Merge branch 'main' into ci-ubuntu-24.04

.github/actions/pr-comment-data-export/action.yml

@@ -31,7 +31,7 @@ runs:
           echo "${{ inputs.log-url }}" > comment-data/log-url
         fi
     - if: github.event_name == 'pull_request'
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
       with:
         name: ${{ inputs.name }}
         path: comment-data

.github/actions/quic-interop-runner/action.yml

@@ -74,7 +74,7 @@ runs:
         python run.py $ARGS 2>&1 | tee ../summary.txt || true
       shell: bash
 
-    - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+    - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
       id: upload-logs
       with:
         name: '${{ inputs.client }} vs. ${{ inputs.server }} logs'
@@ -88,7 +88,7 @@ runs:
           mv result.json.tmp result.json
       shell: bash
 
-    - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+    - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
       with:
         name: '${{ inputs.client }} vs. ${{ inputs.server }} results'
         path: |

.github/actions/rust/action.yml

@@ -24,7 +24,10 @@ runs:
 
     - name: Install Rust tools
       shell: bash
-      run: cargo +${{ inputs.version }} quickinstall --no-binstall --no-fallback cargo-llvm-cov cargo-nextest flamegraph cargo-hack cargo-mutants hyperfine
+      run: |
+        cargo +${{ inputs.version }} quickinstall --no-binstall \
+          cargo-llvm-cov cargo-nextest flamegraph cargo-hack cargo-mutants hyperfine \
+          cargo-machete cargo-fuzz
 
     # sccache slows CI down, so we leave it disabled.
     # Leaving the steps below commented out, so we can re-evaluate enabling it later.

.github/dependabot.yml

@@ -15,3 +15,7 @@ updates:
     directory: "/qns"
     schedule:
       interval: "weekly"
+  - package-ecosystem: docker
+    directory: /taskcluster/docker/linux
+    schedule:
+      interval: "weekly"

.github/workflows/bench.yml

@@ -199,7 +199,7 @@ jobs:
           fi
           sed -E -e 's/^                 //gi' \
                  -e 's/((change|time|thrpt):[^%]*% )([^%]*%)(.*)/\1<b>\3<\/b>\4/gi' results.txt |\
-            perl -p -0777 -e 's/(.*?)\n(.*?)((No change|Change within|Performance has).*?)\n(.*?)\n\n/<details><summary>$1: $3<\/summary><pre>\n$2$5<\/pre><\/details>\n/gs' |\
+            perl -p -0777 -e 's/(.*?)\n(.*?)((No change|Change within|Performance has).*?)(\nFound .*?)?\n\n/<details><summary>$1: $3<\/summary><pre>\n$2$5<\/pre><\/details>\n/gs' |\
             sed -E -e 's/(Performance has regressed.)/:broken_heart: <b>\1<\/b>/gi' \
                    -e 's/(Performance has improved.)/:green_heart: <b>\1<\/b>/gi' \
                    -e 's/^ +((<\/pre>|Found).*)/\1/gi' \
@@ -230,7 +230,7 @@ jobs:
 
       - name: Export perf data
         id: export
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
         with:
           name: ${{ github.event.repository.name }}-${{ github.sha }}
           path: |

.github/workflows/check.yml

@@ -136,13 +136,22 @@ jobs:
           cargo +${{ matrix.rust-toolchain }} fmt --all -- --check $CONFIG_PATH
         if: success() || failure()
 
+      - name: Check for unused dependencies
+        run: |
+          #  --with-metadata has false positives, see https://github.com/bnjbvr/cargo-machete/issues/127
+          cargo +${{ matrix.rust-toolchain }} machete
+
       - name: Clippy
         run: |
           # Use cargo-hack to run clippy on each crate individually with its
           # respective default features only. Can reveal warnings otherwise
           # hidden given that a plain cargo clippy combines all features of the
           # workspace. See e.g. https://github.com/mozilla/neqo/pull/1695.
           cargo +${{ matrix.rust-toolchain }} hack clippy --all-targets --feature-powerset --exclude-features gecko -- -D warnings || ${{ matrix.rust-toolchain == 'nightly' }}
+          # Check that the fuzz targets also build
+          if [ ${{ matrix.rust-toolchain }} == 'nightly' ]; then
+            cargo +${{ matrix.rust-toolchain }} fuzz check
+          fi
         if: success() || failure()
 
       - name: Check rustdoc links

.github/workflows/dependency-review.yml

@@ -0,0 +1,31 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on:
+  pull_request:
+    branches: ["main"]
+    paths-ignore: ["*.md", "*.png", "*.svg", "LICENSE-*"]
+  merge_group:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
+        with:
+          base-ref: ${{ github.event.pull_request.base.sha || 'main' }}
+          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}

