feat: Shuffle the client Initial crypto data

neqo-transport/src/connection/mod.rs

@@ -2168,6 +2168,7 @@ impl Connection {
         self.crypto.write_frame(
             PacketNumberSpace::ApplicationData,
             builder,
+            false,
             tokens,
             frame_stats,
         );
@@ -2301,7 +2302,13 @@ impl Connection {
                 self.write_appdata_frames(builder, &mut tokens);
             } else {
                 let stats = &mut self.stats.borrow_mut().frame_tx;
-                self.crypto.write_frame(space, builder, &mut tokens, stats);
+                self.crypto.write_frame(
+                    space,
+                    builder,
+                    space == PacketNumberSpace::Initial && self.role == Role::Client,
+                    &mut tokens,
+                    stats,
+                );
             }
         }
 
@@ -2512,7 +2519,7 @@ impl Connection {
             // Perform additional padding for Initial packets as necessary.
             let mut packets: Vec<u8> = encoder.into();
             if let Some(mut initial) = initial_sent.take() {
-                if needs_padding {
+                if needs_padding && packets.len() < profile.limit() {
                     qdebug!(
                         [self],
                         "pad Initial from {} to PLPMTU {}",

neqo-transport/src/connection/tests/handshake.rs

@@ -1193,13 +1193,17 @@ fn client_initial_retransmits_identical() {
 
     // Force the client to retransmit its Initial packet a number of times and make sure the
     // retranmissions are identical to the original. Also, verify the PTO durations.
+    let mut crypto_frames_in_first_ci = 0;
     for i in 1..=5 {
         let ci = client.process_output(now).dgram().unwrap();
+        if i == 1 {
+            crypto_frames_in_first_ci = client.stats().frame_tx.crypto;
+        }
         assert_eq!(ci.len(), client.plpmtu());
         assert_eq!(
             client.stats().frame_tx,
             FrameStats {
-                crypto: i,
+                crypto: i * crypto_frames_in_first_ci,
                 ..Default::default()
             }
         );
@@ -1219,13 +1223,17 @@ fn server_initial_retransmits_identical() {
     // retranmissions are identical to the original. Also, verify the PTO durations.
     let mut server = default_server();
     let mut total_ptos: Duration = Duration::from_secs(0);
+    let mut crypto_frames_in_first_si = 0;
     for i in 1..=3 {
         let si = server.process(ci.take(), now).dgram().unwrap();
+        if i == 1 {
+            crypto_frames_in_first_si = server.stats().frame_tx.crypto;
+        }
         assert_eq!(si.len(), server.plpmtu());
         assert_eq!(
             server.stats().frame_tx,
             FrameStats {
-                crypto: i * 2,
+                crypto: i * crypto_frames_in_first_si,
                 ack: i,
                 ..Default::default()
             }

neqo-transport/src/connection/tests/idle.rs

@@ -311,6 +311,7 @@ fn idle_caching() {
     server.crypto.streams.write_frame(
         PacketNumberSpace::Initial,
         &mut builder,
+        false,
         &mut tokens,
         &mut FrameStats::default(),
     );
@@ -319,6 +320,7 @@ fn idle_caching() {
     server.crypto.streams.write_frame(
         PacketNumberSpace::Initial,
         &mut builder,
+        false,
         &mut tokens,
         &mut FrameStats::default(),
     );

neqo-transport/src/connection/tests/vn.rs

@@ -251,7 +251,7 @@ fn compatible_upgrade_large_initial() {
     assert_eq!(server.version(), Version::Version2);
     // Only handshake padding is "dropped".
     assert_eq!(client.stats().dropped_rx, 1);
-    assert_eq!(server.stats().dropped_rx, 1);
+    assert!(server.stats().dropped_rx >= 1);
 }
 
 /// A server that supports versions 1 and 2 might prefer version 1 and that's OK.