From 803f74634a7e88e4e2781e4b8df7afeda3d968be Mon Sep 17 00:00:00 2001
From: Adam Ierymenko <adam.ierymenko@gmail.com>
Date: Mon, 6 Feb 2017 07:39:38 -0800
Subject: Tweak how we do crypto of the masked portions of HELLO just to be
 more "boring" in the DJB sense.

---
 node/Packet.hpp | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

(limited to 'node/Packet.hpp')

diff --git a/node/Packet.hpp b/node/Packet.hpp
index 4859dafd..b736b84a 100644
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@@ -1353,16 +1353,18 @@ public:
 	/**
 	 * Encrypt/decrypt a separately armored portion of a packet
 	 *
-	 * This keys using the same key in the same way as armor/dearmor, but
-	 * uses a different IV computed from the packet's IV plus the starting
-	 * point index.
-	 *
 	 * This currently uses Salsa20/12, but any message that uses this should
-	 * incorporate a cipher selector to permit this to be changed later.
+	 * incorporate a cipher selector to permit this to be changed later. To
+	 * ensure that key stream is not reused, the key is slightly altered for
+	 * this use case and the same initial 32 keystream bytes that are taken
+	 * for MAC in ordinary armor() are also skipped here.
 	 *
 	 * This is currently only used to mask portions of HELLO as an extra
 	 * security precation since most of that message is sent in the clear.
 	 *
+	 * This must NEVER be used more than once in the same packet, as doing
+	 * so will result in re-use of the same key stream.
+	 *
 	 * @param key 32-byte key
 	 * @param start Start of encrypted portion
 	 * @param len Length of encrypted portion
-- 
cgit v1.2.3