
Tweak how we do crypto of the masked portions of HELLO just to be more "boring" in the DJB sense.

Adam Ierymenko, 8 years ago
commit 803f74634a
2 changed files with 11 additions and 7 deletions:
  1. node/Packet.cpp (+4 -2)
  2. node/Packet.hpp (+7 -5)

+ 4 - 2
node/Packet.cpp

@@ -2026,9 +2026,11 @@ bool Packet::dearmor(const void *key)
 void Packet::cryptField(const void *key,unsigned int start,unsigned int len)
 void Packet::cryptField(const void *key,unsigned int start,unsigned int len)
 {
 {
 	unsigned char mangledKey[32];
 	unsigned char mangledKey[32];
-    uint64_t iv = Utils::hton((uint64_t)start ^ at<uint64_t>(ZT_PACKET_IDX_IV));
+	unsigned char macKey[32];
 	_salsa20MangleKey((const unsigned char *)key,mangledKey);
 	_salsa20MangleKey((const unsigned char *)key,mangledKey);
-	Salsa20 s20(mangledKey,256,&iv);
+    mangledKey[0] ^= 1; // slightly alter key for this use case as an added guard against key stream reuse
+	Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8));
+	s20.crypt12(ZERO_KEY,macKey,sizeof(macKey)); // discard the first 32 bytes of key stream (the ones use for MAC in armor()) as a precaution
     unsigned char *const ptr = field(start,len);
     unsigned char *const ptr = field(start,len);
     s20.crypt12(ptr,ptr,len);
     s20.crypt12(ptr,ptr,len);
 }
 }
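Review bot: dropping the old per-field nonce (`start ^ packet IV`) in favour of the raw packet IV at `Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8))` means two cryptField() calls on the same packet with different start offsets now produce the same keystream; the old derivation made that case safe by construction, the new code only makes it safe by the rule added to the header, so consider a comment at this line pointing at that constraint (or an assertion at the call site) rather than leaving the invariant to the .hpp alone. Two smaller points in the same hunk: `macKey` is a misleading name for a buffer whose only purpose is to absorb the 32 discarded keystream bytes (since ZERO_KEY is all zeros, it ends up holding raw keystream on the stack and is never used), so rename it to something like `discard` and consider wiping it; and the comment should read "the ones used for MAC in armor()". Also, the added line `mangledKey[0] ^= 1;` and the `ptr` lines are indented with spaces while the rest of the function uses tabs. Note that the one-bit key change on its own already yields a Salsa20 keystream unrelated to the one armor() draws for this packet, so the 32-byte skip is a second, independent guard; worth saying so in the comment so a later reader does not assume both are required for correctness.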

+ 7 - 5
node/Packet.hpp

@@ -1353,16 +1353,18 @@ public:
 	/**
 	/**
 	 * Encrypt/decrypt a separately armored portion of a packet
 	 * Encrypt/decrypt a separately armored portion of a packet
 	 *
 	 *
-	 * This keys using the same key in the same way as armor/dearmor, but
-	 * uses a different IV computed from the packet's IV plus the starting
-	 * point index.
-	 *
 	 * This currently uses Salsa20/12, but any message that uses this should
 	 * This currently uses Salsa20/12, but any message that uses this should
-	 * incorporate a cipher selector to permit this to be changed later.
+	 * incorporate a cipher selector to permit this to be changed later. To
+	 * ensure that key stream is not reused, the key is slightly altered for
+	 * this use case and the same initial 32 keystream bytes that are taken
+	 * for MAC in ordinary armor() are also skipped here.
 	 *
 	 *
 	 * This is currently only used to mask portions of HELLO as an extra
 	 * This is currently only used to mask portions of HELLO as an extra
 	 * security precation since most of that message is sent in the clear.
 	 * security precation since most of that message is sent in the clear.
 	 *
 	 *
+	 * This must NEVER be used more than once in the same packet, as doing
+	 * so will result in re-use of the same key stream.
+	 *
 	 * @param key 32-byte key
 	 * @param key 32-byte key
 	 * @param start Start of encrypted portion
 	 * @param start Start of encrypted portion
 	 * @param len Length of encrypted portion
 	 * @param len Length of encrypted portion
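Review bot: the new text says the key is "slightly altered" but not how, and the deleted paragraph about deriving the IV from the packet IV plus the start index has no replacement stating the new behaviour (the packet IV is used directly as the nonce); spell both out, e.g. "the first byte of the mangled key is XORed with 1 and the packet's own 8-byte IV is used as the nonce", so the "must NEVER be used more than once in the same packet" rule is understandable from the header alone and its reason (same key, same nonce, same keystream) is explicit. It is also worth adding that uniqueness across packets rests on the same per-packet IV uniqueness that armor() already depends on. While editing this block, the context lines still carry the typo "precation" (precaution).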