Merlin 0.8.0.BETA 32bit Agent JWT Expired Error During Registration

[backcountryinfosec]

Prerequisite

• I have read the README
• I have search the opened & closed issues
• I have search the WIKI and its FAQ page

Environment Data

• Merlin Version: 0.8.0.BETA
• Merlin Build: 2c1146f
• Go Version: go version go1.13.5 linux/amd64
• GOPATH Environment Variable: /root/go-workspace
• GOROOT Environment Variable: /usr/local/go
• Operating System: Kali 2019.4 & Ubuntu 18.04 || Agent Running on Windows 10 10.0.14393 Build 14393

Expected Behavior

Agent should connect to server - Arch shouldn't change JWT validation

Actual Behavior

Compiled 64bit agent runs fine with no issues connecting to server. I've also build a 32 bit version of the agent with:
GOARCH=386 GOOS=windows go build -o merlinAgentx32.exe cmd/merlinagent/main.go

Testing this on 32bit (and 64) versions of Windows10 about 40% of the time the agent fails to fully enroll with server when validating the JWT due to a expired token. When the Agent goes to check in again it attempts to start the OPAQUE Registration and the server replies that the agent is already registered however the agent is listed as dead and will never fully complete the registration with the server.

Agent Error: (debug)

Server Error: (verbose mode on)

Steps to Reproduce Behavior

Compile 32 bit agent:
GOARCH=386 GOOS=windows go build -o merlinAgentx32.exe cmd/merlinagent/main.go
Run on Windows10 32bit or 64 bit with this command:
.\merlinAgentx32.exe -url https://192.168.56.106:443 -psk test -v -debug
Roughly 40% of the time the agent fails the JWT validation due to timing issues.

Misc Information

I've tested this by running the server on virtual and non-virtual machines including Kali 2019.4 and Ubuntu 18.04. I've also tested the agent on 32&64 bit Windows 10 machines both virtual and non-virtual. Validated that the time was set correctly in all instances due to mention in this issue (#85)

I haven't seen any reference to testing 32bit binaries however I did see reference in the go module code so I believe it is still supported. If not please let me know and we can close this issue.

[Ne0nd0g]

Thanks for reporting this issue with a lot of good detail @backcountryinfosec . I've taken a look and I'm not able to reproduce the finding on my own. I ran the agent about 20 times. I suspect this is still due to a timing thing. To the best of my knowledge, there is no difference in the source code between x86 and x64.

My first guess is that the 10 second default lifetime is too short for these communications. Can you try upping the value to something like 60s and see if you still get the same errors? https://github.com/Ne0nd0g/merlin/blob/master/pkg/servers/http2/http2.go#L716

[backcountryinfosec]

@Ne0nd0g thanks for the quick response! I forgot that I had wanted to look for that wait time in the code, thanks for pointing that out. I adjusted and recompiled as you suggested and I've had no errors so far in testing. I'll probably start working backward from 60s to see how close I can get to the original 10s. Thanks again.