From 803f74634a7e88e4e2781e4b8df7afeda3d968be Mon Sep 17 00:00:00 2001
From: Adam Ierymenko <adam.ierymenko@gmail.com>
Date: Mon, 6 Feb 2017 07:39:38 -0800
Subject: Tweak how we do crypto of the masked portions of HELLO just to be
 more "boring" in the DJB sense.

---
 node/Packet.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'node/Packet.cpp')

diff --git a/node/Packet.cpp b/node/Packet.cpp
index a1bb3132..e685bcaa 100644
--- a/node/Packet.cpp
+++ b/node/Packet.cpp
@@ -2026,9 +2026,11 @@ bool Packet::dearmor(const void *key)
 void Packet::cryptField(const void *key,unsigned int start,unsigned int len)
 {
 	unsigned char mangledKey[32];
-    uint64_t iv = Utils::hton((uint64_t)start ^ at<uint64_t>(ZT_PACKET_IDX_IV));
+	unsigned char macKey[32];
 	_salsa20MangleKey((const unsigned char *)key,mangledKey);
-	Salsa20 s20(mangledKey,256,&iv);
+    mangledKey[0] ^= 1; // slightly alter key for this use case as an added guard against key stream reuse
+	Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8));
+	s20.crypt12(ZERO_KEY,macKey,sizeof(macKey)); // discard the first 32 bytes of key stream (the ones use for MAC in armor()) as a precaution
     unsigned char *const ptr = field(start,len);
     s20.crypt12(ptr,ptr,len);
 }
-- 
cgit v1.2.3