ratchet after nonces, this will help prevent leaking the shared key...

PROTOCOL.md

@@ -29,6 +29,8 @@ respondent:
 send_enc(<16 bytes random data>)	# nonce injection
 send_mac(8)
 
+ratchet()	# prevent backtracking
+
 initiator:
 send_enc('confirm')
 send_mac(8)

comms.c

@@ -74,6 +74,9 @@ comms_process(struct comms_state *cs, struct pktbuf pbin, struct pktbuf *pbout)
 		ret = strobe_put(&cs->cs_state, APP_CIPHERTEXT, buf,
 		    CHALLENGE_LEN);
 		ret += strobe_put(&cs->cs_state, MAC, NULL, MAC_LEN);
+
+		strobe_operate(&cs->cs_state, RATCHET, NULL, 32);
+
 		cs->cs_comm_state = COMMS_WAIT_CONFIRM;
 		break;
 

lora.py

@@ -35,6 +35,8 @@ class LORANode(object):
 		self.st.recv_enc(resp[:16])
 		self.st.recv_mac(resp[16:])
 
+		self.st.ratchet()
+
 		resp = await self.sd.sendtillrecv(
 		    self.st.send_enc(b'confirm') + self.st.send_mac(8), 1)
 
@@ -190,6 +192,8 @@ class TestLORANode(unittest.IsolatedAsyncioTestCase):
 				await self.put(l.send_enc(os.urandom(16)) +
 				    l.send_mac(8))
 
+				l.ratchet()
+
 				r = await self.get()
 				c = l.recv_enc(r[:-8])
 				l.recv_mac(r[-8:])