tokio-quiche: keep early-data connections in handshake stage until established

[dknecht]

Motivation

• Prevent a resource-exhaustion/DoS scenario where 0-RTT (early-data) causes the connection to leave the handshake stage and thereby bypass handshake timeout enforcement.

Description

• Change Handshake::on_flush in tokio-quiche/src/quic/io/connection_stage.rs to transition to the RunningApplication stage only when qconn.is_established() is true and stop treating qconn.is_in_early_data() as sufficient for the transition, preserving handshake-timeout checks during early data.

Testing

• Ran cargo test -p tokio-quiche --no-run, which completed successfully and produced the test binaries (compile-only run succeeded).

---

Codex Task

[toidiu]

TQ: Handshake timeout

preserving handshake-timeout checks during early data

I think this issue is referring to the Handshake timeout which is cleared via check_handshake_timeout_expired

TQ: Post Accept timeout
TQ also has post_accept_timeout is used as the timeout after establishing a connection and receiving the first headers: code.

nginx: client_header_timeout
This comment suggests that nginx uses client_header_timeout as a proxy for the handshake timeout so that would be cleared when we process the early data request. This combines TQ handshake and post_accept timeout behavior.

---

Analysis
Clearing the handshake timeout seems reasonable since at that point the Server can complete the handshake without client involvement.