.github/workflows/firefox.yml

@@ -110,7 +110,7 @@ jobs:
 
       - name: Export binary
         id: upload
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
         with:
           name: ${{ runner.os }}-${{ env.FIREFOX }}-${{ matrix.type }}.tgz
           path: ${{ env.FIREFOX }}.tar
@@ -119,7 +119,7 @@ jobs:
       - run: echo "${{ steps.upload.outputs.artifact-url }}" >> artifact
 
       - name: Export artifact URL
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
         with:
           name: artifact-${{ runner.os }}-${{ env.FIREFOX }}-${{ matrix.type }}
           path: artifact
@@ -133,7 +133,7 @@ jobs:
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           pattern: 'artifact-*'
           path: artifacts

.github/workflows/mutants.yml

@@ -63,7 +63,7 @@ jobs:
           } > "$GITHUB_STEP_SUMMARY"
 
       - name: Archive mutants.out
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
         if: always()
         with:
           name: mutants.out

.github/workflows/qns.yml

@@ -32,8 +32,8 @@ jobs:
     permissions:
       packages: write
     steps:
-      - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
-      - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+      - uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
+      - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
       - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
         with:
           registry: ghcr.io
@@ -53,7 +53,7 @@ jobs:
             # set latest tag for default branch
             type=raw,value=latest,enable={{is_default_branch}}
 
-      - uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+      - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
         if: github.event_name != 'pull_request'
         with:
           push: true
@@ -64,7 +64,7 @@ jobs:
           cache-to: type=gha,mode=max
           platforms: 'linux/amd64, linux/arm64'
 
-      - uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+      - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
         id: docker_build_and_push
         with:
           tags: ${{ steps.meta.outputs.tags }}
@@ -75,7 +75,7 @@ jobs:
           platforms: 'linux/amd64'
           outputs: type=docker,dest=/tmp/${{ env.LATEST }}.tar
 
-      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
         with:
           name: '${{ env.LATEST }} Docker image'
           path: /tmp/${{ env.LATEST }}.tar
@@ -130,7 +130,7 @@ jobs:
         pair: ${{ fromJson(needs.implementations.outputs.pairs) }}
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: '${{ env.LATEST }} Docker image'
           path: /tmp
@@ -158,7 +158,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           pattern: '*results'
           path: results

.pre-commit-config.yaml

@@ -0,0 +1,22 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.16.3
+  hooks:
+  - id: gitleaks
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+  rev: 3.0.0
+  hooks:
+  - id: shellcheck
+- repo: https://github.com/pocc/pre-commit-hooks
+  rev: v1.3.5
+  hooks:
+  - id: cpplint
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace
+# - repo: https://github.com/pylint-dev/pylint
+#   rev: v2.17.2
+#   hooks:
+#   - id: pylint

Cargo.toml

@@ -7,6 +7,7 @@ members = [
   "neqo-http3",
   "neqo-qpack",
   "neqo-transport",
+  "neqo-udp",
   "test-fixture",
 ]
 resolver = "2"
@@ -15,7 +16,11 @@ resolver = "2"
 homepage = "https://github.com/mozilla/neqo/"
 repository = "https://github.com/mozilla/neqo/"
 authors = ["The Neqo Authors <[email protected]>"]
-version = "0.7.9"
+description = "Neqo, the Mozilla implementation of QUIC in Rust."
+keywords = ["quic", "http3", "neqo", "mozilla", "ietf", "firefox"]
+categories = ["network-programming", "web-programming"]
+readme = "README.md"
+version = "0.8.0"
 # Keep in sync with `.rustfmt.toml` `edition`.
 edition = "2021"
 license = "MIT OR Apache-2.0"
@@ -29,7 +34,10 @@ log = { version = "0.4", default-features = false }
 qlog = { version = "0.13", default-features = false }
 
 [workspace.lints.clippy]
+cargo = { level = "warn", priority = -1 }
+nursery = { level = "warn", priority = -1 }
 pedantic = { level = "warn", priority = -1 }
+multiple_crate_versions = "allow"
 
 [profile.release]
 lto = "fat"

fuzz/Cargo.toml

@@ -7,6 +7,10 @@ version.workspace = true
 edition.workspace = true
 rust-version.workspace = true
 license.workspace = true
+description.workspace = true
+keywords.workspace = true
+categories.workspace = true
+readme.workspace = true
 
