use distinct tag for key and nonce for sequence watermarking

xiaokangwang · xiaokangwang · commit 7ffb36eec9b8 · 2025-11-20T19:55:41.000Z
diff --git a/transport/internet/tlsmirror/mirrorcrypto/derive_key.go b/transport/internet/tlsmirror/mirrorcrypto/derive_key.go
@@ -62,12 +62,12 @@ func DeriveSequenceWatermarkingKey(primaryKey, clientRandom, serverRandom []byte
 	combined := append(primaryKey, clientRandom...) // nolint: gocritic
 	combined = append(combined, serverRandom...)
 
-	encryptionKey, err := hkdf.Expand(sha256.New, combined, "v2ray-xv64FXUU-GxMn8UYz-bTy6UDeE:tlsmirror-sequence-watermark"+tag, 32)
+	encryptionKey, err := hkdf.Expand(sha256.New, combined, "v2ray-xv64FXUU-GxMn8UYz-bTy6UDeE:tlsmirror-sequence-watermark-encryption"+tag, 32)
 	if err != nil {
 		return nil, nil, newError("unable to derive encryption key").Base(err)
 	}
 
-	nonceMask, err := hkdf.Expand(sha256.New, combined, "v2ray-xv64FXUU-GxMn8UYz-bTy6UDeE:tlsmirror-sequence-watermark"+tag, 24)
+	nonceMask, err := hkdf.Expand(sha256.New, combined, "v2ray-xv64FXUU-GxMn8UYz-bTy6UDeE:tlsmirror-sequence-watermark-noncemask"+tag, 24)
 	if err != nil {
 		return nil, nil, newError("unable to derive nonce mask").Base(err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -62,12 +62,12 @@ func DeriveSequenceWatermarkingKey(primaryKey, clientRandom, serverRandom []byte`
`62`	`62`	`combined := append(primaryKey, clientRandom...) // nolint: gocritic`
`63`	`63`	`combined = append(combined, serverRandom...)`
`64`	`64`
`65`		`- encryptionKey, err := hkdf.Expand(sha256.New, combined, "v2ray-xv64FXUU-GxMn8UYz-bTy6UDeE:tlsmirror-sequence-watermark"+tag, 32)`
	`65`	`+ encryptionKey, err := hkdf.Expand(sha256.New, combined, "v2ray-xv64FXUU-GxMn8UYz-bTy6UDeE:tlsmirror-sequence-watermark-encryption"+tag, 32)`
`66`	`66`	`if err != nil {`
`67`	`67`	`return nil, nil, newError("unable to derive encryption key").Base(err)`
`68`	`68`	`}`
`69`	`69`
`70`		`- nonceMask, err := hkdf.Expand(sha256.New, combined, "v2ray-xv64FXUU-GxMn8UYz-bTy6UDeE:tlsmirror-sequence-watermark"+tag, 24)`
	`70`	`+ nonceMask, err := hkdf.Expand(sha256.New, combined, "v2ray-xv64FXUU-GxMn8UYz-bTy6UDeE:tlsmirror-sequence-watermark-noncemask"+tag, 24)`
`71`	`71`	`if err != nil {`
`72`	`72`	`return nil, nil, newError("unable to derive nonce mask").Base(err)`
`73`	`73`	`}`