The padding field in auth.proto (field 6, lines 37–39) carries random bytes to vary ciphertext length across sessions. Its comment documents the purpose but states no upper bound on the payload size.
Proto3 implementations apply a default message size ceiling of 64 MB. The Node must deserialize the full Auth message before it can reach the HMAC at field 3 and verify the caller's identity. A client — or any party that can complete a TLS handshake with the Node — may send an Auth message whose padding fills the entire 64 MB budget. The Node allocates up to 64 MB per such attempt before it can reject the message.
Every other bounded field in auth.proto documents its constraint: client_id is "exactly nine raw UTF-8 bytes", hmac is "12 bytes". padding is the only field without a stated limit. No implementation can apply a tighter check before deserialization from the proto comment alone, so the 64 MB default becomes the de-facto maximum for every consumer.
Add a sentence to the padding comment stating the maximum allowed size (1 KB is sufficient for fingerprint resistance) and note that the Node should enforce this ceiling before HMAC verification, ideally as a message-length check on the raw wire bytes before passing the buffer to the proto deserializer.
The
paddingfield inauth.proto(field 6, lines 37–39) carries random bytes to vary ciphertext length across sessions. Its comment documents the purpose but states no upper bound on the payload size.Proto3 implementations apply a default message size ceiling of 64 MB. The Node must deserialize the full Auth message before it can reach the HMAC at field 3 and verify the caller's identity. A client — or any party that can complete a TLS handshake with the Node — may send an Auth message whose
paddingfills the entire 64 MB budget. The Node allocates up to 64 MB per such attempt before it can reject the message.Every other bounded field in
auth.protodocuments its constraint:client_idis "exactly nine raw UTF-8 bytes",hmacis "12 bytes".paddingis the only field without a stated limit. No implementation can apply a tighter check before deserialization from the proto comment alone, so the 64 MB default becomes the de-facto maximum for every consumer.Add a sentence to the
paddingcomment stating the maximum allowed size (1 KB is sufficient for fingerprint resistance) and note that the Node should enforce this ceiling before HMAC verification, ideally as a message-length check on the raw wire bytes before passing the buffer to the proto deserializer.