-rw-r--r--node/EllipticCurveKey.hpp1
-rw-r--r--node/EllipticCurveKeyPair.cpp20
-rw-r--r--node/EllipticCurveKeyPair.hpp2
3 files changed, 19 insertions, 4 deletions
diff --git a/node/EllipticCurveKey.hpp b/node/EllipticCurveKey.hpp
index 5a7b895f..cc666104 100644
--- a/node/EllipticCurveKey.hpp
+++ b/node/EllipticCurveKey.hpp
@@ -65,6 +65,7 @@ public:
throw() :
_bytes(0)
{
+ memset(_key,0,sizeof(_key));
}
EllipticCurveKey(const void *data,unsigned int len)
diff --git a/node/EllipticCurveKeyPair.cpp b/node/EllipticCurveKeyPair.cpp
index bed0725e..66acf320 100644
--- a/node/EllipticCurveKeyPair.cpp
+++ b/node/EllipticCurveKeyPair.cpp
@@ -55,7 +55,20 @@ public:
};
static _EC_Group ZT_EC_GROUP;
-/* Key derivation function */
+/**
+ * Key derivation function
+ *
+ * TODO:
+ * If/when we document the protocol, this will have to be documented as
+ * well. It's a fairly standard KDF that uses SHA-256 to transform the
+ * raw EC key. It's generally considered good crypto practice to do this
+ * to eliminate the possibility of leaking information from EC exchange to
+ * downstream algorithms.
+ *
+ * In our code it is used to produce a two 32-bit keys. One key is used
+ * for Salsa20 and the other for HMAC-SHA-256. They are generated together
+ * as a single 64-bit key.
+ */
static void *_zt_EC_KDF(const void *in,size_t inlen,void *out,size_t *outlen)
{
SHA256_CTX sha;
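Review bot: The sizes in the new header comment look wrong by a factor of eight: `two 32-bit keys` and `a single 64-bit key` almost certainly mean bytes, since SHA-256 produces 32 bytes and Salsa20 takes a 256-bit key, with an HMAC-SHA-256 key of the same size making the 64-byte total. If that reading is right, the sentences should read `In our code it is used to produce two 32-byte (256-bit) keys. One key is used for Salsa20 and the other for HMAC-SHA-256. They are generated together as a single 64-byte key.` Because this comment is the only description of the KDF until the protocol is documented, a reviewer reading "64-bit key" could reasonably conclude the scheme is weak, so the correction is worth making in this commit. _zt_EC_KDF's body continues outside the hunk.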
@@ -130,9 +143,8 @@ bool EllipticCurveKeyPair::generate()
fread(tmp,sizeof(tmp),1,rf);
fclose(rf);
} else {
- fprintf(stderr,"WARNING: cannot open /dev/urandom\n");
- for(unsigned int i=0;i<sizeof(tmp);++i)
- tmp[i] = (unsigned char)(rand() >> 3);
+ fprintf(stderr,"FATAL: could not open /dev/urandom\n");
+ exit(-1);
}
RAND_seed(tmp,sizeof(tmp));
#else
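Review bot: The `fread(tmp,sizeof(tmp),1,rf)` call just above the new branch still ignores its return value, so the commit makes an open failure fatal but a short read from /dev/urandom still falls through to `RAND_seed` with whatever tmp held before (presumably uninitialized stack bytes, if tmp is declared without an initializer outside the hunk). Handle it in the same style as the new code: `if (fread(tmp,sizeof(tmp),1,rf) != 1) { fprintf(stderr,"FATAL: short read from /dev/urandom\n"); exit(-1); }`. As a point of style, `exit(-1)` reaches the shell as status 255; `exit(EXIT_FAILURE)` states the intent directly. The enclosing generate() starts and ends outside the hunk.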
diff --git a/node/EllipticCurveKeyPair.hpp b/node/EllipticCurveKeyPair.hpp
index 2649f4c4..dbe08cc9 100644
--- a/node/EllipticCurveKeyPair.hpp
+++ b/node/EllipticCurveKeyPair.hpp
@@ -35,6 +35,8 @@ namespace ZeroTier {
/**
* An elliptic curve key pair supporting generation and key agreement
+ *
+ * This is basically OpenSSL libcrypto glue.
*/
class EllipticCurveKeyPair
{