From dd57d6787acf72af982aa04bff23bbf8f17bf452 Mon Sep 17 00:00:00 2001
From: Rod Hynes
Date: Mon, 15 May 2023 14:51:00 -0400
Subject: [PATCH] Fix: marshalRandomized must retain at least one TLS 1.3 cipher suite

---
 handshake_messages.go | 39 +++++++++++++++++++++++++++++----------
 1 file changed, 29 insertions(+), 10 deletions(-)

diff --git a/handshake_messages.go b/handshake_messages.go
index 6c569de..f8ddd5d 100644
--- a/handshake_messages.go
+++ b/handshake_messages.go
@@ -336,24 +336,43 @@ func (m *clientHelloMsg) marshalRandomized() []byte {
 	// all slices before truncating.
 	cipherSuites := make([]uint16, len(m.cipherSuites))
-	perm := m.PRNG.Perm(len(m.cipherSuites))
-	for i, j := range perm {
-		cipherSuites[j] = m.cipherSuites[i]
-	}
-	cut := len(cipherSuites)
-	for ; cut > 1; cut-- {
-		if !m.PRNG.FlipCoin() {
+	for {
+		perm := m.PRNG.Perm(len(m.cipherSuites))
+		for i, j := range perm {
+			cipherSuites[j] = m.cipherSuites[i]
+		}
+		cut := len(cipherSuites)
+		for ; cut > 1; cut-- {
+			if !m.PRNG.FlipCoin() {
+				break
+			}
+		}
+
+		// Must contain at least one of defaultCipherSuitesTLS13.
+		containsDefault := false
+		for _, suite := range cipherSuites[:cut] {
+			for _, defaultSuite := range defaultCipherSuitesTLS13 {
+				if suite == defaultSuite {
+					containsDefault = true
+					break
+				}
+			}
+			if containsDefault {
+				break
+			}
+		}
+		if containsDefault {
+			cipherSuites = cipherSuites[:cut]
 			break
 		}
 	}
-	cipherSuites = cipherSuites[:cut]
 
 	compressionMethods := make([]uint8, len(m.compressionMethods))
-	perm = m.PRNG.Perm(len(m.compressionMethods))
+	perm := m.PRNG.Perm(len(m.compressionMethods))
 	for i, j := range perm {
 		compressionMethods[j] = m.compressionMethods[i]
 	}
-	cut = len(compressionMethods)
+	cut := len(compressionMethods)
 	for ; cut > 1; cut-- {
 		if !m.PRNG.FlipCoin() {
 			break