From 75ea05aef617acfb23d186bbafa30083fd672076 Mon Sep 17 00:00:00 2001
From: Olaoluwa Osuntokun
Date: Mon, 14 Nov 2016 15:10:48 -0800
Subject: [PATCH] brontide: the encrypted packet length is no longer the associated data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit modifies the current implementation to more closely match what’s currently specified within the spec. The encrypted+MAC’d packet length is no longer included as the associated data for the encryption/decryption of transport messages. This isn’t required as if an active attacker swaps out the encrypted length in the byte string, the decryption+MAC check will simply fail as the nonce won’t be in proper sequence.
---
 brontide/noise.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/brontide/noise.go b/brontide/noise.go
index 243c80f1..b78ba63e 100644
--- a/brontide/noise.go
+++ b/brontide/noise.go
@@ -330,6 +330,8 @@ func NewBrontideMachine(initiator bool, localPub *btcec.PrivateKey,
 return &BrontideMachine{handshakeState: handshake}
 }
 
+// TODO(roasbeef): add version bytes, paramterize in constructor above
+
 const (
 // ActOneSize is the size of the packet sent from initiator to
 // responder in ActOne. The packet consists of an ephemeral key in
@@ -613,10 +615,10 @@ func (b *BrontideMachine) WriteMessage(w io.Writer, p []byte) error {
 return err
 }
 
- // Next, write out the encrypted packet itself. We use the encrypted
- // packet length above as the AD to the cipher in order to bind both
- // messages together thwarting an active attack.
- cipherText := b.sendCipher.Encrypt(cipherLen, nil, p)
+ // Finally, write out the encrypted packet itself. We only write out a
+ // single packet, as any fragmentation should have taken place at a
+ // higher level.
+ cipherText := b.sendCipher.Encrypt(nil, nil, p)
 if _, err := w.Write(cipherText); err != nil {
 return err
 }
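Review bot: The replacement comment above `b.sendCipher.Encrypt(nil, nil, p)` no longer says why the body is sealed with no associated data, and the same gap is left in the ReadMessage hunk, where the old comment on the `Decrypt` call is deleted without a successor. The rationale now lives only in the commit message; a line at both call sites such as `// No associated data: the length header is encrypted and MAC'd on its own, so header and body are tied together only by the nonce sequence.` would keep it next to the code. The new comment also assumes fragmentation happened at a higher level; WriteMessage begins outside this hunk, so if nothing earlier in the function rejects a payload too large for the length prefix, that assumption deserves a guard or at least a sentence in the doc comment.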
@@ -646,7 +648,5 @@ func (b *BrontideMachine) ReadMessage(r io.Reader) ([]byte, error) {
 return nil, err
 }
 
- // Finally, return the decrypted packet ensuring that the encrypted
- // packet length is authenticated along with the packet itself.
- return b.recvCipher.Decrypt(cipherLen[:], nil, ciperText)
+ return b.recvCipher.Decrypt(nil, nil, ciperText)
 }
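Review bot: No test covers the property the commit message relies on once `cipherLen[:]` stops being passed to `b.recvCipher.Decrypt` on the last line of ReadMessage, namely that a modified or substituted length header still makes the read fail. The diffstat touches only brontide/noise.go, so a regression test seems worth adding: write two messages through WriteMessage into a buffer, change one byte of the first encrypted length header, and assert that ReadMessage returns an error and no plaintext. The argument also depends on a failed header decrypt being terminal for the connection, which cannot be confirmed here because ReadMessage starts outside the hunk; if callers may keep reading after that error, the function's doc comment should say the stream must be closed, for example `// Any error from ReadMessage is fatal: the cipher nonces are out of step and the connection must be closed.`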