Rename FRONTED-QUIC-OSSH

- Previous protocol name is removed and won't
  be deployed; existing clients with "FRONTED-QUIC-OSSH"
  support will not receive server entries with that
  capability set.

- FRONTED-MEEK-QUIC-OSSH reflects the use of
  meek in the protocol.

- The protocol is now default off.

- No superfluous QUIC listener is run.

psiphon/common/protocol/protocol.go

@@ -30,17 +30,17 @@ import (
 )
 
 const (
-	TUNNEL_PROTOCOL_SSH                           = "SSH"
-	TUNNEL_PROTOCOL_OBFUSCATED_SSH                = "OSSH"
-	TUNNEL_PROTOCOL_UNFRONTED_MEEK                = "UNFRONTED-MEEK-OSSH"
-	TUNNEL_PROTOCOL_UNFRONTED_MEEK_HTTPS          = "UNFRONTED-MEEK-HTTPS-OSSH"
-	TUNNEL_PROTOCOL_UNFRONTED_MEEK_SESSION_TICKET = "UNFRONTED-MEEK-SESSION-TICKET-OSSH"
-	TUNNEL_PROTOCOL_FRONTED_MEEK                  = "FRONTED-MEEK-OSSH"
-	TUNNEL_PROTOCOL_FRONTED_MEEK_HTTP             = "FRONTED-MEEK-HTTP-OSSH"
-	TUNNEL_PROTOCOL_QUIC_OBFUSCATED_SSH           = "QUIC-OSSH"
-	TUNNEL_PROTOCOL_FRONTED_QUIC_OBFUSCATED_SSH   = "FRONTED-QUIC-OSSH"
-	TUNNEL_PROTOCOL_MARIONETTE_OBFUSCATED_SSH     = "MARIONETTE-OSSH"
-	TUNNEL_PROTOCOL_TAPDANCE_OBFUSCATED_SSH       = "TAPDANCE-OSSH"
+	TUNNEL_PROTOCOL_SSH                              = "SSH"
+	TUNNEL_PROTOCOL_OBFUSCATED_SSH                   = "OSSH"
+	TUNNEL_PROTOCOL_UNFRONTED_MEEK                   = "UNFRONTED-MEEK-OSSH"
+	TUNNEL_PROTOCOL_UNFRONTED_MEEK_HTTPS             = "UNFRONTED-MEEK-HTTPS-OSSH"
+	TUNNEL_PROTOCOL_UNFRONTED_MEEK_SESSION_TICKET    = "UNFRONTED-MEEK-SESSION-TICKET-OSSH"
+	TUNNEL_PROTOCOL_FRONTED_MEEK                     = "FRONTED-MEEK-OSSH"
+	TUNNEL_PROTOCOL_FRONTED_MEEK_HTTP                = "FRONTED-MEEK-HTTP-OSSH"
+	TUNNEL_PROTOCOL_QUIC_OBFUSCATED_SSH              = "QUIC-OSSH"
+	TUNNEL_PROTOCOL_FRONTED_MEEK_QUIC_OBFUSCATED_SSH = "FRONTED-MEEK-QUIC-OSSH"
+	TUNNEL_PROTOCOL_MARIONETTE_OBFUSCATED_SSH        = "MARIONETTE-OSSH"
+	TUNNEL_PROTOCOL_TAPDANCE_OBFUSCATED_SSH          = "TAPDANCE-OSSH"
 
 	SERVER_ENTRY_SOURCE_EMBEDDED   = "EMBEDDED"
 	SERVER_ENTRY_SOURCE_REMOTE     = "REMOTE"
@@ -102,7 +102,7 @@ var SupportedTunnelProtocols = TunnelProtocols{
 	TUNNEL_PROTOCOL_FRONTED_MEEK,
 	TUNNEL_PROTOCOL_FRONTED_MEEK_HTTP,
 	TUNNEL_PROTOCOL_QUIC_OBFUSCATED_SSH,
-	TUNNEL_PROTOCOL_FRONTED_QUIC_OBFUSCATED_SSH,
+	TUNNEL_PROTOCOL_FRONTED_MEEK_QUIC_OBFUSCATED_SSH,
 	TUNNEL_PROTOCOL_MARIONETTE_OBFUSCATED_SSH,
 	TUNNEL_PROTOCOL_TAPDANCE_OBFUSCATED_SSH,
 }
@@ -110,6 +110,7 @@ var SupportedTunnelProtocols = TunnelProtocols{
 var DefaultDisabledTunnelProtocols = TunnelProtocols{
 	TUNNEL_PROTOCOL_MARIONETTE_OBFUSCATED_SSH,
 	TUNNEL_PROTOCOL_TAPDANCE_OBFUSCATED_SSH,
+	TUNNEL_PROTOCOL_FRONTED_MEEK_QUIC_OBFUSCATED_SSH,
 }
 
