Merge pull request #508 from rod-hynes/upgrade-utls

Upgrade utls

psiphon/TCPConn_bind.go

@@ -261,6 +261,22 @@ func tcpDial(ctx context.Context, addr string, config *DialConfig) (net.Conn, er
 			continue
 		}
 
+		// Handle the case where net.FileConn produces a Conn where RemoteAddr
+		// unexpectedly returns nil: https://github.com/golang/go/issues/23022.
+		//
+		// The net.Conn interface indicates that RemoteAddr returns a usable value,
+		// and code such as crypto/tls, in loadSession/clientSessionCacheKey, uses
+		// the RemoteAddr return value without a nil check, resulting in an panic.
+		//
+		// As the most likely explanation for this net.FileConn condition is
+		// getpeername returning ENOTCONN due to the socket connection closing
+		// during the net.FileConn execution, we choose to abort this dial rather
+		// than try to mask the RemoteAddr issue.
+		if conn.RemoteAddr() == nil {
+			conn.Close()
+			return nil, common.ContextError(errors.New("RemoteAddr returns nil"))
+		}
+
 		return &TCPConn{Conn: conn}, nil
 	}
 

psiphon/common/parameters/clientParameters.go

@@ -93,6 +93,7 @@ const (
 	LimitTunnelProtocols                             = "LimitTunnelProtocols"
 	LimitTLSProfilesProbability                      = "LimitTLSProfilesProbability"
 	LimitTLSProfiles                                 = "LimitTLSProfiles"
+	SelectRandomizedTLSProfileProbability            = "SelectRandomizedTLSProfileProbability"
 	LimitQUICVersionsProbability                     = "LimitQUICVersionsProbability"
 	LimitQUICVersions                                = "LimitQUICVersions"
 	FragmentorProbability                            = "FragmentorProbability"
@@ -265,8 +266,9 @@ var defaultClientParameters = map[string]struct {
 	LimitTunnelProtocolsProbability: {value: 1.0, minimum: 0.0},
 	LimitTunnelProtocols:            {value: protocol.TunnelProtocols{}},
 
-	LimitTLSProfilesProbability: {value: 1.0, minimum: 0.0},
-	LimitTLSProfiles:            {value: protocol.TLSProfiles{}},
+	LimitTLSProfilesProbability:           {value: 1.0, minimum: 0.0},
+	LimitTLSProfiles:                      {value: protocol.TLSProfiles{}},
+	SelectRandomizedTLSProfileProbability: {value: 0.25, minimum: 0.0},
 
 	LimitQUICVersionsProbability: {value: 1.0, minimum: 0.0},
 	LimitQUICVersions:            {value: protocol.QUICVersions{}},

psiphon/common/protocol/protocol.go

@@ -191,41 +191,53 @@ func UseClientTunnelProtocol(
 }
 
 const (
-	TLS_PROFILE_IOS_1131         = "iOS-Safari-11.3.1"
-	TLS_PROFILE_ANDROID_60       = "Android-6.0"
-	TLS_PROFILE_ANDROID_51       = "Android-5.1"
-	TLS_PROFILE_CHROME_58        = "Chrome-58"
-	TLS_PROFILE_CHROME_57        = "Chrome-57"
-	TLS_PROFILE_FIREFOX_56       = "Firefox-56"
-	TLS_PROFILE_RANDOMIZED       = "Randomized"
-	TLS_PROFILE_TLS13_RANDOMIZED = "TLS-1.3-Randomized"
+	TLS_VERSION_12 = "TLSv1.2"
+	TLS_VERSION_13 = "TLSv1.3"
+
+	TLS_PROFILE_IOS_111    = "iOS-11.1"
+	TLS_PROFILE_IOS_121    = "iOS-12.1"
+	TLS_PROFILE_CHROME_58  = "Chrome-58"
+	TLS_PROFILE_CHROME_62  = "Chrome-62"
+	TLS_PROFILE_CHROME_70  = "Chrome-70"
+	TLS_PROFILE_CHROME_72  = "Chrome-72"
+	TLS_PROFILE_FIREFOX_55 = "Firefox-55"
+	TLS_PROFILE_FIREFOX_56 = "Firefox-56"
+	TLS_PROFILE_FIREFOX_65 = "Firefox-65"
+	TLS_PROFILE_RANDOMIZED = "Randomized-v2"
 )
 
 var SupportedTLSProfiles = TLSProfiles{
-	TLS_PROFILE_IOS_1131,
-	TLS_PROFILE_ANDROID_60,
-	TLS_PROFILE_ANDROID_51,
+	TLS_PROFILE_IOS_111,
+	TLS_PROFILE_IOS_121,
 	TLS_PROFILE_CHROME_58,
-	TLS_PROFILE_CHROME_57,
+	TLS_PROFILE_CHROME_62,
+	TLS_PROFILE_CHROME_70,
+	TLS_PROFILE_CHROME_72,
+	TLS_PROFILE_FIREFOX_55,
 	TLS_PROFILE_FIREFOX_56,
+	TLS_PROFILE_FIREFOX_65,
 	TLS_PROFILE_RANDOMIZED,
-	TLS_PROFILE_TLS13_RANDOMIZED,
 }
 
 func TLSProfileIsRandomized(tlsProfile string) bool {
-	return tlsProfile == TLS_PROFILE_RANDOMIZED ||
-		tlsProfile == TLS_PROFILE_TLS13_RANDOMIZED
-}
-
-func TLSProfileIsTLS13(tlsProfile string) bool {
-	return tlsProfile == TLS_PROFILE_TLS13_RANDOMIZED
+	return tlsProfile == TLS_PROFILE_RANDOMIZED
 }
 
 type TLSProfiles []string
 
 func (profiles TLSProfiles) Validate() error {
+
+	legacyTLSProfiles := TLSProfiles{
+		"iOS-Safari-11.3.1",
+		"Android-6.0",
+		"Android-5.1",
+		"Chrome-57",
+		"Randomized",
+		"TLS-1.3-Randomized",
+	}
+
 	for _, p := range profiles {
-		if !common.Contains(SupportedTLSProfiles, p) {
+		if !common.Contains(SupportedTLSProfiles, p) && !common.Contains(legacyTLSProfiles, p) {
 			return common.ContextError(fmt.Errorf("invalid TLS profile: %s", p))
 		}
 	}

psiphon/config.go

@@ -20,7 +20,9 @@
 package psiphon
 
 import (
+	"crypto/md5"
 	"encoding/base64"
+	"encoding/binary"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -269,6 +271,10 @@ type Config struct {
 	// handling, and application of parameters.
 	DisableTactics bool
 
+	// DisableReplay causes any persisted dial parameters to be ignored when
+	// they would otherwise be used for replay.
+	DisableReplay bool
+
 	// TransformHostNames specifies whether to use hostname transformation
 	// circumvention strategies. Set to "always" to always transform, "never"
 	// to never transform, and "", the default, for the default transformation
@@ -519,6 +525,8 @@ type Config struct {
 	// calling clientParameters.Set directly will fail to add config values.
 	clientParameters *parameters.ClientParameters
 
+	dialParametersHash []byte
+
 	dynamicConfigMutex sync.Mutex
 	sponsorID          string
 	authorizations     []string
@@ -584,6 +592,10 @@ func (config *Config) Commit() error {
 		config.UpgradeDownloadURLs = promoteLegacyDownloadURL(config.UpgradeDownloadUrl)
 	}
 
+	if config.TunnelProtocol != "" && len(config.LimitTunnelProtocols) == 0 {
+		config.LimitTunnelProtocols = []string{config.TunnelProtocol}
+	}
+
 	// Supply default values.
 
 	if config.DataStoreDirectory == "" {
@@ -711,6 +723,11 @@ func (config *Config) Commit() error {
 		return common.ContextError(err)
 	}
 
+	// Calculate and set the dial parameters hash. After this point, related
+	// config fields must not change.
+
+	config.setDialParametersHash()
+
 	// Set defaults for dynamic config fields.
 
 	config.SetDynamicConfig(config.SponsorId, config.Authorizations)
@@ -847,8 +864,6 @@ func (config *Config) makeConfigParameters() map[string]interface{} {
 
 	if len(config.LimitTunnelProtocols) > 0 {
 		applyParameters[parameters.LimitTunnelProtocols] = protocol.TunnelProtocols(config.LimitTunnelProtocols)
-	} else if config.TunnelProtocol != "" {
-		applyParameters[parameters.LimitTunnelProtocols] = protocol.TunnelProtocols{config.TunnelProtocol}
 	}
 
 	if len(config.InitialLimitTunnelProtocols) > 0 && config.InitialLimitTunnelProtocolsCandidateCount > 0 {
@@ -1002,6 +1017,113 @@ func (config *Config) makeConfigParameters() map[string]interface{} {
 	return applyParameters
 }
 
+func (config *Config) setDialParametersHash() {
+
+	// Calculate and store a hash of the config values that may impact
+	// dial parameters. This hash is used as part of the dial parameters
+	// replay mechanism to detect when persisted dial parameters must
+	// be discarded due to conflicting config changes.
+	//
+	// MD5 hash is used solely as a data checksum and not for any security
+	// purpose.
+
+	hash := md5.New()
+
+	if len(config.LimitTunnelProtocols) > 0 {
+		for _, protocol := range config.LimitTunnelProtocols {
+			hash.Write([]byte(protocol))
+		}
+	}
+
+	if len(config.InitialLimitTunnelProtocols) > 0 && config.InitialLimitTunnelProtocolsCandidateCount > 0 {
+		for _, protocol := range config.InitialLimitTunnelProtocols {
+			hash.Write([]byte(protocol))
+		}
+		binary.Write(hash, binary.LittleEndian, config.InitialLimitTunnelProtocolsCandidateCount)
+	}
+
+	if len(config.LimitTLSProfiles) > 0 {
+		for _, profile := range config.LimitTLSProfiles {
+			hash.Write([]byte(profile))
+		}
+	}
+
+	if len(config.LimitQUICVersions) > 0 {
+		for _, version := range config.LimitQUICVersions {
+			hash.Write([]byte(version))
+		}
+	}
+
+	// Whether a custom User-Agent is specified is a binary flag: when not set,
+	// the replay dial parameters value applies. When set, external
+	// considerations apply.
+	if _, ok := config.CustomHeaders["User-Agent"]; ok {
+		hash.Write([]byte{1})
+	}
+
+	if config.UpstreamProxyURL != "" {
+		hash.Write([]byte(config.UpstreamProxyURL))
+	}
+
+	if config.TransformHostNames != "" {
+		hash.Write([]byte(config.TransformHostNames))
+	}
+
+	if config.UseFragmentor != "" {
+		hash.Write([]byte(config.UseFragmentor))
+	}
+
+	if config.FragmentorMinTotalBytes != nil {
+		binary.Write(hash, binary.LittleEndian, *config.FragmentorMinTotalBytes)
+	}
+
+	if config.FragmentorMaxTotalBytes != nil {
+		binary.Write(hash, binary.LittleEndian, *config.FragmentorMaxTotalBytes)
+	}
+
+	if config.FragmentorMinWriteBytes != nil {
+		binary.Write(hash, binary.LittleEndian, *config.FragmentorMinWriteBytes)
+	}
+
+	if config.FragmentorMaxWriteBytes != nil {
+		binary.Write(hash, binary.LittleEndian, *config.FragmentorMaxWriteBytes)
+	}
+
+	if config.FragmentorMinDelayMicroseconds != nil {
+		binary.Write(hash, binary.LittleEndian, *config.FragmentorMinDelayMicroseconds)
+	}
+
+	if config.FragmentorMaxDelayMicroseconds != nil {
+		binary.Write(hash, binary.LittleEndian, *config.FragmentorMaxDelayMicroseconds)
+	}
+
+	if config.ObfuscatedSSHMinPadding != nil {
+		binary.Write(hash, binary.LittleEndian, *config.ObfuscatedSSHMinPadding)
+	}
+
+	if config.ObfuscatedSSHMaxPadding != nil {
+		binary.Write(hash, binary.LittleEndian, *config.ObfuscatedSSHMaxPadding)
+	}
+
+	if config.LivenessTestMinUpstreamBytes != nil {
+		binary.Write(hash, binary.LittleEndian, *config.LivenessTestMinUpstreamBytes)
+	}
+
+	if config.LivenessTestMaxUpstreamBytes != nil {
+		binary.Write(hash, binary.LittleEndian, *config.LivenessTestMaxUpstreamBytes)
+	}
+
+	if config.LivenessTestMinDownstreamBytes != nil {
+		binary.Write(hash, binary.LittleEndian, *config.LivenessTestMinDownstreamBytes)
+	}
+
+	if config.LivenessTestMaxDownstreamBytes != nil {
+		binary.Write(hash, binary.LittleEndian, *config.LivenessTestMaxDownstreamBytes)
+	}
+
+	config.dialParametersHash = hash.Sum(nil)
+}
+
 func promoteLegacyDownloadURL(URL string) parameters.DownloadURLs {
 	downloadURLs := make(parameters.DownloadURLs, 1)
 	downloadURLs[0] = &parameters.DownloadURL{

psiphon/dialParameters.go

@@ -36,6 +36,7 @@ import (
 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/parameters"
 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/prng"
 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/protocol"
+	utls "github.com/refraction-networking/utls"
 	regen "github.com/zach-klippenstein/goregen"
 )
 
@@ -91,6 +92,7 @@ type DialParameters struct {
 
 	SelectedTLSProfile       bool
 	TLSProfile               string
+	TLSVersion               string
 	RandomizedTLSProfileSeed *prng.Seed
 
 	QUICVersion               string
@@ -169,6 +171,7 @@ func MakeDialParameters(
 	//   previous dial parameters were established.
 	// - The protocol selection constraints must permit replay, as indicated
 	//   by canReplay.
+	// - Must not be using an obsolete TLS profile that is no longer supported.
 	//
 	// When existing dial parameters don't meet these conditions, dialParams
 	// is reset to nil and new dial parameters will be generated.
@@ -187,7 +190,9 @@ func MakeDialParameters(
 	if dialParams != nil &&
 		(ttl <= 0 ||
 			dialParams.LastUsedTimestamp.Before(currentTimestamp.Add(-ttl)) ||
-			bytes.Compare(dialParams.LastUsedConfigStateHash, configStateHash) != 0) {
+			bytes.Compare(dialParams.LastUsedConfigStateHash, configStateHash) != 0 ||
+			(dialParams.TLSProfile != "" &&
+				!common.Contains(protocol.SupportedTLSProfiles, dialParams.TLSProfile))) {
 
 		// In these cases, existing dial parameters are expired or no longer
 		// match the config state and so are cleared to avoid rechecking them.
@@ -200,11 +205,11 @@ func MakeDialParameters(
 	}
 
 	if dialParams != nil {
-		if !canReplay(serverEntry, dialParams.TunnelProtocol) {
+		if config.DisableReplay ||
+			!canReplay(serverEntry, dialParams.TunnelProtocol) {
 
-			// In this ephemeral case, existing dial parameters may still be
-			// valid and used in future establishment phases, and so are
-			// retained.
+			// In these ephemeral cases, existing dial parameters may still be valid
+			// and used in future establishment phases, and so are retained.
 
 			dialParams = nil
 		}
@@ -295,6 +300,28 @@ func MakeDialParameters(
 		}
 	}
 
+	if (!isReplay || !replayTLSProfile) &&
+		protocol.TunnelProtocolUsesMeekHTTPS(dialParams.TunnelProtocol) {
+
+		// Since "Randomized-v2" may be TLS 1.2 or TLS 1.3, construct the
+		// ClientHello to determine if it's TLS 1.3. This test also covers
+		// non-randomized TLS 1.3 profiles. This check must come after
+		// dialParams.TLSProfile and dialParams.RandomizedTLSProfileSeed are set.
+		// No actual dial is made here.
+
+		utlsClientHelloID := getUTLSClientHelloID(dialParams.TLSProfile)
+
+		if protocol.TLSProfileIsRandomized(dialParams.TLSProfile) {
+			utlsClientHelloID.Seed = new(utls.PRNGSeed)
+			*utlsClientHelloID.Seed = [32]byte(*dialParams.RandomizedTLSProfileSeed)
+		}
+
+		dialParams.TLSVersion, err = getClientHelloVersion(utlsClientHelloID)
+		if err != nil {
+			return nil, common.ContextError(err)
+		}
+	}
+
 	if (!isReplay || !replayFronting) &&
 		protocol.TunnelProtocolUsesFrontedMeek(dialParams.TunnelProtocol) {
 
@@ -593,13 +620,22 @@ func getConfigStateHash(
 	// of these input values change in a way that invalidates any stored dial
 	// parameters.
 
-	// MD5 hash is used solely as a data checksum and not for any security purpose.
+	// MD5 hash is used solely as a data checksum and not for any security
+	// purpose.
 	hash := md5.New()
 
+	// Add a hash of relevant config fields.
+	// Limitation: the config hash may change even when tactics will override the
+	// changed config field.
+	hash.Write(config.dialParametersHash)
+
+	// Add the active tactics tag.
 	hash.Write([]byte(p.Tag()))
 
+	// Add the server entry version and local timestamp, both of which should
+	// change when the server entry contents change and/or a new local copy is
+	// imported.
 	// TODO: marshal entire server entry?
-
 	var serverEntryConfigurationVersion [8]byte
 	binary.BigEndian.PutUint64(
 		serverEntryConfigurationVersion[:],
@@ -607,10 +643,6 @@ func getConfigStateHash(
 	hash.Write(serverEntryConfigurationVersion[:])
 	hash.Write([]byte(serverEntry.LocalTimestamp))
 
-	// TODO: add config.CustomHeaders, which could impact User-Agent header?
-
-	hash.Write([]byte(config.UpstreamProxyURL))
-
 	return hash.Sum(nil)
 }
 

psiphon/notice.go

@@ -450,6 +450,7 @@ func noticeWithDialParameters(noticeType string, dialParams *DialParameters) {
 
 	if dialParams.SelectedTLSProfile {
 		args = append(args, "TLSProfile", dialParams.TLSProfile)
+		args = append(args, "TLSVersion", dialParams.TLSVersion)
 	}
 
 	if dialParams.DialPortNumber != "" {

psiphon/server/api.go

@@ -639,6 +639,7 @@ var baseRequestParams = []requestParamSpec{
 	{"meek_transformed_host_name", isBooleanFlag, requestParamOptional | requestParamLogFlagAsBool},
 	{"user_agent", isAnyString, requestParamOptional},
 	{"tls_profile", isAnyString, requestParamOptional},
+	{"tls_version", isAnyString, requestParamOptional},
 	{"server_entry_region", isRegionCode, requestParamOptional},
 	{"server_entry_source", isServerEntrySource, requestParamOptional},
 	{"server_entry_timestamp", isISO8601Date, requestParamOptional},

psiphon/server/server_test.go

@@ -208,7 +208,7 @@ func TestUnfrontedMeekHTTPSTLS13(t *testing.T) {
 	runServer(t,
 		&runServerConfig{
 			tunnelProtocol:       "UNFRONTED-MEEK-HTTPS-OSSH",
-			tlsProfile:           protocol.TLS_PROFILE_TLS13_RANDOMIZED,
+			tlsProfile:           protocol.TLS_PROFILE_CHROME_70,
 			enableSSHAPIRequests: true,
 			doHotReload:          false,
 			doDefaultSponsorID:   false,
@@ -226,7 +226,7 @@ func TestUnfrontedMeekSessionTicket(t *testing.T) {
 	runServer(t,
 		&runServerConfig{
 			tunnelProtocol:       "UNFRONTED-MEEK-SESSION-TICKET-OSSH",
-			tlsProfile:           protocol.TLS_PROFILE_RANDOMIZED,
+			tlsProfile:           protocol.TLS_PROFILE_CHROME_58,
 			enableSSHAPIRequests: true,
 			doHotReload:          false,
 			doDefaultSponsorID:   false,
@@ -244,7 +244,7 @@ func TestUnfrontedMeekSessionTicketTLS13(t *testing.T) {
 	runServer(t,
 		&runServerConfig{
 			tunnelProtocol:       "UNFRONTED-MEEK-SESSION-TICKET-OSSH",
-			tlsProfile:           protocol.TLS_PROFILE_TLS13_RANDOMIZED,
+			tlsProfile:           protocol.TLS_PROFILE_CHROME_70,
 			enableSSHAPIRequests: true,
 			doHotReload:          false,
 			doDefaultSponsorID:   false,
@@ -1131,6 +1131,7 @@ func checkExpectedLogFields(runConfig *runServerConfig, fields map[string]interf
 
 		for _, name := range []string{
 			"tls_profile",
+			"tls_version",
 			"meek_sni_server_name",
 		} {
 			if fields[name] == nil || fmt.Sprintf("%s", fields[name]) == "" {
@@ -1152,6 +1153,11 @@ func checkExpectedLogFields(runConfig *runServerConfig, fields map[string]interf
 			return fmt.Errorf("unexpected tls_profile '%s'", fields["tls_profile"])
 		}
 
+		if !common.Contains(
+			[]string{protocol.TLS_VERSION_12, protocol.TLS_VERSION_13},
+			fields["tls_version"].(string)) {
+			return fmt.Errorf("unexpected tls_version '%s'", fields["tls_version"])
+		}
 	}
 
 	if protocol.TunnelProtocolUsesQUIC(runConfig.tunnelProtocol) {

psiphon/serverApi.go

@@ -798,6 +798,7 @@ func getBaseAPIParameters(
 
 	if dialParams.SelectedTLSProfile {
 		params["tls_profile"] = dialParams.TLSProfile
+		params["tls_version"] = dialParams.TLSVersion
 	}
 
 	if dialParams.ServerEntry.Region != "" {

psiphon/sessionTicket_test.go

@@ -0,0 +1,283 @@
+/*
+ * Copyright (c) 2016, Psiphon Inc.
+ * All rights reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package psiphon
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"errors"
+	"io"
+	"math/big"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/protocol"
+	tris "github.com/Psiphon-Labs/tls-tris"
+	utls "github.com/refraction-networking/utls"
+)
+
+func TestObfuscatedSessionTicket(t *testing.T) {
+
+	tlsProfiles := []string{
+		protocol.TLS_PROFILE_CHROME_58,
+		protocol.TLS_PROFILE_FIREFOX_55,
+		protocol.TLS_PROFILE_RANDOMIZED,
+	}
+
+	for _, tlsProfile := range tlsProfiles {
+		t.Run(tlsProfile, func(t *testing.T) {
+			runObfuscatedSessionTicket(t, tlsProfile)
+		})
+	}
+}
+
+func runObfuscatedSessionTicket(t *testing.T, tlsProfile string) {
+
+	var standardSessionTicketKey [32]byte
+	rand.Read(standardSessionTicketKey[:])
+
+	var obfuscatedSessionTicketSharedSecret [32]byte
+	rand.Read(obfuscatedSessionTicketSharedSecret[:])
+
+	clientConfig := &utls.Config{
+		InsecureSkipVerify: true,
+	}
+
+	certificate, err := generateCertificate()
+	if err != nil {
+		t.Fatalf("generateCertificate failed: %s", err)
+	}
+
+	serverConfig := &tris.Config{
+		Certificates:     []tris.Certificate{*certificate},
+		NextProtos:       []string{"http/1.1"},
+		MinVersion:       utls.VersionTLS12,
+		SessionTicketKey: obfuscatedSessionTicketSharedSecret,
+	}
+
+	serverConfig.SetSessionTicketKeys([][32]byte{
+		standardSessionTicketKey, obfuscatedSessionTicketSharedSecret})
+
+	testMessage := "test"
+
+	result := make(chan error, 1)
+
+	report := func(err error) {
+		select {
+		case result <- err:
+		default:
+		}
+	}
+
+	listening := make(chan string, 1)
+
+	go func() {
+
+		listener, err := tris.Listen("tcp", ":0", serverConfig)
+		if err != nil {
+			report(err)
+			return
+		}
+		defer listener.Close()
+
+		listening <- listener.Addr().String()
+
+		for i := 0; i < 2; i++ {
+			conn, err := listener.Accept()
+			if err != nil {
+				report(err)
+				return
+			}
+
+			recv := make([]byte, len(testMessage))
+			_, err = io.ReadFull(conn, recv)
+			if err == nil && string(recv) != testMessage {
+				err = errors.New("unexpected payload")
+			}
+			conn.Close()
+			if err != nil {
+				report(err)
+				return
+			}
+		}
+
+		// Sends nil on success
+		report(nil)
+	}()
+
+	go func() {
+
+		serverAddress := <-listening
+
+		clientSessionCache := utls.NewLRUClientSessionCache(0)
+
+		for i := 0; i < 2; i++ {
+
+			tcpConn, err := net.Dial("tcp", serverAddress)
+			if err != nil {
+				report(err)
+				return
+			}
+			defer tcpConn.Close()
+
+			utlsClientHelloID := getUTLSClientHelloID(tlsProfile)
+
+			tlsConn := utls.UClient(tcpConn, clientConfig, utlsClientHelloID)
+
+			tlsConn.SetSessionCache(clientSessionCache)
+
+			// The first connection will use an obfuscated session ticket and the
+			// second connection will use a real session ticket issued by the server.
+			var clientSessionState *utls.ClientSessionState
+			if i == 0 {
+				obfuscatedSessionState, err := tris.NewObfuscatedClientSessionState(
+					obfuscatedSessionTicketSharedSecret)
+				if err != nil {
+					report(err)
+					return
+				}
+				clientSessionState = utls.MakeClientSessionState(
+					obfuscatedSessionState.SessionTicket,
+					obfuscatedSessionState.Vers,
+					obfuscatedSessionState.CipherSuite,
+					obfuscatedSessionState.MasterSecret,
+					nil,
+					nil)
+				tlsConn.SetSessionState(clientSessionState)
+			}
+
+			if protocol.TLSProfileIsRandomized(tlsProfile) {
+				for {
+					err = tlsConn.BuildHandshakeState()
+					if err != nil {
+						report(err)
+						return
+					}
+
+					isTLS13 := false
+					for _, v := range tlsConn.HandshakeState.Hello.SupportedVersions {
+						if v == utls.VersionTLS13 {
+							isTLS13 = true
+							break
+						}
+					}
+
+					if !isTLS13 && tris.ContainsObfuscatedSessionTicketCipherSuite(
+						tlsConn.HandshakeState.Hello.CipherSuites) {
+						break
+					}
+
+					utlsClientHelloID.Seed, _ = utls.NewPRNGSeed()
+					tlsConn = utls.UClient(tcpConn, clientConfig, utlsClientHelloID)
+					tlsConn.SetSessionCache(clientSessionCache)
+					if i == 0 {
+						tlsConn.SetSessionState(clientSessionState)
+					}
+				}
+			}
+
+			err = tlsConn.Handshake()
+			if err != nil {
+				report(err)
+				return
+			}
+
+			if len(tlsConn.ConnectionState().PeerCertificates) > 0 {
+				report(errors.New("unexpected certificate in handshake"))
+				return
+			}
+
+			_, err = tlsConn.Write([]byte(testMessage))
+			if err != nil {
+				report(err)
+				return
+			}
+		}
+	}()
+
+	err = <-result
+	if err != nil {
+		t.Fatalf("connect failed: %s", err)
+	}
+}
+
+func generateCertificate() (*tris.Certificate, error) {
+
+	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+
+	publicKeyBytes, err := x509.MarshalPKIXPublicKey(rsaKey.Public())
+	if err != nil {
+		return nil, err
+	}
+	subjectKeyID := sha1.Sum(publicKeyBytes)
+
+	template := x509.Certificate{
+		SerialNumber:          big.NewInt(1),
+		Subject:               pkix.Name{CommonName: "www.example.org"},
+		NotBefore:             time.Now().Add(-1 * time.Hour).UTC(),
+		NotAfter:              time.Now().Add(time.Hour).UTC(),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+		SubjectKeyId:          subjectKeyID[:],
+		MaxPathLen:            1,
+		Version:               2,
+	}
+
+	derCert, err := x509.CreateCertificate(
+		rand.Reader,
+		&template,
+		&template,
+		rsaKey.Public(),
+		rsaKey)
+	if err != nil {
+		return nil, err
+	}
+
+	certificate := pem.EncodeToMemory(
+		&pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: derCert,
+		},
+	)
+
+	privateKey := pem.EncodeToMemory(
+		&pem.Block{
+			Type:  "RSA PRIVATE KEY",
+			Bytes: x509.MarshalPKCS1PrivateKey(rsaKey),
+		},
+	)
+
+	keyPair, err := tris.X509KeyPair(certificate, privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return &keyPair, nil
+}

psiphon/tlsDialer.go

@@ -67,7 +67,7 @@ import (
 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/prng"
 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/protocol"
 	tris "github.com/Psiphon-Labs/tls-tris"
-	utls "github.com/Psiphon-Labs/utls"
+	utls "github.com/refraction-networking/utls"
 )
 
 // CustomTLSConfig contains parameters to determine the behavior
@@ -129,36 +129,32 @@ type CustomTLSConfig struct {
 	// using the specified key.
 	ObfuscatedSessionTicketKey string
 
-	utlsClientSessionCache utls.ClientSessionCache
-	trisClientSessionCache tris.ClientSessionCache
+	clientSessionCache utls.ClientSessionCache
 }
 
 // EnableClientSessionCache initializes a cache to use to persist session
 // tickets, enabling TLS session resumability across multiple
 // CustomTLSDial calls or dialers using the same CustomTLSConfig.
-//
-// TLSProfile must be set or will be auto-set via SelectTLSProfile.
 func (config *CustomTLSConfig) EnableClientSessionCache(
 	clientParameters *parameters.ClientParameters) {
 
-	if config.TLSProfile == "" {
-		config.TLSProfile = SelectTLSProfile(config.ClientParameters.Get())
-	}
-
-	if useUTLS(config.TLSProfile) {
-		config.utlsClientSessionCache = utls.NewLRUClientSessionCache(0)
-	} else {
-		config.trisClientSessionCache = tris.NewLRUClientSessionCache(0)
+	if config.clientSessionCache == nil {
+		config.clientSessionCache = utls.NewLRUClientSessionCache(0)
 	}
 }
 
-// SelectTLSProfile picks a random TLS profile from the available candidates.
+// SelectTLSProfile picks a TLS profile at random from the available candidates.
 func SelectTLSProfile(
 	p *parameters.ClientParametersSnapshot) string {
 
+	// Two TLS profile lists are constructed, subject to limit constraints: fixed
+	// parrots and randomized. If one list is empty, the non-empty list is used.
+	// Otherwise SelectRandomizedTLSProfileProbability determines which list is used.
+
 	limitTLSProfiles := p.TLSProfiles(parameters.LimitTLSProfiles)
 
-	tlsProfiles := make([]string, 0)
+	randomizedTLSProfiles := make([]string, 0)
+	parrotTLSProfiles := make([]string, 0)
 
 	for _, tlsProfile := range protocol.SupportedTLSProfiles {
 
@@ -167,36 +163,47 @@ func SelectTLSProfile(
 			continue
 		}
 
-		tlsProfiles = append(tlsProfiles, tlsProfile)
+		if protocol.TLSProfileIsRandomized(tlsProfile) {
+			randomizedTLSProfiles = append(randomizedTLSProfiles, tlsProfile)
+		} else {
+			parrotTLSProfiles = append(parrotTLSProfiles, tlsProfile)
+		}
 	}
 
-	if len(tlsProfiles) == 0 {
-		return ""
-	}
+	if len(randomizedTLSProfiles) > 0 &&
+		(len(parrotTLSProfiles) == 0 ||
+			p.WeightedCoinFlip(parameters.SelectRandomizedTLSProfileProbability)) {
 
-	choice := prng.Intn(len(tlsProfiles))
+		return randomizedTLSProfiles[prng.Intn(len(randomizedTLSProfiles))]
+	}
 
-	return tlsProfiles[choice]
-}
+	if len(parrotTLSProfiles) == 0 {
+		return ""
+	}
 
-func useUTLS(tlsProfile string) bool {
-	return tlsProfile != protocol.TLS_PROFILE_TLS13_RANDOMIZED
+	return parrotTLSProfiles[prng.Intn(len(parrotTLSProfiles))]
 }
 
 func getUTLSClientHelloID(tlsProfile string) utls.ClientHelloID {
 	switch tlsProfile {
-	case protocol.TLS_PROFILE_IOS_1131:
-		return utls.HelloiOSSafari_11_3_1
-	case protocol.TLS_PROFILE_ANDROID_60:
-		return utls.HelloAndroid_6_0_Browser
-	case protocol.TLS_PROFILE_ANDROID_51:
-		return utls.HelloAndroid_5_1_Browser
+	case protocol.TLS_PROFILE_IOS_111:
+		return utls.HelloIOS_11_1
+	case protocol.TLS_PROFILE_IOS_121:
+		return utls.HelloIOS_12_1
 	case protocol.TLS_PROFILE_CHROME_58:
 		return utls.HelloChrome_58
-	case protocol.TLS_PROFILE_CHROME_57:
-		return utls.HelloChrome_57
+	case protocol.TLS_PROFILE_CHROME_62:
+		return utls.HelloChrome_62
+	case protocol.TLS_PROFILE_CHROME_70:
+		return utls.HelloChrome_70
+	case protocol.TLS_PROFILE_CHROME_72:
+		return utls.HelloChrome_72
+	case protocol.TLS_PROFILE_FIREFOX_55:
+		return utls.HelloFirefox_55
 	case protocol.TLS_PROFILE_FIREFOX_56:
 		return utls.HelloFirefox_56
+	case protocol.TLS_PROFILE_FIREFOX_65:
+		return utls.HelloFirefox_65
 	case protocol.TLS_PROFILE_RANDOMIZED:
 		return utls.HelloRandomized
 	default:
@@ -204,47 +211,43 @@ func getUTLSClientHelloID(tlsProfile string) utls.ClientHelloID {
 	}
 }
 
-// tlsConn provides a common interface for calling utls and tris methods. Both
-// utls and tris are derived from crypto/tls and have identical functions but
-// different types for return values etc.
-type tlsConn interface {
-	net.Conn
-	Handshake() error
-	GetPeerCertificates() []*x509.Certificate
-	IsHTTP2() bool
-}
+func getClientHelloVersion(utlsClientHelloID utls.ClientHelloID) (string, error) {
 
-type utlsConn struct {
-	*utls.UConn
-}
+	// Assumes utlsClientHelloID.Seed has been set; otherwise the result is
+	// ephemeral.
 
-func (conn *utlsConn) GetPeerCertificates() []*x509.Certificate {
-	return conn.UConn.ConnectionState().PeerCertificates
-}
+	// As utls.HelloRandomized may be either TLS 1.2 or TLS 1.3, we cannot
+	// perform a simple ClientHello ID check. BuildHandshakeState is run, which
+	// constructs the entire ClientHello.
+	//
+	// BenchmarkRandomizedGetClientHelloVersion indicates that this operation
+	// takes on the order of 0.05ms and allocates ~8KB for randomized client
+	// hellos.
 
-func (conn *utlsConn) IsHTTP2() bool {
-	state := conn.UConn.ConnectionState()
-	return state.NegotiatedProtocolIsMutual &&
-		state.NegotiatedProtocol == "h2"
-}
+	conn := utls.UClient(
+		nil,
+		&utls.Config{InsecureSkipVerify: true},
+		utlsClientHelloID)
 
-type trisConn struct {
-	*tris.Conn
-}
+	err := conn.BuildHandshakeState()
+	if err != nil {
+		return "", common.ContextError(err)
+	}
 
-func (conn *trisConn) GetPeerCertificates() []*x509.Certificate {
-	return conn.Conn.ConnectionState().PeerCertificates
-}
+	for _, v := range conn.HandshakeState.Hello.SupportedVersions {
+		if v == utls.VersionTLS13 {
+			return protocol.TLS_VERSION_13, nil
+		}
+	}
 
-func (conn *trisConn) IsHTTP2() bool {
-	state := conn.Conn.ConnectionState()
-	return state.NegotiatedProtocolIsMutual &&
-		state.NegotiatedProtocol == "h2"
+	return protocol.TLS_VERSION_12, nil
 }
 
 func IsTLSConnUsingHTTP2(conn net.Conn) bool {
-	if c, ok := conn.(tlsConn); ok {
-		return c.IsHTTP2()
+	if c, ok := conn.(*utls.UConn); ok {
+		state := c.ConnectionState()
+		return state.NegotiatedProtocolIsMutual &&
+			state.NegotiatedProtocol == "h2"
 	}
 	return false
 }
@@ -314,23 +317,6 @@ func CustomTLSDial(
 		tlsConfigInsecureSkipVerify = true
 	}
 
-	var obfuscatedSessionTicketKey [32]byte
-
-	if config.ObfuscatedSessionTicketKey != "" {
-
-		// See obfuscated session ticket overview in
-		// NewObfuscatedClientSessionCache.
-
-		key, err := hex.DecodeString(config.ObfuscatedSessionTicketKey)
-		if err == nil && len(key) != 32 {
-			err = errors.New("invalid obfuscated session key length")
-		}
-		if err != nil {
-			return nil, common.ContextError(err)
-		}
-		copy(obfuscatedSessionTicketKey[:], key)
-	}
-
 	var tlsRootCAs *x509.CertPool
 
 	if !config.SkipVerify &&
@@ -345,88 +331,121 @@ func CustomTLSDial(
 		tlsRootCAs.AppendCertsFromPEM(certData)
 	}
 
-	randomizedTLSProfileSeed := config.RandomizedTLSProfileSeed
+	tlsConfig := &utls.Config{
+		RootCAs:            tlsRootCAs,
+		InsecureSkipVerify: tlsConfigInsecureSkipVerify,
+		ServerName:         tlsConfigServerName,
+	}
+
+	utlsClientHelloID := getUTLSClientHelloID(selectedTLSProfile)
+
+	isRandomized := protocol.TLSProfileIsRandomized(selectedTLSProfile)
+
+	var randomizedTLSProfileSeed *prng.Seed
 
-	if protocol.TLSProfileIsRandomized(selectedTLSProfile) &&
-		randomizedTLSProfileSeed == nil {
+	if isRandomized {
 
-		randomizedTLSProfileSeed, err = prng.NewSeed()
+		randomizedTLSProfileSeed = config.RandomizedTLSProfileSeed
+
+		if randomizedTLSProfileSeed == nil {
+
+			randomizedTLSProfileSeed, err = prng.NewSeed()
+			if err != nil {
+				return nil, common.ContextError(err)
+			}
+		}
+
+		utlsClientHelloID.Seed = new(utls.PRNGSeed)
+		*utlsClientHelloID.Seed = [32]byte(*randomizedTLSProfileSeed)
+	}
+
+	// As noted here,
+	// https://gitlab.com/yawning/obfs4/commit/ca6765e3e3995144df2b1ca9f0e9d823a7f8a47c,
+	// the dynamic record sizing optimization in crypto/tls is not commonly
+	// implemented in browsers. Disable it for all non-Golang utls parrots and
+	// select it randomly when using the randomized client hello.
+	if isRandomized {
+		PRNG, err := prng.NewPRNGWithSaltedSeed(randomizedTLSProfileSeed, "tls-dynamic-record-sizing")
 		if err != nil {
 			return nil, common.ContextError(err)
 		}
+		tlsConfig.DynamicRecordSizingDisabled = PRNG.FlipCoin()
+	} else {
+		tlsConfig.DynamicRecordSizingDisabled = (utlsClientHelloID != utls.HelloGolang)
 	}
 
-	// Depending on the selected TLS profile, the TLS provider will be tris
-	// (TLS 1.3) or utls (all other profiles).
+	conn := utls.UClient(rawConn, tlsConfig, utlsClientHelloID)
 
-	var conn tlsConn
+	clientSessionCache := config.clientSessionCache
+	if clientSessionCache == nil {
+		clientSessionCache = utls.NewLRUClientSessionCache(0)
+	}
 
-	if useUTLS(selectedTLSProfile) {
+	conn.SetSessionCache(clientSessionCache)
 
-		clientSessionCache := config.utlsClientSessionCache
-		if clientSessionCache == nil {
-			clientSessionCache = utls.NewLRUClientSessionCache(0)
-		}
+	// Obfuscated session tickets are not currently supported in TLS 1.3, but we
+	// allow UNFRONTED-MEEK-SESSION-TICKET-OSSH to use TLS 1.3 profiles for
+	// additional diversity/capacity; TLS 1.3 encrypts the server certificate,
+	// so the desired obfuscated session tickets property of obfuscating server
+	// certificates is satisfied. We know that when the ClientHello offers TLS
+	// 1.3, the Psiphon server, in these direct protocol cases, will negotiate
+	// it.
+	if config.ObfuscatedSessionTicketKey != "" {
 
-		tlsConfig := &utls.Config{
-			RootCAs:            tlsRootCAs,
-			InsecureSkipVerify: tlsConfigInsecureSkipVerify,
-			ServerName:         tlsConfigServerName,
-			ClientSessionCache: clientSessionCache,
+		tlsVersion, err := getClientHelloVersion(utlsClientHelloID)
+		if err != nil {
+			return nil, common.ContextError(err)
 		}
 
-		uconn := utls.UClient(
-			rawConn,
-			tlsConfig,
-			getUTLSClientHelloID(selectedTLSProfile),
-			randomizedTLSProfileSeed)
+		if tlsVersion == protocol.TLS_VERSION_12 {
 
-		if config.ObfuscatedSessionTicketKey != "" {
-			sessionState, err := utls.NewObfuscatedClientSessionState(
-				obfuscatedSessionTicketKey)
+			var obfuscatedSessionTicketKey [32]byte
+
+			key, err := hex.DecodeString(config.ObfuscatedSessionTicketKey)
+			if err == nil && len(key) != 32 {
+				err = errors.New("invalid obfuscated session key length")
+			}
 			if err != nil {
 				return nil, common.ContextError(err)
 			}
-			uconn.SetSessionState(sessionState)
-		}
-
-		conn = &utlsConn{
-			UConn: uconn,
-		}
-
-	} else {
+			copy(obfuscatedSessionTicketKey[:], key)
 
-		clientSessionCache := config.trisClientSessionCache
-		if clientSessionCache == nil {
-			clientSessionCache = tris.NewLRUClientSessionCache(0)
-		}
+			obfuscatedSessionState, err := tris.NewObfuscatedClientSessionState(
+				obfuscatedSessionTicketKey)
+			if err != nil {
+				return nil, common.ContextError(err)
+			}
 
-		// The tris TLS provider should be used only for TLS 1.3.
-		//
-		// Obfuscated session tickets are not currently supported in TLS 1.3,
-		// but we allow UNFRONTED-MEEK-SESSION-TICKET-OSSH to use TLS 1.3
-		// profiles for additional diversity/capacity; TLS 1.3 encrypts the
-		// server certificate, so the desired obfuscated session tickets
-		// property of obfuscating server certificates is satisfied.
-		//
-		// An additional sanity check:
-		if !protocol.TLSProfileIsTLS13(selectedTLSProfile) {
-			return nil, common.ContextError(errors.New("TLS profile is not TLS 1.3"))
-		}
+			conn.SetSessionState(
+				utls.MakeClientSessionState(
+					obfuscatedSessionState.SessionTicket,
+					obfuscatedSessionState.Vers,
+					obfuscatedSessionState.CipherSuite,
+					obfuscatedSessionState.MasterSecret,
+					nil,
+					nil))
+
+			// Ensure that TLS ClientHello has required session ticket extension and
+			// obfuscated session ticket cipher suite; the latter is required by
+			// utls/tls.Conn.loadSession. If these requirements are not met the
+			// obfuscation session ticket would be ignored, so fail.
+
+			err = conn.BuildHandshakeState()
+			if err != nil {
+				return nil, common.ContextError(err)
+			}
 
-		tlsConfig := &tris.Config{
-			RootCAs:                 tlsRootCAs,
-			InsecureSkipVerify:      tlsConfigInsecureSkipVerify,
-			ServerName:              tlsConfigServerName,
-			ClientSessionCache:      clientSessionCache,
-			UseExtendedMasterSecret: true,
-			ClientHelloPRNGSeed:     randomizedTLSProfileSeed,
-		}
+			if !tris.ContainsObfuscatedSessionTicketCipherSuite(
+				conn.HandshakeState.Hello.CipherSuites) {
+				return nil, common.ContextError(
+					errors.New("missing obfuscated session ticket cipher suite"))
+			}
 
-		conn = &trisConn{
-			Conn: tris.Client(rawConn, tlsConfig),
+			if len(conn.HandshakeState.Hello.SessionTicket) == 0 {
+				return nil, common.ContextError(
+					errors.New("missing session ticket extension"))
+			}
 		}
-
 	}
 
 	resultChannel := make(chan error)
@@ -462,8 +481,8 @@ func CustomTLSDial(
 	return conn, nil
 }
 
-func verifyLegacyCertificate(conn tlsConn, expectedCertificate *x509.Certificate) error {
-	certs := conn.GetPeerCertificates()
+func verifyLegacyCertificate(conn *utls.UConn, expectedCertificate *x509.Certificate) error {
+	certs := conn.ConnectionState().PeerCertificates
 	if len(certs) < 1 {
 		return common.ContextError(errors.New("no certificate to verify"))
 	}
@@ -473,8 +492,8 @@ func verifyLegacyCertificate(conn tlsConn, expectedCertificate *x509.Certificate
 	return nil
 }
 
-func verifyServerCerts(conn tlsConn, hostname string) error {
-	certs := conn.GetPeerCertificates()
+func verifyServerCerts(conn *utls.UConn, hostname string) error {
+	certs := conn.ConnectionState().PeerCertificates
 
 	opts := x509.VerifyOptions{
 		Roots:         nil, // Use host's root CAs

psiphon/tlsCompatibility_test.go → psiphon/tlsDialer_test.go

@@ -32,28 +32,32 @@ import (
 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/parameters"
 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/protocol"
 	tris "github.com/Psiphon-Labs/tls-tris"
+	utls "github.com/refraction-networking/utls"
 )
 
-func TestTLSCompatibility(t *testing.T) {
+func TestTLSDialerCompatibility(t *testing.T) {
 
-	// Config should be newline delimited list of domain/IP:port TLS host
-	// addresses to connect to.
+	// This test checks that each TLS profile can successfully complete a TLS
+	// handshake with various servers. By default, only the "psiphon" case is
+	// run, which runs the same TLS listener used by a Psiphon server.
+	//
+	// An optional config file, when supplied, enables testing against remote
+	// servers. Config should be newline delimited list of domain/IP:port TLS
+	// host addresses to connect to.
 
