qtls: protect the tls.ClientSessionCache implementation with a mutex (#4319)

This prevents a race condition when the underlying ClientSessionCache provided by the application returns the same session ticket for multiple connections. Reusing session tickets is explicitly recommended against by both RFC 8446 and RFC 9001, but it's not forbidden. This fix only benefits applications that compromise their users' privacy by reusing session tickets.
2025-04-03 04:07:35 +03:00 · 2024-02-09 22:47:28 +07:00 · 2024-02-09 22:47:28 +07:00 · 284996e13c
commit 284996e13c
parent 4790797b58
1 changed files with 10 additions and 2 deletions
--- a/internal/qtls/client_session_cache.go
+++ b/internal/qtls/client_session_cache.go
@ -2,9 +2,11 @@ package qtls

 import (
 	"crypto/tls"
+	"sync"
 )

 type clientSessionCache struct {
+	mx      sync.Mutex
 	getData func(earlyData bool) []byte
 	setData func(data []byte, earlyData bool) (allowEarlyData bool)
 	wrapped tls.ClientSessionCache
@ -12,7 +14,10 @@ type clientSessionCache struct {

 var _ tls.ClientSessionCache = &clientSessionCache{}

-func (c clientSessionCache) Put(key string, cs *tls.ClientSessionState) {
+func (c *clientSessionCache) Put(key string, cs *tls.ClientSessionState) {
+	c.mx.Lock()
+	defer c.mx.Unlock()
+
 	if cs == nil {
 		c.wrapped.Put(key, nil)
 		return
@ -32,7 +37,10 @@ func (c clientSessionCache) Put(key string, cs *tls.ClientSessionState) {
 	c.wrapped.Put(key, newCS)
 }

-func (c clientSessionCache) Get(key string) (*tls.ClientSessionState, bool) {
+func (c *clientSessionCache) Get(key string) (*tls.ClientSessionState, bool) {
+	c.mx.Lock()
+	defer c.mx.Unlock()
+
 	cs, ok := c.wrapped.Get(key)
 	if !ok || cs == nil {
 		return cs, ok