
Use refraction-networking/utls@23de245734c7

Amir Khan 1 год назад
Родитель
Сommit
d6b73dff3e

+ 1 - 1
go.mod

@@ -37,7 +37,7 @@ require (
 	github.com/pion/sctp v1.8.8
 	github.com/refraction-networking/conjure v0.7.11-0.20240130155008-c8df96195ab2
 	github.com/refraction-networking/gotapdance v1.7.10
-	github.com/refraction-networking/utls v1.6.7
+	github.com/refraction-networking/utls v1.6.8-0.20240720032424-23de245734c7
 	github.com/ryanuber/go-glob v0.0.0-20170128012129-256dc444b735
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.8.4

+ 2 - 2
go.sum

@@ -192,8 +192,8 @@ github.com/refraction-networking/gotapdance v1.7.10 h1:vPtvuihP95SqrnnpX//KI1PTq
 github.com/refraction-networking/gotapdance v1.7.10/go.mod h1:N7Xmt+/bLv+1VctiBHtsaL6YBknW2ox5LRLzPTISMzY=
 github.com/refraction-networking/obfs4 v0.1.2 h1:J842O4fGSkd2W8ogYj0KN6gqVVY+Cpqodw9qFGL7wVU=
 github.com/refraction-networking/obfs4 v0.1.2/go.mod h1:wAl/+gWiLsrcykJA3nKJHx89f5/gXGM8UKvty7+mvbM=
-github.com/refraction-networking/utls v1.6.7 h1:zVJ7sP1dJx/WtVuITug3qYUq034cDq9B2MR1K67ULZM=
-github.com/refraction-networking/utls v1.6.7/go.mod h1:BC3O4vQzye5hqpmDTWUqi4P5DDhzJfkV1tdqtawQIH0=
+github.com/refraction-networking/utls v1.6.8-0.20240720032424-23de245734c7 h1:2D69ZJ8F+kPHFTQp4jF6GQ80eZWXDUwWf1JWsGMak0M=
+github.com/refraction-networking/utls v1.6.8-0.20240720032424-23de245734c7/go.mod h1:BC3O4vQzye5hqpmDTWUqi4P5DDhzJfkV1tdqtawQIH0=
 github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc=
 github.com/ryanuber/go-glob v0.0.0-20170128012129-256dc444b735 h1:7YvPJVmEeFHR1Tj9sZEYsmarJEQfMVYpd/Vyy/A8dqE=
 github.com/ryanuber/go-glob v0.0.0-20170128012129-256dc444b735/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=

+ 9 - 13
vendor/github.com/refraction-networking/utls/handshake_client.go

@@ -368,25 +368,21 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
 	// Check that the cached server certificate is not expired, and that it's
 	// valid for the ServerName. This should be ensured by the cache key, but
 	// protect the application from a faulty ClientSessionCache implementation.
-	if c.config.time().After(session.peerCertificates[0].NotAfter) {
-		// Expired certificate, delete the entry.
-		c.config.ClientSessionCache.Put(cacheKey, nil)
-		return nil, nil, nil, nil
+	// [UTLS SECTION START]
+	if !c.config.InsecureSkipTimeVerify {
+		if c.config.time().After(session.peerCertificates[0].NotAfter) {
+			// Expired certificate, delete the entry.
+			c.config.ClientSessionCache.Put(cacheKey, nil)
+			return nil, nil, nil, nil
+		}
 	}
+	// [UTLS SECTION END]
 	if !c.config.InsecureSkipVerify {
 		if len(session.verifiedChains) == 0 {
 			// The original connection had InsecureSkipVerify, while this doesn't.
 			return nil, nil, nil, nil
 		}
-		serverCert := session.peerCertificates[0]
 		// [UTLS SECTION START]
-		if !c.config.InsecureSkipTimeVerify {
-			if c.config.time().After(serverCert.NotAfter) {
-				// Expired certificate, delete the entry.
-				c.config.ClientSessionCache.Put(cacheKey, nil)
-				return nil, nil, nil, nil
-			}
-		}
 		var dnsName string
 		if len(c.config.InsecureServerNameToVerify) == 0 {
 			dnsName = c.config.ServerName
@@ -394,7 +390,7 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
 			dnsName = c.config.InsecureServerNameToVerify
 		}
 		if len(dnsName) > 0 {
-			if err := serverCert.VerifyHostname(dnsName); err != nil {
+			if err := session.peerCertificates[0].VerifyHostname(dnsName); err != nil {
 				return nil, nil, nil, nil
 			}
 		}

+ 2 - 1
vendor/github.com/refraction-networking/utls/u_conn.go

@@ -32,6 +32,7 @@ type UConn struct {
 	sessionController *sessionController
 
 	clientHelloBuildStatus ClientHelloBuildStatus
+	clientHelloSpec        *ClientHelloSpec
 
 	HandshakeState PubClientHandshakeState
 
@@ -154,9 +155,9 @@ func (uconn *UConn) buildHandshakeState(loadSession bool) error {
 		if loadSession {
 			uconn.uApplyPatch()
 			uconn.sessionController.finalCheck()
+			uconn.clientHelloBuildStatus = BuildByUtls
 		}
 
-		uconn.clientHelloBuildStatus = BuildByUtls
 	}
 	return nil
 }

+ 0 - 1
vendor/github.com/refraction-networking/utls/u_handshake_client.go

@@ -219,7 +219,6 @@ func (c *Conn) makeClientHelloForApplyPreset() (*clientHelloMsg, clientKeyShareP
 		vers:                         clientHelloVersion,
 		compressionMethods:           []uint8{compressionNone},
 		random:                       make([]byte, 32),
-		extendedMasterSecret:         true,
 		ocspStapling:                 true,
 		scts:                         true,
 		serverName:                   hostnameInSNI(config.ServerName),

