Description
Hi,
While testing commit 841c822, we discovered that the PQUIC server does not discard the unused encryption keys after moving to a new encryption level.
The unused encryption keys, such as the Initial key, should be discarded once QUIC has moved to the Handshake encryption level (https://www.rfc-editor.org/rfc/rfc9001#name-discarding-unused-keys), same as the Handshake key after moving to the 1-RTT encryption level. An attacker can obtain the Initial key by capturing the Initial packets sent between the client and server during the connection establishment. If the server/client still accepts and processes Initial packets at any encryption level, an attacker can disrupt the connection by sending a CONNECTION_CLOSE frame in an Initial packet to the server/client, causing a connection close that is not initiated by either the client or the server.
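The key lifecycle the report refers to (RFC 9001, section 4.9) is sketched below as an added example; it is not PQUIC or picoquic code. All type and function names are hypothetical, and the connection is a simplified model in which a packet is only processed if keys for its encryption level are still held.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model, not PQUIC/picoquic identifiers. */
enum epoch { EPOCH_INITIAL, EPOCH_HANDSHAKE, EPOCH_1RTT, EPOCH_COUNT };

struct conn {
    bool is_server;
    bool closed;
    bool have_keys[EPOCH_COUNT];
    unsigned char secret[EPOCH_COUNT][32];
};

struct conn new_conn(bool is_server) {
    struct conn c = {0};
    c.is_server = is_server;
    /* Simplification: every level's keys are treated as already installed. */
    for (int e = 0; e < EPOCH_COUNT; e++) c.have_keys[e] = true;
    return c;
}

static void discard_keys(struct conn *c, enum epoch e) {
    volatile unsigned char *p = c->secret[e];   /* wipe, then mark unusable */
    for (size_t i = 0; i < sizeof c->secret[e]; i++) p[i] = 0;
    c->have_keys[e] = false;
}

/* RFC 9001 4.9.1: a client drops Initial keys when it first sends a Handshake packet. */
void on_handshake_packet_sent(struct conn *c) {
    if (!c->is_server) discard_keys(c, EPOCH_INITIAL);
}

/* RFC 9001 4.9.1: a server drops them when it first successfully processes one. */
void on_handshake_packet_processed(struct conn *c) {
    if (c->is_server) discard_keys(c, EPOCH_INITIAL);
}

/* RFC 9001 4.9.2: Handshake keys are dropped once the handshake is confirmed. */
void on_handshake_confirmed(struct conn *c) {
    discard_keys(c, EPOCH_HANDSHAKE);
}

/* Returns true if the packet was processed, false if it was dropped. */
bool receive_packet(struct conn *c, enum epoch e, bool has_connection_close) {
    if (!c->have_keys[e]) return false;   /* keys discarded: cannot unprotect, drop */
    if (has_connection_close) c->closed = true;
    return true;
}
```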