After some investigation into the padding feature of Merlin, I'm not sure if it is acting in the intended fashion. It seems that each message is always given a padding the exact size specified by the user at build time for PaddingMax. So if it is 4096, then every message has a padding of 4096 bytes, not a random number of UP TO 4096 bytes. We also discussed randomizing the PaddingMax on the server side during OPAQUE so it isn't a hard coded value.
The SendMerlinMessage function in clients/http/http.go updates the message's padding with m.Padding = core.RandStringBytesMaskImprSrc(client.PaddingMax). However, this function returns a random string of characters but with a fixed length. The issue is confirmed as the intent is to include a random string of random length, not a fixed length. I'll work on implementing a fix and pushing it.
Seems like wrapping the PaddingMax value in rand.Intn should do the trick (e.g., m.Padding = core.RandStringBytesMaskImprSrc(rand.Intn(client.PaddingMax))). rand.Seed(time.Now().UTC().UnixNano()) is called when the agent starts.
On the server side, padding is added to return messages in the Handler function of pkg/server/jobs/jobs.go.
During the OPAQUE process, the server does not know the agent's configuration and will not be able to determine its PaddingMax value, so a hard coded value of 4096 is used.
I'll update both places with the same solution of wrapping the values in rand.Intn.
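As an added illustration (not Merlin's own code), a reduced Go version of the two behaviours discussed in this thread: the reported one, where every message carries exactly PaddingMax bytes and so every message has the same size, and the proposed rand.Intn fix. randString stands in for RandStringBytesMaskImprSrc and distinctLengths is a hypothetical check; it also handles the rand.Intn edge cases (panics on 0, upper bound exclusive) that the one-line fix above does not, and assumes Go 1.20+ where math/rand is seeded automatically.

```go
package main

import (
	"fmt"
	"math/rand"
)

const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

// randString returns n random letters; a stand-in for Merlin's
// core.RandStringBytesMaskImprSrc, which also returns exactly n characters.
func randString(n int) string {
	b := make([]byte, n)
	for i := range b {
		b[i] = alphabet[rand.Intn(len(alphabet))]
	}
	return string(b)
}

// fixedPadding reproduces the reported behaviour: the padding is always
// exactly paddingMax bytes, so message sizes never vary.
func fixedPadding(paddingMax int) string {
	return randString(paddingMax)
}

// randomPadding is the proposed fix with two caveats handled:
// rand.Intn(n) panics when n <= 0, and it returns 0..n-1, so +1 is
// needed for paddingMax itself to be a possible length.
func randomPadding(paddingMax int) string {
	if paddingMax <= 0 {
		return ""
	}
	return randString(rand.Intn(paddingMax + 1))
}

// distinctLengths counts how many different padding lengths occur across n
// messages (hypothetical helper); a result of 1 is the symptom in the issue.
func distinctLengths(pad func(int) string, paddingMax, n int) int {
	seen := map[int]bool{}
	for i := 0; i < n; i++ {
		seen[len(pad(paddingMax))] = true
	}
	return len(seen)
}

func main() {
	fmt.Println("fixed padding, distinct lengths:", distinctLengths(fixedPadding, 4096, 100))
	fmt.Println("random padding, distinct lengths:", distinctLengths(randomPadding, 4096, 100))
}
```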