-	config, err := ioutil.ReadFile("tlsCompatibility_test.config")
-	if err != nil {
-		// Skip, don't fail, if config file is not present
-		t.Skipf("error loading configuration file: %s", err)
+	var configAddresses []string
+	config, err := ioutil.ReadFile("tlsDialerCompatibility_test.config")
+	if err == nil {
+		configAddresses = strings.Split(string(config), "\n")
 	}
 
-	addresses := strings.Split(string(config), "\n")
-
 	runner := func(address string) func(t *testing.T) {
 		return func(t *testing.T) {
-			testTLSCompatibility(t, address)
+			testTLSDialerCompatibility(t, address)
 		}
 	}
 
-	for _, address := range addresses {
+	for _, address := range configAddresses {
 		if len(address) > 0 {
 			t.Run(address, runner(address))
 		}
@@ -62,7 +66,7 @@ func TestTLSCompatibility(t *testing.T) {
 	t.Run("psiphon", runner(""))
 }
 
-func testTLSCompatibility(t *testing.T, address string) {
+func testTLSDialerCompatibility(t *testing.T, address string) {
 
 	if address == "" {
 
@@ -162,3 +166,65 @@ func testTLSCompatibility(t *testing.T, address string) {
 		}
 	}
 }
+
+func TestSelectTLSProfile(t *testing.T) {
+
+	clientParameters, err := parameters.NewClientParameters(nil)
+	if err != nil {
+		t.Fatalf("%s\n", err)
+	}
+
+	selected := make(map[string]int)
+
+	numSelections := 10000
+
+	for i := 0; i < numSelections; i++ {
+		profile := SelectTLSProfile(clientParameters.Get())
+		selected[profile] += 1
+	}
+
+	// All TLS profiles should be selected at least once.
+
+	for _, profile := range protocol.SupportedTLSProfiles {
+		if selected[profile] < 1 {
+			t.Errorf("TLS profile %s not selected", profile)
+		}
+	}
+
+	// Randomized TLS profiles should be selected with expected probability.
+
+	numRandomized := 0
+	for profile, n := range selected {
+		if protocol.TLSProfileIsRandomized(profile) {
+			numRandomized += n
+		}
+	}
+
+	t.Logf("ratio of randomized selected: %d/%d",
+		numRandomized, numSelections)
+
+	randomizedProbability := clientParameters.Get().Float(
+		parameters.SelectRandomizedTLSProfileProbability)
+
+	if numRandomized < int(0.9*float64(numSelections)*randomizedProbability) ||
+		numRandomized > int(1.1*float64(numSelections)*randomizedProbability) {
+
+		t.Error("Unexpected ratio")
+	}
+
+	// getUTLSClientHelloID should map each TLS profile to a utls ClientHelloID.
+
+	for _, profile := range protocol.SupportedTLSProfiles {
+		if getUTLSClientHelloID(profile) == utls.HelloGolang {
+			t.Errorf("TLS profile %s has no utls ClientHelloID", profile)
+		}
+	}
+}
+
+func BenchmarkRandomizedGetClientHelloVersion(b *testing.B) {
+	for n := 0; n < b.N; n++ {
+		utlsClientHelloID := utls.HelloRandomized
+		utlsClientHelloID.Seed, _ = utls.NewPRNGSeed()
+		getClientHelloVersion(utlsClientHelloID)
+	}
+}

vendor/github.com/Psiphon-Labs/tls-tris/common.go

@@ -20,7 +20,7 @@ import (
 	"time"
 
 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/prng"
-	"github.com/Psiphon-Labs/utls/cipherhw"
+	"github.com/Psiphon-Labs/tls-tris/cipherhw"
 )
 
 const (

vendor/github.com/Psiphon-Labs/tls-tris/obfuscated.go

@@ -1,137 +0,0 @@
-/*
- * Copyright (c) 2016, Psiphon Inc.
- * All rights reserved.
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package tls
-
-import (
-	"crypto/rand"
-)
-
-// NewObfuscatedClientSessionCache produces obfuscated session tickets.
-//
-// [Psiphon]
-// Obfuscated Session Tickets
-//
-// Obfuscated session tickets is a network traffic obfuscation protocol that appears
-// to be valid TLS using session tickets. The client actually generates the session
-// ticket and encrypts it with a shared secret, enabling a TLS session that entirely
-// skips the most fingerprintable aspects of TLS.
-// The scheme is described here:
-// https://lists.torproject.org/pipermail/tor-dev/2016-September/011354.html
-//
-// Circumvention notes:
-//  - TLS session ticket implementations are widespread:
-//    https://istlsfastyet.com/#cdn-paas.
-//  - An adversary cannot easily block session ticket capability, as this requires
-//    a downgrade attack against TLS.
-//  - Anti-probing defence is provided, as the adversary must use the correct obfuscation
-//    shared secret to form valid obfuscation session ticket; otherwise server offers
-//    standard session tickets.
-//  - Limitation: TLS protocol and session ticket size correspond to golang implementation
-//    and not more common OpenSSL.
-//  - Limitation: an adversary with the obfuscation shared secret can decrypt the session
-//    ticket and observe the plaintext traffic. It's assumed that the adversary will not
-//    learn the obfuscated shared secret without also learning the address of the TLS
-//    server and blocking it anyway; it's also assumed that the TLS payload is not
-//    plaintext but is protected with some other security layer (e.g., SSH).
-//
-// Implementation notes:
-//   - Client should set its ClientSessionCache to a NewObfuscatedTLSClientSessionCache.
-//     This cache ignores the session key and always produces obfuscated session tickets.
-//   - The TLS ClientHello includes an SNI field, even when using session tickets, so
-//     the client should populate the ServerName.
-//   - Server should set its SetSessionTicketKeys with first a standard key, followed by
-//     the obfuscation shared secret.
-//   - Since the client creates the session ticket, it selects parameters that were not
-//     negotiated with the server, such as the cipher suite. It's implicitly assumed that
-//     the server can support the selected parameters.
-//
-// tls-tris notes:
-//   - Obfuscated session tickets are not supported for TLS 1.3 _clients_, which use a
-//     distinct session ticket format. Obfuscated session ticket support in this package
-//     is intended to support TLS 1.2 clients.
-//
-func NewObfuscatedClientSessionCache(sharedSecret [32]byte) ClientSessionCache {
-	return &obfuscatedClientSessionCache{
-		sharedSecret: sharedSecret,
-		realTickets:  NewLRUClientSessionCache(-1),
-	}
-}
-
-type obfuscatedClientSessionCache struct {
-	sharedSecret [32]byte
-	realTickets  ClientSessionCache
-}
-
-func (cache *obfuscatedClientSessionCache) Put(key string, state *ClientSessionState) {
-	// When new, real session tickets are issued, use them.
-	cache.realTickets.Put(key, state)
-}
-
-func (cache *obfuscatedClientSessionCache) Get(key string) (*ClientSessionState, bool) {
-	clientSessionState, ok := cache.realTickets.Get(key)
-	if ok {
-		return clientSessionState, true
-	}
-	// Bootstrap with an obfuscated session ticket.
-	clientSessionState, err := NewObfuscatedClientSessionState(cache.sharedSecret)
-	if err != nil {
-		// TODO: log error
-		// This will fall back to regular TLS
-		return nil, false
-	}
-	return clientSessionState, true
-}
-
-func NewObfuscatedClientSessionState(sharedSecret [32]byte) (*ClientSessionState, error) {
-
-	// Create a session ticket that wasn't actually issued by the server.
-	vers := uint16(VersionTLS12)
-	cipherSuite := TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-	masterSecret := make([]byte, masterSecretLength)
-	_, err := rand.Read(masterSecret)
-	if err != nil {
-		return nil, err
-	}
-	serverState := &sessionState{
-		vers:         vers,
-		cipherSuite:  cipherSuite,
-		masterSecret: masterSecret,
-		certificates: nil,
-	}
-	c := &Conn{
-		config: &Config{
-			sessionTicketKeys: []ticketKey{ticketKeyFromBytes(sharedSecret)},
-		},
-	}
-	sessionTicket, err := c.encryptTicket(serverState.marshal())
-	if err != nil {
-		return nil, err
-	}
-
-	// Pretend we got that session ticket from the server.
-	clientState := &ClientSessionState{
-		sessionTicket: sessionTicket,
-		vers:          vers,
-		cipherSuite:   cipherSuite,
-		masterSecret:  masterSecret,
-	}
-
-	return clientState, nil
-}

vendor/github.com/Psiphon-Labs/tls-tris/ticket.go

@@ -16,6 +16,7 @@ import (
 
 	// [Psiphon]
 	"crypto/rand"
+	"crypto/x509"
 	"math/big"
 	math_rand "math/rand"
 )
@@ -183,6 +184,105 @@ func (s *sessionState) unmarshal(data []byte) alert {
 	return alertSuccess
 }
 
+// [Psiphon]
+type ObfuscatedClientSessionState struct {
+	SessionTicket      []uint8
+	Vers               uint16
+	CipherSuite        uint16
+	MasterSecret       []byte
+	ServerCertificates []*x509.Certificate
+	VerifiedChains     [][]*x509.Certificate
+	UseEMS             bool
+}
+
+var obfuscatedSessionTicketCipherSuite = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+
+// [Psiphon]
+// NewObfuscatedClientSessionState produces obfuscated session tickets.
+//
+// Obfuscated Session Tickets
+//
+// Obfuscated session tickets is a network traffic obfuscation protocol that appears
+// to be valid TLS using session tickets. The client actually generates the session
+// ticket and encrypts it with a shared secret, enabling a TLS session that entirely
+// skips the most fingerprintable aspects of TLS.
+// The scheme is described here:
+// https://lists.torproject.org/pipermail/tor-dev/2016-September/011354.html
+//
+// Circumvention notes:
+//  - TLS session ticket implementations are widespread:
+//    https://istlsfastyet.com/#cdn-paas.
+//  - An adversary cannot easily block session ticket capability, as this requires
+//    a downgrade attack against TLS.
+//  - Anti-probing defence is provided, as the adversary must use the correct obfuscation
+//    shared secret to form valid obfuscation session ticket; otherwise server offers
+//    standard session tickets.
+//  - Limitation: an adversary with the obfuscation shared secret can decrypt the session
+//    ticket and observe the plaintext traffic. It's assumed that the adversary will not
+//    learn the obfuscated shared secret without also learning the address of the TLS
+//    server and blocking it anyway; it's also assumed that the TLS payload is not
+//    plaintext but is protected with some other security layer (e.g., SSH).
+//
+// Implementation notes:
+//   - The TLS ClientHello includes an SNI field, even when using session tickets, so
+//     the client should populate the ServerName.
+//   - Server should set its SetSessionTicketKeys with first a standard key, followed by
+//     the obfuscation shared secret.
+//   - Since the client creates the session ticket, it selects parameters that were not
+//     negotiated with the server, such as the cipher suite. It's implicitly assumed that
+//     the server can support the selected parameters.
+//   - Obfuscated session tickets are not supported for TLS 1.3 _clients_, which use a
+//     distinct scheme. Obfuscated session ticket support in this package is intended to
+//     support TLS 1.2 clients.
+//
+func NewObfuscatedClientSessionState(sharedSecret [32]byte) (*ObfuscatedClientSessionState, error) {
+
+	// Create a session ticket that wasn't actually issued by the server.
+	vers := uint16(VersionTLS12)
+	cipherSuite := obfuscatedSessionTicketCipherSuite
+	masterSecret := make([]byte, masterSecretLength)
+	_, err := rand.Read(masterSecret)
+	if err != nil {
+		return nil, err
+	}
+	serverState := &sessionState{
+		vers:         vers,
+		cipherSuite:  cipherSuite,
+		masterSecret: masterSecret,
+		certificates: nil,
+	}
+	c := &Conn{
+		config: &Config{
+			sessionTicketKeys: []ticketKey{ticketKeyFromBytes(sharedSecret)},
+		},
+	}
+	sessionTicket, err := c.encryptTicket(serverState.marshal())
+	if err != nil {
+		return nil, err
+	}
+
+	// ObfuscatedClientSessionState fields are used to construct
+	// ClientSessionState objects for use in ClientSessionCaches. The client will
+	// use this cache to pretend it got that session ticket from the server.
+	clientState := &ObfuscatedClientSessionState{
+		SessionTicket: sessionTicket,
+		Vers:          vers,
+		CipherSuite:   cipherSuite,
+		MasterSecret:  masterSecret,
+	}
+
+	return clientState, nil
+}
+
+func ContainsObfuscatedSessionTicketCipherSuite(cipherSuites []uint16) bool {
+	for _, cipherSuite := range cipherSuites {
+		if cipherSuite == obfuscatedSessionTicketCipherSuite {
+			return true
+		}
+	}
+	return false
+}
+
 type sessionState13 struct {
 	vers            uint16
 	suite           uint16

vendor/github.com/Psiphon-Labs/utls/CONTRIBUTING.md

@@ -1,23 +0,0 @@
-# How to Contribute
-
-We'd love to accept your patches and contributions to this project. There are
-just a few small guidelines you need to follow.
-
-## Contributor License Agreement
-
-Contributions to this project must be accompanied by a Contributor License
-Agreement. You (or your employer) retain the copyright to your contribution,
-this simply gives us permission to use and redistribute your contributions as
-part of the project. Head over to <https://cla.developers.google.com/> to see
-your current agreements on file or to sign a new one.
-
-You generally only need to submit a CLA once, so if you've already submitted one
-(even if it was for a different project), you probably don't need to do it
-again.
-
-## Code reviews
-
-All submissions, including submissions by project members, require review. We
-use GitHub pull requests for this purpose. Consult
-[GitHub Help](https://help.github.com/articles/about-pull-requests/) for more
-information on using pull requests.

vendor/github.com/Psiphon-Labs/utls/CONTRIBUTORS_GUIDE.md

@@ -1,69 +0,0 @@
-# How this package works
-### Chapter 1: [Making private things public](./u_public.go)
-There are numerous handshake-related structs in crypto/tls, most of which are either private or have private fields.
-One of them — `clientHandshakeState` — has private function `handshake()`,
-which is called in the beginning of default handshake.  
-Unfortunately, user will not be able to directly access this struct outside of tls package.
-As a result, we decided to employ following workaround: declare public copies of private structs.
-Now user is free to manipulate fields of public `ClientHandshakeState`.
-Then, right before handshake, we can shallow-copy public state into private `clientHandshakeState`,
-call `handshake()` on it and carry on with default Golang handshake process.
-After handshake is done we shallow-copy private state back to public, allowing user to read results of handshake.
-
-### Chapter 2: [TLSExtension](./u_tls_extensions.go)
-The way we achieve reasonable flexibilty with extensions is inspired by
-[ztls'](https://github.com/zmap/zcrypto/blob/master/tls/handshake_extensions.go) design.
-However, our design has several differences, so we wrote it from scratch.
-This design allows us to have an array of `TLSExtension` objects and then marshal them in order:
-```Golang
-type TLSExtension interface {
-	writeToUConn(*UConn) error
-
-	Len() int // includes header
-
-	// Read reads up to len(p) bytes into p.
-	// It returns the number of bytes read (0 <= n <= len(p)) and any error encountered.
-	Read(p []byte) (n int, err error) // implements io.Reader
-}
-```
-`writeToUConn()` applies appropriate per-extension changes to `UConn`.
-
-`Len()` provides the size of marshaled extension, so we can allocate appropriate buffer beforehand,
-catch out-of-bound errors easily and guide size-dependent extensions such as padding.
-
-`Read(buffer []byte)` _writes(see: io.Reader interface)_ marshaled extensions into provided buffer.
-This avoids extra allocations.
-
-### Chapter 3: [UConn](./u_conn.go)
-`UConn` extends standard `tls.Conn`. Most notably, it stores slice with `TLSExtension`s and public
-`ClientHandshakeState`.  
-Whenever `UConn.BuildHandshakeState()` gets called (happens automatically in `UConn.Handshake()`
-or could be called manually), config will be applied according to chosen `ClientHelloID`.
-From contributor's view there are 2 main behaviors:  
- * `HelloGolang` simply calls default Golang's [`makeClientHello()`](./handshake_client.go)
- and directly stores it into `HandshakeState.Hello`. utls-specific stuff is ignored.  
- * Other ClientHelloIDs fill `UConn.Hello.{Random, CipherSuites, CompressionMethods}` and `UConn.Extensions` with
-per-parrot setup, which then gets applied to appropriate standard tls structs,
-and then marshaled by utls into `HandshakeState.Hello`.
-
-### Chapter 4: Tests
-
-Tests exist, but coverage is very limited. What's covered is a conjunction of
- * TLS 1.2
- * Working parrots without any unsupported extensions (only Android 5.1 at this time)
- * Ciphersuites offered by parrot.
- * Ciphersuites supported by Golang
- * Simple conversation with reference implementation of OpenSSL.
-(e.g. no automatic checks for renegotiations, parroting quality and such)
-
-plus we test some other minor things.
-Basically, current tests aim to provide a sanity check.
-
-# Merging upstream
-```Bash
-git remote add -f golang git@github.com:golang/go.git
-git checkout -b golang-upstream golang/master
-git subtree split -P src/crypto/tls/ -b golang-tls-upstream
-git checkout master
-git merge --no-commit golang-tls-upstream
-```

vendor/github.com/Psiphon-Labs/utls/LICENSE

@@ -1,27 +0,0 @@
-Copyright (c) 2009 The Go Authors. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-   * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
-   * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
-   * Neither the name of Google Inc. nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/Psiphon-Labs/utls/README.md

@@ -1,161 +0,0 @@
-# uTLS
-[![Build Status](https://travis-ci.org/refraction-networking/utls.svg?branch=master)](https://travis-ci.org/refraction-networking/utls)
-[![godoc](https://img.shields.io/badge/godoc-reference-blue.svg)](https://godoc.org/github.com/refraction-networking/utls#UConn)
----
-uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance, low-level access to handshake, fake session tickets and some other features. Handshake is still performed by "crypto/tls", this library merely changes ClientHello part of it and provides low-level access.  
-If you have any questions, bug reports or contributions, you are welcome to publish those on GitHub. If you want to do so in private, you can contact one of developers personally via sergey.frolov@colorado.edu
-# Features
-## Low-level access to handshake
-* Read/write access to all bits of client hello message.  
-* Read access to fields of ClientHandshakeState, which, among other things, includes ServerHello and MasterSecret.
-* Read keystream. Can be used, for example, to "write" something in ciphertext.
-## ClientHello fingerprinting resistance
-Golang's ClientHello has a very unique fingerprint, which especially sticks out on mobile clients,
-where Golang is not too popular yet.
-Some members of anti-censorship community are concerned that their tools could be trivially blocked based on
-ClientHello with relatively small collateral damage. There are multiple solutions to this issue.
-### Randomized handshake
-This package can generate randomized ClientHello using only extensions and cipherSuites "crypto/tls" already supports.
-This provides a solid moving target without any compatibility or parrot-is-dead attack risks.  
-**Feedback about opinionated implementation details of randomized handshake is appreciated.**
-### Parroting
-This package can be used to parrot ClientHello of popular browsers.
-There are some caveats to this parroting:
-* We are forced to offer ciphersuites and tls extensions that are not supported by crypto/tls.
-This is not a problem, if you fully control the server and turn unsupported things off on server side.
-* Parroting could be imperfect, and there is no parroting beyond ClientHello.
-#### Compatibility risks of available parrots
-
-| Parrot        | Ciphers* | Signature* | Unsupported extensions |
-| ------------- | -------- | ---------- | ---------------------- |
-| Android 5.1   | low      | very low   | None                   |
-| Android 6.0   | low      | very low   | None                   |
-| Chrome 58     | no       | low        | ChannelID              |
-| Firefox 55    | very low | low        | None                   |
-
-\* Denotes very rough guesstimate of likelihood that unsupported things will get echoed back by the server in the wild,
-*visibly breaking the connection*.  
-
-
-#### Parrots FAQ
-> Does it really look like, say, Google Chrome with all the [GREASE](https://tools.ietf.org/html/draft-davidben-tls-grease-01) and stuff?
-
-It LGTM, but please open up Wireshark and check. If you see something — [say something](issues).
-
-> Aren't there side channels? Everybody knows that the ~~bird is a word~~[parrot is dead](https://people.cs.umass.edu/~amir/papers/parrot.pdf)
-
-There sure are. If you found one that approaches practicality at line speed — [please tell us](issues).
-
-#### Things to implement in Golang to make parrots better
-uTLS is fundamentially limited in parroting, because Golang's "crypto/tls" doesn't support many things. Would be nice to have:
- * ChannelID extension
- * Enable sha512 and sha224 hashes by default
- * Implement RSA PSS signature algorithms
- * In general, any modern crypto is likely to be useful going forward.
-### Custom Handshake
-It is possible to create custom handshake by
-1) Use `HelloCustom` as an argument for `UClient()` to get empty config
-2) Fill tls header fields: UConn.Hello.{Random, CipherSuites, CompressionMethods}, if needed, or stick to defaults.
-3) Configure and add various [TLS Extensions](u_tls_extensions.go) to UConn.Extensions: they will be marshaled in order.
-4) Set Session and SessionCache, as needed.
-
-If you need to manually control all the bytes on the wire(certainly not recommended!),
-you can set UConn.HandshakeStateBuilt = true, and marshal clientHello into UConn.HandshakeState.Hello.raw yourself.
-In this case you will be responsible for modifying other parts of Config and ClientHelloMsg to reflect your setup
-and not confuse "crypto/tls", which will be processing response from server.
-## Fake Session Tickets
-Fake session tickets is a very nifty trick that allows power users to hide parts of handshake, which may have some very fingerprintable features of handshake, and saves 1 RTT.
-Currently, there is a simple function to set session ticket to any desired state:
-
-```Golang
-// If you want you session tickets to be reused - use same cache on following connections
-func (uconn *UConn) SetSessionState(session *ClientSessionState)
-```
-
-Note that session tickets (fake ones or otherwise) are not reused.  
-To reuse tickets, create a shared cache and set it on current and further configs:
-
-```Golang
-// If you want you session tickets to be reused - use same cache on following connections
-func (uconn *UConn) SetSessionCache(cache ClientSessionCache)
-```
-
-# Client Hello IDs
-See full list of `clientHelloID` values [here](https://godoc.org/github.com/refraction-networking/utls#ClientHelloID).  
-There are different behaviors you can get, depending  on your `clientHelloID`:
-
-1. ```utls.HelloRandomized``` adds/reorders extensions, ciphersuites, etc. randomly.  
-`HelloRandomized` adds ALPN in 50% of cases, you may want to use `HelloRandomizedALPN` or
-`HelloRandomizedNoALPN` to choose specific behavior explicitly, as ALPN might affect application layer.
-2. ```utls.HelloGolang```
-    HelloGolang will use default "crypto/tls" handshake marshaling codepath, which WILL
-    overwrite your changes to Hello(Config, Session are fine).
-    You might want to call BuildHandshakeState() before applying any changes.
-    UConn.Extensions will be completely ignored.
-3. ```utls.HelloCustom```
-will prepare ClientHello with empty uconn.Extensions so you can fill it with TLSExtension's manually.
-4. The rest will will parrot given browser. Such parrots include, for example:
-	* `utls.HelloChrome_Auto`- parrots recommended(latest) Google Chrome version
-	* `utls.HelloChrome_58` - parrots Google Chrome 58
-	* `utls.HelloFirefox_Auto` - parrots recommended(latest) Firefox version
-	* `utls.HelloFirefox_55` - parrots Firefox 55
-	
-# Usage
-## Examples
-Find basic examples [here](examples/examples.go).  
-Here's a more [advanced example](https://github.com/sergeyfrolov/gotapdance/blob//9a777f35a04b0c4c5dacd30bca0e9224eb737b5e/tapdance/conn_raw.go#L275-L292) showing how to generate randomized ClientHello, modify generated ciphersuites a bit, and proceed with the handshake.
-### Migrating from "crypto/tls"
-Here's how default "crypto/tls" is typically used:
-```Golang
-    dialConn, err := net.Dial("tcp", "172.217.11.46:443")
-    if err != nil {
-        fmt.Printf("net.Dial() failed: %+v\n", err)
-        return
-    }
-
-    config := tls.Config{ServerName: "www.google.com"}
-    tlsConn := tls.Client(dialConn, &config)
-    n, err = tlsConn.Write("Hello, World!")
-    //...
-```
-To start using using uTLS:
-1. Import this library (e.g. `import tls "github.com/Jigsaw-Code/utls"`)
-2. Pick the [Client Hello ID](#client-hello-ids)
-3. Simply substitute `tlsConn := tls.Client(dialConn, &config)`
-with `tlsConn := tls.UClient(dialConn, &config, tls.clientHelloID)`  
-
-### Customizing handshake
-Some customizations(such as setting session ticket/clientHello) have easy-to-use functions for them. The idea is to make common manipulations easy:
-```Golang
-    cRandom := []byte{100, 101, 102, 103, 104, 105, 106, 107, 108, 109,
-        110, 111, 112, 113, 114, 115, 116, 117, 118, 119,
-        120, 121, 122, 123, 124, 125, 126, 127, 128, 129,
-        130, 131}
-    tlsConn.SetClientRandom(cRandom)
-    masterSecret := make([]byte, 48)
-    copy(masterSecret, []byte("masterSecret is NOT sent over the wire")) // you may use it for real security
-
-    // Create a session ticket that wasn't actually issued by the server.
-    sessionState := utls.MakeClientSessionState(sessionTicket, uint16(tls.VersionTLS12),
-        tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-        masterSecret,
-        nil, nil)
-    tlsConn.SetSessionState(sessionState)
-```
-
-For other customizations there are following functions
-```
-// you can use this to build the state manually and change it
-// for example use Randomized ClientHello, and add more extensions
-func (uconn *UConn) BuildHandshakeState() error
-```
-```
-// Then apply the changes and marshal final bytes, which will be sent
-func (uconn *UConn) MarshalClientHello() error
-```
-
-## Contributors' guide
-Please refer to [this document](./CONTRIBUTORS_GUIDE.md) if you're interested in internals
-
-## Disclamer
-This is not an official Google product.

vendor/github.com/Psiphon-Labs/utls/alert.go

@@ -1,81 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tls
-
-import "strconv"
-
-type alert uint8
-
-const (
-	// alert level
-	alertLevelWarning = 1
-	alertLevelError   = 2
-)
-
-const (
-	alertCloseNotify            alert = 0
-	alertUnexpectedMessage      alert = 10
-	alertBadRecordMAC           alert = 20
-	alertDecryptionFailed       alert = 21
-	alertRecordOverflow         alert = 22
-	alertDecompressionFailure   alert = 30
-	alertHandshakeFailure       alert = 40
-	alertBadCertificate         alert = 42
-	alertUnsupportedCertificate alert = 43
-	alertCertificateRevoked     alert = 44
-	alertCertificateExpired     alert = 45
-	alertCertificateUnknown     alert = 46
-	alertIllegalParameter       alert = 47
-	alertUnknownCA              alert = 48
-	alertAccessDenied           alert = 49
-	alertDecodeError            alert = 50
-	alertDecryptError           alert = 51
-	alertProtocolVersion        alert = 70
-	alertInsufficientSecurity   alert = 71
-	alertInternalError          alert = 80
-	alertInappropriateFallback  alert = 86
-	alertUserCanceled           alert = 90
-	alertNoRenegotiation        alert = 100
-	alertNoApplicationProtocol  alert = 120
-)
-
-var alertText = map[alert]string{
-	alertCloseNotify:            "close notify",
-	alertUnexpectedMessage:      "unexpected message",
-	alertBadRecordMAC:           "bad record MAC",
-	alertDecryptionFailed:       "decryption failed",
-	alertRecordOverflow:         "record overflow",
-	alertDecompressionFailure:   "decompression failure",
-	alertHandshakeFailure:       "handshake failure",
-	alertBadCertificate:         "bad certificate",
-	alertUnsupportedCertificate: "unsupported certificate",
-	alertCertificateRevoked:     "revoked certificate",
-	alertCertificateExpired:     "expired certificate",
-	alertCertificateUnknown:     "unknown certificate",
-	alertIllegalParameter:       "illegal parameter",
-	alertUnknownCA:              "unknown certificate authority",
-	alertAccessDenied:           "access denied",
-	alertDecodeError:            "error decoding message",
-	alertDecryptError:           "error decrypting message",
-	alertProtocolVersion:        "protocol version not supported",
-	alertInsufficientSecurity:   "insufficient security level",
-	alertInternalError:          "internal error",
-	alertInappropriateFallback:  "inappropriate fallback",
-	alertUserCanceled:           "user canceled",
-	alertNoRenegotiation:        "no renegotiation",
-	alertNoApplicationProtocol:  "no application protocol",
-}
-
-func (e alert) String() string {
-	s, ok := alertText[e]
-	if ok {
-		return "tls: " + s
-	}
-	return "tls: alert(" + strconv.Itoa(int(e)) + ")"
-}
-
-func (e alert) Error() string {
-	return e.String()
-}

vendor/github.com/Psiphon-Labs/utls/cipher_suites.go

@@ -1,396 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tls
-
-import (
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/des"
-	"crypto/hmac"
-	"crypto/rc4"
-	"crypto/sha1"
-	"crypto/sha256"
-	"crypto/x509"
-	"hash"
-
-	"golang.org/x/crypto/chacha20poly1305"
-)
-
-// a keyAgreement implements the client and server side of a TLS key agreement
-// protocol by generating and processing key exchange messages.
-type keyAgreement interface {
-	// On the server side, the first two methods are called in order.
-
-	// In the case that the key agreement protocol doesn't use a
-	// ServerKeyExchange message, generateServerKeyExchange can return nil,
-	// nil.
-	generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)
-	processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error)
-
-	// On the client side, the next two methods are called in order.
-
-	// This method may not be called if the server doesn't send a
-	// ServerKeyExchange message.
-	processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error
-	generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)
-}
-
-const (
-	// suiteECDH indicates that the cipher suite involves elliptic curve
-	// Diffie-Hellman. This means that it should only be selected when the
-	// client indicates that it supports ECC with a curve and point format
-	// that we're happy with.
-	suiteECDHE = 1 << iota
-	// suiteECDSA indicates that the cipher suite involves an ECDSA
-	// signature and therefore may only be selected when the server's
-	// certificate is ECDSA. If this is not set then the cipher suite is
-	// RSA based.
-	suiteECDSA
-	// suiteTLS12 indicates that the cipher suite should only be advertised
-	// and accepted when using TLS 1.2.
-	suiteTLS12
-	// suiteSHA384 indicates that the cipher suite uses SHA384 as the
-	// handshake hash.
-	suiteSHA384
-	// suiteDefaultOff indicates that this cipher suite is not included by
-	// default.
-	suiteDefaultOff
-)
-
-// A cipherSuite is a specific combination of key agreement, cipher and MAC
-// function. All cipher suites currently assume RSA key agreement.
-type cipherSuite struct {
-	id uint16
-	// the lengths, in bytes, of the key material needed for each component.
-	keyLen int
-	macLen int
-	ivLen  int
-	ka     func(version uint16) keyAgreement
-	// flags is a bitmask of the suite* values, above.
-	flags  int
-	cipher func(key, iv []byte, isRead bool) interface{}
-	mac    func(version uint16, macKey []byte) macFunction
-	aead   func(key, fixedNonce []byte) cipher.AEAD
-}
-
-var cipherSuites = []*cipherSuite{
-	// Ciphersuite order is chosen so that ECDHE comes before plain RSA and
-	// AEADs are the top preference.
-	{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
-	{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
-	{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
-	{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM},
-	{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
-	{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
-	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
-	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
-	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
-	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
-	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
-	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
-	{TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM},
-	{TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
-	{TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
-	{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
-	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
-	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
-	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
-
-	// RC4-based cipher suites are disabled by default.
-	{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil},
-	{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil},
-	{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteDefaultOff, cipherRC4, macSHA1, nil},
-}
-
-func cipherRC4(key, iv []byte, isRead bool) interface{} {
-	cipher, _ := rc4.NewCipher(key)
-	return cipher
-}
-
-func cipher3DES(key, iv []byte, isRead bool) interface{} {
-	block, _ := des.NewTripleDESCipher(key)
-	if isRead {
-		return cipher.NewCBCDecrypter(block, iv)
-	}
-	return cipher.NewCBCEncrypter(block, iv)
-}
-
-func cipherAES(key, iv []byte, isRead bool) interface{} {
-	block, _ := aes.NewCipher(key)
-	if isRead {
-		return cipher.NewCBCDecrypter(block, iv)
-	}
-	return cipher.NewCBCEncrypter(block, iv)
-}
-
-// macSHA1 returns a macFunction for the given protocol version.
-func macSHA1(version uint16, key []byte) macFunction {
-	if version == VersionSSL30 {
-		mac := ssl30MAC{
-			h:   sha1.New(),
-			key: make([]byte, len(key)),
-		}
-		copy(mac.key, key)
-		return mac
-	}
-	return tls10MAC{hmac.New(newConstantTimeHash(sha1.New), key)}
-}
-
-// macSHA256 returns a SHA-256 based MAC. These are only supported in TLS 1.2
-// so the given version is ignored.
-func macSHA256(version uint16, key []byte) macFunction {
-	return tls10MAC{hmac.New(sha256.New, key)}
-}
-
-type macFunction interface {
-	Size() int
-	MAC(digestBuf, seq, header, data, extra []byte) []byte
-}
-
-type aead interface {
-	cipher.AEAD
-
-	// explicitIVLen returns the number of bytes used by the explicit nonce
-	// that is included in the record. This is eight for older AEADs and
-	// zero for modern ones.
-	explicitNonceLen() int
-}
-
-// fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
-// each call.
-type fixedNonceAEAD struct {
-	// nonce contains the fixed part of the nonce in the first four bytes.
-	nonce [12]byte
-	aead  cipher.AEAD
-}
-
-func (f *fixedNonceAEAD) NonceSize() int        { return 8 }
-func (f *fixedNonceAEAD) Overhead() int         { return f.aead.Overhead() }
-func (f *fixedNonceAEAD) explicitNonceLen() int { return 8 }
-
-func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
-	copy(f.nonce[4:], nonce)
-	return f.aead.Seal(out, f.nonce[:], plaintext, additionalData)
-}
-
-func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
-	copy(f.nonce[4:], nonce)
-	return f.aead.Open(out, f.nonce[:], plaintext, additionalData)
-}
-
-// xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce
-// before each call.
-type xorNonceAEAD struct {
-	nonceMask [12]byte
-	aead      cipher.AEAD
-}
-
-func (f *xorNonceAEAD) NonceSize() int        { return 8 }
-func (f *xorNonceAEAD) Overhead() int         { return f.aead.Overhead() }
-func (f *xorNonceAEAD) explicitNonceLen() int { return 0 }
-
-func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
-	for i, b := range nonce {
-		f.nonceMask[4+i] ^= b
-	}
-	result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData)
-	for i, b := range nonce {
-		f.nonceMask[4+i] ^= b
-	}
-
-	return result
-}
-
-func (f *xorNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
-	for i, b := range nonce {
-		f.nonceMask[4+i] ^= b
-	}
-	result, err := f.aead.Open(out, f.nonceMask[:], plaintext, additionalData)
-	for i, b := range nonce {
-		f.nonceMask[4+i] ^= b
-	}
-
-	return result, err
-}
-
-func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
-	aes, err := aes.NewCipher(key)
-	if err != nil {
-		panic(err)
-	}
-	aead, err := cipher.NewGCM(aes)
-	if err != nil {
-		panic(err)
-	}
-
-	ret := &fixedNonceAEAD{aead: aead}
-	copy(ret.nonce[:], fixedNonce)
-	return ret
-}
-
-func aeadChaCha20Poly1305(key, fixedNonce []byte) cipher.AEAD {
-	aead, err := chacha20poly1305.New(key)
-	if err != nil {
-		panic(err)
-	}
-
-	ret := &xorNonceAEAD{aead: aead}
-	copy(ret.nonceMask[:], fixedNonce)
-	return ret
-}
-
-// ssl30MAC implements the SSLv3 MAC function, as defined in
-// www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1
-type ssl30MAC struct {
-	h   hash.Hash
-	key []byte
-}
-
-func (s ssl30MAC) Size() int {
-	return s.h.Size()
-}
-
-var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36}
-
-var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c}
-
-// MAC does not offer constant timing guarantees for SSL v3.0, since it's deemed
-// useless considering the similar, protocol-level POODLE vulnerability.
-func (s ssl30MAC) MAC(digestBuf, seq, header, data, extra []byte) []byte {
-	padLength := 48
-	if s.h.Size() == 20 {
-		padLength = 40
-	}
-
-	s.h.Reset()
-	s.h.Write(s.key)
-	s.h.Write(ssl30Pad1[:padLength])
-	s.h.Write(seq)
-	s.h.Write(header[:1])
-	s.h.Write(header[3:5])
-	s.h.Write(data)
-	digestBuf = s.h.Sum(digestBuf[:0])
-
-	s.h.Reset()
-	s.h.Write(s.key)
-	s.h.Write(ssl30Pad2[:padLength])
-	s.h.Write(digestBuf)
-	return s.h.Sum(digestBuf[:0])
-}
-
-type constantTimeHash interface {
-	hash.Hash
-	ConstantTimeSum(b []byte) []byte
-}
-
-// cthWrapper wraps any hash.Hash that implements ConstantTimeSum, and replaces
-// with that all calls to Sum. It's used to obtain a ConstantTimeSum-based HMAC.
-type cthWrapper struct {
-	h constantTimeHash
-}
-
-func (c *cthWrapper) Size() int                   { return c.h.Size() }
-func (c *cthWrapper) BlockSize() int              { return c.h.BlockSize() }
-func (c *cthWrapper) Reset()                      { c.h.Reset() }
-func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) }
-func (c *cthWrapper) Sum(b []byte) []byte         { return c.h.ConstantTimeSum(b) }
-
-func newConstantTimeHash(h func() hash.Hash) func() hash.Hash {
-	return func() hash.Hash {
-		return &cthWrapper{h().(constantTimeHash)}
-	}
-}
-
-// tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.
-type tls10MAC struct {
-	h hash.Hash
-}
-
-func (s tls10MAC) Size() int {
-	return s.h.Size()
-}
-
-// MAC is guaranteed to take constant time, as long as
-// len(seq)+len(header)+len(data)+len(extra) is constant. extra is not fed into
-// the MAC, but is only provided to make the timing profile constant.
-func (s tls10MAC) MAC(digestBuf, seq, header, data, extra []byte) []byte {
-	s.h.Reset()
-	s.h.Write(seq)
-	s.h.Write(header)
-	s.h.Write(data)
-	res := s.h.Sum(digestBuf[:0])
-	if extra != nil {
-		s.h.Write(extra)
-	}
-	return res
-}
-
-func rsaKA(version uint16) keyAgreement {
-	return rsaKeyAgreement{}
-}
-
-func ecdheECDSAKA(version uint16) keyAgreement {
-	return &ecdheKeyAgreement{
-		sigType: signatureECDSA,
-		version: version,
-	}
-}
-
-func ecdheRSAKA(version uint16) keyAgreement {
-	return &ecdheKeyAgreement{
-		sigType: signatureRSA,
-		version: version,
-	}
-}
-
-// mutualCipherSuite returns a cipherSuite given a list of supported
-// ciphersuites and the id requested by the peer.
-func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
-	for _, id := range have {
-		if id == want {
-			for _, suite := range utlsSupportedCipherSuites { // [UTLS]
-				if suite.id == want {
-					return suite
-				}
-			}
-			return nil
-		}
-	}
-	return nil
-}
-
-// A list of cipher suite IDs that are, or have been, implemented by this
-// package.
-//
-// Taken from http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
-const (
-	TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005
-	TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a
-	TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f
-	TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035
-	TLS_RSA_WITH_AES_128_CBC_SHA256         uint16 = 0x003c
-	TLS_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0x009c
-	TLS_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0x009d
-	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007
-	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009
-	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a
-	TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011
-	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012
-	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013
-	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014
-	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023
-	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   uint16 = 0xc027
-	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f
-	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
-	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   uint16 = 0xc030
-	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
-	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    uint16 = 0xcca8
-	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305  uint16 = 0xcca9
-
-	// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
-	// that the client is doing version fallback. See
-	// https://tools.ietf.org/html/rfc7507.
-	TLS_FALLBACK_SCSV uint16 = 0x5600
-)

vendor/github.com/Psiphon-Labs/utls/common.go

@@ -1,971 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tls
-
-import (
-	"container/list"
-	"crypto"
-	"crypto/rand"
-	"crypto/sha512"
-	"crypto/x509"
-	"errors"
-	"fmt"
-	"github.com/Psiphon-Labs/utls/cipherhw"
-	"io"
-	"math/big"
-	"net"
-	"strings"
-	"sync"
-	"time"
-)
-
-const (
-	VersionSSL30 = 0x0300
-	VersionTLS10 = 0x0301
-	VersionTLS11 = 0x0302
-	VersionTLS12 = 0x0303
-)
-
-const (
-	maxPlaintext    = 16384        // maximum plaintext payload length
-	maxCiphertext   = 16384 + 2048 // maximum ciphertext payload length
-	recordHeaderLen = 5            // record header length
-	maxHandshake    = 65536        // maximum handshake we support (protocol max is 16 MB)
-
-	minVersion = VersionTLS10
-	maxVersion = VersionTLS12
-)
-
-// TLS record types.
-type recordType uint8
-
-const (
-	recordTypeChangeCipherSpec recordType = 20
-	recordTypeAlert            recordType = 21
-	recordTypeHandshake        recordType = 22
-	recordTypeApplicationData  recordType = 23
-)
-
-// TLS handshake message types.
-const (
-	typeHelloRequest       uint8 = 0
-	typeClientHello        uint8 = 1
-	typeServerHello        uint8 = 2
-	typeNewSessionTicket   uint8 = 4
-	typeCertificate        uint8 = 11
-	typeServerKeyExchange  uint8 = 12
-	typeCertificateRequest uint8 = 13
-	typeServerHelloDone    uint8 = 14
-	typeCertificateVerify  uint8 = 15
-	typeClientKeyExchange  uint8 = 16
-	typeFinished           uint8 = 20
-	typeCertificateStatus  uint8 = 22
-	typeNextProtocol       uint8 = 67 // Not IANA assigned
-)
-
-// TLS compression types.
-const (
-	compressionNone uint8 = 0
-)
-
-// TLS extension numbers
-const (
-	extensionServerName          uint16 = 0
-	extensionStatusRequest       uint16 = 5
-	extensionSupportedCurves     uint16 = 10
-	extensionSupportedPoints     uint16 = 11
-	extensionSignatureAlgorithms uint16 = 13
-	extensionALPN                uint16 = 16
-	extensionSCT                 uint16 = 18 // https://tools.ietf.org/html/rfc6962#section-6
-	extensionSessionTicket       uint16 = 35
-	extensionNextProtoNeg        uint16 = 13172 // not IANA assigned
-	extensionRenegotiationInfo   uint16 = 0xff01
-)
-
-// TLS signaling cipher suite values
-const (
-	scsvRenegotiation uint16 = 0x00ff
-)
-
-// CurveID is the type of a TLS identifier for an elliptic curve. See
-// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8
-type CurveID uint16
-
-const (
-	CurveP256 CurveID = 23
-	CurveP384 CurveID = 24
-	CurveP521 CurveID = 25
-	X25519    CurveID = 29
-)
-
-// TLS Elliptic Curve Point Formats
-// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9
-const (
-	pointFormatUncompressed uint8 = 0
-)
-
-// TLS CertificateStatusType (RFC 3546)
-const (
-	statusTypeOCSP uint8 = 1
-)
-
-// Certificate types (for certificateRequestMsg)
-const (
-	certTypeRSASign    = 1 // A certificate containing an RSA key
-	certTypeDSSSign    = 2 // A certificate containing a DSA key
-	certTypeRSAFixedDH = 3 // A certificate containing a static DH key
-	certTypeDSSFixedDH = 4 // A certificate containing a static DH key
-
-	// See RFC 4492 sections 3 and 5.5.
-	certTypeECDSASign      = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA.
-	certTypeRSAFixedECDH   = 65 // A certificate containing an ECDH-capable public key, signed with RSA.
-	certTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA.
-
-	// Rest of these are reserved by the TLS spec
-)
-
-// Hash functions for TLS 1.2 (See RFC 5246, section A.4.1)
-const (
-	hashSHA1   uint8 = 2
-	hashSHA256 uint8 = 4
-	hashSHA384 uint8 = 5
-)
-
-// Signature algorithms for TLS 1.2 (See RFC 5246, section A.4.1)
-const (
-	signatureRSA   uint8 = 1
-	signatureECDSA uint8 = 3
-)
-
-// signatureAndHash mirrors the TLS 1.2, SignatureAndHashAlgorithm struct. See
-// RFC 5246, section A.4.1.
-type signatureAndHash struct {
-	hash, signature uint8
-}
-
-// supportedSignatureAlgorithms contains the signature and hash algorithms that
-// the code advertises as supported in a TLS 1.2 ClientHello and in a TLS 1.2
-// CertificateRequest.
-var supportedSignatureAlgorithms = []signatureAndHash{
-	{hashSHA256, signatureRSA},
-	{hashSHA256, signatureECDSA},
-	{hashSHA384, signatureRSA},
-	{hashSHA384, signatureECDSA},
-	{hashSHA1, signatureRSA},
-	{hashSHA1, signatureECDSA},
-}
-
-// ConnectionState records basic TLS details about the connection.
-type ConnectionState struct {
-	Version                     uint16                // TLS version used by the connection (e.g. VersionTLS12)
-	HandshakeComplete           bool                  // TLS handshake is complete
-	DidResume                   bool                  // connection resumes a previous TLS connection
-	CipherSuite                 uint16                // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...)
-	NegotiatedProtocol          string                // negotiated next protocol (not guaranteed to be from Config.NextProtos)
-	NegotiatedProtocolIsMutual  bool                  // negotiated protocol was advertised by server (client side only)
-	ServerName                  string                // server name requested by client, if any (server side only)
-	PeerCertificates            []*x509.Certificate   // certificate chain presented by remote peer
-	VerifiedChains              [][]*x509.Certificate // verified chains built from PeerCertificates
-	SignedCertificateTimestamps [][]byte              // SCTs from the server, if any
-	OCSPResponse                []byte                // stapled OCSP response from server, if any
-
-	// TLSUnique contains the "tls-unique" channel binding value (see RFC
-	// 5929, section 3). For resumed sessions this value will be nil
-	// because resumption does not include enough context (see
-	// https://mitls.org/pages/attacks/3SHAKE#channelbindings). This will
-	// change in future versions of Go once the TLS master-secret fix has
-	// been standardized and implemented.
-	TLSUnique []byte
-}
-
-// ClientAuthType declares the policy the server will follow for
-// TLS Client Authentication.
-type ClientAuthType int
-
-const (
-	NoClientCert ClientAuthType = iota
-	RequestClientCert
-	RequireAnyClientCert
-	VerifyClientCertIfGiven
-	RequireAndVerifyClientCert
-)
-
-// ClientSessionState contains the state needed by clients to resume TLS
-// sessions.
-type ClientSessionState struct {
-	sessionTicket      []uint8               // Encrypted ticket used for session resumption with server
-	vers               uint16                // SSL/TLS version negotiated for the session
-	cipherSuite        uint16                // Ciphersuite negotiated for the session
-	masterSecret       []byte                // MasterSecret generated by client on a full handshake
-	serverCertificates []*x509.Certificate   // Certificate chain presented by the server
-	verifiedChains     [][]*x509.Certificate // Certificate chains we built for verification
-}
-
-// ClientSessionCache is a cache of ClientSessionState objects that can be used
-// by a client to resume a TLS session with a given server. ClientSessionCache
-// implementations should expect to be called concurrently from different
-// goroutines. Only ticket-based resumption is supported, not SessionID-based
-// resumption.
-type ClientSessionCache interface {
-	// Get searches for a ClientSessionState associated with the given key.
-	// On return, ok is true if one was found.
-	Get(sessionKey string) (session *ClientSessionState, ok bool)
-
-	// Put adds the ClientSessionState to the cache with the given key.
-	Put(sessionKey string, cs *ClientSessionState)
-}
-
-// SignatureScheme identifies a signature algorithm supported by TLS. See
-// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.3.
-type SignatureScheme uint16
-
-const (
-	PKCS1WithSHA1   SignatureScheme = 0x0201
-	PKCS1WithSHA256 SignatureScheme = 0x0401
-	PKCS1WithSHA384 SignatureScheme = 0x0501
-	PKCS1WithSHA512 SignatureScheme = 0x0601
-
-	PSSWithSHA256 SignatureScheme = 0x0804
-	PSSWithSHA384 SignatureScheme = 0x0805
-	PSSWithSHA512 SignatureScheme = 0x0806
-
-	ECDSAWithP256AndSHA256 SignatureScheme = 0x0403
-	ECDSAWithP384AndSHA384 SignatureScheme = 0x0503
-	ECDSAWithP521AndSHA512 SignatureScheme = 0x0603
-)
-
-// ClientHelloInfo contains information from a ClientHello message in order to
-// guide certificate selection in the GetCertificate callback.
-type ClientHelloInfo struct {
-	// CipherSuites lists the CipherSuites supported by the client (e.g.
-	// TLS_RSA_WITH_RC4_128_SHA).
-	CipherSuites []uint16
-
-	// ServerName indicates the name of the server requested by the client
-	// in order to support virtual hosting. ServerName is only set if the
-	// client is using SNI (see
-	// http://tools.ietf.org/html/rfc4366#section-3.1).
-	ServerName string
-
-	// SupportedCurves lists the elliptic curves supported by the client.
-	// SupportedCurves is set only if the Supported Elliptic Curves
-	// Extension is being used (see
-	// http://tools.ietf.org/html/rfc4492#section-5.1.1).
-	SupportedCurves []CurveID
-
-	// SupportedPoints lists the point formats supported by the client.
-	// SupportedPoints is set only if the Supported Point Formats Extension
-	// is being used (see
-	// http://tools.ietf.org/html/rfc4492#section-5.1.2).
-	SupportedPoints []uint8
-
-	// SignatureSchemes lists the signature and hash schemes that the client
-	// is willing to verify. SignatureSchemes is set only if the Signature
-	// Algorithms Extension is being used (see
-	// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1).
-	SignatureSchemes []SignatureScheme
-
-	// SupportedProtos lists the application protocols supported by the client.
-	// SupportedProtos is set only if the Application-Layer Protocol
-	// Negotiation Extension is being used (see
-	// https://tools.ietf.org/html/rfc7301#section-3.1).
-	//
-	// Servers can select a protocol by setting Config.NextProtos in a
-	// GetConfigForClient return value.
-	SupportedProtos []string
-
-	// SupportedVersions lists the TLS versions supported by the client.
-	// For TLS versions less than 1.3, this is extrapolated from the max
-	// version advertised by the client, so values other than the greatest
-	// might be rejected if used.
-	SupportedVersions []uint16
-
-	// Conn is the underlying net.Conn for the connection. Do not read
-	// from, or write to, this connection; that will cause the TLS
-	// connection to fail.
-	Conn net.Conn
-}
-
-// CertificateRequestInfo contains information from a server's
-// CertificateRequest message, which is used to demand a certificate and proof
-// of control from a client.
-type CertificateRequestInfo struct {
-	// AcceptableCAs contains zero or more, DER-encoded, X.501
-	// Distinguished Names. These are the names of root or intermediate CAs
-	// that the server wishes the returned certificate to be signed by. An
-	// empty slice indicates that the server has no preference.
-	AcceptableCAs [][]byte
-
-	// SignatureSchemes lists the signature schemes that the server is
-	// willing to verify.
-	SignatureSchemes []SignatureScheme
-}
-
-// RenegotiationSupport enumerates the different levels of support for TLS
-// renegotiation. TLS renegotiation is the act of performing subsequent
-// handshakes on a connection after the first. This significantly complicates
-// the state machine and has been the source of numerous, subtle security
-// issues. Initiating a renegotiation is not supported, but support for
-// accepting renegotiation requests may be enabled.
-//
-// Even when enabled, the server may not change its identity between handshakes
-// (i.e. the leaf certificate must be the same). Additionally, concurrent
-// handshake and application data flow is not permitted so renegotiation can
-// only be used with protocols that synchronise with the renegotiation, such as
-// HTTPS.
-type RenegotiationSupport int
-
-const (
-	// RenegotiateNever disables renegotiation.
-	RenegotiateNever RenegotiationSupport = iota
-
-	// RenegotiateOnceAsClient allows a remote server to request
-	// renegotiation once per connection.
-	RenegotiateOnceAsClient
-
-	// RenegotiateFreelyAsClient allows a remote server to repeatedly
-	// request renegotiation.
-	RenegotiateFreelyAsClient
-)
-
-// A Config structure is used to configure a TLS client or server.
-// After one has been passed to a TLS function it must not be
-// modified. A Config may be reused; the tls package will also not
-// modify it.
-type Config struct {
-	// Rand provides the source of entropy for nonces and RSA blinding.
-	// If Rand is nil, TLS uses the cryptographic random reader in package
-	// crypto/rand.
-	// The Reader must be safe for use by multiple goroutines.
-	Rand io.Reader
-
-	// Time returns the current time as the number of seconds since the epoch.
-	// If Time is nil, TLS uses time.Now.
-	Time func() time.Time
-
-	// Certificates contains one or more certificate chains to present to
-	// the other side of the connection. Server configurations must include
-	// at least one certificate or else set GetCertificate. Clients doing
-	// client-authentication may set either Certificates or
-	// GetClientCertificate.
-	Certificates []Certificate
-
-	// NameToCertificate maps from a certificate name to an element of
-	// Certificates. Note that a certificate name can be of the form
-	// '*.example.com' and so doesn't have to be a domain name as such.
-	// See Config.BuildNameToCertificate
-	// The nil value causes the first element of Certificates to be used
-	// for all connections.
-	NameToCertificate map[string]*Certificate
-
-	// GetCertificate returns a Certificate based on the given
-	// ClientHelloInfo. It will only be called if the client supplies SNI
-	// information or if Certificates is empty.
-	//
-	// If GetCertificate is nil or returns nil, then the certificate is
-	// retrieved from NameToCertificate. If NameToCertificate is nil, the
-	// first element of Certificates will be used.
-	GetCertificate func(*ClientHelloInfo) (*Certificate, error)
-
-	// GetClientCertificate, if not nil, is called when a server requests a
-	// certificate from a client. If set, the contents of Certificates will
-	// be ignored.
-	//
-	// If GetClientCertificate returns an error, the handshake will be
-	// aborted and that error will be returned. Otherwise
-	// GetClientCertificate must return a non-nil Certificate. If
-	// Certificate.Certificate is empty then no certificate will be sent to
-	// the server. If this is unacceptable to the server then it may abort
-	// the handshake.
-	//
-	// GetClientCertificate may be called multiple times for the same
-	// connection if renegotiation occurs or if TLS 1.3 is in use.
-	GetClientCertificate func(*CertificateRequestInfo) (*Certificate, error)
-
-	// GetConfigForClient, if not nil, is called after a ClientHello is
-	// received from a client. It may return a non-nil Config in order to
-	// change the Config that will be used to handle this connection. If
-	// the returned Config is nil, the original Config will be used. The
-	// Config returned by this callback may not be subsequently modified.
-	//
-	// If GetConfigForClient is nil, the Config passed to Server() will be
-	// used for all connections.
-	//
-	// Uniquely for the fields in the returned Config, session ticket keys
-	// will be duplicated from the original Config if not set.
-	// Specifically, if SetSessionTicketKeys was called on the original
-	// config but not on the returned config then the ticket keys from the
-	// original config will be copied into the new config before use.
-	// Otherwise, if SessionTicketKey was set in the original config but
-	// not in the returned config then it will be copied into the returned
-	// config before use. If neither of those cases applies then the key
-	// material from the returned config will be used for session tickets.
-	GetConfigForClient func(*ClientHelloInfo) (*Config, error)
-
-	// VerifyPeerCertificate, if not nil, is called after normal
-	// certificate verification by either a TLS client or server. It
-	// receives the raw ASN.1 certificates provided by the peer and also
-	// any verified chains that normal processing found. If it returns a
-	// non-nil error, the handshake is aborted and that error results.
-	//
-	// If normal verification fails then the handshake will abort before
-	// considering this callback. If normal verification is disabled by
-	// setting InsecureSkipVerify then this callback will be considered but
-	// the verifiedChains argument will always be nil.
-	VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
-
-	// RootCAs defines the set of root certificate authorities
-	// that clients use when verifying server certificates.
-	// If RootCAs is nil, TLS uses the host's root CA set.
-	RootCAs *x509.CertPool
-
-	// NextProtos is a list of supported, application level protocols.
-	NextProtos []string
-
-	// ServerName is used to verify the hostname on the returned
-	// certificates unless InsecureSkipVerify is given. It is also included
-	// in the client's handshake to support virtual hosting unless it is
-	// an IP address.
-	ServerName string
-
-	// ClientAuth determines the server's policy for
-	// TLS Client Authentication. The default is NoClientCert.
-	ClientAuth ClientAuthType
-
-	// ClientCAs defines the set of root certificate authorities
-	// that servers use if required to verify a client certificate
-	// by the policy in ClientAuth.
-	ClientCAs *x509.CertPool
-
-	// InsecureSkipVerify controls whether a client verifies the
-	// server's certificate chain and host name.
-	// If InsecureSkipVerify is true, TLS accepts any certificate
-	// presented by the server and any host name in that certificate.
-	// In this mode, TLS is susceptible to man-in-the-middle attacks.
-	// This should be used only for testing.
-	InsecureSkipVerify bool
-
-	// CipherSuites is a list of supported cipher suites. If CipherSuites
-	// is nil, TLS uses a list of suites supported by the implementation.
-	CipherSuites []uint16
-
-	// PreferServerCipherSuites controls whether the server selects the
-	// client's most preferred ciphersuite, or the server's most preferred
-	// ciphersuite. If true then the server's preference, as expressed in
-	// the order of elements in CipherSuites, is used.
-	PreferServerCipherSuites bool
-
-	// SessionTicketsDisabled may be set to true to disable session ticket
-	// (resumption) support.
-	SessionTicketsDisabled bool
-
-	// SessionTicketKey is used by TLS servers to provide session
-	// resumption. See RFC 5077. If zero, it will be filled with
-	// random data before the first server handshake.
-	//
-	// If multiple servers are terminating connections for the same host
-	// they should all have the same SessionTicketKey. If the
-	// SessionTicketKey leaks, previously recorded and future TLS
-	// connections using that key are compromised.
-	SessionTicketKey [32]byte
-
-	// SessionCache is a cache of ClientSessionState entries for TLS session
-	// resumption.
-	ClientSessionCache ClientSessionCache
-
-	// MinVersion contains the minimum SSL/TLS version that is acceptable.
-	// If zero, then TLS 1.0 is taken as the minimum.
-	MinVersion uint16
-
-	// MaxVersion contains the maximum SSL/TLS version that is acceptable.
-	// If zero, then the maximum version supported by this package is used,
-	// which is currently TLS 1.2.
-	MaxVersion uint16
-
-	// CurvePreferences contains the elliptic curves that will be used in
-	// an ECDHE handshake, in preference order. If empty, the default will
-	// be used.
-	CurvePreferences []CurveID
-
-	// DynamicRecordSizingDisabled disables adaptive sizing of TLS records.
-	// When true, the largest possible TLS record size is always used. When
-	// false, the size of TLS records may be adjusted in an attempt to
-	// improve latency.
-	DynamicRecordSizingDisabled bool
-
-	// Renegotiation controls what types of renegotiation are supported.
-	// The default, none, is correct for the vast majority of applications.
-	Renegotiation RenegotiationSupport
-
-	// KeyLogWriter optionally specifies a destination for TLS master secrets
-	// in NSS key log format that can be used to allow external programs
-	// such as Wireshark to decrypt TLS connections.
-	// See https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format.
-	// Use of KeyLogWriter compromises security and should only be
-	// used for debugging.
-	KeyLogWriter io.Writer
-
-	serverInitOnce sync.Once // guards calling (*Config).serverInit
-
-	// mutex protects sessionTicketKeys.
-	mutex sync.RWMutex
-	// sessionTicketKeys contains zero or more ticket keys. If the length
-	// is zero, SessionTicketsDisabled must be true. The first key is used
-	// for new tickets and any subsequent keys can be used to decrypt old
-	// tickets.
-	sessionTicketKeys []ticketKey
-}
-
-// ticketKeyNameLen is the number of bytes of identifier that is prepended to
-// an encrypted session ticket in order to identify the key used to encrypt it.
-const ticketKeyNameLen = 16
-
-// ticketKey is the internal representation of a session ticket key.
-type ticketKey struct {
-	// keyName is an opaque byte string that serves to identify the session
-	// ticket key. It's exposed as plaintext in every session ticket.
-	keyName [ticketKeyNameLen]byte
-	aesKey  [16]byte
-	hmacKey [16]byte
-}
-
-// ticketKeyFromBytes converts from the external representation of a session
-// ticket key to a ticketKey. Externally, session ticket keys are 32 random
-// bytes and this function expands that into sufficient name and key material.
-func ticketKeyFromBytes(b [32]byte) (key ticketKey) {
-	hashed := sha512.Sum512(b[:])
-	copy(key.keyName[:], hashed[:ticketKeyNameLen])
-	copy(key.aesKey[:], hashed[ticketKeyNameLen:ticketKeyNameLen+16])
-	copy(key.hmacKey[:], hashed[ticketKeyNameLen+16:ticketKeyNameLen+32])
-	return key
-}
-
-// Clone returns a shallow clone of c. It is safe to clone a Config that is
-// being used concurrently by a TLS client or server.
-func (c *Config) Clone() *Config {
-	// Running serverInit ensures that it's safe to read
-	// SessionTicketsDisabled.
-	c.serverInitOnce.Do(func() { c.serverInit(nil) })
-
-	var sessionTicketKeys []ticketKey
-	c.mutex.RLock()
-	sessionTicketKeys = c.sessionTicketKeys
-	c.mutex.RUnlock()
-
-	return &Config{
-		Rand:                        c.Rand,
-		Time:                        c.Time,
-		Certificates:                c.Certificates,
-		NameToCertificate:           c.NameToCertificate,
-		GetCertificate:              c.GetCertificate,
-		GetClientCertificate:        c.GetClientCertificate,
-		GetConfigForClient:          c.GetConfigForClient,
-		VerifyPeerCertificate:       c.VerifyPeerCertificate,
-		RootCAs:                     c.RootCAs,
-		NextProtos:                  c.NextProtos,
-		ServerName:                  c.ServerName,
-		ClientAuth:                  c.ClientAuth,
-		ClientCAs:                   c.ClientCAs,
-		InsecureSkipVerify:          c.InsecureSkipVerify,
-		CipherSuites:                c.CipherSuites,
-		PreferServerCipherSuites:    c.PreferServerCipherSuites,
-		SessionTicketsDisabled:      c.SessionTicketsDisabled,
-		SessionTicketKey:            c.SessionTicketKey,
-		ClientSessionCache:          c.ClientSessionCache,
-		MinVersion:                  c.MinVersion,
-		MaxVersion:                  c.MaxVersion,
-		CurvePreferences:            c.CurvePreferences,
-		DynamicRecordSizingDisabled: c.DynamicRecordSizingDisabled,
-		Renegotiation:               c.Renegotiation,
-		KeyLogWriter:                c.KeyLogWriter,
-		sessionTicketKeys:           sessionTicketKeys,
-	}
-}
-
-// serverInit is run under c.serverInitOnce to do initialization of c. If c was
-// returned by a GetConfigForClient callback then the argument should be the
-// Config that was passed to Server, otherwise it should be nil.
-func (c *Config) serverInit(originalConfig *Config) {
-	if c.SessionTicketsDisabled || len(c.ticketKeys()) != 0 {
-		return
-	}
-
-	alreadySet := false
-	for _, b := range c.SessionTicketKey {
-		if b != 0 {
-			alreadySet = true
-			break
-		}
-	}
-
-	if !alreadySet {
-		if originalConfig != nil {
-			copy(c.SessionTicketKey[:], originalConfig.SessionTicketKey[:])
-		} else if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil {
-			c.SessionTicketsDisabled = true
-			return
-		}
-	}
-
-	if originalConfig != nil {
-		originalConfig.mutex.RLock()
-		c.sessionTicketKeys = originalConfig.sessionTicketKeys
-		originalConfig.mutex.RUnlock()
-	} else {
-		c.sessionTicketKeys = []ticketKey{ticketKeyFromBytes(c.SessionTicketKey)}
-	}
-}
-
-func (c *Config) ticketKeys() []ticketKey {
-	c.mutex.RLock()
-	// c.sessionTicketKeys is constant once created. SetSessionTicketKeys
-	// will only update it by replacing it with a new value.
-	ret := c.sessionTicketKeys
-	c.mutex.RUnlock()
-	return ret
-}
-
-// SetSessionTicketKeys updates the session ticket keys for a server. The first
-// key will be used when creating new tickets, while all keys can be used for
-// decrypting tickets. It is safe to call this function while the server is
-// running in order to rotate the session ticket keys. The function will panic
-// if keys is empty.
-func (c *Config) SetSessionTicketKeys(keys [][32]byte) {
-	if len(keys) == 0 {
-		panic("tls: keys must have at least one key")
-	}
-
-	newKeys := make([]ticketKey, len(keys))
-	for i, bytes := range keys {
-		newKeys[i] = ticketKeyFromBytes(bytes)
-	}
-
-	c.mutex.Lock()
-	c.sessionTicketKeys = newKeys
-	c.mutex.Unlock()
-}
-
-func (c *Config) rand() io.Reader {
-	r := c.Rand
-	if r == nil {
-		return rand.Reader
-	}
-	return r
-}
-
-func (c *Config) time() time.Time {
-	t := c.Time
-	if t == nil {
-		t = time.Now
-	}
-	return t()
-}
-
-func (c *Config) cipherSuites() []uint16 {
-	s := c.CipherSuites
-	if s == nil {
-		s = defaultCipherSuites()
-	}
-	return s
-}
-
-func (c *Config) minVersion() uint16 {
-	if c == nil || c.MinVersion == 0 {
-		return minVersion
-	}
-	return c.MinVersion
-}
-
-func (c *Config) maxVersion() uint16 {
-	if c == nil || c.MaxVersion == 0 {
-		return maxVersion
-	}
-	return c.MaxVersion
-}
-
-var defaultCurvePreferences = []CurveID{X25519, CurveP256, CurveP384, CurveP521}
-
-func (c *Config) curvePreferences() []CurveID {
-	if c == nil || len(c.CurvePreferences) == 0 {
-		return defaultCurvePreferences
-	}
-	return c.CurvePreferences
-}
-
-// mutualVersion returns the protocol version to use given the advertised
-// version of the peer.
-func (c *Config) mutualVersion(vers uint16) (uint16, bool) {
-	minVersion := c.minVersion()
-	maxVersion := c.maxVersion()
-
-	if vers < minVersion {
-		return 0, false
-	}
-	if vers > maxVersion {
-		vers = maxVersion
-	}
-	return vers, true
-}
-
-// getCertificate returns the best certificate for the given ClientHelloInfo,
-// defaulting to the first element of c.Certificates.
-func (c *Config) getCertificate(clientHello *ClientHelloInfo) (*Certificate, error) {
-	if c.GetCertificate != nil &&
-		(len(c.Certificates) == 0 || len(clientHello.ServerName) > 0) {
-		cert, err := c.GetCertificate(clientHello)
-		if cert != nil || err != nil {
-			return cert, err
-		}
-	}
-
-	if len(c.Certificates) == 0 {
-		return nil, errors.New("tls: no certificates configured")
-	}
-
-	if len(c.Certificates) == 1 || c.NameToCertificate == nil {
-		// There's only one choice, so no point doing any work.
-		return &c.Certificates[0], nil
-	}
-
-	name := strings.ToLower(clientHello.ServerName)
-	for len(name) > 0 && name[len(name)-1] == '.' {
-		name = name[:len(name)-1]
-	}
-
-	if cert, ok := c.NameToCertificate[name]; ok {
-		return cert, nil
-	}
-
-	// try replacing labels in the name with wildcards until we get a
-	// match.
-	labels := strings.Split(name, ".")
-	for i := range labels {
-		labels[i] = "*"
-		candidate := strings.Join(labels, ".")
-		if cert, ok := c.NameToCertificate[candidate]; ok {
-			return cert, nil
-		}
-	}
-
-	// If nothing matches, return the first certificate.
-	return &c.Certificates[0], nil
-}
-
-// BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate
-// from the CommonName and SubjectAlternateName fields of each of the leaf
-// certificates.
-func (c *Config) BuildNameToCertificate() {
-	c.NameToCertificate = make(map[string]*Certificate)
-	for i := range c.Certificates {
-		cert := &c.Certificates[i]
-		x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
-		if err != nil {
-			continue
-		}
-		if len(x509Cert.Subject.CommonName) > 0 {
-			c.NameToCertificate[x509Cert.Subject.CommonName] = cert
-		}
-		for _, san := range x509Cert.DNSNames {
-			c.NameToCertificate[san] = cert
-		}
-	}
-}
-
-// writeKeyLog logs client random and master secret if logging was enabled by
-// setting c.KeyLogWriter.
-func (c *Config) writeKeyLog(clientRandom, masterSecret []byte) error {
-	if c.KeyLogWriter == nil {
-		return nil
-	}
-
-	logLine := []byte(fmt.Sprintf("CLIENT_RANDOM %x %x\n", clientRandom, masterSecret))
-
-	writerMutex.Lock()
-	_, err := c.KeyLogWriter.Write(logLine)
-	writerMutex.Unlock()
-
-	return err
-}
-
-// writerMutex protects all KeyLogWriters globally. It is rarely enabled,
-// and is only for debugging, so a global mutex saves space.
-var writerMutex sync.Mutex
-
-// A Certificate is a chain of one or more certificates, leaf first.
-type Certificate struct {
-	Certificate [][]byte
-	// PrivateKey contains the private key corresponding to the public key
-	// in Leaf. For a server, this must implement crypto.Signer and/or
-	// crypto.Decrypter, with an RSA or ECDSA PublicKey. For a client
-	// (performing client authentication), this must be a crypto.Signer
-	// with an RSA or ECDSA PublicKey.
-	PrivateKey crypto.PrivateKey
-	// OCSPStaple contains an optional OCSP response which will be served
-	// to clients that request it.
-	OCSPStaple []byte
-	// SignedCertificateTimestamps contains an optional list of Signed
-	// Certificate Timestamps which will be served to clients that request it.
-	SignedCertificateTimestamps [][]byte
-	// Leaf is the parsed form of the leaf certificate, which may be
-	// initialized using x509.ParseCertificate to reduce per-handshake
-	// processing for TLS clients doing client authentication. If nil, the
-	// leaf certificate will be parsed as needed.
-	Leaf *x509.Certificate
-}
-
-type handshakeMessage interface {
-	marshal() []byte
-	unmarshal([]byte) bool
-}
-
-// lruSessionCache is a ClientSessionCache implementation that uses an LRU
-// caching strategy.
-type lruSessionCache struct {
-	sync.Mutex
-
-	m        map[string]*list.Element
-	q        *list.List
-	capacity int
-}
-
-type lruSessionCacheEntry struct {
-	sessionKey string
-	state      *ClientSessionState
-}
-
-// NewLRUClientSessionCache returns a ClientSessionCache with the given
-// capacity that uses an LRU strategy. If capacity is < 1, a default capacity
-// is used instead.
-func NewLRUClientSessionCache(capacity int) ClientSessionCache {
-	const defaultSessionCacheCapacity = 64
-
-	if capacity < 1 {
-		capacity = defaultSessionCacheCapacity
-	}
-	return &lruSessionCache{
-		m:        make(map[string]*list.Element),
-		q:        list.New(),
-		capacity: capacity,
-	}
-}
-
-// Put adds the provided (sessionKey, cs) pair to the cache.
-func (c *lruSessionCache) Put(sessionKey string, cs *ClientSessionState) {
-	c.Lock()
-	defer c.Unlock()
-
-	if elem, ok := c.m[sessionKey]; ok {
-		entry := elem.Value.(*lruSessionCacheEntry)
-		entry.state = cs
-		c.q.MoveToFront(elem)
-		return
-	}
-
-	if c.q.Len() < c.capacity {
-		entry := &lruSessionCacheEntry{sessionKey, cs}
-		c.m[sessionKey] = c.q.PushFront(entry)
-		return
-	}
-
-	elem := c.q.Back()
-	entry := elem.Value.(*lruSessionCacheEntry)
-	delete(c.m, entry.sessionKey)
-	entry.sessionKey = sessionKey
-	entry.state = cs
-	c.q.MoveToFront(elem)
-	c.m[sessionKey] = elem
-}
-
-// Get returns the ClientSessionState value associated with a given key. It
-// returns (nil, false) if no value is found.
-func (c *lruSessionCache) Get(sessionKey string) (*ClientSessionState, bool) {
-	c.Lock()
-	defer c.Unlock()
-
-	if elem, ok := c.m[sessionKey]; ok {
-		c.q.MoveToFront(elem)
-		return elem.Value.(*lruSessionCacheEntry).state, true
-	}
-	return nil, false
-}
-
-// TODO(jsing): Make these available to both crypto/x509 and crypto/tls.
-type dsaSignature struct {
-	R, S *big.Int
-}
-
-type ecdsaSignature dsaSignature
-
-var emptyConfig Config
-
-func defaultConfig() *Config {
-	return &emptyConfig
-}
-
-var (
-	once                   sync.Once
-	varDefaultCipherSuites []uint16
-)
-
-func defaultCipherSuites() []uint16 {
-	once.Do(initDefaultCipherSuites)
-	return varDefaultCipherSuites
-}
-
-func initDefaultCipherSuites() {
-	var topCipherSuites []uint16
-	if cipherhw.AESGCMSupport() {
-		// If AES-GCM hardware is provided then prioritise AES-GCM
-		// cipher suites.
-		topCipherSuites = []uint16{
-			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-			TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-		}
-	} else {
-		// Without AES-GCM hardware, we put the ChaCha20-Poly1305
-		// cipher suites first.
-		topCipherSuites = []uint16{
-			TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-			TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		}
-	}
-
-	varDefaultCipherSuites = make([]uint16, 0, len(cipherSuites))
-	varDefaultCipherSuites = append(varDefaultCipherSuites, topCipherSuites...)
-
-NextCipherSuite:
-	for _, suite := range cipherSuites {
-		if suite.flags&suiteDefaultOff != 0 {
-			continue
-		}
-		for _, existing := range varDefaultCipherSuites {
-			if existing == suite.id {
-				continue NextCipherSuite
-			}
-		}
-		varDefaultCipherSuites = append(varDefaultCipherSuites, suite.id)
-	}
-}
-
-func unexpectedMessageError(wanted, got interface{}) error {
-	return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted)
-}
-
-func isSupportedSignatureAndHash(sigHash signatureAndHash, sigHashes []signatureAndHash) bool {
-	for _, s := range sigHashes {
-		if s == sigHash {
-			return true
-		}
-	}
-	return false
-}

