Randomly include ALPS in HelloRandomized

common.go

@@ -97,7 +97,6 @@ const (
 	extensionKeyShare                uint16 = 51
 	extensionNextProtoNeg            uint16 = 13172 // not IANA assigned
 	extensionALPS                    uint16 = 17513
-	extensionApplicationSettings     uint16 = 0x4469
 	extensionRenegotiationInfo       uint16 = 0xff01
 )
 

u_parrots.go

@@ -1528,6 +1528,32 @@ func (uconn *UConn) generateRandomizedSpec() (ClientHelloSpec, error) {
 			Versions: makeSupportedVersions(p.TLSVersMin, p.TLSVersMax),
 		}
 		p.Extensions = append(p.Extensions, &ks, &pskExchangeModes, &supportedVersionsExt)
+
+		// Randomly add an ALPS extension. ALPS is TLS 1.3-only and may only
+		// appear when an ALPN extension is present
+		// (https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-3).
+		// ALPS is a draft specification at this time, but appears in
+		// Chrome/BoringSSL.
+		if WithALPN {
+
+			// ALPS is a new addition to generateRandomizedSpec. Use a salted
+			// seed to create a new, independent PRNG, so that a seed used
+			// with the previous version of generateRandomizedSpec will
+			// produce the exact same spec as long as ALPS isn't selected.
+			r, err := newPRNGWithSaltedSeed(uconn.ClientHelloID.Seed, "ALPS")
+			if err != nil {
+				return p, err
+			}
+			if r.FlipWeightedCoin(0.33) {
+				// As with the ALPN case above, default to something popular
+				// (unlike ALPN, ALPS can't yet be specified in uconn.config).
+				alps := &ApplicationSettingsExtension{SupportedProtocols: []string{"h2"}}
+				p.Extensions = append(p.Extensions, alps)
+			}
+		}
+
+		// TODO: randomly add DelegatedCredentialsExtension, once it is
+		// sufficiently popular.
 	}
 	r.rand.Shuffle(len(p.Extensions), func(i, j int) {
 		p.Extensions[i], p.Extensions[j] = p.Extensions[j], p.Extensions[i]

u_prng.go

@@ -19,6 +19,7 @@ import (
 	"math/rand"
 	"sync"
 
+	"golang.org/x/crypto/hkdf"
 	"golang.org/x/crypto/sha3"
 )
 
@@ -39,6 +40,21 @@ func NewPRNGSeed() (*PRNGSeed, error) {
 	return seed, nil
 }
 
+// newSaltedPRNGSeed creates a new seed derived from an existing seed and a
+// salt. A HKDF is applied to the seed and salt.
+//
+// newSaltedPRNGSeed is intended for use cases where a single seed needs to be
+// used in distinct contexts to produce independent random streams.
+func newSaltedPRNGSeed(seed *PRNGSeed, salt string) (*PRNGSeed, error) {
+	saltedSeed := new(PRNGSeed)
+	_, err := io.ReadFull(
+		hkdf.New(sha3.New256, seed[:], []byte(salt), nil), saltedSeed[:])
+	if err != nil {
+		return nil, err
+	}
+	return saltedSeed, nil
+}
+
 // prng is a seeded, unbiased PRNG based on SHAKE256. that is suitable for use
 // cases such as obfuscation. Seeding is based on crypto/rand.Read.
 //
@@ -78,6 +94,16 @@ func newPRNGWithSeed(seed *PRNGSeed) (*prng, error) {
 	return p, nil
 }
 
+// newPRNGWithSaltedSeed initializes a new PRNG using a seed derived from an
+// existing seed and a salt with NewSaltedSeed.
+func newPRNGWithSaltedSeed(seed *PRNGSeed, salt string) (*prng, error) {
+	saltedSeed, err := newSaltedPRNGSeed(seed, salt)
+	if err != nil {
+		return nil, err
+	}
+	return newPRNGWithSeed(saltedSeed)
+}
+
 // Read reads random bytes from the PRNG stream into b. Read conforms to
 // io.Reader and always returns len(p), nil.
 func (p *prng) Read(b []byte) (int, error) {