Fix: QUIC TLS marshalRandomized must retain at least one TLS 1.3 cipher suite

go.mod

@@ -58,8 +58,8 @@ require (
 	git.torproject.org/pluggable-transports/goptlib.git v1.2.0 // indirect
 	github.com/AndreasBriese/bbloom v0.0.0-20170702084017-28f7e881ca57 // indirect
 	github.com/BurntSushi/toml v0.3.1 // indirect
-	github.com/Psiphon-Labs/qtls-go1-18 v0.0.0-20221014170512-3bdc7291c091 // indirect
-	github.com/Psiphon-Labs/qtls-go1-19 v0.0.0-20221014165721-ed28749db082 // indirect
+	github.com/Psiphon-Labs/qtls-go1-18 v0.0.0-20230515185031-ae6632ab97ac // indirect
+	github.com/Psiphon-Labs/qtls-go1-19 v0.0.0-20230515185100-099bac32c181 // indirect
 	github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412 // indirect
 	github.com/andybalholm/brotli v1.0.5-0.20220518190645-786ec621f618 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect

go.sum

@@ -12,8 +12,12 @@ github.com/Psiphon-Labs/goptlib v0.0.0-20200406165125-c0e32a7a3464 h1:VmnMMMheFX
 github.com/Psiphon-Labs/goptlib v0.0.0-20200406165125-c0e32a7a3464/go.mod h1:Pe5BqN2DdIdChorAXl6bDaQd/wghpCleJfid2NoSli0=
 github.com/Psiphon-Labs/qtls-go1-18 v0.0.0-20221014170512-3bdc7291c091 h1:Kv0LQQ3joUp8s2z36aigpNgNyiLiExT/OS9KOC/L/gI=
 github.com/Psiphon-Labs/qtls-go1-18 v0.0.0-20221014170512-3bdc7291c091/go.mod h1:0IvfcPDkLvBkir+WGq3E0shsx+TLasdcl8ojVWWTflE=
+github.com/Psiphon-Labs/qtls-go1-18 v0.0.0-20230515185031-ae6632ab97ac h1:2/n1zJIAEmpAg/IapXRdcuY29L6tud4WyKrXj8kpWSY=
+github.com/Psiphon-Labs/qtls-go1-18 v0.0.0-20230515185031-ae6632ab97ac/go.mod h1:0IvfcPDkLvBkir+WGq3E0shsx+TLasdcl8ojVWWTflE=
 github.com/Psiphon-Labs/qtls-go1-19 v0.0.0-20221014165721-ed28749db082 h1:arVlc3JYvckFXGyB8N30ul8AmA+rDuLolPRYMDHzgTU=
 github.com/Psiphon-Labs/qtls-go1-19 v0.0.0-20221014165721-ed28749db082/go.mod h1:mHM/QFYc02W9MKJ/Ux5XGOKP4OImosPeQUO7XAaXs0E=
+github.com/Psiphon-Labs/qtls-go1-19 v0.0.0-20230515185100-099bac32c181 h1:+rhvNaRVcVr6OXDPJx3lOaSccBhCxgcKlG/OVU/uvGc=
+github.com/Psiphon-Labs/qtls-go1-19 v0.0.0-20230515185100-099bac32c181/go.mod h1:mHM/QFYc02W9MKJ/Ux5XGOKP4OImosPeQUO7XAaXs0E=
 github.com/Psiphon-Labs/quic-go v0.0.0-20230215230806-9b1ddbf778cc h1:FUmGSvMiMbf1tFXWbK0+N7+5zBhOol8CHQdpB4ZQlDg=
 github.com/Psiphon-Labs/quic-go v0.0.0-20230215230806-9b1ddbf778cc/go.mod h1:cu4yhfHkyt+uQ9FFFjTpjCjcQYf52ntEAyoV4Zg0+fg=
 github.com/Psiphon-Labs/tls-tris v0.0.0-20210713133851-676a693d51ad h1:m6HS84+b5xDPLj7D/ya1CeixyaHOCZoMbBilJ48y+Ts=

vendor/github.com/Psiphon-Labs/qtls-go1-18/handshake_messages.go

@@ -336,24 +336,43 @@ func (m *clientHelloMsg) marshalRandomized() []byte {
 	// all slices before truncating.
 