vendor/github.com/Psiphon-Labs/utls/conn.go

@@ -1,1387 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// TLS low level connection and record layer
-
-package tls
-
-import (
-	"bytes"
-	"crypto/cipher"
-	"crypto/subtle"
-	"crypto/x509"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"sync"
-	"sync/atomic"
-	"time"
-)
-
-// A Conn represents a secured connection.
-// It implements the net.Conn interface.
-type Conn struct {
-	// constant
-	conn     net.Conn
-	isClient bool
-
-	// constant after handshake; protected by handshakeMutex
-	handshakeMutex sync.Mutex // handshakeMutex < in.Mutex, out.Mutex, errMutex
-	// handshakeCond, if not nil, indicates that a goroutine is committed
-	// to running the handshake for this Conn. Other goroutines that need
-	// to wait for the handshake can wait on this, under handshakeMutex.
-	handshakeCond *sync.Cond
-	handshakeErr  error   // error resulting from handshake
-	vers          uint16  // TLS version
-	haveVers      bool    // version has been negotiated
-	config        *Config // configuration passed to constructor
-	// handshakeComplete is true if the connection is currently transferring
-	// application data (i.e. is not currently processing a handshake).
-	handshakeComplete bool
-	// handshakes counts the number of handshakes performed on the
-	// connection so far. If renegotiation is disabled then this is either
-	// zero or one.
-	handshakes       int
-	didResume        bool // whether this connection was a session resumption
-	cipherSuite      uint16
-	ocspResponse     []byte   // stapled OCSP response
-	scts             [][]byte // signed certificate timestamps from server
-	peerCertificates []*x509.Certificate
-	// verifiedChains contains the certificate chains that we built, as
-	// opposed to the ones presented by the server.
-	verifiedChains [][]*x509.Certificate
-	// serverName contains the server name indicated by the client, if any.
-	serverName string
-	// secureRenegotiation is true if the server echoed the secure
-	// renegotiation extension. (This is meaningless as a server because
-	// renegotiation is not supported in that case.)
-	secureRenegotiation bool
-
-	// clientFinishedIsFirst is true if the client sent the first Finished
-	// message during the most recent handshake. This is recorded because
-	// the first transmitted Finished message is the tls-unique
-	// channel-binding value.
-	clientFinishedIsFirst bool
-
-	// closeNotifyErr is any error from sending the alertCloseNotify record.
-	closeNotifyErr error
-	// closeNotifySent is true if the Conn attempted to send an
-	// alertCloseNotify record.
-	closeNotifySent bool
-
-	// clientFinished and serverFinished contain the Finished message sent
-	// by the client or server in the most recent handshake. This is
-	// retained to support the renegotiation extension and tls-unique
-	// channel-binding.
-	clientFinished [12]byte
-	serverFinished [12]byte
-
-	clientProtocol         string
-	clientProtocolFallback bool
-
-	// input/output
-	in, out   halfConn     // in.Mutex < out.Mutex
-	rawInput  *block       // raw input, right off the wire
-	input     *block       // application data waiting to be read
-	hand      bytes.Buffer // handshake data waiting to be read
-	buffering bool         // whether records are buffered in sendBuf
-	sendBuf   []byte       // a buffer of records waiting to be sent
-
-	// bytesSent counts the bytes of application data sent.
-	// packetsSent counts packets.
-	bytesSent   int64
-	packetsSent int64
-
-	// activeCall is an atomic int32; the low bit is whether Close has
-	// been called. the rest of the bits are the number of goroutines
-	// in Conn.Write.
-	activeCall int32
-
-	tmp [16]byte
-}
-
-// Access to net.Conn methods.
-// Cannot just embed net.Conn because that would
-// export the struct field too.
-
-// LocalAddr returns the local network address.
-func (c *Conn) LocalAddr() net.Addr {
-	return c.conn.LocalAddr()
-}
-
-// RemoteAddr returns the remote network address.
-func (c *Conn) RemoteAddr() net.Addr {
-	return c.conn.RemoteAddr()
-}
-
-// SetDeadline sets the read and write deadlines associated with the connection.
-// A zero value for t means Read and Write will not time out.
-// After a Write has timed out, the TLS state is corrupt and all future writes will return the same error.
-func (c *Conn) SetDeadline(t time.Time) error {
-	return c.conn.SetDeadline(t)
-}
-
-// SetReadDeadline sets the read deadline on the underlying connection.
-// A zero value for t means Read will not time out.
-func (c *Conn) SetReadDeadline(t time.Time) error {
-	return c.conn.SetReadDeadline(t)
-}
-
-// SetWriteDeadline sets the write deadline on the underlying connection.
-// A zero value for t means Write will not time out.
-// After a Write has timed out, the TLS state is corrupt and all future writes will return the same error.
-func (c *Conn) SetWriteDeadline(t time.Time) error {
-	return c.conn.SetWriteDeadline(t)
-}
-
-// A halfConn represents one direction of the record layer
-// connection, either sending or receiving.
-type halfConn struct {
-	sync.Mutex
-
-	err            error       // first permanent error
-	version        uint16      // protocol version
-	cipher         interface{} // cipher algorithm
-	mac            macFunction
-	seq            [8]byte  // 64-bit sequence number
-	bfree          *block   // list of free blocks
-	additionalData [13]byte // to avoid allocs; interface method args escape
-
-	nextCipher interface{} // next encryption state
-	nextMac    macFunction // next MAC algorithm
-
-	// used to save allocating a new buffer for each MAC.
-	inDigestBuf, outDigestBuf []byte
-}
-
-func (hc *halfConn) setErrorLocked(err error) error {
-	hc.err = err
-	return err
-}
-
-// prepareCipherSpec sets the encryption and MAC states
-// that a subsequent changeCipherSpec will use.
-func (hc *halfConn) prepareCipherSpec(version uint16, cipher interface{}, mac macFunction) {
-	hc.version = version
-	hc.nextCipher = cipher
-	hc.nextMac = mac
-}
-
-// changeCipherSpec changes the encryption and MAC states
-// to the ones previously passed to prepareCipherSpec.
-func (hc *halfConn) changeCipherSpec() error {
-	if hc.nextCipher == nil {
-		return alertInternalError
-	}
-	hc.cipher = hc.nextCipher
-	hc.mac = hc.nextMac
-	hc.nextCipher = nil
-	hc.nextMac = nil
-	for i := range hc.seq {
-		hc.seq[i] = 0
-	}
-	return nil
-}
-
-// incSeq increments the sequence number.
-func (hc *halfConn) incSeq() {
-	for i := 7; i >= 0; i-- {
-		hc.seq[i]++
-		if hc.seq[i] != 0 {
-			return
-		}
-	}
-
-	// Not allowed to let sequence number wrap.
-	// Instead, must renegotiate before it does.
-	// Not likely enough to bother.
-	panic("TLS: sequence number wraparound")
-}
-
-// extractPadding returns, in constant time, the length of the padding to remove
-// from the end of payload. It also returns a byte which is equal to 255 if the
-// padding was valid and 0 otherwise. See RFC 2246, section 6.2.3.2
-func extractPadding(payload []byte) (toRemove int, good byte) {
-	if len(payload) < 1 {
-		return 0, 0
-	}
-
-	paddingLen := payload[len(payload)-1]
-	t := uint(len(payload)-1) - uint(paddingLen)
-	// if len(payload) >= (paddingLen - 1) then the MSB of t is zero
-	good = byte(int32(^t) >> 31)
-
-	toCheck := 255 // the maximum possible padding length
-	// The length of the padded data is public, so we can use an if here
-	if toCheck+1 > len(payload) {
-		toCheck = len(payload) - 1
-	}
-
-	for i := 0; i < toCheck; i++ {
-		t := uint(paddingLen) - uint(i)
-		// if i <= paddingLen then the MSB of t is zero
-		mask := byte(int32(^t) >> 31)
-		b := payload[len(payload)-1-i]
-		good &^= mask&paddingLen ^ mask&b
-	}
-
-	// We AND together the bits of good and replicate the result across
-	// all the bits.
-	good &= good << 4
-	good &= good << 2
-	good &= good << 1
-	good = uint8(int8(good) >> 7)
-
-	toRemove = int(paddingLen) + 1
-	return
-}
-
-// extractPaddingSSL30 is a replacement for extractPadding in the case that the
-// protocol version is SSLv3. In this version, the contents of the padding
-// are random and cannot be checked.
-func extractPaddingSSL30(payload []byte) (toRemove int, good byte) {
-	if len(payload) < 1 {
-		return 0, 0
-	}
-
-	paddingLen := int(payload[len(payload)-1]) + 1
-	if paddingLen > len(payload) {
-		return 0, 0
-	}
-
-	return paddingLen, 255
-}
-
-func roundUp(a, b int) int {
-	return a + (b-a%b)%b
-}
-
-// cbcMode is an interface for block ciphers using cipher block chaining.
-type cbcMode interface {
-	cipher.BlockMode
-	SetIV([]byte)
-}
-
-// decrypt checks and strips the mac and decrypts the data in b. Returns a
-// success boolean, the number of bytes to skip from the start of the record in
-// order to get the application payload, and an optional alert value.
-func (hc *halfConn) decrypt(b *block) (ok bool, prefixLen int, alertValue alert) {
-	// pull out payload
-	payload := b.data[recordHeaderLen:]
-
-	macSize := 0
-	if hc.mac != nil {
-		macSize = hc.mac.Size()
-	}
-
-	paddingGood := byte(255)
-	paddingLen := 0
-	explicitIVLen := 0
-
-	// decrypt
-	if hc.cipher != nil {
-		switch c := hc.cipher.(type) {
-		case cipher.Stream:
-			c.XORKeyStream(payload, payload)
-		case aead:
-			explicitIVLen = c.explicitNonceLen()
-			if len(payload) < explicitIVLen {
-				return false, 0, alertBadRecordMAC
-			}
-			nonce := payload[:explicitIVLen]
-			payload = payload[explicitIVLen:]
-
-			if len(nonce) == 0 {
-				nonce = hc.seq[:]
-			}
-
-			copy(hc.additionalData[:], hc.seq[:])
-			copy(hc.additionalData[8:], b.data[:3])
-			n := len(payload) - c.Overhead()
-			hc.additionalData[11] = byte(n >> 8)
-			hc.additionalData[12] = byte(n)
-			var err error
-			payload, err = c.Open(payload[:0], nonce, payload, hc.additionalData[:])
-			if err != nil {
-				return false, 0, alertBadRecordMAC
-			}
-			b.resize(recordHeaderLen + explicitIVLen + len(payload))
-		case cbcMode:
-			blockSize := c.BlockSize()
-			if hc.version >= VersionTLS11 {
-				explicitIVLen = blockSize
-			}
-
-			if len(payload)%blockSize != 0 || len(payload) < roundUp(explicitIVLen+macSize+1, blockSize) {
-				return false, 0, alertBadRecordMAC
-			}
-
-			if explicitIVLen > 0 {
-				c.SetIV(payload[:explicitIVLen])
-				payload = payload[explicitIVLen:]
-			}
-			c.CryptBlocks(payload, payload)
-			if hc.version == VersionSSL30 {
-				paddingLen, paddingGood = extractPaddingSSL30(payload)
-			} else {
-				paddingLen, paddingGood = extractPadding(payload)
-
-				// To protect against CBC padding oracles like Lucky13, the data
-				// past paddingLen (which is secret) is passed to the MAC
-				// function as extra data, to be fed into the HMAC after
-				// computing the digest. This makes the MAC constant time as
-				// long as the digest computation is constant time and does not
-				// affect the subsequent write.
-			}
-		default:
-			panic("unknown cipher type")
-		}
-	}
-
-	// check, strip mac
-	if hc.mac != nil {
-		if len(payload) < macSize {
-			return false, 0, alertBadRecordMAC
-		}
-
-		// strip mac off payload, b.data
-		n := len(payload) - macSize - paddingLen
-		n = subtle.ConstantTimeSelect(int(uint32(n)>>31), 0, n) // if n < 0 { n = 0 }
-		b.data[3] = byte(n >> 8)
-		b.data[4] = byte(n)
-		remoteMAC := payload[n : n+macSize]
-		localMAC := hc.mac.MAC(hc.inDigestBuf, hc.seq[0:], b.data[:recordHeaderLen], payload[:n], payload[n+macSize:])
-
-		if subtle.ConstantTimeCompare(localMAC, remoteMAC) != 1 || paddingGood != 255 {
-			return false, 0, alertBadRecordMAC
-		}
-		hc.inDigestBuf = localMAC
-
-		b.resize(recordHeaderLen + explicitIVLen + n)
-	}
-	hc.incSeq()
-
-	return true, recordHeaderLen + explicitIVLen, 0
-}
-
-// padToBlockSize calculates the needed padding block, if any, for a payload.
-// On exit, prefix aliases payload and extends to the end of the last full
-// block of payload. finalBlock is a fresh slice which contains the contents of
-// any suffix of payload as well as the needed padding to make finalBlock a
-// full block.
-func padToBlockSize(payload []byte, blockSize int) (prefix, finalBlock []byte) {
-	overrun := len(payload) % blockSize
-	paddingLen := blockSize - overrun
-	prefix = payload[:len(payload)-overrun]
-	finalBlock = make([]byte, blockSize)
-	copy(finalBlock, payload[len(payload)-overrun:])
-	for i := overrun; i < blockSize; i++ {
-		finalBlock[i] = byte(paddingLen - 1)
-	}
-	return
-}
-
-// encrypt encrypts and macs the data in b.
-func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
-	// mac
-	if hc.mac != nil {
-		mac := hc.mac.MAC(hc.outDigestBuf, hc.seq[0:], b.data[:recordHeaderLen], b.data[recordHeaderLen+explicitIVLen:], nil)
-
-		n := len(b.data)
-		b.resize(n + len(mac))
-		copy(b.data[n:], mac)
-		hc.outDigestBuf = mac
-	}
-
-	payload := b.data[recordHeaderLen:]
-
-	// encrypt
-	if hc.cipher != nil {
-		switch c := hc.cipher.(type) {
-		case cipher.Stream:
-			c.XORKeyStream(payload, payload)
-		case aead:
-			payloadLen := len(b.data) - recordHeaderLen - explicitIVLen
-			b.resize(len(b.data) + c.Overhead())
-			nonce := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
-			if len(nonce) == 0 {
-				nonce = hc.seq[:]
-			}
-			payload := b.data[recordHeaderLen+explicitIVLen:]
-			payload = payload[:payloadLen]
-
-			copy(hc.additionalData[:], hc.seq[:])
-			copy(hc.additionalData[8:], b.data[:3])
-			hc.additionalData[11] = byte(payloadLen >> 8)
-			hc.additionalData[12] = byte(payloadLen)
-
-			c.Seal(payload[:0], nonce, payload, hc.additionalData[:])
-		case cbcMode:
-			blockSize := c.BlockSize()
-			if explicitIVLen > 0 {
-				c.SetIV(payload[:explicitIVLen])
-				payload = payload[explicitIVLen:]
-			}
-			prefix, finalBlock := padToBlockSize(payload, blockSize)
-			b.resize(recordHeaderLen + explicitIVLen + len(prefix) + len(finalBlock))
-			c.CryptBlocks(b.data[recordHeaderLen+explicitIVLen:], prefix)
-			c.CryptBlocks(b.data[recordHeaderLen+explicitIVLen+len(prefix):], finalBlock)
-		default:
-			panic("unknown cipher type")
-		}
-	}
-
-	// update length to include MAC and any block padding needed.
-	n := len(b.data) - recordHeaderLen
-	b.data[3] = byte(n >> 8)
-	b.data[4] = byte(n)
-	hc.incSeq()
-
-	return true, 0
-}
-
-// A block is a simple data buffer.
-type block struct {
-	data []byte
-	off  int // index for Read
-	link *block
-}
-
-// resize resizes block to be n bytes, growing if necessary.
-func (b *block) resize(n int) {
-	if n > cap(b.data) {
-		b.reserve(n)
-	}
-	b.data = b.data[0:n]
-}
-
-// reserve makes sure that block contains a capacity of at least n bytes.
-func (b *block) reserve(n int) {
-	if cap(b.data) >= n {
-		return
-	}
-	m := cap(b.data)
-	if m == 0 {
-		m = 1024
-	}
-	for m < n {
-		m *= 2
-	}
-	data := make([]byte, len(b.data), m)
-	copy(data, b.data)
-	b.data = data
-}
-
-// readFromUntil reads from r into b until b contains at least n bytes
-// or else returns an error.
-func (b *block) readFromUntil(r io.Reader, n int) error {
-	// quick case
-	if len(b.data) >= n {
-		return nil
-	}
-
-	// read until have enough.
-	b.reserve(n)
-	for {
-		m, err := r.Read(b.data[len(b.data):cap(b.data)])
-		b.data = b.data[0 : len(b.data)+m]
-		if len(b.data) >= n {
-			// TODO(bradfitz,agl): slightly suspicious
-			// that we're throwing away r.Read's err here.
-			break
-		}
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (b *block) Read(p []byte) (n int, err error) {
-	n = copy(p, b.data[b.off:])
-	b.off += n
-	return
-}
-
-// newBlock allocates a new block, from hc's free list if possible.
-func (hc *halfConn) newBlock() *block {
-	b := hc.bfree
-	if b == nil {
-		return new(block)
-	}
-	hc.bfree = b.link
-	b.link = nil
-	b.resize(0)
-	return b
-}
-
-// freeBlock returns a block to hc's free list.
-// The protocol is such that each side only has a block or two on
-// its free list at a time, so there's no need to worry about
-// trimming the list, etc.
-func (hc *halfConn) freeBlock(b *block) {
-	b.link = hc.bfree
-	hc.bfree = b
-}
-
-// splitBlock splits a block after the first n bytes,
-// returning a block with those n bytes and a
-// block with the remainder.  the latter may be nil.
-func (hc *halfConn) splitBlock(b *block, n int) (*block, *block) {
-	if len(b.data) <= n {
-		return b, nil
-	}
-	bb := hc.newBlock()
-	bb.resize(len(b.data) - n)
-	copy(bb.data, b.data[n:])
-	b.data = b.data[0:n]
-	return b, bb
-}
-
-// RecordHeaderError results when a TLS record header is invalid.
-type RecordHeaderError struct {
-	// Msg contains a human readable string that describes the error.
-	Msg string
-	// RecordHeader contains the five bytes of TLS record header that
-	// triggered the error.
-	RecordHeader [5]byte
-}
-
-func (e RecordHeaderError) Error() string { return "tls: " + e.Msg }
-
-func (c *Conn) newRecordHeaderError(msg string) (err RecordHeaderError) {
-	err.Msg = msg
-	copy(err.RecordHeader[:], c.rawInput.data)
-	return err
-}
-
-// readRecord reads the next TLS record from the connection
-// and updates the record layer state.
-// c.in.Mutex <= L; c.input == nil.
-func (c *Conn) readRecord(want recordType) error {
-	// Caller must be in sync with connection:
-	// handshake data if handshake not yet completed,
-	// else application data.
-	switch want {
-	default:
-		c.sendAlert(alertInternalError)
-		return c.in.setErrorLocked(errors.New("tls: unknown record type requested"))
-	case recordTypeHandshake, recordTypeChangeCipherSpec:
-		if c.handshakeComplete {
-			c.sendAlert(alertInternalError)
-			return c.in.setErrorLocked(errors.New("tls: handshake or ChangeCipherSpec requested while not in handshake"))
-		}
-	case recordTypeApplicationData:
-		if !c.handshakeComplete {
-			c.sendAlert(alertInternalError)
-			return c.in.setErrorLocked(errors.New("tls: application data record requested while in handshake"))
-		}
-	}
-
-Again:
-	if c.rawInput == nil {
-		c.rawInput = c.in.newBlock()
-	}
-	b := c.rawInput
-
-	// Read header, payload.
-	if err := b.readFromUntil(c.conn, recordHeaderLen); err != nil {
-		// RFC suggests that EOF without an alertCloseNotify is
-		// an error, but popular web sites seem to do this,
-		// so we can't make it an error.
-		// if err == io.EOF {
-		// 	err = io.ErrUnexpectedEOF
-		// }
-		if e, ok := err.(net.Error); !ok || !e.Temporary() {
-			c.in.setErrorLocked(err)
-		}
-		return err
-	}
-	typ := recordType(b.data[0])
-
-	// No valid TLS record has a type of 0x80, however SSLv2 handshakes
-	// start with a uint16 length where the MSB is set and the first record
-	// is always < 256 bytes long. Therefore typ == 0x80 strongly suggests
-	// an SSLv2 client.
-	if want == recordTypeHandshake && typ == 0x80 {
-		c.sendAlert(alertProtocolVersion)
-		return c.in.setErrorLocked(c.newRecordHeaderError("unsupported SSLv2 handshake received"))
-	}
-
-	vers := uint16(b.data[1])<<8 | uint16(b.data[2])
-	n := int(b.data[3])<<8 | int(b.data[4])
-	if c.haveVers && vers != c.vers {
-		c.sendAlert(alertProtocolVersion)
-		msg := fmt.Sprintf("received record with version %x when expecting version %x", vers, c.vers)
-		return c.in.setErrorLocked(c.newRecordHeaderError(msg))
-	}
-	if n > maxCiphertext {
-		c.sendAlert(alertRecordOverflow)
-		msg := fmt.Sprintf("oversized record received with length %d", n)
-		return c.in.setErrorLocked(c.newRecordHeaderError(msg))
-	}
-	if !c.haveVers {
-		// First message, be extra suspicious: this might not be a TLS
-		// client. Bail out before reading a full 'body', if possible.
-		// The current max version is 3.3 so if the version is >= 16.0,
-		// it's probably not real.
-		if (typ != recordTypeAlert && typ != want) || vers >= 0x1000 {
-			c.sendAlert(alertUnexpectedMessage)
-			return c.in.setErrorLocked(c.newRecordHeaderError("first record does not look like a TLS handshake"))
-		}
-	}
-	if err := b.readFromUntil(c.conn, recordHeaderLen+n); err != nil {
-		if err == io.EOF {
-			err = io.ErrUnexpectedEOF
-		}
-		if e, ok := err.(net.Error); !ok || !e.Temporary() {
-			c.in.setErrorLocked(err)
-		}
-		return err
-	}
-
-	// Process message.
-	b, c.rawInput = c.in.splitBlock(b, recordHeaderLen+n)
-	ok, off, alertValue := c.in.decrypt(b)
-	if !ok {
-		c.in.freeBlock(b)
-		return c.in.setErrorLocked(c.sendAlert(alertValue))
-	}
-	b.off = off
-	data := b.data[b.off:]
-	if len(data) > maxPlaintext {
-		err := c.sendAlert(alertRecordOverflow)
-		c.in.freeBlock(b)
-		return c.in.setErrorLocked(err)
-	}
-
-	switch typ {
-	default:
-		c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
-
-	case recordTypeAlert:
-		if len(data) != 2 {
-			c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
-			break
-		}
-		if alert(data[1]) == alertCloseNotify {
-			c.in.setErrorLocked(io.EOF)
-			break
-		}
-		switch data[0] {
-		case alertLevelWarning:
-			// drop on the floor
-			c.in.freeBlock(b)
-			goto Again
-		case alertLevelError:
-			c.in.setErrorLocked(&net.OpError{Op: "remote error", Err: alert(data[1])})
-		default:
-			c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
-		}
-
-	case recordTypeChangeCipherSpec:
-		if typ != want || len(data) != 1 || data[0] != 1 {
-			c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
-			break
-		}
-		err := c.in.changeCipherSpec()
-		if err != nil {
-			c.in.setErrorLocked(c.sendAlert(err.(alert)))
-		}
-
-	case recordTypeApplicationData:
-		if typ != want {
-			c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
-			break
-		}
-		c.input = b
-		b = nil
-
-	case recordTypeHandshake:
-		// TODO(rsc): Should at least pick off connection close.
-		if typ != want && !(c.isClient && c.config.Renegotiation != RenegotiateNever) {
-			return c.in.setErrorLocked(c.sendAlert(alertNoRenegotiation))
-		}
-		c.hand.Write(data)
-	}
-
-	if b != nil {
-		c.in.freeBlock(b)
-	}
-	return c.in.err
-}
-
-// sendAlert sends a TLS alert message.
-// c.out.Mutex <= L.
-func (c *Conn) sendAlertLocked(err alert) error {
-	switch err {
-	case alertNoRenegotiation, alertCloseNotify:
-		c.tmp[0] = alertLevelWarning
-	default:
-		c.tmp[0] = alertLevelError
-	}
-	c.tmp[1] = byte(err)
-
-	_, writeErr := c.writeRecordLocked(recordTypeAlert, c.tmp[0:2])
-	if err == alertCloseNotify {
-		// closeNotify is a special case in that it isn't an error.
-		return writeErr
-	}
-
-	return c.out.setErrorLocked(&net.OpError{Op: "local error", Err: err})
-}
-
-// sendAlert sends a TLS alert message.
-// L < c.out.Mutex.
-func (c *Conn) sendAlert(err alert) error {
-	c.out.Lock()
-	defer c.out.Unlock()
-	return c.sendAlertLocked(err)
-}
-
-const (
-	// tcpMSSEstimate is a conservative estimate of the TCP maximum segment
-	// size (MSS). A constant is used, rather than querying the kernel for
-	// the actual MSS, to avoid complexity. The value here is the IPv6
-	// minimum MTU (1280 bytes) minus the overhead of an IPv6 header (40
-	// bytes) and a TCP header with timestamps (32 bytes).
-	tcpMSSEstimate = 1208
-
-	// recordSizeBoostThreshold is the number of bytes of application data
-	// sent after which the TLS record size will be increased to the
-	// maximum.
-	recordSizeBoostThreshold = 128 * 1024
-)
-
-// maxPayloadSizeForWrite returns the maximum TLS payload size to use for the
-// next application data record. There is the following trade-off:
-//
-//   - For latency-sensitive applications, such as web browsing, each TLS
-//     record should fit in one TCP segment.
-//   - For throughput-sensitive applications, such as large file transfers,
-//     larger TLS records better amortize framing and encryption overheads.
-//
-// A simple heuristic that works well in practice is to use small records for
-// the first 1MB of data, then use larger records for subsequent data, and
-// reset back to smaller records after the connection becomes idle. See "High
-// Performance Web Networking", Chapter 4, or:
-// https://www.igvita.com/2013/10/24/optimizing-tls-record-size-and-buffering-latency/
-//
-// In the interests of simplicity and determinism, this code does not attempt
-// to reset the record size once the connection is idle, however.
-//
-// c.out.Mutex <= L.
-func (c *Conn) maxPayloadSizeForWrite(typ recordType, explicitIVLen int) int {
-	if c.config.DynamicRecordSizingDisabled || typ != recordTypeApplicationData {
-		return maxPlaintext
-	}
-
-	if c.bytesSent >= recordSizeBoostThreshold {
-		return maxPlaintext
-	}
-
-	// Subtract TLS overheads to get the maximum payload size.
-	macSize := 0
-	if c.out.mac != nil {
-		macSize = c.out.mac.Size()
-	}
-
-	payloadBytes := tcpMSSEstimate - recordHeaderLen - explicitIVLen
-	if c.out.cipher != nil {
-		switch ciph := c.out.cipher.(type) {
-		case cipher.Stream:
-			payloadBytes -= macSize
-		case cipher.AEAD:
-			payloadBytes -= ciph.Overhead()
-		case cbcMode:
-			blockSize := ciph.BlockSize()
-			// The payload must fit in a multiple of blockSize, with
-			// room for at least one padding byte.
-			payloadBytes = (payloadBytes & ^(blockSize - 1)) - 1
-			// The MAC is appended before padding so affects the
-			// payload size directly.
-			payloadBytes -= macSize
-		default:
-			panic("unknown cipher type")
-		}
-	}
-
-	// Allow packet growth in arithmetic progression up to max.
-	pkt := c.packetsSent
-	c.packetsSent++
-	if pkt > 1000 {
-		return maxPlaintext // avoid overflow in multiply below
-	}
-
-	n := payloadBytes * int(pkt+1)
-	if n > maxPlaintext {
-		n = maxPlaintext
-	}
-	return n
-}
-
-// c.out.Mutex <= L.
-func (c *Conn) write(data []byte) (int, error) {
-	if c.buffering {
-		c.sendBuf = append(c.sendBuf, data...)
-		return len(data), nil
-	}
-
-	n, err := c.conn.Write(data)
-	c.bytesSent += int64(n)
-	return n, err
-}
-
-func (c *Conn) flush() (int, error) {
-	if len(c.sendBuf) == 0 {
-		return 0, nil
-	}
-
-	n, err := c.conn.Write(c.sendBuf)
-	c.bytesSent += int64(n)
-	c.sendBuf = nil
-	c.buffering = false
-	return n, err
-}
-
-// writeRecordLocked writes a TLS record with the given type and payload to the
-// connection and updates the record layer state.
-// c.out.Mutex <= L.
-func (c *Conn) writeRecordLocked(typ recordType, data []byte) (int, error) {
-	b := c.out.newBlock()
-	defer c.out.freeBlock(b)
-
-	var n int
-	for len(data) > 0 {
-		explicitIVLen := 0
-		explicitIVIsSeq := false
-
-		var cbc cbcMode
-		if c.out.version >= VersionTLS11 {
-			var ok bool
-			if cbc, ok = c.out.cipher.(cbcMode); ok {
-				explicitIVLen = cbc.BlockSize()
-			}
-		}
-		if explicitIVLen == 0 {
-			if c, ok := c.out.cipher.(aead); ok {
-				explicitIVLen = c.explicitNonceLen()
-
-				// The AES-GCM construction in TLS has an
-				// explicit nonce so that the nonce can be
-				// random. However, the nonce is only 8 bytes
-				// which is too small for a secure, random
-				// nonce. Therefore we use the sequence number
-				// as the nonce.
-				explicitIVIsSeq = explicitIVLen > 0
-			}
-		}
-		m := len(data)
-		if maxPayload := c.maxPayloadSizeForWrite(typ, explicitIVLen); m > maxPayload {
-			m = maxPayload
-		}
-		b.resize(recordHeaderLen + explicitIVLen + m)
-		b.data[0] = byte(typ)
-		vers := c.vers
-		if vers == 0 {
-			// Some TLS servers fail if the record version is
-			// greater than TLS 1.0 for the initial ClientHello.
-			vers = VersionTLS10
-		}
-		b.data[1] = byte(vers >> 8)
-		b.data[2] = byte(vers)
-		b.data[3] = byte(m >> 8)
-		b.data[4] = byte(m)
-		if explicitIVLen > 0 {
-			explicitIV := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
-			if explicitIVIsSeq {
-				copy(explicitIV, c.out.seq[:])
-			} else {
-				if _, err := io.ReadFull(c.config.rand(), explicitIV); err != nil {
-					return n, err
-				}
-			}
-		}
-		copy(b.data[recordHeaderLen+explicitIVLen:], data)
-		c.out.encrypt(b, explicitIVLen)
-		if _, err := c.write(b.data); err != nil {
-			return n, err
-		}
-		n += m
-		data = data[m:]
-	}
-
-	if typ == recordTypeChangeCipherSpec {
-		if err := c.out.changeCipherSpec(); err != nil {
-			return n, c.sendAlertLocked(err.(alert))
-		}
-	}
-
-	return n, nil
-}
-
-// writeRecord writes a TLS record with the given type and payload to the
-// connection and updates the record layer state.
-// L < c.out.Mutex.
-func (c *Conn) writeRecord(typ recordType, data []byte) (int, error) {
-	c.out.Lock()
-	defer c.out.Unlock()
-
-	return c.writeRecordLocked(typ, data)
-}
-
-// readHandshake reads the next handshake message from
-// the record layer.
-// c.in.Mutex < L; c.out.Mutex < L.
-func (c *Conn) readHandshake() (interface{}, error) {
-	for c.hand.Len() < 4 {
-		if err := c.in.err; err != nil {
-			return nil, err
-		}
-		if err := c.readRecord(recordTypeHandshake); err != nil {
-			return nil, err
-		}
-	}
-
-	data := c.hand.Bytes()
-	n := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
-	if n > maxHandshake {
-		c.sendAlertLocked(alertInternalError)
-		return nil, c.in.setErrorLocked(fmt.Errorf("tls: handshake message of length %d bytes exceeds maximum of %d bytes", n, maxHandshake))
-	}
-	for c.hand.Len() < 4+n {
-		if err := c.in.err; err != nil {
-			return nil, err
-		}
-		if err := c.readRecord(recordTypeHandshake); err != nil {
-			return nil, err
-		}
-	}
-	data = c.hand.Next(4 + n)
-	var m handshakeMessage
-	switch data[0] {
-	case typeHelloRequest:
-		m = new(helloRequestMsg)
-	case typeClientHello:
-		m = new(clientHelloMsg)
-	case typeServerHello:
-		m = new(serverHelloMsg)
-	case typeNewSessionTicket:
-		m = new(newSessionTicketMsg)
-	case typeCertificate:
-		m = new(certificateMsg)
-	case typeCertificateRequest:
-		m = &certificateRequestMsg{
-			hasSignatureAndHash: c.vers >= VersionTLS12,
-		}
-	case typeCertificateStatus:
-		m = new(certificateStatusMsg)
-	case typeServerKeyExchange:
-		m = new(serverKeyExchangeMsg)
-	case typeServerHelloDone:
-		m = new(serverHelloDoneMsg)
-	case typeClientKeyExchange:
-		m = new(clientKeyExchangeMsg)
-	case typeCertificateVerify:
-		m = &certificateVerifyMsg{
-			hasSignatureAndHash: c.vers >= VersionTLS12,
-		}
-	case typeNextProtocol:
-		m = new(nextProtoMsg)
-	case typeFinished:
-		m = new(finishedMsg)
-	default:
-		return nil, c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
-	}
-
-	// The handshake message unmarshalers
-	// expect to be able to keep references to data,
-	// so pass in a fresh copy that won't be overwritten.
-	data = append([]byte(nil), data...)
-
-	if !m.unmarshal(data) {
-		return nil, c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
-	}
-	return m, nil
-}
-
-var (
-	errClosed   = errors.New("tls: use of closed connection")
-	errShutdown = errors.New("tls: protocol is shutdown")
-)
-
-// Write writes data to the connection.
-func (c *Conn) Write(b []byte) (int, error) {
-	// interlock with Close below
-	for {
-		x := atomic.LoadInt32(&c.activeCall)
-		if x&1 != 0 {
-			return 0, errClosed
-		}
-		if atomic.CompareAndSwapInt32(&c.activeCall, x, x+2) {
-			defer atomic.AddInt32(&c.activeCall, -2)
-			break
-		}
-	}
-
-	if err := c.Handshake(); err != nil {
-		return 0, err
-	}
-
-	c.out.Lock()
-	defer c.out.Unlock()
-
-	if err := c.out.err; err != nil {
-		return 0, err
-	}
-
-	if !c.handshakeComplete {
-		return 0, alertInternalError
-	}
-
-	if c.closeNotifySent {
-		return 0, errShutdown
-	}
-
-	// SSL 3.0 and TLS 1.0 are susceptible to a chosen-plaintext
-	// attack when using block mode ciphers due to predictable IVs.
-	// This can be prevented by splitting each Application Data
-	// record into two records, effectively randomizing the IV.
-	//
-	// http://www.openssl.org/~bodo/tls-cbc.txt
-	// https://bugzilla.mozilla.org/show_bug.cgi?id=665814
-	// http://www.imperialviolet.org/2012/01/15/beastfollowup.html
-
-	var m int
-	if len(b) > 1 && c.vers <= VersionTLS10 {
-		if _, ok := c.out.cipher.(cipher.BlockMode); ok {
-			n, err := c.writeRecordLocked(recordTypeApplicationData, b[:1])
-			if err != nil {
-				return n, c.out.setErrorLocked(err)
-			}
-			m, b = 1, b[1:]
-		}
-	}
-
-	n, err := c.writeRecordLocked(recordTypeApplicationData, b)
-	return n + m, c.out.setErrorLocked(err)
-}
-
-// handleRenegotiation processes a HelloRequest handshake message.
-// c.in.Mutex <= L
-func (c *Conn) handleRenegotiation() error {
-	msg, err := c.readHandshake()
-	if err != nil {
-		return err
-	}
-
-	_, ok := msg.(*helloRequestMsg)
-	if !ok {
-		c.sendAlert(alertUnexpectedMessage)
-		return alertUnexpectedMessage
-	}
-
-	if !c.isClient {
-		return c.sendAlert(alertNoRenegotiation)
-	}
-
-	switch c.config.Renegotiation {
-	case RenegotiateNever:
-		return c.sendAlert(alertNoRenegotiation)
-	case RenegotiateOnceAsClient:
-		if c.handshakes > 1 {
-			return c.sendAlert(alertNoRenegotiation)
-		}
-	case RenegotiateFreelyAsClient:
-		// Ok.
-	default:
-		c.sendAlert(alertInternalError)
-		return errors.New("tls: unknown Renegotiation value")
-	}
-
-	c.handshakeMutex.Lock()
-	defer c.handshakeMutex.Unlock()
-
-	c.handshakeComplete = false
-	if c.handshakeErr = c.clientHandshake(); c.handshakeErr == nil {
-		c.handshakes++
-	}
-	return c.handshakeErr
-}
-
-// Read can be made to time out and return a net.Error with Timeout() == true
-// after a fixed time limit; see SetDeadline and SetReadDeadline.
-func (c *Conn) Read(b []byte) (n int, err error) {
-	if err = c.Handshake(); err != nil {
-		return
-	}
-	if len(b) == 0 {
-		// Put this after Handshake, in case people were calling
-		// Read(nil) for the side effect of the Handshake.
-		return
-	}
-
-	c.in.Lock()
-	defer c.in.Unlock()
-
-	// Some OpenSSL servers send empty records in order to randomize the
-	// CBC IV. So this loop ignores a limited number of empty records.
-	const maxConsecutiveEmptyRecords = 100
-	for emptyRecordCount := 0; emptyRecordCount <= maxConsecutiveEmptyRecords; emptyRecordCount++ {
-		for c.input == nil && c.in.err == nil {
-			if err := c.readRecord(recordTypeApplicationData); err != nil {
-				// Soft error, like EAGAIN
-				return 0, err
-			}
-			if c.hand.Len() > 0 {
-				// We received handshake bytes, indicating the
-				// start of a renegotiation.
-				if err := c.handleRenegotiation(); err != nil {
-					return 0, err
-				}
-			}
-		}
-		if err := c.in.err; err != nil {
-			return 0, err
-		}
-
-		n, err = c.input.Read(b)
-		if c.input.off >= len(c.input.data) {
-			c.in.freeBlock(c.input)
-			c.input = nil
-		}
-
-		// If a close-notify alert is waiting, read it so that
-		// we can return (n, EOF) instead of (n, nil), to signal
-		// to the HTTP response reading goroutine that the
-		// connection is now closed. This eliminates a race
-		// where the HTTP response reading goroutine would
-		// otherwise not observe the EOF until its next read,
-		// by which time a client goroutine might have already
-		// tried to reuse the HTTP connection for a new
-		// request.
-		// See https://codereview.appspot.com/76400046
-		// and https://golang.org/issue/3514
-		if ri := c.rawInput; ri != nil &&
-			n != 0 && err == nil &&
-			c.input == nil && len(ri.data) > 0 && recordType(ri.data[0]) == recordTypeAlert {
-			if recErr := c.readRecord(recordTypeApplicationData); recErr != nil {
-				err = recErr // will be io.EOF on closeNotify
-			}
-		}
-
-		if n != 0 || err != nil {
-			return n, err
-		}
-	}
-
-	return 0, io.ErrNoProgress
-}
-
-// Close closes the connection.
-func (c *Conn) Close() error {
-	// Interlock with Conn.Write above.
-	var x int32
-	for {
-		x = atomic.LoadInt32(&c.activeCall)
-		if x&1 != 0 {
-			return errClosed
-		}
-		if atomic.CompareAndSwapInt32(&c.activeCall, x, x|1) {
-			break
-		}
-	}
-	if x != 0 {
-		// io.Writer and io.Closer should not be used concurrently.
-		// If Close is called while a Write is currently in-flight,
-		// interpret that as a sign that this Close is really just
-		// being used to break the Write and/or clean up resources and
-		// avoid sending the alertCloseNotify, which may block
-		// waiting on handshakeMutex or the c.out mutex.
-		return c.conn.Close()
-	}
-
-	var alertErr error
-
-	c.handshakeMutex.Lock()
-	if c.handshakeComplete {
-		alertErr = c.closeNotify()
-	}
-	c.handshakeMutex.Unlock()
-
-	if err := c.conn.Close(); err != nil {
-		return err
-	}
-	return alertErr
-}
-
-var errEarlyCloseWrite = errors.New("tls: CloseWrite called before handshake complete")
-
-// CloseWrite shuts down the writing side of the connection. It should only be
-// called once the handshake has completed and does not call CloseWrite on the
-// underlying connection. Most callers should just use Close.
-func (c *Conn) CloseWrite() error {
-	c.handshakeMutex.Lock()
-	defer c.handshakeMutex.Unlock()
-	if !c.handshakeComplete {
-		return errEarlyCloseWrite
-	}
-
-	return c.closeNotify()
-}
-
-func (c *Conn) closeNotify() error {
-	c.out.Lock()
-	defer c.out.Unlock()
-
-	if !c.closeNotifySent {
-		c.closeNotifyErr = c.sendAlertLocked(alertCloseNotify)
-		c.closeNotifySent = true
-	}
-	return c.closeNotifyErr
-}
-
-// Handshake runs the client or server handshake
-// protocol if it has not yet been run.
-// Most uses of this package need not call Handshake
-// explicitly: the first Read or Write will call it automatically.
-func (c *Conn) Handshake() error {
-	// c.handshakeErr and c.handshakeComplete are protected by
-	// c.handshakeMutex. In order to perform a handshake, we need to lock
-	// c.in also and c.handshakeMutex must be locked after c.in.
-	//
-	// However, if a Read() operation is hanging then it'll be holding the
-	// lock on c.in and so taking it here would cause all operations that
-	// need to check whether a handshake is pending (such as Write) to
-	// block.
-	//
-	// Thus we first take c.handshakeMutex to check whether a handshake is
-	// needed.
-	//
-	// If so then, previously, this code would unlock handshakeMutex and
-	// then lock c.in and handshakeMutex in the correct order to run the
-	// handshake. The problem was that it was possible for a Read to
-	// complete the handshake once handshakeMutex was unlocked and then
-	// keep c.in while waiting for network data. Thus a concurrent
-	// operation could be blocked on c.in.
-	//
-	// Thus handshakeCond is used to signal that a goroutine is committed
-	// to running the handshake and other goroutines can wait on it if they
-	// need. handshakeCond is protected by handshakeMutex.
-	c.handshakeMutex.Lock()
-	defer c.handshakeMutex.Unlock()
-
-	for {
-		if err := c.handshakeErr; err != nil {
-			return err
-		}
-		if c.handshakeComplete {
-			return nil
-		}
-		if c.handshakeCond == nil {
-			break
-		}
-
-		c.handshakeCond.Wait()
-	}
-
-	// Set handshakeCond to indicate that this goroutine is committing to
-	// running the handshake.
-	c.handshakeCond = sync.NewCond(&c.handshakeMutex)
-	c.handshakeMutex.Unlock()
-
-	c.in.Lock()
-	defer c.in.Unlock()
-
-	c.handshakeMutex.Lock()
-
-	// The handshake cannot have completed when handshakeMutex was unlocked
-	// because this goroutine set handshakeCond.
-	if c.handshakeErr != nil || c.handshakeComplete {
-		panic("handshake should not have been able to complete after handshakeCond was set")
-	}
-
-	if c.isClient {
-		c.handshakeErr = c.clientHandshake()
-	} else {
-		c.handshakeErr = c.serverHandshake()
-	}
-	if c.handshakeErr == nil {
-		c.handshakes++
-	} else {
-		// If an error occurred during the hadshake try to flush the
-		// alert that might be left in the buffer.
-		c.flush()
-	}
-
-	if c.handshakeErr == nil && !c.handshakeComplete {
-		panic("handshake should have had a result.")
-	}
-
-	// Wake any other goroutines that are waiting for this handshake to
-	// complete.
-	c.handshakeCond.Broadcast()
-	c.handshakeCond = nil
-
-	return c.handshakeErr
-}
-
-// ConnectionState returns basic TLS details about the connection.
-func (c *Conn) ConnectionState() ConnectionState {
-	c.handshakeMutex.Lock()
-	defer c.handshakeMutex.Unlock()
-
-	var state ConnectionState
-	state.HandshakeComplete = c.handshakeComplete
-	state.ServerName = c.serverName
-
-	if c.handshakeComplete {
-		state.Version = c.vers
-		state.NegotiatedProtocol = c.clientProtocol
-		state.DidResume = c.didResume
-		state.NegotiatedProtocolIsMutual = !c.clientProtocolFallback
-		state.CipherSuite = c.cipherSuite
-		state.PeerCertificates = c.peerCertificates
-		state.VerifiedChains = c.verifiedChains
-		state.SignedCertificateTimestamps = c.scts
-		state.OCSPResponse = c.ocspResponse
-		if !c.didResume {
-			if c.clientFinishedIsFirst {
-				state.TLSUnique = c.clientFinished[:]
-			} else {
-				state.TLSUnique = c.serverFinished[:]
-			}
-		}
-	}
-
-	return state
-}
-
-// OCSPResponse returns the stapled OCSP response from the TLS server, if
-// any. (Only valid for client connections.)
-func (c *Conn) OCSPResponse() []byte {
-	c.handshakeMutex.Lock()
-	defer c.handshakeMutex.Unlock()
-
-	return c.ocspResponse
-}
-
-// VerifyHostname checks that the peer certificate chain is valid for
-// connecting to host. If so, it returns nil; if not, it returns an error
-// describing the problem.
-func (c *Conn) VerifyHostname(host string) error {
-	c.handshakeMutex.Lock()
-	defer c.handshakeMutex.Unlock()
-	if !c.isClient {
-		return errors.New("tls: VerifyHostname called on TLS server connection")
-	}
-	if !c.handshakeComplete {
-		return errors.New("tls: handshake has not yet been performed")
-	}
-	if len(c.verifiedChains) == 0 {
-		return errors.New("tls: handshake did not verify certificate chain")
-	}
-	return c.peerCertificates[0].VerifyHostname(host)
-}

