Diffstat (limited to 'src')
-rw-r--r--src/tweetpipe.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/tweetpipe.c b/src/tweetpipe.c
index e369f70..768faaf 100644
--- a/src/tweetpipe.c
+++ b/src/tweetpipe.c
@@ -70,6 +70,7 @@ stream_encrypt(Context *ctx)
chunk_nonce + crypto_secretbox_NONCEBYTES - crypto_secretbox_BOXZEROBYTES;
unsigned char *const chunk_msg = chunk_base + crypto_secretbox_ZEROBYTES;
unsigned char nonce[crypto_secretbox_NONCEBYTES];
+ unsigned char chunk_key[crypto_secretbox_KEYBYTES];
uint64_t chunk_id;
ssize_t max_chunk_size;
ssize_t chunk_size;
@@ -109,6 +110,8 @@ stream_encrypt(Context *ctx)
memzero(chunk_nonce, crypto_secretbox_NONCEBYTES - crypto_secretbox_BOXZEROBYTES +
crypto_secretbox_ZEROBYTES);
randombytes(nonce, crypto_secretbox_NONCEBYTES);
+ crypto_kdf(chunk_key, crypto_secretbox_KEYBYTES, chunk_id, (unsigned char *) "tweetkey",
+ ctx->key, crypto_secretbox_KEYBYTES);
/*
* encrypt with crypto_secretbox()
*
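Review bot: The result of `crypto_kdf()` is discarded at the added call, so if derivation can fail, `crypto_secretbox()` would run with whatever the uninitialised `chunk_key` stack buffer holds. Its prototype is not visible on this page; if it returns a status, check it the same way the secretbox call below is checked, i.e. wrap the call as `if (crypto_kdf(/* same arguments */) != 0) { die(0, "Key derivation error"); }`. The matching call added in stream_decrypt has the same gap. stream_encrypt's body starts and ends outside this hunk.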
@@ -118,7 +121,7 @@ stream_encrypt(Context *ctx)
* | 4 | 8 | 16 | 16 | chunk_size
*/
if (crypto_secretbox(chunk_base, chunk_base, chunk_size + crypto_secretbox_ZEROBYTES, nonce,
- ctx->key) != 0) {
+ chunk_key) != 0) {
die(0, "Encryption error");
}
/*
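Review bot: `chunk_key` is key material derived from `ctx->key`, and none of the eight lines this commit adds clears it after `crypto_secretbox()` returns, so each per-chunk key stays on the stack until something else overwrites it. Adding `memzero(chunk_key, sizeof chunk_key);` right after the call would limit that exposure; `memzero` is the helper already used on `chunk_nonce` in this function, and this assumes it is written so the compiler cannot elide it. The `chunk_key` in stream_decrypt needs the same wipe after `crypto_secretbox_open()`. The end of stream_encrypt is outside the hunk.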
@@ -156,6 +159,7 @@ stream_decrypt(Context *ctx)
chunk_nonce + crypto_secretbox_NONCEBYTES - crypto_secretbox_BOXZEROBYTES;
unsigned char *const chunk_msg = chunk_base + crypto_secretbox_ZEROBYTES;
unsigned char nonce[crypto_secretbox_NONCEBYTES];
+ unsigned char chunk_key[crypto_secretbox_KEYBYTES];
uint64_t chunk_id;
ssize_t readnb;
ssize_t max_chunk_size;
@@ -181,8 +185,10 @@ stream_decrypt(Context *ctx)
}
memcpy(nonce, chunk_nonce, crypto_secretbox_NONCEBYTES);
memzero(chunk_nonce, crypto_secretbox_NONCEBYTES);
+ crypto_kdf(chunk_key, crypto_secretbox_KEYBYTES, chunk_id, (unsigned char *) "tweetkey",
+ ctx->key, crypto_secretbox_KEYBYTES);
if (crypto_secretbox_open(chunk_base, chunk_base, chunk_size + crypto_secretbox_ZEROBYTES,
- nonce, ctx->key) != 0) {
+ nonce, chunk_key) != 0) {
printf("Unable to decrypt chunk #%" PRIu64 " - ", chunk_id);
if (chunk_id == 0) {
die(0, "Wrong password or key?");
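Review bot: The added `crypto_kdf()` call derives the decryption key from `chunk_id` before the chunk has been authenticated, and the hunk does not show where `chunk_id` comes from. If it is a locally maintained counter, a reordered or dropped chunk derives the wrong key and fails `crypto_secretbox_open()`. If it is instead read from the stream, this change gives no ordering guarantee, and an explicit comparison against the expected counter is still needed. A comment above the call such as `/* chunk_id is the expected local counter, not a value taken from the input */` would record which case holds. stream_decrypt's body continues outside the hunk.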