From ca37729e80c2da00403fd321631fd03eb06dbb15 Mon Sep 17 00:00:00 2001 From: Ne0nd0g Date: Mon, 10 Jan 2022 10:57:55 -0500 Subject: [PATCH] Fixed #6 - Message padding uses random length --- clients/http/http.go | 5 ++++- clients/http/opaque.go | 27 +++++++++++++++++++-------- docs/CHANGELOG.MD | 6 ++++++ 3 files changed, 29 insertions(+), 9 deletions(-) diff --git a/clients/http/http.go b/clients/http/http.go index a07aca1..eaabf90 100644 --- a/clients/http/http.go +++ b/clients/http/http.go @@ -24,6 +24,7 @@ import ( "crypto/tls" "encoding/gob" "fmt" + "math/rand" "net" "net/http" "net/url" @@ -313,7 +314,9 @@ func (client *Client) SendMerlinMessage(m messages.Base) (messages.Base, error) cli.Message(cli.NOTE, fmt.Sprintf("Sending %s message to %s", messages.String(m.Type), client.URL[client.currentURL])) // Set the message padding - m.Padding = core.RandStringBytesMaskImprSrc(client.PaddingMax) + if client.PaddingMax > 0 { + m.Padding = core.RandStringBytesMaskImprSrc(rand.Intn(client.PaddingMax)) + } var returnMessage messages.Base diff --git a/clients/http/opaque.go b/clients/http/opaque.go index 4d65dd7..142a25e 100644 --- a/clients/http/opaque.go +++ b/clients/http/opaque.go @@ -21,6 +21,7 @@ import ( // Standard "crypto/sha256" "fmt" + "math/rand" // Merlin "github.com/Ne0nd0g/merlin/pkg/core" @@ -74,11 +75,13 @@ func (client *Client) opaqueRegister() error { cli.Message(cli.NOTE, "Starting OPAQUE Registration") msg := messages.Base{ - ID: client.AgentID, - Type: messages.OPAQUE, - Padding: core.RandStringBytesMaskImprSrc(client.PaddingMax), + ID: client.AgentID, + Type: messages.OPAQUE, } + if client.PaddingMax > 0 { + msg.Padding = core.RandStringBytesMaskImprSrc(rand.Intn(client.PaddingMax)) + } // Set the Agent's JWT to be self-generated var err error client.JWT, err = client.getJWT() 
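Review bot: `rand.Intn(client.PaddingMax)` in SendMerlinMessage yields a length in [0, PaddingMax), so the configured maximum is never reached and a PaddingMax of 1 always gives empty padding; the same expression is used in all four opaque.go hunks. If PaddingMax is meant as an inclusive bound the call should be `rand.Intn(client.PaddingMax + 1)`, and either way the comment should state the range, e.g. `// Set the message padding to a random length in [0, PaddingMax)`. The length is drawn from math/rand's package-level source, which on Go releases before 1.20 produces the same sequence on every run unless it is seeded; no seeding is visible in this patch, so that may happen elsewhere. SendMerlinMessage begins and ends outside the hunk.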
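Review bot: The guard-plus-assignment added in opaqueRegister is the same three lines that this patch adds at five call sites (SendMerlinMessage and four places in opaque.go), and `Padding` was moved out of the struct literal only to make room for the guard. A small unexported method on Client that returns an empty value when PaddingMax is not positive and the random string otherwise would let the literal keep a single field, e.g. `Padding: client.randomPadding(),`, and would keep the length bound in one place. `randomPadding` is a suggested name, not an existing one. opaqueRegister continues outside the hunk.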
@@ -120,7 +123,10 @@ func (client *Client) opaqueRegister() error { } // Send OPAQUE RegComplete to the server cli.Message(cli.DEBUG, "Sending OPAQUE RegComplete message") - msg.Padding = core.RandStringBytesMaskImprSrc(client.PaddingMax) + if client.PaddingMax > 0 { + msg.Padding = core.RandStringBytesMaskImprSrc(rand.Intn(client.PaddingMax)) + } + msg, err = client.SendMerlinMessage(msg) if err != nil { return fmt.Errorf("there was an error sending the OPAQUE User Registration Complete message to the server:\r\n%s", err) @@ -147,9 +153,11 @@ func (client *Client) opaqueAuthenticate() (messages.Base, error) { cli.Message(cli.NOTE, "Starting OPAQUE Authentication") msg := messages.Base{ - ID: client.AgentID, - Type: messages.OPAQUE, - Padding: core.RandStringBytesMaskImprSrc(client.PaddingMax), + ID: client.AgentID, + Type: messages.OPAQUE, + } + if client.PaddingMax > 0 { + msg.Padding = core.RandStringBytesMaskImprSrc(rand.Intn(client.PaddingMax)) } // Set the Agent's JWT to be self-generated var err error @@ -189,7 +197,10 @@ func (client *Client) opaqueAuthenticate() (messages.Base, error) { return msg, fmt.Errorf("there was an error creating the OPAQUE User Authentication Complete message:\r\n%s", err) } msg.Payload = payload - msg.Padding = core.RandStringBytesMaskImprSrc(client.PaddingMax) + if client.PaddingMax > 0 { + msg.Padding = core.RandStringBytesMaskImprSrc(rand.Intn(client.PaddingMax)) + } + // Save the OPAQUE derived Diffie-Hellman secret client.secret = []byte(client.opaque.Kex.SharedSecret.String()) // Send OPAQUE AuthComplete to the server diff --git a/docs/CHANGELOG.MD b/docs/CHANGELOG.MD index 7aaebdb..5395159 100644 --- a/docs/CHANGELOG.MD +++ b/docs/CHANGELOG.MD 
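Review bot: The padding assigned to `msg` immediately before `client.SendMerlinMessage(msg)` looks like dead work: SendMerlinMessage, as patched in clients/http/http.go, assigns `m.Padding` again on the message it receives whenever PaddingMax is positive, so the string generated here is presumably replaced before anything is encoded. Either drop the three added lines and leave padding to SendMerlinMessage, or have SendMerlinMessage pad only when the caller has not, `if client.PaddingMax > 0 && len(m.Padding) == 0 {`. The other three opaque.go hunks would be affected the same way if their messages are also sent through SendMerlinMessage, which these hunks do not show. opaqueRegister's body starts and ends outside the hunk.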
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +## 1.2.1 - 2022-01-10 + +### Fixed + +- [Issue 6](https://github.com/Ne0nd0g/merlin-agent/issues/6) - Message padding is now a random length instead of a fixed length + ## 1.2.0 - 2021-12-12 ### Added