 	cipherSuites := make([]uint16, len(m.cipherSuites))
-	perm := m.PRNG.Perm(len(m.cipherSuites))
-	for i, j := range perm {
-		cipherSuites[j] = m.cipherSuites[i]
-	}
-	cut := len(cipherSuites)
-	for ; cut > 1; cut-- {
-		if !m.PRNG.FlipCoin() {
+	for {
+		perm := m.PRNG.Perm(len(m.cipherSuites))
+		for i, j := range perm {
+			cipherSuites[j] = m.cipherSuites[i]
+		}
+		cut := len(cipherSuites)
+		for ; cut > 1; cut-- {
+			if !m.PRNG.FlipCoin() {
+				break
+			}
+		}
+
+		// Must contain at least one of defaultCipherSuitesTLS13.
+		containsDefault := false
+		for _, suite := range cipherSuites[:cut] {
+			for _, defaultSuite := range defaultCipherSuitesTLS13 {
+				if suite == defaultSuite {
+					containsDefault = true
+					break
+				}
+			}
+			if containsDefault {
+				break
+			}
+		}
+		if containsDefault {
+			cipherSuites = cipherSuites[:cut]
 			break
 		}
 	}
-	cipherSuites = cipherSuites[:cut]
 
 	compressionMethods := make([]uint8, len(m.compressionMethods))
-	perm = m.PRNG.Perm(len(m.compressionMethods))
+	perm := m.PRNG.Perm(len(m.compressionMethods))
 	for i, j := range perm {
 		compressionMethods[j] = m.compressionMethods[i]
 	}
-	cut = len(compressionMethods)
+	cut := len(compressionMethods)
 	for ; cut > 1; cut-- {
 		if !m.PRNG.FlipCoin() {
 			break

vendor/github.com/Psiphon-Labs/qtls-go1-19/handshake_messages.go

@@ -336,24 +336,43 @@ func (m *clientHelloMsg) marshalRandomized() []byte {
 	// all slices before truncating.
 
 	cipherSuites := make([]uint16, len(m.cipherSuites))
-	perm := m.PRNG.Perm(len(m.cipherSuites))
-	for i, j := range perm {
-		cipherSuites[j] = m.cipherSuites[i]
-	}
-	cut := len(cipherSuites)
-	for ; cut > 1; cut-- {
-		if !m.PRNG.FlipCoin() {
+	for {
+		perm := m.PRNG.Perm(len(m.cipherSuites))
+		for i, j := range perm {
+			cipherSuites[j] = m.cipherSuites[i]
+		}
+		cut := len(cipherSuites)
+		for ; cut > 1; cut-- {
+			if !m.PRNG.FlipCoin() {
+				break
+			}
+		}
+
+		// Must contain at least one of defaultCipherSuitesTLS13.
+		containsDefault := false
+		for _, suite := range cipherSuites[:cut] {
+			for _, defaultSuite := range defaultCipherSuitesTLS13 {
+				if suite == defaultSuite {
+					containsDefault = true
+					break
+				}
+			}
+			if containsDefault {
+				break
+			}
+		}
+		if containsDefault {
+			cipherSuites = cipherSuites[:cut]
 			break
 		}
 	}
-	cipherSuites = cipherSuites[:cut]
 
 	compressionMethods := make([]uint8, len(m.compressionMethods))
-	perm = m.PRNG.Perm(len(m.compressionMethods))
+	perm := m.PRNG.Perm(len(m.compressionMethods))
 	for i, j := range perm {
 		compressionMethods[j] = m.compressionMethods[i]
 	}
-	cut = len(compressionMethods)
+	cut := len(compressionMethods)
 	for ; cut > 1; cut-- {
 		if !m.PRNG.FlipCoin() {
 			break

vendor/modules.txt

@@ -16,10 +16,10 @@ github.com/Psiphon-Labs/bolt
 # github.com/Psiphon-Labs/goptlib v0.0.0-20200406165125-c0e32a7a3464
 ## explicit
 github.com/Psiphon-Labs/goptlib
-# github.com/Psiphon-Labs/qtls-go1-18 v0.0.0-20221014170512-3bdc7291c091
+# github.com/Psiphon-Labs/qtls-go1-18 v0.0.0-20230515185031-ae6632ab97ac
 ## explicit; go 1.18
 github.com/Psiphon-Labs/qtls-go1-18
-# github.com/Psiphon-Labs/qtls-go1-19 v0.0.0-20221014165721-ed28749db082
+# github.com/Psiphon-Labs/qtls-go1-19 v0.0.0-20230515185100-099bac32c181
 ## explicit; go 1.18
 github.com/Psiphon-Labs/qtls-go1-19
 # github.com/Psiphon-Labs/quic-go v0.0.0-20230215230806-9b1ddbf778cc