From 48b81823394ae885bca954a2aaa39c0e746ee39a Mon Sep 17 00:00:00 2001
From: Marten Seemann <martenseemann@gmail.com>
Date: Thu, 13 Feb 2025 06:31:02 +0100
Subject: [PATCH] keep undecryptable packets when deriving 0-RTT and handshake
 keys (#4950)

When receiving a ClientHello for a 0-RTT connection, this allows us to derive both 0-RTT and Handshake keys at the same time. The previous logic used to inadvertently discard previously undecryptable packets (e.g. reordered 0-RTT packets).
---
 connection.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/connection.go b/connection.go
index 159d49fbf..9415584de 100644
--- a/connection.go
+++ b/connection.go
@@ -1553,8 +1553,8 @@ func (s *connection) handleHandshakeEvents(now time.Time) error {
 			s.restoreTransportParameters(ev.TransportParameters)
 			close(s.earlyConnReadyChan)
 		case handshake.EventReceivedReadKeys:
-			// Queue all packets for decryption that have been undecryptable so far.
-			s.undecryptablePacketsToProcess = s.undecryptablePackets
+			// queue all previously undecryptable packets
+			s.undecryptablePacketsToProcess = append(s.undecryptablePacketsToProcess, s.undecryptablePackets...)
 			s.undecryptablePackets = nil
 		case handshake.EventDiscard0RTTKeys:
 			err = s.dropEncryptionLevel(protocol.Encryption0RTT, now)