From e7610eadfee686d7d979e8d23d0b903a78288a13 Mon Sep 17 00:00:00 2001
From: Guillaume Ballet <gballet@gmail.com>
Date: Mon, 11 Dec 2017 12:32:58 +0100
Subject: [PATCH] whisper: sym encryption message padding includes salt
 (#15631)

Now that the AES salt has been moved to the payload, padding must
be adjusted to hide it, lest an attacker guess that the packet
uses symmetric encryption.
---
 whisper/whisperv6/message.go      |  4 +++
 whisper/whisperv6/message_test.go | 56 +++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/whisper/whisperv6/message.go b/whisper/whisperv6/message.go
index 63bcdd85e..f8df50336 100644
--- a/whisper/whisperv6/message.go
+++ b/whisper/whisperv6/message.go
@@ -124,6 +124,10 @@ func (msg *sentMessage) appendPadding(params *MessageParams) error {
 	if params.Src != nil {
 		rawSize += signatureLength
 	}
+
+	if params.KeySym != nil {
+		rawSize += AESNonceLength
+	}
 	odd := rawSize % padSizeLimit
 
 	if len(params.Padding) != 0 {
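Review bot: The new `params.KeySym != nil` check in appendPadding has to match exactly the condition under which the send path later attaches the AES nonce, and nothing in this hunk ties the two together. If the sealing code decides differently (for example, it may prefer an asymmetric key when both are set, or treat an empty non-nil slice as no key), the padded size will be off by AESNonceLength and the message length itself becomes the distinguisher the commit is trying to remove. I would add a comment such as `// nonce travels with the payload for symmetric messages; keep in sync with the symmetric encryption path` and consider testing `len(params.KeySym) != 0` instead. Also check the `len(params.Padding) != 0` branch that follows: if caller-supplied padding bypasses the `odd` alignment, those messages are not covered by this fix. The function body starts and continues outside the hunk, so both points need confirming against the full file.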
diff --git a/whisper/whisperv6/message_test.go b/whisper/whisperv6/message_test.go
index 281a852d6..c90bcc01e 100644
--- a/whisper/whisperv6/message_test.go
+++ b/whisper/whisperv6/message_test.go
@@ -416,3 +416,59 @@ func TestPadding(t *testing.T) {
 		singlePaddingTest(t, n)
 	}
 }
+
+func TestPaddingAppendedToSymMessages(t *testing.T) {
+	params := &MessageParams{
+		Payload: make([]byte, 246),
+		KeySym:  make([]byte, aesKeyLength),
+	}
+
+	// Simulate a message with a payload just under 256 so that
+	// payload + flag + aesnonce > 256. Check that the result
+	// is padded on the next 256 boundary.
+	msg := sentMessage{}
+	msg.Raw = make([]byte, len(params.Payload)+1+AESNonceLength)
+
+	err := msg.appendPadding(params)
+
+	if err != nil {
+		t.Fatalf("Error appending padding to message %v", err)
+		return
+	}
+
+	if len(msg.Raw) != 512 {
+		t.Errorf("Invalid size %d != 512", len(msg.Raw))
+	}
+}
+
+func TestPaddingAppendedToSymMessagesWithSignature(t *testing.T) {
+	params := &MessageParams{
+		Payload: make([]byte, 246),
+		KeySym:  make([]byte, aesKeyLength),
+	}
+
+	pSrc, err := crypto.GenerateKey()
+
+	if err != nil {
+		t.Fatalf("Error creating the signature key %v", err)
+		return
+	}
+	params.Src = pSrc
+
+	// Simulate a message with a payload just under 256 so that
+	// payload + flag + aesnonce > 256. Check that the result
+	// is padded on the next 256 boundary.
+	msg := sentMessage{}
+	msg.Raw = make([]byte, len(params.Payload)+1+AESNonceLength+signatureLength)
+
+	err = msg.appendPadding(params)
+
+	if err != nil {
+		t.Fatalf("Error appending padding to message %v", err)
+		return
+	}
+
+	if len(msg.Raw) != 512 {
+		t.Errorf("Invalid size %d != 512", len(msg.Raw))
+	}
+}
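Review bot: Both tests build `msg.Raw` by hand with the nonce (and, in the second test, the signature) already counted, so they check the modulo arithmetic in appendPadding rather than the length of a message that has actually been signed and encrypted. If the real send path appends those bytes after padding, or adds anything else when sealing, these tests would still pass while the on-wire size misses the 256-byte boundary. An additional test that runs the full wrap-and-encrypt path with a symmetric key and asserts on the resulting output length would pin the property the commit message describes. A negative case with `KeySym` unset would also show that asymmetric messages keep their previous padded size. Minor: the `return` after each `t.Fatalf` is unreachable and can be dropped, and the copied comment in the second test should mention the signature.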
-- 
GitLab