Pad ohttp req/res messages to consistent 8192 bytes

[DanGould]

Padded messages (POST, GET, Response 202, Response 200) are no longer distinguishable

Rationale: 7kb x 2x/min / 1h = ~1MB/hr which is not too much overhead.

• We must also specify a 30s timeout in BIP 77 for long polling and say that clients MUST poll as soon as they receive a response so as not to fingerprint clients based on request timing. TODO left in BIP comments
• allocate fixed length arrays instead of resizeing vectors.

[DanGould]

If these arguments were statically sized we wouldn't need to test it. Do that

[spacebear21]

concept ACK

[coveralls]

Pull Request Test Coverage Report for Build 12063584579

Details

• 35 of 53 (66.04%) changed or added relevant lines in 8 files are covered.
• 2 unchanged lines in 1 file lost coverage.
• Overall coverage decreased (-0.1%) to 61.494%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
payjoin/src/send/error.rs	0	2	0.0%
payjoin-cli/src/app/v2.rs	0	3	0.0%
payjoin/src/receive/v2/mod.rs	14	20	70.0%
payjoin/src/receive/v2/error.rs	0	7	0.0%

Files with Coverage Reduction	New Missed Lines	%
payjoin/src/send/mod.rs	2	92.78%

Totals
Change from base Build 12037630831:	-0.1%
Covered Lines:	2790
Relevant Lines:	4537

---

💛 - Coveralls

[spacebear21]

Following the same pattern as V2GetContext::process_response:

Suggested change

	let mut res_buf = [0u8; crate::ohttp::ENCAPSULATED_MESSAGE_BYTES];
	res_buf[..response.len()].copy_from_slice(response);
	let response = ohttp_decapsulate(self.ohttp_ctx, &res_buf)
	let response_array: &[u8; crate::ohttp::ENCAPSULATED_MESSAGE_BYTES] =
	response
	.try_into()
	.map_err(|_| InternalValidationError::UnexpectedResponseSize(response.len()))?;
	let response = ohttp_decapsulate(ohttp_ctx, response_array)

Also seems better to propagate an error instead of truncating to response.len() in case the length doesn't match the expected size.

[nothingmuch]

this is important, because if response.len() > crate::ohttp::ENCAPSULATED_MESSAGE_BYTES then this will panic due to slice out of range crashing the directory

[nothingmuch]

i selected "Request changes" because spacebear's suggestion is required (addresses out of range panic in directory). my suggestions are mere comments.

[nothingmuch]

IIRC wrapping with Cursor is not necessary as a mut slice implements Write (not sure if write_bhttp needs Seek?)

[DanGould]

Ah, we need .as_mut_slice. We kept missing this method when we stayed up late trying to fix it.

[nothingmuch]

this is important, because if response.len() > crate::ohttp::ENCAPSULATED_MESSAGE_BYTES then this will panic due to slice out of range crashing the directory

[nothingmuch]

we should probably document the total waste (8192 - ohttp overhead - 7168) somewhere, but not sure where is a good place to do that

[DanGould]

I was wondering about this. Can we match them to create no or less waste? my understanding is that we just need leeway for sufficiently long URLs in headers

[nothingmuch]

when we tried to account for the bhttp overhead we got lost in details and specifically how it varies... i'm not sure what we can promise there

my framing it as "waste" was misleading, so we should come up with a way of explaining this gap in sizes more clearly.

the bhttp encoding overhead, any variability in the vhost, uri path, etc must all fit in this ~1kib budget... that seems reasonable as a value, i'm not sure if we should match these more closely although i can only think of pretty contrived reasons why you'd that much

[DanGould]

path in an OHTTP request is in practice quite small since the target path details are encapsulated and the request ought to go to the OHTTP gateway to be marshaled to the specific path target encoded in the BHTTP. In our examples, we just use / as the path, and the host https://payjo.in'. https://payjo.in/` is 17 bytes. That makes me think this overhead is actually a lot more than it needs to be and 256 bytes, being an order of magnitude greater, is almost certainly enough for any legitimate use assuming BIP 77 is the primary use. Getting 768 additional bytes if we used 256 bytes in the payload is an ~11% increase in payload size, which is a pretty big gain for working with PSBTs for payjoins.

[nothingmuch]

i thought 7168 seemed and was deemed sufficient for the 2 party case? has anything changed the underlying rationale for that? FWIW a similar% gain would be obtained by not encoding the psbt as base64 in v2

[nothingmuch]

This seems mergeable to me as is.

However, if there are good reasons to doubt 7168 * 6/8 = ~5KiB PSBT as being sufficiently large, or 8192 as being sufficiently small then it should probably be addressed.

Both seem rather arbitrary to me, but ~5KiB being sufficiently large for BIP 77 is the more important one to get right i guess? A budget of about a dozen each of inputs and outputs per party with room to spare seems like it's more than enough for the stated use cases.

The only argument I can think of that might make a difference in user experience -- and even that is very dubious -- depends on the actual MTU. The lowest value on wikipedia for common media is 1452, which * 5 = 7260. For one packet to make a perceptible difference on average would imply the user is suffering from pretty extreme packet loss. Assuming this argument actually makes sense (again I think it doesn't) then i guess we should calculate and verify precise values for the bhttp overhead etc to make sure it all fits in less than 7260 bytes. Otherwise the argument for utilizing the existing headroom in 8192 bytes more efficiently seems very marginal for the 2 party case.

[DanGould]

This seems mergeable to me as is

You sound very confident that this will not be followed with a breaking change. Merging.

[nothingmuch]

You sound very confident that this will not be followed with a breaking change. Merging.

Merely very confident that I can't come up with a good argument for increasing or decreasing either of the two sizes ;-)