vendor/github.com/Psiphon-Labs/utls/handshake_client.go

@@ -1,883 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tls
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/rsa"
-	"crypto/subtle"
-	"crypto/x509"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"strconv"
-	"strings"
-)
-
-type clientHandshakeState struct {
-	c            *Conn
-	serverHello  *serverHelloMsg
-	hello        *clientHelloMsg
-	suite        *cipherSuite
-	finishedHash finishedHash
-	masterSecret []byte
-	session      *ClientSessionState
-}
-
-func makeClientHello(config *Config) (*clientHelloMsg, error) {
-	if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
-		return nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
-	}
-
-	nextProtosLength := 0
-	for _, proto := range config.NextProtos {
-		if l := len(proto); l == 0 || l > 255 {
-			return nil, errors.New("tls: invalid NextProtos value")
-		} else {
-			nextProtosLength += 1 + l
-		}
-	}
-
-	if nextProtosLength > 0xffff {
-		return nil, errors.New("tls: NextProtos values too large")
-	}
-
-	hello := &clientHelloMsg{
-		vers:                         config.maxVersion(),
-		compressionMethods:           []uint8{compressionNone},
-		random:                       make([]byte, 32),
-		ocspStapling:                 true,
-		scts:                         true,
-		serverName:                   hostnameInSNI(config.ServerName),
-		supportedCurves:              config.curvePreferences(),
-		supportedPoints:              []uint8{pointFormatUncompressed},
-		nextProtoNeg:                 len(config.NextProtos) > 0,
-		secureRenegotiationSupported: true,
-		alpnProtocols:                config.NextProtos,
-	}
-	possibleCipherSuites := config.cipherSuites()
-	hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))
-
-NextCipherSuite:
-	for _, suiteId := range possibleCipherSuites {
-		for _, suite := range cipherSuites {
-			if suite.id != suiteId {
-				continue
-			}
-			// Don't advertise TLS 1.2-only cipher suites unless
-			// we're attempting TLS 1.2.
-			if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
-				continue
-			}
-			hello.cipherSuites = append(hello.cipherSuites, suiteId)
-			continue NextCipherSuite
-		}
-	}
-
-	_, err := io.ReadFull(config.rand(), hello.random)
-	if err != nil {
-		return nil, errors.New("tls: short read from Rand: " + err.Error())
-	}
-
-	if hello.vers >= VersionTLS12 {
-		hello.signatureAndHashes = supportedSignatureAlgorithms
-	}
-
-	return hello, nil
-}
-
-// c.out.Mutex <= L; c.handshakeMutex <= L.
-func (c *Conn) clientHandshake() error {
-	if c.config == nil {
-		c.config = defaultConfig()
-	}
-
-	// This may be a renegotiation handshake, in which case some fields
-	// need to be reset.
-	c.didResume = false
-
-	hello, err := makeClientHello(c.config)
-	if err != nil {
-		return err
-	}
-
-	if c.handshakes > 0 {
-		hello.secureRenegotiation = c.clientFinished[:]
-	}
-
-	var session *ClientSessionState
-	var cacheKey string
-	sessionCache := c.config.ClientSessionCache
-	if c.config.SessionTicketsDisabled {
-		sessionCache = nil
-	}
-
-	if sessionCache != nil {
-		hello.ticketSupported = true
-	}
-
-	// Session resumption is not allowed if renegotiating because
-	// renegotiation is primarily used to allow a client to send a client
-	// certificate, which would be skipped if session resumption occurred.
-	if sessionCache != nil && c.handshakes == 0 {
-
-		// Try to resume a previously negotiated TLS session, if
-		// available.
-		cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
-		candidateSession, ok := sessionCache.Get(cacheKey)
-		if ok {
-			// Check that the ciphersuite/version used for the
-			// previous session are still valid.
-			cipherSuiteOk := false
-			for _, id := range hello.cipherSuites {
-				if id == candidateSession.cipherSuite {
-					cipherSuiteOk = true
-					break
-				}
-			}
-
-			versOk := candidateSession.vers >= c.config.minVersion() &&
-				candidateSession.vers <= c.config.maxVersion()
-			if versOk && cipherSuiteOk {
-				session = candidateSession
-			}
-		}
-	}
-
-	if session != nil {
-		hello.sessionTicket = session.sessionTicket
-		// A random session ID is used to detect when the
-		// server accepted the ticket and is resuming a session
-		// (see RFC 5077).
-		hello.sessionId = make([]byte, 16)
-		if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {
-			return errors.New("tls: short read from Rand: " + err.Error())
-		}
-	}
-
-	hs := &clientHandshakeState{
-		c:       c,
-		hello:   hello,
-		session: session,
-	}
-
-	if err = hs.handshake(); err != nil {
-		return err
-	}
-
-	// If we had a successful handshake and hs.session is different from
-	// the one already cached - cache a new one
-	if sessionCache != nil && hs.session != nil && session != hs.session {
-		sessionCache.Put(cacheKey, hs.session)
-	}
-
-	return nil
-}
-
-// Does the handshake, either a full one or resumes old session.
-// Requires hs.c, hs.hello, and, optionally, hs.session to be set.
-func (hs *clientHandshakeState) handshake() error {
-	c := hs.c
-
-	// send ClientHello
-	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
-		return err
-	}
-
-	msg, err := c.readHandshake()
-	if err != nil {
-		return err
-	}
-
-	var ok bool
-	if hs.serverHello, ok = msg.(*serverHelloMsg); !ok {
-		c.sendAlert(alertUnexpectedMessage)
-		return unexpectedMessageError(hs.serverHello, msg)
-	}
-
-	if err = hs.pickTLSVersion(); err != nil {
-		return err
-	}
-
-	if err = hs.pickCipherSuite(); err != nil {
-		return err
-	}
-
-	isResume, err := hs.processServerHello()
-	if err != nil {
-		return err
-	}
-
-	hs.finishedHash = newFinishedHash(c.vers, hs.suite)
-
-	// No signatures of the handshake are needed in a resumption.
-	// Otherwise, in a full handshake, if we don't have any certificates
-	// configured then we will never send a CertificateVerify message and
-	// thus no signatures are needed in that case either.
-	if isResume || (len(c.config.Certificates) == 0 && c.config.GetClientCertificate == nil) {
-		hs.finishedHash.discardHandshakeBuffer()
-	}
-
-	hs.finishedHash.Write(hs.hello.marshal())
-	hs.finishedHash.Write(hs.serverHello.marshal())
-
-	c.buffering = true
-	if isResume {
-		if err := hs.establishKeys(); err != nil {
-			return err
-		}
-		if err := hs.readSessionTicket(); err != nil {
-			return err
-		}
-		if err := hs.readFinished(c.serverFinished[:]); err != nil {
-			return err
-		}
-		c.clientFinishedIsFirst = false
-		if err := hs.sendFinished(c.clientFinished[:]); err != nil {
-			return err
-		}
-		if _, err := c.flush(); err != nil {
-			return err
-		}
-	} else {
-		if err := hs.doFullHandshake(); err != nil {
-			return err
-		}
-		if err := hs.establishKeys(); err != nil {
-			return err
-		}
-		if err := hs.sendFinished(c.clientFinished[:]); err != nil {
-			return err
-		}
-		if _, err := c.flush(); err != nil {
-			return err
-		}
-		c.clientFinishedIsFirst = true
-		if err := hs.readSessionTicket(); err != nil {
-			return err
-		}
-		if err := hs.readFinished(c.serverFinished[:]); err != nil {
-			return err
-		}
-	}
-
-	c.didResume = isResume
-	c.handshakeComplete = true
-
-	return nil
-}
-
-func (hs *clientHandshakeState) pickTLSVersion() error {
-	vers, ok := hs.c.config.mutualVersion(hs.serverHello.vers)
-	if !ok || vers < VersionTLS10 {
-		// TLS 1.0 is the minimum version supported as a client.
-		hs.c.sendAlert(alertProtocolVersion)
-		return fmt.Errorf("tls: server selected unsupported protocol version %x", hs.serverHello.vers)
-	}
-
-	hs.c.vers = vers
-	hs.c.haveVers = true
-
-	return nil
-}
-
-func (hs *clientHandshakeState) pickCipherSuite() error {
-	if hs.suite = mutualCipherSuite(hs.hello.cipherSuites, hs.serverHello.cipherSuite); hs.suite == nil {
-		hs.c.sendAlert(alertHandshakeFailure)
-		return errors.New("tls: server chose an unconfigured cipher suite")
-	}
-
-	hs.c.cipherSuite = hs.suite.id
-	return nil
-}
-
-func (hs *clientHandshakeState) doFullHandshake() error {
-	c := hs.c
-
-	msg, err := c.readHandshake()
-	if err != nil {
-		return err
-	}
-	certMsg, ok := msg.(*certificateMsg)
-	if !ok || len(certMsg.certificates) == 0 {
-		c.sendAlert(alertUnexpectedMessage)
-		return unexpectedMessageError(certMsg, msg)
-	}
-	hs.finishedHash.Write(certMsg.marshal())
-
-	if c.handshakes == 0 {
-		// If this is the first handshake on a connection, process and
-		// (optionally) verify the server's certificates.
-		certs := make([]*x509.Certificate, len(certMsg.certificates))
-		for i, asn1Data := range certMsg.certificates {
-			cert, err := x509.ParseCertificate(asn1Data)
-			if err != nil {
-				c.sendAlert(alertBadCertificate)
-				return errors.New("tls: failed to parse certificate from server: " + err.Error())
-			}
-			certs[i] = cert
-		}
-
-		if !c.config.InsecureSkipVerify {
-			opts := x509.VerifyOptions{
-				Roots:         c.config.RootCAs,
-				CurrentTime:   c.config.time(),
-				DNSName:       c.config.ServerName,
-				Intermediates: x509.NewCertPool(),
-			}
-
-			for i, cert := range certs {
-				if i == 0 {
-					continue
-				}
-				opts.Intermediates.AddCert(cert)
-			}
-			c.verifiedChains, err = certs[0].Verify(opts)
-			if err != nil {
-				c.sendAlert(alertBadCertificate)
-				return err
-			}
-		}
-
-		if c.config.VerifyPeerCertificate != nil {
-			if err := c.config.VerifyPeerCertificate(certMsg.certificates, c.verifiedChains); err != nil {
-				c.sendAlert(alertBadCertificate)
-				return err
-			}
-		}
-
-		switch certs[0].PublicKey.(type) {
-		case *rsa.PublicKey, *ecdsa.PublicKey:
-			break
-		default:
-			c.sendAlert(alertUnsupportedCertificate)
-			return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
-		}
-
-		c.peerCertificates = certs
-	} else {
-		// This is a renegotiation handshake. We require that the
-		// server's identity (i.e. leaf certificate) is unchanged and
-		// thus any previous trust decision is still valid.
-		//
-		// See https://mitls.org/pages/attacks/3SHAKE for the
-		// motivation behind this requirement.
-		if !bytes.Equal(c.peerCertificates[0].Raw, certMsg.certificates[0]) {
-			c.sendAlert(alertBadCertificate)
-			return errors.New("tls: server's identity changed during renegotiation")
-		}
-	}
-
-	if hs.serverHello.ocspStapling {
-		msg, err = c.readHandshake()
-		if err != nil {
-			return err
-		}
-		cs, ok := msg.(*certificateStatusMsg)
-		if !ok {
-			c.sendAlert(alertUnexpectedMessage)
-			return unexpectedMessageError(cs, msg)
-		}
-		hs.finishedHash.Write(cs.marshal())
-
-		if cs.statusType == statusTypeOCSP {
-			c.ocspResponse = cs.response
-		}
-	}
-
-	msg, err = c.readHandshake()
-	if err != nil {
-		return err
-	}
-
-	keyAgreement := hs.suite.ka(c.vers)
-
-	skx, ok := msg.(*serverKeyExchangeMsg)
-	if ok {
-		hs.finishedHash.Write(skx.marshal())
-		err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, c.peerCertificates[0], skx)
-		if err != nil {
-			c.sendAlert(alertUnexpectedMessage)
-			return err
-		}
-
-		msg, err = c.readHandshake()
-		if err != nil {
-			return err
-		}
-	}
-
-	var chainToSend *Certificate
-	var certRequested bool
-	certReq, ok := msg.(*certificateRequestMsg)
-	if ok {
-		certRequested = true
-		hs.finishedHash.Write(certReq.marshal())
-
-		if chainToSend, err = hs.getCertificate(certReq); err != nil {
-			c.sendAlert(alertInternalError)
-			return err
-		}
-
-		msg, err = c.readHandshake()
-		if err != nil {
-			return err
-		}
-	}
-
-	shd, ok := msg.(*serverHelloDoneMsg)
-	if !ok {
-		c.sendAlert(alertUnexpectedMessage)
-		return unexpectedMessageError(shd, msg)
-	}
-	hs.finishedHash.Write(shd.marshal())
-
-	// If the server requested a certificate then we have to send a
-	// Certificate message, even if it's empty because we don't have a
-	// certificate to send.
-	if certRequested {
-		certMsg = new(certificateMsg)
-		certMsg.certificates = chainToSend.Certificate
-		hs.finishedHash.Write(certMsg.marshal())
-		if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
-			return err
-		}
-	}
-
-	preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, c.peerCertificates[0])
-	if err != nil {
-		c.sendAlert(alertInternalError)
-		return err
-	}
-	if ckx != nil {
-		hs.finishedHash.Write(ckx.marshal())
-		if _, err := c.writeRecord(recordTypeHandshake, ckx.marshal()); err != nil {
-			return err
-		}
-	}
-
-	if chainToSend != nil && len(chainToSend.Certificate) > 0 {
-		certVerify := &certificateVerifyMsg{
-			hasSignatureAndHash: c.vers >= VersionTLS12,
-		}
-
-		key, ok := chainToSend.PrivateKey.(crypto.Signer)
-		if !ok {
-			c.sendAlert(alertInternalError)
-			return fmt.Errorf("tls: client certificate private key of type %T does not implement crypto.Signer", chainToSend.PrivateKey)
-		}
-
-		var signatureType uint8
-		switch key.Public().(type) {
-		case *ecdsa.PublicKey:
-			signatureType = signatureECDSA
-		case *rsa.PublicKey:
-			signatureType = signatureRSA
-		default:
-			c.sendAlert(alertInternalError)
-			return fmt.Errorf("tls: failed to sign handshake with client certificate: unknown client certificate key type: %T", key)
-		}
-
-		certVerify.signatureAndHash, err = hs.finishedHash.selectClientCertSignatureAlgorithm(certReq.signatureAndHashes, signatureType)
-		if err != nil {
-			c.sendAlert(alertInternalError)
-			return err
-		}
-		digest, hashFunc, err := hs.finishedHash.hashForClientCertificate(certVerify.signatureAndHash, hs.masterSecret)
-		if err != nil {
-			c.sendAlert(alertInternalError)
-			return err
-		}
-		certVerify.signature, err = key.Sign(c.config.rand(), digest, hashFunc)
-		if err != nil {
-			c.sendAlert(alertInternalError)
-			return err
-		}
-
-		hs.finishedHash.Write(certVerify.marshal())
-		if _, err := c.writeRecord(recordTypeHandshake, certVerify.marshal()); err != nil {
-			return err
-		}
-	}
-
-	if hs.hello.ems && hs.serverHello.ems {
-		hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)
-	} else {
-		hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)
-	}
-	if err := c.config.writeKeyLog(hs.hello.random, hs.masterSecret); err != nil {
-		c.sendAlert(alertInternalError)
-		return errors.New("tls: failed to write to key log: " + err.Error())
-	}
-
-	hs.finishedHash.discardHandshakeBuffer()
-
-	return nil
-}
-
-func (hs *clientHandshakeState) establishKeys() error {
-	c := hs.c
-
-	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
-		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
-	var clientCipher, serverCipher interface{}
-	var clientHash, serverHash macFunction
-	if hs.suite.cipher != nil {
-		clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)
-		clientHash = hs.suite.mac(c.vers, clientMAC)
-		serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)
-		serverHash = hs.suite.mac(c.vers, serverMAC)
-	} else {
-		clientCipher = hs.suite.aead(clientKey, clientIV)
-		serverCipher = hs.suite.aead(serverKey, serverIV)
-	}
-
-	c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
-	c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
-	return nil
-}
-
-func (hs *clientHandshakeState) serverResumedSession() bool {
-	// If the server responded with the same sessionId then it means the
-	// sessionTicket is being used to resume a TLS session.
-	return hs.session != nil && hs.hello.sessionId != nil &&
-		bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)
-}
-
-func (hs *clientHandshakeState) processServerHello() (bool, error) {
-	c := hs.c
-
-	if hs.serverHello.compressionMethod != compressionNone {
-		c.sendAlert(alertUnexpectedMessage)
-		return false, errors.New("tls: server selected unsupported compression format")
-	}
-
-	if c.handshakes == 0 && hs.serverHello.secureRenegotiationSupported {
-		c.secureRenegotiation = true
-		if len(hs.serverHello.secureRenegotiation) != 0 {
-			c.sendAlert(alertHandshakeFailure)
-			return false, errors.New("tls: initial handshake had non-empty renegotiation extension")
-		}
-	}
-
-	if c.handshakes > 0 && c.secureRenegotiation {
-		var expectedSecureRenegotiation [24]byte
-		copy(expectedSecureRenegotiation[:], c.clientFinished[:])
-		copy(expectedSecureRenegotiation[12:], c.serverFinished[:])
-		if !bytes.Equal(hs.serverHello.secureRenegotiation, expectedSecureRenegotiation[:]) {
-			c.sendAlert(alertHandshakeFailure)
-			return false, errors.New("tls: incorrect renegotiation extension contents")
-		}
-	}
-
-	clientDidNPN := hs.hello.nextProtoNeg
-	clientDidALPN := len(hs.hello.alpnProtocols) > 0
-	serverHasNPN := hs.serverHello.nextProtoNeg
-	serverHasALPN := len(hs.serverHello.alpnProtocol) > 0
-
-	if !clientDidNPN && serverHasNPN {
-		c.sendAlert(alertHandshakeFailure)
-		return false, errors.New("tls: server advertised unrequested NPN extension")
-	}
-
-	if !clientDidALPN && serverHasALPN {
-		c.sendAlert(alertHandshakeFailure)
-		return false, errors.New("tls: server advertised unrequested ALPN extension")
-	}
-
-	if serverHasNPN && serverHasALPN {
-		c.sendAlert(alertHandshakeFailure)
-		return false, errors.New("tls: server advertised both NPN and ALPN extensions")
-	}
-
-	if serverHasALPN {
-		c.clientProtocol = hs.serverHello.alpnProtocol
-		c.clientProtocolFallback = false
-	}
-	c.scts = hs.serverHello.scts
-
-	if !hs.serverResumedSession() {
-		return false, nil
-	}
-
-	if hs.session.vers != c.vers {
-		c.sendAlert(alertHandshakeFailure)
-		return false, errors.New("tls: server resumed a session with a different version")
-	}
-
-	if hs.session.cipherSuite != hs.suite.id {
-		c.sendAlert(alertHandshakeFailure)
-		return false, errors.New("tls: server resumed a session with a different cipher suite")
-	}
-
-	// Restore masterSecret and peerCerts from previous state
-	hs.masterSecret = hs.session.masterSecret
-	c.peerCertificates = hs.session.serverCertificates
-	c.verifiedChains = hs.session.verifiedChains
-	return true, nil
-}
-
-func (hs *clientHandshakeState) readFinished(out []byte) error {
-	c := hs.c
-
-	c.readRecord(recordTypeChangeCipherSpec)
-	if c.in.err != nil {
-		return c.in.err
-	}
-
-	msg, err := c.readHandshake()
-	if err != nil {
-		return err
-	}
-	serverFinished, ok := msg.(*finishedMsg)
-	if !ok {
-		c.sendAlert(alertUnexpectedMessage)
-		return unexpectedMessageError(serverFinished, msg)
-	}
-
-	verify := hs.finishedHash.serverSum(hs.masterSecret)
-	if len(verify) != len(serverFinished.verifyData) ||
-		subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
-		c.sendAlert(alertHandshakeFailure)
-		return errors.New("tls: server's Finished message was incorrect")
-	}
-	hs.finishedHash.Write(serverFinished.marshal())
-	copy(out, verify)
-	return nil
-}
-
-func (hs *clientHandshakeState) readSessionTicket() error {
-	if !hs.serverHello.ticketSupported {
-		return nil
-	}
-
-	c := hs.c
-	msg, err := c.readHandshake()
-	if err != nil {
-		return err
-	}
-	sessionTicketMsg, ok := msg.(*newSessionTicketMsg)
-	if !ok {
-		c.sendAlert(alertUnexpectedMessage)
-		return unexpectedMessageError(sessionTicketMsg, msg)
-	}
-	hs.finishedHash.Write(sessionTicketMsg.marshal())
-
-	hs.session = &ClientSessionState{
-		sessionTicket:      sessionTicketMsg.ticket,
-		vers:               c.vers,
-		cipherSuite:        hs.suite.id,
-		masterSecret:       hs.masterSecret,
-		serverCertificates: c.peerCertificates,
-		verifiedChains:     c.verifiedChains,
-	}
-
-	return nil
-}
-
-func (hs *clientHandshakeState) sendFinished(out []byte) error {
-	c := hs.c
-
-	if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil {
-		return err
-	}
-	if hs.serverHello.nextProtoNeg {
-		nextProto := new(nextProtoMsg)
-		proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.nextProtos)
-		nextProto.proto = proto
-		c.clientProtocol = proto
-		c.clientProtocolFallback = fallback
-
-		hs.finishedHash.Write(nextProto.marshal())
-		if _, err := c.writeRecord(recordTypeHandshake, nextProto.marshal()); err != nil {
-			return err
-		}
-	}
-
-	finished := new(finishedMsg)
-	finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
-	hs.finishedHash.Write(finished.marshal())
-	if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
-		return err
-	}
-	copy(out, finished.verifyData)
-	return nil
-}
-
-// tls11SignatureSchemes contains the signature schemes that we synthesise for
-// a TLS <= 1.1 connection, based on the supported certificate types.
-var tls11SignatureSchemes = []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1}
-
-const (
-	// tls11SignatureSchemesNumECDSA is the number of initial elements of
-	// tls11SignatureSchemes that use ECDSA.
-	tls11SignatureSchemesNumECDSA = 3
-	// tls11SignatureSchemesNumRSA is the number of trailing elements of
-	// tls11SignatureSchemes that use RSA.
-	tls11SignatureSchemesNumRSA = 4
-)
-
-func (hs *clientHandshakeState) getCertificate(certReq *certificateRequestMsg) (*Certificate, error) {
-	c := hs.c
-
-	var rsaAvail, ecdsaAvail bool
-	for _, certType := range certReq.certificateTypes {
-		switch certType {
-		case certTypeRSASign:
-			rsaAvail = true
-		case certTypeECDSASign:
-			ecdsaAvail = true
-		}
-	}
-
-	if c.config.GetClientCertificate != nil {
-		var signatureSchemes []SignatureScheme
-
-		if !certReq.hasSignatureAndHash {
-			// Prior to TLS 1.2, the signature schemes were not
-			// included in the certificate request message. In this
-			// case we use a plausible list based on the acceptable
-			// certificate types.
-			signatureSchemes = tls11SignatureSchemes
-			if !ecdsaAvail {
-				signatureSchemes = signatureSchemes[tls11SignatureSchemesNumECDSA:]
-			}
-			if !rsaAvail {
-				signatureSchemes = signatureSchemes[:len(signatureSchemes)-tls11SignatureSchemesNumRSA]
-			}
-		} else {
-			signatureSchemes = make([]SignatureScheme, 0, len(certReq.signatureAndHashes))
-			for _, sah := range certReq.signatureAndHashes {
-				signatureSchemes = append(signatureSchemes, SignatureScheme(sah.hash)<<8+SignatureScheme(sah.signature))
-			}
-		}
-
-		return c.config.GetClientCertificate(&CertificateRequestInfo{
-			AcceptableCAs:    certReq.certificateAuthorities,
-			SignatureSchemes: signatureSchemes,
-		})
-	}
-
-	// RFC 4346 on the certificateAuthorities field: A list of the
-	// distinguished names of acceptable certificate authorities.
-	// These distinguished names may specify a desired
-	// distinguished name for a root CA or for a subordinate CA;
-	// thus, this message can be used to describe both known roots
-	// and a desired authorization space. If the
-	// certificate_authorities list is empty then the client MAY
-	// send any certificate of the appropriate
-	// ClientCertificateType, unless there is some external
-	// arrangement to the contrary.
-
-	// We need to search our list of client certs for one
-	// where SignatureAlgorithm is acceptable to the server and the
-	// Issuer is in certReq.certificateAuthorities
-findCert:
-	for i, chain := range c.config.Certificates {
-		if !rsaAvail && !ecdsaAvail {
-			continue
-		}
-
-		for j, cert := range chain.Certificate {
-			x509Cert := chain.Leaf
-			// parse the certificate if this isn't the leaf
-			// node, or if chain.Leaf was nil
-			if j != 0 || x509Cert == nil {
-				var err error
-				if x509Cert, err = x509.ParseCertificate(cert); err != nil {
-					c.sendAlert(alertInternalError)
-					return nil, errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())
-				}
-			}
-
-			switch {
-			case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:
-			case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:
-			default:
-				continue findCert
-			}
-
-			if len(certReq.certificateAuthorities) == 0 {
-				// they gave us an empty list, so just take the
-				// first cert from c.config.Certificates
-				return &chain, nil
-			}
-
-			for _, ca := range certReq.certificateAuthorities {
-				if bytes.Equal(x509Cert.RawIssuer, ca) {
-					return &chain, nil
-				}
-			}
-		}
-	}
-
-	// No acceptable certificate found. Don't send a certificate.
-	return new(Certificate), nil
-}
-
-// clientSessionCacheKey returns a key used to cache sessionTickets that could
-// be used to resume previously negotiated TLS sessions with a server.
-func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
-	if len(config.ServerName) > 0 {
-		return config.ServerName
-	}
-
-	// [Psiphon]
-	//
-	// In certain error conditions, serverAddr may be nil. In this case, since
-	// ServerName is blank, there is no valid session cache key. Calling code
-	// assumes clientSessionCacheKey always succeeds. To minimize changes to
-	// this tls fork, we return "" and no error.
-	//
-	// We assume the cache key won't be used for setting the cache, as the
-	// existing error condition in the conn should result in handshake
-	// failure. In the unlikely case of success and caching a session, the
-	// outcome could include future failure to renegotiate, although in the
-	// case of Psiphon, each connection has its own cache.
-	if serverAddr == nil {
-		return ""
-	}
-
-	return serverAddr.String()
-}
-
-// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol
-// given list of possible protocols and a list of the preference order. The
-// first list must not be empty. It returns the resulting protocol and flag
-// indicating if the fallback case was reached.
-func mutualProtocol(protos, preferenceProtos []string) (string, bool) {
-	for _, s := range preferenceProtos {
-		for _, c := range protos {
-			if s == c {
-				return s, false
-			}
-		}
-	}
-
-	return protos[0], true
-}
-
-// hostnameInSNI converts name into an approriate hostname for SNI.
-// Literal IP addresses and absolute FQDNs are not permitted as SNI values.
-// See https://tools.ietf.org/html/rfc6066#section-3.
-func hostnameInSNI(name string) string {
-	host := name
-	if len(host) > 0 && host[0] == '[' && host[len(host)-1] == ']' {
-		host = host[1 : len(host)-1]
-	}
-	if i := strings.LastIndex(host, "%"); i > 0 {
-		host = host[:i]
-	}
-	if net.ParseIP(host) != nil {
-		return ""
-	}
-	for len(name) > 0 && name[len(name)-1] == '.' {
-		name = name[:len(name)-1]
-	}
-	return name
-}

