From: Roland Shoemaker Date: Mon, 17 Nov 2025 00:09:16 +0000 (-0800) Subject: crypto/tls: use inner hello for earlyData when using QUIC and ECH X-Git-Tag: go1.26rc1~173 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=31aa9f800bc8d4089e05b8726b599abe04a486a3;p=gostls13.git crypto/tls: use inner hello for earlyData when using QUIC and ECH I don't think we have good QUIC ECH tests. BoGo has some for this, but I'm not sure how easy it would be to enable those for QUIC. Fixes #76283 Change-Id: I0ffa535fd89a624b7f9bfd73441ce2a1683e0549 Reviewed-on: https://go-review.googlesource.com/c/go/+/720920 LUCI-TryBot-Result: Go LUCI Auto-Submit: Roland Shoemaker Reviewed-by: Damien Neil --- diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go index 533b8ba31e..47cf88323d 100644 --- a/src/crypto/tls/handshake_client.go +++ b/src/crypto/tls/handshake_client.go @@ -308,7 +308,11 @@ func (c *Conn) clientHandshake(ctx context.Context) (err error) { if hello.earlyData { suite := cipherSuiteTLS13ByID(session.cipherSuite) transcript := suite.hash.New() - if err := transcriptMsg(hello, transcript); err != nil { + transcriptHello := hello + if ech != nil { + transcriptHello = ech.innerHello + } + if err := transcriptMsg(transcriptHello, transcript); err != nil { return err } earlyTrafficSecret := earlySecret.ClientEarlyTrafficSecret(transcript)
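Review bot: The new `if ech != nil` branch in `clientHandshake` ships without a regression test; the diff touches only `src/crypto/tls/handshake_client.go`, and the commit message itself notes the lack of good QUIC ECH tests. A test that resumes a session with early data over QUIC with ECH configured, and asserts that the client's early traffic secret is computed over `ech.innerHello` rather than the outer `hello`, would pin this fix down. It would also help to put a one-line comment above `transcriptHello := hello` saying that with ECH the early-data transcript must be the inner ClientHello, since the reason for the swap is not evident from the code alone. One thing to confirm: the surrounding check is still `hello.earlyData` on the outer hello while the transcript now comes from the inner one, so it is worth verifying the two always agree on that flag.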