 var SupportedServerEntrySources = TunnelProtocols{
@@ -131,13 +132,13 @@ func TunnelProtocolUsesObfuscatedSSH(protocol string) bool {
 func TunnelProtocolUsesMeek(protocol string) bool {
 	return TunnelProtocolUsesMeekHTTP(protocol) ||
 		TunnelProtocolUsesMeekHTTPS(protocol) ||
-		TunnelProtocolUsesFrontedQUIC(protocol)
+		TunnelProtocolUsesFrontedMeekQUIC(protocol)
 }
 
 func TunnelProtocolUsesFrontedMeek(protocol string) bool {
 	return protocol == TUNNEL_PROTOCOL_FRONTED_MEEK ||
 		protocol == TUNNEL_PROTOCOL_FRONTED_MEEK_HTTP ||
-		protocol == TUNNEL_PROTOCOL_FRONTED_QUIC_OBFUSCATED_SSH
+		protocol == TUNNEL_PROTOCOL_FRONTED_MEEK_QUIC_OBFUSCATED_SSH
 }
 
 func TunnelProtocolUsesMeekHTTP(protocol string) bool {
@@ -157,11 +158,11 @@ func TunnelProtocolUsesObfuscatedSessionTickets(protocol string) bool {
 
 func TunnelProtocolUsesQUIC(protocol string) bool {
 	return protocol == TUNNEL_PROTOCOL_QUIC_OBFUSCATED_SSH ||
-		protocol == TUNNEL_PROTOCOL_FRONTED_QUIC_OBFUSCATED_SSH
+		protocol == TUNNEL_PROTOCOL_FRONTED_MEEK_QUIC_OBFUSCATED_SSH
 }
 
-func TunnelProtocolUsesFrontedQUIC(protocol string) bool {
-	return protocol == TUNNEL_PROTOCOL_FRONTED_QUIC_OBFUSCATED_SSH
+func TunnelProtocolUsesFrontedMeekQUIC(protocol string) bool {
+	return protocol == TUNNEL_PROTOCOL_FRONTED_MEEK_QUIC_OBFUSCATED_SSH
 }
 
 func TunnelProtocolUsesMarionette(protocol string) bool {

psiphon/controller_test.go

@@ -443,7 +443,7 @@ func TestFrontedQUIC(t *testing.T) {
 	controllerRun(t,
 		&controllerRunConfig{
 			expectNoServerEntries:    false,
-			protocol:                 protocol.TUNNEL_PROTOCOL_FRONTED_QUIC_OBFUSCATED_SSH,
+			protocol:                 protocol.TUNNEL_PROTOCOL_FRONTED_MEEK_QUIC_OBFUSCATED_SSH,
 			clientIsLatestVersion:    false,
 			disableUntunneledUpgrade: true,
 			disableEstablishing:      false,

psiphon/dialParameters.go

@@ -337,7 +337,7 @@ func MakeDialParameters(
 	if !isReplay || !replayHostname {
 
 		if protocol.TunnelProtocolUsesMeekHTTPS(dialParams.TunnelProtocol) ||
-			protocol.TunnelProtocolUsesFrontedQUIC(dialParams.TunnelProtocol) {
+			protocol.TunnelProtocolUsesFrontedMeekQUIC(dialParams.TunnelProtocol) {
 
 			dialParams.MeekSNIServerName = ""
 			if p.WeightedCoinFlip(parameters.TransformHostNameProbability) {
@@ -368,7 +368,7 @@ func MakeDialParameters(
 	if (!isReplay || !replayQUICVersion) &&
 		protocol.TunnelProtocolUsesQUIC(dialParams.TunnelProtocol) {
 
