Fixed #6 - Message padding uses random length

Ne0nd0g · Jan 10, 2022 · ca37729 · ca37729
1 parent 01e6a92
commit ca37729
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 9 deletions.
diff --git a/clients/http/http.go b/clients/http/http.go
@@ -24,6 +24,7 @@ import (
 	"crypto/tls"
 	"encoding/gob"
 	"fmt"
+	"math/rand"
 	"net"
 	"net/http"
 	"net/url"
@@ -313,7 +314,9 @@ func (client *Client) SendMerlinMessage(m messages.Base) (messages.Base, error)
 	cli.Message(cli.NOTE, fmt.Sprintf("Sending %s message to %s", messages.String(m.Type), client.URL[client.currentURL]))
 
 	// Set the message padding
-	m.Padding = core.RandStringBytesMaskImprSrc(client.PaddingMax)
+	if client.PaddingMax > 0 {
+		m.Padding = core.RandStringBytesMaskImprSrc(rand.Intn(client.PaddingMax))
+	}
 
 	var returnMessage messages.Base
 

diff --git a/clients/http/opaque.go b/clients/http/opaque.go
@@ -21,6 +21,7 @@ import (
 	// Standard
 	"crypto/sha256"
 	"fmt"
+	"math/rand"
 
 	// Merlin
 	"github.com/Ne0nd0g/merlin/pkg/core"
@@ -74,11 +75,13 @@ func (client *Client) opaqueRegister() error {
 	cli.Message(cli.NOTE, "Starting OPAQUE Registration")
 
 	msg := messages.Base{
-		ID:      client.AgentID,
-		Type:    messages.OPAQUE,
-		Padding: core.RandStringBytesMaskImprSrc(client.PaddingMax),
+		ID:   client.AgentID,
+		Type: messages.OPAQUE,
 	}
 
+	if client.PaddingMax > 0 {
+		msg.Padding = core.RandStringBytesMaskImprSrc(rand.Intn(client.PaddingMax))
+	}
 	// Set the Agent's JWT to be self-generated
 	var err error
 	client.JWT, err = client.getJWT()
@@ -120,7 +123,10 @@ func (client *Client) opaqueRegister() error {
 	}
 	// Send OPAQUE RegComplete to the server
 	cli.Message(cli.DEBUG, "Sending OPAQUE RegComplete message")
-	msg.Padding = core.RandStringBytesMaskImprSrc(client.PaddingMax)
+	if client.PaddingMax > 0 {
+		msg.Padding = core.RandStringBytesMaskImprSrc(rand.Intn(client.PaddingMax))
+	}
+
 	msg, err = client.SendMerlinMessage(msg)
 	if err != nil {
 		return fmt.Errorf("there was an error sending the OPAQUE User Registration Complete message to the server:\r\n%s", err)
@@ -147,9 +153,11 @@ func (client *Client) opaqueAuthenticate() (messages.Base, error) {
 	cli.Message(cli.NOTE, "Starting OPAQUE Authentication")
 
 	msg := messages.Base{
-		ID:      client.AgentID,
-		Type:    messages.OPAQUE,
-		Padding: core.RandStringBytesMaskImprSrc(client.PaddingMax),
+		ID:   client.AgentID,
+		Type: messages.OPAQUE,
+	}
+	if client.PaddingMax > 0 {
+		msg.Padding = core.RandStringBytesMaskImprSrc(rand.Intn(client.PaddingMax))
 	}
 	// Set the Agent's JWT to be self-generated
 	var err error
@@ -189,7 +197,10 @@ func (client *Client) opaqueAuthenticate() (messages.Base, error) {
 		return msg, fmt.Errorf("there was an error creating the OPAQUE User Authentication Complete message:\r\n%s", err)
 	}
 	msg.Payload = payload
-	msg.Padding = core.RandStringBytesMaskImprSrc(client.PaddingMax)
+	if client.PaddingMax > 0 {
+		msg.Padding = core.RandStringBytesMaskImprSrc(rand.Intn(client.PaddingMax))
+	}
+
 	// Save the OPAQUE derived Diffie-Hellman secret
 	client.secret = []byte(client.opaque.Kex.SharedSecret.String())
 	// Send OPAQUE AuthComplete to the server

diff --git a/docs/CHANGELOG.MD b/docs/CHANGELOG.MD
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## 1.2.1 - 2022-01-10
+
+### Fixed
+
+- [Issue 6](https://github.com/Ne0nd0g/merlin-agent/issues/6) - Message padding is now a random length instead of a fixed length
+
 ## 1.2.0 - 2021-12-12
 
 ### Added