[release-branch.go1.24] crypto/tls: use inner hello for earlyData when using QUIC...

I don't think we have good QUIC ECH tests. BoGo has some for this, but
I'm not sure how easy it would be to enable those for QUIC.

Updates #76283
Fixes #76408

Change-Id: I0ffa535fd89a624b7f9bfd73441ce2a1683e0549
Reviewed-on: https://go-review.googlesource.com/c/go/+/720920
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
(cherry picked from commit 31aa9f800bc8d4089e05b8726b599abe04a486a3)
Reviewed-on: https://go-review.googlesource.com/c/go/+/726400
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>

diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
index 38bd417a0dca7258c923cd454479b28b53a6d3f1..ef4e01a4c6982fa379bf52219044424630e0b574 100644 (file)
--- a/src/crypto/tls/handshake_client.go
+++ b/src/crypto/tls/handshake_client.go
@@ -329,7 +329,11 @@ func (c *Conn) clientHandshake(ctx context.Context) (err error) {
        if hello.earlyData {
                suite := cipherSuiteTLS13ByID(session.cipherSuite)
                transcript := suite.hash.New()
-               if err := transcriptMsg(hello, transcript); err != nil {
+               transcriptHello := hello
+               if ech != nil {
+                       transcriptHello = ech.innerHello
+               }
+               if err := transcriptMsg(transcriptHello, transcript); err != nil {
                        return err
                }
                earlyTrafficSecret := earlySecret.ClientEarlyTrafficSecret(transcript)