Discard server 0-RTT read key when QUIC TLS handshake completes

Once the handshake is complete (i.e. the server has received the client's
Finished message), there shouldn't be any more messages in flight from the
client under the 0-RTT keys. If a lost 0-RTT packet eventually arrives late
(after the Finished), the server now won't be able to decrypt it, and
instead will need to wait for the retransmission to arrive (which is
presumably already en route).

Protected by disabled flag quic_enable_zero_rtt_for_tls

PiperOrigin-RevId: 314976141
Change-Id: I4b668e79795a942c7cec08a3cfb8085b182df781
diff --git a/quic/core/tls_server_handshaker.cc b/quic/core/tls_server_handshaker.cc
index 7d97bdb..58f75e4 100644
--- a/quic/core/tls_server_handshaker.cc
+++ b/quic/core/tls_server_handshaker.cc
@@ -380,6 +380,7 @@
handshaker_delegate()->OnOneRttKeysAvailable();
handshaker_delegate()->DiscardOldEncryptionKey(ENCRYPTION_HANDSHAKE);
handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_HANDSHAKE);
+ handshaker_delegate()->DiscardOldDecryptionKey(ENCRYPTION_ZERO_RTT);
}
ssl_private_key_result_t TlsServerHandshaker::PrivateKeySign(
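Review bot: the new DiscardOldDecryptionKey(ENCRYPTION_ZERO_RTT) call, placed right after the two ENCRYPTION_HANDSHAKE discards, runs unconditionally as far as this hunk shows: neither a check of quic_enable_zero_rtt_for_tls nor a check that a 0-RTT read key was ever installed is visible here. Please confirm that the delegate treats discarding an absent key as a no-op (for connections where 0-RTT was not offered or was rejected), or guard the call. A one-line comment above the call would also help, since the rationale (after the client's Finished nothing more should be in flight under 0-RTT keys, and a late 0-RTT packet is dropped and recovered by retransmission) is only in the commit message. A test that feeds a 0-RTT packet to the server after handshake completion and expects it to be undecryptable would pin the behaviour down.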