Update utls

Obfuscated session ticket enhancements:

- Pad obfuscated session tickets to common sizes

- Apply common-size padding to server-issued, standard
  session tickets

- Use common session ticket lifetime hints

vendor/github.com/Psiphon-Labs/utls/handshake_messages.go

@@ -7,6 +7,11 @@ package tls
 import (
 	"bytes"
 	"strings"
+
+	// [Psiphon]
+	"crypto/rand"
+	"math/big"
+	math_rand "math/rand"
 )
 
 type clientHelloMsg struct {
@@ -1477,6 +1482,24 @@ func (m *newSessionTicketMsg) marshal() (x []byte) {
 	x[9] = uint8(ticketLen)
 	copy(x[10:], m.ticket)
 
+	// [Psiphon]
+	// Set lifetime hint to a more typical value.
+	if obfuscateSessionTickets {
+		hints := []int{300, 1200, 7200, 10800, 64800, 100800, 129600}
+		randomInt, err := rand.Int(rand.Reader, big.NewInt(int64(len(hints))))
+		index := 0
+		if err == nil {
+			index = int(randomInt.Int64())
+		} else {
+			index = math_rand.Intn(len(hints))
+		}
+		hint := hints[index]
+		x[4] = uint8(hint >> 24)
+		x[5] = uint8(hint >> 16)
+		x[6] = uint8(hint >> 8)
+		x[7] = uint8(hint)
+	}
+
 	m.raw = x
 
 	return

vendor/github.com/Psiphon-Labs/utls/obfuscated.go

@@ -21,7 +21,6 @@ package tls
 
 import (
 	"crypto/rand"
-	"math/big"
 )
 
 // NewObfuscatedClientSessionCache produces obfuscated session tickets.
@@ -97,19 +96,11 @@ func (cache *obfuscatedClientSessionCache) Get(key string) (*ClientSessionState,
 
 func NewObfuscatedClientSessionState(sharedSecret [32]byte) (*ClientSessionState, error) {
 
-	// Pad golang TLS session ticket to a more typical size.
-	paddingSize := 72
-	randomInt, err := rand.Int(rand.Reader, big.NewInt(18))
-	if err != nil {
-		return nil, err
-	}
-	paddingSize += int(randomInt.Int64()) * 2
-
 	// Create a session ticket that wasn't actually issued by the server.
 	vers := uint16(VersionTLS12)
 	cipherSuite := TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 	masterSecret := make([]byte, masterSecretLength)
-	_, err = rand.Read(masterSecret)
+	_, err := rand.Read(masterSecret)
 	if err != nil {
 		return nil, err
 	}
@@ -118,7 +109,6 @@ func NewObfuscatedClientSessionState(sharedSecret [32]byte) (*ClientSessionState
 		cipherSuite:  cipherSuite,
 		masterSecret: masterSecret,
 		certificates: nil,
-		paddingSize:  paddingSize,
 	}
 	c := &Conn{
 		config: &Config{

vendor/github.com/Psiphon-Labs/utls/ticket.go

@@ -13,8 +13,16 @@ import (
 	"crypto/subtle"
 	"errors"
 	"io"
+
+	// [Psiphon]
+	"crypto/rand"
+	"math/big"
+	math_rand "math/rand"
 )
 
+// [Psiphon]
+var obfuscateSessionTickets = true
+
 // sessionState contains the information that is serialized into a session
 // ticket in order to later resume a connection.
 type sessionState struct {
@@ -25,10 +33,6 @@ type sessionState struct {
 	// usedOldKey is true if the ticket from which this session came from
 	// was encrypted with an older key and thus should be refreshed.
 	usedOldKey bool
-
-	// [Psiphon]
-	// Padding for obfuscated session tickets
-	paddingSize int
 }
 
 func (s *sessionState) equal(i interface{}) bool {
@@ -63,8 +67,20 @@ func (s *sessionState) marshal() []byte {
 	}
 
 	// [Psiphon]
-	// Add padding for obfuscated session tickets
-	length += s.paddingSize
+	// Pad golang TLS session ticket to a more typical size.
+	if obfuscateSessionTickets {
+		paddedSizes := []int{160, 176, 192, 208, 218, 224, 240, 255}
+		initialSize := 120
+		randomInt, err := rand.Int(rand.Reader, big.NewInt(int64(len(paddedSizes))))
+		index := 0
+		if err == nil {
+			index = int(randomInt.Int64())
+		} else {
+			index = math_rand.Intn(len(paddedSizes))
+		}
+		paddingSize := paddedSizes[index] - initialSize
+		length += paddingSize
+	}
 
 	ret := make([]byte, length)
 	x := ret

vendor/vendor.json

@@ -33,10 +33,10 @@
 			"revisionTime": "2018-04-26T17:24:40Z"
 		},
 		{
-			"checksumSHA1": "caix7UTy0XJTu4FDWMrCQfWSYVY=",
+			"checksumSHA1": "OBN3dfn0yx9L3I2RPo58o27my2k=",
 			"path": "github.com/Psiphon-Labs/utls",
-			"revision": "eb962170f02f3071efeda4b36af37cade7e28ea6",
-			"revisionTime": "2018-05-17T17:24:30Z"
+			"revision": "690e3cce41f16569c0b4297bb36df8d7a04c98c2",
+			"revisionTime": "2018-07-12T18:20:28Z"
 		},
 		{
 			"checksumSHA1": "zaEXXT0xMkEADcxW9GvBK0iYe1A=",