comparison src/event/quic/ngx_event_quic.c @ 8878:c4f249d485e3 quic
QUIC: attempt decrypt before checking for stateless reset.
Checking the reset after encryption avoids false positives. More importantly,
it avoids the check entirely in the usual case where decryption succeeds.
RFC 9000, 10.3.1 Detecting a Stateless Reset
Endpoints MAY skip this check if any packet from a datagram is
successfully processed.
author | Martin Duke <m.duke@f5.com> |
---|---|
date | Tue, 12 Oct 2021 11:57:50 +0300 |
parents | b5296bd8631c |
children | 6204120cf37f |
8877:b5296bd8631c | 8878:c4f249d485e3 |
---|---|
802 | 802 |
803 if (ngx_quic_check_csid(qc, pkt) != NGX_OK) { | 803 if (ngx_quic_check_csid(qc, pkt) != NGX_OK) { |
804 return NGX_DECLINED; | 804 return NGX_DECLINED; |
805 } | 805 } |
806 | 806 |
807 } else { | 807 } |
808 | 808 |
809 rc = ngx_quic_process_payload(c, pkt); | |
810 | |
811 if (rc == NGX_DECLINED && pkt->level == ssl_encryption_application) { | |
809 if (ngx_quic_process_stateless_reset(c, pkt) == NGX_OK) { | 812 if (ngx_quic_process_stateless_reset(c, pkt) == NGX_OK) { |
810 ngx_log_error(NGX_LOG_INFO, c->log, 0, | 813 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
811 "quic stateless reset packet detected"); | 814 "quic stateless reset packet detected"); |
812 | 815 |
813 qc->draining = 1; | 816 qc->draining = 1; |
815 | 818 |
816 return NGX_OK; | 819 return NGX_OK; |
817 } | 820 } |
818 } | 821 } |
819 | 822 |
820 return ngx_quic_process_payload(c, pkt); | 823 return rc; |
821 } | 824 } |
822 | 825 |
823 /* packet does not belong to a connection */ | 826 /* packet does not belong to a connection */ |
824 | 827 |
825 if (rc == NGX_ABORT) { | 828 if (rc == NGX_ABORT) { |
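Review bot: The new guard on the line numbered 811, `if (rc == NGX_DECLINED && pkt->level == ssl_encryption_application)`, makes stateless-reset detection depend on two properties of ngx_quic_process_payload() that this section does not show. The first is that it returns NGX_DECLINED only for a packet it could not decrypt; the second is that a failed decrypt leaves the received bytes untouched, because the reset token is matched against the tail of the datagram. If either stops holding, a genuine reset could be missed silently, or the token comparison could run on packets dropped for unrelated reasons, so I would record the assumption above the guard: `/* RFC 9000, 10.3.1: check for a stateless reset only after decryption fails; relies on NGX_DECLINED meaning "not decrypted" and on the raw packet bytes being unmodified */`. If process_payload() also records an error on the connection when it fails (not visible here), confirm that state does not carry into the draining path that returns `NGX_OK`. The enclosing function starts and ends outside this section.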