quic_lib 0.2.0
A pure-Dart QUIC, HTTP/3, WebTransport, and libp2p transport stack.
Changelog
All notable changes to dart_quic will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
0.2.0 — 2026-06-27
Added
- HandshakeKeyExchange — X25519 ephemeral key generation, shared secret computation, and TLS 1.3-style handshake secret derivation (scaffold for real TLS stack)
- HTTP/3 full request/response — Http3Request/Http3Response with QPACK header encoding/decoding, Http3Connection.sendRequest() accepts requests, getResponse() decodes received HEADERS frames
- WebTransport datagram support — DatagramCapsule serialize/parse, CapsuleType.datagram, WebTransportSession.sendDatagram()/receivedDatagrams
- Connection migration wiring — MigrationHelper integrated into QuicConnection._dispatchFrames() for PATH_CHALLENGE/PATH_RESPONSE, onAddressValidated() called on successful path validation
- Integration tests: test/crypto/tls/handshake_key_exchange_test.dart (4 tests), test/http3/http3_request_response_test.dart (7 tests), test/webtransport/datagram_capsule_test.dart (3 tests), test/connection/migration_integration_test.dart (5 tests), test/integration/v020_features_test.dart (12 tests)
Fixed
- test/http3/coverage_gap_test.dart — updated CapsuleType.fromValue unknown-value test to use 0x01 instead of 0x00 (now reserved for datagram)
0.1.0-beta.1 — 2026-06-27
Added
- PacketNumberReconstructor — reconstructs full packet numbers from truncated short-header PNs per RFC 9000 §17.1
- TlsMessageBuilder — constructs structurally valid TLS 1.3 ClientHello, ServerHello, and Finished messages for testing
- HTTP/3 lifecycle scaffold in Http3Connection: sendRequest() allocates streams, onStreamFrame() dispatches HEADERS/DATA/SETTINGS/GOAWAY frames
- QpackDynamicTable — dynamic table insertions, evictions, capacity management, and encodeWithDynamicTable() with dynamic→static→literal fallback
- CapsuleRouter — routes WebTransport capsules to WebTransportSession instances by stream ID
- DCUtRStateMachine — DCUtR handshake state machine (idle → connectSent → syncReceived → connected/failed)
- Integration tests: test/wire/packet_number_reconstructor_test.dart (5 tests), test/crypto/tls/tls_message_builder_test.dart (6 tests), test/http3/http3_connection_test.dart (5 tests), test/http3/qpack_dynamic_table_test.dart (11 tests), test/webtransport/capsule_router_test.dart (5 tests), test/libp2p/dcutr_state_machine_test.dart (14 tests)
0.1.0-alpha.4 — 2026-06-27
Added
- ProtectedPacketCodec — full header protection + AEAD round-trip codec for LongHeader and ShortHeader packets
- KeyManager.deriveHandshake() and .deriveApplication() — derive keys for Handshake and Application spaces per RFC 9001 §5.1
- KeyManager.discardInitialKeys() and .discardHandshakeKeys() — key lifecycle management per RFC 9001 §4.1.4
- CryptoMessageParser — parses TLS handshake message type and payload from CRYPTO frame bytes
- CryptoFrameHandler — wires CryptoFrameAssembler → CryptoMessageParser → HandshakeStateMachine.onMessage()
- QuicEndpoint.connect() — scaffolds a QuicConnection with all subsystems and transitions to handshaking
- Integration tests: test/crypto/packet/protected_packet_codec_test.dart (3 tests), test/crypto/key_manager_test.dart (5 tests), test/crypto/tls/crypto_message_parser_test.dart (8 tests), test/integration/alpha4_features_test.dart (10 tests), test/io/quic_endpoint_connect_test.dart (4 tests)
Changed
- CryptoFrameHandler.onCryptoFrame() catches invalid state transitions and marks handshake as failed
- QuicConnection._handleCryptoFrame() now delegates to CryptoFrameHandler when available
0.1.0-alpha.3 — 2026-06-27
Added
- AEAD encryption/decryption wiring in packet pipeline:
  - KeyManager — derives Initial-space keys from DCID using InitialSecrets + KeyDerivation
  - PacketNumberSpaceKeys — holds PacketProtector + HeaderProtection per space
  - QuicConnection.buildEncryptedPacket() — encrypts payload + applies header protection
  - QuicConnection.processEncryptedDatagram() — decrypts payload + dispatches frames
  - Falls back to plaintext when no keys are installed
- Integration tests: test/integration/encrypted_pipeline_test.dart (6 tests covering key derivation, encrypted build, plaintext fallback, encrypted CRYPTO/STREAM/CONNECTION_CLOSE dispatch)
Changed
- QuicConnection constructor accepts optional KeyManager
