don't drop Handshake keys when receiving an ACK for a 0-RTT packet

2025-04-04 04:37:36 +03:00 · 2019-06-27 13:05:09 +08:00 · 2019-06-27 13:05:09 +08:00 · 0b65a0c75e
commit 0b65a0c75e
parent d6b50cf15a
2 changed files with 16 additions and 0 deletions
--- a/internal/handshake/updatable_aead.go
+++ b/internal/handshake/updatable_aead.go
@ -47,6 +47,7 @@ type updatableAEAD struct {

 	keyPhase          protocol.KeyPhase
 	largestAcked      protocol.PacketNumber
+	firstPacketNumber protocol.PacketNumber
 	keyUpdateInterval uint64

 	// Time when the keys should be dropped. Keys are dropped on the next call to Open().
@ -83,6 +84,7 @@ var _ ShortHeaderSealer = &updatableAEAD{}

 func newUpdatableAEAD(rttStats *congestion.RTTStats, logger utils.Logger) *updatableAEAD {
 	return &updatableAEAD{
+		firstPacketNumber:       protocol.InvalidPacketNumber,
 		largestAcked:            protocol.InvalidPacketNumber,
 		firstRcvdWithCurrentKey: protocol.InvalidPacketNumber,
 		firstSentWithCurrentKey: protocol.InvalidPacketNumber,
@ -199,6 +201,9 @@ func (a *updatableAEAD) Seal(dst, src []byte, pn protocol.PacketNumber, ad []byt
 	if a.firstSentWithCurrentKey == protocol.InvalidPacketNumber {
 		a.firstSentWithCurrentKey = pn
 	}
+	if a.firstPacketNumber == protocol.InvalidPacketNumber {
+		a.firstPacketNumber = pn
+	}
 	a.numSentWithCurrentKey++
 	binary.BigEndian.PutUint64(a.nonceBuf[len(a.nonceBuf)-8:], uint64(pn))
 	// The AEAD we're using here will be the qtls.aeadAESGCM13.
@ -249,3 +254,7 @@ func (a *updatableAEAD) EncryptHeader(sample []byte, firstByte *byte, hdrBytes [
 func (a *updatableAEAD) DecryptHeader(sample []byte, firstByte *byte, hdrBytes []byte) {
 	a.headerDecrypter.DecryptHeader(sample, firstByte, hdrBytes)
 }
+
+func (a *updatableAEAD) FirstPacketNumber() protocol.PacketNumber {
+	return a.firstPacketNumber
+}