-		allowObfuscatedQUIC := !protocol.TunnelProtocolUsesFrontedQUIC(dialParams.TunnelProtocol)
+		allowObfuscatedQUIC := !protocol.TunnelProtocolUsesFrontedMeekQUIC(dialParams.TunnelProtocol)
 		dialParams.QUICVersion = selectQUICVersion(allowObfuscatedQUIC, p)
 	}
 
@@ -414,7 +414,7 @@ func MakeDialParameters(
 	case protocol.TUNNEL_PROTOCOL_QUIC_OBFUSCATED_SSH:
 		dialParams.DirectDialAddress = fmt.Sprintf("%s:%d", serverEntry.IpAddress, serverEntry.SshObfuscatedQUICPort)
 
-	case protocol.TUNNEL_PROTOCOL_FRONTED_QUIC_OBFUSCATED_SSH:
+	case protocol.TUNNEL_PROTOCOL_FRONTED_MEEK_QUIC_OBFUSCATED_SSH:
 		dialParams.MeekDialAddress = fmt.Sprintf("%s:443", dialParams.MeekFrontingDialAddress)
 		dialParams.MeekHostHeader = dialParams.MeekFrontingHost
 		if !dialParams.MeekTransformedHostName {
@@ -549,7 +549,7 @@ func MakeDialParameters(
 		dialParams.meekConfig = &MeekConfig{
 			ClientParameters:              config.clientParameters,
 			DialAddress:                   dialParams.MeekDialAddress,
-			UseQUIC:                       protocol.TunnelProtocolUsesFrontedQUIC(dialParams.TunnelProtocol),
+			UseQUIC:                       protocol.TunnelProtocolUsesFrontedMeekQUIC(dialParams.TunnelProtocol),
 			QUICVersion:                   dialParams.QUICVersion,
 			UseHTTPS:                      protocol.TunnelProtocolUsesMeekHTTPS(dialParams.TunnelProtocol),
 			TLSProfile:                    dialParams.TLSProfile,

psiphon/dialParameters_test.go

@@ -183,7 +183,7 @@ func runDialParametersAndReplay(t *testing.T, tunnelProtocol string) {
 		if dialParams.QUICVersion == "" {
 			t.Fatalf("missing QUIC version field")
 		}
-		if protocol.TunnelProtocolUsesFrontedQUIC(tunnelProtocol) {
+		if protocol.TunnelProtocolUsesFrontedMeekQUIC(tunnelProtocol) {
 			if dialParams.MeekFrontingDialAddress == "" ||
 				dialParams.MeekFrontingHost == "" ||
 				dialParams.MeekSNIServerName == "" {

psiphon/meekConn.go

@@ -594,7 +594,7 @@ func (meek *MeekConn) Close() (err error) {
 		// stopRunning interrupts HTTP requests in progress by closing the context
 		// associated with the request. In the case of h2quic.RoundTripper, testing
 		// indicates that quic-go.receiveStream.readImpl in _not_ interrupted in
-		// this case, and so an in-flight FRONTED-QUIC round trip may hang shutdown
+		// this case, and so an in-flight FRONTED-MEEK-QUIC round trip may hang shutdown
 		// in relayRoundTrip->readPayload->...->quic-go.receiveStream.readImpl.
 		//
 		// To workaround this, we call CloseIdleConnections _before_ Wait, as, in

psiphon/server/tunnelServer.go

@@ -147,7 +147,14 @@ func (server *TunnelServer) Run() error {
 		var listener net.Listener
 		var err error
 
-		if protocol.TunnelProtocolUsesQUIC(tunnelProtocol) {
+		if protocol.TunnelProtocolUsesFrontedMeekQUIC(tunnelProtocol) {
+
+			// For FRONTED-MEEK-QUIC-OSSH, no listener implemented. The edge-to-server
+			// hop uses HTTPS and the client tunnel protocol is distinguished using
+			// protocol.MeekCookieData.ClientTunnelProtocol.
+			continue
+
+		} else if protocol.TunnelProtocolUsesQUIC(tunnelProtocol) {
 
 			listener, err = quic.Listen(
 				CommonLogger(log),