QUIC: attempt decrypt before checking for stateless reset.
authorMartin Duke <m.duke@f5.com>
Tue, 12 Oct 2021 08:57:50 +0000 (11:57 +0300)
committerMartin Duke <m.duke@f5.com>
Tue, 12 Oct 2021 08:57:50 +0000 (11:57 +0300)
Checking for a stateless reset only after attempting decryption avoids false
positives.  More importantly, it avoids the check entirely in the usual case
where decryption succeeds.

RFC 9000, 10.3.1  Detecting a Stateless Reset

    Endpoints MAY skip this check if any packet from a datagram is
    successfully processed.

src/event/quic/ngx_event_quic.c

index 1217d02309f030d2b37aab0c04100757bed338ce..8741b83e6578d12c4c564847b1a3fc7c086d64cc 100644 (file)
@@ -804,8 +804,11 @@ ngx_quic_process_packet(ngx_connection_t *c, ngx_quic_conf_t *conf,
                 return NGX_DECLINED;
             }
 
-        } else {
+        }
 
+        rc = ngx_quic_process_payload(c, pkt);
+
+        if (rc == NGX_DECLINED && pkt->level == ssl_encryption_application) {
             if (ngx_quic_process_stateless_reset(c, pkt) == NGX_OK) {
                 ngx_log_error(NGX_LOG_INFO, c->log, 0,
                               "quic stateless reset packet detected");
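Review bot: The new condition `if (rc == NGX_DECLINED && pkt->level == ssl_encryption_application)` treats every NGX_DECLINED from ngx_quic_process_payload() as a failed decryption, but that function is not visible in the hunk, so the contract cannot be checked here. If it can also return NGX_DECLINED for other reasons, or reports a failed decrypt with a different code, the stateless reset comparison would run in the wrong cases or be skipped, and a genuine reset from the peer would go undetected. I would document the assumption above the condition, for example `/* NGX_DECLINED: packet failed to decrypt; only then can it be a stateless reset (RFC 9000, 10.3.1) */`. Because the token comparison is now reached only for undecryptable 1-RTT packets, which is input a remote sender controls, it is also worth confirming that ngx_quic_process_stateless_reset() compares tokens without leaking timing information, as the same RFC section requires. The body of ngx_quic_process_packet begins and ends outside the hunk.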
@@ -817,7 +820,7 @@ ngx_quic_process_packet(ngx_connection_t *c, ngx_quic_conf_t *conf,
             }
         }
 
-        return ngx_quic_process_payload(c, pkt);
+        return rc;
     }
 
     /* packet does not belong to a connection */