From: Philippe Antoine Date: Wed, 19 Feb 2025 09:08:58 +0000 (+0100) Subject: quic: decrypt only initial packets X-Git-Tag: suricata-7.0.9~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=530f1a40e467e2992266d098c0ac406bcd556f32;p=thirdparty%2Fsuricata.git quic: decrypt only initial packets Ticket: 7556 Avoids failed_decrypt events when the first packet seen is not a Quic Initial packet (cherry picked from commit d61f36c66fa6bb32d135e3891804081e16719cb4)
---
diff --git a/rust/src/quic/quic.rs b/rust/src/quic/quic.rs
index f0e40f72a2..e937196f78 100644
--- a/rust/src/quic/quic.rs
+++ b/rust/src/quic/quic.rs
@@ -341,22 +341,6 @@ impl QuicState {
 }
 // header.length was checked against rest.len() during parsing
 let (mut framebuf, next_buf) = rest.split_at(header.length.into());
- let hlen = buf.len() - rest.len();
- let mut output;
- if self.keys.is_some() && !framebuf.is_empty() {
- output = Vec::with_capacity(framebuf.len() + 4);
- if let Ok(dlen) =
- self.decrypt(to_server, &header, framebuf, buf, hlen, &mut output)
- {
- output.resize(dlen, 0);
- } else {
- self.set_event_notx(QuicEvent::FailedDecrypt, header, to_server);
- return false;
- }
- framebuf = &output;
- }
- buf = next_buf;
-
 if header.ty != QuicType::Initial {
 // only version is interesting, no frames
 self.new_tx(
@@ -370,8 +354,24 @@ impl QuicState {
 to_server,
 false,
 );
+ buf = next_buf;
 continue;
 }
+ let hlen = buf.len() - rest.len();
+ let mut output;
+ if self.keys.is_some() && !framebuf.is_empty() {
+ output = Vec::with_capacity(framebuf.len() + 4);
+ if let Ok(dlen) =
+ self.decrypt(to_server, &header, framebuf, buf, hlen, &mut output)
+ {
+ output.resize(dlen, 0);
+ } else {
+ self.set_event_notx(QuicEvent::FailedDecrypt, header, to_server);
+ return false;
+ }
+ framebuf = &output;
+ }
+ buf = next_buf;
 let mut frag = Vec::new();
 // take the current fragment and reset it in the state