quic: decrypt only initial packets

Ticket: 7556 Avoids failed_decrypt events when the first packet seen is not a Quic Initial packet
jufajardini · Feb 19, 2025 · d61f36c · d61f36c
1 parent 6d8910d
commit d61f36c
Showing 1 changed file with 16 additions and 16 deletions.
diff --git a/rust/src/quic/quic.rs b/rust/src/quic/quic.rs
@@ -346,22 +346,6 @@ impl QuicState {
                     }
                     // header.length was checked against rest.len() during parsing
                     let (mut framebuf, next_buf) = rest.split_at(header.length.into());
-                    let hlen = buf.len() - rest.len();
-                    let mut output;
-                    if self.keys.is_some() && !framebuf.is_empty() {
-                        output = Vec::with_capacity(framebuf.len() + 4);
-                        if let Ok(dlen) =
-                            self.decrypt(to_server, &header, framebuf, buf, hlen, &mut output)
-                        {
-                            output.resize(dlen, 0);
-                        } else {
-                            self.set_event_notx(QuicEvent::FailedDecrypt, header, to_server);
-                            return false;
-                        }
-                        framebuf = &output;
-                    }
-                    buf = next_buf;
-
                     if header.ty != QuicType::Initial {
                         // only version is interesting, no frames
                         self.new_tx(
@@ -375,8 +359,24 @@ impl QuicState {
                             to_server,
                             false,
                         );
+                        buf = next_buf;
                         continue;
                     }
+                    let hlen = buf.len() - rest.len();
+                    let mut output;
+                    if self.keys.is_some() && !framebuf.is_empty() {
+                        output = Vec::with_capacity(framebuf.len() + 4);
+                        if let Ok(dlen) =
+                            self.decrypt(to_server, &header, framebuf, buf, hlen, &mut output)
+                        {
+                            output.resize(dlen, 0);
+                        } else {
+                            self.set_event_notx(QuicEvent::FailedDecrypt, header, to_server);
+                            return false;
+                        }
+                        framebuf = &output;
+                    }
+                    buf = next_buf;
 
                     let mut frag = Vec::new();
                     // take the current fragment and reset it in the state