vendor/github.com/Psiphon-Labs/utls/handshake_messages.go

@@ -1,1591 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tls
-
-import (
-	"bytes"
-	"strings"
-
-	// [Psiphon]
-	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/prng"
-)
-
-type clientHelloMsg struct {
-	raw                          []byte
-	vers                         uint16
-	random                       []byte
-	sessionId                    []byte
-	cipherSuites                 []uint16
-	compressionMethods           []uint8
-	nextProtoNeg                 bool
-	serverName                   string
-	ocspStapling                 bool
-	scts                         bool
-	ems                          bool
-	supportedCurves              []CurveID
-	supportedPoints              []uint8
-	ticketSupported              bool
-	sessionTicket                []uint8
-	signatureAndHashes           []signatureAndHash
-	secureRenegotiation          []byte
-	secureRenegotiationSupported bool
-	alpnProtocols                []string
-}
-
-func (m *clientHelloMsg) equal(i interface{}) bool {
-	m1, ok := i.(*clientHelloMsg)
-	if !ok {
-		return false
-	}
-
-	return bytes.Equal(m.raw, m1.raw) &&
-		m.vers == m1.vers &&
-		bytes.Equal(m.random, m1.random) &&
-		bytes.Equal(m.sessionId, m1.sessionId) &&
-		eqUint16s(m.cipherSuites, m1.cipherSuites) &&
-		bytes.Equal(m.compressionMethods, m1.compressionMethods) &&
-		m.nextProtoNeg == m1.nextProtoNeg &&
-		m.serverName == m1.serverName &&
-		m.ocspStapling == m1.ocspStapling &&
-		m.scts == m1.scts &&
-		eqCurveIDs(m.supportedCurves, m1.supportedCurves) &&
-		bytes.Equal(m.supportedPoints, m1.supportedPoints) &&
-		m.ticketSupported == m1.ticketSupported &&
-		bytes.Equal(m.sessionTicket, m1.sessionTicket) &&
-		eqSignatureAndHashes(m.signatureAndHashes, m1.signatureAndHashes) &&
-		m.secureRenegotiationSupported == m1.secureRenegotiationSupported &&
-		bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) &&
-		eqStrings(m.alpnProtocols, m1.alpnProtocols)
-}
-
-func (m *clientHelloMsg) marshal() []byte {
-	if m.raw != nil {
-		return m.raw
-	}
-
-	length := 2 + 32 + 1 + len(m.sessionId) + 2 + len(m.cipherSuites)*2 + 1 + len(m.compressionMethods)
-	numExtensions := 0
-	extensionsLength := 0
-	if m.nextProtoNeg {
-		numExtensions++
-	}
-	if m.ocspStapling {
-		extensionsLength += 1 + 2 + 2
-		numExtensions++
-	}
-	if len(m.serverName) > 0 {
-		extensionsLength += 5 + len(m.serverName)
-		numExtensions++
-	}
-	if len(m.supportedCurves) > 0 {
-		extensionsLength += 2 + 2*len(m.supportedCurves)
-		numExtensions++
-	}
-	if len(m.supportedPoints) > 0 {
-		extensionsLength += 1 + len(m.supportedPoints)
-		numExtensions++
-	}
-	if m.ticketSupported {
-		extensionsLength += len(m.sessionTicket)
-		numExtensions++
-	}
-	if len(m.signatureAndHashes) > 0 {
-		extensionsLength += 2 + 2*len(m.signatureAndHashes)
-		numExtensions++
-	}
-	if m.secureRenegotiationSupported {
-		extensionsLength += 1 + len(m.secureRenegotiation)
-		numExtensions++
-	}
-	if len(m.alpnProtocols) > 0 {
-		extensionsLength += 2
-		for _, s := range m.alpnProtocols {
-			if l := len(s); l == 0 || l > 255 {
-				panic("invalid ALPN protocol")
-			}
-			extensionsLength++
-			extensionsLength += len(s)
-		}
-		numExtensions++
-	}
-	if m.scts {
-		numExtensions++
-	}
-	if numExtensions > 0 {
-		extensionsLength += 4 * numExtensions
-		length += 2 + extensionsLength
-	}
-
-	x := make([]byte, 4+length)
-	x[0] = typeClientHello
-	x[1] = uint8(length >> 16)
-	x[2] = uint8(length >> 8)
-	x[3] = uint8(length)
-	x[4] = uint8(m.vers >> 8)
-	x[5] = uint8(m.vers)
-	copy(x[6:38], m.random)
-	x[38] = uint8(len(m.sessionId))
-	copy(x[39:39+len(m.sessionId)], m.sessionId)
-	y := x[39+len(m.sessionId):]
-	y[0] = uint8(len(m.cipherSuites) >> 7)
-	y[1] = uint8(len(m.cipherSuites) << 1)
-	for i, suite := range m.cipherSuites {
-		y[2+i*2] = uint8(suite >> 8)
-		y[3+i*2] = uint8(suite)
-	}
-	z := y[2+len(m.cipherSuites)*2:]
-	z[0] = uint8(len(m.compressionMethods))
-	copy(z[1:], m.compressionMethods)
-
-	z = z[1+len(m.compressionMethods):]
-	if numExtensions > 0 {
-		z[0] = byte(extensionsLength >> 8)
-		z[1] = byte(extensionsLength)
-		z = z[2:]
-	}
-	if m.nextProtoNeg {
-		z[0] = byte(extensionNextProtoNeg >> 8)
-		z[1] = byte(extensionNextProtoNeg & 0xff)
-		// The length is always 0
-		z = z[4:]
-	}
-	if len(m.serverName) > 0 {
-		z[0] = byte(extensionServerName >> 8)
-		z[1] = byte(extensionServerName & 0xff)
-		l := len(m.serverName) + 5
-		z[2] = byte(l >> 8)
-		z[3] = byte(l)
-		z = z[4:]
-
-		// RFC 3546, section 3.1
-		//
-		// struct {
-		//     NameType name_type;
-		//     select (name_type) {
-		//         case host_name: HostName;
-		//     } name;
-		// } ServerName;
-		//
-		// enum {
-		//     host_name(0), (255)
-		// } NameType;
-		//
-		// opaque HostName<1..2^16-1>;
-		//
-		// struct {
-		//     ServerName server_name_list<1..2^16-1>
-		// } ServerNameList;
-
-		z[0] = byte((len(m.serverName) + 3) >> 8)
-		z[1] = byte(len(m.serverName) + 3)
-		z[3] = byte(len(m.serverName) >> 8)
-		z[4] = byte(len(m.serverName))
-		copy(z[5:], []byte(m.serverName))
-		z = z[l:]
-	}
-	if m.ocspStapling {
-		// RFC 4366, section 3.6
-		z[0] = byte(extensionStatusRequest >> 8)
-		z[1] = byte(extensionStatusRequest)
-		z[2] = 0
-		z[3] = 5
-		z[4] = 1 // OCSP type
-		// Two zero valued uint16s for the two lengths.
-		z = z[9:]
-	}
-	if len(m.supportedCurves) > 0 {
-		// http://tools.ietf.org/html/rfc4492#section-5.5.1
-		z[0] = byte(extensionSupportedCurves >> 8)
-		z[1] = byte(extensionSupportedCurves)
-		l := 2 + 2*len(m.supportedCurves)
-		z[2] = byte(l >> 8)
-		z[3] = byte(l)
-		l -= 2
-		z[4] = byte(l >> 8)
-		z[5] = byte(l)
-		z = z[6:]
-		for _, curve := range m.supportedCurves {
-			z[0] = byte(curve >> 8)
-			z[1] = byte(curve)
-			z = z[2:]
-		}
-	}
-	if len(m.supportedPoints) > 0 {
-		// http://tools.ietf.org/html/rfc4492#section-5.5.2
-		z[0] = byte(extensionSupportedPoints >> 8)
-		z[1] = byte(extensionSupportedPoints)
-		l := 1 + len(m.supportedPoints)
-		z[2] = byte(l >> 8)
-		z[3] = byte(l)
-		l--
-		z[4] = byte(l)
-		z = z[5:]
-		for _, pointFormat := range m.supportedPoints {
-			z[0] = pointFormat
-			z = z[1:]
-		}
-	}
-	if m.ticketSupported {
-		// http://tools.ietf.org/html/rfc5077#section-3.2
-		z[0] = byte(extensionSessionTicket >> 8)
-		z[1] = byte(extensionSessionTicket)
-		l := len(m.sessionTicket)
-		z[2] = byte(l >> 8)
-		z[3] = byte(l)
-		z = z[4:]
-		copy(z, m.sessionTicket)
-		z = z[len(m.sessionTicket):]
-	}
-	if len(m.signatureAndHashes) > 0 {
-		// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
-		z[0] = byte(extensionSignatureAlgorithms >> 8)
-		z[1] = byte(extensionSignatureAlgorithms)
-		l := 2 + 2*len(m.signatureAndHashes)
-		z[2] = byte(l >> 8)
-		z[3] = byte(l)
-		z = z[4:]
-
-		l -= 2
-		z[0] = byte(l >> 8)
-		z[1] = byte(l)
-		z = z[2:]
-		for _, sigAndHash := range m.signatureAndHashes {
-			z[0] = sigAndHash.hash
-			z[1] = sigAndHash.signature
-			z = z[2:]
-		}
-	}
-	if m.secureRenegotiationSupported {
-		z[0] = byte(extensionRenegotiationInfo >> 8)
-		z[1] = byte(extensionRenegotiationInfo & 0xff)
-		z[2] = 0
-		z[3] = byte(len(m.secureRenegotiation) + 1)
-		z[4] = byte(len(m.secureRenegotiation))
-		z = z[5:]
-		copy(z, m.secureRenegotiation)
-		z = z[len(m.secureRenegotiation):]
-	}
-	if len(m.alpnProtocols) > 0 {
-		z[0] = byte(extensionALPN >> 8)
-		z[1] = byte(extensionALPN & 0xff)
-		lengths := z[2:]
-		z = z[6:]
-
-		stringsLength := 0
-		for _, s := range m.alpnProtocols {
-			l := len(s)
-			z[0] = byte(l)
-			copy(z[1:], s)
-			z = z[1+l:]
-			stringsLength += 1 + l
-		}
-
-		lengths[2] = byte(stringsLength >> 8)
-		lengths[3] = byte(stringsLength)
-		stringsLength += 2
-		lengths[0] = byte(stringsLength >> 8)
-		lengths[1] = byte(stringsLength)
-	}
-	if m.scts {
-		// https://tools.ietf.org/html/rfc6962#section-3.3.1
-		z[0] = byte(extensionSCT >> 8)
-		z[1] = byte(extensionSCT)
-		// zero uint16 for the zero-length extension_data
-		z = z[4:]
-	}
-
-	m.raw = x
-
-	return x
-}
-
-func (m *clientHelloMsg) unmarshal(data []byte) bool {
-	if len(data) < 42 {
-		return false
-	}
-	m.raw = data
-	m.vers = uint16(data[4])<<8 | uint16(data[5])
-	m.random = data[6:38]
-	sessionIdLen := int(data[38])
-	if sessionIdLen > 32 || len(data) < 39+sessionIdLen {
-		return false
-	}
-	m.sessionId = data[39 : 39+sessionIdLen]
-	data = data[39+sessionIdLen:]
-	if len(data) < 2 {
-		return false
-	}
-	// cipherSuiteLen is the number of bytes of cipher suite numbers. Since
-	// they are uint16s, the number must be even.
-	cipherSuiteLen := int(data[0])<<8 | int(data[1])
-	if cipherSuiteLen%2 == 1 || len(data) < 2+cipherSuiteLen {
-		return false
-	}
-	numCipherSuites := cipherSuiteLen / 2
-	m.cipherSuites = make([]uint16, numCipherSuites)
-	for i := 0; i < numCipherSuites; i++ {
-		m.cipherSuites[i] = uint16(data[2+2*i])<<8 | uint16(data[3+2*i])
-		if m.cipherSuites[i] == scsvRenegotiation {
-			m.secureRenegotiationSupported = true
-		}
-	}
-	data = data[2+cipherSuiteLen:]
-	if len(data) < 1 {
-		return false
-	}
-	compressionMethodsLen := int(data[0])
-	if len(data) < 1+compressionMethodsLen {
-		return false
-	}
-	m.compressionMethods = data[1 : 1+compressionMethodsLen]
-
-	data = data[1+compressionMethodsLen:]
-
-	m.nextProtoNeg = false
-	m.serverName = ""
-	m.ocspStapling = false
-	m.ticketSupported = false
-	m.sessionTicket = nil
-	m.signatureAndHashes = nil
-	m.alpnProtocols = nil
-	m.scts = false
-
-	if len(data) == 0 {
-		// ClientHello is optionally followed by extension data
-		return true
-	}
-	if len(data) < 2 {
-		return false
-	}
-
-	extensionsLength := int(data[0])<<8 | int(data[1])
-	data = data[2:]
-	if extensionsLength != len(data) {
-		return false
-	}
-
-	for len(data) != 0 {
-		if len(data) < 4 {
-			return false
-		}
-		extension := uint16(data[0])<<8 | uint16(data[1])
-		length := int(data[2])<<8 | int(data[3])
-		data = data[4:]
-		if len(data) < length {
-			return false
-		}
-
-		switch extension {
-		case extensionServerName:
-			d := data[:length]
-			if len(d) < 2 {
-				return false
-			}
-			namesLen := int(d[0])<<8 | int(d[1])
-			d = d[2:]
-			if len(d) != namesLen {
-				return false
-			}
-			for len(d) > 0 {
-				if len(d) < 3 {
-					return false
-				}
-				nameType := d[0]
-				nameLen := int(d[1])<<8 | int(d[2])
-				d = d[3:]
-				if len(d) < nameLen {
-					return false
-				}
-				if nameType == 0 {
-					m.serverName = string(d[:nameLen])
-					// An SNI value may not include a
-					// trailing dot. See
-					// https://tools.ietf.org/html/rfc6066#section-3.
-					if strings.HasSuffix(m.serverName, ".") {
-						return false
-					}
-					break
-				}
-				d = d[nameLen:]
-			}
-		case extensionNextProtoNeg:
-			if length > 0 {
-				return false
-			}
-			m.nextProtoNeg = true
-		case extensionStatusRequest:
-			m.ocspStapling = length > 0 && data[0] == statusTypeOCSP
-		case extensionSupportedCurves:
-			// http://tools.ietf.org/html/rfc4492#section-5.5.1
-			if length < 2 {
-				return false
-			}
-			l := int(data[0])<<8 | int(data[1])
-			if l%2 == 1 || length != l+2 {
-				return false
-			}
-			numCurves := l / 2
-			m.supportedCurves = make([]CurveID, numCurves)
-			d := data[2:]
-			for i := 0; i < numCurves; i++ {
-				m.supportedCurves[i] = CurveID(d[0])<<8 | CurveID(d[1])
-				d = d[2:]
-			}
-		case extensionSupportedPoints:
-			// http://tools.ietf.org/html/rfc4492#section-5.5.2
-			if length < 1 {
-				return false
-			}
-			l := int(data[0])
-			if length != l+1 {
-				return false
-			}
-			m.supportedPoints = make([]uint8, l)
-			copy(m.supportedPoints, data[1:])
-		case extensionSessionTicket:
-			// http://tools.ietf.org/html/rfc5077#section-3.2
-			m.ticketSupported = true
-			m.sessionTicket = data[:length]
-		case extensionSignatureAlgorithms:
-			// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
-			if length < 2 || length&1 != 0 {
-				return false
-			}
-			l := int(data[0])<<8 | int(data[1])
-			if l != length-2 {
-				return false
-			}
-			n := l / 2
-			d := data[2:]
-			m.signatureAndHashes = make([]signatureAndHash, n)
-			for i := range m.signatureAndHashes {
-				m.signatureAndHashes[i].hash = d[0]
-				m.signatureAndHashes[i].signature = d[1]
-				d = d[2:]
-			}
-		case extensionRenegotiationInfo:
-			if length == 0 {
-				return false
-			}
-			d := data[:length]
-			l := int(d[0])
-			d = d[1:]
-			if l != len(d) {
-				return false
-			}
-
-			m.secureRenegotiation = d
-			m.secureRenegotiationSupported = true
-		case extensionALPN:
-			if length < 2 {
-				return false
-			}
-			l := int(data[0])<<8 | int(data[1])
-			if l != length-2 {
-				return false
-			}
-			d := data[2:length]
-			for len(d) != 0 {
-				stringLen := int(d[0])
-				d = d[1:]
-				if stringLen == 0 || stringLen > len(d) {
-					return false
-				}
-				m.alpnProtocols = append(m.alpnProtocols, string(d[:stringLen]))
-				d = d[stringLen:]
-			}
-		case extensionSCT:
-			m.scts = true
-			if length != 0 {
-				return false
-			}
-		}
-		data = data[length:]
-	}
-
-	return true
-}
-
-type serverHelloMsg struct {
-	raw                          []byte
-	vers                         uint16
-	random                       []byte
-	sessionId                    []byte
-	cipherSuite                  uint16
-	compressionMethod            uint8
-	nextProtoNeg                 bool
-	nextProtos                   []string
-	ocspStapling                 bool
-	scts                         [][]byte
-	ems                          bool
-	ticketSupported              bool
-	secureRenegotiation          []byte
-	secureRenegotiationSupported bool
-	alpnProtocol                 string
-}
-
-func (m *serverHelloMsg) equal(i interface{}) bool {
-	m1, ok := i.(*serverHelloMsg)
-	if !ok {
-		return false
-	}
-
-	if len(m.scts) != len(m1.scts) {
-		return false
-	}
-	for i, sct := range m.scts {
-		if !bytes.Equal(sct, m1.scts[i]) {
-			return false
-		}
-	}
-
-	return bytes.Equal(m.raw, m1.raw) &&
-		m.vers == m1.vers &&
-		bytes.Equal(m.random, m1.random) &&
-		bytes.Equal(m.sessionId, m1.sessionId) &&
-		m.cipherSuite == m1.cipherSuite &&
-		m.compressionMethod == m1.compressionMethod &&
-		m.nextProtoNeg == m1.nextProtoNeg &&
-		eqStrings(m.nextProtos, m1.nextProtos) &&
-		m.ocspStapling == m1.ocspStapling &&
-		m.ems == m1.ems &&
-		m.ticketSupported == m1.ticketSupported &&
-		m.secureRenegotiationSupported == m1.secureRenegotiationSupported &&
-		bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) &&
-		m.alpnProtocol == m1.alpnProtocol
-}
-
-func (m *serverHelloMsg) marshal() []byte {
-	if m.raw != nil {
-		return m.raw
-	}
-
-	length := 38 + len(m.sessionId)
-	numExtensions := 0
-	extensionsLength := 0
-
-	nextProtoLen := 0
-	if m.nextProtoNeg {
-		numExtensions++
-		for _, v := range m.nextProtos {
-			nextProtoLen += len(v)
-		}
-		nextProtoLen += len(m.nextProtos)
-		extensionsLength += nextProtoLen
-	}
-	if m.ocspStapling {
-		numExtensions++
-	}
-	if m.ticketSupported {
-		numExtensions++
-	}
-	if m.secureRenegotiationSupported {
-		extensionsLength += 1 + len(m.secureRenegotiation)
-		numExtensions++
-	}
-	if alpnLen := len(m.alpnProtocol); alpnLen > 0 {
-		if alpnLen >= 256 {
-			panic("invalid ALPN protocol")
-		}
-		extensionsLength += 2 + 1 + alpnLen
-		numExtensions++
-	}
-	sctLen := 0
-	if len(m.scts) > 0 {
-		for _, sct := range m.scts {
-			sctLen += len(sct) + 2
-		}
-		extensionsLength += 2 + sctLen
-		numExtensions++
-	}
-
-	if numExtensions > 0 {
-		extensionsLength += 4 * numExtensions
-		length += 2 + extensionsLength
-	}
-
-	x := make([]byte, 4+length)
-	x[0] = typeServerHello
-	x[1] = uint8(length >> 16)
-	x[2] = uint8(length >> 8)
-	x[3] = uint8(length)
-	x[4] = uint8(m.vers >> 8)
-	x[5] = uint8(m.vers)
-	copy(x[6:38], m.random)
-	x[38] = uint8(len(m.sessionId))
-	copy(x[39:39+len(m.sessionId)], m.sessionId)
-	z := x[39+len(m.sessionId):]
-	z[0] = uint8(m.cipherSuite >> 8)
-	z[1] = uint8(m.cipherSuite)
-	z[2] = m.compressionMethod
-
-	z = z[3:]
-	if numExtensions > 0 {
-		z[0] = byte(extensionsLength >> 8)
-		z[1] = byte(extensionsLength)
-		z = z[2:]
-	}
-	if m.nextProtoNeg {
-		z[0] = byte(extensionNextProtoNeg >> 8)
-		z[1] = byte(extensionNextProtoNeg & 0xff)
-		z[2] = byte(nextProtoLen >> 8)
-		z[3] = byte(nextProtoLen)
-		z = z[4:]
-
-		for _, v := range m.nextProtos {
-			l := len(v)
-			if l > 255 {
-				l = 255
-			}
-			z[0] = byte(l)
-			copy(z[1:], []byte(v[0:l]))
-			z = z[1+l:]
-		}
-	}
-	if m.ocspStapling {
-		z[0] = byte(extensionStatusRequest >> 8)
-		z[1] = byte(extensionStatusRequest)
-		z = z[4:]
-	}
-	if m.ticketSupported {
-		z[0] = byte(extensionSessionTicket >> 8)
-		z[1] = byte(extensionSessionTicket)
-		z = z[4:]
-	}
-	if m.secureRenegotiationSupported {
-		z[0] = byte(extensionRenegotiationInfo >> 8)
-		z[1] = byte(extensionRenegotiationInfo & 0xff)
-		z[2] = 0
-		z[3] = byte(len(m.secureRenegotiation) + 1)
-		z[4] = byte(len(m.secureRenegotiation))
-		z = z[5:]
-		copy(z, m.secureRenegotiation)
-		z = z[len(m.secureRenegotiation):]
-	}
-	if alpnLen := len(m.alpnProtocol); alpnLen > 0 {
-		z[0] = byte(extensionALPN >> 8)
-		z[1] = byte(extensionALPN & 0xff)
-		l := 2 + 1 + alpnLen
-		z[2] = byte(l >> 8)
-		z[3] = byte(l)
-		l -= 2
-		z[4] = byte(l >> 8)
-		z[5] = byte(l)
-		l -= 1
-		z[6] = byte(l)
-		copy(z[7:], []byte(m.alpnProtocol))
-		z = z[7+alpnLen:]
-	}
-	if sctLen > 0 {
-		z[0] = byte(extensionSCT >> 8)
-		z[1] = byte(extensionSCT)
-		l := sctLen + 2
-		z[2] = byte(l >> 8)
-		z[3] = byte(l)
-		z[4] = byte(sctLen >> 8)
-		z[5] = byte(sctLen)
-
-		z = z[6:]
-		for _, sct := range m.scts {
-			z[0] = byte(len(sct) >> 8)
-			z[1] = byte(len(sct))
-			copy(z[2:], sct)
-			z = z[len(sct)+2:]
-		}
-	}
-
-	m.raw = x
-
-	return x
-}
-
-func (m *serverHelloMsg) unmarshal(data []byte) bool {
-	if len(data) < 42 {
-		return false
-	}
-	m.raw = data
-	m.vers = uint16(data[4])<<8 | uint16(data[5])
-	m.random = data[6:38]
-	sessionIdLen := int(data[38])
-	if sessionIdLen > 32 || len(data) < 39+sessionIdLen {
-		return false
-	}
-	m.sessionId = data[39 : 39+sessionIdLen]
-	data = data[39+sessionIdLen:]
-	if len(data) < 3 {
-		return false
-	}
-	m.cipherSuite = uint16(data[0])<<8 | uint16(data[1])
-	m.compressionMethod = data[2]
-	data = data[3:]
-
-	m.nextProtoNeg = false
-	m.nextProtos = nil
-	m.ocspStapling = false
-	m.scts = nil
-	m.ticketSupported = false
-	m.alpnProtocol = ""
-
-	if len(data) == 0 {
-		// ServerHello is optionally followed by extension data
-		return true
-	}
-	if len(data) < 2 {
-		return false
-	}
-
-	extensionsLength := int(data[0])<<8 | int(data[1])
-	data = data[2:]
-	if len(data) != extensionsLength {
-		return false
-	}
-
-	for len(data) != 0 {
-		if len(data) < 4 {
-			return false
-		}
-		extension := uint16(data[0])<<8 | uint16(data[1])
-		length := int(data[2])<<8 | int(data[3])
-		data = data[4:]
-		if len(data) < length {
-			return false
-		}
-
-		switch extension {
-		case extensionNextProtoNeg:
-			m.nextProtoNeg = true
-			d := data[:length]
-			for len(d) > 0 {
-				l := int(d[0])
-				d = d[1:]
-				if l == 0 || l > len(d) {
-					return false
-				}
-				m.nextProtos = append(m.nextProtos, string(d[:l]))
-				d = d[l:]
-			}
-		case extensionStatusRequest:
-			if length > 0 {
-				return false
-			}
-			m.ocspStapling = true
-		case extensionSessionTicket:
-			if length > 0 {
-				return false
-			}
-			m.ticketSupported = true
-		case utlsExtensionExtendedMasterSecret:
-			// No sanity check for this extension: pretending not to know it.
-			// if length > 0 {
-			// 	return false
-			// }
-			m.ems = true
-		case extensionRenegotiationInfo:
-			if length == 0 {
-				return false
-			}
-			d := data[:length]
-			l := int(d[0])
-			d = d[1:]
-			if l != len(d) {
-				return false
-			}
-
-			m.secureRenegotiation = d
-			m.secureRenegotiationSupported = true
-		case extensionALPN:
-			d := data[:length]
-			if len(d) < 3 {
-				return false
-			}
-			l := int(d[0])<<8 | int(d[1])
-			if l != len(d)-2 {
-				return false
-			}
-			d = d[2:]
-			l = int(d[0])
-			if l != len(d)-1 {
-				return false
-			}
-			d = d[1:]
-			if len(d) == 0 {
-				// ALPN protocols must not be empty.
-				return false
-			}
-			m.alpnProtocol = string(d)
-		case extensionSCT:
-			d := data[:length]
-
-			if len(d) < 2 {
-				return false
-			}
-			l := int(d[0])<<8 | int(d[1])
-			d = d[2:]
-			if len(d) != l || l == 0 {
-				return false
-			}
-
-			m.scts = make([][]byte, 0, 3)
-			for len(d) != 0 {
-				if len(d) < 2 {
-					return false
-				}
-				sctLen := int(d[0])<<8 | int(d[1])
-				d = d[2:]
-				if sctLen == 0 || len(d) < sctLen {
-					return false
-				}
-				m.scts = append(m.scts, d[:sctLen])
-				d = d[sctLen:]
-			}
-		}
-		data = data[length:]
-	}
-
-	return true
-}
-
-type certificateMsg struct {
-	raw          []byte
-	certificates [][]byte
-}
-
-func (m *certificateMsg) equal(i interface{}) bool {
-	m1, ok := i.(*certificateMsg)
-	if !ok {
-		return false
-	}
-
-	return bytes.Equal(m.raw, m1.raw) &&
-		eqByteSlices(m.certificates, m1.certificates)
-}
-
-func (m *certificateMsg) marshal() (x []byte) {
-	if m.raw != nil {
-		return m.raw
-	}
-
-	var i int
-	for _, slice := range m.certificates {
-		i += len(slice)
-	}
-
-	length := 3 + 3*len(m.certificates) + i
-	x = make([]byte, 4+length)
-	x[0] = typeCertificate
-	x[1] = uint8(length >> 16)
-	x[2] = uint8(length >> 8)
-	x[3] = uint8(length)
-
-	certificateOctets := length - 3
-	x[4] = uint8(certificateOctets >> 16)
-	x[5] = uint8(certificateOctets >> 8)
-	x[6] = uint8(certificateOctets)
-
-	y := x[7:]
-	for _, slice := range m.certificates {
-		y[0] = uint8(len(slice) >> 16)
-		y[1] = uint8(len(slice) >> 8)
-		y[2] = uint8(len(slice))
-		copy(y[3:], slice)
-		y = y[3+len(slice):]
-	}
-
-	m.raw = x
-	return
-}
-
-func (m *certificateMsg) unmarshal(data []byte) bool {
-	if len(data) < 7 {
-		return false
-	}
-
-	m.raw = data
-	certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6])
-	if uint32(len(data)) != certsLen+7 {
-		return false
-	}
-
-	numCerts := 0
-	d := data[7:]
-	for certsLen > 0 {
-		if len(d) < 4 {
-			return false
-		}
-		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
-		if uint32(len(d)) < 3+certLen {
-			return false
-		}
-		d = d[3+certLen:]
-		certsLen -= 3 + certLen
-		numCerts++
-	}
-
-	m.certificates = make([][]byte, numCerts)
-	d = data[7:]
-	for i := 0; i < numCerts; i++ {
-		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
-		m.certificates[i] = d[3 : 3+certLen]
-		d = d[3+certLen:]
-	}
-
-	return true
-}
-
-type serverKeyExchangeMsg struct {
-	raw []byte
-	key []byte
-}
-
-func (m *serverKeyExchangeMsg) equal(i interface{}) bool {
-	m1, ok := i.(*serverKeyExchangeMsg)
-	if !ok {
-		return false
-	}
-
-	return bytes.Equal(m.raw, m1.raw) &&
-		bytes.Equal(m.key, m1.key)
-}
-
-func (m *serverKeyExchangeMsg) marshal() []byte {
-	if m.raw != nil {
-		return m.raw
-	}
-	length := len(m.key)
-	x := make([]byte, length+4)
-	x[0] = typeServerKeyExchange
-	x[1] = uint8(length >> 16)
-	x[2] = uint8(length >> 8)
-	x[3] = uint8(length)
-	copy(x[4:], m.key)
-
-	m.raw = x
-	return x
-}
-
-func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
-	m.raw = data
-	if len(data) < 4 {
-		return false
-	}
-	m.key = data[4:]
-	return true
-}
-
-type certificateStatusMsg struct {
-	raw        []byte
-	statusType uint8
-	response   []byte
-}
-
-func (m *certificateStatusMsg) equal(i interface{}) bool {
-	m1, ok := i.(*certificateStatusMsg)
-	if !ok {
-		return false
-	}
-
-	return bytes.Equal(m.raw, m1.raw) &&
-		m.statusType == m1.statusType &&
-		bytes.Equal(m.response, m1.response)
-}
-
-func (m *certificateStatusMsg) marshal() []byte {
-	if m.raw != nil {
-		return m.raw
-	}
-
-	var x []byte
-	if m.statusType == statusTypeOCSP {
-		x = make([]byte, 4+4+len(m.response))
-		x[0] = typeCertificateStatus
-		l := len(m.response) + 4
-		x[1] = byte(l >> 16)
-		x[2] = byte(l >> 8)
-		x[3] = byte(l)
-		x[4] = statusTypeOCSP
-
-		l -= 4
-		x[5] = byte(l >> 16)
-		x[6] = byte(l >> 8)
-		x[7] = byte(l)
-		copy(x[8:], m.response)
-	} else {
-		x = []byte{typeCertificateStatus, 0, 0, 1, m.statusType}
-	}
-
-	m.raw = x
-	return x
-}
-
-func (m *certificateStatusMsg) unmarshal(data []byte) bool {
-	m.raw = data
-	if len(data) < 5 {
-		return false
-	}
-	m.statusType = data[4]
-
-	m.response = nil
-	if m.statusType == statusTypeOCSP {
-		if len(data) < 8 {
-			return false
-		}
-		respLen := uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7])
-		if uint32(len(data)) != 4+4+respLen {
-			return false
-		}
-		m.response = data[8:]
-	}
-	return true
-}
-
-type serverHelloDoneMsg struct{}
-
-func (m *serverHelloDoneMsg) equal(i interface{}) bool {
-	_, ok := i.(*serverHelloDoneMsg)
-	return ok
-}
-
-func (m *serverHelloDoneMsg) marshal() []byte {
-	x := make([]byte, 4)
-	x[0] = typeServerHelloDone
-	return x
-}
-
-func (m *serverHelloDoneMsg) unmarshal(data []byte) bool {
-	return len(data) == 4
-}
-
-type clientKeyExchangeMsg struct {
-	raw        []byte
-	ciphertext []byte
-}
-
-func (m *clientKeyExchangeMsg) equal(i interface{}) bool {
-	m1, ok := i.(*clientKeyExchangeMsg)
-	if !ok {
-		return false
-	}
-
-	return bytes.Equal(m.raw, m1.raw) &&
-		bytes.Equal(m.ciphertext, m1.ciphertext)
-}
-
-func (m *clientKeyExchangeMsg) marshal() []byte {
-	if m.raw != nil {
-		return m.raw
-	}
-	length := len(m.ciphertext)
-	x := make([]byte, length+4)
-	x[0] = typeClientKeyExchange
-	x[1] = uint8(length >> 16)
-	x[2] = uint8(length >> 8)
-	x[3] = uint8(length)
-	copy(x[4:], m.ciphertext)
-
-	m.raw = x
-	return x
-}
-
-func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
-	m.raw = data
-	if len(data) < 4 {
-		return false
-	}
-	l := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
-	if l != len(data)-4 {
-		return false
-	}
-	m.ciphertext = data[4:]
-	return true
-}
-
-type finishedMsg struct {
-	raw        []byte
-	verifyData []byte
-}
-
-func (m *finishedMsg) equal(i interface{}) bool {
-	m1, ok := i.(*finishedMsg)
-	if !ok {
-		return false
-	}
-
-	return bytes.Equal(m.raw, m1.raw) &&
-		bytes.Equal(m.verifyData, m1.verifyData)
-}
-
-func (m *finishedMsg) marshal() (x []byte) {
-	if m.raw != nil {
-		return m.raw
-	}
-
-	x = make([]byte, 4+len(m.verifyData))
-	x[0] = typeFinished
-	x[3] = byte(len(m.verifyData))
-	copy(x[4:], m.verifyData)
-	m.raw = x
-	return
-}
-
-func (m *finishedMsg) unmarshal(data []byte) bool {
-	m.raw = data
-	if len(data) < 4 {
-		return false
-	}
-	m.verifyData = data[4:]
-	return true
-}
-
-type nextProtoMsg struct {
-	raw   []byte
-	proto string
-}
-
-func (m *nextProtoMsg) equal(i interface{}) bool {
-	m1, ok := i.(*nextProtoMsg)
-	if !ok {
-		return false
-	}
-
-	return bytes.Equal(m.raw, m1.raw) &&
-		m.proto == m1.proto
-}
-
-func (m *nextProtoMsg) marshal() []byte {
-	if m.raw != nil {
-		return m.raw
-	}
-	l := len(m.proto)
-	if l > 255 {
-		l = 255
-	}
-
-	padding := 32 - (l+2)%32
-	length := l + padding + 2
-	x := make([]byte, length+4)
-	x[0] = typeNextProtocol
-	x[1] = uint8(length >> 16)
-	x[2] = uint8(length >> 8)
-	x[3] = uint8(length)
-
-	y := x[4:]
-	y[0] = byte(l)
-	copy(y[1:], []byte(m.proto[0:l]))
-	y = y[1+l:]
-	y[0] = byte(padding)
-
-	m.raw = x
-
-	return x
-}
-
-func (m *nextProtoMsg) unmarshal(data []byte) bool {
-	m.raw = data
-
-	if len(data) < 5 {
-		return false
-	}
-	data = data[4:]
-	protoLen := int(data[0])
-	data = data[1:]
-	if len(data) < protoLen {
-		return false
-	}
-	m.proto = string(data[0:protoLen])
-	data = data[protoLen:]
-
-	if len(data) < 1 {
-		return false
-	}
-	paddingLen := int(data[0])
-	data = data[1:]
-	if len(data) != paddingLen {
-		return false
-	}
-
-	return true
-}
-
-type certificateRequestMsg struct {
-	raw []byte
-	// hasSignatureAndHash indicates whether this message includes a list
-	// of signature and hash functions. This change was introduced with TLS
-	// 1.2.
-	hasSignatureAndHash bool
-
-	certificateTypes       []byte
-	signatureAndHashes     []signatureAndHash
-	certificateAuthorities [][]byte
-}
-
-func (m *certificateRequestMsg) equal(i interface{}) bool {
-	m1, ok := i.(*certificateRequestMsg)
-	if !ok {
-		return false
-	}
-
-	return bytes.Equal(m.raw, m1.raw) &&
-		bytes.Equal(m.certificateTypes, m1.certificateTypes) &&
-		eqByteSlices(m.certificateAuthorities, m1.certificateAuthorities) &&
-		eqSignatureAndHashes(m.signatureAndHashes, m1.signatureAndHashes)
-}
-
-func (m *certificateRequestMsg) marshal() (x []byte) {
-	if m.raw != nil {
-		return m.raw
-	}
-
-	// See http://tools.ietf.org/html/rfc4346#section-7.4.4
-	length := 1 + len(m.certificateTypes) + 2
-	casLength := 0
-	for _, ca := range m.certificateAuthorities {
-		casLength += 2 + len(ca)
-	}
-	length += casLength
-
-	if m.hasSignatureAndHash {
-		length += 2 + 2*len(m.signatureAndHashes)
-	}
-
-	x = make([]byte, 4+length)
-	x[0] = typeCertificateRequest
-	x[1] = uint8(length >> 16)
-	x[2] = uint8(length >> 8)
-	x[3] = uint8(length)
-
-	x[4] = uint8(len(m.certificateTypes))
-
-	copy(x[5:], m.certificateTypes)
-	y := x[5+len(m.certificateTypes):]
-
-	if m.hasSignatureAndHash {
-		n := len(m.signatureAndHashes) * 2
-		y[0] = uint8(n >> 8)
-		y[1] = uint8(n)
-		y = y[2:]
-		for _, sigAndHash := range m.signatureAndHashes {
-			y[0] = sigAndHash.hash
-			y[1] = sigAndHash.signature
-			y = y[2:]
-		}
-	}
-
-	y[0] = uint8(casLength >> 8)
-	y[1] = uint8(casLength)
-	y = y[2:]
-	for _, ca := range m.certificateAuthorities {
-		y[0] = uint8(len(ca) >> 8)
-		y[1] = uint8(len(ca))
-		y = y[2:]
-		copy(y, ca)
-		y = y[len(ca):]
-	}
-
-	m.raw = x
-	return
-}
-
-func (m *certificateRequestMsg) unmarshal(data []byte) bool {
-	m.raw = data
-
-	if len(data) < 5 {
-		return false
-	}
-
-	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
-	if uint32(len(data))-4 != length {
-		return false
-	}
-
-	numCertTypes := int(data[4])
-	data = data[5:]
-	if numCertTypes == 0 || len(data) <= numCertTypes {
-		return false
-	}
-
-	m.certificateTypes = make([]byte, numCertTypes)
-	if copy(m.certificateTypes, data) != numCertTypes {
-		return false
-	}
-
-	data = data[numCertTypes:]
-
-	if m.hasSignatureAndHash {
-		if len(data) < 2 {
-			return false
-		}
-		sigAndHashLen := uint16(data[0])<<8 | uint16(data[1])
-		data = data[2:]
-		if sigAndHashLen&1 != 0 {
-			return false
-		}
-		if len(data) < int(sigAndHashLen) {
-			return false
-		}
-		numSigAndHash := sigAndHashLen / 2
-		m.signatureAndHashes = make([]signatureAndHash, numSigAndHash)
-		for i := range m.signatureAndHashes {
-			m.signatureAndHashes[i].hash = data[0]
-			m.signatureAndHashes[i].signature = data[1]
-			data = data[2:]
-		}
-	}
-
-	if len(data) < 2 {
-		return false
-	}
-	casLength := uint16(data[0])<<8 | uint16(data[1])
-	data = data[2:]
-	if len(data) < int(casLength) {
-		return false
-	}
-	cas := make([]byte, casLength)
-	copy(cas, data)
-	data = data[casLength:]
-
-	m.certificateAuthorities = nil
-	for len(cas) > 0 {
-		if len(cas) < 2 {
-			return false
-		}
-		caLen := uint16(cas[0])<<8 | uint16(cas[1])
-		cas = cas[2:]
-
-		if len(cas) < int(caLen) {
-			return false
-		}
-
-		m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
-		cas = cas[caLen:]
-	}
-
-	return len(data) == 0
-}
-
-type certificateVerifyMsg struct {
-	raw                 []byte
-	hasSignatureAndHash bool
-	signatureAndHash    signatureAndHash
-	signature           []byte
-}
-
-func (m *certificateVerifyMsg) equal(i interface{}) bool {
-	m1, ok := i.(*certificateVerifyMsg)
-	if !ok {
-		return false
-	}
-
-	return bytes.Equal(m.raw, m1.raw) &&
-		m.hasSignatureAndHash == m1.hasSignatureAndHash &&
-		m.signatureAndHash.hash == m1.signatureAndHash.hash &&
-		m.signatureAndHash.signature == m1.signatureAndHash.signature &&
-		bytes.Equal(m.signature, m1.signature)
-}
-
-func (m *certificateVerifyMsg) marshal() (x []byte) {
-	if m.raw != nil {
-		return m.raw
-	}
-
-	// See http://tools.ietf.org/html/rfc4346#section-7.4.8
-	siglength := len(m.signature)
-	length := 2 + siglength
-	if m.hasSignatureAndHash {
-		length += 2
-	}
-	x = make([]byte, 4+length)
-	x[0] = typeCertificateVerify
-	x[1] = uint8(length >> 16)
-	x[2] = uint8(length >> 8)
-	x[3] = uint8(length)
-	y := x[4:]
-	if m.hasSignatureAndHash {
-		y[0] = m.signatureAndHash.hash
-		y[1] = m.signatureAndHash.signature
-		y = y[2:]
-	}
-	y[0] = uint8(siglength >> 8)
-	y[1] = uint8(siglength)
-	copy(y[2:], m.signature)
-
-	m.raw = x
-
-	return
-}
-
-func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
-	m.raw = data
-
-	if len(data) < 6 {
-		return false
-	}
-
-	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
-	if uint32(len(data))-4 != length {
-		return false
-	}
-
-	data = data[4:]
-	if m.hasSignatureAndHash {
-		m.signatureAndHash.hash = data[0]
-		m.signatureAndHash.signature = data[1]
-		data = data[2:]
-	}
-
-	if len(data) < 2 {
-		return false
-	}
-	siglength := int(data[0])<<8 + int(data[1])
-	data = data[2:]
-	if len(data) != siglength {
-		return false
-	}
-
-	m.signature = data
-
-	return true
-}
-
-type newSessionTicketMsg struct {
-	raw    []byte
-	ticket []byte
-}
-
-func (m *newSessionTicketMsg) equal(i interface{}) bool {
-	m1, ok := i.(*newSessionTicketMsg)
-	if !ok {
-		return false
-	}
-
-	return bytes.Equal(m.raw, m1.raw) &&
-		bytes.Equal(m.ticket, m1.ticket)
-}
-
-func (m *newSessionTicketMsg) marshal() (x []byte) {
-	if m.raw != nil {
-		return m.raw
-	}
-
-	// See http://tools.ietf.org/html/rfc5077#section-3.3
-	ticketLen := len(m.ticket)
-	length := 2 + 4 + ticketLen
-	x = make([]byte, 4+length)
-	x[0] = typeNewSessionTicket
-	x[1] = uint8(length >> 16)
-	x[2] = uint8(length >> 8)
-	x[3] = uint8(length)
-	x[8] = uint8(ticketLen >> 8)
-	x[9] = uint8(ticketLen)
-	copy(x[10:], m.ticket)
-
-	// [Psiphon]
-	// Set lifetime hint to a more typical value.
-	if obfuscateSessionTickets {
-		hints := []int{300, 1200, 7200, 10800, 64800, 100800, 129600}
-		hint := hints[prng.Intn(len(hints))]
-		x[4] = uint8(hint >> 24)
-		x[5] = uint8(hint >> 16)
-		x[6] = uint8(hint >> 8)
-		x[7] = uint8(hint)
-	}
-
-	m.raw = x
-
-	return
-}
-
-func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
-	m.raw = data
-
-	if len(data) < 10 {
-		return false
-	}
-
-	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
-	if uint32(len(data))-4 != length {
-		return false
-	}
-
-	ticketLen := int(data[8])<<8 + int(data[9])
-	if len(data)-10 != ticketLen {
-		return false
-	}
-
-	m.ticket = data[10:]
-
-	return true
-}
-
-type helloRequestMsg struct {
-}
-
-func (*helloRequestMsg) marshal() []byte {
-	return []byte{typeHelloRequest, 0, 0, 0}
-}
-
-func (*helloRequestMsg) unmarshal(data []byte) bool {
-	return len(data) == 4
-}
-
-func eqUint16s(x, y []uint16) bool {
-	if len(x) != len(y) {
-		return false
-	}
-	for i, v := range x {
-		if y[i] != v {
-			return false
-		}
-	}
-	return true
-}
-
-func eqCurveIDs(x, y []CurveID) bool {
-	if len(x) != len(y) {
-		return false
-	}
-	for i, v := range x {
-		if y[i] != v {
-			return false
-		}
-	}
-	return true
-}
-
-func eqStrings(x, y []string) bool {
-	if len(x) != len(y) {
-		return false
-	}
-	for i, v := range x {
-		if y[i] != v {
-			return false
-		}
-	}
-	return true
-}
-
-func eqByteSlices(x, y [][]byte) bool {
-	if len(x) != len(y) {
-		return false
-	}
-	for i, v := range x {
-		if !bytes.Equal(v, y[i]) {
-			return false
-		}
-	}
-	return true
-}
-
-func eqSignatureAndHashes(x, y []signatureAndHash) bool {
-	if len(x) != len(y) {
-		return false
-	}
-	for i, v := range x {
-		v2 := y[i]
-		if v.hash != v2.hash || v.signature != v2.signature {
-			return false
-		}
-	}
-	return true
-}

vendor/github.com/Psiphon-Labs/utls/handshake_server.go

@@ -1,838 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tls
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/rsa"
-	"crypto/subtle"
-	"crypto/x509"
-	"encoding/asn1"
-	"errors"
-	"fmt"
-	"io"
-)
-
-// serverHandshakeState contains details of a server handshake in progress.
-// It's discarded once the handshake has completed.
-type serverHandshakeState struct {
-	c                     *Conn
-	clientHello           *clientHelloMsg
-	hello                 *serverHelloMsg
-	suite                 *cipherSuite
-	ellipticOk            bool
-	ecdsaOk               bool
-	rsaDecryptOk          bool
-	rsaSignOk             bool
-	sessionState          *sessionState
-	finishedHash          finishedHash
-	masterSecret          []byte
-	certsFromClient       [][]byte
-	cert                  *Certificate
-	cachedClientHelloInfo *ClientHelloInfo
-}
-
-// serverHandshake performs a TLS handshake as a server.
-// c.out.Mutex <= L; c.handshakeMutex <= L.
-func (c *Conn) serverHandshake() error {
-	// If this is the first server handshake, we generate a random key to
-	// encrypt the tickets with.
-	c.config.serverInitOnce.Do(func() { c.config.serverInit(nil) })
-
-	hs := serverHandshakeState{
-		c: c,
-	}
-	isResume, err := hs.readClientHello()
-	if err != nil {
-		return err
-	}
-
-	// For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3
-	c.buffering = true
-	if isResume {
-		// The client has included a session ticket and so we do an abbreviated handshake.
-		if err := hs.doResumeHandshake(); err != nil {
-			return err
-		}
-		if err := hs.establishKeys(); err != nil {
-			return err
-		}
-		// ticketSupported is set in a resumption handshake if the
-		// ticket from the client was encrypted with an old session
-		// ticket key and thus a refreshed ticket should be sent.
-		if hs.hello.ticketSupported {
-			if err := hs.sendSessionTicket(); err != nil {
-				return err
-			}
-		}
-		if err := hs.sendFinished(c.serverFinished[:]); err != nil {
-			return err
-		}
-		if _, err := c.flush(); err != nil {
-			return err
-		}
-		c.clientFinishedIsFirst = false
-		if err := hs.readFinished(nil); err != nil {
-			return err
-		}
-		c.didResume = true
-	} else {
-		// The client didn't include a session ticket, or it wasn't
-		// valid so we do a full handshake.
-		if err := hs.doFullHandshake(); err != nil {
-			return err
-		}
-		if err := hs.establishKeys(); err != nil {
-			return err
-		}
-		if err := hs.readFinished(c.clientFinished[:]); err != nil {
-			return err
-		}
-		c.clientFinishedIsFirst = true
-		c.buffering = true
-		if err := hs.sendSessionTicket(); err != nil {
-			return err
-		}
-		if err := hs.sendFinished(nil); err != nil {
-			return err
-		}
-		if _, err := c.flush(); err != nil {
-			return err
-		}
-	}
-	c.handshakeComplete = true
-
-	return nil
-}
-
-// readClientHello reads a ClientHello message from the client and decides
-// whether we will perform session resumption.
-func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) {
-	c := hs.c
-
-	msg, err := c.readHandshake()
-	if err != nil {
-		return false, err
-	}
-	var ok bool
-	hs.clientHello, ok = msg.(*clientHelloMsg)
-	if !ok {
-		c.sendAlert(alertUnexpectedMessage)
-		return false, unexpectedMessageError(hs.clientHello, msg)
-	}
-
-	if c.config.GetConfigForClient != nil {
-		if newConfig, err := c.config.GetConfigForClient(hs.clientHelloInfo()); err != nil {
-			c.sendAlert(alertInternalError)
-			return false, err
-		} else if newConfig != nil {
-			newConfig.serverInitOnce.Do(func() { newConfig.serverInit(c.config) })
-			c.config = newConfig
-		}
-	}
-
-	c.vers, ok = c.config.mutualVersion(hs.clientHello.vers)
-	if !ok {
-		c.sendAlert(alertProtocolVersion)
-		return false, fmt.Errorf("tls: client offered an unsupported, maximum protocol version of %x", hs.clientHello.vers)
-	}
-	c.haveVers = true
-
-	hs.hello = new(serverHelloMsg)
-
-	supportedCurve := false
-	preferredCurves := c.config.curvePreferences()
-Curves:
-	for _, curve := range hs.clientHello.supportedCurves {
-		for _, supported := range preferredCurves {
-			if supported == curve {
-				supportedCurve = true
-				break Curves
-			}
-		}
-	}
-
-	supportedPointFormat := false
-	for _, pointFormat := range hs.clientHello.supportedPoints {
-		if pointFormat == pointFormatUncompressed {
-			supportedPointFormat = true
-			break
-		}
-	}
-	hs.ellipticOk = supportedCurve && supportedPointFormat
-
-	foundCompression := false
-	// We only support null compression, so check that the client offered it.
-	for _, compression := range hs.clientHello.compressionMethods {
-		if compression == compressionNone {
-			foundCompression = true
-			break
-		}
-	}
-
-	if !foundCompression {
-		c.sendAlert(alertHandshakeFailure)
-		return false, errors.New("tls: client does not support uncompressed connections")
-	}
-
-	hs.hello.vers = c.vers
-	hs.hello.random = make([]byte, 32)
-	_, err = io.ReadFull(c.config.rand(), hs.hello.random)
-	if err != nil {
-		c.sendAlert(alertInternalError)
-		return false, err
-	}
-
-	if len(hs.clientHello.secureRenegotiation) != 0 {
-		c.sendAlert(alertHandshakeFailure)
-		return false, errors.New("tls: initial handshake had non-empty renegotiation extension")
-	}
-
-	hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported
-	hs.hello.compressionMethod = compressionNone
-	if len(hs.clientHello.serverName) > 0 {
-		c.serverName = hs.clientHello.serverName
-	}
-
-	if len(hs.clientHello.alpnProtocols) > 0 {
-		if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback {
-			hs.hello.alpnProtocol = selectedProto
-			c.clientProtocol = selectedProto
-		}
-	} else {
-		// Although sending an empty NPN extension is reasonable, Firefox has
-		// had a bug around this. Best to send nothing at all if
-		// c.config.NextProtos is empty. See
-		// https://golang.org/issue/5445.
-		if hs.clientHello.nextProtoNeg && len(c.config.NextProtos) > 0 {
-			hs.hello.nextProtoNeg = true
-			hs.hello.nextProtos = c.config.NextProtos
-		}
-	}
-
-	hs.cert, err = c.config.getCertificate(hs.clientHelloInfo())
-	if err != nil {
-		c.sendAlert(alertInternalError)
-		return false, err
-	}
-	if hs.clientHello.scts {
-		hs.hello.scts = hs.cert.SignedCertificateTimestamps
-	}
-
-	if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
-		switch priv.Public().(type) {
-		case *ecdsa.PublicKey:
-			hs.ecdsaOk = true
-		case *rsa.PublicKey:
-			hs.rsaSignOk = true
-		default:
-			c.sendAlert(alertInternalError)
-			return false, fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())
-		}
-	}
-	if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
-		switch priv.Public().(type) {
-		case *rsa.PublicKey:
-			hs.rsaDecryptOk = true
-		default:
-			c.sendAlert(alertInternalError)
-			return false, fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())
-		}
-	}
-
-	if hs.checkForResumption() {
-		return true, nil
-	}
-
-	var preferenceList, supportedList []uint16
-	if c.config.PreferServerCipherSuites {
-		preferenceList = c.config.cipherSuites()
-		supportedList = hs.clientHello.cipherSuites
-	} else {
-		preferenceList = hs.clientHello.cipherSuites
-		supportedList = c.config.cipherSuites()
-	}
-
-	for _, id := range preferenceList {
-		if hs.setCipherSuite(id, supportedList, c.vers) {
-			break
-		}
-	}
-
-	if hs.suite == nil {
-		c.sendAlert(alertHandshakeFailure)
-		return false, errors.New("tls: no cipher suite supported by both client and server")
-	}
-
-	// See https://tools.ietf.org/html/rfc7507.
-	for _, id := range hs.clientHello.cipherSuites {
-		if id == TLS_FALLBACK_SCSV {
-			// The client is doing a fallback connection.
-			if hs.clientHello.vers < c.config.maxVersion() {
-				c.sendAlert(alertInappropriateFallback)
-				return false, errors.New("tls: client using inappropriate protocol fallback")
-			}
-			break
-		}
-	}
-
-	return false, nil
-}
-
-// checkForResumption reports whether we should perform resumption on this connection.
-func (hs *serverHandshakeState) checkForResumption() bool {
-	c := hs.c
-
-	if c.config.SessionTicketsDisabled {
-		return false
-	}
-
-	var ok bool
-	var sessionTicket = append([]uint8{}, hs.clientHello.sessionTicket...)
-	if hs.sessionState, ok = c.decryptTicket(sessionTicket); !ok {
-		return false
-	}
-
-	// Never resume a session for a different TLS version.
-	if c.vers != hs.sessionState.vers {
-		return false
-	}
-
-	cipherSuiteOk := false
-	// Check that the client is still offering the ciphersuite in the session.
-	for _, id := range hs.clientHello.cipherSuites {
-		if id == hs.sessionState.cipherSuite {
-			cipherSuiteOk = true
-			break
-		}
-	}
-	if !cipherSuiteOk {
-		return false
-	}
-
-	// Check that we also support the ciphersuite from the session.
-	if !hs.setCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), hs.sessionState.vers) {
-		return false
-	}
-
-	sessionHasClientCerts := len(hs.sessionState.certificates) != 0
-	needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert
-	if needClientCerts && !sessionHasClientCerts {
-		return false
-	}
-	if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
-		return false
-	}
-
-	return true
-}
-
-func (hs *serverHandshakeState) doResumeHandshake() error {
-	c := hs.c
-
-	hs.hello.cipherSuite = hs.suite.id
-	// We echo the client's session ID in the ServerHello to let it know
-	// that we're doing a resumption.
-	hs.hello.sessionId = hs.clientHello.sessionId
-	hs.hello.ticketSupported = hs.sessionState.usedOldKey
-	hs.finishedHash = newFinishedHash(c.vers, hs.suite)
-	hs.finishedHash.discardHandshakeBuffer()
-	hs.finishedHash.Write(hs.clientHello.marshal())
-	hs.finishedHash.Write(hs.hello.marshal())
-	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
-		return err
-	}
-
-	if len(hs.sessionState.certificates) > 0 {
-		if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil {
-			return err
-		}
-	}
-
-	hs.masterSecret = hs.sessionState.masterSecret
-
-	return nil
-}
-
-func (hs *serverHandshakeState) doFullHandshake() error {
-	c := hs.c
-
-	if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
-		hs.hello.ocspStapling = true
-	}
-
-	hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
-	hs.hello.cipherSuite = hs.suite.id
-
-	hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
-	if c.config.ClientAuth == NoClientCert {
-		// No need to keep a full record of the handshake if client
-		// certificates won't be used.
-		hs.finishedHash.discardHandshakeBuffer()
-	}
-	hs.finishedHash.Write(hs.clientHello.marshal())
-	hs.finishedHash.Write(hs.hello.marshal())
-	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
-		return err
-	}
-
-	certMsg := new(certificateMsg)
-	certMsg.certificates = hs.cert.Certificate
-	hs.finishedHash.Write(certMsg.marshal())
-	if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
-		return err
-	}
-
-	if hs.hello.ocspStapling {
-		certStatus := new(certificateStatusMsg)
-		certStatus.statusType = statusTypeOCSP
-		certStatus.response = hs.cert.OCSPStaple
-		hs.finishedHash.Write(certStatus.marshal())
-		if _, err := c.writeRecord(recordTypeHandshake, certStatus.marshal()); err != nil {
-			return err
-		}
-	}
-
-	keyAgreement := hs.suite.ka(c.vers)
-	skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
-	if err != nil {
-		c.sendAlert(alertHandshakeFailure)
-		return err
-	}
-	if skx != nil {
-		hs.finishedHash.Write(skx.marshal())
-		if _, err := c.writeRecord(recordTypeHandshake, skx.marshal()); err != nil {
-			return err
-		}
-	}
-
-	if c.config.ClientAuth >= RequestClientCert {
-		// Request a client certificate
-		certReq := new(certificateRequestMsg)
-		certReq.certificateTypes = []byte{
-			byte(certTypeRSASign),
-			byte(certTypeECDSASign),
-		}
-		if c.vers >= VersionTLS12 {
-			certReq.hasSignatureAndHash = true
-			certReq.signatureAndHashes = supportedSignatureAlgorithms
-		}
-
-		// An empty list of certificateAuthorities signals to
-		// the client that it may send any certificate in response
-		// to our request. When we know the CAs we trust, then
-		// we can send them down, so that the client can choose
-		// an appropriate certificate to give to us.
-		if c.config.ClientCAs != nil {
-			certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
-		}
-		hs.finishedHash.Write(certReq.marshal())
-		if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil {
-			return err
-		}
-	}
-
-	helloDone := new(serverHelloDoneMsg)
-	hs.finishedHash.Write(helloDone.marshal())
-	if _, err := c.writeRecord(recordTypeHandshake, helloDone.marshal()); err != nil {
-		return err
-	}
-
-	if _, err := c.flush(); err != nil {
-		return err
-	}
-
-	var pub crypto.PublicKey // public key for client auth, if any
-
-	msg, err := c.readHandshake()
-	if err != nil {
-		return err
-	}
-
-	var ok bool
-	// If we requested a client certificate, then the client must send a
-	// certificate message, even if it's empty.
-	if c.config.ClientAuth >= RequestClientCert {
-		if certMsg, ok = msg.(*certificateMsg); !ok {
-			c.sendAlert(alertUnexpectedMessage)
-			return unexpectedMessageError(certMsg, msg)
-		}
-		hs.finishedHash.Write(certMsg.marshal())
-
-		if len(certMsg.certificates) == 0 {
-			// The client didn't actually send a certificate
-			switch c.config.ClientAuth {
-			case RequireAnyClientCert, RequireAndVerifyClientCert:
-				c.sendAlert(alertBadCertificate)
-				return errors.New("tls: client didn't provide a certificate")
-			}
-		}
-
-		pub, err = hs.processCertsFromClient(certMsg.certificates)
-		if err != nil {
-			return err
-		}
-
-		msg, err = c.readHandshake()
-		if err != nil {
-			return err
-		}
-	}
-
-	// Get client key exchange
-	ckx, ok := msg.(*clientKeyExchangeMsg)
-	if !ok {
-		c.sendAlert(alertUnexpectedMessage)
-		return unexpectedMessageError(ckx, msg)
-	}
-	hs.finishedHash.Write(ckx.marshal())
-
-	preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)
-	if err != nil {
-		c.sendAlert(alertHandshakeFailure)
-		return err
-	}
-	hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)
-	if err := c.config.writeKeyLog(hs.clientHello.random, hs.masterSecret); err != nil {
-		c.sendAlert(alertInternalError)
-		return err
-	}
-
-	// If we received a client cert in response to our certificate request message,
-	// the client will send us a certificateVerifyMsg immediately after the
-	// clientKeyExchangeMsg. This message is a digest of all preceding
-	// handshake-layer messages that is signed using the private key corresponding
-	// to the client's certificate. This allows us to verify that the client is in
-	// possession of the private key of the certificate.
-	if len(c.peerCertificates) > 0 {
-		msg, err = c.readHandshake()
-		if err != nil {
-			return err
-		}
-		certVerify, ok := msg.(*certificateVerifyMsg)
-		if !ok {
-			c.sendAlert(alertUnexpectedMessage)
-			return unexpectedMessageError(certVerify, msg)
-		}
-
-		// Determine the signature type.
-		var signatureAndHash signatureAndHash
-		if certVerify.hasSignatureAndHash {
-			signatureAndHash = certVerify.signatureAndHash
-			if !isSupportedSignatureAndHash(signatureAndHash, supportedSignatureAlgorithms) {
-				return errors.New("tls: unsupported hash function for client certificate")
-			}
-		} else {
-			// Before TLS 1.2 the signature algorithm was implicit
-			// from the key type, and only one hash per signature
-			// algorithm was possible. Leave the hash as zero.
-			switch pub.(type) {
-			case *ecdsa.PublicKey:
-				signatureAndHash.signature = signatureECDSA
-			case *rsa.PublicKey:
-				signatureAndHash.signature = signatureRSA
-			}
-		}
-
-		switch key := pub.(type) {
-		case *ecdsa.PublicKey:
-			if signatureAndHash.signature != signatureECDSA {
-				err = errors.New("tls: bad signature type for client's ECDSA certificate")
-				break
-			}
-			ecdsaSig := new(ecdsaSignature)
-			if _, err = asn1.Unmarshal(certVerify.signature, ecdsaSig); err != nil {
-				break
-			}
-			if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
-				err = errors.New("tls: ECDSA signature contained zero or negative values")
-				break
-			}
-			var digest []byte
-			if digest, _, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret); err != nil {
-				break
-			}
-			if !ecdsa.Verify(key, digest, ecdsaSig.R, ecdsaSig.S) {
-				err = errors.New("tls: ECDSA verification failure")
-			}
-		case *rsa.PublicKey:
-			if signatureAndHash.signature != signatureRSA {
-				err = errors.New("tls: bad signature type for client's RSA certificate")
-				break
-			}
-			var digest []byte
-			var hashFunc crypto.Hash
-			if digest, hashFunc, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret); err != nil {
-				break
-			}
-			err = rsa.VerifyPKCS1v15(key, hashFunc, digest, certVerify.signature)
-		}
-		if err != nil {
-			c.sendAlert(alertBadCertificate)
-			return errors.New("tls: could not validate signature of connection nonces: " + err.Error())
-		}
-
-		hs.finishedHash.Write(certVerify.marshal())
-	}
-
-	hs.finishedHash.discardHandshakeBuffer()
-
-	return nil
-}
-
-func (hs *serverHandshakeState) establishKeys() error {
-	c := hs.c
-
-	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
-		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
-
-	var clientCipher, serverCipher interface{}
-	var clientHash, serverHash macFunction
-
-	if hs.suite.aead == nil {
-		clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
-		clientHash = hs.suite.mac(c.vers, clientMAC)
-		serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
-		serverHash = hs.suite.mac(c.vers, serverMAC)
-	} else {
-		clientCipher = hs.suite.aead(clientKey, clientIV)
-		serverCipher = hs.suite.aead(serverKey, serverIV)
-	}
-
-	c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
-	c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
-
-	return nil
-}
-
-func (hs *serverHandshakeState) readFinished(out []byte) error {
-	c := hs.c
-
-	c.readRecord(recordTypeChangeCipherSpec)
-	if c.in.err != nil {
-		return c.in.err
-	}
-
-	if hs.hello.nextProtoNeg {
-		msg, err := c.readHandshake()
-		if err != nil {
-			return err
-		}
-		nextProto, ok := msg.(*nextProtoMsg)
-		if !ok {
-			c.sendAlert(alertUnexpectedMessage)
-			return unexpectedMessageError(nextProto, msg)
-		}
-		hs.finishedHash.Write(nextProto.marshal())
-		c.clientProtocol = nextProto.proto
-	}
-
-	msg, err := c.readHandshake()
-	if err != nil {
-		return err
-	}
-	clientFinished, ok := msg.(*finishedMsg)
-	if !ok {
-		c.sendAlert(alertUnexpectedMessage)
-		return unexpectedMessageError(clientFinished, msg)
-	}
-
-	verify := hs.finishedHash.clientSum(hs.masterSecret)
-	if len(verify) != len(clientFinished.verifyData) ||
-		subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
-		c.sendAlert(alertHandshakeFailure)
-		return errors.New("tls: client's Finished message is incorrect")
-	}
-
-	hs.finishedHash.Write(clientFinished.marshal())
-	copy(out, verify)
-	return nil
-}
-
-func (hs *serverHandshakeState) sendSessionTicket() error {
-	if !hs.hello.ticketSupported {
-		return nil
-	}
-
-	c := hs.c
-	m := new(newSessionTicketMsg)
-
-	var err error
-	state := sessionState{
-		vers:         c.vers,
-		cipherSuite:  hs.suite.id,
-		masterSecret: hs.masterSecret,
-		certificates: hs.certsFromClient,
-	}
-	m.ticket, err = c.encryptTicket(&state)
-	if err != nil {
-		return err
-	}
-
-	hs.finishedHash.Write(m.marshal())
-	if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (hs *serverHandshakeState) sendFinished(out []byte) error {
-	c := hs.c
-
-	if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil {
-		return err
-	}
-
-	finished := new(finishedMsg)
-	finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
-	hs.finishedHash.Write(finished.marshal())
-	if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
-		return err
-	}
-
-	c.cipherSuite = hs.suite.id
-	copy(out, finished.verifyData)
-
-	return nil
-}
-
-// processCertsFromClient takes a chain of client certificates either from a
-// Certificates message or from a sessionState and verifies them. It returns
-// the public key of the leaf certificate.
-func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) {
-	c := hs.c
-
-	hs.certsFromClient = certificates
-	certs := make([]*x509.Certificate, len(certificates))
-	var err error
-	for i, asn1Data := range certificates {
-		if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
-			c.sendAlert(alertBadCertificate)
-			return nil, errors.New("tls: failed to parse client certificate: " + err.Error())
-		}
-	}
-
-	if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
-		opts := x509.VerifyOptions{
-			Roots:         c.config.ClientCAs,
-			CurrentTime:   c.config.time(),
-			Intermediates: x509.NewCertPool(),
-			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
-		}
-
-		for _, cert := range certs[1:] {
-			opts.Intermediates.AddCert(cert)
-		}
-
-		chains, err := certs[0].Verify(opts)
-		if err != nil {
-			c.sendAlert(alertBadCertificate)
-			return nil, errors.New("tls: failed to verify client's certificate: " + err.Error())
-		}
-
-		c.verifiedChains = chains
-	}
-
-	if c.config.VerifyPeerCertificate != nil {
-		if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
-			c.sendAlert(alertBadCertificate)
-			return nil, err
-		}
-	}
-
-	if len(certs) == 0 {
-		return nil, nil
-	}
-
-	var pub crypto.PublicKey
-	switch key := certs[0].PublicKey.(type) {
-	case *ecdsa.PublicKey, *rsa.PublicKey:
-		pub = key
-	default:
-		c.sendAlert(alertUnsupportedCertificate)
-		return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", certs[0].PublicKey)
-	}
-	c.peerCertificates = certs
-	return pub, nil
-}
-
-// setCipherSuite sets a cipherSuite with the given id as the serverHandshakeState
-// suite if that cipher suite is acceptable to use.
-// It returns a bool indicating if the suite was set.
-func (hs *serverHandshakeState) setCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16) bool {
-	for _, supported := range supportedCipherSuites {
-		if id == supported {
-			var candidate *cipherSuite
-
-			for _, s := range cipherSuites {
-				if s.id == id {
-					candidate = s
-					break
-				}
-			}
-			if candidate == nil {
-				continue
-			}
-			// Don't select a ciphersuite which we can't
-			// support for this client.
-			if candidate.flags&suiteECDHE != 0 {
-				if !hs.ellipticOk {
-					continue
-				}
-				if candidate.flags&suiteECDSA != 0 {
-					if !hs.ecdsaOk {
-						continue
-					}
-				} else if !hs.rsaSignOk {
-					continue
-				}
-			} else if !hs.rsaDecryptOk {
-				continue
-			}
-			if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {
-				continue
-			}
-			hs.suite = candidate
-			return true
-		}
-	}
-	return false
-}
-
-// suppVersArray is the backing array of ClientHelloInfo.SupportedVersions
-var suppVersArray = [...]uint16{VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30}
-
-func (hs *serverHandshakeState) clientHelloInfo() *ClientHelloInfo {
-	if hs.cachedClientHelloInfo != nil {
-		return hs.cachedClientHelloInfo
-	}
-
-	var supportedVersions []uint16
-	if hs.clientHello.vers > VersionTLS12 {
-		supportedVersions = suppVersArray[:]
-	} else if hs.clientHello.vers >= VersionSSL30 {
-		supportedVersions = suppVersArray[VersionTLS12-hs.clientHello.vers:]
-	}
-
-	signatureSchemes := make([]SignatureScheme, 0, len(hs.clientHello.signatureAndHashes))
-	for _, sah := range hs.clientHello.signatureAndHashes {
-		signatureSchemes = append(signatureSchemes, SignatureScheme(sah.hash)<<8+SignatureScheme(sah.signature))
-	}
-
-	hs.cachedClientHelloInfo = &ClientHelloInfo{
-		CipherSuites:      hs.clientHello.cipherSuites,
-		ServerName:        hs.clientHello.serverName,
-		SupportedCurves:   hs.clientHello.supportedCurves,
-		SupportedPoints:   hs.clientHello.supportedPoints,
-		SignatureSchemes:  signatureSchemes,
-		SupportedProtos:   hs.clientHello.alpnProtocols,
-		SupportedVersions: supportedVersions,
-		Conn:              hs.c.conn,
-	}
-
-	return hs.cachedClientHelloInfo
-}

