From d08c2145a4d93b4d38173c73a4e3fbf425e1437b Mon Sep 17 00:00:00 2001
From: Marten Seemann
Date: Tue, 18 Feb 2020 17:51:05 +0700
Subject: [PATCH] drop 0-RTT read keys after 3 PTO

---
 internal/handshake/crypto_setup.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/internal/handshake/crypto_setup.go b/internal/handshake/crypto_setup.go
index d2226c70..6fc0a83b 100644
--- a/internal/handshake/crypto_setup.go
+++ b/internal/handshake/crypto_setup.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"net"
 	"sync"
+	"time"
 
 	"github.com/lucas-clemente/quic-go/internal/congestion"
 	"github.com/lucas-clemente/quic-go/internal/protocol"
@@ -95,6 +96,8 @@ type cryptoSetup struct {
 
 	mutex sync.Mutex // protects all members below
 
+	handshakeCompleteTime time.Time
+
 	readEncLevel  protocol.EncryptionLevel
 	writeEncLevel protocol.EncryptionLevel
 
@@ -244,6 +247,9 @@ func (h *cryptoSetup) RunHandshake() {
 	select {
 	case <-handshakeComplete: // return when the handshake is done
+		h.mutex.Lock()
+		h.handshakeCompleteTime = time.Now()
+		h.mutex.Unlock()
 		h.runner.OnHandshakeComplete()
 	case <-h.closeChan:
 		close(h.messageChan)
@@ -764,6 +770,11 @@ func (h *cryptoSetup) Get1RTTOpener() (ShortHeaderOpener, error) {
 	h.mutex.Lock()
 	defer h.mutex.Unlock()
 
+	if h.zeroRTTOpener != nil && time.Since(h.handshakeCompleteTime) > 3*h.rttStats.PTO(true) {
+		h.zeroRTTOpener = nil
+		h.logger.Debugf("Dropping 0-RTT keys.")
+	}
+
 	if !h.has1RTTOpener {
 		return nil, ErrKeysNotYetAvailable
 	}
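Review bot: The new `handshakeCompleteTime` field in cryptoSetup carries no comment stating what its zero value means or which code consumes it, which matters because the 0-RTT drop check elsewhere in this patch reads it under the mutex and its zero value changes that check's outcome. A comment such as `// handshakeCompleteTime is when the handshake completed; zero until then. Read by Get1RTTOpener to drop 0-RTT read keys 3 PTO later.` would make the zero-value case explicit for readers of that check. The struct definition starts and ends outside the hunk.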
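Review bot: The drop condition in Get1RTTOpener does not guard against `handshakeCompleteTime` still being its zero value: `time.Since` of a zero `time.Time` yields a very large duration, so if this method can be reached while `zeroRTTOpener` is set but the handshake has not yet completed (the `ErrKeysNotYetAvailable` branch below shows the method is callable before 1-RTT keys exist), the 0-RTT opener is discarded on the first call rather than 3 PTO after completion, and legitimately reordered 0-RTT packets would then fail decryption. Adding `!h.handshakeCompleteTime.IsZero() &&` to the condition closes that window. Separately, the discard is lazy — it only runs when a 1-RTT opener is requested — so a peer that never sends a 1-RTT packet leaves the 0-RTT read keys installed indefinitely; a timer armed at handshake completion, or the same check in the 0-RTT opener path, would bound their lifetime as the commit intends. Get1RTTOpener continues past the hunk.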