Releases: quic-go/quic-go

v0.44.0

19 May 03:00
e2fbf3c

v0.44 contains a lot of fixes related to HTTP Datagrams, new logic to determine (and configure) the QUIC packet size, as well as a significant speedup of the various parsers.

HTTP Datagram-related Fixes

The last release introduced support for HTTP Datagrams (RFC 9297). This release resolves a number of problems we discovered in the initial implementation:

  • reject sending of DATAGRAM frames that exceed the currently available MTU (#4497)
  • http3: deadline errors are now ignored in stream state tracking (#4495)
  • http3: refuse to send HTTP datagrams associated with a closed stream (#4488)
  • http3: use the send stream context for tracking the stream state (#4489)
  • http3: fix memory leak caused by stream state tracking (#4523). Thanks to @GeorgeMac for debugging and fixing!

QUIC Packet Size and Path MTU Discovery

  • The initial packet size is now configurable via quic.Config. Most users should not use this config option, but instead rely on Path MTU discovery (#4503)
  • The client's initial packet size was increased to 1280 bytes (#4500)
  • Respect the client's max_udp_payload_size transport parameter (#4514)
  • qlog: add support for the mtu_updated event (#4517)

Speeding up Parsing the variable-length Integers

The QUIC varint parser was rewritten to act on byte slices instead of a bytes.Reader. This is significantly faster (#4475). The new parser is now used for parsing QUIC frames (#4484), the QUIC packet header (#4481), the QUIC transport parameters (#4483) and HTTP datagrams (#4478).
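The slice-based approach described above, shown as an added example (not quic-go's own quicvarint code): the parser takes a byte slice and returns the value plus the number of bytes consumed, so the caller advances by re-slicing. `ParseVarint` and `ParseAll` are names chosen for this example; the encoding is the one defined in RFC 9000, Section 16.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// ParseVarint decodes one RFC 9000 variable-length integer from the front
// of b and returns the value and the number of bytes consumed.
func ParseVarint(b []byte) (uint64, int, error) {
	if len(b) == 0 {
		return 0, 0, io.EOF
	}
	n := 1 << (b[0] >> 6) // top two bits select a length of 1, 2, 4 or 8 bytes
	if len(b) < n {
		return 0, 0, io.ErrUnexpectedEOF // field is cut off
	}
	v := uint64(b[0] & 0x3f)
	for _, c := range b[1:n] {
		v = v<<8 | uint64(c)
	}
	return v, n, nil
}

// ParseAll decodes back-to-back varints, advancing by re-slicing.
func ParseAll(b []byte) ([]uint64, error) {
	var out []uint64
	for len(b) > 0 {
		v, n, err := ParseVarint(b)
		if err != nil {
			return out, err
		}
		out = append(out, v)
		b = b[n:]
	}
	return out, nil
}

func main() {
	// Constructed input: the sample encodings from RFC 9000, Appendix A.1.
	buf := []byte{0x25, 0x7b, 0xbd, 0x9d, 0x7f, 0x3e, 0x7d,
		0xc2, 0x19, 0x7c, 0x5e, 0xff, 0x14, 0xe8, 0x8c}
	vals, err := ParseAll(buf)
	fmt.Println(vals, err)
	_, err = ParseAll(buf[:len(buf)-1]) // last field truncated by one byte
	fmt.Println(errors.Is(err, io.ErrUnexpectedEOF))
}
```

A truncated field is reported as an error without reading past the end of the slice, which is the property that matters when the input is an attacker-controlled packet.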

Other Notable Changes

  • http3: ParseCapsule now returns an io.EOF (and not an io.ErrUnexpectedEOF) if the underlying reader returns an io.EOF on the first byte (#4476)
  • http3: ListenAndServe was renamed to ListenAndServeTLS (#4522). Thanks to @ETZhangSX!
  • http3: reserved frame types now cause a connection error, as required by the RFC (#4467)
  • http3: pass the correct Connection to the ConnContext callback (#4480). Thanks to @rthellend!

quic-go needs your support!

Is your project / company relying on quic-go?
Please consider funding the project. Any support is highly appreciated!

What's Changed

Full Changelog: v0.43.0...v0.44.0

v0.43.1

04 May 22:30

This is a patch release that fixes a regression when calling http3.Server.ConnContext introduced in v0.43.0.

Changelog

Full Changelog: v0.43.0...v0.43.1

v0.43.0

27 Apr 14:46
93c4785

quic-go.net: Launching a new Documentation Site

With this release, we're launching a new documentation site for the quic-go projects (quic-go itself, HTTP/3, webtransport-go, and soon, masque-go): quic-go.net.

The documentation site aims to explain QUIC concepts and how they are made accessible using quic-go's API. This site replaces the wiki, and the ever-growing README files.

A lot of work has gone into the documentation already, but we're by no means done yet. The entire source is public in https://github.com/quic-go/docs/, and we're happy about community contributions.

HTTP Datagrams (RFC 9297)

This release adds support for HTTP Datagrams (RFC 9297), both on the client and on the server side (#4452). HTTP Datagrams are used in WebTransport and in CONNECT-UDP (RFC 9298), among others.

The new API for HTTP Datagrams is described on the new documentation page: HTTP Datagrams. The integration of HTTP Datagram support necessitated a comprehensive refactor of the HTTP/3 package, resulting in several breaking API changes listed below.

Breaking Changes

  • quicvarint: functions now return an int instead of the internal protocol.ByteCount (#4365)
  • http3: Server.SetQuicHeaders was renamed to SetQUICHeaders (#4377)
  • http3: Server.QuicConfig was renamed to QUICConfig (#4384)
  • http3: RoundTripper.QuicConfig was renamed to QUICConfig (#4385)
  • http3: RoundTripOpt.CheckSettings was removed (#4416). Use the new SingleDestinationRoundTripper API instead.
  • http3: the HTTPStreamer interface is now implemented by the http.ResponseWriter (and not the http.Request.Body) (#4469)
  • include the maximum payload size in the DatagramTooLargeError (#4470)

Other Notable Changes

  • GSO and ECN are disabled on kernel versions older than 5 (#4456)
  • http3: logging can be controlled using an slog.Logger (#4449)
  • http3: HEAD requests can now be sent in 0-RTT (#4378)
  • http3: duplicate QPACK encoder and decoder streams are not rejected as required by the RFC (#4388)
  • http3: Extended CONNECT requests are blocked until the server's SETTINGS are received, as required by the RFC (#4450)
  • http3: HTTP/3 client connections aren't removed if RoundTrip errors due to a cancelled context (#4448). Thanks to @GeorgeMac!
  • http3: sniff Content-Type when flushing the ResponseWriter (#4412). Thanks to @WeidiDeng!
  • The Context exposed on the quic.Stream is now derived from the connection's context (#4414)
  • The UDP send and receive buffer size was increased to 7 MiB (#4455). Thanks to @bt90!

Clarifications on the QUIC Stream State Machine

Calling CancelWrite after Close

After a long and fruitful discussion (#4404), we decided to clarify that calling CancelWrite after Close on a SendStream (or a bidirectional stream) should cause a state transition from the "Data Sent" to the "Reset Sent" state, as described in section 3.1 of RFC 9000. This matches the current behavior of quic-go; however, it didn't match the API documentation (fixed in #4419).

This means that stream data will not be delivered reliably if CancelWrite is called, and that this applies even if Close was called before.

Garbage Collection of Streams

This release also subtly changes the way streams are garbage-collected once they're not needed anymore (at which point the peer is granted additional limit to open a new stream):

  • for the send direction of streams: #4445
  • for the receive direction of a stream: #4460

Thanks to @sukunrt for extremely thorough and helpful reviews on both these PRs!

v0.42.0

18 Mar 01:10
4a99b81

New Features

  • added a qlog tracer for events that happen before / outside of an established connection: #4305

Notable Changes

  • added a ClientHelloInfo.AddrVerified field: #4360
  • move callback controlling address verification (VerifySourceAddress) to the Transport: #4253 and #4362
  • connections that are closed before being accepted are not removed from the server's accept queue: #4245
  • http3: added a RoundTripOpt.CheckSettings callback to check the server's SETTINGS: #4355
  • http3: send the HTTP/3 settings value for Extended CONNECT (RFC 9220): #4341
  • http3: don't modify the user's quic.Config to enable QUIC datagram support: #4340

Fixes

  • mitigate a memory exhaustion attack against QUIC's connection ID mechanism: #4369
  • don't delay acknowledgments for packets during the handshake: #4279
  • fix deadlock when closing both Listener and Transport: #4332
  • fix handling of IPv4-mapped IPv6 addresses: #4309
  • fix duplicate logging of the key_discarded event for Handshake packets: #4274
  • send CONNECTION_REFUSED when refusing connections: #4250
  • http3: tighten validation logic for the :protocol pseudo header: #4261

v0.41.0

17 Jan 03:46
d3c2020

New Features

  • When calling quic.Connection.SendDatagram, we now queue up to 32 DATAGRAMs before blocking this method: #4222. This should lead to significant performance improvements for applications that send a lot of datagrams.
  • DATAGRAM frames that don't fit into a packet (at the current MTU) are now dropped: #4221.
  • http3: The remote address (as a net.Addr) can now be obtained from the HTTP/3 request context using the http3.RemoteAddrContextKey: #4208. Thanks to @oncilla!
  • http3: When an http.Handler panics, the stream is now reset: #4181. Thanks to @WeidiDeng!
  • http3: The http3.Server now has a ConnContext function, working analogously to http.Server.ConnContext: #4230. Thanks to @rthellend!
  • logging: Information about the negotiated ALPN is logged using logging.ConnectionTracer.ChoseALPN: #4216. Thanks to @birneee!
  • qlog: The package now provides an implementation of the quic.Config.ConnectionTracer callback that reads the QLOGDIR environment variable, and writes qlogs to that directory. Thanks to @birneee!

Breaking Changes

  • This release drops support for Go 1.20 (#4195). We decided to drop support for the old Go version a little bit earlier than usual (before the Go 1.22 release) this time, since this allowed us to completely remove our custom TLS fork that was necessary before crypto/tls gained QUIC support in Go 1.21. If you rely on Go 1.20, you can continue using the v0.40.1 release.
  • The DroppedPacket callback on the logging.ConnectionTracer now contains the packet number of the dropped packet, allowing for better logging of duplicate packets: #4171

Other Changes

  • Only attempt 0-RTT resumption if the session-ticket allowed 0-RTT: #4183
  • http3: The context cancelation error is now returned from RoundTrip: #4203
  • http3: use the AdditionalSettings on HTTP/3 requests: #4156

Changelog

Full Changelog: v0.40.0...v0.41.0

v0.40.1

13 Dec 04:44

This release contains fixes for a resource exhaustion attack on QUIC's path validation logic (CVE-2023-49295), see https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation for details:

  • limit the number of queued PATH_RESPONSE frames to 256 (#4199)
  • don't retransmit PATH_CHALLENGE and PATH_RESPONSE frames (#4200)
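
The two mitigations listed above (and repeated for the v0.39.4, v0.38.2 and v0.37.7 backports), shown as an added Go example that is not quic-go's code: a send queue that holds at most 256 PATH_RESPONSE frames, and loss handling that never re-queues path validation frames. The `Frame` and `Framer` types and the discard-when-full policy are assumptions made for illustration.

```go
package main

import "fmt"

// maxPathResponses is the cap stated in the release notes.
const maxPathResponses = 256

// Frame is a constructed stand-in for a QUIC frame (not quic-go's wire types).
type Frame struct {
	Type string // "PATH_CHALLENGE", "PATH_RESPONSE", "MAX_DATA", ...
	Data [8]byte
}

// Framer holds frames that are waiting for room in an outgoing packet.
type Framer struct {
	pathResponses []Frame
	control       []Frame
	Dropped       int
}

// QueuePathResponse is called once per received PATH_CHALLENGE. When the
// queue is full the response is discarded (assumed policy), so memory stays
// bounded no matter how many challenges arrive.
func (f *Framer) QueuePathResponse(challenge [8]byte) bool {
	if len(f.pathResponses) >= maxPathResponses {
		f.Dropped++
		return false
	}
	f.pathResponses = append(f.pathResponses, Frame{"PATH_RESPONSE", challenge})
	return true
}

// OnLost is called for each frame of a packet declared lost. Path validation
// frames are not re-queued; other control frames are retransmitted.
func (f *Framer) OnLost(fr Frame) bool {
	if fr.Type == "PATH_CHALLENGE" || fr.Type == "PATH_RESPONSE" {
		return false
	}
	f.control = append(f.control, fr)
	return true
}

func main() {
	f := &Framer{}
	for i := 0; i < 100000; i++ { // constructed burst of challenges
		f.QueuePathResponse([8]byte{byte(i), byte(i >> 8), byte(i >> 16)})
	}
	fmt.Println(len(f.pathResponses), f.Dropped) // 256 99744
}
```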

Full Changelog: v0.40.0...v0.40.1

v0.39.4

13 Dec 04:42

This release contains fixes for a resource exhaustion attack on QUIC's path validation logic (CVE-2023-49295), see https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation for details:

  • limit the number of queued PATH_RESPONSE frames to 256 (#4199)
  • don't retransmit PATH_CHALLENGE and PATH_RESPONSE frames (#4200)

Full Changelog: v0.39.3...v0.39.4

v0.38.2

13 Dec 04:41

This release contains fixes for a resource exhaustion attack on QUIC's path validation logic (CVE-2023-49295), see https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation for details:

  • limit the number of queued PATH_RESPONSE frames to 256 (#4199)
  • don't retransmit PATH_CHALLENGE and PATH_RESPONSE frames (#4200)

Full Changelog: v0.38.1...v0.38.2

v0.37.7

13 Dec 04:38

This release contains fixes for the Honeybadger vulnerability (CVE-2023-49295):

  • limit the number of queued PATH_RESPONSE frames to 256 (#4199)
  • don't retransmit PATH_CHALLENGE and PATH_RESPONSE frames (#4200)

Full Changelog: v0.37.6...v0.37.7

v0.40.0

31 Oct 04:48
a360354

API Changes

  • Connection.{Send,Receive}Message was renamed to {Send,Receive}Datagram: #4116
  • Closing a Listener created from a Transport doesn't close already established QUIC connections: #4072
  • http3: the ResponseWriter now automatically discards the response body for HEAD requests: #4115

Other Changes / Fixes

  • Using Dial (not DialEarly) now doesn't perform a 0-RTT handshake, even if the session ticket allows 0-RTT: #4125
  • ClientHellos offering TLS versions older than 1.3 are now rejected (when using Go 1.20): #4130
  • EPERM sendmsg errors (see golang/go#63322) are now automatically caught: #4111
  • Sending CONNECTION_REFUSED now doesn't spawn a new goroutine: #4091
  • Sending Retry packets now doesn't spawn a new goroutine: #4092

Changelog

Full Changelog: v0.39.0...v0.40.0