
Don't send TLS 1.2 obfuscated session ticket when using TLS 1.3

Rod Hynes 7 лет назад
Родитель
Сommit
f8f67147ad

+ 4 - 0
psiphon/common/protocol/protocol.go

@@ -215,6 +215,10 @@ func TLSProfileIsRandomized(tlsProfile string) bool {
 		tlsProfile == TLS_PROFILE_TLS13_RANDOMIZED
 }
 
+func TLSProfileIsTLS13(tlsProfile string) bool {
+	return tlsProfile == TLS_PROFILE_TLS13_RANDOMIZED
+}
+
 type TLSProfiles []string
 
 func (profiles TLSProfiles) Validate() error {
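Review bot: The new exported `TLSProfileIsTLS13` has no doc comment, although the dialer change in this commit uses it as the gate for the TLS 1.3 path. I would add `// TLSProfileIsTLS13 reports whether tlsProfile negotiates TLS 1.3; every new TLS 1.3 profile constant must be listed here.` The predicate matches only `TLS_PROFILE_TLS13_RANDOMIZED`, so a TLS 1.3 profile added later and not listed here would be rejected by the caller's check. That fails closed, but it is hard to trace without the comment.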

+ 16 - 9
psiphon/tlsDialer.go

@@ -396,15 +396,22 @@ func CustomTLSDial(
 
 	} else {
 
-		var clientSessionCache tris.ClientSessionCache
-		if config.ObfuscatedSessionTicketKey != "" {
-			clientSessionCache = tris.NewObfuscatedClientSessionCache(
-				obfuscatedSessionTicketKey)
-		} else {
-			clientSessionCache = config.trisClientSessionCache
-			if clientSessionCache == nil {
-				clientSessionCache = tris.NewLRUClientSessionCache(0)
-			}
+		clientSessionCache := config.trisClientSessionCache
+		if clientSessionCache == nil {
+			clientSessionCache = tris.NewLRUClientSessionCache(0)
+		}
+
+		// The tris TLS provider should be used only for TLS 1.3.
+		//
+		// Obfuscated session tickets are not currently supported in TLS 1.3,
+		// but we allow UNFRONTED-MEEK-SESSION-TICKET-OSSH to use TLS 1.3
+		// profiles for additional diversity/capacity; TLS 1.3 encrypts the
+		// server certificate, so the desired obfuscated session tickets
+		// property of obfuscating server certificates is satisfied.
+		//
+		// An additional sanity check:
+		if !protocol.TLSProfileIsTLS13(selectedTLSProfile) {
+			return nil, common.ContextError(errors.New("TLS profile is not TLS 1.3"))
 		}
 
 		tlsConfig := &tris.Config{
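Review bot: The added sanity check tests the selected profile name, not the TLS version that is actually negotiated. The comment's reason for dropping the obfuscated session ticket (TLS 1.3 encrypts the server certificate) holds only if the handshake really completes at TLS 1.3. The `tris.Config` literal opens on the last line of the hunk and CustomTLSDial continues outside it, so whether the minimum version is pinned is not visible here. If it is not, add `MinVersion: tris.VersionTLS13,` to that literal, or verify the connection state's version after the handshake and fail the dial otherwise. The profile check could also run before the session cache is set up, since the cache is unused once the check fails.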

+ 5 - 0
vendor/github.com/Psiphon-Labs/tls-tris/obfuscated.go

@@ -62,6 +62,11 @@ import (
 //     negotiated with the server, such as the cipher suite. It's implicitly assumed that
 //     the server can support the selected parameters.
 //
+// tls-tris notes:
+//   - Obfuscated session tickets are not supported for TLS 1.3 _clients_, which use a
+//     distinct session ticket format. Obfuscated session ticket support in this package
+//     is intended to support TLS 1.2 clients.
+//
 func NewObfuscatedClientSessionCache(sharedSecret [32]byte) ClientSessionCache {
 	return &obfuscatedClientSessionCache{
 		sharedSecret: sharedSecret,

+ 3 - 3
vendor/vendor.json

@@ -63,10 +63,10 @@
 			"revisionTime": "2018-09-12T16:47:43Z"
 		},
 		{
-			"checksumSHA1": "jfV4PEzL1mcC3i/V903S4gVDYFU=",
+			"checksumSHA1": "jgnMy8LzzP2+YM0UxU/Bz0Gq1Xc=",
 			"path": "github.com/Psiphon-Labs/tls-tris",
-			"revision": "a28158310549bd66234df1b4010a6565c33173cb",
-			"revisionTime": "2018-12-19T02:25:17Z"
+			"revision": "b1bee89a578d564109bdfa48f9ba1b9434d776f9",
+			"revisionTime": "2019-01-08T19:41:13Z"
 		},
 		{
 			"checksumSHA1": "pXgGBe9O8n4KGzAlakVVVwwJqxo=",