From 7538b633f5f5b2229073dbf7ca7096005e314994 Mon Sep 17 00:00:00 2001
From: Guillaume Ballet
Date: Mon, 11 Dec 2017 12:32:58 +0100
Subject: [PATCH] whisper: sym encryption message padding includes salt (#15631)

Now that the AES salt has been moved to the payload, padding must be adjusted to hide it, lest an attacker guesses that the packet uses symmetric encryption.
---
 whisperv6/message.go | 4 +++
 whisperv6/message_test.go | 56 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/whisperv6/message.go b/whisperv6/message.go
index 63bcdd8..f8df503 100644
--- a/whisperv6/message.go
+++ b/whisperv6/message.go
@@ -124,6 +124,10 @@ func (msg *sentMessage) appendPadding(params *MessageParams) error {
 if params.Src != nil {
 rawSize += signatureLength
 }
+
+ if params.KeySym != nil {
+ rawSize += AESNonceLength
+ }
 odd := rawSize % padSizeLimit
 if len(params.Padding) != 0 {
diff --git a/whisperv6/message_test.go b/whisperv6/message_test.go
index 281a852..c90bcc0 100644
--- a/whisperv6/message_test.go
+++ b/whisperv6/message_test.go
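Review bot: In appendPadding (whisperv6/message.go), the added `if params.KeySym != nil` check decides the padded size on its own, but the size only hides the encryption mode if it agrees with whatever later selects symmetric encryption. That selection is not visible in this hunk; if it prefers an asymmetric destination key when both keys are set, such a message would be padded AESNonceLength bytes off the boundary and its length would stand out. Consider `if params.KeySym != nil && params.Dst == nil {`, or rejecting parameter sets that carry both keys before padding is computed. A short comment such as `// the AES nonce travels with the payload, so it counts toward the padded size` would record why the nonce is added here. The function body starts and ends outside the hunk.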
@@ -416,3 +416,59 @@ func TestPadding(t *testing.T) {
 singlePaddingTest(t, n)
 }
 }
+
+func TestPaddingAppendedToSymMessages(t *testing.T) {
+ params := &MessageParams{
+ Payload: make([]byte, 246),
+ KeySym: make([]byte, aesKeyLength),
+ }
+
+ // Simulate a message with a payload just under 256 so that
+ // payload + flag + aesnonce > 256. Check that the result
+ // is padded on the next 256 boundary.
+ msg := sentMessage{}
+ msg.Raw = make([]byte, len(params.Payload)+1+AESNonceLength)
+
+ err := msg.appendPadding(params)
+
+ if err != nil {
+ t.Fatalf("Error appending padding to message %v", err)
+ return
+ }
+
+ if len(msg.Raw) != 512 {
+ t.Errorf("Invalid size %d != 512", len(msg.Raw))
+ }
+}
+
+func TestPaddingAppendedToSymMessagesWithSignature(t *testing.T) {
+ params := &MessageParams{
+ Payload: make([]byte, 246),
+ KeySym: make([]byte, aesKeyLength),
+ }
+
+ pSrc, err := crypto.GenerateKey()
+
+ if err != nil {
+ t.Fatalf("Error creating the signature key %v", err)
+ return
+ }
+ params.Src = pSrc
+
+ // Simulate a message with a payload just under 256 so that
+ // payload + flag + aesnonce > 256. Check that the result
+ // is padded on the next 256 boundary.
+ msg := sentMessage{}
+ msg.Raw = make([]byte, len(params.Payload)+1+AESNonceLength+signatureLength)
+
+ err = msg.appendPadding(params)
+
+ if err != nil {
+ t.Fatalf("Error appending padding to message %v", err)
+ return
+ }
+
+ if len(msg.Raw) != 512 {
+ t.Errorf("Invalid size %d != 512", len(msg.Raw))
+ }
+}
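Review bot: Both new tests set KeySym, so nothing in this hunk pins that the nonce is left out of the size when no symmetric key is given; a regression that always added AESNonceLength would still pass them. A companion case with the same 246-byte payload and no KeySym, expecting 256, closes that gap (this assumes the rest of appendPadding rounds up to the next padSizeLimit multiple, as the 512 assertions imply). The `return` after each `t.Fatalf` is unreachable, since Fatalf already stops the test, and can be dropped. The tests also size msg.Raw by hand, so they check the padding arithmetic only, not that the wrap path really appends the nonce.

```go
func TestPaddingNotExtendedWithoutSymKey(t *testing.T) {
	params := &MessageParams{
		Payload: make([]byte, 246),
	}

	// No KeySym: the nonce must not be counted, so payload + flag
	// (247 bytes) is padded to the first 256 boundary, not the second.
	msg := sentMessage{}
	msg.Raw = make([]byte, len(params.Payload)+1)

	if err := msg.appendPadding(params); err != nil {
		t.Fatalf("Error appending padding to message %v", err)
	}

	if len(msg.Raw) != 256 {
		t.Errorf("Invalid size %d != 256", len(msg.Raw))
	}
}
```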