Don't send tags for invitation connections.

briar-core/src/org/briarproject/invitation/AliceConnector.java

@@ -133,11 +133,11 @@ class AliceConnector extends Connector {
 		int maxFrameLength = conn.getReader().getMaxFrameLength();
 		StreamReader streamReader =
 				streamReaderFactory.createInvitationStreamReader(in,
-						maxFrameLength, secret, false);
+						maxFrameLength, secret, false); // Bob's stream
 		r = readerFactory.createReader(streamReader.getInputStream());
 		StreamWriter streamWriter =
 				streamWriterFactory.createInvitationStreamWriter(out,
-						maxFrameLength, secret, true);
+						maxFrameLength, secret, true); // Alice's stream
 		w = writerFactory.createWriter(streamWriter.getOutputStream());
 		// Derive the invitation nonces
 		byte[][] nonces = crypto.deriveInvitationNonces(secret);

briar-core/src/org/briarproject/invitation/BobConnector.java

@@ -133,11 +133,11 @@ class BobConnector extends Connector {
 		int maxFrameLength = conn.getReader().getMaxFrameLength();
 		StreamReader streamReader =
 				streamReaderFactory.createInvitationStreamReader(in,
-						maxFrameLength, secret, true);
+						maxFrameLength, secret, true); // Alice's stream
 		r = readerFactory.createReader(streamReader.getInputStream());
 		StreamWriter streamWriter =
 				streamWriterFactory.createInvitationStreamWriter(out,
-						maxFrameLength, secret, false);
+						maxFrameLength, secret, false); // Bob's stream
 		w = writerFactory.createWriter(streamWriter.getOutputStream());
 		// Derive the nonces
 		byte[][] nonces = crypto.deriveInvitationNonces(secret);

briar-core/src/org/briarproject/transport/OutgoingEncryptionLayer.java

@@ -35,7 +35,7 @@ class OutgoingEncryptionLayer implements FrameWriter {
 		aad = new byte[AAD_LENGTH];
 		ciphertext = new byte[frameLength];
 		frameNumber = 0;
-		writeTag = true;
+		writeTag = (tag != null);
 	}
 
 	public void writeFrame(byte[] frame, int payloadLength, boolean finalFrame)

briar-core/src/org/briarproject/transport/StreamWriterFactoryImpl.java

@@ -38,13 +38,9 @@ class StreamWriterFactoryImpl implements StreamWriterFactory {
 
 	public StreamWriter createInvitationStreamWriter(OutputStream out,
 			int maxFrameLength, byte[] secret, boolean alice) {
-		byte[] tag = new byte[TAG_LENGTH];
-		SecretKey tagKey = crypto.deriveTagKey(secret, alice);
-		crypto.encodeTag(tag, tagKey, 0);
-		tagKey.erase();
 		SecretKey frameKey = crypto.deriveFrameKey(secret, 0, alice);
 		FrameWriter frameWriter = new OutgoingEncryptionLayer(out,
-				crypto.getFrameCipher(), frameKey, maxFrameLength, tag);
+				crypto.getFrameCipher(), frameKey, maxFrameLength, null);
 		return new StreamWriterImpl(frameWriter, maxFrameLength);
 	}
 }

briar-tests/src/org/briarproject/transport/OutgoingEncryptionLayerTest.java

@@ -7,6 +7,7 @@ import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH;
 import static org.briarproject.api.transport.TransportConstants.TAG_LENGTH;
 
 import java.io.ByteArrayOutputStream;
+import java.util.Random;
 
 import org.briarproject.BriarTestCase;
 import org.briarproject.TestLifecycleModule;
@@ -28,18 +29,42 @@ public class OutgoingEncryptionLayerTest extends BriarTestCase {
 
 	private final CryptoComponent crypto;
 	private final AuthenticatedCipher frameCipher;
-	private final byte[] tag;
 
 	public OutgoingEncryptionLayerTest() {
 		Injector i = Guice.createInjector(new CryptoModule(),
 				new TestLifecycleModule(), new TestSystemModule());
 		crypto = i.getInstance(CryptoComponent.class);
 		frameCipher = crypto.getFrameCipher();
-		tag = new byte[TAG_LENGTH];
 	}
 
 	@Test
-	public void testEncryption() throws Exception {
+	public void testEncryptionWithoutTag() throws Exception {
+		int payloadLength = 123;
+		byte[] iv = new byte[IV_LENGTH], aad = new byte[AAD_LENGTH];
+		byte[] plaintext = new byte[FRAME_LENGTH - MAC_LENGTH];
+		byte[] ciphertext = new byte[FRAME_LENGTH];
+		SecretKey frameKey = crypto.generateSecretKey();
+		// Calculate the expected ciphertext
+		FrameEncoder.encodeIv(iv, 0);
+		FrameEncoder.encodeAad(aad, 0, plaintext.length);
+		frameCipher.init(true, frameKey, iv, aad);
+		FrameEncoder.encodeHeader(plaintext, false, payloadLength);
+		frameCipher.doFinal(plaintext, 0, plaintext.length, ciphertext, 0);
+		// Check that the actual ciphertext matches what's expected
+		ByteArrayOutputStream out = new ByteArrayOutputStream();
+		OutgoingEncryptionLayer o = new OutgoingEncryptionLayer(out,
+				frameCipher, frameKey, FRAME_LENGTH, null);
+		o.writeFrame(new byte[FRAME_LENGTH - MAC_LENGTH], payloadLength, false);
+		byte[] actual = out.toByteArray();
+		assertEquals(FRAME_LENGTH, actual.length);
+		for(int i = 0; i < FRAME_LENGTH; i++)
+			assertEquals(ciphertext[i], actual[i]);
+	}
+
+	@Test
+	public void testEncryptionWithTag() throws Exception {
+		byte[] tag = new byte[TAG_LENGTH];
+		new Random().nextBytes(tag);
 		int payloadLength = 123;
 		byte[] iv = new byte[IV_LENGTH], aad = new byte[AAD_LENGTH];
 		byte[] plaintext = new byte[FRAME_LENGTH - MAC_LENGTH];
@@ -59,13 +84,14 @@ public class OutgoingEncryptionLayerTest extends BriarTestCase {
 		byte[] actual = out.toByteArray();
 		assertEquals(TAG_LENGTH + FRAME_LENGTH, actual.length);
 		for(int i = 0; i < TAG_LENGTH; i++) assertEquals(tag[i], actual[i]);
-		for(int i = 0; i < FRAME_LENGTH; i++) {
-			assertEquals("" + i, ciphertext[i], actual[TAG_LENGTH + i]);
-		}
+		for(int i = 0; i < FRAME_LENGTH; i++)
+			assertEquals(ciphertext[i], actual[TAG_LENGTH + i]);
 	}
 
 	@Test
 	public void testCloseConnectionWithoutWriting() throws Exception {
+		byte[] tag = new byte[TAG_LENGTH];
+		new Random().nextBytes(tag);
 		ByteArrayOutputStream out = new ByteArrayOutputStream();
 		// Initiator's constructor
 		OutgoingEncryptionLayer o = new OutgoingEncryptionLayer(out,