Checking the reset after encryption avoids false positives. More importantly,
it avoids the check entirely in the usual case where decryption succeeds.
RFC 9000, 10.3.1 Detecting a Stateless Reset
Endpoints MAY skip this check if any packet from a datagram is
successfully processed.
return NGX_DECLINED;
}
- } else {
+ }
+ rc = ngx_quic_process_payload(c, pkt);
+
+ if (rc == NGX_DECLINED && pkt->level == ssl_encryption_application) {
if (ngx_quic_process_stateless_reset(c, pkt) == NGX_OK) {
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"quic stateless reset packet detected");
}
}
- return ngx_quic_process_payload(c, pkt);
+ return rc;
}
/* packet does not belong to a connection */