[noise] NoiseSocket and payload padding in handshake messages

[Nemanja Mijailovic]

The NoiseSocket spec currently mandates padded size for the entire message, not just the payload (WriteHandshakeMessage in section 5):

“If this message has an encryped payload and noise_message_len would be less than padded_len, padding is added to make noise_message_len equal padded_len”

If we wanted to pad only the payload, we could replace noise_message_len with message_body_len, and the padding would be trivial.

On the other hand, if we decide to keep the current definition, it would be way simpler for implementers if we defined some function like NextMessageOverhead() in the HandshakeState in the core Noise protocol, where we have the access to the internal state.

Nemanja

> On Apr 18, 2018, at 09:54, Trevor Perrin <trevp at trevp.net> wrote:
> 
> On Tue, Apr 17, 2018 at 4:43 PM, Nemanja Mijailovic
> <metalnem at mijailovic.net> wrote:
>> It is a little tricky to support padding it for handshake message. You would
>> have to calculate the whole Noise message length before deciding whether to
>> apply padding, but the message sometimes includes static and ephemeral keys,
>> where static keys can be encrypted or not, which depends on whether the
>> cipher key was calculated in current or previous message patterns, but it
>> also depends on whether the handshake pattern is PSK or not.
> 
> I guess it depends on the protocol whether you're trying to pad the
> entire message out to a fixed size (e.g. to obscure which protocol is
> executing), or just trying to pad the handshake payload ciphertext to
> a fixed size, to obscure the length of the encrypted plaintext.  In
> the latter (maybe more common?) case, you don't have to calculate
> padding based on the entire Noise message, so it's easier to do.
> 
> Trevor