allow the first key update immediately after handshake confirmation

internal/handshake/updatable_aead.go

@@ -22,9 +22,10 @@ var KeyUpdateInterval uint64 = protocol.KeyUpdateInterval
 type updatableAEAD struct {
 	suite *qtls.CipherSuiteTLS13
 
-	keyPhase          protocol.KeyPhase
-	largestAcked      protocol.PacketNumber
-	firstPacketNumber protocol.PacketNumber
+	keyPhase           protocol.KeyPhase
+	largestAcked       protocol.PacketNumber
+	firstPacketNumber  protocol.PacketNumber
+	handshakeConfirmed bool
 
 	keyUpdateInterval  uint64
 	invalidPacketLimit uint64
@@ -172,35 +173,24 @@ func (a *updatableAEAD) open(dst, src []byte, rcvTime time.Time, pn protocol.Pac
 	}
 	binary.BigEndian.PutUint64(a.nonceBuf[len(a.nonceBuf)-8:], uint64(pn))
 	if kp != a.keyPhase.Bit() {
-		var receivedWrongInitialKeyPhase bool
-		if a.firstRcvdWithCurrentKey == protocol.InvalidPacketNumber || pn < a.firstRcvdWithCurrentKey {
-			if a.keyPhase == 0 {
-				// This can only occur when the first packet received has key phase 1.
-				// This is an error, since the key phase starts at 0,
-				// and peers are only allowed to update keys after the handshake is confirmed.
-				// Proceed from here, and only return an error if decryption of the packet succeeds.
-				receivedWrongInitialKeyPhase = true
-			} else {
-				if a.prevRcvAEAD == nil {
-					return nil, ErrKeysDropped
-				}
-				// we updated the key, but the peer hasn't updated yet
-				dec, err := a.prevRcvAEAD.Open(dst, a.nonceBuf, src, ad)
-				if err != nil {
-					err = ErrDecryptionFailed
-				}
-				return dec, err
+		if a.keyPhase > 0 && a.firstRcvdWithCurrentKey == protocol.InvalidPacketNumber || pn < a.firstRcvdWithCurrentKey {
+			if a.prevRcvAEAD == nil {
+				return nil, ErrKeysDropped
 			}
+			// we updated the key, but the peer hasn't updated yet
+			dec, err := a.prevRcvAEAD.Open(dst, a.nonceBuf, src, ad)
+			if err != nil {
+				err = ErrDecryptionFailed
+			}
+			return dec, err
 		}
 		// try opening the packet with the next key phase
 		dec, err := a.nextRcvAEAD.Open(dst, a.nonceBuf, src, ad)
-		if err == nil && receivedWrongInitialKeyPhase {
-			return nil, qerr.NewError(qerr.KeyUpdateError, "wrong initial key phase")
-		} else if err != nil {
+		if err != nil {
 			return nil, ErrDecryptionFailed
 		}
 		// Opening succeeded. Check if the peer was allowed to update.
-		if a.firstSentWithCurrentKey == protocol.InvalidPacketNumber {
+		if a.keyPhase > 0 && a.firstSentWithCurrentKey == protocol.InvalidPacketNumber {
 			return nil, qerr.NewError(qerr.KeyUpdateError, "keys updated too quickly")
 		}
 		a.rollKeys()
@@ -256,10 +246,20 @@ func (a *updatableAEAD) SetLargestAcked(pn protocol.PacketNumber) error {
 	return nil
 }
 
+func (a *updatableAEAD) SetHandshakeConfirmed() {
+	a.handshakeConfirmed = true
+}
+
 func (a *updatableAEAD) updateAllowed() bool {
-	return a.firstSentWithCurrentKey != protocol.InvalidPacketNumber &&
-		a.largestAcked != protocol.InvalidPacketNumber &&
-		a.largestAcked >= a.firstSentWithCurrentKey
+	if !a.handshakeConfirmed {
+		return false
+	}
+	// the first key update is allowed as soon as the handshake is confirmed
+	return a.keyPhase == 0 ||
+		// subsequent key updates as soon as a packet sent with that key phase has been acknowledged
+		(a.firstSentWithCurrentKey != protocol.InvalidPacketNumber &&
+			a.largestAcked != protocol.InvalidPacketNumber &&
+			a.largestAcked >= a.firstSentWithCurrentKey)
 }
 
 func (a *updatableAEAD) shouldInitiateKeyUpdate() bool {