    if (room < MIN_BLOCK_SIZE) {
+      log_warn(this, "send() called without enough transmit room "
+               "(have %lu, need %lu)", (unsigned long)room,
+               (unsigned long)MIN_BLOCK_SIZE);
+      conn_do_flush(this);
+      return;
+    }
+
+    // Since we have no upstream, we can't encrypt anything; instead,
+    // generate random bytes and feed them straight to steg_transmit.
+    struct evbuffer *chaff = evbuffer_new();
+    struct evbuffer_iovec v;
+    if (!chaff || evbuffer_reserve_space(chaff, MIN_BLOCK_SIZE, &v, 1) != 1 ||
+        v.iov_len < MIN_BLOCK_SIZE) {
+      log_warn(this, "memory allocation failed");
+      if (chaff)
+        evbuffer_free(chaff);
+      conn_do_flush(this);
+      return;
+    }
+    v.iov_len = MIN_BLOCK_SIZE;
+    rng_bytes((uint8_t *)v.iov_base, MIN_BLOCK_SIZE);
+    if (evbuffer_commit_space(chaff, &v, 1)) {
+      log_warn(this, "evbuffer_commit_space failed");
+      if (chaff)
+        evbuffer_free(chaff);
+      conn_do_flush(this);
+      return;
+    }
+
+    if (steg->transmit(chaff, this))
+      conn_do_flush(this);
+
+    evbuffer_free(chaff);
+  }
+}
+
+bool
+chop_conn_t::must_send_p() const
+{
+  return must_send_timer && evtimer_pending(must_send_timer, 0);
+}
+
+/* static */ void
+chop_conn_t::must_send_timeout(evutil_socket_t, short, void *arg)
+{
+  static_cast<chop_conn_t *>(arg)->send();
 }
+
+} // anonymous namespace
+
+PROTO_DEFINE_MODULE(chop);
+
+// Local Variables:
+// mode: c++
+// c-basic-offset: 2
+// c-file-style: "gnu"
+// c-file-offsets: ((innamespace . 0) (brace-list-open . 0))
+// End:

    