 [package.metadata]
 cargo-fuzz = true

fuzz/fuzz_targets/client_initial.rs

@@ -6,7 +6,7 @@ use libfuzzer_sys::fuzz_target;
 #[cfg(all(fuzzing, not(windows)))]
 fuzz_target!(|data: &[u8]| {
     use neqo_common::{Datagram, Encoder, Role};
-    use neqo_transport::Version;
+    use neqo_transport::{packet::MIN_INITIAL_PACKET_SIZE, Version};
     use test_fixture::{
         default_client, default_server,
         header_protection::{

fuzz/fuzz_targets/frame.rs

@@ -10,7 +10,7 @@ fuzz_target!(|data: &[u8]| {
 
     // Run the fuzzer
     let mut decoder = Decoder::new(data);
-    let _ = Frame::decode(&mut decoder);
+    _ = Frame::decode(&mut decoder);
 });
 
 #[cfg(any(not(fuzzing), windows))]

fuzz/fuzz_targets/packet.rs

@@ -14,7 +14,7 @@ fuzz_target!(|data: &[u8]| {
     neqo_crypto::init().unwrap();
 
     // Run the fuzzer
-    let _ = PublicPacket::decode(data, decoder);
+    _ = PublicPacket::decode(data, decoder);
 });
 
 #[cfg(any(not(fuzzing), windows))]

fuzz/fuzz_targets/server_initial.rs

@@ -6,7 +6,7 @@ use libfuzzer_sys::fuzz_target;
 #[cfg(all(fuzzing, not(windows)))]
 fuzz_target!(|data: &[u8]| {
     use neqo_common::{Datagram, Encoder, Role};
-    use neqo_transport::Version;
+    use neqo_transport::{packet::MIN_INITIAL_PACKET_SIZE, Version};
     use test_fixture::{
         default_client, default_server,
         header_protection::{

neqo-bin/Cargo.toml

@@ -8,6 +8,9 @@ version.workspace = true
 edition.workspace = true
 rust-version.workspace = true
 license.workspace = true
+keywords.workspace = true
+categories.workspace = true
+readme.workspace = true
 
 [[bin]]
 name = "neqo-client"
@@ -32,10 +35,9 @@ log = { workspace = true }
 neqo-common = { path = "./../neqo-common" }
 neqo-crypto = { path = "./../neqo-crypto" }
 neqo-http3 = { path = "./../neqo-http3" }
-neqo-qpack = { path = "./../neqo-qpack" }
 neqo-transport = { path = "./../neqo-transport" }
+neqo-udp = { path = "./../neqo-udp", default-features = false, features = ["tokio"] }
 qlog = { workspace = true }
-quinn-udp = { version = "0.5.0", default-features = false }
 regex = { version = "1.9", default-features = false, features = ["unicode-perl"] }
 tokio = { version = "1", default-features = false, features = ["net", "time", "macros", "rt", "rt-multi-thread"] }
 url = { version = "2.5", default-features = false }

neqo-bin/benches/main.rs

@@ -68,6 +68,7 @@ fn transfer(c: &mut Criterion) {
     done_sender.send(()).unwrap();
 }
 
+#[allow(clippy::redundant_pub_crate)] // Bug in clippy nursery? Not sure how this lint could fire here.
 fn spawn_server() -> tokio::sync::oneshot::Sender<()> {
     let (done_sender, mut done_receiver) = tokio::sync::oneshot::channel();
     std::thread::spawn(move || {
@@ -76,7 +77,7 @@ fn spawn_server() -> tokio::sync::oneshot::Sender<()> {
             tokio::select! {
                 _ = &mut done_receiver => {}
                 res = &mut server  => panic!("expect server not to terminate: {res:?}"),
-            }
+            };
         });
     });
     done_sender

neqo-bin/src/client/http09.rs

@@ -106,7 +106,7 @@ impl<'a> super::Handler for Handler<'a> {
     }
 }
 
-pub(crate) fn create_client(
+pub fn create_client(
     args: &Args,
     local_addr: SocketAddr,
     remote_addr: SocketAddr,
@@ -147,11 +147,9 @@ impl TryFrom<&State> for CloseState {
 
     fn try_from(value: &State) -> Result<Self, Self::Error> {
         let (state, error) = match value {
-            State::Closing { error, .. } | State::Draining { error, .. } => {
-                (CloseState::Closing, error)
-            }
-            State::Closed(error) => (CloseState::Closed, error),
-            _ => return Ok(CloseState::NotClosing),
+            State::Closing { error, .. } | State::Draining { error, .. } => (Self::Closing, error),
+            State::Closed(error) => (Self::Closed, error),
+            _ => return Ok(Self::NotClosing),
         };
 
         if error.is_error() {