
Merge branch 'master' into staging-client

Rod Hynes 1 year ago
parent
commit
802fe08cbd

+ 6 - 6
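--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -80,7 +80,7 @@ jobs:
           go test -v -race ./psiphon/common/accesscontrol
           go test -v -race ./psiphon/common/crypto/ssh
           go test -v -race ./psiphon/common/fragmentor
-          go test -v -timeout 20m -race -tags "PSIPHON_ENABLE_INPROXY" ./psiphon/common/inproxy
+          go test -v -race -tags "PSIPHON_ENABLE_INPROXY" ./psiphon/common/inproxy
           go test -v -race ./psiphon/common/regen
           go test -v -race ./psiphon/common/monotime
           go test -v -race ./psiphon/common/obfuscator
@@ -95,9 +95,9 @@ jobs:
           go test -v -race ./psiphon/common/values
           go test -v -race ./psiphon/common/wildcard
           go test -v -race ./psiphon/transferstats
-          sudo -E env "PATH=$PATH" go test -v -timeout 20m -race -tags "PSIPHON_ENABLE_INPROXY PSIPHON_RUN_PACKET_MANIPULATOR_TEST" ./psiphon/server
+          sudo -E env "PATH=$PATH" go test -v -timeout 30m -race -tags "PSIPHON_ENABLE_INPROXY PSIPHON_RUN_PACKET_MANIPULATOR_TEST" ./psiphon/server
           go test -v -race ./psiphon/server/psinet
-          go test -v -timeout 20m -race ./psiphon
+          go test -v -timeout 30m -race ./psiphon
           go test -v -race ./ClientLibrary/clientlib
           go test -v -race ./Server/logging/analysis
 
@@ -113,7 +113,7 @@ jobs:
           go test -v -covermode=count -coverprofile=accesscontrol.coverprofile ./psiphon/common/accesscontrol
           go test -v -covermode=count -coverprofile=ssh.coverprofile ./psiphon/common/crypto/ssh
           go test -v -covermode=count -coverprofile=fragmentor.coverprofile ./psiphon/common/fragmentor
-          go test -v -timeout 20m -covermode=count -tags "PSIPHON_ENABLE_INPROXY" -coverprofile=inproxy.coverprofile ./psiphon/common/inproxy
+          go test -v -covermode=count -tags "PSIPHON_ENABLE_INPROXY" -coverprofile=inproxy.coverprofile ./psiphon/common/inproxy
           go test -v -covermode=count -coverprofile=regen.coverprofile ./psiphon/common/regen
           go test -v -covermode=count -coverprofile=monotime.coverprofile ./psiphon/common/monotime
           go test -v -covermode=count -coverprofile=obfuscator.coverprofile ./psiphon/common/obfuscator
@@ -128,9 +128,9 @@ jobs:
           go test -v -covermode=count -coverprofile=values.coverprofile ./psiphon/common/values
           go test -v -covermode=count -coverprofile=wildcard.coverprofile ./psiphon/common/wildcard
           go test -v -covermode=count -coverprofile=transferstats.coverprofile ./psiphon/transferstats
-          sudo -E env "PATH=$PATH" go test -v -timeout 20m -covermode=count -coverprofile=server.coverprofile -tags "PSIPHON_ENABLE_INPROXY PSIPHON_RUN_PACKET_MANIPULATOR_TEST" ./psiphon/server
+          sudo -E env "PATH=$PATH" go test -v -timeout 30m -covermode=count -coverprofile=server.coverprofile -tags "PSIPHON_ENABLE_INPROXY PSIPHON_RUN_PACKET_MANIPULATOR_TEST" ./psiphon/server
           go test -v -covermode=count -coverprofile=psinet.coverprofile ./psiphon/server/psinet
-          go test -v -timeout 20m -covermode=count -coverprofile=psiphon.coverprofile ./psiphon
+          go test -v -timeout 30m -covermode=count -coverprofile=psiphon.coverprofile ./psiphon
           go test -v -covermode=count -coverprofile=clientlib.coverprofile ./ClientLibrary/clientlib
           go test -v -covermode=count -coverprofile=analysis.coverprofile ./Server/logging/analysis
           $GOPATH/bin/gover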
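Review bot: The two inproxy lines drop `-timeout 20m` with nothing in its place, so `./psiphon/common/inproxy` now runs under go test's default 10-minute limit in both the `-race` step and the `-covermode=count` step. Every other timeout touched in this file goes up to 30m, so the shorter limit here looks like it could be unintended. If the package is expected to finish within the default, a one-line workflow comment saying so would do; otherwise keep an explicit value, e.g. `go test -v -timeout 20m -race -tags "PSIPHON_ENABLE_INPROXY" ./psiphon/common/inproxy`.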

+ 1 - 1
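--- a/go.mod
+++ b/go.mod
@@ -37,7 +37,7 @@ require (
 	github.com/Psiphon-Labs/goptlib v0.0.0-20200406165125-c0e32a7a3464
 	github.com/Psiphon-Labs/psiphon-tls v0.0.0-20240824224428-ca6969e315a9
 	github.com/Psiphon-Labs/quic-go v0.0.0-20240821052333-b6316b594e39
-	github.com/Psiphon-Labs/utls v1.1.1-0.20240821052800-443a34df921f
+	github.com/Psiphon-Labs/utls v1.1.1-0.20241107183331-b18909f8ccaa
 	github.com/armon/go-proxyproto v0.0.0-20180202201750-5b7edb60ff5f
 	github.com/bifurcation/mint v0.0.0-20180306135233-198357931e61
 	github.com/bits-and-blooms/bloom/v3 v3.6.0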

+ 2 - 2
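--- a/go.sum
+++ b/go.sum
@@ -22,8 +22,8 @@ github.com/Psiphon-Labs/psiphon-tls v0.0.0-20240824224428-ca6969e315a9 h1:AJj1cS
 github.com/Psiphon-Labs/psiphon-tls v0.0.0-20240824224428-ca6969e315a9/go.mod h1:AaKKoshr8RI1LZTheeNDtNuZ39qNVPWVK4uir2c2XIs=
 github.com/Psiphon-Labs/quic-go v0.0.0-20240821052333-b6316b594e39 h1:ft0K9EDdBtMl+Q/akZ+qt3SdcmbtnTQOgE3OlWI6uz0=
 github.com/Psiphon-Labs/quic-go v0.0.0-20240821052333-b6316b594e39/go.mod h1:2MTiPsgoOqWs3Bo6Xr3ElMBX6zzfjd3YkDFpQJLwHdQ=
-github.com/Psiphon-Labs/utls v1.1.1-0.20240821052800-443a34df921f h1:7pxNVyg1fYHhJGoZjlDVXYIEeEbihNPv7fUgmKw3MG4=
-github.com/Psiphon-Labs/utls v1.1.1-0.20240821052800-443a34df921f/go.mod h1:dxmztdV9lf59cq44YY8r21m3b+xSjhg98cgZW8WK1p0=
+github.com/Psiphon-Labs/utls v1.1.1-0.20241107183331-b18909f8ccaa h1:5FszHIhxb7yO267qt47tTfJOtD31k7R80L88EwNm4tc=
+github.com/Psiphon-Labs/utls v1.1.1-0.20241107183331-b18909f8ccaa/go.mod h1:dxmztdV9lf59cq44YY8r21m3b+xSjhg98cgZW8WK1p0=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI=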

+ 26 - 10
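--- a/psiphon/common/tactics/tactics.go
+++ b/psiphon/common/tactics/tactics.go
@@ -158,6 +158,7 @@ import (
 	"net/http"
 	"sort"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common"
@@ -255,7 +256,7 @@ type Server struct {
 	apiParameterValidator common.APIParameterValidator
 
 	cachedTacticsData *lrucache.Cache
-	filterMatches     []bool
+	filterMatches     *sync.Pool
 }
 
 const (
@@ -468,6 +469,9 @@ func NewServer(
 				return errors.Trace(err)
 			}
 
+			// Server.ReloadableFile.RWMutex is the mutex for accessing
+			// these and other Server fields.
+
 			// Modify actual traffic rules only after validation
 			server.RequestPublicKey = newServer.RequestPublicKey
 			server.RequestPrivateKey = newServer.RequestPrivateKey
@@ -477,15 +481,23 @@ func NewServer(
 
 			// Any cached, merged tactics data is flushed when the
 			// configuration changes.
-			//
-			// A single filterMatches, used in getTactics, is allocated here
-			// to avoid allocating a slice per getTactics call.
-			//
-			// Server.ReloadableFile.RLock/RUnlock is the mutex for accessing
-			// these and other Server fields.
 
 			server.cachedTacticsData.Flush()
-			server.filterMatches = make([]bool, len(server.FilteredTactics))
+
+			// A pool of filterMatches, used in getTactics, is used to avoid
+			// allocating a slice for every getTactics call.
+			//
+			// A pointer to a slice is used with sync.Pool to avoid an
+			// allocation on Put, as would happen if passing in a slice
+			// instead of a pointer; see
+			// https://github.com/dominikh/go-tools/issues/1042#issuecomment-869064445
+
+			server.filterMatches = &sync.Pool{
+				New: func() any {
+					b := make([]bool, len(server.FilteredTactics))
+					return &b
+				},
+			}
 
 			server.initLookups()
 
@@ -874,8 +886,12 @@ func (server *Server) getTactics(
 	var aggregatedValues map[string]int
 	filterMatchCount := 0
 
-	// Use the preallocated slice to avoid an allocation per getTactics call.
-	filterMatches := server.filterMatches
+	// Use the filterMatches buffer pool to avoid an allocation per getTactics
+	// call.
+	b := server.filterMatches.Get().(*[]bool)
+	filterMatches := *b
+	clear(filterMatches)
+	defer server.filterMatches.Put(b)
 
 	for filterIndex, filteredTactics := range server.FilteredTactics {
 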
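Review bot: In the getTactics hunk, the slice from `server.filterMatches.Get()` is used without checking that its length equals `len(server.FilteredTactics)`, and the call site does not state the locking it depends on. The pool's `New` closure reads `server.FilteredTactics` when it runs and the reload path swaps in a new pool, so the lengths agree only if the caller holds the `Server.ReloadableFile` read lock across the `Get`, the loop and the deferred `Put`. That locking is outside the hunks shown and should be confirmed, since getTactics's body continues past the hunk. I would add above the `Get` a comment such as `// Caller must hold the Server.ReloadableFile read lock; pooled slices are sized for the current FilteredTactics.` and a cheap guard, `if len(filterMatches) != len(server.FilteredTactics) { filterMatches = make([]bool, len(server.FilteredTactics)) }`. The guard keeps a stale buffer from becoming an out-of-range index, assuming the loop indexes `filterMatches` by `filterIndex`.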

+ 2 - 2
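--- a/psiphon/controller_test.go
+++ b/psiphon/controller_test.go
@@ -719,12 +719,12 @@ func controllerRun(t *testing.T, runConfig *controllerRunConfig) {
 		}
 	}
 
-	// Test: upgrade check/download must be downloaded within 180 seconds
+	// Test: upgrade check/download must be downloaded within 240 seconds
 
 	expectUpgrade := !runConfig.disableApi && !runConfig.disableUntunneledUpgrade
 
 	if expectUpgrade {
-		upgradeTimeout := time.NewTimer(120 * time.Second)
+		upgradeTimeout := time.NewTimer(240 * time.Second)
 
 		select {
 		case <-upgradeDownloaded: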

+ 3 - 1
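--- a/psiphon/server/server_test.go
+++ b/psiphon/server/server_test.go
@@ -619,7 +619,9 @@ func TestOmitProvider(t *testing.T) {
 func TestSteeringIP(t *testing.T) {
 	runServer(t,
 		&runServerConfig{
-			tunnelProtocol:       "FRONTED-MEEK-OSSH",
+			tunnelProtocol: "FRONTED-MEEK-OSSH",
+			// use a TLS profile that offers h2 in the ALPN
+			tlsProfile:           protocol.TLS_PROFILE_CHROME_102,
 			requireAuthorization: true,
 			doTunneledWebRequest: true,
 			doTunneledNTPRequest: true,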

+ 6 - 1
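--- a/vendor/github.com/Psiphon-Labs/utls/u_parrots.go
+++ b/vendor/github.com/Psiphon-Labs/utls/u_parrots.go
@@ -2636,7 +2636,12 @@ func (uconn *UConn) ApplyPreset(p *ClientHelloSpec) error {
 	} else if kemKey, ok := clientKeySharePrivate.(*kemPrivateKey); ok {
 		uconn.HandshakeState.State13.KEMKey = kemKey.ToPublic()
 	}
-	uconn.HandshakeState.State13.KeySharesParams = NewKeySharesParameters()
+
+	// [Psiphon]
+	if uconn.HandshakeState.State13.KeySharesParams == nil {
+		uconn.HandshakeState.State13.KeySharesParams = NewKeySharesParameters()
+	}
+
 	hello := uconn.HandshakeState.Hello
 
 	switch len(hello.Random) {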

+ 1 - 1
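--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -44,7 +44,7 @@ github.com/Psiphon-Labs/quic-go/internal/utils/ringbuffer
 github.com/Psiphon-Labs/quic-go/internal/wire
 github.com/Psiphon-Labs/quic-go/logging
 github.com/Psiphon-Labs/quic-go/quicvarint
-# github.com/Psiphon-Labs/utls v1.1.1-0.20240821052800-443a34df921f
+# github.com/Psiphon-Labs/utls v1.1.1-0.20241107183331-b18909f8ccaa
 ## explicit; go 1.21
 github.com/Psiphon-Labs/utls
 github.com/Psiphon-Labs/utls/dicttls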