vendor/github.com/Psiphon-Labs/utls/key_agreement.go

@@ -1,473 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tls
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/md5"
-	"crypto/rsa"
-	"crypto/sha1"
-	"crypto/x509"
-	"encoding/asn1"
-	"errors"
-	"io"
-	"math/big"
-
-	"golang.org/x/crypto/curve25519"
-)
-
-var errClientKeyExchange = errors.New("tls: invalid ClientKeyExchange message")
-var errServerKeyExchange = errors.New("tls: invalid ServerKeyExchange message")
-
-// rsaKeyAgreement implements the standard TLS key agreement where the client
-// encrypts the pre-master secret to the server's public key.
-type rsaKeyAgreement struct{}
-
-func (ka rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {
-	return nil, nil
-}
-
-func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
-	if len(ckx.ciphertext) < 2 {
-		return nil, errClientKeyExchange
-	}
-
-	ciphertext := ckx.ciphertext
-	if version != VersionSSL30 {
-		ciphertextLen := int(ckx.ciphertext[0])<<8 | int(ckx.ciphertext[1])
-		if ciphertextLen != len(ckx.ciphertext)-2 {
-			return nil, errClientKeyExchange
-		}
-		ciphertext = ckx.ciphertext[2:]
-	}
-	priv, ok := cert.PrivateKey.(crypto.Decrypter)
-	if !ok {
-		return nil, errors.New("tls: certificate private key does not implement crypto.Decrypter")
-	}
-	// Perform constant time RSA PKCS#1 v1.5 decryption
-	preMasterSecret, err := priv.Decrypt(config.rand(), ciphertext, &rsa.PKCS1v15DecryptOptions{SessionKeyLen: 48})
-	if err != nil {
-		return nil, err
-	}
-	// We don't check the version number in the premaster secret. For one,
-	// by checking it, we would leak information about the validity of the
-	// encrypted pre-master secret. Secondly, it provides only a small
-	// benefit against a downgrade attack and some implementations send the
-	// wrong version anyway. See the discussion at the end of section
-	// 7.4.7.1 of RFC 4346.
-	return preMasterSecret, nil
-}
-
-func (ka rsaKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {
-	return errors.New("tls: unexpected ServerKeyExchange")
-}
-
-func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {
-	preMasterSecret := make([]byte, 48)
-	preMasterSecret[0] = byte(clientHello.vers >> 8)
-	preMasterSecret[1] = byte(clientHello.vers)
-	_, err := io.ReadFull(config.rand(), preMasterSecret[2:])
-	if err != nil {
-		return nil, nil, err
-	}
-
-	encrypted, err := rsa.EncryptPKCS1v15(config.rand(), cert.PublicKey.(*rsa.PublicKey), preMasterSecret)
-	if err != nil {
-		return nil, nil, err
-	}
-	ckx := new(clientKeyExchangeMsg)
-	ckx.ciphertext = make([]byte, len(encrypted)+2)
-	ckx.ciphertext[0] = byte(len(encrypted) >> 8)
-	ckx.ciphertext[1] = byte(len(encrypted))
-	copy(ckx.ciphertext[2:], encrypted)
-	return preMasterSecret, ckx, nil
-}
-
-// sha1Hash calculates a SHA1 hash over the given byte slices.
-func sha1Hash(slices [][]byte) []byte {
-	hsha1 := sha1.New()
-	for _, slice := range slices {
-		hsha1.Write(slice)
-	}
-	return hsha1.Sum(nil)
-}
-
-// md5SHA1Hash implements TLS 1.0's hybrid hash function which consists of the
-// concatenation of an MD5 and SHA1 hash.
-func md5SHA1Hash(slices [][]byte) []byte {
-	md5sha1 := make([]byte, md5.Size+sha1.Size)
-	hmd5 := md5.New()
-	for _, slice := range slices {
-		hmd5.Write(slice)
-	}
-	copy(md5sha1, hmd5.Sum(nil))
-	copy(md5sha1[md5.Size:], sha1Hash(slices))
-	return md5sha1
-}
-
-// hashForServerKeyExchange hashes the given slices and returns their digest
-// and the identifier of the hash function used. The sigAndHash argument is
-// only used for >= TLS 1.2 and precisely identifies the hash function to use.
-func hashForServerKeyExchange(sigAndHash signatureAndHash, version uint16, slices ...[]byte) ([]byte, crypto.Hash, error) {
-	if version >= VersionTLS12 {
-		if !isSupportedSignatureAndHash(sigAndHash, utlsSupportedSignatureAlgorithms) { // [UTLS]
-			return nil, crypto.Hash(0), errors.New("tls: unsupported hash function used by peer")
-		}
-		hashFunc, err := lookupTLSHash(sigAndHash.hash)
-		if err != nil {
-			return nil, crypto.Hash(0), err
-		}
-		h := hashFunc.New()
-		for _, slice := range slices {
-			h.Write(slice)
-		}
-		digest := h.Sum(nil)
-		return digest, hashFunc, nil
-	}
-	if sigAndHash.signature == signatureECDSA {
-		return sha1Hash(slices), crypto.SHA1, nil
-	}
-	return md5SHA1Hash(slices), crypto.MD5SHA1, nil
-}
-
-// pickTLS12HashForSignature returns a TLS 1.2 hash identifier for signing a
-// ServerKeyExchange given the signature type being used and the client's
-// advertised list of supported signature and hash combinations.
-func pickTLS12HashForSignature(sigType uint8, clientList []signatureAndHash) (uint8, error) {
-	if len(clientList) == 0 {
-		// If the client didn't specify any signature_algorithms
-		// extension then we can assume that it supports SHA1. See
-		// http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
-		return hashSHA1, nil
-	}
-
-	for _, sigAndHash := range clientList {
-		if sigAndHash.signature != sigType {
-			continue
-		}
-		if isSupportedSignatureAndHash(sigAndHash, supportedSignatureAlgorithms) {
-			return sigAndHash.hash, nil
-		}
-	}
-
-	return 0, errors.New("tls: client doesn't support any common hash functions")
-}
-
-func curveForCurveID(id CurveID) (elliptic.Curve, bool) {
-	switch id {
-	case CurveP256:
-		return elliptic.P256(), true
-	case CurveP384:
-		return elliptic.P384(), true
-	case CurveP521:
-		return elliptic.P521(), true
-	default:
-		return nil, false
-	}
-
-}
-
-// ecdheRSAKeyAgreement implements a TLS key agreement where the server
-// generates a ephemeral EC public/private key pair and signs it. The
-// pre-master secret is then calculated using ECDH. The signature may
-// either be ECDSA or RSA.
-type ecdheKeyAgreement struct {
-	version    uint16
-	sigType    uint8
-	privateKey []byte
-	curveid    CurveID
-
-	// publicKey is used to store the peer's public value when X25519 is
-	// being used.
-	publicKey []byte
-	// x and y are used to store the peer's public value when one of the
-	// NIST curves is being used.
-	x, y *big.Int
-}
-
-func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {
-	preferredCurves := config.curvePreferences()
-
-NextCandidate:
-	for _, candidate := range preferredCurves {
-		for _, c := range clientHello.supportedCurves {
-			if candidate == c {
-				ka.curveid = c
-				break NextCandidate
-			}
-		}
-	}
-
-	if ka.curveid == 0 {
-		return nil, errors.New("tls: no supported elliptic curves offered")
-	}
-
-	var ecdhePublic []byte
-
-	if ka.curveid == X25519 {
-		var scalar, public [32]byte
-		if _, err := io.ReadFull(config.rand(), scalar[:]); err != nil {
-			return nil, err
-		}
-
-		curve25519.ScalarBaseMult(&public, &scalar)
-		ka.privateKey = scalar[:]
-		ecdhePublic = public[:]
-	} else {
-		curve, ok := curveForCurveID(ka.curveid)
-		if !ok {
-			return nil, errors.New("tls: preferredCurves includes unsupported curve")
-		}
-
-		var x, y *big.Int
-		var err error
-		ka.privateKey, x, y, err = elliptic.GenerateKey(curve, config.rand())
-		if err != nil {
-			return nil, err
-		}
-		ecdhePublic = elliptic.Marshal(curve, x, y)
-	}
-
-	// http://tools.ietf.org/html/rfc4492#section-5.4
-	serverECDHParams := make([]byte, 1+2+1+len(ecdhePublic))
-	serverECDHParams[0] = 3 // named curve
-	serverECDHParams[1] = byte(ka.curveid >> 8)
-	serverECDHParams[2] = byte(ka.curveid)
-	serverECDHParams[3] = byte(len(ecdhePublic))
-	copy(serverECDHParams[4:], ecdhePublic)
-
-	sigAndHash := signatureAndHash{signature: ka.sigType}
-
-	if ka.version >= VersionTLS12 {
-		var err error
-		if sigAndHash.hash, err = pickTLS12HashForSignature(ka.sigType, clientHello.signatureAndHashes); err != nil {
-			return nil, err
-		}
-	}
-
-	digest, hashFunc, err := hashForServerKeyExchange(sigAndHash, ka.version, clientHello.random, hello.random, serverECDHParams)
-	if err != nil {
-		return nil, err
-	}
-
-	priv, ok := cert.PrivateKey.(crypto.Signer)
-	if !ok {
-		return nil, errors.New("tls: certificate private key does not implement crypto.Signer")
-	}
-	var sig []byte
-	switch ka.sigType {
-	case signatureECDSA:
-		_, ok := priv.Public().(*ecdsa.PublicKey)
-		if !ok {
-			return nil, errors.New("tls: ECDHE ECDSA requires an ECDSA server key")
-		}
-	case signatureRSA:
-		_, ok := priv.Public().(*rsa.PublicKey)
-		if !ok {
-			return nil, errors.New("tls: ECDHE RSA requires a RSA server key")
-		}
-	default:
-		return nil, errors.New("tls: unknown ECDHE signature algorithm")
-	}
-	sig, err = priv.Sign(config.rand(), digest, hashFunc)
-	if err != nil {
-		return nil, errors.New("tls: failed to sign ECDHE parameters: " + err.Error())
-	}
-
-	skx := new(serverKeyExchangeMsg)
-	sigAndHashLen := 0
-	if ka.version >= VersionTLS12 {
-		sigAndHashLen = 2
-	}
-	skx.key = make([]byte, len(serverECDHParams)+sigAndHashLen+2+len(sig))
-	copy(skx.key, serverECDHParams)
-	k := skx.key[len(serverECDHParams):]
-	if ka.version >= VersionTLS12 {
-		k[0] = sigAndHash.hash
-		k[1] = sigAndHash.signature
-		k = k[2:]
-	}
-	k[0] = byte(len(sig) >> 8)
-	k[1] = byte(len(sig))
-	copy(k[2:], sig)
-
-	return skx, nil
-}
-
-func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
-	if len(ckx.ciphertext) == 0 || int(ckx.ciphertext[0]) != len(ckx.ciphertext)-1 {
-		return nil, errClientKeyExchange
-	}
-
-	if ka.curveid == X25519 {
-		if len(ckx.ciphertext) != 1+32 {
-			return nil, errClientKeyExchange
-		}
-
-		var theirPublic, sharedKey, scalar [32]byte
-		copy(theirPublic[:], ckx.ciphertext[1:])
-		copy(scalar[:], ka.privateKey)
-		curve25519.ScalarMult(&sharedKey, &scalar, &theirPublic)
-		return sharedKey[:], nil
-	}
-
-	curve, ok := curveForCurveID(ka.curveid)
-	if !ok {
-		panic("internal error")
-	}
-	x, y := elliptic.Unmarshal(curve, ckx.ciphertext[1:])
-	if x == nil {
-		return nil, errClientKeyExchange
-	}
-	if !curve.IsOnCurve(x, y) {
-		return nil, errClientKeyExchange
-	}
-	x, _ = curve.ScalarMult(x, y, ka.privateKey)
-	preMasterSecret := make([]byte, (curve.Params().BitSize+7)>>3)
-	xBytes := x.Bytes()
-	copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)
-
-	return preMasterSecret, nil
-}
-
-func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {
-	if len(skx.key) < 4 {
-		return errServerKeyExchange
-	}
-	if skx.key[0] != 3 { // named curve
-		return errors.New("tls: server selected unsupported curve")
-	}
-	ka.curveid = CurveID(skx.key[1])<<8 | CurveID(skx.key[2])
-
-	publicLen := int(skx.key[3])
-	if publicLen+4 > len(skx.key) {
-		return errServerKeyExchange
-	}
-	serverECDHParams := skx.key[:4+publicLen]
-	publicKey := serverECDHParams[4:]
-
-	sig := skx.key[4+publicLen:]
-	if len(sig) < 2 {
-		return errServerKeyExchange
-	}
-
-	if ka.curveid == X25519 {
-		if len(publicKey) != 32 {
-			return errors.New("tls: bad X25519 public value")
-		}
-		ka.publicKey = publicKey
-	} else {
-		curve, ok := curveForCurveID(ka.curveid)
-		if !ok {
-			return errors.New("tls: server selected unsupported curve")
-		}
-
-		ka.x, ka.y = elliptic.Unmarshal(curve, publicKey)
-		if ka.x == nil {
-			return errServerKeyExchange
-		}
-		if !curve.IsOnCurve(ka.x, ka.y) {
-			return errServerKeyExchange
-		}
-	}
-
-	sigAndHash := signatureAndHash{signature: ka.sigType}
-	if ka.version >= VersionTLS12 {
-		// handle SignatureAndHashAlgorithm
-		sigAndHash = signatureAndHash{hash: sig[0], signature: sig[1]}
-		if sigAndHash.signature != ka.sigType {
-			return errServerKeyExchange
-		}
-		sig = sig[2:]
-		if len(sig) < 2 {
-			return errServerKeyExchange
-		}
-	}
-	sigLen := int(sig[0])<<8 | int(sig[1])
-	if sigLen+2 != len(sig) {
-		return errServerKeyExchange
-	}
-	sig = sig[2:]
-
-	digest, hashFunc, err := hashForServerKeyExchange(sigAndHash, ka.version, clientHello.random, serverHello.random, serverECDHParams)
-	if err != nil {
-		return err
-	}
-	switch ka.sigType {
-	case signatureECDSA:
-		pubKey, ok := cert.PublicKey.(*ecdsa.PublicKey)
-		if !ok {
-			return errors.New("tls: ECDHE ECDSA requires a ECDSA server public key")
-		}
-		ecdsaSig := new(ecdsaSignature)
-		if _, err := asn1.Unmarshal(sig, ecdsaSig); err != nil {
-			return err
-		}
-		if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
-			return errors.New("tls: ECDSA signature contained zero or negative values")
-		}
-		if !ecdsa.Verify(pubKey, digest, ecdsaSig.R, ecdsaSig.S) {
-			return errors.New("tls: ECDSA verification failure")
-		}
-	case signatureRSA:
-		pubKey, ok := cert.PublicKey.(*rsa.PublicKey)
-		if !ok {
-			return errors.New("tls: ECDHE RSA requires a RSA server public key")
-		}
-		if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, digest, sig); err != nil {
-			return err
-		}
-	default:
-		return errors.New("tls: unknown ECDHE signature algorithm")
-	}
-
-	return nil
-}
-
-func (ka *ecdheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {
-	if ka.curveid == 0 {
-		return nil, nil, errors.New("tls: missing ServerKeyExchange message")
-	}
-
-	var serialized, preMasterSecret []byte
-
-	if ka.curveid == X25519 {
-		var ourPublic, theirPublic, sharedKey, scalar [32]byte
-
-		if _, err := io.ReadFull(config.rand(), scalar[:]); err != nil {
-			return nil, nil, err
-		}
-
-		copy(theirPublic[:], ka.publicKey)
-		curve25519.ScalarBaseMult(&ourPublic, &scalar)
-		curve25519.ScalarMult(&sharedKey, &scalar, &theirPublic)
-		serialized = ourPublic[:]
-		preMasterSecret = sharedKey[:]
-	} else {
-		curve, ok := curveForCurveID(ka.curveid)
-		if !ok {
-			panic("internal error")
-		}
-		priv, mx, my, err := elliptic.GenerateKey(curve, config.rand())
-		if err != nil {
-			return nil, nil, err
-		}
-		x, _ := curve.ScalarMult(ka.x, ka.y, priv)
-		preMasterSecret = make([]byte, (curve.Params().BitSize+7)>>3)
-		xBytes := x.Bytes()
-		copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes)
-
-		serialized = elliptic.Marshal(curve, mx, my)
-	}
-
-	ckx := new(clientKeyExchangeMsg)
-	ckx.ciphertext = make([]byte, 1+len(serialized))
-	ckx.ciphertext[0] = byte(len(serialized))
-	copy(ckx.ciphertext[1:], serialized)
-
-	return preMasterSecret, ckx, nil
-}

vendor/github.com/Psiphon-Labs/utls/obfuscated.go

@@ -1,132 +0,0 @@
-/*
- * Copyright (c) 2016, Psiphon Inc.
- * All rights reserved.
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-package tls
-
-import (
-	"crypto/rand"
-)
-
-// NewObfuscatedClientSessionCache produces obfuscated session tickets.
-//
-// [Psiphon]
-// Obfuscated Session Tickets
-//
-// Obfuscated session tickets is a network traffic obfuscation protocol that appears
-// to be valid TLS using session tickets. The client actually generates the session
-// ticket and encrypts it with a shared secret, enabling a TLS session that entirely
-// skips the most fingerprintable aspects of TLS.
-// The scheme is described here:
-// https://lists.torproject.org/pipermail/tor-dev/2016-September/011354.html
-//
-// Circumvention notes:
-//  - TLS session ticket implementations are widespread:
-//    https://istlsfastyet.com/#cdn-paas.
-//  - An adversary cannot easily block session ticket capability, as this requires
-//    a downgrade attack against TLS.
-//  - Anti-probing defence is provided, as the adversary must use the correct obfuscation
-//    shared secret to form valid obfuscation session ticket; otherwise server offers
-//    standard session tickets.
-//  - Limitation: TLS protocol and session ticket size correspond to golang implementation
-//    and not more common OpenSSL.
-//  - Limitation: an adversary with the obfuscation shared secret can decrypt the session
-//    ticket and observe the plaintext traffic. It's assumed that the adversary will not
-//    learn the obfuscated shared secret without also learning the address of the TLS
-//    server and blocking it anyway; it's also assumed that the TLS payload is not
-//    plaintext but is protected with some other security layer (e.g., SSH).
-//
-// Implementation notes:
-//   - Client should set its ClientSessionCache to a NewObfuscatedTLSClientSessionCache.
-//     This cache ignores the session key and always produces obfuscated session tickets.
-//   - The TLS ClientHello includes an SNI field, even when using session tickets, so
-//     the client should populate the ServerName.
-//   - Server should set its SetSessionTicketKeys with first a standard key, followed by
-//     the obfuscation shared secret.
-//   - Since the client creates the session ticket, it selects parameters that were not
-//     negotiated with the server, such as the cipher suite. It's implicitly assumed that
-//     the server can support the selected parameters.
-//
-func NewObfuscatedClientSessionCache(sharedSecret [32]byte) ClientSessionCache {
-	return &obfuscatedClientSessionCache{
-		sharedSecret: sharedSecret,
-		realTickets:  NewLRUClientSessionCache(-1),
-	}
-}
-
-type obfuscatedClientSessionCache struct {
-	sharedSecret [32]byte
-	realTickets  ClientSessionCache
-}
-
-func (cache *obfuscatedClientSessionCache) Put(key string, state *ClientSessionState) {
-	// When new, real session tickets are issued, use them.
-	cache.realTickets.Put(key, state)
-}
-
-func (cache *obfuscatedClientSessionCache) Get(key string) (*ClientSessionState, bool) {
-	clientSessionState, ok := cache.realTickets.Get(key)
-	if ok {
-		return clientSessionState, true
-	}
-	// Bootstrap with an obfuscated session ticket.
-	clientSessionState, err := NewObfuscatedClientSessionState(cache.sharedSecret)
-	if err != nil {
-		// TODO: log error
-		// This will fall back to regular TLS
-		return nil, false
-	}
-	return clientSessionState, true
-}
-
-func NewObfuscatedClientSessionState(sharedSecret [32]byte) (*ClientSessionState, error) {
-
-	// Create a session ticket that wasn't actually issued by the server.
-	vers := uint16(VersionTLS12)
-	cipherSuite := TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-	masterSecret := make([]byte, masterSecretLength)
-	_, err := rand.Read(masterSecret)
-	if err != nil {
-		return nil, err
-	}
-	serverState := &sessionState{
-		vers:         vers,
-		cipherSuite:  cipherSuite,
-		masterSecret: masterSecret,
-		certificates: nil,
-	}
-	c := &Conn{
-		config: &Config{
-			sessionTicketKeys: []ticketKey{ticketKeyFromBytes(sharedSecret)},
-		},
-	}
-	sessionTicket, err := c.encryptTicket(serverState)
-	if err != nil {
-		return nil, err
-	}
-
-	// Pretend we got that session ticket from the server.
-	clientState := &ClientSessionState{
-		sessionTicket: sessionTicket,
-		vers:          vers,
-		cipherSuite:   cipherSuite,
-		masterSecret:  masterSecret,
-	}
-
-	return clientState, nil
-}

vendor/github.com/Psiphon-Labs/utls/prf.go

@@ -1,370 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tls
-
-import (
-	"crypto"
-	"crypto/hmac"
-	"crypto/md5"
-	"crypto/sha1"
-	"crypto/sha256"
-	"crypto/sha512"
-	"errors"
-	"hash"
-)
-
-// Split a premaster secret in two as specified in RFC 4346, section 5.
-func splitPreMasterSecret(secret []byte) (s1, s2 []byte) {
-	s1 = secret[0 : (len(secret)+1)/2]
-	s2 = secret[len(secret)/2:]
-	return
-}
-
-// pHash implements the P_hash function, as defined in RFC 4346, section 5.
-func pHash(result, secret, seed []byte, hash func() hash.Hash) {
-	h := hmac.New(hash, secret)
-	h.Write(seed)
-	a := h.Sum(nil)
-
-	j := 0
-	for j < len(result) {
-		h.Reset()
-		h.Write(a)
-		h.Write(seed)
-		b := h.Sum(nil)
-		todo := len(b)
-		if j+todo > len(result) {
-			todo = len(result) - j
-		}
-		copy(result[j:j+todo], b)
-		j += todo
-
-		h.Reset()
-		h.Write(a)
-		a = h.Sum(nil)
-	}
-}
-
-// prf10 implements the TLS 1.0 pseudo-random function, as defined in RFC 2246, section 5.
-func prf10(result, secret, label, seed []byte) {
-	hashSHA1 := sha1.New
-	hashMD5 := md5.New
-
-	labelAndSeed := make([]byte, len(label)+len(seed))
-	copy(labelAndSeed, label)
-	copy(labelAndSeed[len(label):], seed)
-
-	s1, s2 := splitPreMasterSecret(secret)
-	pHash(result, s1, labelAndSeed, hashMD5)
-	result2 := make([]byte, len(result))
-	pHash(result2, s2, labelAndSeed, hashSHA1)
-
-	for i, b := range result2 {
-		result[i] ^= b
-	}
-}
-
-// prf12 implements the TLS 1.2 pseudo-random function, as defined in RFC 5246, section 5.
-func prf12(hashFunc func() hash.Hash) func(result, secret, label, seed []byte) {
-	return func(result, secret, label, seed []byte) {
-		labelAndSeed := make([]byte, len(label)+len(seed))
-		copy(labelAndSeed, label)
-		copy(labelAndSeed[len(label):], seed)
-
-		pHash(result, secret, labelAndSeed, hashFunc)
-	}
-}
-
-// prf30 implements the SSL 3.0 pseudo-random function, as defined in
-// www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 6.
-func prf30(result, secret, label, seed []byte) {
-	hashSHA1 := sha1.New()
-	hashMD5 := md5.New()
-
-	done := 0
-	i := 0
-	// RFC 5246 section 6.3 says that the largest PRF output needed is 128
-	// bytes. Since no more ciphersuites will be added to SSLv3, this will
-	// remain true. Each iteration gives us 16 bytes so 10 iterations will
-	// be sufficient.
-	var b [11]byte
-	for done < len(result) {
-		for j := 0; j <= i; j++ {
-			b[j] = 'A' + byte(i)
-		}
-
-		hashSHA1.Reset()
-		hashSHA1.Write(b[:i+1])
-		hashSHA1.Write(secret)
-		hashSHA1.Write(seed)
-		digest := hashSHA1.Sum(nil)
-
-		hashMD5.Reset()
-		hashMD5.Write(secret)
-		hashMD5.Write(digest)
-
-		done += copy(result[done:], hashMD5.Sum(nil))
-		i++
-	}
-}
-
-const (
-	tlsRandomLength      = 32 // Length of a random nonce in TLS 1.1.
-	masterSecretLength   = 48 // Length of a master secret in TLS 1.1.
-	finishedVerifyLength = 12 // Length of verify_data in a Finished message.
-)
-
-var masterSecretLabel = []byte("master secret")
-var keyExpansionLabel = []byte("key expansion")
-var clientFinishedLabel = []byte("client finished")
-var serverFinishedLabel = []byte("server finished")
-
-func prfAndHashForVersion(version uint16, suite *cipherSuite) (func(result, secret, label, seed []byte), crypto.Hash) {
-	switch version {
-	case VersionSSL30:
-		return prf30, crypto.Hash(0)
-	case VersionTLS10, VersionTLS11:
-		return prf10, crypto.Hash(0)
-	case VersionTLS12:
-		if suite.flags&suiteSHA384 != 0 {
-			return prf12(sha512.New384), crypto.SHA384
-		}
-		return prf12(sha256.New), crypto.SHA256
-	default:
-		panic("unknown version")
-	}
-}
-
-func prfForVersion(version uint16, suite *cipherSuite) func(result, secret, label, seed []byte) {
-	prf, _ := prfAndHashForVersion(version, suite)
-	return prf
-}
-
-// masterFromPreMasterSecret generates the master secret from the pre-master
-// secret. See http://tools.ietf.org/html/rfc5246#section-8.1
-func masterFromPreMasterSecret(version uint16, suite *cipherSuite, preMasterSecret, clientRandom, serverRandom []byte) []byte {
-	seed := make([]byte, 0, len(clientRandom)+len(serverRandom))
-	seed = append(seed, clientRandom...)
-	seed = append(seed, serverRandom...)
-
-	masterSecret := make([]byte, masterSecretLength)
-	prfForVersion(version, suite)(masterSecret, preMasterSecret, masterSecretLabel, seed)
-	return masterSecret
-}
-
-// keysFromMasterSecret generates the connection keys from the master
-// secret, given the lengths of the MAC key, cipher key and IV, as defined in
-// RFC 2246, section 6.3.
-func keysFromMasterSecret(version uint16, suite *cipherSuite, masterSecret, clientRandom, serverRandom []byte, macLen, keyLen, ivLen int) (clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV []byte) {
-	seed := make([]byte, 0, len(serverRandom)+len(clientRandom))
-	seed = append(seed, serverRandom...)
-	seed = append(seed, clientRandom...)
-
-	n := 2*macLen + 2*keyLen + 2*ivLen
-	keyMaterial := make([]byte, n)
-	prfForVersion(version, suite)(keyMaterial, masterSecret, keyExpansionLabel, seed)
-	clientMAC = keyMaterial[:macLen]
-	keyMaterial = keyMaterial[macLen:]
-	serverMAC = keyMaterial[:macLen]
-	keyMaterial = keyMaterial[macLen:]
-	clientKey = keyMaterial[:keyLen]
-	keyMaterial = keyMaterial[keyLen:]
-	serverKey = keyMaterial[:keyLen]
-	keyMaterial = keyMaterial[keyLen:]
-	clientIV = keyMaterial[:ivLen]
-	keyMaterial = keyMaterial[ivLen:]
-	serverIV = keyMaterial[:ivLen]
-	return
-}
-
-// lookupTLSHash looks up the corresponding crypto.Hash for a given
-// TLS hash identifier.
-func lookupTLSHash(hash uint8) (crypto.Hash, error) {
-	switch hash {
-	case hashSHA1:
-		return crypto.SHA1, nil
-	case hashSHA256:
-		return crypto.SHA256, nil
-	case hashSHA384:
-		return crypto.SHA384, nil
-	case disabledHashSHA512:
-		return crypto.SHA512, nil
-	default:
-		return 0, errors.New("tls: unsupported hash algorithm")
-	}
-}
-
-func newFinishedHash(version uint16, cipherSuite *cipherSuite) finishedHash {
-	var buffer []byte
-	if version == VersionSSL30 || version >= VersionTLS12 {
-		buffer = []byte{}
-	}
-
-	prf, hash := prfAndHashForVersion(version, cipherSuite)
-	if hash != 0 {
-		return finishedHash{hash.New(), hash.New(), nil, nil, buffer, version, prf}
-	}
-
-	return finishedHash{sha1.New(), sha1.New(), md5.New(), md5.New(), buffer, version, prf}
-}
-
-// A finishedHash calculates the hash of a set of handshake messages suitable
-// for including in a Finished message.
-type finishedHash struct {
-	client hash.Hash
-	server hash.Hash
-
-	// Prior to TLS 1.2, an additional MD5 hash is required.
-	clientMD5 hash.Hash
-	serverMD5 hash.Hash
-
-	// In TLS 1.2, a full buffer is sadly required.
-	buffer []byte
-
-	version uint16
-	prf     func(result, secret, label, seed []byte)
-}
-
-func (h *finishedHash) Write(msg []byte) (n int, err error) {
-	h.client.Write(msg)
-	h.server.Write(msg)
-
-	if h.version < VersionTLS12 {
-		h.clientMD5.Write(msg)
-		h.serverMD5.Write(msg)
-	}
-
-	if h.buffer != nil {
-		h.buffer = append(h.buffer, msg...)
-	}
-
-	return len(msg), nil
-}
-
-func (h finishedHash) Sum() []byte {
-	if h.version >= VersionTLS12 {
-		return h.client.Sum(nil)
-	}
-
-	out := make([]byte, 0, md5.Size+sha1.Size)
-	out = h.clientMD5.Sum(out)
-	return h.client.Sum(out)
-}
-
-// finishedSum30 calculates the contents of the verify_data member of a SSLv3
-// Finished message given the MD5 and SHA1 hashes of a set of handshake
-// messages.
-func finishedSum30(md5, sha1 hash.Hash, masterSecret []byte, magic []byte) []byte {
-	md5.Write(magic)
-	md5.Write(masterSecret)
-	md5.Write(ssl30Pad1[:])
-	md5Digest := md5.Sum(nil)
-
-	md5.Reset()
-	md5.Write(masterSecret)
-	md5.Write(ssl30Pad2[:])
-	md5.Write(md5Digest)
-	md5Digest = md5.Sum(nil)
-
-	sha1.Write(magic)
-	sha1.Write(masterSecret)
-	sha1.Write(ssl30Pad1[:40])
-	sha1Digest := sha1.Sum(nil)
-
-	sha1.Reset()
-	sha1.Write(masterSecret)
-	sha1.Write(ssl30Pad2[:40])
-	sha1.Write(sha1Digest)
-	sha1Digest = sha1.Sum(nil)
-
-	ret := make([]byte, len(md5Digest)+len(sha1Digest))
-	copy(ret, md5Digest)
-	copy(ret[len(md5Digest):], sha1Digest)
-	return ret
-}
-
-var ssl3ClientFinishedMagic = [4]byte{0x43, 0x4c, 0x4e, 0x54}
-var ssl3ServerFinishedMagic = [4]byte{0x53, 0x52, 0x56, 0x52}
-
-// clientSum returns the contents of the verify_data member of a client's
-// Finished message.
-func (h finishedHash) clientSum(masterSecret []byte) []byte {
-	if h.version == VersionSSL30 {
-		return finishedSum30(h.clientMD5, h.client, masterSecret, ssl3ClientFinishedMagic[:])
-	}
-
-	out := make([]byte, finishedVerifyLength)
-	h.prf(out, masterSecret, clientFinishedLabel, h.Sum())
-	return out
-}
-
-// serverSum returns the contents of the verify_data member of a server's
-// Finished message.
-func (h finishedHash) serverSum(masterSecret []byte) []byte {
-	if h.version == VersionSSL30 {
-		return finishedSum30(h.serverMD5, h.server, masterSecret, ssl3ServerFinishedMagic[:])
-	}
-
-	out := make([]byte, finishedVerifyLength)
-	h.prf(out, masterSecret, serverFinishedLabel, h.Sum())
-	return out
-}
-
-// selectClientCertSignatureAlgorithm returns a signatureAndHash to sign a
-// client's CertificateVerify with, or an error if none can be found.
-func (h finishedHash) selectClientCertSignatureAlgorithm(serverList []signatureAndHash, sigType uint8) (signatureAndHash, error) {
-	if h.version < VersionTLS12 {
-		// Nothing to negotiate before TLS 1.2.
-		return signatureAndHash{signature: sigType}, nil
-	}
-
-	for _, v := range serverList {
-		if v.signature == sigType && isSupportedSignatureAndHash(v, supportedSignatureAlgorithms) {
-			return v, nil
-		}
-	}
-	return signatureAndHash{}, errors.New("tls: no supported signature algorithm found for signing client certificate")
-}
-
-// hashForClientCertificate returns a digest, hash function, and TLS 1.2 hash
-// id suitable for signing by a TLS client certificate.
-func (h finishedHash) hashForClientCertificate(signatureAndHash signatureAndHash, masterSecret []byte) ([]byte, crypto.Hash, error) {
-	if (h.version == VersionSSL30 || h.version >= VersionTLS12) && h.buffer == nil {
-		panic("a handshake hash for a client-certificate was requested after discarding the handshake buffer")
-	}
-
-	if h.version == VersionSSL30 {
-		if signatureAndHash.signature != signatureRSA {
-			return nil, 0, errors.New("tls: unsupported signature type for client certificate")
-		}
-
-		md5Hash := md5.New()
-		md5Hash.Write(h.buffer)
-		sha1Hash := sha1.New()
-		sha1Hash.Write(h.buffer)
-		return finishedSum30(md5Hash, sha1Hash, masterSecret, nil), crypto.MD5SHA1, nil
-	}
-	if h.version >= VersionTLS12 {
-		hashAlg, err := lookupTLSHash(signatureAndHash.hash)
-		if err != nil {
-			return nil, 0, err
-		}
-		hash := hashAlg.New()
-		hash.Write(h.buffer)
-		return hash.Sum(nil), hashAlg, nil
-	}
-
-	if signatureAndHash.signature == signatureECDSA {
-		return h.server.Sum(nil), crypto.SHA1, nil
-	}
-
-	return h.Sum(), crypto.MD5SHA1, nil
-}
-
-// discardHandshakeBuffer is called when there is no more need to
-// buffer the entirety of the handshake messages.
-func (h *finishedHash) discardHandshakeBuffer() {
-	h.buffer = nil
-}

vendor/github.com/Psiphon-Labs/utls/ticket.go

@@ -1,227 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tls
-
-import (
-	"bytes"
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/hmac"
-	"crypto/sha256"
-	"crypto/subtle"
-	"errors"
-	"io"
-
-	// [Psiphon]
-	"crypto/rand"
-	"math/big"
-	math_rand "math/rand"
-)
-
-// [Psiphon]
-var obfuscateSessionTickets = true
-
-// sessionState contains the information that is serialized into a session
-// ticket in order to later resume a connection.
-type sessionState struct {
-	vers         uint16
-	cipherSuite  uint16
-	masterSecret []byte
-	certificates [][]byte
-	// usedOldKey is true if the ticket from which this session came from
-	// was encrypted with an older key and thus should be refreshed.
-	usedOldKey bool
-}
-
-func (s *sessionState) equal(i interface{}) bool {
-	s1, ok := i.(*sessionState)
-	if !ok {
-		return false
-	}
-
-	if s.vers != s1.vers ||
-		s.cipherSuite != s1.cipherSuite ||
-		!bytes.Equal(s.masterSecret, s1.masterSecret) {
-		return false
-	}
-
-	if len(s.certificates) != len(s1.certificates) {
-		return false
-	}
-
-	for i := range s.certificates {
-		if !bytes.Equal(s.certificates[i], s1.certificates[i]) {
-			return false
-		}
-	}
-
-	return true
-}
-
-func (s *sessionState) marshal() []byte {
-	length := 2 + 2 + 2 + len(s.masterSecret) + 2
-	for _, cert := range s.certificates {
-		length += 4 + len(cert)
-	}
-
-	// [Psiphon]
-	// Pad golang TLS session ticket to a more typical size.
-	if obfuscateSessionTickets {
-		paddedSizes := []int{160, 176, 192, 208, 218, 224, 240, 255}
-		initialSize := 120
-		randomInt, err := rand.Int(rand.Reader, big.NewInt(int64(len(paddedSizes))))
-		index := 0
-		if err == nil {
-			index = int(randomInt.Int64())
-		} else {
-			index = math_rand.Intn(len(paddedSizes))
-		}
-		paddingSize := paddedSizes[index] - initialSize
-		length += paddingSize
-	}
-
-	ret := make([]byte, length)
-	x := ret
-	x[0] = byte(s.vers >> 8)
-	x[1] = byte(s.vers)
-	x[2] = byte(s.cipherSuite >> 8)
-	x[3] = byte(s.cipherSuite)
-	x[4] = byte(len(s.masterSecret) >> 8)
-	x[5] = byte(len(s.masterSecret))
-	x = x[6:]
-	copy(x, s.masterSecret)
-	x = x[len(s.masterSecret):]
-
-	x[0] = byte(len(s.certificates) >> 8)
-	x[1] = byte(len(s.certificates))
-	x = x[2:]
-
-	for _, cert := range s.certificates {
-		x[0] = byte(len(cert) >> 24)
-		x[1] = byte(len(cert) >> 16)
-		x[2] = byte(len(cert) >> 8)
-		x[3] = byte(len(cert))
-		copy(x[4:], cert)
-		x = x[4+len(cert):]
-	}
-
-	return ret
-}
-
-func (s *sessionState) unmarshal(data []byte) bool {
-	if len(data) < 8 {
-		return false
-	}
-
-	s.vers = uint16(data[0])<<8 | uint16(data[1])
-	s.cipherSuite = uint16(data[2])<<8 | uint16(data[3])
-	masterSecretLen := int(data[4])<<8 | int(data[5])
-	data = data[6:]
-	if len(data) < masterSecretLen {
-		return false
-	}
-
-	s.masterSecret = data[:masterSecretLen]
-	data = data[masterSecretLen:]
-
-	if len(data) < 2 {
-		return false
-	}
-
-	numCerts := int(data[0])<<8 | int(data[1])
-	data = data[2:]
-
-	s.certificates = make([][]byte, numCerts)
-	for i := range s.certificates {
-		if len(data) < 4 {
-			return false
-		}
-		certLen := int(data[0])<<24 | int(data[1])<<16 | int(data[2])<<8 | int(data[3])
-		data = data[4:]
-		if certLen < 0 {
-			return false
-		}
-		if len(data) < certLen {
-			return false
-		}
-		s.certificates[i] = data[:certLen]
-		data = data[certLen:]
-	}
-
-	// [Psiphon]
-	// Ignore padding for obfuscated session tickets
-	//return len(data) == 0
-	return true
-}
-
-func (c *Conn) encryptTicket(state *sessionState) ([]byte, error) {
-	serialized := state.marshal()
-	encrypted := make([]byte, ticketKeyNameLen+aes.BlockSize+len(serialized)+sha256.Size)
-	keyName := encrypted[:ticketKeyNameLen]
-	iv := encrypted[ticketKeyNameLen : ticketKeyNameLen+aes.BlockSize]
-	macBytes := encrypted[len(encrypted)-sha256.Size:]
-
-	if _, err := io.ReadFull(c.config.rand(), iv); err != nil {
-		return nil, err
-	}
-	key := c.config.ticketKeys()[0]
-	copy(keyName, key.keyName[:])
-	block, err := aes.NewCipher(key.aesKey[:])
-	if err != nil {
-		return nil, errors.New("tls: failed to create cipher while encrypting ticket: " + err.Error())
-	}
-	cipher.NewCTR(block, iv).XORKeyStream(encrypted[ticketKeyNameLen+aes.BlockSize:], serialized)
-
-	mac := hmac.New(sha256.New, key.hmacKey[:])
-	mac.Write(encrypted[:len(encrypted)-sha256.Size])
-	mac.Sum(macBytes[:0])
-
-	return encrypted, nil
-}
-
-func (c *Conn) decryptTicket(encrypted []byte) (*sessionState, bool) {
-	if c.config.SessionTicketsDisabled ||
-		len(encrypted) < ticketKeyNameLen+aes.BlockSize+sha256.Size {
-		return nil, false
-	}
-
-	keyName := encrypted[:ticketKeyNameLen]
-	iv := encrypted[ticketKeyNameLen : ticketKeyNameLen+aes.BlockSize]
-	macBytes := encrypted[len(encrypted)-sha256.Size:]
-
-	keys := c.config.ticketKeys()
-	keyIndex := -1
-	for i, candidateKey := range keys {
-		if bytes.Equal(keyName, candidateKey.keyName[:]) {
-			keyIndex = i
-			break
-		}
-	}
-
-	if keyIndex == -1 {
-		return nil, false
-	}
-	key := &keys[keyIndex]
-
-	mac := hmac.New(sha256.New, key.hmacKey[:])
-	mac.Write(encrypted[:len(encrypted)-sha256.Size])
-	expected := mac.Sum(nil)
-
-	if subtle.ConstantTimeCompare(macBytes, expected) != 1 {
-		return nil, false
-	}
-
-	block, err := aes.NewCipher(key.aesKey[:])
-	if err != nil {
-		return nil, false
-	}
-	ciphertext := encrypted[ticketKeyNameLen+aes.BlockSize : len(encrypted)-sha256.Size]
-	plaintext := ciphertext
-	cipher.NewCTR(block, iv).XORKeyStream(plaintext, ciphertext)
-
-	state := &sessionState{usedOldKey: keyIndex > 0}
-	ok := state.unmarshal(plaintext)
-	return state, ok
-}