- buildPacket and processIncomingDatagram remain as plaintext fallbacks
0.1.0-alpha.2 — 2026-06-27
Added
- Packet pipeline integration in QuicConnection:
  - processIncomingDatagram() — splits coalesced packets, dispatches frames to subsystems
  - buildPacket() — builds outgoing packets with PacketSender and tracks via RecoveryManager
  - Frame dispatch: CRYPTO → CryptoFrameAssembler, ACK → RecoveryManager, STREAM → StreamManager, CONNECTION_CLOSE → ConnectionStateMachine.draining, HANDSHAKE_DONE → ConnectionStateMachine.established
- StreamManager — routes STREAM frames to QuicReceiveStream instances by stream ID
- SentPacketTracker.resetAll() — clears all tracked spaces
- QuicConnection.stateMachine public getter
- Integration tests: test/integration/packet_pipeline_test.dart (7 tests covering build, ACK dispatch, CRYPTO dispatch, STREAM dispatch, CONNECTION_CLOSE transition, coalesced packets, anti-amplification)
Changed
- RecoveryManager.reset() now calls _sentPacketTracker.resetAll()
- CI workflow fuzz/benchmark jobs reference actual scaffold files with realistic timeouts
0.1.0-alpha.1 — 2026-06-27
Security
- 36 security fixes applied across 7 audit loops covering DoS, overflow, replay, info disclosure, timing side channels, and partial frame injection
- Added memory caps on all unbounded collections (ReassemblyBuffer, ConnectionRegistry, MigrationHelper, LossDetector, SentPacketTracker, FlowController, ConnectionIdManager, CryptoFrameAssembler)
- Added integer overflow protection (CongestionController cwnd cap, PtoScheduler ptoCount cap)
- Implemented 64-packet replay window in PacketNumberSpaceManager
- Added ACK validation and clamping in SentPacketTracker
- Added RTT clamping (60s max) and maxAckDelay cap (~16s)
- Added RateLimiter utility for state transition flood protection
- Added anti-amplification limit integration into QuicConnection
- Fixed timing side channels in RetryIntegrityTag.verify and DefaultCryptoBackend.rsaPkcs1Verify
- Fixed partial frame injection vulnerability in PacketReceiver
- Sanitized toString() methods in HTTP/3 frame types to prevent info disclosure via logging
Added
- RateLimiter utility class for sliding-window rate limiting
- AntiAmplificationLimit tracker per RFC 9000 Section 8
- QuicLogger lightweight logging abstraction (replaces stdout print calls)
- Per-source IP UDP rate limiting in UdpSocket (1000 datagrams/sec)
- Integration wiring in QuicConnection: onPacketSent, onAckReceived, isPtoExpired, onPtoFired, onAddressValidated
- Public getters for all QuicConnection subsystems (cidManager, rttEstimator, lossDetector, ptoScheduler, congestionController)
Changed
- ConnectionStateMachine and WebTransportSession now use QuicLogger instead of print()
- FlowController.consume() now rejects negative byte counts
- SentPacketTracker.onAck() validates space parameter to 0..2
- PacketNumberSpaceManager.onReceived() rejects negative packet numbers
- LossDetector ignores negative packet numbers and clamps negative largestAcked
- CryptoFrameDeliverer.chunk() rejects non-positive maxFrameSize
- CoalescedPacket._decodeVarInt() and HeaderProtection._readVarInt() now guard against buffer over-read
- PacketReceiver discards all frames when any frame parse fails
Removed
- 5 experimental tmp_*.dart crypto scratchpad files using deprecated AESFastEngine
- Unused imports and fields in QuicConnection
Fixed
- Analyzer warnings: reduced from 10 to 0 in lib/src/
Documentation
- Added 7 security audit reports (Blue Team V1/V2/V3, Red Team V1/V2/Novel, Meta-Analysis)
- Added SECURITY_FIXES.md tracking all 36 fixes
- Added doc/POINTYCASTLE_4_MIGRATION.md
0.1.0-alpha.1-pre — 2026-06-25
Added
- Initial alpha release with modular QUIC, HTTP/3, WebTransport, and libp2p components
- Wire format: VarInt, packet headers, frame types, coalesced packets
- Crypto: TLS 1.3 handshake scaffold, key derivation, header protection, packet protection
- Recovery: LossDetector, SentPacketTracker, CongestionController, RttEstimator, PtoScheduler
- Streams: StreamId, SendStateMachine, ReceiveStateMachine, ReassemblyBuffer, FlowController
- Connection: ConnectionStateMachine, ConnectionIdManager, ConnectionRegistry, MigrationHelper
- HTTP/3: All frame types, SETTINGS, QPACK static table encoder
- WebTransport: Session state machine, capsule types
- libp2p: Multiaddr parser, PeerId, DCUtR message scaffold
- 1000+ tests with 96%+ line coverage