authorSergey Kandaurov <pluknet@nginx.com>2024-08-09 19:12:25 +0400
committerSergey Kandaurov <pluknet@nginx.com>2024-08-09 19:12:25 +0400
commit58b92177e7c3c50f77f807ab3846ad5c7bbf0ebe (patch)
tree41eed31e03ca62653d07d4fa1ef4b993c288fb7d /src
parent250baed4ee9bd32b6f236fd9ec17bf8800839b0e (diff)
QUIC: discarding 0-RTT keys.
For simplicity, this is done on successful decryption of a 1-RTT packet.
Diffstat (limited to 'src')
-rw-r--r--src/event/quic/ngx_event_quic.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/event/quic/ngx_event_quic.c b/src/event/quic/ngx_event_quic.c
index e4690f7dd..c03b1d003 100644
--- a/src/event/quic/ngx_event_quic.c
+++ b/src/event/quic/ngx_event_quic.c
@@ -1022,6 +1022,16 @@ ngx_quic_handle_payload(ngx_connection_t *c, ngx_quic_header_t *pkt)
}
}
+ if (pkt->level == ssl_encryption_application) {
+ /*
+ * RFC 9001, 4.9.3. Discarding 0-RTT Keys
+ *
+ * After receiving a 1-RTT packet, servers MUST discard
+ * 0-RTT keys within a short time
+ */
+ ngx_quic_discard_ctx(c, ssl_encryption_early_data);
+ }
+
if (qc->closing) {
/*
* RFC 9000, 10.2. Immediate Close