don't send 1-RTT packets before the handshake is complete
We shouldn't send 1-RTT packets before the handshake is completed (i.e.
before receiving the Finished message) as per RFC8446, section 4.4.4.
This is already enforced a few lines later for normal packets, but the
error and probe cases were missed.
diff --git a/src/lib.rs b/src/lib.rs
index 805b892..4533193 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -2495,7 +2495,8 @@
/// Selects the packet number space for outgoing packets.
fn write_epoch(&self) -> Result<packet::Epoch> {
- // On error or probe, send packet in the latest space available.
+ // On error or PTO send packets in the latest epoch available, but only
+ // send 1-RTT ones when the handshake is completed.
if self.error.is_some() || self.recovery.probes > 0 {
let epoch = match self.handshake.write_level() {
crypto::Level::Initial => packet::EPOCH_INITIAL,
@@ -2504,6 +2505,17 @@
crypto::Level::OneRTT => packet::EPOCH_APPLICATION,
};
+ if epoch == packet::EPOCH_APPLICATION && !self.handshake_completed {
+ // For errors, downgrade the epoch to handshake. We can't
+ // currently do the same for probes because PING frames are not
+ // allowed in Handshake packets.
+ if self.error.is_some() {
+ return Ok(packet::EPOCH_HANDSHAKE);
+ }
+
+ return Err(Error::Done);
+ }
+
return Ok(epoch);
}
