From ce7c9ea8834b9d2ed79efa9269467f02c0895d42 Mon Sep 17 00:00:00 2001
From: Marten Seemann
Date: Fri, 3 Oct 2025 13:25:05 +0800
Subject: [PATCH] drop initial keys when the handshake is confirmed (#5354)
---
 connection.go | 7 +++++++
 connection_test.go | 3 ++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/connection.go b/connection.go
index 50e39349..74e84cba 100644
--- a/connection.go
+++ b/connection.go
@@ -949,6 +949,13 @@ func (c *Conn) handleHandshakeComplete(now monotime.Time) error {
 }
 func (c *Conn) handleHandshakeConfirmed(now monotime.Time) error {
+ // Drop initial keys.
+ // On the client side, this should have happened when sending the first Handshake packet,
+ // but this is not guaranteed if the server misbehaves.
+ // See CVE-2025-59530 for more details.
+ if err := c.dropEncryptionLevel(protocol.EncryptionInitial, now); err != nil {
+ return err
+ }
 if err := c.dropEncryptionLevel(protocol.EncryptionHandshake, now); err != nil {
 return err
 }
diff --git a/connection_test.go b/connection_test.go
index bdf1f272..51ea93e4 100644
--- a/connection_test.go
+++ b/connection_test.go
@@ -1084,7 +1084,7 @@ func TestConnectionHandshakeServer(t *testing.T) {
 data, err := (&wire.CryptoFrame{Data: []byte("foobar")}).Append(nil, protocol.Version1)
 require.NoError(t, err)
- cs.EXPECT().DiscardInitialKeys()
+ cs.EXPECT().DiscardInitialKeys().Times(2)
 gomock.InOrder(
 cs.EXPECT().StartHandshake(gomock.Any()),
 cs.EXPECT().NextEvent().Return(handshake.Event{Kind: handshake.EventNoEvent}),
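Review bot: In connection.go, the added `c.dropEncryptionLevel(protocol.EncryptionInitial, now)` in handleHandshakeConfirmed runs unconditionally, so on the normal path, where the Initial keys were already discarded earlier, it is a repeated drop; the server test in this commit now expects `DiscardInitialKeys()` twice, apparently for that reason. The call therefore depends on dropEncryptionLevel being safe to repeat for the Initial level, which this hunk does not show. The comment should say so and should not mention only the client, for example `// Usually a no-op: the Initial keys are normally gone by now, so this call must be safe to repeat.` The body of handleHandshakeConfirmed continues outside the hunk.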
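Review bot: In connection_test.go, the server expectation `cs.EXPECT().DiscardInitialKeys().Times(2)` sits outside `gomock.InOrder(`, so it counts the calls but does not tie the second one to handshake confirmation. The client hunk (`@@ -1235,6 +1235,7 @@`) puts `cs.EXPECT().DiscardInitialKeys(),` directly before `cs.EXPECT().SetHandshakeConfirmed(),` in what appears to be an ordered sequence; doing the same on the server side would make the test fail if the drop moved elsewhere. Neither hunk shows a case where Initial keys are still present at confirmation, which is the situation the new comment in connection.go describes, so a regression test for that path would be worth adding. Both test functions continue outside their hunks.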
@@ -1235,6 +1235,7 @@ func testConnectionHandshakeClient(t *testing.T, usePreferredAddress bool) {
 unpacker.EXPECT().UnpackLongHeader(gomock.Any(), gomock.Any()).Return(
 &unpackedPacket{hdr: hdr, encryptionLevel: protocol.Encryption1RTT, data: data}, nil,
 ),
+ cs.EXPECT().DiscardInitialKeys(),
 cs.EXPECT().SetHandshakeConfirmed(),
 tc.packer.EXPECT().AppendPacket(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(
 func(buf *packetBuffer, _ protocol.ByteCount, _ monotime.Time, _ protocol.Version) (shortHeaderPacket, error) {