MINOR: quic-be: discard the 0-RTT keys

This patch allows the discarding of the 0-RTT keys as soon as 1-RTT keys
are available.

diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index b64df7ce2d79647b3f4fdf53c2af0c0e328d09ae..dfa25b7acaefe3fff8134b9d249ffc147e84a883 100644 (file)
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -291,6 +291,19 @@ write:
                struct quic_tls_kp *nxt_rx = &qc->ku.nxt_rx;
                struct quic_tls_kp *nxt_tx = &qc->ku.nxt_tx;
 
+               /* RFC 9000
+                * 4.9.3. Discarding 0-RTT Keys 0-RTT and 1-RTT packets share the same
+                * packet number space, and clients do not send 0-RTT packets after
+                * sending a 1-RTT packet (Section 5.6).
+                *
+                * Therefore, a client SHOULD discard 0-RTT keys as soon as it installs
+                * 1-RTT keys as they have no use after that moment.
+                */
+               if (objt_server(qc->target) && qc->eel) {
+                       TRACE_PROTO("discarding Early Data keys", QUIC_EV_CONN_PHPKTS, qc);
+                       qc_enc_level_free(qc, &qc->eel);
+               }
+
 #if !defined(USE_QUIC_OPENSSL_COMPAT) && !defined(HAVE_OPENSSL_QUIC)
                if (objt_server(qc->target)) {
                        const unsigned char *tp;