
Merge branch 'master' into staging-client

Rod Hynes 1 год назад
Родитель
Сommit
e33279234d

+ 2 - 2
psiphon/common/inproxy/api.go

@@ -835,8 +835,8 @@ func (report *BrokerServerReport) ValidateAndGetLogFields(
 
 		logFields = common.LogFields{}
 
-		logFields["proxy_nat_type"] = report.ProxyNATType
-		logFields["proxy_port_mapping_types"] = report.ProxyPortMappingTypes
+		logFields["inproxy_proxy_nat_type"] = report.ProxyNATType
+		logFields["inproxy_proxy_port_mapping_types"] = report.ProxyPortMappingTypes
 
 	} else {
 

+ 1 - 1
psiphon/common/inproxy/brokerClient.go

@@ -75,7 +75,7 @@ type BrokerClient struct {
 func NewBrokerClient(coordinator BrokerDialCoordinator) (*BrokerClient, error) {
 
 	// A client is expected to use an ephemeral key, and can return a
-	// zero-value private key. Each proxy should use a peristent key, as the
+	// zero-value private key. Each proxy should use a persistent key, as the
 	// corresponding public key is the proxy ID, which is used to credit the
 	// proxy for its service.
 

+ 1 - 1
psiphon/common/inproxy/proxy.go

@@ -428,7 +428,7 @@ func (p *Proxy) proxyClients(
 				p.config.Logger.WithTraceFields(
 					common.LogFields{
 						"error":  errMsg,
-						"delay":  delay,
+						"delay":  delay.String(),
 						"jitter": jitter,
 					}).Error("proxy client failed")
 				logErrorsCount -= 1

+ 27 - 0
replace/dtls/flight1handler.go

@@ -160,6 +160,33 @@ func flight1Generate(ctx context.Context, c flightConn, state *State, _ *handsha
 		})
 		cipherSuites = cipherSuites[:cut(len(cipherSuites))]
 
+		// At least one ECC cipher suite needs to be retained for compatibilty
+		// with the server's ECC certificate. Select from the ECC cipher suites
+		// currently returned by defaultCipherSuites.
+
+		eccCipherSuites := []uint16{
+			uint16(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
+			uint16(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
+			uint16(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
+		}
+		hasECC := false
+	checkECCLoop:
+		for _, cipherSuite := range cipherSuites {
+			for _, eccCipherSuite := range eccCipherSuites {
+				if cipherSuite == eccCipherSuite {
+					hasECC = true
+					break checkECCLoop
+				}
+			}
+		}
+		if !hasECC {
+			eccCipherSuite := eccCipherSuites[PRNG.Intn(len(eccCipherSuites))]
+			cipherSuites = append(cipherSuites, eccCipherSuite)
+			PRNG.Shuffle(len(cipherSuites), func(i, j int) {
+				cipherSuites[i], cipherSuites[j] = cipherSuites[j], cipherSuites[i]
+			})
+		}
+
 		for _, ext := range extensions {
 			switch e := ext.(type) {
 			case *extension.SupportedSignatureAlgorithms:
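Review bot: The fallback `eccCipherSuites[PRNG.Intn(len(eccCipherSuites))]` can select `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, and in that case the CBC-SHA suite is the only ECC suite left in the offered list, so a server with an ECC certificate would presumably have to negotiate it instead of one of the GCM suites. If that trade-off is accepted for ClientHello variety, say so in the comment; otherwise draw the fallback from the two GCM entries only. The list is also hard-coded against what defaultCipherSuites "currently" returns, so a reminder such as `// Keep in sync with defaultCipherSuites: a suite removed there would still be re-added here.` would help, and "compatibilty" in the new comment should read "compatibility". The identical hunk in vendor/github.com/pion/dtls/v2/flight1handler.go carries the same points; flight1Generate begins and ends outside the hunk, so the conditions under which this cut-and-shuffle path runs are not visible here.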

+ 27 - 0
vendor/github.com/pion/dtls/v2/flight1handler.go

@@ -160,6 +160,33 @@ func flight1Generate(ctx context.Context, c flightConn, state *State, _ *handsha
 		})
 		cipherSuites = cipherSuites[:cut(len(cipherSuites))]
 
+		// At least one ECC cipher suite needs to be retained for compatibilty
+		// with the server's ECC certificate. Select from the ECC cipher suites
+		// currently returned by defaultCipherSuites.
+
+		eccCipherSuites := []uint16{
+			uint16(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
+			uint16(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
+			uint16(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
+		}
+		hasECC := false
+	checkECCLoop:
+		for _, cipherSuite := range cipherSuites {
+			for _, eccCipherSuite := range eccCipherSuites {
+				if cipherSuite == eccCipherSuite {
+					hasECC = true
+					break checkECCLoop
+				}
+			}
+		}
+		if !hasECC {
+			eccCipherSuite := eccCipherSuites[PRNG.Intn(len(eccCipherSuites))]
+			cipherSuites = append(cipherSuites, eccCipherSuite)
+			PRNG.Shuffle(len(cipherSuites), func(i, j int) {
+				cipherSuites[i], cipherSuites[j] = cipherSuites[j], cipherSuites[i]
+			})
+		}
+
 		for _, ext := range extensions {
 			switch e := ext.(type) {
 			case *extension.SupportedSignatureAlgorithms: