Home Explore Help
Sign In
yosoyhendrix
/
psiphon-tunnel-core
mirror of https://github.com/Psiphon-Labs/psiphon-tunnel-core
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Fix to avoid incompatible randomized DTLS ClientHello

Rod Hynes 1 year ago
parent
d95a00398d
commit
eabb3d0a1b
2 changed files with 54 additions and 0 deletions
Unified View Show Diff Stats
  1. 27 0
      replace/dtls/flight1handler.go
  2. 27 0
      vendor/github.com/pion/dtls/v2/flight1handler.go

+ 27 - 0
replace/dtls/flight1handler.go
View File 

@@ -160,6 +160,33 @@ func flight1Generate(ctx context.Context, c flightConn, state *State, _ *handsha
 
 		})
 
 		})
 
 		cipherSuites = cipherSuites[:cut(len(cipherSuites))]
 
 		cipherSuites = cipherSuites[:cut(len(cipherSuites))]
 
 
 
+		// At least one ECC cipher suite needs to be retained for compatibilty
 
+		// with the server's ECC certificate. Select from the ECC cipher suites
 
+		// currently returned by defaultCipherSuites.
 
+
 
+		eccCipherSuites := []uint16{
 
+			uint16(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
 
+			uint16(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
 
+			uint16(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
 
+		}
 
+		hasECC := false
 
+	checkECCLoop:
 
+		for _, cipherSuite := range cipherSuites {
 
+			for _, eccCipherSuite := range eccCipherSuites {
 
+				if cipherSuite == eccCipherSuite {
 
+					hasECC = true
 
+					break checkECCLoop
 
+				}
 
+			}
 
+		}
 
+		if !hasECC {
 
+			eccCipherSuite := eccCipherSuites[PRNG.Intn(len(eccCipherSuites))]
 
+			cipherSuites = append(cipherSuites, eccCipherSuite)
 
+			PRNG.Shuffle(len(cipherSuites), func(i, j int) {
 
+				cipherSuites[i], cipherSuites[j] = cipherSuites[j], cipherSuites[i]
 
+			})
 
+		}
 
+
 
 		for _, ext := range extensions {
 
 		for _, ext := range extensions {
 
 			switch e := ext.(type) {
 
 			switch e := ext.(type) {
 
 			case *extension.SupportedSignatureAlgorithms:
 
 			case *extension.SupportedSignatureAlgorithms:

+ 27 - 0
vendor/github.com/pion/dtls/v2/flight1handler.go
View File 

@@ -160,6 +160,33 @@ func flight1Generate(ctx context.Context, c flightConn, state *State, _ *handsha
 
 		})
 
 		})
 
 		cipherSuites = cipherSuites[:cut(len(cipherSuites))]
 
 		cipherSuites = cipherSuites[:cut(len(cipherSuites))]
 
 
 
+		// At least one ECC cipher suite needs to be retained for compatibilty
 
+		// with the server's ECC certificate. Select from the ECC cipher suites
 
+		// currently returned by defaultCipherSuites.
 
+
 
+		eccCipherSuites := []uint16{
 
+			uint16(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
 
+			uint16(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
 
+			uint16(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
 
+		}
 
+		hasECC := false
 
+	checkECCLoop:
 
+		for _, cipherSuite := range cipherSuites {
 
+			for _, eccCipherSuite := range eccCipherSuites {
 
+				if cipherSuite == eccCipherSuite {
 
+					hasECC = true
 
+					break checkECCLoop
 
+				}
 
+			}
 
+		}
 
+		if !hasECC {
 
+			eccCipherSuite := eccCipherSuites[PRNG.Intn(len(eccCipherSuites))]
 
+			cipherSuites = append(cipherSuites, eccCipherSuite)
 
+			PRNG.Shuffle(len(cipherSuites), func(i, j int) {
 
+				cipherSuites[i], cipherSuites[j] = cipherSuites[j], cipherSuites[i]
 
+			})
 
+		}
 
+
 
 		for _, ext := range extensions {
 
 		for _, ext := range extensions {
 
 			switch e := ext.(type) {
 
 			switch e := ext.(type) {
 
 			case *extension.SupportedSignatureAlgorithms:
 
 			case *extension.SupportedSignatureAlgorithms: