
Fix random range edge conditions and add comments for clarity

Rod Hynes %!s(int64=11) %!d(string=hai) anos
pai
achega
a68bf8254a
Modificáronse 4 ficheiros con 6 adicións e 3 borrados
  1. 2 1
      psiphon/meekConn.go
  2. 1 0
      psiphon/obfuscatedSshConn.go
  3. 2 1
      psiphon/obfuscator.go
  4. 1 1
      psiphon/utils.go

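--- a/psiphon/meekConn.go
+++ b/psiphon/meekConn.go
@@ -505,7 +505,8 @@ func makeCookie(serverEntry *ServerEntry, sessionId string) (cookie *http.Cookie
 	// The format is <random letter 'A'-'Z'>=<base64 data>, which is intended to match common cookie formats.
 	A := int('A')
 	Z := int('Z')
-	letterIndex, err := MakeSecureRandomInt(Z - A)
+	// letterIndex is integer in range [int('A'), int('Z')]
+	letterIndex, err := MakeSecureRandomInt(Z - A + 1)
 	if err != nil {
 		return nil, ContextError(err)
 	}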
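Review bot: The added comment above the `MakeSecureRandomInt(Z - A + 1)` call gives the range as [int('A'), int('Z')], but under the wrapper's documented [0, max) contract the call returns an offset in [0, Z-A]. The letter itself is presumably formed later by adding A; that code, like the rest of makeCookie, is outside this hunk. I would reword the comment to `// letterIndex is an offset in [0, Z-A]; adding A yields a letter in ['A', 'Z']` so a later reader does not add or drop an A by mistake.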

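--- a/psiphon/obfuscatedSshConn.go
+++ b/psiphon/obfuscatedSshConn.go
@@ -304,6 +304,7 @@ func (conn *ObfuscatedSshConn) transformAndWrite(buffer []byte) (err error) {
 			// See RFC 4253 sec. 6 for constraints
 			possiblePaddings := (SSH_MAX_PADDING_LENGTH - paddingLength) / SSH_PADDING_MULTIPLE
 			if possiblePaddings > 0 {
+				// selectedPadding is integer in range [0, possiblePaddings)
 				selectedPadding, err := MakeSecureRandomInt(possiblePaddings)
 				if err != nil {
 					return ContextError(err)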
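Review bot: The new comment documents an exclusive upper bound, [0, possiblePaddings), while the other two call sites in this commit were widened to inclusive ranges, and nothing here says whether the difference is intended. By the integer division on the line above, paddingLength + possiblePaddings*SSH_PADDING_MULTIPLE never exceeds SSH_MAX_PADDING_LENGTH, so the largest candidate looks usable yet is never selected (assuming the constant is itself an allowed length; its definition is not shown). Since padding lengths are part of what this connection presents on the wire, the comment should record the decision, e.g. `// selectedPadding is in [0, possiblePaddings); the largest multiple is intentionally never chosen`, or the call should pass `possiblePaddings + 1` if the exclusion is an oversight. transformAndWrite continues outside the hunk.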

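--- a/psiphon/obfuscator.go
+++ b/psiphon/obfuscator.go
@@ -125,7 +125,8 @@ func deriveKey(seed, keyword, iv []byte) ([]byte, error) {
 }
 
 func makeSeedMessage(maxPadding int, seed []byte, clientToServerCipher *rc4.Cipher) ([]byte, error) {
-	paddingLength, err := MakeSecureRandomInt(maxPadding)
+	// paddingLength is integer in range [0, maxPadding]
+	paddingLength, err := MakeSecureRandomInt(maxPadding + 1)
 	if err != nil {
 		return nil, ContextError(err)
 	}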
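Review bot: `MakeSecureRandomInt(maxPadding + 1)` is reached with no check on maxPadding, and crypto/rand.Int panics when its bound is <= 0, so a negative maxPadding would crash the process instead of returning through the existing `err` path. The wrapper in psiphon/utils.go already returns an error and this commit edits its doc comment, so the guard fits best there: `if max <= 0 { return 0, errors.New("max must be positive") }` (or the project's own error helper), with the precondition added to that comment. Whether any caller can pass a negative value is not visible on this page, and makeSeedMessage continues outside the hunk.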

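--- a/psiphon/utils.go
+++ b/psiphon/utils.go
@@ -42,7 +42,7 @@ func Contains(list []string, target string) bool {
 }
 
 // MakeSecureRandomInt is a helper function that wraps
-// crypto/rand.Int.
+// crypto/rand.Int, which returns a uniform random value in [0, max).
 func MakeSecureRandomInt(max int) (int, error) {
 	randomInt, err := rand.Int(rand.Reader, big.NewInt(int64(max)))
 	if err != nil {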