Mercurial > hg > nginx

changeset 8878:c4f249d485e3 quic

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
QUIC: attempt decrypt before checking for stateless reset. Checking the reset after encryption avoids false positives. More importantly, it avoids the check entirely in the usual case where decryption succeeds. RFC 9000, 10.3.1 Detecting a Stateless Reset Endpoints MAY skip this check if any packet from a datagram is successfully processed.
author Martin Duke <m.duke@f5.com>
date Tue, 12 Oct 2021 11:57:50 +0300
parents b5296bd8631c
children 531075860fe2
files src/event/quic/ngx_event_quic.c
diffstat 1 files changed, 5 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/src/event/quic/ngx_event_quic.c
+++ b/src/event/quic/ngx_event_quic.c
@@ -804,8 +804,11 @@ ngx_quic_process_packet(ngx_connection_t
                 return NGX_DECLINED;
             }
 
-        } else {
+        }
 
+        rc = ngx_quic_process_payload(c, pkt);
+
+        if (rc == NGX_DECLINED && pkt->level == ssl_encryption_application) {
             if (ngx_quic_process_stateless_reset(c, pkt) == NGX_OK) {
                 ngx_log_error(NGX_LOG_INFO, c->log, 0,
                               "quic stateless reset packet detected");
@@ -817,7 +820,7 @@ ngx_quic_process_packet(ngx_connection_t
             }
         }
 
-        return ngx_quic_process_payload(c, pkt);
+        return rc;
     }
 
     /* packet does not belong to a connection */