+ 22 - 16
vendor/github.com/refraction-networking/utls/u_parrots.go

@@ -2588,25 +2588,31 @@ func ShuffleChromeTLSExtensions(exts []TLSExtension) []TLSExtension {
 }
 
 func (uconn *UConn) applyPresetByID(id ClientHelloID) (err error) {
-	var spec ClientHelloSpec
-	uconn.ClientHelloID = id
-	// choose/generate the spec
-	switch id.Client {
-	case helloRandomized, helloRandomizedNoALPN, helloRandomizedALPN:
-		spec, err = uconn.generateRandomizedSpec()
-		if err != nil {
-			return err
-		}
-	case helloCustom:
-		return nil
-	default:
-		spec, err = UTLSIdToSpec(id)
-		if err != nil {
-			return err
+
+	if uconn.clientHelloSpec == nil {
+		var spec ClientHelloSpec
+		uconn.ClientHelloID = id
+
+		// choose/generate the spec
+		switch id.Client {
+		case helloRandomized, helloRandomizedNoALPN, helloRandomizedALPN:
+			spec, err = uconn.generateRandomizedSpec()
+			if err != nil {
+				return err
+			}
+		case helloCustom:
+			return nil
+		default:
+			spec, err = UTLSIdToSpec(id)
+			if err != nil {
+				return err
+			}
 		}
+
+		uconn.clientHelloSpec = &spec
 	}
 
-	return uconn.ApplyPreset(&spec)
+	return uconn.ApplyPreset(uconn.clientHelloSpec)
 }
 
 // ApplyPreset should only be used in conjunction with HelloCustom to apply custom specs.

+ 27 - 3
vendor/github.com/refraction-networking/utls/u_public.go

@@ -617,9 +617,6 @@ func (PSS PskIdentities) ToPrivate() []pskIdentity {
 
 // ClientSessionState is public, but all its fields are private. Let's add setters, getters and constructor
 
-// TODO! can we change this enought (or export SessionState),
-// such that we wouldn't need to fork crypto/tls?
-
 // ClientSessionState contains the state needed by clients to resume TLS sessions.
 func MakeClientSessionState(
 	SessionTicket []uint8,
@@ -679,36 +676,49 @@ func (css *ClientSessionState) VerifiedChains() [][]*x509.Certificate {
 func (css *ClientSessionState) SetSessionTicket(SessionTicket []uint8) {
 	css.ticket = SessionTicket
 }
+
 func (css *ClientSessionState) SetVers(Vers uint16) {
 	if css.session == nil {
 		css.session = &SessionState{}
 	}
 	css.session.version = Vers
 }
+
 func (css *ClientSessionState) SetCipherSuite(CipherSuite uint16) {
 	if css.session == nil {
 		css.session = &SessionState{}
 	}
 	css.session.cipherSuite = CipherSuite
 }
+
+func (css *ClientSessionState) SetCreatedAt(createdAt uint64) {
+	if css.session == nil {
+		css.session = &SessionState{}
+	}
+	css.session.createdAt = createdAt
+}
+
 func (css *ClientSessionState) SetMasterSecret(MasterSecret []byte) {
 	if css.session == nil {
 		css.session = &SessionState{}
 	}
 	css.session.secret = MasterSecret
 }
+
 func (css *ClientSessionState) SetEMS(ems bool) {
 	if css.session == nil {
 		css.session = &SessionState{}
 	}
 	css.session.extMasterSecret = ems
 }
+
 func (css *ClientSessionState) SetServerCertificates(ServerCertificates []*x509.Certificate) {
 	if css.session == nil {
 		css.session = &SessionState{}
 	}
 	css.session.peerCertificates = ServerCertificates
 }
+
 func (css *ClientSessionState) SetVerifiedChains(VerifiedChains [][]*x509.Certificate) {
 	if css.session == nil {
 		css.session = &SessionState{}
@@ -716,6 +726,20 @@ func (css *ClientSessionState) SetVerifiedChains(VerifiedChains [][]*x509.Certif
 	css.session.verifiedChains = VerifiedChains
 }
 
+func (css *ClientSessionState) SetUseBy(useBy uint64) {
+	if css.session == nil {
+		css.session = &SessionState{}
+	}
+	css.session.useBy = useBy
+}
+
+func (css *ClientSessionState) SetAgeAdd(ageAdd uint32) {
+	if css.session == nil {
+		css.session = &SessionState{}
+	}
+	css.session.ageAdd = ageAdd
+}
+
 // TicketKey is the internal representation of a session ticket key.
 type TicketKey struct {
 	AesKey  [16]byte

+ 1 - 1
vendor/modules.txt

@@ -338,7 +338,7 @@ github.com/refraction-networking/obfs4/common/replayfilter
 github.com/refraction-networking/obfs4/transports/base
 github.com/refraction-networking/obfs4/transports/obfs4
 github.com/refraction-networking/obfs4/transports/obfs4/framing
-# github.com/refraction-networking/utls v1.6.7
+# github.com/refraction-networking/utls v1.6.8-0.20240720032424-23de245734c7
 ## explicit; go 1.21
 github.com/refraction-networking/utls
 github.com/refraction-networking/utls/dicttls