rust/loro-websocket-client/src/lib.rs:1045-1138
- The %ELO client sets the IV to [0u8; 12] in both encode_elo_snapshot_container and the live
subscribe_local_update hook. Every encrypted record therefore repeats the same AES-GCM nonce under the
same key.
- protocol-e2ee.md mandates 96-bit unique IVs and warns against reuse; violating that lets an attacker
recover XORs of plaintexts and eventually the key.
- Fix: Plug in a CSPRNG (e.g. rand::rngs::OsRng) or a durable per-key counter to emit fresh IVs, and keep
embedding the 12-byte IV in the record header so receivers can decrypt.
rust/loro-websocket-client/src/lib.rs:1045-1138
subscribe_local_update hook. Every encrypted record therefore repeats the same AES-GCM nonce under the
same key.
recover XORs of plaintexts and eventually the key.
embedding the 12-byte IV in the record header so receivers can decrypt.