From 5a0def61d647f2cbb402cf3caf26ca8e82373431 Mon Sep 17 00:00:00 2001
From: John-Mark Gurney
Date: Tue, 27 Apr 2021 22:21:04 -0700
Subject: [PATCH] ratchet after nonces, this will help prevent leaking the shared key...
---
 PROTOCOL.md | 2 ++
 comms.c | 3 +++
 lora.py | 4 ++++
 3 files changed, 9 insertions(+)
diff --git a/PROTOCOL.md b/PROTOCOL.md
index 6094ab3..d34bf65 100644
--- a/PROTOCOL.md
+++ b/PROTOCOL.md
@@ -29,6 +29,8 @@ respondent: send_enc(<16 bytes random data>) # nonce injection send_mac(8)
+ratchet() # prevent backtracking
+
 initiator: send_enc('confirm') send_mac(8)
diff --git a/comms.c b/comms.c
index 2ae25a8..614d0dd 100644
--- a/comms.c
+++ b/comms.c
@@ -74,6 +74,9 @@ comms_process(struct comms_state *cs, struct pktbuf pbin, struct pktbuf *pbout)
 ret = strobe_put(&cs->cs_state, APP_CIPHERTEXT, buf, CHALLENGE_LEN);
 ret += strobe_put(&cs->cs_state, MAC, NULL, MAC_LEN);
+
+ strobe_operate(&cs->cs_state, RATCHET, NULL, 32);
+
 cs->cs_comm_state = COMMS_WAIT_CONFIRM;
 break;
diff --git a/lora.py b/lora.py
index f34bfa7..2a2e045 100644
--- a/lora.py
+++ b/lora.py
@@ -35,6 +35,8 @@ class LORANode(object):
 self.st.recv_enc(resp[:16])
 self.st.recv_mac(resp[16:])
+ self.st.ratchet()
+
 resp = await self.sd.sendtillrecv( self.st.send_enc(b'confirm') + self.st.send_mac(8), 1)
@@ -190,6 +192,8 @@ class TestLORANode(unittest.IsolatedAsyncioTestCase):
 await self.put(l.send_enc(os.urandom(16)) + l.send_mac(8))
+ l.ratchet()
+
 r = await self.get()
 c = l.recv_enc(r[:-8])
 l.recv_mac(r[-8:])
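Review bot: The result of the new `strobe_operate(&cs->cs_state, RATCHET, NULL, 32)` call in the comms.c hunk is discarded, although the two `strobe_put` calls directly above it accumulate theirs into `ret`; if the ratchet can fail, the handler still advances to `COMMS_WAIT_CONFIRM` with a state the peer no longer shares. It should be checked the same way the rest of `comms_process` treats `ret`, which happens outside this hunk. The literal `32` must also equal whatever length the argument-less `ratchet()` calls in both lora.py hunks apply, and PROTOCOL.md gives no length, so a mismatch would surface only as a MAC failure on `confirm`. A named constant such as `#define RATCHET_LEN 32`, with a comment pointing at the Python side, would make that coupling explicit.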
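Review bot: The added `self.st.ratchet()` in the first lora.py hunk carries no comment, although its position between verifying the respondent's MAC and sending `confirm` is exactly what the protocol relies on. A line above it such as `# ratchet after the nonce exchange to prevent backtracking; must mirror the RATCHET in comms.c` would keep a later refactor from moving or dropping it on one side only. The enclosing method starts and ends outside the hunk, so it cannot be confirmed from here that `recv_mac` aborts on a bad tag before the ratchet runs.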