vendor/github.com/Psiphon-Labs/utls/tls.go

@@ -1,297 +0,0 @@
-// Copyright 2009 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package tls partially implements TLS 1.2, as specified in RFC 5246.
-package tls
-
-// BUG(agl): The crypto/tls package only implements some countermeasures
-// against Lucky13 attacks on CBC-mode encryption, and only on SHA1
-// variants. See http://www.isg.rhul.ac.uk/tls/TLStiming.pdf and
-// https://www.imperialviolet.org/2013/02/04/luckythirteen.html.
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"io/ioutil"
-	"net"
-	"strings"
-	"time"
-)
-
-// Server returns a new TLS server side connection
-// using conn as the underlying transport.
-// The configuration config must be non-nil and must include
-// at least one certificate or else set GetCertificate.
-func Server(conn net.Conn, config *Config) *Conn {
-	return &Conn{conn: conn, config: config}
-}
-
-// Client returns a new TLS client side connection
-// using conn as the underlying transport.
-// The config cannot be nil: users must set either ServerName or
-// InsecureSkipVerify in the config.
-func Client(conn net.Conn, config *Config) *Conn {
-	return &Conn{conn: conn, config: config, isClient: true}
-}
-
-// A listener implements a network listener (net.Listener) for TLS connections.
-type listener struct {
-	net.Listener
-	config *Config
-}
-
-// Accept waits for and returns the next incoming TLS connection.
-// The returned connection is of type *Conn.
-func (l *listener) Accept() (net.Conn, error) {
-	c, err := l.Listener.Accept()
-	if err != nil {
-		return nil, err
-	}
-	return Server(c, l.config), nil
-}
-
-// NewListener creates a Listener which accepts connections from an inner
-// Listener and wraps each connection with Server.
-// The configuration config must be non-nil and must include
-// at least one certificate or else set GetCertificate.
-func NewListener(inner net.Listener, config *Config) net.Listener {
-	l := new(listener)
-	l.Listener = inner
-	l.config = config
-	return l
-}
-
-// Listen creates a TLS listener accepting connections on the
-// given network address using net.Listen.
-// The configuration config must be non-nil and must include
-// at least one certificate or else set GetCertificate.
-func Listen(network, laddr string, config *Config) (net.Listener, error) {
-	if config == nil || (len(config.Certificates) == 0 && config.GetCertificate == nil) {
-		return nil, errors.New("tls: neither Certificates nor GetCertificate set in Config")
-	}
-	l, err := net.Listen(network, laddr)
-	if err != nil {
-		return nil, err
-	}
-	return NewListener(l, config), nil
-}
-
-type timeoutError struct{}
-
-func (timeoutError) Error() string   { return "tls: DialWithDialer timed out" }
-func (timeoutError) Timeout() bool   { return true }
-func (timeoutError) Temporary() bool { return true }
-
-// DialWithDialer connects to the given network address using dialer.Dial and
-// then initiates a TLS handshake, returning the resulting TLS connection. Any
-// timeout or deadline given in the dialer apply to connection and TLS
-// handshake as a whole.
-//
-// DialWithDialer interprets a nil configuration as equivalent to the zero
-// configuration; see the documentation of Config for the defaults.
-func DialWithDialer(dialer *net.Dialer, network, addr string, config *Config) (*Conn, error) {
-	// We want the Timeout and Deadline values from dialer to cover the
-	// whole process: TCP connection and TLS handshake. This means that we
-	// also need to start our own timers now.
-	timeout := dialer.Timeout
-
-	if !dialer.Deadline.IsZero() {
-		deadlineTimeout := time.Until(dialer.Deadline)
-		if timeout == 0 || deadlineTimeout < timeout {
-			timeout = deadlineTimeout
-		}
-	}
-
-	var errChannel chan error
-
-	if timeout != 0 {
-		errChannel = make(chan error, 2)
-		time.AfterFunc(timeout, func() {
-			errChannel <- timeoutError{}
-		})
-	}
-
-	rawConn, err := dialer.Dial(network, addr)
-	if err != nil {
-		return nil, err
-	}
-
-	colonPos := strings.LastIndex(addr, ":")
-	if colonPos == -1 {
-		colonPos = len(addr)
-	}
-	hostname := addr[:colonPos]
-
-	if config == nil {
-		config = defaultConfig()
-	}
-	// If no ServerName is set, infer the ServerName
-	// from the hostname we're connecting to.
-	if config.ServerName == "" {
-		// Make a copy to avoid polluting argument or default.
-		c := config.Clone()
-		c.ServerName = hostname
-		config = c
-	}
-
-	conn := Client(rawConn, config)
-
-	if timeout == 0 {
-		err = conn.Handshake()
-	} else {
-		go func() {
-			errChannel <- conn.Handshake()
-		}()
-
-		err = <-errChannel
-	}
-
-	if err != nil {
-		rawConn.Close()
-		return nil, err
-	}
-
-	return conn, nil
-}
-
-// Dial connects to the given network address using net.Dial
-// and then initiates a TLS handshake, returning the resulting
-// TLS connection.
-// Dial interprets a nil configuration as equivalent to
-// the zero configuration; see the documentation of Config
-// for the defaults.
-func Dial(network, addr string, config *Config) (*Conn, error) {
-	return DialWithDialer(new(net.Dialer), network, addr, config)
-}
-
-// LoadX509KeyPair reads and parses a public/private key pair from a pair
-// of files. The files must contain PEM encoded data. The certificate file
-// may contain intermediate certificates following the leaf certificate to
-// form a certificate chain. On successful return, Certificate.Leaf will
-// be nil because the parsed form of the certificate is not retained.
-func LoadX509KeyPair(certFile, keyFile string) (Certificate, error) {
-	certPEMBlock, err := ioutil.ReadFile(certFile)
-	if err != nil {
-		return Certificate{}, err
-	}
-	keyPEMBlock, err := ioutil.ReadFile(keyFile)
-	if err != nil {
-		return Certificate{}, err
-	}
-	return X509KeyPair(certPEMBlock, keyPEMBlock)
-}
-
-// X509KeyPair parses a public/private key pair from a pair of
-// PEM encoded data. On successful return, Certificate.Leaf will be nil because
-// the parsed form of the certificate is not retained.
-func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
-	fail := func(err error) (Certificate, error) { return Certificate{}, err }
-
-	var cert Certificate
-	var skippedBlockTypes []string
-	for {
-		var certDERBlock *pem.Block
-		certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)
-		if certDERBlock == nil {
-			break
-		}
-		if certDERBlock.Type == "CERTIFICATE" {
-			cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
-		} else {
-			skippedBlockTypes = append(skippedBlockTypes, certDERBlock.Type)
-		}
-	}
-
-	if len(cert.Certificate) == 0 {
-		if len(skippedBlockTypes) == 0 {
-			return fail(errors.New("tls: failed to find any PEM data in certificate input"))
-		}
-		if len(skippedBlockTypes) == 1 && strings.HasSuffix(skippedBlockTypes[0], "PRIVATE KEY") {
-			return fail(errors.New("tls: failed to find certificate PEM data in certificate input, but did find a private key; PEM inputs may have been switched"))
-		}
-		return fail(fmt.Errorf("tls: failed to find \"CERTIFICATE\" PEM block in certificate input after skipping PEM blocks of the following types: %v", skippedBlockTypes))
-	}
-
-	skippedBlockTypes = skippedBlockTypes[:0]
-	var keyDERBlock *pem.Block
-	for {
-		keyDERBlock, keyPEMBlock = pem.Decode(keyPEMBlock)
-		if keyDERBlock == nil {
-			if len(skippedBlockTypes) == 0 {
-				return fail(errors.New("tls: failed to find any PEM data in key input"))
-			}
-			if len(skippedBlockTypes) == 1 && skippedBlockTypes[0] == "CERTIFICATE" {
-				return fail(errors.New("tls: found a certificate rather than a key in the PEM for the private key"))
-			}
-			return fail(fmt.Errorf("tls: failed to find PEM block with type ending in \"PRIVATE KEY\" in key input after skipping PEM blocks of the following types: %v", skippedBlockTypes))
-		}
-		if keyDERBlock.Type == "PRIVATE KEY" || strings.HasSuffix(keyDERBlock.Type, " PRIVATE KEY") {
-			break
-		}
-		skippedBlockTypes = append(skippedBlockTypes, keyDERBlock.Type)
-	}
-
-	var err error
-	cert.PrivateKey, err = parsePrivateKey(keyDERBlock.Bytes)
-	if err != nil {
-		return fail(err)
-	}
-
-	// We don't need to parse the public key for TLS, but we so do anyway
-	// to check that it looks sane and matches the private key.
-	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
-	if err != nil {
-		return fail(err)
-	}
-
-	switch pub := x509Cert.PublicKey.(type) {
-	case *rsa.PublicKey:
-		priv, ok := cert.PrivateKey.(*rsa.PrivateKey)
-		if !ok {
-			return fail(errors.New("tls: private key type does not match public key type"))
-		}
-		if pub.N.Cmp(priv.N) != 0 {
-			return fail(errors.New("tls: private key does not match public key"))
-		}
-	case *ecdsa.PublicKey:
-		priv, ok := cert.PrivateKey.(*ecdsa.PrivateKey)
-		if !ok {
-			return fail(errors.New("tls: private key type does not match public key type"))
-		}
-		if pub.X.Cmp(priv.X) != 0 || pub.Y.Cmp(priv.Y) != 0 {
-			return fail(errors.New("tls: private key does not match public key"))
-		}
-	default:
-		return fail(errors.New("tls: unknown public key algorithm"))
-	}
-
-	return cert, nil
-}
-
-// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
-// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
-// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
-func parsePrivateKey(der []byte) (crypto.PrivateKey, error) {
-	if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
-		return key, nil
-	}
-	if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
-		switch key := key.(type) {
-		case *rsa.PrivateKey, *ecdsa.PrivateKey:
-			return key, nil
-		default:
-			return nil, errors.New("tls: found unknown private key type in PKCS#8 wrapping")
-		}
-	}
-	if key, err := x509.ParseECPrivateKey(der); err == nil {
-		return key, nil
-	}
-
-	return nil, errors.New("tls: failed to parse private key")
-}

vendor/github.com/Psiphon-Labs/utls/u_common.go

@@ -1,143 +0,0 @@
-// Copyright 2017 Google Inc. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tls
-
-import (
-	"crypto/hmac"
-	"crypto/sha512"
-	"fmt"
-)
-
-// Naming convention:
-// Unsupported things are prefixed with "Fake"
-// Things, supported by utls, but not crypto/tls' are prefixed with "utls"
-// Supported things, that have changed their ID are prefixed with "Old"
-// Supported but disabled things are prefixed with "Disabled". We will _enable_ them.
-const (
-	utlsExtensionPadding              uint16 = 21
-	utlsExtensionExtendedMasterSecret uint16 = 23 // https://tools.ietf.org/html/rfc7627
-
-	// extensions with 'fake' prefix break connection, if server echoes them back
-	fakeExtensionChannelID uint16 = 30032 // not IANA assigned
-)
-
-const (
-	OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   = uint16(0xcc13)
-	OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = uint16(0xcc14)
-
-	DISABLED_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = uint16(0xc024)
-	DISABLED_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   = uint16(0xc028)
-	DISABLED_TLS_RSA_WITH_AES_256_CBC_SHA256         = uint16(0x003d)
-
-	FAKE_OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = uint16(0xcc15) // we can try to craft these ciphersuites
-	FAKE_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256           = uint16(0x009e) // from existing pieces, if needed
-
-	FAKE_TLS_DHE_RSA_WITH_AES_128_CBC_SHA  = uint16(0x0033)
-	FAKE_TLS_DHE_RSA_WITH_AES_256_CBC_SHA  = uint16(0x0039)
-	FAKE_TLS_RSA_WITH_RC4_128_MD5          = uint16(0x0004)
-	FAKE_TLS_EMPTY_RENEGOTIATION_INFO_SCSV = uint16(0x00ff)
-)
-
-// newest signatures
-var (
-	fakeRsaPssSha256 = SignatureAndHash{0x08, 0x04} // also declared in common.go as type SignatureScheme,
-	fakeRsaPssSha384 = SignatureAndHash{0x08, 0x05} // but not used by default and not implemented
-	fakeRsaPssSha512 = SignatureAndHash{0x08, 0x06}
-	// fakeEd25519 = SignatureAndHash{0x08, 0x07}
-	// fakeEd448 = SignatureAndHash{0x08, 0x08}
-)
-
-// IDs of hash functions in signatures
-const (
-	disabledHashSHA512 uint8 = 6 // Supported, but disabled by default. Will be enabled, as needed
-	fakeHashSHA224     uint8 = 3 // Supported, but we won't enable it: sounds esoteric and fishy
-)
-
-type ClientHelloID struct {
-	Browser string
-	Version uint16
-	// TODO: consider adding OS?
-}
-
-func (p *ClientHelloID) Str() string {
-	return fmt.Sprintf("%s-%d", p.Browser, p.Version)
-}
-
-const (
-	helloGolang     = "Golang"
-	helloRandomized = "Randomized"
-	helloCustom     = "Custom"
-	helloFirefox    = "Firefox"
-	helloChrome     = "Chrome"
-	helloAndroid    = "Android"
-	helloiOSSafari  = "iOSSafari"
-)
-
-const (
-	helloAutoVers = iota
-	helloRandomizedALPN
-	helloRandomizedNoALPN
-)
-
-var (
-	// HelloGolang will use default "crypto/tls" handshake marshaling codepath, which WILL
-	// overwrite your changes to Hello(Config, Session are fine).
-	// You might want to call BuildHandshakeState() before applying any changes.
-	// UConn.Extensions will be completely ignored.
-	HelloGolang ClientHelloID = ClientHelloID{helloGolang, helloAutoVers}
-
-	// HelloCustom will prepare ClientHello with empty uconn.Extensions so you can fill it with TLSExtension's manually
-	HelloCustom ClientHelloID = ClientHelloID{helloCustom, helloAutoVers}
-
-	// HelloRandomized* randomly adds/reorders extensions, ciphersuites, etc.
-	HelloRandomized       ClientHelloID = ClientHelloID{helloRandomized, helloAutoVers}
-	HelloRandomizedALPN   ClientHelloID = ClientHelloID{helloRandomized, helloRandomizedALPN}
-	HelloRandomizedNoALPN ClientHelloID = ClientHelloID{helloRandomized, helloRandomizedNoALPN}
-
-	// The rest will will parrot given browser.
-	HelloFirefox_Auto ClientHelloID = ClientHelloID{helloFirefox, helloAutoVers}
-	HelloFirefox_55                 = ClientHelloID{helloFirefox, 55}
-	HelloFirefox_56                 = ClientHelloID{helloFirefox, 56}
-
-	HelloChrome_Auto ClientHelloID = ClientHelloID{helloChrome, helloAutoVers}
-	HelloChrome_57   ClientHelloID = ClientHelloID{helloChrome, 57}
-	HelloChrome_58   ClientHelloID = ClientHelloID{helloChrome, 58}
-	HelloChrome_62   ClientHelloID = ClientHelloID{helloChrome, 62}
-
-	HelloAndroid_Auto        ClientHelloID = ClientHelloID{helloAndroid, helloAutoVers}
-	HelloAndroid_6_0_Browser ClientHelloID = ClientHelloID{helloAndroid, 23}
-	HelloAndroid_5_1_Browser ClientHelloID = ClientHelloID{helloAndroid, 22}
-
-	HelloiOSSafari_11_3_1 ClientHelloID = ClientHelloID{helloiOSSafari, 1131}
-)
-
-// utlsMacSHA384 returns a SHA-384.
-func utlsMacSHA384(version uint16, key []byte) macFunction {
-	return tls10MAC{hmac.New(sha512.New384, key)}
-}
-
-var utlsSupportedSignatureAlgorithms []signatureAndHash
-var utlsSupportedCipherSuites []*cipherSuite
-
-func init() {
-	utlsSupportedSignatureAlgorithms = append(supportedSignatureAlgorithms,
-		[]signatureAndHash{{disabledHashSHA512, signatureRSA}, {disabledHashSHA512, signatureECDSA}}...)
-
-	utlsSupportedCipherSuites = append(cipherSuites, []*cipherSuite{
-		{OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 12, ecdheRSAKA,
-			suiteECDHE | suiteTLS12 | suiteDefaultOff, nil, nil, aeadChaCha20Poly1305},
-		{OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 12, ecdheECDSAKA,
-			suiteECDHE | suiteECDSA | suiteTLS12 | suiteDefaultOff, nil, nil, aeadChaCha20Poly1305},
-
-		// The following weak ciphersuites are enabled for maximum compatibility,
-		// given that we establish secure connections within the utls connection.
-		{DISABLED_TLS_RSA_WITH_AES_256_CBC_SHA256, 32, 32, 16, rsaKA,
-			suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
-		{DISABLED_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 32, 48, 16, ecdheECDSAKA,
-			suiteECDHE | suiteECDSA | suiteTLS12 | suiteDefaultOff | suiteSHA384, cipherAES, utlsMacSHA384, nil},
-		{DISABLED_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 32, 48, 16, ecdheRSAKA,
-			suiteECDHE | suiteTLS12 | suiteDefaultOff | suiteSHA384, cipherAES, utlsMacSHA384, nil},
-	}...)
-}

vendor/github.com/Psiphon-Labs/utls/u_conn.go

@@ -1,484 +0,0 @@
-// Copyright 2017 Google Inc. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tls
-
-import (
-	"bufio"
-	"bytes"
-	"crypto/cipher"
-	"encoding/binary"
-	"errors"
-	"io"
-	"net"
-	"strconv"
-	"sync"
-	"sync/atomic"
-
-	// [Psiphon]
-	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/prng"
-)
-
-type UConn struct {
-	*Conn
-
-	Extensions    []TLSExtension
-	clientHelloID ClientHelloID
-
-	HandshakeState ClientHandshakeState
-
-	HandshakeStateBuilt bool
-
-	// IncludeEmptySNI indicates to include an SNI extension when the
-	// ServerName is "". This is non-standard behavior. Common TLS
-	// implementations (Go, BoringSSL, etc.) omit the SNI extention in
-	// this case.
-	//
-	// One concrete instance is when the remote host name is an IP address;
-	// https://tools.ietf.org/html/rfc6066#section-3 prohibits an SNI with an
-	// IP address.
-	//
-	// Go's hostnameInSNI sets the ServerName to "":
-	// https://github.com/golang/go/blob/release-branch.go1.9/src/crypto/tls/handshake_client.go#L804
-	//
-	// And then omits the SNI extension:
-	// https://github.com/golang/go/blob/release-branch.go1.9/src/crypto/tls/handshake_messages.go#L150
-	//
-	// IncludeEmptySNI is set to true for test runs, as test data expects
-	// empty SNI extensions.
-	IncludeEmptySNI bool
-
-	// [Psiphon]
-	// Seeded PRNG allows for optional replay of same randomized Client Hello.
-	clientHelloPRNGSeed *prng.Seed
-}
-
-// UClient returns a new uTLS client, with behavior depending on clientHelloID.
-// Config CAN be nil, but make sure to eventually specify ServerName.
-func UClient(conn net.Conn, config *Config, clientHelloID ClientHelloID, clientHelloPRNGSeed *prng.Seed) *UConn {
-	if config == nil {
-		config = &Config{}
-	}
-	tlsConn := Conn{conn: conn, config: config, isClient: true}
-	handshakeState := ClientHandshakeState{C: &tlsConn, Hello: &ClientHelloMsg{}}
-	uconn := UConn{Conn: &tlsConn, clientHelloID: clientHelloID, HandshakeState: handshakeState, clientHelloPRNGSeed: clientHelloPRNGSeed}
-	return &uconn
-}
-
-// BuildHandshakeState() overwrites most fields, therefore, it is advised to manually call this function,
-// if you need to inspect/change contents after parroting/making default Golang ClientHello.
-// Otherwise, there is no need to call this function explicitly.
-func (uconn *UConn) BuildHandshakeState() error {
-	if uconn.clientHelloID == HelloGolang {
-		// use default Golang ClientHello.
-		hello, err := makeClientHello(uconn.config)
-		if uconn.HandshakeState.Session != nil {
-			// session is lost at makeClientHello(), let's reapply
-			uconn.SetSessionState(uconn.HandshakeState.Session)
-		}
-		if err != nil {
-			return err
-		}
-		uconn.HandshakeState.Hello = hello.getPublicPtr()
-	} else {
-		err := uconn.generateClientHelloConfig(uconn.clientHelloID)
-		if err != nil {
-			return err
-		}
-		err = uconn.ApplyConfig()
-		if err != nil {
-			return err
-		}
-		err = uconn.MarshalClientHello()
-		if err != nil {
-			return err
-		}
-	}
-	uconn.HandshakeStateBuilt = true
-	return nil
-}
-
-// If you want you session tickets to be reused - use same cache on following connections
-func (uconn *UConn) SetSessionState(session *ClientSessionState) {
-	uconn.HandshakeState.Session = session
-	if session != nil {
-		uconn.HandshakeState.Hello.SessionTicket = session.sessionTicket
-	}
-	uconn.HandshakeState.Hello.TicketSupported = true
-	for _, ext := range uconn.Extensions {
-		st, ok := ext.(*SessionTicketExtension)
-		if ok {
-			st.Session = session
-		}
-	}
-}
-
-// If you want you session tickets to be reused - use same cache on following connections
-func (uconn *UConn) SetSessionCache(cache ClientSessionCache) {
-	uconn.config.ClientSessionCache = cache
-	uconn.HandshakeState.Hello.TicketSupported = true
-}
-
-// r has to be 32 bytes long
-func (uconn *UConn) SetClientRandom(r []byte) error {
-	if len(r) != 32 {
-		return errors.New("Incorrect client random length! Expected: 32, got: " + strconv.Itoa(len(r)))
-	} else {
-		uconn.HandshakeState.Hello.Random = make([]byte, 32)
-		copy(uconn.HandshakeState.Hello.Random, r)
-		return nil
-	}
-}
-
-func (uconn *UConn) SetSNI(sni string) {
-	hname := hostnameInSNI(sni)
-	uconn.config.ServerName = hname
-	for _, ext := range uconn.Extensions {
-		sniExt, ok := ext.(*SNIExtension)
-		if ok {
-			sniExt.ServerName = hname
-		}
-	}
-}
-
-// Handshake runs the client handshake using given clientHandshakeState
-// Requires hs.hello, and, optionally, hs.session to be set.
-func (c *UConn) Handshake() error {
-	// This code was copied almost as is from tls/conn.go
-	// c.handshakeErr and c.handshakeComplete are protected by
-	// c.handshakeMutex. In order to perform a handshake, we need to lock
-	// c.in also and c.handshakeMutex must be locked after c.in.
-	//
-	// However, if a Read() operation is hanging then it'll be holding the
-	// lock on c.in and so taking it here would cause all operations that
-	// need to check whether a handshake is pending (such as Write) to
-	// block.
-	//
-	// Thus we first take c.handshakeMutex to check whether a handshake is
-	// needed.
-	//
-	// If so then, previously, this code would unlock handshakeMutex and
-	// then lock c.in and handshakeMutex in the correct order to run the
-	// handshake. The problem was that it was possible for a Read to
-	// complete the handshake once handshakeMutex was unlocked and then
-	// keep c.in while waiting for network data. Thus a concurrent
-	// operation could be blocked on c.in.
-	//
-	// Thus handshakeCond is used to signal that a goroutine is committed
-	// to running the handshake and other goroutines can wait on it if they
-	// need. handshakeCond is protected by handshakeMutex.
-	c.handshakeMutex.Lock()
-	defer c.handshakeMutex.Unlock()
-
-	for {
-		if err := c.handshakeErr; err != nil {
-			return err
-		}
-		if c.handshakeComplete {
-			return nil
-		}
-		if c.handshakeCond == nil {
-			break
-		}
-
-		c.handshakeCond.Wait()
-	}
-
-	// Set handshakeCond to indicate that this goroutine is committing to
-	// running the handshake.
-	c.handshakeCond = sync.NewCond(&c.handshakeMutex)
-	c.handshakeMutex.Unlock()
-
-	c.in.Lock()
-	defer c.in.Unlock()
-
-	c.handshakeMutex.Lock()
-
-	// The handshake cannot have completed when handshakeMutex was unlocked
-	// because this goroutine set handshakeCond.
-	if c.handshakeErr != nil || c.handshakeComplete {
-		panic("handshake should not have been able to complete after handshakeCond was set")
-	}
-
-	if !c.isClient {
-		panic("Servers should not call ClientHandshakeWithState()")
-	}
-
-	if !c.HandshakeStateBuilt {
-		err := c.BuildHandshakeState()
-		if err != nil {
-			return err
-		}
-	}
-
-	privateState := c.HandshakeState.getPrivatePtr()
-	c.handshakeErr = c.clientHandshakeWithState(privateState)
-	c.HandshakeState = *privateState.getPublicPtr()
-
-	if c.handshakeErr == nil {
-		c.handshakes++
-	} else {
-		// If an error occurred during the hadshake try to flush the
-		// alert that might be left in the buffer.
-		c.flush()
-	}
-
-	if c.handshakeErr == nil && !c.handshakeComplete {
-		panic("handshake should have had a result.")
-	}
-
-	// Wake any other goroutines that are waiting for this handshake to complete.
-	c.handshakeCond.Broadcast()
-	c.handshakeCond = nil
-
-	return c.handshakeErr
-}
-
-// Copy-pasted from tls.Conn in its entirety. But c.Handshake() is now utls' one, not tls.
-// Write writes data to the connection.
-func (c *UConn) Write(b []byte) (int, error) {
-	// interlock with Close below
-	for {
-		x := atomic.LoadInt32(&c.activeCall)
-		if x&1 != 0 {
-			return 0, errClosed
-		}
-		if atomic.CompareAndSwapInt32(&c.activeCall, x, x+2) {
-			defer atomic.AddInt32(&c.activeCall, -2)
-			break
-		}
-	}
-
-	if err := c.Handshake(); err != nil {
-		return 0, err
-	}
-
-	c.out.Lock()
-	defer c.out.Unlock()
-
-	if err := c.out.err; err != nil {
-		return 0, err
-	}
-
-	if !c.handshakeComplete {
-		return 0, alertInternalError
-	}
-
-	if c.closeNotifySent {
-		return 0, errShutdown
-	}
-
-	// SSL 3.0 and TLS 1.0 are susceptible to a chosen-plaintext
-	// attack when using block mode ciphers due to predictable IVs.
-	// This can be prevented by splitting each Application Data
-	// record into two records, effectively randomizing the IV.
-	//
-	// http://www.openssl.org/~bodo/tls-cbc.txt
-	// https://bugzilla.mozilla.org/show_bug.cgi?id=665814
-	// http://www.imperialviolet.org/2012/01/15/beastfollowup.html
-
-	var m int
-	if len(b) > 1 && c.vers <= VersionTLS10 {
-		if _, ok := c.out.cipher.(cipher.BlockMode); ok {
-			n, err := c.writeRecordLocked(recordTypeApplicationData, b[:1])
-			if err != nil {
-				return n, c.out.setErrorLocked(err)
-			}
-			m, b = 1, b[1:]
-		}
-	}
-
-	n, err := c.writeRecordLocked(recordTypeApplicationData, b)
-	return n + m, c.out.setErrorLocked(err)
-}
-
-// c.out.Mutex <= L; c.handshakeMutex <= L.
-func (c *UConn) clientHandshakeWithState(hs *clientHandshakeState) error {
-	// This code was copied almost as is from tls/handshake_client.go
-	if c.config == nil {
-		c.config = &Config{}
-	}
-
-	// This may be a renegotiation handshake, in which case some fields
-	// need to be reset.
-	c.didResume = false
-
-	if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {
-		return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
-	}
-
-	nextProtosLength := 0
-	for _, proto := range c.config.NextProtos {
-		if l := len(proto); l == 0 || l > 255 {
-			return errors.New("tls: invalid NextProtos value")
-		} else {
-			nextProtosLength += 1 + l
-		}
-	}
-	if nextProtosLength > 0xffff {
-		return errors.New("tls: NextProtos values too large")
-	}
-
-	var session *ClientSessionState
-	sessionCache := c.config.ClientSessionCache
-	cacheKey := clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
-
-	// If sessionCache is set but session itself isn't - try to retrieve session from cache
-	if sessionCache != nil && hs.session == nil {
-		hs.hello.ticketSupported = true
-		// Session resumption is not allowed if renegotiating because
-		// renegotiation is primarily used to allow a client to send a client
-		// certificate, which would be skipped if session resumption occurred.
-		if c.handshakes == 0 {
-			// Try to resume a previously negotiated TLS session, if
-			// available.
-			candidateSession, ok := sessionCache.Get(cacheKey)
-			if ok {
-				// Check that the ciphersuite/version used for the
-				// previous session are still valid.
-				cipherSuiteOk := false
-				for _, id := range hs.hello.cipherSuites {
-					if id == candidateSession.cipherSuite {
-						cipherSuiteOk = true
-						break
-					}
-				}
-
-				versOk := candidateSession.vers >= c.config.minVersion() &&
-					candidateSession.vers <= c.config.maxVersion()
-				if versOk && cipherSuiteOk {
-					session = candidateSession
-				}
-				if session != nil {
-					hs.hello.sessionTicket = session.sessionTicket
-					// A random session ID is used to detect when the
-					// server accepted the ticket and is resuming a session
-					// (see RFC 5077).
-					hs.hello.sessionId = make([]byte, 16)
-					if _, err := io.ReadFull(c.config.rand(), hs.hello.sessionId); err != nil {
-						return errors.New("tls: short read from Rand: " + err.Error())
-					}
-				}
-				hs.session = session
-			}
-		}
-	}
-
-	if err := hs.handshake(); err != nil {
-		return err
-	}
-	// If we had a successful handshake and hs.session is different from the one already cached - cache a new one
-	if sessionCache != nil && hs.session != nil && hs.session != session {
-		sessionCache.Put(cacheKey, hs.session)
-	}
-	return nil
-}
-
-func (uconn *UConn) ApplyConfig() error {
-	for _, ext := range uconn.Extensions {
-		err := ext.writeToUConn(uconn)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (uconn *UConn) MarshalClientHello() error {
-	hello := uconn.HandshakeState.Hello
-	headerLength := 2 + 32 + 1 + len(hello.SessionId) +
-		2 + len(hello.CipherSuites)*2 +
-		1 + len(hello.CompressionMethods)
-
-	extensions := make([]TLSExtension, 0, len(uconn.Extensions))
-	for _, ext := range uconn.Extensions {
-		if SNI, ok := ext.(*SNIExtension); !ok ||
-			len(SNI.ServerName) > 0 ||
-			uconn.IncludeEmptySNI {
-
-			extensions = append(extensions, ext)
-		}
-	}
-
-	extensionsLen := 0
-	var paddingExt *utlsPaddingExtension
-	for _, ext := range extensions {
-		if pe, ok := ext.(*utlsPaddingExtension); !ok {
-			// If not padding - just add length of extension to total length
-			extensionsLen += ext.Len()
-		} else {
-			// If padding - process it later
-			if paddingExt == nil {
-				paddingExt = pe
-			} else {
-				return errors.New("Multiple padding extensions!")
-			}
-		}
-	}
-
-	if paddingExt != nil {
-		// determine padding extension presence and length
-		paddingExt.Update(headerLength + 4 + extensionsLen + 2)
-		extensionsLen += paddingExt.Len()
-	}
-
-	helloLen := headerLength
-	if len(extensions) > 0 {
-		helloLen += 2 + extensionsLen // 2 bytes for extensions' length
-	}
-
-	helloBuffer := bytes.Buffer{}
-	bufferedWriter := bufio.NewWriterSize(&helloBuffer, helloLen+4) // 1 byte for tls record type, 3 for length
-	// We use buffered Writer to avoid checking write errors after every Write(): whenever first error happens
-	// Write() will become noop, and error will be accessible via Flush(), which is called once in the end
-
-	binary.Write(bufferedWriter, binary.BigEndian, typeClientHello)
-	helloLenBytes := []byte{byte(helloLen >> 16), byte(helloLen >> 8), byte(helloLen)} // poor man's uint24
-	binary.Write(bufferedWriter, binary.BigEndian, helloLenBytes)
-	binary.Write(bufferedWriter, binary.BigEndian, hello.Vers)
-
-	binary.Write(bufferedWriter, binary.BigEndian, hello.Random)
-
-	binary.Write(bufferedWriter, binary.BigEndian, uint8(len(hello.SessionId)))
-	binary.Write(bufferedWriter, binary.BigEndian, hello.SessionId)
-
-	binary.Write(bufferedWriter, binary.BigEndian, uint16(len(hello.CipherSuites)<<1))
-	for _, suite := range hello.CipherSuites {
-		binary.Write(bufferedWriter, binary.BigEndian, suite)
-	}
-
-	binary.Write(bufferedWriter, binary.BigEndian, uint8(len(hello.CompressionMethods)))
-	binary.Write(bufferedWriter, binary.BigEndian, hello.CompressionMethods)
-
-	if len(extensions) > 0 {
-		binary.Write(bufferedWriter, binary.BigEndian, uint16(extensionsLen))
-		for _, ext := range extensions {
-			bufferedWriter.ReadFrom(ext)
-		}
-	}
-
-	if helloBuffer.Len() != 4+helloLen {
-		return errors.New("utls: unexpected ClientHello length. Expected: " + strconv.Itoa(4+helloLen) +
-			". Got: " + strconv.Itoa(helloBuffer.Len()))
-	}
-
-	err := bufferedWriter.Flush()
-	if err != nil {
-		return err
-	}
-
-	hello.Raw = helloBuffer.Bytes()
-	return nil
-}
-
-// get current state of cipher and encrypt zeros to get keystream
-func (uconn *UConn) GetOutKeystream(length int) ([]byte, error) {
-	zeros := make([]byte, length)
-
-	if outCipher, ok := uconn.out.cipher.(cipher.AEAD); ok {
-		// AEAD.Seal() does not mutate internal state, other ciphers might
-		return outCipher.Seal(nil, uconn.out.seq[:], zeros, nil), nil
-	}
-	return nil, errors.New("Could not convert OutCipher to cipher.AEAD")
-}

vendor/github.com/Psiphon-Labs/utls/u_parrots.go

@@ -1,712 +0,0 @@
-// Copyright 2017 Google Inc. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tls
-
-import (
-	"crypto/sha256"
-	"errors"
-	"io"
-	"sort"
-	"strconv"
-
-	// [Psiphon]
-	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common/prng"
-)
-
-func (uconn *UConn) generateClientHelloConfig(id ClientHelloID) error {
-	uconn.clientHelloID = id
-	switch uconn.clientHelloID {
-	case HelloFirefox_56:
-		fallthrough
-	case HelloFirefox_55:
-		return uconn.parrotFirefox_55()
-
-	case HelloAndroid_6_0_Browser:
-		return uconn.parrotAndroid_6_0()
-	case HelloAndroid_5_1_Browser:
-		return uconn.parrotAndroid_5_1()
-
-	case HelloChrome_62:
-		fallthrough
-	case HelloChrome_58:
-		return uconn.parrotChrome_5x(false)
-	case HelloChrome_57:
-		return uconn.parrotChrome_5x(true)
-
-	case HelloiOSSafari_11_3_1:
-		return uconn.parrotiOSSafari_11_3_1()
-
-	case HelloRandomizedALPN:
-		return uconn.parrotRandomizedALPN()
-	case HelloRandomizedNoALPN:
-		return uconn.parrotRandomizedNoALPN()
-
-	case HelloCustom:
-		return uconn.parrotCustom()
-
-	// following ClientHello's are aliases, so we call generateClientHelloConfig() again to set the correct id
-	case HelloRandomized:
-		if prng.FlipCoin() {
-			return uconn.generateClientHelloConfig(HelloRandomizedALPN)
-		} else {
-			return uconn.generateClientHelloConfig(HelloRandomizedNoALPN)
-		}
-	case HelloAndroid_Auto:
-		return uconn.generateClientHelloConfig(HelloAndroid_6_0_Browser)
-	case HelloFirefox_Auto:
-		return uconn.generateClientHelloConfig(HelloFirefox_56)
-	case HelloChrome_Auto:
-		return uconn.generateClientHelloConfig(HelloChrome_62)
-
-	default:
-		return errors.New("Unknown ParrotID: " + id.Str())
-	}
-}
-
-// Fills clientHello header(everything but extensions) fields, which are not set explicitly yet, with defaults
-func (uconn *UConn) fillClientHelloHeader() error {
-	hello := uconn.HandshakeState.Hello
-	if hello.Vers == 0 {
-		hello.Vers = VersionTLS12
-	}
-	switch len(hello.Random) {
-	case 0:
-		hello.Random = make([]byte, 32)
-		_, err := io.ReadFull(uconn.config.rand(), hello.Random)
-		if err != nil {
-			return errors.New("tls: short read from Rand: " + err.Error())
-		}
-	case 32:
-		// carry on
-	default:
-		return errors.New("ClientHello expected length: 32 bytes. Got: " +
-			strconv.Itoa(len(hello.Random)) + " bytes")
-	}
-	if len(hello.CipherSuites) == 0 {
-		hello.CipherSuites = defaultCipherSuites()
-	}
-	if len(hello.CompressionMethods) == 0 {
-		hello.CompressionMethods = []uint8{compressionNone}
-	}
-	return nil
-}
-
-func (uconn *UConn) parrotFirefox_55() error {
-	hello := uconn.HandshakeState.Hello
-	session := uconn.HandshakeState.Session
-	hello.CipherSuites = []uint16{
-		TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-		TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-		TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-		TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-		TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-		TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-		TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-		FAKE_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-		FAKE_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-		TLS_RSA_WITH_AES_128_CBC_SHA,
-		TLS_RSA_WITH_AES_256_CBC_SHA,
-		TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-	}
-	err := uconn.fillClientHelloHeader()
-	if err != nil {
-		return err
-	}
-
-	sni := SNIExtension{uconn.config.ServerName}
-	ems := utlsExtendedMasterSecretExtension{}
-	reneg := RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient}
-	curves := SupportedCurvesExtension{[]CurveID{X25519, CurveP256, CurveP384, CurveP521}}
-	points := SupportedPointsExtension{SupportedPoints: []byte{pointFormatUncompressed}}
-	sessionTicket := SessionTicketExtension{Session: session}
-	if session != nil {
-		sessionTicket.Session = session
-		if len(session.SessionTicket()) > 0 {
-			hello.SessionId = make([]byte, 32)
-			_, err := io.ReadFull(uconn.config.rand(), hello.SessionId)
-			if err != nil {
-				return errors.New("tls: short read from Rand: " + err.Error())
-			}
-		}
-	}
-	alpn := ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}}
-	status := StatusRequestExtension{}
-	sigAndHash := SignatureAlgorithmsExtension{SignatureAndHashes: []SignatureAndHash{
-		{hashSHA256, signatureECDSA},
-		{hashSHA384, signatureECDSA},
-		{disabledHashSHA512, signatureECDSA},
-		fakeRsaPssSha256,
-		fakeRsaPssSha384,
-		fakeRsaPssSha512,
-		{hashSHA256, signatureRSA},
-		{hashSHA384, signatureRSA},
-		{disabledHashSHA512, signatureRSA},
-		{hashSHA1, signatureECDSA},
-		{hashSHA1, signatureRSA}},
-	}
-	padding := utlsPaddingExtension{GetPaddingLen: boringPaddingStyle}
-	uconn.Extensions = []TLSExtension{
-		&sni,
-		&ems,
-		&reneg,
-		&curves,
-		&points,
-		&sessionTicket,
-		&alpn,
-		&status,
-		&sigAndHash,
-		&padding,
-	}
-	return nil
-}
-
-func (uconn *UConn) parrotAndroid_6_0() error {
-	hello := uconn.HandshakeState.Hello
-	session := uconn.HandshakeState.Session
-
-	hello.CipherSuites = []uint16{
-		OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-		OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-		FAKE_OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-		TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-		TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		FAKE_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
-		TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-		TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-		FAKE_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-		TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-		FAKE_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-		TLS_RSA_WITH_AES_128_GCM_SHA256,
-		TLS_RSA_WITH_AES_256_CBC_SHA,
-		TLS_RSA_WITH_AES_128_CBC_SHA,
-		TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-		FAKE_TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
-	}
-	err := uconn.fillClientHelloHeader()
-	if err != nil {
-		return err
-	}
-
-	sni := SNIExtension{uconn.config.ServerName}
-	ems := utlsExtendedMasterSecretExtension{}
-	sessionTicket := SessionTicketExtension{Session: session}
-	if session != nil {
-		sessionTicket.Session = session
-		if len(session.SessionTicket()) > 0 {
-			sessionId := sha256.Sum256(session.SessionTicket())
-			hello.SessionId = sessionId[:]
-		}
-	}
-	sigAndHash := SignatureAlgorithmsExtension{SignatureAndHashes: []SignatureAndHash{
-		{disabledHashSHA512, signatureRSA},
-		{disabledHashSHA512, signatureECDSA},
-		{hashSHA384, signatureRSA},
-		{hashSHA384, signatureECDSA},
-		{hashSHA256, signatureRSA},
-		{hashSHA256, signatureECDSA},
-		{fakeHashSHA224, signatureRSA},
-		{fakeHashSHA224, signatureECDSA},
-		{hashSHA1, signatureRSA},
-		{hashSHA1, signatureECDSA}},
-	}
-	status := StatusRequestExtension{}
-	npn := NPNExtension{}
-	sct := SCTExtension{}
-	alpn := ALPNExtension{AlpnProtocols: []string{"http/1.1", "spdy/8.1"}}
-	points := SupportedPointsExtension{SupportedPoints: []byte{pointFormatUncompressed}}
-	curves := SupportedCurvesExtension{[]CurveID{CurveP256, CurveP384}}
-	padding := utlsPaddingExtension{GetPaddingLen: boringPaddingStyle}
-
-	uconn.Extensions = []TLSExtension{
-		&sni,
-		&ems,
-		&sessionTicket,
-		&sigAndHash,
-		&status,
-		&npn,
-		&sct,
-		&alpn,
-		&points,
-		&curves,
-		&padding,
-	}
-	return nil
-}
-
-func (uconn *UConn) parrotAndroid_5_1() error {
-	hello := uconn.HandshakeState.Hello
-	session := uconn.HandshakeState.Session
-
-	hello.CipherSuites = []uint16{
-		OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-		OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-		FAKE_OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-		TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-		FAKE_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
-		TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-		TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-		FAKE_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-		TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		FAKE_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-		TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-		TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-		TLS_RSA_WITH_AES_128_GCM_SHA256,
-		TLS_RSA_WITH_AES_256_CBC_SHA,
-		TLS_RSA_WITH_AES_128_CBC_SHA,
-		TLS_RSA_WITH_RC4_128_SHA,
-		FAKE_TLS_RSA_WITH_RC4_128_MD5,
-		TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-		FAKE_TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
-	}
-	err := uconn.fillClientHelloHeader()
-	if err != nil {
-		return err
-	}
-
-	sni := SNIExtension{uconn.config.ServerName}
-	sessionTicket := SessionTicketExtension{Session: session}
-	if session != nil {
-		sessionTicket.Session = session
-		if len(session.SessionTicket()) > 0 {
-			sessionId := sha256.Sum256(session.SessionTicket())
-			hello.SessionId = sessionId[:]
-		}
-	}
-	sigAndHash := SignatureAlgorithmsExtension{SignatureAndHashes: []SignatureAndHash{
-		{disabledHashSHA512, signatureRSA},
-		{disabledHashSHA512, signatureECDSA},
-		{hashSHA384, signatureRSA},
-		{hashSHA384, signatureECDSA},
-		{hashSHA256, signatureRSA},
-		{hashSHA256, signatureECDSA},
-		{fakeHashSHA224, signatureRSA},
-		{fakeHashSHA224, signatureECDSA},
-		{hashSHA1, signatureRSA},
-		{hashSHA1, signatureECDSA}},
-	}
-	status := StatusRequestExtension{}
-	npn := NPNExtension{}
-	sct := SCTExtension{}
-	alpn := ALPNExtension{AlpnProtocols: []string{"http/1.1", "spdy/3", "spdy/3.1"}}
-	points := SupportedPointsExtension{SupportedPoints: []byte{pointFormatUncompressed}}
-	curves := SupportedCurvesExtension{[]CurveID{CurveP256, CurveP384, CurveP521}}
-	padding := utlsPaddingExtension{GetPaddingLen: boringPaddingStyle}
-
-	uconn.Extensions = []TLSExtension{
-		&sni,
-		&sessionTicket,
-		&sigAndHash,
-		&status,
-		&npn,
-		&sct,
-		&alpn,
-		&points,
-		&curves,
-		&padding,
-	}
-	return nil
-}
-
-func (uconn *UConn) parrotChrome_5x(includeNonStandardChaChaCiphers bool) error {
-	hello := uconn.HandshakeState.Hello
-	session := uconn.HandshakeState.Session
-
-	err := uconn.fillClientHelloHeader()
-	if err != nil {
-		return err
-	}
-
-	if includeNonStandardChaChaCiphers {
-		hello.CipherSuites = []uint16{
-			GetBoringGREASEValue(hello.Random, ssl_grease_cipher),
-			TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-			TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-			OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-			OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-			TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-			TLS_RSA_WITH_AES_128_GCM_SHA256,
-			TLS_RSA_WITH_AES_256_GCM_SHA384,
-			TLS_RSA_WITH_AES_128_CBC_SHA,
-			TLS_RSA_WITH_AES_256_CBC_SHA,
-			TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-		}
-	} else {
-		hello.CipherSuites = []uint16{
-			GetBoringGREASEValue(hello.Random, ssl_grease_cipher),
-			TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-			TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-			TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-			TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-			TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-			TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-			TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-			TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-			TLS_RSA_WITH_AES_128_GCM_SHA256,
-			TLS_RSA_WITH_AES_256_GCM_SHA384,
-			TLS_RSA_WITH_AES_128_CBC_SHA,
-			TLS_RSA_WITH_AES_256_CBC_SHA,
-			TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-		}
-	}
-
-	grease_ext1 := GetBoringGREASEValue(hello.Random, ssl_grease_extension1)
-	grease_ext2 := GetBoringGREASEValue(hello.Random, ssl_grease_extension2)
-	if grease_ext1 == grease_ext2 {
-		grease_ext2 ^= 0x1010
-	}
-
-	grease1 := FakeGREASEExtension{Value: grease_ext1}
-	reneg := RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient}
-	sni := SNIExtension{uconn.config.ServerName}
-	ems := utlsExtendedMasterSecretExtension{}
-	sessionTicket := SessionTicketExtension{Session: session}
-	if session != nil {
-		sessionTicket.Session = session
-		if len(session.SessionTicket()) > 0 {
-			sessionId := sha256.Sum256(session.SessionTicket())
-			hello.SessionId = sessionId[:]
-		}
-	}
-	sigAndHash := SignatureAlgorithmsExtension{SignatureAndHashes: []SignatureAndHash{
-		{hashSHA256, signatureECDSA},
-		fakeRsaPssSha256,
-		{hashSHA256, signatureRSA},
-		{hashSHA384, signatureECDSA},
-		fakeRsaPssSha384,
-		{hashSHA384, signatureRSA},
-		fakeRsaPssSha512,
-		{disabledHashSHA512, signatureRSA},
-		{hashSHA1, signatureRSA}},
-	}
-	status := StatusRequestExtension{}
-	sct := SCTExtension{}
-	alpn := ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}}
-	channelId := FakeChannelIDExtension{}
-	points := SupportedPointsExtension{SupportedPoints: []byte{pointFormatUncompressed}}
-	curves := SupportedCurvesExtension{[]CurveID{CurveID(GetBoringGREASEValue(hello.Random, ssl_grease_group)),
-		X25519, CurveP256, CurveP384}}
-	grease2 := FakeGREASEExtension{Value: grease_ext2, Body: []byte{0}}
-	padding := utlsPaddingExtension{GetPaddingLen: boringPaddingStyle}
-
-	uconn.Extensions = []TLSExtension{
-		&grease1,
-		&reneg,
-		&sni,
-		&ems,
-		&sessionTicket,
-		&sigAndHash,
-		&status,
-		&sct,
-		&alpn,
-		&channelId,
-		&points,
-		&curves,
-		&grease2,
-		&padding,
-	}
-	return nil
-}
-
-func (uconn *UConn) parrotiOSSafari_11_3_1() error {
-	hello := uconn.HandshakeState.Hello
-	session := uconn.HandshakeState.Session
-
-	hello.CipherSuites = []uint16{
-		TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-		TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-		DISABLED_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
-		TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-		TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-		TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-		TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-		TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-		DISABLED_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
-		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-		TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-		TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-		TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-		TLS_RSA_WITH_AES_256_GCM_SHA384,
-		TLS_RSA_WITH_AES_128_GCM_SHA256,
-		DISABLED_TLS_RSA_WITH_AES_256_CBC_SHA256,
-		TLS_RSA_WITH_AES_128_CBC_SHA256,
-		TLS_RSA_WITH_AES_256_CBC_SHA,
-		TLS_RSA_WITH_AES_128_CBC_SHA,
-	}
-	err := uconn.fillClientHelloHeader()
-	if err != nil {
-		return err
-	}
-
-	reneg := RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient}
-	sni := SNIExtension{uconn.config.ServerName}
-	ems := utlsExtendedMasterSecretExtension{}
-	sessionTicket := SessionTicketExtension{Session: session}
-	if session != nil {
-		sessionTicket.Session = session
-		if len(session.SessionTicket()) > 0 {
-			sessionId := sha256.Sum256(session.SessionTicket())
-			hello.SessionId = sessionId[:]
-		}
-	}
-	sigAndHash := SignatureAlgorithmsExtension{SignatureAndHashes: []SignatureAndHash{
-		{hashSHA256, signatureECDSA},
-		fakeRsaPssSha256,
-		{hashSHA256, signatureRSA},
-		{hashSHA384, signatureECDSA},
-		fakeRsaPssSha384,
-		{hashSHA384, signatureRSA},
-		fakeRsaPssSha512,
-		{disabledHashSHA512, signatureRSA},
-		{hashSHA1, signatureRSA},
-	},
-	}
-	status := StatusRequestExtension{}
-	npn := NPNExtension{}
-	sct := SCTExtension{}
-	alpn := ALPNExtension{AlpnProtocols: []string{"h2", "h2-16", "h2-15", "h2-14", "spdy/3.1", "spdy/3", "http/1.1"}}
-	points := SupportedPointsExtension{SupportedPoints: []byte{pointFormatUncompressed}}
-	curves := SupportedCurvesExtension{[]CurveID{X25519, CurveP256, CurveP384, CurveP521}}
-
-	uconn.Extensions = []TLSExtension{
-		&reneg,
-		&sni,
-		&ems,
-		&sessionTicket,
-		&sigAndHash,
-		&status,
-		&npn,
-		&sct,
-		&alpn,
-		&points,
-		&curves,
-	}
-	return nil
-}
-
-func (uconn *UConn) parrotRandomizedALPN() error {
-	err := uconn.parrotRandomizedNoALPN()
-	if len(uconn.config.NextProtos) == 0 {
-		// if user didn't specify alpn, choose something popular
-		uconn.config.NextProtos = []string{"h2", "http/1.1"}
-	}
-	alpn := ALPNExtension{AlpnProtocols: uconn.config.NextProtos}
-	uconn.Extensions = append(uconn.Extensions, &alpn)
-	return err
-}
-
-func (uconn *UConn) parrotRandomizedNoALPN() error {
-
-	// [Psiphon]
-	if uconn.clientHelloPRNGSeed == nil {
-		return errors.New("missing UConn.clientHelloPRNGSeed")
-	}
-	PRNG := prng.NewPRNGWithSeed(uconn.clientHelloPRNGSeed)
-
-	hello := uconn.HandshakeState.Hello
-	session := uconn.HandshakeState.Session
-
-	hello.CipherSuites = make([]uint16, len(defaultCipherSuites()))
-	copy(hello.CipherSuites, defaultCipherSuites())
-	shuffledSuites, err := shuffledCiphers(PRNG)
-	if err != nil {
-		return err
-	}
-	hello.CipherSuites = removeRandomCiphers(PRNG, shuffledSuites, 0.4)
-	err = uconn.fillClientHelloHeader()
-	if err != nil {
-		return err
-	}
-
-	sni := SNIExtension{uconn.config.ServerName}
-	sessionTicket := SessionTicketExtension{Session: session}
-	if session != nil {
-		sessionTicket.Session = session
-		if len(session.SessionTicket()) > 0 {
-			sessionId := sha256.Sum256(session.SessionTicket())
-			hello.SessionId = sessionId[:]
-		}
-	}
-	sigAndHashAlgos := []SignatureAndHash{
-		{hashSHA256, signatureECDSA},
-		{hashSHA256, signatureRSA},
-		{hashSHA384, signatureECDSA},
-		{hashSHA384, signatureRSA},
-		{hashSHA1, signatureRSA},
-	}
-	if tossBiasedCoin(PRNG, 0.5) {
-		sigAndHashAlgos = append(sigAndHashAlgos, SignatureAndHash{disabledHashSHA512, signatureECDSA})
-	}
-	if tossBiasedCoin(PRNG, 0.5) {
-		sigAndHashAlgos = append(sigAndHashAlgos, SignatureAndHash{disabledHashSHA512, signatureRSA})
-	}
-	if tossBiasedCoin(PRNG, 0.5) {
-		sigAndHashAlgos = append(sigAndHashAlgos, SignatureAndHash{hashSHA1, signatureECDSA})
-	}
-	err = shuffleSignatures(PRNG, sigAndHashAlgos)
-	if err != nil {
-		return err
-	}
-	sigAndHash := SignatureAlgorithmsExtension{SignatureAndHashes: sigAndHashAlgos}
-
-	status := StatusRequestExtension{}
-	sct := SCTExtension{}
-	points := SupportedPointsExtension{SupportedPoints: []byte{pointFormatUncompressed}}
-
-	curveIDs := []CurveID{}
-	if tossBiasedCoin(PRNG, 0.7) {
-		curveIDs = append(curveIDs, X25519)
-	}
-	curveIDs = append(curveIDs, CurveP256, CurveP384)
-	if tossBiasedCoin(PRNG, 0.3) {
-		curveIDs = append(curveIDs, CurveP521)
-	}
-	curves := SupportedCurvesExtension{curveIDs}
-
-	padding := utlsPaddingExtension{GetPaddingLen: boringPaddingStyle}
-	reneg := RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient}
-
-	uconn.Extensions = []TLSExtension{
-		&sni,
-		&sessionTicket,
-		&sigAndHash,
-		&points,
-		&curves,
-	}
-
-	if tossBiasedCoin(PRNG, 0.66) {
-		uconn.Extensions = append(uconn.Extensions, &padding)
-	}
-	if tossBiasedCoin(PRNG, 0.66) {
-		uconn.Extensions = append(uconn.Extensions, &status)
-	}
-	if tossBiasedCoin(PRNG, 0.55) {
-		uconn.Extensions = append(uconn.Extensions, &sct)
-	}
-	if tossBiasedCoin(PRNG, 0.44) {
-		uconn.Extensions = append(uconn.Extensions, &reneg)
-	}
-	err = shuffleTLSExtensions(PRNG, uconn.Extensions)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func (uconn *UConn) parrotCustom() error {
-	return uconn.fillClientHelloHeader()
-}
-
-func tossBiasedCoin(PRNG *prng.PRNG, probability float32) bool {
-	// probability is expected to be in [0,1]
-	// this function never returns errors for ease of use
-	const precision = 0xffff
-	threshold := float32(precision) * probability
-	value := PRNG.Intn(precision)
-
-	if float32(value) <= threshold {
-		return true
-	} else {
-		return false
-	}
-}
-
-func removeRandomCiphers(PRNG *prng.PRNG, s []uint16, maxRemovalProbability float32) []uint16 {
-	// removes elements in place
-	// probability to remove increases for further elements
-	// never remove first cipher
-	if len(s) <= 1 {
-		return s
-	}
-
-	// remove random elements
-	floatLen := float32(len(s))
-	sliceLen := len(s)
-	for i := 1; i < sliceLen; i++ {
-		if tossBiasedCoin(PRNG, maxRemovalProbability*float32(i)/floatLen) {
-			s = append(s[:i], s[i+1:]...)
-			sliceLen--
-			i--
-		}
-	}
-	return s
-}
-
-func shuffledCiphers(PRNG *prng.PRNG) ([]uint16, error) {
-	ciphers := make(sortableCiphers, len(cipherSuites))
-	perm := PRNG.Perm(len(cipherSuites))
-	for i, suite := range cipherSuites {
-		ciphers[i] = sortableCipher{suite: suite.id,
-			isObsolete: ((suite.flags & suiteTLS12) == 0),
-			randomTag:  perm[i]}
-	}
-	sort.Sort(ciphers)
-	return ciphers.GetCiphers(), nil
-}
-
-type sortableCipher struct {
-	isObsolete bool
-	randomTag  int
-	suite      uint16
-}
-
-type sortableCiphers []sortableCipher
-
-func (ciphers sortableCiphers) Len() int {
-	return len(ciphers)
-}
-
-func (ciphers sortableCiphers) Less(i, j int) bool {
-	if ciphers[i].isObsolete && !ciphers[j].isObsolete {
-		return false
-	}
-	if ciphers[j].isObsolete && !ciphers[i].isObsolete {
-		return true
-	}
-	return ciphers[i].randomTag < ciphers[j].randomTag
-}
-
-func (ciphers sortableCiphers) Swap(i, j int) {
-	ciphers[i], ciphers[j] = ciphers[j], ciphers[i]
-}
-
-func (ciphers sortableCiphers) GetCiphers() []uint16 {
-	cipherIDs := make([]uint16, len(ciphers))
-	for i := range ciphers {
-		cipherIDs[i] = ciphers[i].suite
-	}
-	return cipherIDs
-}
-
-// so much for generics
-func shuffleTLSExtensions(PRNG *prng.PRNG, s []TLSExtension) error {
-	// shuffles array in place
-	perm := PRNG.Perm(len(s))
-	for i := range s {
-		s[i], s[perm[i]] = s[perm[i]], s[i]
-	}
-	return nil
-}
-
-// so much for generics
-func shuffleSignatures(PRNG *prng.PRNG, s []SignatureAndHash) error {
-	// shuffles array in place
-	perm := PRNG.Perm(len(s))
-	for i := range s {
-		s[i], s[perm[i]] = s[perm[i]], s[i]
-	}
-	return nil
-}

