<div dir="ltr">Hello,<div><br></div><div>How was that found? Is there some compliance (automated) test?</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Fri, 9 Aug 2024 at 18:57, Sergey Kandaurov <<a href="mailto:pluknet@nginx.com">pluknet@nginx.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">details:   <a href="https://hg.nginx.org/nginx/rev/906a42885ce2" rel="noreferrer" target="_blank">https://hg.nginx.org/nginx/rev/906a42885ce2</a><br>
branches:  <br>
changeset: 9273:906a42885ce2<br>
user:      Sergey Kandaurov <<a href="mailto:pluknet@nginx.com" target="_blank">pluknet@nginx.com</a>><br>
date:      Fri Aug 09 19:12:25 2024 +0400<br>
description:<br>
QUIC: discarding 0-RTT keys.<br>
<br>
For simplicity, this is done on successful decryption of a 1-RTT packet.<br>
<br>
diffstat:<br>
<br>
 src/event/quic/ngx_event_quic.c |  10 ++++++++++<br>
 1 files changed, 10 insertions(+), 0 deletions(-)<br>
<br>
diffs (20 lines):<br>
<br>
diff -r 6392cb0d83e8 -r 906a42885ce2 src/event/quic/ngx_event_quic.c<br>
--- a/src/event/quic/ngx_event_quic.c   Fri Aug 09 19:12:23 2024 +0400<br>
+++ b/src/event/quic/ngx_event_quic.c   Fri Aug 09 19:12:25 2024 +0400<br>
@@ -1022,6 +1022,16 @@ ngx_quic_handle_payload(ngx_connection_t<br>
         }<br>
     }<br>
<br>
+    if (pkt->level == ssl_encryption_application) {<br>
+        /*<br>
+         * RFC 9001, 4.9.3.  Discarding 0-RTT Keys<br>
+         *<br>
+         * After receiving a 1-RTT packet, servers MUST discard<br>
+         * 0-RTT keys within a short time<br>
+         */<br>
+        ngx_quic_discard_ctx(c, ssl_encryption_early_data);<br>
+    }<br>
+<br>
     if (qc->closing) {<br>
         /*<br>
          * RFC 9000, 10.2.  Immediate Close<br>
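Review bot: in ngx_quic_handle_payload(), the added "if (pkt->level == ssl_encryption_application)" block runs for every 1-RTT packet on the connection, not only the first one, so ngx_quic_discard_ctx(c, ssl_encryption_early_data) is called repeatedly and the hunk depends on that call being a cheap no-op once the 0-RTT keys are gone, which these lines do not show. Either confirm that ngx_quic_discard_ctx() returns early for a level whose keys are already discarded, or guard the call so it happens once.<br>
The comment also quotes only the MUST from RFC 9001, 4.9.3, while the code discards at the first 1-RTT packet, as the commit message says, "for simplicity". A sentence in the comment stating that 0-RTT packets reordered behind that first 1-RTT packet will no longer decrypt, and that this is accepted here although the same RFC section lets a server keep the keys for a short period, would document the trade-off for the next reader.<br>
<br>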
_______________________________________________<br>
nginx-devel mailing list<br>
<a href="mailto:nginx-devel@nginx.org" target="_blank">nginx-devel@nginx.org</a><br>
<a href="https://mailman.nginx.org/mailman/listinfo/nginx-devel" rel="noreferrer" target="_blank">https://mailman.nginx.org/mailman/listinfo/nginx-devel</a><br>
</blockquote></div>