Code review follows. If you prefer I can fix things myself, but since you didthe first draft I figure I should give you the option. :-)
Can't do that -- it would break backwards compatibility. (I don't know if
anyone is running with -f on one endpoint and not on the other, and if they
are it's probably a mistake... but we still have to avoid any possibility
that upgrading to a newer version of spiped will turn a working setup into
a non-working setup.)
Let's add a new option instead:
-g Require perfect forward secrecy by dropping connections if the
other host is using the -f option.
This is wrong. We need to detect 1; we don't need to detect 0. (A validly
> + * is_zero_or_one(x, len):
> + * Returns non-zero if the big-endian value stored at (${x}, ${len}) is equal
> + * to either 0 or 1.
signed 0 implies that someone who has the shared key is not following the
protocol, in which case we've already lost.)