transport,deps: bump zquic to v1.5.0 #55
Merged
Pulls in the v1.3.0..v1.5.0 security and correctness fixes:

- Retry token replay window (30 s) with hourly secret rotation (zquic #108).
- FINAL_SIZE_ERROR enforcement cross-checking RESET_STREAM vs STREAM+FIN final sizes (zquic #109).
- Non-minimal varint rejection per RFC 9000 §16 (zquic #110).
- Active connection ID limit enforced per RFC 9000 §5.1.1 (zquic #111).
- ACK range underflow returns FrameEncodingError instead of saturating (zquic #112).
- Stream-initiator violations on STREAM frames are rejected (zquic #113).
- Coalesced packet parser hardening (zquic #115).

API adjustment: rawAllocateNextLocalBidiStream and rawAllocateNextLocalUniStream now return OpenLocalStreamError!u64 instead of u64. Add `try` at the two call sites in zquic_quic_shim so StreamLimitExceeded propagates as a stream create failure.

Tests: zig fmt --check . plus test, test-broadcast, test-sim-rs, test-sim-gossipsub and test-quic all pass locally.
Summary
Updates the `zquic` dependency from `v1.2.1` to `v1.5.0`, picking up the security and correctness fixes landed in v1.3.x–v1.5.0:

- `retry_secret` rotation — bounds the blast radius of a leaked secret from "forever" to ~1 hour + 30 s (zquic #108).
- `FINAL_SIZE_ERROR` enforcement cross-checking `RESET_STREAM` `final_size` against any prior `STREAM+FIN` on the same stream (RFC 9000 §3.5/§11.3, zquic #109).
- `FrameEncodingError` instead of saturating (RFC 9000 §19.3, zquic #112).
- `STREAM` frames are rejected (RFC 9000 §19.8, zquic #113).

API adjustment in `src/transport/zquic_quic_shim.zig`

`rawAllocateNextLocalBidiStream` / `rawAllocateNextLocalUniStream` now return `OpenLocalStreamError!u64` instead of `u64` — they enforce the peer-advertised `initial_max_streams_*`. Added `try` at both call sites in `streamMake` / `streamMakeUni` so `StreamLimitExceeded` propagates as a stream-create failure.

No other v1.5.0 API breaks bite us: `LossDetector.onAck`, `AckFrame.parse`, and `varint.DecodeError.NonMinimalEncoding` live in layers that zig-ethp2p doesn't call directly.

Test plan

- `zig fmt --check .`
- `zig build test` (150 passed)
- `zig build test-broadcast` (54 passed)
- `zig build test-sim-rs` (22 passed)
- `zig build test-sim-gossipsub` (23 passed)
- `zig build test-quic` (44 passed)
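
The ACK range underflow item above (zquic #112), shown as an added example that is not code from zquic or zig-ethp2p: RFC 9000 §19.3.1 requires FRAME_ENCODING_ERROR when a computed packet number would be negative, so the range walk uses checked subtraction rather than `-|`. The names `ackRanges`, `checkedSub`, `Range` and `GapLen` are hypothetical, and the frame values in the test are constructed.

```zig
const std = @import("std");

// Hypothetical types for this example; not zquic's API.
const AckError = error{FrameEncodingError};
const Range = struct { smallest: u64, largest: u64 };
const GapLen = struct { gap: u64, len: u64 };

/// Subtraction that reports underflow as a frame error instead of clamping to 0.
fn checkedSub(a: u64, b: u64) AckError!u64 {
    return std.math.sub(u64, a, b) catch return error.FrameEncodingError;
}

/// Expands Largest Acknowledged, First ACK Range and the (Gap, ACK Range Length)
/// pairs of an ACK frame into inclusive packet-number ranges (RFC 9000 §19.3.1).
fn ackRanges(largest_acked: u64, first_range: u64, rest: []const GapLen, out: []Range) AckError![]const Range {
    std.debug.assert(out.len > rest.len);
    var largest = largest_acked;
    var smallest = try checkedSub(largest, first_range);
    out[0] = .{ .smallest = smallest, .largest = largest };
    var n: usize = 1;
    for (rest) |r| {
        // largest = previous_smallest - gap - 2
        largest = try checkedSub(try checkedSub(smallest, r.gap), 2);
        smallest = try checkedSub(largest, r.len);
        out[n] = .{ .smallest = smallest, .largest = largest };
        n += 1;
    }
    return out[0..n];
}

test "ACK range underflow is rejected, not saturated" {
    var buf: [4]Range = undefined;
    // Constructed well-formed frame: [8,10], then gap=1, len=3 gives [2,5].
    const ok = try ackRanges(10, 2, &[_]GapLen{.{ .gap = 1, .len = 3 }}, &buf);
    try std.testing.expectEqual(@as(usize, 2), ok.len);
    try std.testing.expectEqual(@as(u64, 5), ok[1].largest);
    try std.testing.expectEqual(@as(u64, 2), ok[1].smallest);
    // Constructed malformed frame: First ACK Range exceeds Largest Acknowledged.
    try std.testing.expectError(error.FrameEncodingError, ackRanges(3, 7, &[_]GapLen{}, &buf));
    // Underflow in a later range: 8 - 9 - 2 would be negative.
    try std.testing.expectError(error.FrameEncodingError, ackRanges(10, 2, &[_]GapLen{.{ .gap = 9, .len = 0 }}, &buf));
    // Saturating arithmetic would instead yield smallest = 0, i.e. range [0,3].
    try std.testing.expectEqual(@as(u64, 0), @as(u64, 3) -| @as(u64, 7));
}
```

Saved to a file, this runs with `zig test`; the last assertion shows the value a saturating implementation would have passed on to loss detection as an acknowledged range.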