authorYawning Angel <yawning@schwanenlied.me>2014-06-02 17:50:01 +0000
committerYawning Angel <yawning@schwanenlied.me>2014-06-02 17:50:01 +0000
commit5bdc376e2abaf5ac87816b763f5b26e314ee9536 (patch)
tree8746291873e187d7783116a2c9758bab23da5eb1 /drbg/hash_drbg.go
parent5cb3369e200c72aa23c3f86816cb854c35cc95cb (diff)
Change how the length obfsucation mask is derived.
Instead of using the nonce for the secret box, just use SipHash-2-4 in OFB mode instead. The IV is generated as part of the KDF. This simplifies the code a decent amount and also is better on the off chance that SipHash-2-4 does not avalanche as well as it is currently assumed. While here, also decouple the fact that *this implementation* of obfs4 uses a PRNG with 24 bytes of internal state for protocol polymorphism instead of 32 bytes (that the spec requires). THIS CHANGE BREAKS WIRE PROTOCOL COMPATIBILITY.
Diffstat (limited to 'drbg/hash_drbg.go')
-rw-r--r--drbg/hash_drbg.go12
1 files changed, 7 insertions, 5 deletions
diff --git a/drbg/hash_drbg.go b/drbg/hash_drbg.go
index 13cc188..7186fd0 100644
--- a/drbg/hash_drbg.go
+++ b/drbg/hash_drbg.go
@@ -44,10 +44,10 @@ import (
const Size = siphash.Size
// SeedLength is the length of the HashDrbg seed.
-const SeedLength = 32
+const SeedLength = 16 + Size
// Seed is the initial state for a HashDrbg. It consists of a SipHash-2-4
-// key, and 16 bytes of initial data.
+// key, and 8 bytes of initial data.
type Seed [SeedLength]byte
// Bytes returns a pointer to the raw HashDrbg seed.
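Review bot: The rewritten comment on the Seed type hard-codes "8 bytes of initial data" while the SeedLength constant two lines above derives that figure from Size, so the prose and the constant can drift apart if siphash.Size were ever to differ from 8. Tying the comment to the constant keeps them in step: `// Seed is the initial state for a HashDrbg. It consists of a SipHash-2-4` / `// key (16 bytes), and Size bytes of initial data.` Since the commit message says this change breaks wire-protocol compatibility, it would also help future readers if the SeedLength comment said that the value is protocol-visible, e.g. `// SeedLength is the length of the HashDrbg seed (SipHash-2-4 key + Size bytes of initial state); it is part of the wire protocol.`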
@@ -71,9 +71,10 @@ func NewSeed() (seed *Seed, err error) {
return
}
-// SeedFromBytes creates a Seed from the raw bytes.
+// SeedFromBytes creates a Seed from the raw bytes, truncating to SeedLength as
+// appropriate.
func SeedFromBytes(src []byte) (seed *Seed, err error) {
- if len(src) != SeedLength {
+ if len(src) < SeedLength {
return nil, InvalidSeedLengthError(len(src))
}
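Review bot: The relaxed check now admits any src of SeedLength bytes or more, but the new doc comment's "truncating to SeedLength as appropriate" does not tell callers that everything past SeedLength is silently discarded, which matters because the commit message says spec-conformant 32-byte seeds are larger than this implementation's seed; the same wording is used on SeedFromBase64 in the next hunk and should be tightened there as well. A more precise comment: `// SeedFromBytes creates a Seed from the first SeedLength bytes of src. src must` / `// be at least SeedLength bytes long; any trailing bytes are ignored.` With the comparison changed to `<`, InvalidSeedLengthError is now only returned for inputs that are too short, so its own doc comment (outside this hunk) may need the same adjustment. The copy that performs the truncation is below the hunk, so whether it copies exactly SeedLength bytes cannot be confirmed from here; the body of SeedFromBytes continues outside the hunk.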
@@ -83,7 +84,8 @@ func SeedFromBytes(src []byte) (seed *Seed, err error) {
return
}
-// SeedFromBase64 creates a Seed from the Base64 representation.
+// SeedFromBase64 creates a Seed from the Base64 representation, truncating to
+// SeedLength as appropriate.
func SeedFromBase64(encoded string) (seed *Seed, err error) {
var raw []byte
raw, err = base64.StdEncoding.DecodeString(encoded)