drop old keys 3 PTOs after a key update

2025-04-03 20:27:35 +03:00 · 2019-06-29 16:40:45 +07:00 · 2019-06-29 16:40:45 +07:00 · a3878d99c9
commit a3878d99c9
parent a2a4a216de
5 changed files with 76 additions and 9 deletions
--- a/internal/handshake/updatable_aead.go
+++ b/internal/handshake/updatable_aead.go
@ -7,7 +7,9 @@ import (
 	"fmt"
 	"os"
 	"strconv"
+	"time"

+	"github.com/lucas-clemente/quic-go/internal/congestion"
 	"github.com/lucas-clemente/quic-go/internal/qerr"
 	"github.com/lucas-clemente/quic-go/internal/utils"

@ -47,7 +49,9 @@ type updatableAEAD struct {
 	largestAcked      protocol.PacketNumber
 	keyUpdateInterval uint64

-	prevRcvAEAD cipher.AEAD
+	// Time when the keys should be dropped. Keys are dropped on the next call to Open().
+	prevRcvAEADExpiry time.Time
+	prevRcvAEAD       cipher.AEAD

 	firstRcvdWithCurrentKey protocol.PacketNumber
 	firstSentWithCurrentKey protocol.PacketNumber
@ -64,6 +68,8 @@ type updatableAEAD struct {
 	hpDecrypter cipher.Block
 	hpEncrypter cipher.Block

+	rttStats *congestion.RTTStats
+
 	logger utils.Logger

 	// use a single slice to avoid allocations
@ -74,12 +80,13 @@ type updatableAEAD struct {
 var _ ShortHeaderOpener = &updatableAEAD{}
 var _ ShortHeaderSealer = &updatableAEAD{}

-func newUpdatableAEAD(logger utils.Logger) *updatableAEAD {
+func newUpdatableAEAD(rttStats *congestion.RTTStats, logger utils.Logger) *updatableAEAD {
 	return &updatableAEAD{
 		largestAcked:            protocol.InvalidPacketNumber,
 		firstRcvdWithCurrentKey: protocol.InvalidPacketNumber,
 		firstSentWithCurrentKey: protocol.InvalidPacketNumber,
 		keyUpdateInterval:       keyUpdateInterval,
+		rttStats:                rttStats,
 		logger:                  logger,
 	}
 }
@ -91,6 +98,7 @@ func (a *updatableAEAD) rollKeys() {
 	a.numRcvdWithCurrentKey = 0
 	a.numSentWithCurrentKey = 0
 	a.prevRcvAEAD = a.rcvAEAD
+	a.prevRcvAEADExpiry = time.Now().Add(3 * a.rttStats.PTO())
 	a.rcvAEAD = a.nextRcvAEAD
 	a.sendAEAD = a.nextSendAEAD

@ -135,15 +143,22 @@ func (a *updatableAEAD) SetWriteKey(suite cipherSuite, trafficSecret []byte) {
 }

 func (a *updatableAEAD) Open(dst, src []byte, pn protocol.PacketNumber, kp protocol.KeyPhaseBit, ad []byte) ([]byte, error) {
+	if a.prevRcvAEAD != nil && time.Now().After(a.prevRcvAEADExpiry) {
+		a.prevRcvAEAD = nil
+		a.prevRcvAEADExpiry = time.Time{}
+	}
 	binary.BigEndian.PutUint64(a.nonceBuf[len(a.nonceBuf)-8:], uint64(pn))
 	if kp != a.keyPhase.Bit() {
 		if a.firstRcvdWithCurrentKey == protocol.InvalidPacketNumber || pn < a.firstRcvdWithCurrentKey {
-			if a.prevRcvAEAD == nil {
+			if a.keyPhase == 0 {
 				// This can only occur when the first packet received has key phase 1.
 				// This is an error, since the key phase starts at 0,
 				// and peers are only allowed to update keys after the handshake is confirmed.
 				return nil, qerr.Error(qerr.ProtocolViolation, "wrong initial keyphase")
 			}
+			if a.prevRcvAEAD == nil {
+				return nil, ErrKeysDropped
+			}
 			// we updated the key, but the peer hasn't updated yet
 			dec, err := a.prevRcvAEAD.Open(dst, a.nonceBuf, src, ad)
 			if err != nil {