vendor/github.com/Psiphon-Labs/utls/u_public.go

@@ -1,393 +0,0 @@
-// Copyright 2017 Google Inc. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tls
-
-import (
-	"crypto/cipher"
-	"crypto/x509"
-	"hash"
-)
-
-type ClientHandshakeState struct {
-	C            *Conn
-	ServerHello  *ServerHelloMsg
-	Hello        *ClientHelloMsg
-	Suite        *CipherSuite
-	FinishedHash FinishedHash
-	MasterSecret []byte
-	Session      *ClientSessionState
-}
-
-// getPrivatePtr() methods make shallow copies
-
-func (chs *ClientHandshakeState) getPrivatePtr() *clientHandshakeState {
-	if chs == nil {
-		return nil
-	} else {
-		return &clientHandshakeState{
-			c:            chs.C,
-			serverHello:  chs.ServerHello.getPrivatePtr(),
-			hello:        chs.Hello.getPrivatePtr(),
-			suite:        chs.Suite.getPrivatePtr(),
-			finishedHash: *chs.FinishedHash.getPrivatePtr(),
-			masterSecret: chs.MasterSecret,
-			session:      chs.Session,
-		}
-	}
-}
-
-func (chs *clientHandshakeState) getPublicPtr() *ClientHandshakeState {
-	if chs == nil {
-		return nil
-	} else {
-		return &ClientHandshakeState{
-			C:            chs.c,
-			ServerHello:  chs.serverHello.getPublicPtr(),
-			Hello:        chs.hello.getPublicPtr(),
-			Suite:        chs.suite.getPublicPtr(),
-			FinishedHash: *chs.finishedHash.getPublicPtr(),
-			MasterSecret: chs.masterSecret,
-			Session:      chs.session,
-		}
-	}
-}
-
-type BensStruct serverHelloMsg
-
-type ServerHelloMsg struct {
-	Raw                          []byte
-	Vers                         uint16
-	Random                       []byte
-	SessionId                    []byte
-	CipherSuite                  uint16
-	CompressionMethod            uint8
-	NextProtoNeg                 bool
-	NextProtos                   []string
-	OcspStapling                 bool
-	Scts                         [][]byte
-	Ems                          bool
-	TicketSupported              bool
-	SecureRenegotiation          []byte
-	SecureRenegotiationSupported bool
-	AlpnProtocol                 string
-}
-
-func (shm *ServerHelloMsg) getPrivatePtr() *serverHelloMsg {
-	if shm == nil {
-		return nil
-	} else {
-		return &serverHelloMsg{
-			raw:                          shm.Raw,
-			vers:                         shm.Vers,
-			random:                       shm.Random,
-			sessionId:                    shm.SessionId,
-			cipherSuite:                  shm.CipherSuite,
-			compressionMethod:            shm.CompressionMethod,
-			nextProtoNeg:                 shm.NextProtoNeg,
-			nextProtos:                   shm.NextProtos,
-			ocspStapling:                 shm.OcspStapling,
-			scts:                         shm.Scts,
-			ems:                          shm.Ems,
-			ticketSupported:              shm.TicketSupported,
-			secureRenegotiation:          shm.SecureRenegotiation,
-			secureRenegotiationSupported: shm.SecureRenegotiationSupported,
-			alpnProtocol:                 shm.AlpnProtocol,
-		}
-	}
-}
-
-func (shm *serverHelloMsg) getPublicPtr() *ServerHelloMsg {
-	if shm == nil {
-		return nil
-	} else {
-		return &ServerHelloMsg{
-			Raw:                          shm.raw,
-			Vers:                         shm.vers,
-			Random:                       shm.random,
-			SessionId:                    shm.sessionId,
-			CipherSuite:                  shm.cipherSuite,
-			CompressionMethod:            shm.compressionMethod,
-			NextProtoNeg:                 shm.nextProtoNeg,
-			NextProtos:                   shm.nextProtos,
-			OcspStapling:                 shm.ocspStapling,
-			Scts:                         shm.scts,
-			Ems:                          shm.ems,
-			TicketSupported:              shm.ticketSupported,
-			SecureRenegotiation:          shm.secureRenegotiation,
-			SecureRenegotiationSupported: shm.secureRenegotiationSupported,
-			AlpnProtocol:                 shm.alpnProtocol,
-		}
-	}
-}
-
-type ClientHelloMsg struct {
-	Raw                          []byte
-	Vers                         uint16
-	Random                       []byte
-	SessionId                    []byte
-	CipherSuites                 []uint16
-	CompressionMethods           []uint8
-	NextProtoNeg                 bool
-	ServerName                   string
-	OcspStapling                 bool
-	Scts                         bool
-	Ems                          bool
-	SupportedCurves              []CurveID
-	SupportedPoints              []uint8
-	TicketSupported              bool
-	SessionTicket                []uint8
-	SignatureAndHashes           []SignatureAndHash
-	SecureRenegotiation          []byte
-	SecureRenegotiationSupported bool
-	AlpnProtocols                []string
-}
-
-func (chm *ClientHelloMsg) getPrivatePtr() *clientHelloMsg {
-	if chm == nil {
-		return nil
-	} else {
-		return &clientHelloMsg{
-			raw:                          chm.Raw,
-			vers:                         chm.Vers,
-			random:                       chm.Random,
-			sessionId:                    chm.SessionId,
-			cipherSuites:                 chm.CipherSuites,
-			compressionMethods:           chm.CompressionMethods,
-			nextProtoNeg:                 chm.NextProtoNeg,
-			serverName:                   chm.ServerName,
-			ocspStapling:                 chm.OcspStapling,
-			scts:                         chm.Scts,
-			ems:                          chm.Ems,
-			supportedCurves:              chm.SupportedCurves,
-			supportedPoints:              chm.SupportedPoints,
-			ticketSupported:              chm.TicketSupported,
-			sessionTicket:                chm.SessionTicket,
-			signatureAndHashes:           sigAndHashGetMakePrivate(chm.SignatureAndHashes),
-			secureRenegotiation:          chm.SecureRenegotiation,
-			secureRenegotiationSupported: chm.SecureRenegotiationSupported,
-			alpnProtocols:                chm.AlpnProtocols,
-		}
-	}
-}
-
-func (chm *clientHelloMsg) getPublicPtr() *ClientHelloMsg {
-	if chm == nil {
-		return nil
-	} else {
-		return &ClientHelloMsg{
-			Raw:                          chm.raw,
-			Vers:                         chm.vers,
-			Random:                       chm.random,
-			SessionId:                    chm.sessionId,
-			CipherSuites:                 chm.cipherSuites,
-			CompressionMethods:           chm.compressionMethods,
-			NextProtoNeg:                 chm.nextProtoNeg,
-			ServerName:                   chm.serverName,
-			OcspStapling:                 chm.ocspStapling,
-			Scts:                         chm.scts,
-			Ems:                          chm.ems,
-			SupportedCurves:              chm.supportedCurves,
-			SupportedPoints:              chm.supportedPoints,
-			TicketSupported:              chm.ticketSupported,
-			SessionTicket:                chm.sessionTicket,
-			SignatureAndHashes:           sigAndHashMakePublic(chm.signatureAndHashes),
-			SecureRenegotiation:          chm.secureRenegotiation,
-			SecureRenegotiationSupported: chm.secureRenegotiationSupported,
-			AlpnProtocols:                chm.alpnProtocols,
-		}
-	}
-}
-
-// SignatureAndHash mirrors the TLS 1.2, SignatureAndHashAlgorithm struct. See
-// RFC 5246, section A.4.1.
-type SignatureAndHash struct {
-	Hash, Signature uint8
-}
-
-func sigAndHashGetMakePrivate(sahSlice []SignatureAndHash) []signatureAndHash {
-	res := []signatureAndHash{}
-	for _, sah := range sahSlice {
-		res = append(res, signatureAndHash{hash: sah.Hash,
-			signature: sah.Signature})
-	}
-	return res
-}
-
-func sigAndHashMakePublic(sahSlice []signatureAndHash) []SignatureAndHash {
-	res := []SignatureAndHash{}
-	for _, sah := range sahSlice {
-		res = append(res, SignatureAndHash{Hash: sah.hash,
-			Signature: sah.signature})
-	}
-	return res
-}
-
-// A CipherSuite is a specific combination of key agreement, cipher and MAC
-// function. All cipher suites currently assume RSA key agreement.
-type CipherSuite struct {
-	Id uint16
-	// the lengths, in bytes, of the key material needed for each component.
-	KeyLen int
-	MacLen int
-	IvLen  int
-	Ka     func(version uint16) keyAgreement
-	// flags is a bitmask of the suite* values, above.
-	Flags  int
-	Cipher func(key, iv []byte, isRead bool) interface{}
-	Mac    func(version uint16, macKey []byte) macFunction
-	Aead   func(key, fixedNonce []byte) cipher.AEAD
-}
-
-func (cs *CipherSuite) getPrivatePtr() *cipherSuite {
-	if cs == nil {
-		return nil
-	} else {
-		return &cipherSuite{
-			id:     cs.Id,
-			keyLen: cs.KeyLen,
-			macLen: cs.MacLen,
-			ivLen:  cs.IvLen,
-			ka:     cs.Ka,
-			flags:  cs.Flags,
-			cipher: cs.Cipher,
-			mac:    cs.Mac,
-			aead:   cs.Aead,
-		}
-	}
-}
-
-func (cs *cipherSuite) getPublicPtr() *CipherSuite {
-	if cs == nil {
-		return nil
-	} else {
-		return &CipherSuite{
-			Id:     cs.id,
-			KeyLen: cs.keyLen,
-			MacLen: cs.macLen,
-			IvLen:  cs.ivLen,
-			Ka:     cs.ka,
-			Flags:  cs.flags,
-			Cipher: cs.cipher,
-			Mac:    cs.mac,
-			Aead:   cs.aead,
-		}
-	}
-}
-
-// A FinishedHash calculates the hash of a set of handshake messages suitable
-// for including in a Finished message.
-type FinishedHash struct {
-	Client hash.Hash
-	Server hash.Hash
-
-	// Prior to TLS 1.2, an additional MD5 hash is required.
-	ClientMD5 hash.Hash
-	ServerMD5 hash.Hash
-
-	// In TLS 1.2, a full buffer is sadly required.
-	Buffer []byte
-
-	Version uint16
-	Prf     func(result, secret, label, seed []byte)
-}
-
-func (fh *FinishedHash) getPrivatePtr() *finishedHash {
-	if fh == nil {
-		return nil
-	} else {
-		return &finishedHash{
-			client:    fh.Client,
-			server:    fh.Server,
-			clientMD5: fh.ClientMD5,
-			serverMD5: fh.ServerMD5,
-			buffer:    fh.Buffer,
-			version:   fh.Version,
-			prf:       fh.Prf,
-		}
-	}
-}
-
-func (fh *finishedHash) getPublicPtr() *FinishedHash {
-	if fh == nil {
-		return nil
-	} else {
-		return &FinishedHash{
-			Client:    fh.client,
-			Server:    fh.server,
-			ClientMD5: fh.clientMD5,
-			ServerMD5: fh.serverMD5,
-			Buffer:    fh.buffer,
-			Version:   fh.version,
-			Prf:       fh.prf}
-	}
-}
-
-// ClientSessionState is public, but all its fields are private. Let's add setters, getters and constructor
-
-// ClientSessionState contains the state needed by clients to resume TLS sessions.
-func MakeClientSessionState(
-	SessionTicket []uint8,
-	Vers uint16,
-	CipherSuite uint16,
-	MasterSecret []byte,
-	ServerCertificates []*x509.Certificate,
-	VerifiedChains [][]*x509.Certificate) *ClientSessionState {
-	css := ClientSessionState{sessionTicket: SessionTicket,
-		vers:               Vers,
-		cipherSuite:        CipherSuite,
-		masterSecret:       MasterSecret,
-		serverCertificates: ServerCertificates,
-		verifiedChains:     VerifiedChains}
-	return &css
-}
-
-// Encrypted ticket used for session resumption with server
-func (css *ClientSessionState) SessionTicket() []uint8 {
-	return css.sessionTicket
-}
-
-// SSL/TLS version negotiated for the session
-func (css *ClientSessionState) Vers() uint16 {
-	return css.vers
-}
-
-// Ciphersuite negotiated for the session
-func (css *ClientSessionState) CipherSuite() uint16 {
-	return css.cipherSuite
-}
-
-// MasterSecret generated by client on a full handshake
-func (css *ClientSessionState) MasterSecret() []byte {
-	return css.masterSecret
-}
-
-// Certificate chain presented by the server
-func (css *ClientSessionState) ServerCertificates() []*x509.Certificate {
-	return css.serverCertificates
-}
-
-// Certificate chains we built for verification
-func (css *ClientSessionState) VerifiedChains() [][]*x509.Certificate {
-	return css.verifiedChains
-}
-
-func (css *ClientSessionState) SetSessionTicket(SessionTicket []uint8) {
-	css.sessionTicket = SessionTicket
-}
-func (css *ClientSessionState) SetVers(Vers uint16) {
-	css.vers = Vers
-}
-func (css *ClientSessionState) SetCipherSuite(CipherSuite uint16) {
-	css.cipherSuite = CipherSuite
-}
-func (css *ClientSessionState) SetMasterSecret(MasterSecret []byte) {
-	css.masterSecret = MasterSecret
-}
-func (css *ClientSessionState) SetServerCertificates(ServerCertificates []*x509.Certificate) {
-	css.serverCertificates = ServerCertificates
-}
-func (css *ClientSessionState) SetVerifiedChains(VerifiedChains [][]*x509.Certificate) {
-	css.verifiedChains = VerifiedChains
-}

vendor/github.com/Psiphon-Labs/utls/u_tls_extensions.go

@@ -1,522 +0,0 @@
-// Copyright 2017 Google Inc. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package tls
-
-import (
-	"io"
-)
-
-type TLSExtension interface {
-	writeToUConn(*UConn) error
-
-	Len() int // includes header
-
-	// Read reads up to len(p) bytes into p.
-	// It returns the number of bytes read (0 <= n <= len(p)) and any error encountered.
-	Read(p []byte) (n int, err error) // implements io.Reader
-}
-
-type NPNExtension struct {
-	NextProtos []string
-}
-
-func (e *NPNExtension) writeToUConn(uc *UConn) error {
-	uc.config.NextProtos = e.NextProtos
-	uc.HandshakeState.Hello.NextProtoNeg = true
-	return nil
-}
-
-func (e *NPNExtension) Len() int {
-	return 4
-}
-
-func (e *NPNExtension) Read(b []byte) (int, error) {
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-	b[0] = byte(extensionNextProtoNeg >> 8)
-	b[1] = byte(extensionNextProtoNeg & 0xff)
-	// The length is always 0
-	return e.Len(), io.EOF
-}
-
-type SNIExtension struct {
-	ServerName string // not an array because go crypto/tls doesn't support multiple SNIs
-}
-
-func (e *SNIExtension) writeToUConn(uc *UConn) error {
-	uc.config.ServerName = e.ServerName
-	uc.HandshakeState.Hello.ServerName = e.ServerName
-	return nil
-}
-
-func (e *SNIExtension) Len() int {
-	return 4 + 2 + 1 + 2 + len(e.ServerName)
-}
-
-func (e *SNIExtension) Read(b []byte) (int, error) {
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-	// RFC 3546, section 3.1
-	b[0] = byte(extensionServerName >> 8)
-	b[1] = byte(extensionServerName)
-	b[2] = byte((len(e.ServerName) + 5) >> 8)
-	b[3] = byte((len(e.ServerName) + 5))
-	b[4] = byte((len(e.ServerName) + 3) >> 8)
-	b[5] = byte(len(e.ServerName) + 3)
-	// b[6] Server Name Type: host_name (0)
-	b[7] = byte(len(e.ServerName) >> 8)
-	b[8] = byte(len(e.ServerName))
-	copy(b[9:], []byte(e.ServerName))
-	return e.Len(), io.EOF
-}
-
-type StatusRequestExtension struct {
-}
-
-func (e *StatusRequestExtension) writeToUConn(uc *UConn) error {
-	uc.HandshakeState.Hello.OcspStapling = true
-	return nil
-}
-
-func (e *StatusRequestExtension) Len() int {
-	return 9
-}
-
-func (e *StatusRequestExtension) Read(b []byte) (int, error) {
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-	// RFC 4366, section 3.6
-	b[0] = byte(extensionStatusRequest >> 8)
-	b[1] = byte(extensionStatusRequest)
-	b[2] = 0
-	b[3] = 5
-	b[4] = 1 // OCSP type
-	// Two zero valued uint16s for the two lengths.
-	return e.Len(), io.EOF
-}
-
-type SupportedCurvesExtension struct {
-	Curves []CurveID
-}
-
-func (e *SupportedCurvesExtension) writeToUConn(uc *UConn) error {
-	uc.config.CurvePreferences = e.Curves
-	uc.HandshakeState.Hello.SupportedCurves = e.Curves
-	return nil
-}
-
-func (e *SupportedCurvesExtension) Len() int {
-	return 6 + 2*len(e.Curves)
-}
-
-func (e *SupportedCurvesExtension) Read(b []byte) (int, error) {
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-	// http://tools.ietf.org/html/rfc4492#section-5.5.1
-	b[0] = byte(extensionSupportedCurves >> 8)
-	b[1] = byte(extensionSupportedCurves)
-	b[2] = byte((2 + 2*len(e.Curves)) >> 8)
-	b[3] = byte((2 + 2*len(e.Curves)))
-	b[4] = byte((2 * len(e.Curves)) >> 8)
-	b[5] = byte((2 * len(e.Curves)))
-	for i, curve := range e.Curves {
-		b[6+2*i] = byte(curve >> 8)
-		b[7+2*i] = byte(curve)
-	}
-	return e.Len(), io.EOF
-}
-
-type SupportedPointsExtension struct {
-	SupportedPoints []uint8
-}
-
-func (e *SupportedPointsExtension) writeToUConn(uc *UConn) error {
-	uc.HandshakeState.Hello.SupportedPoints = e.SupportedPoints
-	return nil
-}
-
-func (e *SupportedPointsExtension) Len() int {
-	return 5 + len(e.SupportedPoints)
-}
-
-func (e *SupportedPointsExtension) Read(b []byte) (int, error) {
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-	// http://tools.ietf.org/html/rfc4492#section-5.5.2
-	b[0] = byte(extensionSupportedPoints >> 8)
-	b[1] = byte(extensionSupportedPoints)
-	b[2] = byte((1 + len(e.SupportedPoints)) >> 8)
-	b[3] = byte((1 + len(e.SupportedPoints)))
-	b[4] = byte((len(e.SupportedPoints)))
-	for i, pointFormat := range e.SupportedPoints {
-		b[5+i] = pointFormat
-	}
-	return e.Len(), io.EOF
-}
-
-type SignatureAlgorithmsExtension struct {
-	SignatureAndHashes []SignatureAndHash
-}
-
-func (e *SignatureAlgorithmsExtension) writeToUConn(uc *UConn) error {
-	uc.HandshakeState.Hello.SignatureAndHashes = e.SignatureAndHashes
-	return nil
-}
-
-func (e *SignatureAlgorithmsExtension) Len() int {
-	return 6 + 2*len(e.SignatureAndHashes)
-}
-
-func (e *SignatureAlgorithmsExtension) Read(b []byte) (int, error) {
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-	// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
-	b[0] = byte(extensionSignatureAlgorithms >> 8)
-	b[1] = byte(extensionSignatureAlgorithms)
-	b[2] = byte((2 + 2*len(e.SignatureAndHashes)) >> 8)
-	b[3] = byte((2 + 2*len(e.SignatureAndHashes)))
-	b[4] = byte((2 * len(e.SignatureAndHashes)) >> 8)
-	b[5] = byte((2 * len(e.SignatureAndHashes)))
-	for i, sigAndHash := range e.SignatureAndHashes {
-		b[6+2*i] = byte(sigAndHash.Hash)
-		b[7+2*i] = byte(sigAndHash.Signature)
-	}
-	return e.Len(), io.EOF
-}
-
-type RenegotiationInfoExtension struct {
-	renegotiation       RenegotiationSupport
-	SecureRenegotiation []byte // you probably want to leave it empty
-}
-
-func (e *RenegotiationInfoExtension) writeToUConn(uc *UConn) error {
-	uc.config.Renegotiation = e.renegotiation
-	switch e.renegotiation {
-	case RenegotiateOnceAsClient:
-		fallthrough
-	case RenegotiateFreelyAsClient:
-		uc.HandshakeState.Hello.SecureRenegotiationSupported = true
-		// Note that if we manage to use this in renegotiation(currently only in initial handshake), we'd have to point
-		// uc.HandshakeState.Hello.SecureRenegotiation = chs.C.clientFinished
-		// and probably do something else. It's a mess.
-	case RenegotiateNever:
-	default:
-	}
-	return nil
-}
-
-func (e *RenegotiationInfoExtension) Len() int {
-	switch e.renegotiation {
-	case RenegotiateOnceAsClient:
-		fallthrough
-	case RenegotiateFreelyAsClient:
-		return 5 + len(e.SecureRenegotiation)
-	case RenegotiateNever:
-	default:
-	}
-	return 0
-}
-
-func (e *RenegotiationInfoExtension) Read(b []byte) (int, error) {
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-	switch e.renegotiation {
-	case RenegotiateOnceAsClient:
-		fallthrough
-	case RenegotiateFreelyAsClient:
-		b[0] = byte(extensionRenegotiationInfo >> 8)
-		b[1] = byte(extensionRenegotiationInfo & 0xff)
-		b[2] = 0 // TODO: this is not what Chrome does :(
-		b[3] = byte(len(e.SecureRenegotiation) + 1)
-		b[4] = byte(len(e.SecureRenegotiation))
-		if len(e.SecureRenegotiation) != 0 {
-			copy(b[5:], e.SecureRenegotiation)
-		}
-	case RenegotiateNever:
-	default:
-	}
-	return e.Len(), io.EOF
-}
-
-type ALPNExtension struct {
-	AlpnProtocols []string
-}
-
-func (e *ALPNExtension) writeToUConn(uc *UConn) error {
-	uc.config.NextProtos = e.AlpnProtocols
-	uc.HandshakeState.Hello.AlpnProtocols = e.AlpnProtocols
-	return nil
-}
-
-func (e *ALPNExtension) Len() int {
-	bLen := 2 + 2 + 2
-	for _, s := range e.AlpnProtocols {
-		bLen += 1 + len(s)
-	}
-	return bLen
-}
-
-func (e *ALPNExtension) Read(b []byte) (int, error) {
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-
-	b[0] = byte(extensionALPN >> 8)
-	b[1] = byte(extensionALPN & 0xff)
-	lengths := b[2:]
-	b = b[6:]
-
-	stringsLength := 0
-	for _, s := range e.AlpnProtocols {
-		l := len(s)
-		b[0] = byte(l)
-		copy(b[1:], s)
-		b = b[1+l:]
-		stringsLength += 1 + l
-	}
-
-	lengths[2] = byte(stringsLength >> 8)
-	lengths[3] = byte(stringsLength)
-	stringsLength += 2
-	lengths[0] = byte(stringsLength >> 8)
-	lengths[1] = byte(stringsLength)
-
-	return e.Len(), io.EOF
-}
-
-type SCTExtension struct {
-}
-
-func (e *SCTExtension) writeToUConn(uc *UConn) error {
-	uc.HandshakeState.Hello.Scts = true
-	return nil
-}
-
-func (e *SCTExtension) Len() int {
-	return 4
-}
-
-func (e *SCTExtension) Read(b []byte) (int, error) {
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-	// https://tools.ietf.org/html/rfc6962#section-3.3.1
-	b[0] = byte(extensionSCT >> 8)
-	b[1] = byte(extensionSCT)
-	// zero uint16 for the zero-length extension_data
-	return e.Len(), io.EOF
-}
-
-type SessionTicketExtension struct {
-	Session *ClientSessionState
-}
-
-func (e *SessionTicketExtension) writeToUConn(uc *UConn) error {
-	if e.Session != nil {
-		uc.HandshakeState.Session = e.Session
-		uc.HandshakeState.Hello.SessionTicket = e.Session.sessionTicket
-	}
-	return nil
-}
-
-func (e *SessionTicketExtension) Len() int {
-	if e.Session != nil {
-		return 4 + len(e.Session.sessionTicket)
-	}
-	return 4
-}
-
-func (e *SessionTicketExtension) Read(b []byte) (int, error) {
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-
-	extBodyLen := e.Len() - 4
-
-	b[0] = byte(extensionSessionTicket >> 8)
-	b[1] = byte(extensionSessionTicket)
-	b[2] = byte(extBodyLen >> 8)
-	b[3] = byte(extBodyLen)
-	if extBodyLen > 0 {
-		copy(b[4:], e.Session.sessionTicket)
-	}
-	return e.Len(), io.EOF
-}
-
-/*
-FAKE EXTENSIONS
-*/
-
-type FakeChannelIDExtension struct {
-}
-
-func (e *FakeChannelIDExtension) writeToUConn(uc *UConn) error {
-	return nil
-}
-
-func (e *FakeChannelIDExtension) Len() int {
-	return 4
-}
-
-func (e *FakeChannelIDExtension) Read(b []byte) (int, error) {
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-	// https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
-	b[0] = byte(fakeExtensionChannelID >> 8)
-	b[1] = byte(fakeExtensionChannelID & 0xff)
-	// The length is 0
-	return e.Len(), io.EOF
-}
-
-type utlsExtendedMasterSecretExtension struct {
-}
-
-// TODO: update when this extension is implemented in crypto/tls
-// but we probably won't have to enable it in Config
-func (e *utlsExtendedMasterSecretExtension) writeToUConn(uc *UConn) error {
-	uc.HandshakeState.Hello.Ems = true
-	return nil
-}
-
-func (e *utlsExtendedMasterSecretExtension) Len() int {
-	return 4
-}
-
-func (e *utlsExtendedMasterSecretExtension) Read(b []byte) (int, error) {
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-	// https://tools.ietf.org/html/rfc7627
-	b[0] = byte(utlsExtensionExtendedMasterSecret >> 8)
-	b[1] = byte(utlsExtensionExtendedMasterSecret)
-	// The length is 0
-	return e.Len(), io.EOF
-}
-
-var extendedMasterSecretLabel = []byte("extended master secret")
-
-// extendedMasterFromPreMasterSecret generates the master secret from the pre-master
-// secret and session hash. See https://tools.ietf.org/html/rfc7627#section-4
-func extendedMasterFromPreMasterSecret(version uint16, suite *cipherSuite, preMasterSecret []byte, fh finishedHash) []byte {
-	sessionHash := fh.Sum()
-	masterSecret := make([]byte, masterSecretLength)
-	prfForVersion(version, suite)(masterSecret, preMasterSecret, extendedMasterSecretLabel, sessionHash)
-	return masterSecret
-}
-
-// GREASE stinks with dead parrots, have to be super careful, and, if possible, not include GREASE
-const (
-	ssl_grease_cipher = iota
-	ssl_grease_group
-	ssl_grease_extension1
-	ssl_grease_extension2
-	ssl_grease_version
-	ssl_grease_ticket_extension
-)
-
-// it is responsibility of user not to generate multiple grease extensions with same value
-type FakeGREASEExtension struct {
-	Value uint16
-	Body  []byte // in Chrome first grease has empty body, second grease has a single zero byte
-}
-
-func (e *FakeGREASEExtension) writeToUConn(uc *UConn) error {
-	return nil
-}
-
-// will panic if clientRandom[index] is out of bounds.
-func GetBoringGREASEValue(clientRandom []byte, index int) uint16 {
-	// Get GREASE value BoringSSL-style. Unfortunately, this value isn't really boring and is quite interesting :(
-	// https://github.com/google/boringssl/blob/a365138ac60f38b64bfc608b493e0f879845cb88/ssl/handshake_client.c#L530
-	ret := uint16(clientRandom[index])
-	/* This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16. */
-	ret = (ret & 0xf0) | 0x0a
-	ret |= ret << 8
-	return ret
-}
-
-func (e *FakeGREASEExtension) Len() int {
-	return 4 + len(e.Body)
-}
-
-func (e *FakeGREASEExtension) Read(b []byte) (int, error) {
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-
-	b[0] = byte(e.Value >> 8)
-	b[1] = byte(e.Value)
-	b[2] = byte(len(e.Body) >> 8)
-	b[3] = byte(len(e.Body))
-	if len(e.Body) > 0 {
-		copy(b[4:], e.Body)
-	}
-	return e.Len(), io.EOF
-}
-
-//
-type utlsPaddingExtension struct {
-	PaddingLen int
-	WillPad    bool // set to false to disable extension
-
-	// Functor for deciding on padding length based on unpadded ClientHello length.
-	// If willPad is false, then this extension should not be included.
-	GetPaddingLen func(clientHelloUnpaddedLen int) (paddingLen int, willPad bool)
-}
-
-func (e *utlsPaddingExtension) writeToUConn(uc *UConn) error {
-	return nil
-}
-
-func (e *utlsPaddingExtension) Len() int {
-	if e.WillPad {
-		return 4 + e.PaddingLen
-	} else {
-		return 0
-	}
-}
-
-func (e *utlsPaddingExtension) Update(clientHelloUnpaddedLen int) {
-	if e.GetPaddingLen != nil {
-		e.PaddingLen, e.WillPad = e.GetPaddingLen(clientHelloUnpaddedLen)
-	}
-}
-
-func (e *utlsPaddingExtension) Read(b []byte) (int, error) {
-	if !e.WillPad {
-		return 0, io.EOF
-	}
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-	// https://tools.ietf.org/html/rfc7627
-	b[0] = byte(utlsExtensionPadding >> 8)
-	b[1] = byte(utlsExtensionPadding)
-	b[2] = byte(e.PaddingLen >> 8)
-	b[3] = byte(e.PaddingLen)
-	return e.Len(), io.EOF
-}
-
-// https://github.com/google/boringssl/blob/7d7554b6b3c79e707e25521e61e066ce2b996e4c/ssl/t1_lib.c#L2803
-func boringPaddingStyle(unpaddedLen int) (int, bool) {
-	if unpaddedLen > 0xff && unpaddedLen < 0x200 {
-		paddingLen := 0x200 - unpaddedLen
-		if paddingLen >= 4+1 {
-			paddingLen -= 4
-		} else {
-			paddingLen = 1
-		}
-		return paddingLen, true
-	}
-	return 0, false
-}

vendor/github.com/refraction-networking/utls/README.md

@@ -65,9 +65,11 @@ This is not a problem, if you fully control the server and turn unsupported thin
 | ------------- | -------- | ---------- | ---------------------- | --------------------------------------------- |
 | Chrome 62     | no       | no         | ChannelID              | [0a4a74aeebd1bb66](https://tlsfingerprint.io/id/0a4a74aeebd1bb66) |
 | Chrome 70     | no       | no         | ChannelID, Encrypted Certs | [bc4c7e42f4961cd7](https://tlsfingerprint.io/id/bc4c7e42f4961cd7) |
+| Chrome 72     | no       | no         | ChannelID, Encrypted Certs | [bbf04e5f1881f506](https://tlsfingerprint.io/id/bbf04e5f1881f506) |
 | Firefox 56    | very low | no         | None                   | [c884bad7f40bee56](https://tlsfingerprint.io/id/c884bad7f40bee56) |
-| Firefox 63    | very low | no         | MaxRecordSize                   | [6bfedc5d5c740d58](https://tlsfingerprint.io/id/6bfedc5d5c740d58) |
+| Firefox 65    | very low | no         | MaxRecordSize                   | [6bfedc5d5c740d58](https://tlsfingerprint.io/id/6bfedc5d5c740d58) |
 | iOS 11.1      | low** | no         | None                   | [71a81bafd58e1301](https://tlsfingerprint.io/id/71a81bafd58e1301) |
+| iOS 12.1      | low** | no         | None                   | [ec55e5b4136c7949](https://tlsfingerprint.io/id/ec55e5b4136c7949) |
 
 \* Denotes very rough guesstimate of likelihood that unsupported things will get echoed back by the server in the wild,
 *visibly breaking the connection*.  

vendor/github.com/refraction-networking/utls/u_common.go

@@ -58,8 +58,21 @@ var (
 	FakeFFDHE3072 = uint16(0x0101)
 )
 
+// https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-04
+type CertCompressionAlgo uint16
+
+const (
+	CertCompressionZlib   CertCompressionAlgo = 0x0001
+	CertCompressionBrotli CertCompressionAlgo = 0x0002
+)
+
+const (
+	PskModePlain uint8 = pskModePlain
+	PskModeDHE   uint8 = pskModeDHE
+)
+
 type ClientHelloID struct {
-	Client  string
+	Client string
 
 	// Version specifies version of a mimicked clients (e.g. browsers).
 	// Not used in randomized, custom handshake, and default Go.
@@ -99,8 +112,8 @@ type ClientHelloSpec struct {
 	CompressionMethods []uint8        // nil => no compression
 	Extensions         []TLSExtension // nil => no extensions
 
-	TLSVersMin uint16 // [1.0-1.3]
-	TLSVersMax uint16 // [1.2-1.3]
+	TLSVersMin uint16 // [1.0-1.3] default: parse from .Extensions, if SupportedVersions ext is not present => 1.0
+	TLSVersMax uint16 // [1.2-1.3] default: parse from .Extensions, if SupportedVersions ext is not present => 1.2
 
 	// GreaseStyle: currently only random
 	// sessionID may or may not depend on ticket; nil => random
@@ -126,18 +139,21 @@ var (
 	HelloRandomizedNoALPN = ClientHelloID{helloRandomizedNoALPN, helloAutoVers, nil}
 
 	// The rest will will parrot given browser.
-	HelloFirefox_Auto = HelloFirefox_63
+	HelloFirefox_Auto = HelloFirefox_65
 	HelloFirefox_55   = ClientHelloID{helloFirefox, "55", nil}
 	HelloFirefox_56   = ClientHelloID{helloFirefox, "56", nil}
 	HelloFirefox_63   = ClientHelloID{helloFirefox, "63", nil}
+	HelloFirefox_65   = ClientHelloID{helloFirefox, "65", nil}
 
-	HelloChrome_Auto = HelloChrome_70
+	HelloChrome_Auto = HelloChrome_72
 	HelloChrome_58   = ClientHelloID{helloChrome, "58", nil}
 	HelloChrome_62   = ClientHelloID{helloChrome, "62", nil}
 	HelloChrome_70   = ClientHelloID{helloChrome, "70", nil}
+	HelloChrome_72   = ClientHelloID{helloChrome, "72", nil}
 
-	HelloIOS_Auto = HelloIOS_11_1
-	HelloIOS_11_1 = ClientHelloID{helloIOS, "111", nil}
+	HelloIOS_Auto = HelloIOS_12_1
+	HelloIOS_11_1 = ClientHelloID{helloIOS, "111", nil} // legacy "111" means 11.1
+	HelloIOS_12_1 = ClientHelloID{helloIOS, "12.1", nil}
 )
 
 // based on spec's GreaseStyle, GREASE_PLACEHOLDER may be replaced by another GREASE value

vendor/github.com/refraction-networking/utls/u_conn.go

@@ -480,8 +480,58 @@ func (uconn *UConn) GetOutKeystream(length int) ([]byte, error) {
 	return nil, errors.New("Could not convert OutCipher to cipher.AEAD")
 }
 
-// SetVersCreateState set min and max TLS version in all appropriate places.
-func (uconn *UConn) SetTLSVers(minTLSVers, maxTLSVers uint16) error {
+// SetTLSVers sets min and max TLS version in all appropriate places.
+// Function will use first non-zero version parsed in following order:
+//   1) Provided minTLSVers, maxTLSVers
+//   2) specExtensions may have SupportedVersionsExtension
+//   3) [default] min = TLS 1.0, max = TLS 1.2
+//
+// Error is only returned if things are in clearly undesirable state
+// to help user fix them.
+func (uconn *UConn) SetTLSVers(minTLSVers, maxTLSVers uint16, specExtensions []TLSExtension) error {
+	if minTLSVers == 0 && maxTLSVers == 0 {
+		// if version is not set explicitly in the ClientHelloSpec, check the SupportedVersions extension
+		supportedVersionsExtensionsPresent := 0
+		for _, e := range specExtensions {
+			switch ext := e.(type) {
+			case *SupportedVersionsExtension:
+				findVersionsInSupportedVersionsExtensions := func(versions []uint16) (uint16, uint16) {
+					// returns (minVers, maxVers)
+					minVers := uint16(0)
+					maxVers := uint16(0)
+					for _, vers := range versions {
+						if vers == GREASE_PLACEHOLDER {
+							continue
+						}
+						if maxVers < vers || maxVers == 0 {
+							maxVers = vers
+						}
+						if minVers > vers || minVers == 0 {
+							minVers = vers
+						}
+					}
+					return minVers, maxVers
+				}
+
+				supportedVersionsExtensionsPresent += 1
+				minTLSVers, maxTLSVers = findVersionsInSupportedVersionsExtensions(ext.Versions)
+				if minTLSVers == 0 && maxTLSVers == 0 {
+					return fmt.Errorf("SupportedVersions extension has invalid Versions field")
+				} // else: proceed
+			}
+		}
+		switch supportedVersionsExtensionsPresent {
+		case 0:
+			// if mandatory for TLS 1.3 extension is not present, just default to 1.2
+			minTLSVers = VersionTLS10
+			maxTLSVers = VersionTLS12
+		case 1:
+		default:
+			return fmt.Errorf("uconn.Extensions contains %v separate SupportedVersions extensions",
+				supportedVersionsExtensionsPresent)
+		}
+	}
+
 	if minTLSVers < VersionTLS10 || minTLSVers > VersionTLS12 {
 		return fmt.Errorf("uTLS does not support 0x%X as min version", minTLSVers)
 	}

vendor/github.com/refraction-networking/utls/u_parrots.go

@@ -133,7 +133,81 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
 					CurveP256,
 					CurveP384,
 				}},
-				&GenericExtension{id: fakeCertCompressionAlgs, data: []byte{02, 00, 02}},
+				&FakeCertCompressionAlgsExtension{[]CertCompressionAlgo{CertCompressionBrotli}},
+				&UtlsGREASEExtension{},
+				&UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle},
+			},
+		}, nil
+	case HelloChrome_72:
+		return ClientHelloSpec{
+			CipherSuites: []uint16{
+				GREASE_PLACEHOLDER,
+				TLS_AES_128_GCM_SHA256,
+				TLS_AES_256_GCM_SHA384,
+				TLS_CHACHA20_POLY1305_SHA256,
+				TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+				TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+				TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+				TLS_RSA_WITH_AES_128_GCM_SHA256,
+				TLS_RSA_WITH_AES_256_GCM_SHA384,
+				TLS_RSA_WITH_AES_128_CBC_SHA,
+				TLS_RSA_WITH_AES_256_CBC_SHA,
+				TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+			},
+			CompressionMethods: []byte{
+				0x00, // compressionNone
+			},
+			Extensions: []TLSExtension{
+				&UtlsGREASEExtension{},
+				&SNIExtension{},
+				&UtlsExtendedMasterSecretExtension{},
+				&RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient},
+				&SupportedCurvesExtension{[]CurveID{
+					CurveID(GREASE_PLACEHOLDER),
+					X25519,
+					CurveP256,
+					CurveP384,
+				}},
+				&SupportedPointsExtension{SupportedPoints: []byte{
+					0x00, // pointFormatUncompressed
+				}},
+				&SessionTicketExtension{},
+				&ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}},
+				&StatusRequestExtension{},
+				&SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{
+					ECDSAWithP256AndSHA256,
+					PSSWithSHA256,
+					PKCS1WithSHA256,
+					ECDSAWithP384AndSHA384,
+					PSSWithSHA384,
+					PKCS1WithSHA384,
+					PSSWithSHA512,
+					PKCS1WithSHA512,
+					PKCS1WithSHA1,
+				}},
+				&SCTExtension{},
+				&KeyShareExtension{[]KeyShare{
+					{Group: CurveID(GREASE_PLACEHOLDER), Data: []byte{0}},
+					{Group: X25519},
+				}},
+				&PSKKeyExchangeModesExtension{[]uint8{
+					PskModeDHE,
+				}},
+				&SupportedVersionsExtension{[]uint16{
+					GREASE_PLACEHOLDER,
+					VersionTLS13,
+					VersionTLS12,
+					VersionTLS11,
+					VersionTLS10,
+				}},
+				&FakeCertCompressionAlgsExtension{[]CertCompressionAlgo{
+					CertCompressionBrotli,
+				}},
 				&UtlsGREASEExtension{},
 				&UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle},
 			},
@@ -186,7 +260,7 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
 			},
 			GetSessionID: nil,
 		}, nil
-	case HelloFirefox_63:
+	case HelloFirefox_63, HelloFirefox_65:
 		return ClientHelloSpec{
 			TLSVersMin: VersionTLS10,
 			TLSVersMax: VersionTLS13,
@@ -254,7 +328,7 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
 					PKCS1WithSHA1,
 				}},
 				&PSKKeyExchangeModesExtension{[]uint8{pskModeDHE}},
-				&GenericExtension{id: fakeRecordSizeLimit, data: []byte{0x40, 0x01}},
+				&FakeRecordSizeLimitExtension{0x4001},
 				&UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle},
 			}}, nil
 	case HelloIOS_11_1:
@@ -316,6 +390,68 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
 				}},
 			},
 		}, nil
+	case HelloIOS_12_1:
+		return ClientHelloSpec{
+			CipherSuites: []uint16{
+				TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+				TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				DISABLED_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+				TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+				TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+				TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+				TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				DISABLED_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+				TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+				TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+				TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+				TLS_RSA_WITH_AES_256_GCM_SHA384,
+				TLS_RSA_WITH_AES_128_GCM_SHA256,
+				DISABLED_TLS_RSA_WITH_AES_256_CBC_SHA256,
+				TLS_RSA_WITH_AES_128_CBC_SHA256,
+				TLS_RSA_WITH_AES_256_CBC_SHA,
+				TLS_RSA_WITH_AES_128_CBC_SHA,
+				0xc008,
+				TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+				TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+			},
+			CompressionMethods: []byte{
+				compressionNone,
+			},
+			Extensions: []TLSExtension{
+				&RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient},
+				&SNIExtension{},
+				&UtlsExtendedMasterSecretExtension{},
+				&SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{
+					ECDSAWithP256AndSHA256,
+					PSSWithSHA256,
+					PKCS1WithSHA256,
+					ECDSAWithP384AndSHA384,
+					ECDSAWithSHA1,
+					PSSWithSHA384,
+					PSSWithSHA384,
+					PKCS1WithSHA384,
+					PSSWithSHA512,
+					PKCS1WithSHA512,
+					PKCS1WithSHA1,
+				}},
+				&StatusRequestExtension{},
+				&NPNExtension{},
+				&SCTExtension{},
+				&ALPNExtension{AlpnProtocols: []string{"h2", "h2-16", "h2-15", "h2-14", "spdy/3.1", "spdy/3", "http/1.1"}},
+				&SupportedPointsExtension{SupportedPoints: []byte{
+					pointFormatUncompressed,
+				}},
+				&SupportedCurvesExtension{[]CurveID{
+					X25519,
+					CurveP256,
+					CurveP384,
+					CurveP521,
+				}},
+			},
+		}, nil
 	default:
 		return ClientHelloSpec{}, errors.New("ClientHello ID " + id.Str() + " is unknown")
 	}
@@ -349,7 +485,8 @@ func (uconn *UConn) applyPresetByID(id ClientHelloID) (err error) {
 // same ClientHelloSpec. It is advised to use different specs and avoid any shared state.
 func (uconn *UConn) ApplyPreset(p *ClientHelloSpec) error {
 	var err error
-	err = uconn.SetTLSVers(p.TLSVersMin, p.TLSVersMax)
+
+	err = uconn.SetTLSVers(p.TLSVersMin, p.TLSVersMax, p.Extensions)
 	if err != nil {
 		return err
 	}
@@ -427,6 +564,11 @@ func (uconn *UConn) ApplyPreset(p *ClientHelloSpec) error {
 			}
 			grease_extensions_seen += 1
 		case *SessionTicketExtension:
+			if session == nil && uconn.config.ClientSessionCache != nil {
+				cacheKey := clientSessionCacheKey(uconn.RemoteAddr(), uconn.config)
+				session, _ = uconn.config.ClientSessionCache.Get(cacheKey)
+				// TODO: use uconn.loadSession(hello.getPrivatePtr()) to support TLS 1.3 PSK-style resumption
+			}
 			err := uconn.SetSessionState(session)
 			if err != nil {
 				return err
@@ -635,10 +777,6 @@ func (uconn *UConn) generateRandomizedSpec() (ClientHelloSpec, error) {
 	r.rand.Shuffle(len(p.Extensions), func(i, j int) {
 		p.Extensions[i], p.Extensions[j] = p.Extensions[j], p.Extensions[i]
 	})
-	err = uconn.SetTLSVers(p.TLSVersMin, p.TLSVersMax)
-	if err != nil {
-		return p, err
-	}
 
 	return p, nil
 }

vendor/github.com/refraction-networking/utls/u_tls_extensions.go

@@ -392,32 +392,6 @@ func (e *GenericExtension) Read(b []byte) (int, error) {
 	return e.Len(), io.EOF
 }
 
-/*
-FAKE EXTENSIONS
-*/
-
-type FakeChannelIDExtension struct {
-}
-
-func (e *FakeChannelIDExtension) writeToUConn(uc *UConn) error {
-	return nil
-}
-
-func (e *FakeChannelIDExtension) Len() int {
-	return 4
-}
-
-func (e *FakeChannelIDExtension) Read(b []byte) (int, error) {
-	if len(b) < e.Len() {
-		return 0, io.ErrShortBuffer
-	}
-	// https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
-	b[0] = byte(fakeExtensionChannelID >> 8)
-	b[1] = byte(fakeExtensionChannelID & 0xff)
-	// The length is 0
-	return e.Len(), io.EOF
-}
-
 type UtlsExtendedMasterSecretExtension struct {
 }
 
@@ -712,5 +686,94 @@ func (e *CookieExtension) Read(b []byte) (int, error) {
 	return e.Len(), io.EOF
 }
 
-// TODO: FakeCertificateCompressionAlgorithmsExtension
-// TODO: FakeRecordSizeLimitExtension
+/*
+FAKE EXTENSIONS
+*/
+
+type FakeChannelIDExtension struct {
+}
+
+func (e *FakeChannelIDExtension) writeToUConn(uc *UConn) error {
+	return nil
+}
+
+func (e *FakeChannelIDExtension) Len() int {
+	return 4
+}
+
+func (e *FakeChannelIDExtension) Read(b []byte) (int, error) {
+	if len(b) < e.Len() {
+		return 0, io.ErrShortBuffer
+	}
+	// https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
+	b[0] = byte(fakeExtensionChannelID >> 8)
+	b[1] = byte(fakeExtensionChannelID & 0xff)
+	// The length is 0
+	return e.Len(), io.EOF
+}
+
+type FakeCertCompressionAlgsExtension struct {
+	Methods []CertCompressionAlgo
+}
+
+func (e *FakeCertCompressionAlgsExtension) writeToUConn(uc *UConn) error {
+	return nil
+}
+
+func (e *FakeCertCompressionAlgsExtension) Len() int {
+	return 4 + 1 + (2 * len(e.Methods))
+}
+
+func (e *FakeCertCompressionAlgsExtension) Read(b []byte) (int, error) {
+	if len(b) < e.Len() {
+		return 0, io.ErrShortBuffer
+	}
+	// https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
+	b[0] = byte(fakeCertCompressionAlgs >> 8)
+	b[1] = byte(fakeCertCompressionAlgs & 0xff)
+
+	extLen := 2 * len(e.Methods)
+	if extLen > 255 {
+		return 0, errors.New("too many certificate compression methods")
+	}
+
+	b[2] = byte((extLen + 1) >> 8)
+	b[3] = byte((extLen + 1) & 0xff)
+	b[4] = byte(extLen)
+
+	i := 5
+	for _, compMethod := range e.Methods {
+		b[i] = byte(compMethod >> 8)
+		b[i+1] = byte(compMethod)
+		i += 2
+	}
+	return e.Len(), io.EOF
+}
+
+type FakeRecordSizeLimitExtension struct {
+	Limit uint16
+}
+
+func (e *FakeRecordSizeLimitExtension) writeToUConn(uc *UConn) error {
+	return nil
+}
+
+func (e *FakeRecordSizeLimitExtension) Len() int {
+	return 6
+}
+
+func (e *FakeRecordSizeLimitExtension) Read(b []byte) (int, error) {
+	if len(b) < e.Len() {
+		return 0, io.ErrShortBuffer
+	}
+	// https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
+	b[0] = byte(fakeRecordSizeLimit >> 8)
+	b[1] = byte(fakeRecordSizeLimit & 0xff)
+
+	b[2] = byte(0)
+	b[3] = byte(2)
+
+	b[4] = byte(e.Limit >> 8)
+	b[5] = byte(e.Limit & 0xff)
+	return e.Len(), io.EOF
+}

vendor/vendor.json

@@ -63,16 +63,10 @@
 			"revisionTime": "2018-09-12T16:47:43Z"
 		},
 		{
-			"checksumSHA1": "jgnMy8LzzP2+YM0UxU/Bz0Gq1Xc=",
+			"checksumSHA1": "DmQc8vfP44VMUTIZJGM4WslOyk0=",
 			"path": "github.com/Psiphon-Labs/tls-tris",
-			"revision": "b1bee89a578d564109bdfa48f9ba1b9434d776f9",
-			"revisionTime": "2019-01-08T19:41:13Z"
-		},
-		{
-			"checksumSHA1": "pXgGBe9O8n4KGzAlakVVVwwJqxo=",
-			"path": "github.com/Psiphon-Labs/utls",
-			"revision": "11a4cc03332235a55c37ed7d686f4ac008749ddb",
-			"revisionTime": "2018-12-19T02:27:42Z"
+			"revision": "b5083341bf6cb581f3319c6dfbb39dd6ae3a97ea",
+			"revisionTime": "2019-03-21T17:45:24Z"
 		},
 		{
 			"checksumSHA1": "zaEXXT0xMkEADcxW9GvBK0iYe1A=",
@@ -460,10 +454,10 @@
 			"tree": true
 		},
 		{
-			"checksumSHA1": "DOD/+i5lGLwR8HueE7E4H48Z8OA=",
+			"checksumSHA1": "Uuafl1PrU6CwsKq6X5ckHNMAA6w=",
 			"path": "github.com/refraction-networking/utls",
-			"revision": "f8425e69f7d4eff4e1988c6c4ca1ca9a6e17a42f",
-			"revisionTime": "2019-03-17T21:38:08Z"
+			"revision": "b7c656eec2d2aa957b1e844446e867a567e17d1f",
+			"revisionTime": "2019-03-27T16:53:10Z"
 		},
 		{
 			"checksumSHA1": "Fn9JW8u40ABN9Uc9wuvquuyOB+8=",