p-quic / pquic

The PQUIC implementation, a framework that enables QUIC clients and servers to dynamically exchange protocol plugins that extend the protocol on a per-connection basis
https://pquic.org
MIT License
126 stars, 20 forks

Retention of the unused encryption keys #35

Open QUICTester opened 1 year ago

QUICTester commented 1 year ago

Hi,

During testing commit 841c8228, we discovered that the PQUIC server does not discard the unused encryption keys after moving to a new encryption level.

The unused encryption keys, such as the Initial key, should be discarded once QUIC has moved to the Handshake encryption level (https://www.rfc-editor.org/rfc/rfc9001#name-discarding-unused-keys), same as the Handshake key after moving to the 1-RTT encryption level. An attacker can obtain the Initial key by capturing the Initial packets sent between the client and server during the connection establishment. If the server/client still accepts and processes Initial packets at any encryption level, an attacker can disrupt the connection by sending a CONNECTION_CLOSE frame in an Initial packet to the server/client, causing a connection close that is not initiated by either the client or the server.
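The RFC 9001 key-discard rule the report cites can be modelled as a small per-connection state machine: each encryption level has a key slot, advancing past a level wipes its material, and the receive path refuses any packet whose level has been discarded, so a late Initial packet never reaches frame processing. The C below is an added illustration written for this page; it is not PQUIC's code, and every name in it (`struct conn_keys`, `keys_accept_packet`, the `EPOCH_*` values, the constructed sample secrets) is an assumption of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encryption levels in the order a QUIC endpoint installs them (RFC 9001, Section 4). */
enum epoch { EPOCH_INITIAL = 0, EPOCH_0RTT, EPOCH_HANDSHAKE, EPOCH_1RTT, EPOCH_COUNT };

#define SECRET_LEN 32

/* Hypothetical per-level key slot; the secret is a constructed stand-in for real traffic keys. */
struct key_slot {
    uint8_t secret[SECRET_LEN];
    bool installed;
    bool discarded;
};

struct conn_keys {
    struct key_slot slot[EPOCH_COUNT];
};

/* Zeroing through a volatile pointer so the compiler cannot drop it as a dead store. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

void keys_init(struct conn_keys *k) { memset(k, 0, sizeof *k); }

void keys_install(struct conn_keys *k, enum epoch e, const uint8_t *secret) {
    memcpy(k->slot[e].secret, secret, SECRET_LEN);
    k->slot[e].installed = true;
    k->slot[e].discarded = false;
}

/* Discarding a level wipes its material and marks it permanently unusable. */
void keys_discard(struct conn_keys *k, enum epoch e) {
    secure_zero(k->slot[e].secret, SECRET_LEN);
    k->slot[e].installed = false;
    k->slot[e].discarded = true;
}

/* RFC 9001 4.9.1: a server discards Initial keys when it first successfully
 * processes a Handshake packet (a client, when it first sends one). */
void keys_on_first_handshake_packet(struct conn_keys *k) {
    if (k->slot[EPOCH_INITIAL].installed) keys_discard(k, EPOCH_INITIAL);
}

/* RFC 9001 4.9.2: Handshake keys go when the handshake is confirmed. 0-RTT keys
 * are dropped at the same point here as a simplification (the RFC lets a server
 * keep them until it has processed its first 1-RTT packet). */
void keys_on_handshake_confirmed(struct conn_keys *k) {
    if (k->slot[EPOCH_HANDSHAKE].installed) keys_discard(k, EPOCH_HANDSHAKE);
    if (k->slot[EPOCH_0RTT].installed) keys_discard(k, EPOCH_0RTT);
}

/* Receive-path gate: a packet is decrypted and its frames acted on (CONNECTION_CLOSE
 * included) only if the level's keys are installed and have not been discarded. */
bool keys_accept_packet(const struct conn_keys *k, enum epoch e) {
    return (unsigned)e < EPOCH_COUNT && k->slot[e].installed && !k->slot[e].discarded;
}

/* Check that discarded material was actually wiped, not just flagged. */
bool keys_is_zeroed(const struct conn_keys *k, enum epoch e) {
    for (size_t i = 0; i < SECRET_LEN; i++)
        if (k->slot[e].secret[i] != 0) return false;
    return true;
}

int main(void) {
    struct conn_keys k;
    uint8_t initial[SECRET_LEN], hs[SECRET_LEN], app[SECRET_LEN];
    memset(initial, 0x11, SECRET_LEN);  /* constructed sample secrets, not derived keys */
    memset(hs, 0x22, SECRET_LEN);
    memset(app, 0x33, SECRET_LEN);

    keys_init(&k);
    keys_install(&k, EPOCH_INITIAL, initial);
    keys_install(&k, EPOCH_HANDSHAKE, hs);
    keys_on_first_handshake_packet(&k);   /* server has processed its first Handshake packet */
    printf("late Initial packet accepted after Handshake keys: %s\n",
           keys_accept_packet(&k, EPOCH_INITIAL) ? "yes (retained keys)" : "no (discarded)");

    keys_install(&k, EPOCH_1RTT, app);
    keys_on_handshake_confirmed(&k);
    printf("late Handshake packet accepted after confirmation: %s\n",
           keys_accept_packet(&k, EPOCH_HANDSHAKE) ? "yes (retained keys)" : "no (discarded)");
    return 0;
}
```

The point of separating `installed` from `discarded` is that a discarded level can never be re-installed by a later, spoofed key update: once a slot is marked discarded, `keys_accept_packet` rejects that level for the rest of the connection, which is the behaviour the report expects of the server.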

mpiraux commented 11 months ago

Could you test #39 as a potential fix?

QUICTester commented 10 months ago

Yes, the server is not retaining any unused keys in the fix.