Initial packets are protected with AEAD_AES_128_GCM.

1 files changed, 14 insertions, 9 deletions

diff --git a/src/event/ngx_event_quic.c b/src/event/ngx_event_quic.c
index a6999f7f4..30a130339 100644
--- a/src/event/ngx_event_quic.c
+++ b/src/event/ngx_event_quic.c
@@ -634,18 +634,23 @@ ngx_quic_create_long_packet(ngx_connection_t *c, ngx_ssl_conn_t *ssl_conn,
 
     ngx_quic_hexdump0(c->log, "ad", ad.data, ad.len);
 
-    switch (SSL_CIPHER_get_id(SSL_get_current_cipher(ssl_conn)) & 0xffff) {
+    if (pkt->level != ssl_encryption_initial) {
+        switch (SSL_CIPHER_get_id(SSL_get_current_cipher(ssl_conn)) & 0xffff) {
 
-    case NGX_AES_128_GCM_SHA256:
-        cipher = EVP_aes_128_gcm();
-        break;
+        case NGX_AES_128_GCM_SHA256:
+            cipher = EVP_aes_128_gcm();
+            break;
 
-    case NGX_AES_256_GCM_SHA384:
-        cipher = EVP_aes_256_gcm();
-        break;
+        case NGX_AES_256_GCM_SHA384:
+            cipher = EVP_aes_256_gcm();
+            break;
 
-    default:
-        return NGX_ERROR;
+        default:
+            return NGX_ERROR;
+        }
+
+    } else {
+        cipher = EVP_aes_128_gcm();
     }
 
     nonce = ngx_pstrdup(c->pool, &pkt->secret->iv);