quic: pad ack-eliciting server Initial datagrams

UDP datagrams containing Initial packets are expanded to 1200 bytes
to validate that the path is capable of supporting the smallest
allowed maximum QUIC datagram size.

(In addition, client Initial packets must be sent in datagrams
of at least 1200 bytes, to defend against amplification attacks.)

We were expanding client datagrams containing Initial packets,
but not server datagrams. Fix this. (More specifically, server
datagrams must be expanded to 1200 bytes when they contain
ack-eliciting Initial packets.)

RFC 9000, Section 14.1.

Change-Id: I0c0c36321c055e960be3e29a49d7cb7620640b82
Reviewed-on: https://go-review.googlesource.com/c/net/+/538776
Reviewed-by: Jonathan Amsterdam <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

Author: neild

internal/quic/conn_recv.go

@@ -24,7 +24,7 @@ func (c *Conn) handleDatagram(now time.Time, dgram *datagram) {
 		ptype := getPacketType(buf)
 		switch ptype {
 		case packetTypeInitial:
-			if c.side == serverSide && len(dgram.b) < minimumClientInitialDatagramSize {
+			if c.side == serverSide && len(dgram.b) < paddedInitialDatagramSize {
 				// Discard client-sent Initial packets in too-short datagrams.
 				// https://www.rfc-editor.org/rfc/rfc9000#section-14.1-4
 				return

internal/quic/conn_send.go

@@ -77,10 +77,11 @@ func (c *Conn) maybeSend(now time.Time) (next time.Time) {
 			}
 			sentInitial = c.w.finishProtectedLongHeaderPacket(pnumMaxAcked, c.keysInitial.w, p)
 			if sentInitial != nil {
-				// Client initial packets need to be sent in a datagram padded to
-				// at least 1200 bytes. We can't add the padding yet, however,
-				// since we may want to coalesce additional packets with this one.
-				if c.side == clientSide {
+				// Client initial packets and ack-eliciting server initial packaets
+				// need to be sent in a datagram padded to at least 1200 bytes.
+				// We can't add the padding yet, however, since we may want to
+				// coalesce additional packets with this one.
+				if c.side == clientSide || sentInitial.ackEliciting {
 					pad = true
 				}
 			}
@@ -123,7 +124,7 @@ func (c *Conn) maybeSend(now time.Time) (next time.Time) {
 				// 1-RTT packets have no length field and extend to the end
 				// of the datagram, so if we're sending a datagram that needs
 				// padding we need to add it inside the 1-RTT packet.
-				c.w.appendPaddingTo(minimumClientInitialDatagramSize)
+				c.w.appendPaddingTo(paddedInitialDatagramSize)
 				pad = false
 			}
 			if logPackets {
@@ -149,7 +150,7 @@ func (c *Conn) maybeSend(now time.Time) (next time.Time) {
 				// Pad out the datagram with zeros, coalescing the Initial
 				// packet with invalid packets that will be ignored by the peer.
 				// https://www.rfc-editor.org/rfc/rfc9000.html#section-14.1-1
-				for len(buf) < minimumClientInitialDatagramSize {
+				for len(buf) < paddedInitialDatagramSize {
 					buf = append(buf, 0)
 					// Technically this padding isn't in any packet, but
 					// account it to the Initial packet in this datagram

internal/quic/listener.go

@@ -269,7 +269,7 @@ func (l *Listener) handleUnknownDestinationDatagram(m *datagram) {
 		return
 	}
 	p, ok := parseGenericLongHeaderPacket(m.b)
-	if !ok || len(m.b) < minimumClientInitialDatagramSize {
+	if !ok || len(m.b) < paddedInitialDatagramSize {
 		return
 	}
 	switch p.version {
@@ -382,7 +382,7 @@ func (l *Listener) sendConnectionClose(in genericLongPacket, addr netip.AddrPort
 		srcConnID: in.dstConnID,
 	}
 	const pnumMaxAcked = 0
-	w.reset(minimumClientInitialDatagramSize)
+	w.reset(paddedInitialDatagramSize)
 	w.startProtectedLongHeaderPacket(pnumMaxAcked, p)
 	w.appendConnectionCloseTransportFrame(code, 0, "")
 	w.finishProtectedLongHeaderPacket(pnumMaxAcked, keys.w, p)

internal/quic/listener_test.go

@@ -172,7 +172,7 @@ func (tl *testListener) writeDatagram(d *testDatagram) {
 		}
 		pad := 0
 		if p.ptype == packetType1RTT {
-			pad = d.paddedSize
+			pad = d.paddedSize - len(buf)
 		}
 		buf = append(buf, encodeTestPacket(tl.t, tc, p, pad)...)
 	}

internal/quic/quic.go

@@ -58,9 +58,10 @@ const (
 // https://www.rfc-editor.org/rfc/rfc9002.html#section-6.1.2-6
 const timerGranularity = 1 * time.Millisecond
 
-// Minimum size of a UDP datagram sent by a client carrying an Initial packet.
+// Minimum size of a UDP datagram sent by a client carrying an Initial packet,
+// or a server containing an ack-eliciting Initial packet.
 // https://www.rfc-editor.org/rfc/rfc9000#section-14.1
-const minimumClientInitialDatagramSize = 1200
+const paddedInitialDatagramSize = 1200
 
 // Maximum number of streams of a given type which may be created.
 // https://www.rfc-editor.org/rfc/rfc9000.html#section-4.6-2

internal/quic/tls_test.go

@@ -148,6 +148,7 @@ func handshakeDatagrams(tc *testConn) (dgrams []*testDatagram) {
 				},
 			},
 		}},
+		paddedSize: 1200,
 	}, {
 		// Client Initial + Handshake + 1-RTT
 		packets: []*testPacket{{

internal/quic/version_test.go

@@ -30,7 +30,7 @@ func TestVersionNegotiationServerReceivesUnknownVersion(t *testing.T) {
 	pkt = append(pkt, dstConnID...)
 	pkt = append(pkt, byte(len(srcConnID)))
 	pkt = append(pkt, srcConnID...)
-	for len(pkt) < minimumClientInitialDatagramSize {
+	for len(pkt) < paddedInitialDatagramSize {
 		pkt = append(pkt, 0)
 	}