never allow 0-RTT when using Dial, even if the session ticket allows it (#4125)

When resuming a TLS session using Dial (and not DialEarly), 0-RTT should be disabled at the TLS layer, even if the session ticket allows for 0-RTT resumption. This bug is not critical, since Dial doesn't return an EarlyConnection, so the client wouldn't be able to actually send 0-RTT data in practice.
2023-10-25 22:20:23 +07:00
parent 1bcec70978
commit 746290b78a
11 changed files with 93 additions and 14 deletions
--- a/internal/qtls/client_session_cache.go
+++ b/internal/qtls/client_session_cache.go
@@ -8,7 +8,7 @@ import (

 type clientSessionCache struct {
 	getData func() []byte
-	setData func([]byte)
+	setData func([]byte) (allowEarlyData bool)
 	wrapped tls.ClientSessionCache
 }

@@ -46,10 +46,12 @@ func (c clientSessionCache) Get(key string) (*tls.ClientSessionState, bool) {
 		c.wrapped.Put(key, nil)
 		return nil, false
 	}
+	var earlyData bool
 	// restore QUIC transport parameters and RTT stored in state.Extra
 	if extra := findExtraData(state.Extra); extra != nil {
-		c.setData(extra)
+		earlyData = c.setData(extra)
 	}
+	state.EarlyData = earlyData
 	session, err := tls.NewResumptionState(ticket, state)
 	if err != nil {
 		// It's not clear why this would error.
--- a/internal/qtls/client_session_cache_test.go
+++ b/internal/qtls/client_session_cache_test.go
@@ -41,7 +41,10 @@ var _ = Describe("Client Session Cache", func() {
 			ClientSessionCache: &clientSessionCache{
 				wrapped: tls.NewLRUClientSessionCache(10),
 				getData: func() []byte { return []byte("session") },
-				setData: func(data []byte) { restored <- data },
+				setData: func(data []byte) bool {
+					restored <- data
+					return true
+				},
 			},
 		}
 		conn, err := tls.Dial(
--- a/internal/qtls/go120.go
+++ b/internal/qtls/go120.go
@@ -52,7 +52,7 @@ func SetupConfigForServer(conf *QUICConfig, enable0RTT bool, getDataForSessionTi
 	}
 }

-func SetupConfigForClient(conf *QUICConfig, getDataForSessionState func() []byte, setDataFromSessionState func([]byte)) {
+func SetupConfigForClient(conf *QUICConfig, getDataForSessionState func() []byte, setDataFromSessionState func([]byte) bool) {
 	conf.ExtraConfig = &qtls.ExtraConfig{
 		GetAppDataForSessionState:  getDataForSessionState,
 		SetAppDataFromSessionState: setDataFromSessionState,
--- a/internal/qtls/go121.go
+++ b/internal/qtls/go121.go
@@ -93,7 +93,7 @@ func SetupConfigForServer(qconf *QUICConfig, _ bool, getData func() []byte, hand
 	}
 }

-func SetupConfigForClient(qconf *QUICConfig, getData func() []byte, setData func([]byte)) {
+func SetupConfigForClient(qconf *QUICConfig, getData func() []byte, setData func([]byte) bool) {
 	conf := qconf.TLSConfig
 	if conf.ClientSessionCache != nil {
 		origCache := conf.ClientSessionCache