From d61f36c66fa6bb32d135e3891804081e16719cb4 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 19 Feb 2025 10:08:58 +0100
Subject: [PATCH] quic: decrypt only initial packets

Ticket: 7556

Avoids failed_decrypt events when the first packet seen is not a Quic Initial packet
---
 rust/src/quic/quic.rs | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/rust/src/quic/quic.rs b/rust/src/quic/quic.rs
index c636e8d1bb..165fc44dc6 100644
--- a/rust/src/quic/quic.rs
+++ b/rust/src/quic/quic.rs
@@ -346,22 +346,6 @@ impl QuicState {
 }
 // header.length was checked against rest.len() during parsing
 let (mut framebuf, next_buf) = rest.split_at(header.length.into());
- let hlen = buf.len() - rest.len();
- let mut output;
- if self.keys.is_some() && !framebuf.is_empty() {
- output = Vec::with_capacity(framebuf.len() + 4);
- if let Ok(dlen) =
- self.decrypt(to_server, &header, framebuf, buf, hlen, &mut output)
- {
- output.resize(dlen, 0);
- } else {
- self.set_event_notx(QuicEvent::FailedDecrypt, header, to_server);
- return false;
- }
- framebuf = &output;
- }
- buf = next_buf;
-
 if header.ty != QuicType::Initial {
 // only version is interesting, no frames
 self.new_tx(
@@ -375,8 +359,24 @@ impl QuicState {
 to_server,
 false,
 );
+ buf = next_buf;
 continue;
 }
+ let hlen = buf.len() - rest.len();
+ let mut output;
+ if self.keys.is_some() && !framebuf.is_empty() {
+ output = Vec::with_capacity(framebuf.len() + 4);
+ if let Ok(dlen) =
+ self.decrypt(to_server, &header, framebuf, buf, hlen, &mut output)
+ {
+ output.resize(dlen, 0);
+ } else {
+ self.set_event_notx(QuicEvent::FailedDecrypt, header, to_server);
+ return false;
+ }
+ framebuf = &output;
+ }
+ buf = next_buf;
 
 let mut frag = Vec::new();
 // take the current fragment and reset it in the state
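Review bot: Advancing the input now depends on two separate `buf = next_buf;` assignments in the second hunk, one before `continue` in the non-Initial branch and one after the decrypt block, so any early exit added later between `split_at` and the second assignment would leave `buf` unadvanced; in a parser fed by network traffic that is worth ruling out structurally. Because `decrypt` only needs the whole-packet slice, it could be bound once right after `split_at` with `let pkt = buf; buf = next_buf;`, then used as `let hlen = pkt.len() - rest.len();` and passed to `self.decrypt` in place of `buf`, which removes the duplicated assignment. The enclosing loop starts and ends outside the hunk, so its header and exit condition are inferred from the `continue` only. A one-line comment above the moved block, such as `// only Initial packets are decrypted; other long-header types get a tx without frames`, would also record why the decrypt step has to come after the type check.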