# HG changeset patch # User Sergey Kandaurov # Date 1586174050 -10800 # Node ID e45719a9b148e738b7e61131fcfed59c2e660074 # Parent 6e1213ef469a9192b82cb91bb7c1492db1594674 Discarding Handshake packets if no Handshake keys yet. Found with a previously received Initial packet with ACK only, which instantiates a new connection but do not produce the handshake keys. This can be triggered by a fairly well behaving client, if the server stands behind a load balancer that stripped Initial packets exchange. Found by F5 test suite. diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c --- a/src/event/ngx_event_quic.c +++ b/src/event/ngx_event_quic.c @@ -870,6 +870,14 @@ ngx_quic_handshake_input(ngx_connection_ qc = c->quic; + keys = &c->quic->keys[ssl_encryption_handshake]; + + if (keys->client.key.len == 0) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "no read keys yet, packet ignored"); + return NGX_DECLINED; + } + /* extract cleartext data into pkt */ if (ngx_quic_parse_long_header(pkt) != NGX_OK) { return NGX_ERROR; @@ -905,8 +913,6 @@ ngx_quic_handshake_input(ngx_connection_ return NGX_ERROR; } - keys = &c->quic->keys[ssl_encryption_handshake]; - pkt->secret = &keys->client; pkt->level = ssl_encryption_handshake; pkt->plaintext = buf;