Skip to content

XQUIC v1.9.4

Latest

Choose a tag to compare

@dreamwind1985 dreamwind1985 released this 23 Jun 06:21
96155cf

Changes:

  1. [+] #679 remove TRA_HS_CERTIFICATE_VERIFY_FAIL (0x1FE) from reserved CRYPTO_ERROR range @dreamwind1985
  2. [+] #678 fix off-by-one in stateless reset minimum packet length check @dreamwind1985
  3. [+] fix crypto frame flood vulnerability (CWE-770): limit buffered out-of-order CRYPTO frame count and bytes per crypto stream, reject excessive sparse fragments @dreamwind1985
  4. [+] #561 reject zero-length CID in NEW_CONNECTION_ID parsing @dreamwind1985
  5. [~] fix buffer overflow: xqc_vsprintf memory out of bounds, '�' not correctly assigned when buffer is full @dreamwind1985
  6. [~] fix QPACK DDoS: add max_blocked_buf_per_stream and max_blocked_buf_per_conn to limit blocked data caching @dreamwind1985
  7. [~] fix SSL_use_certificate/SSL_set1_chain ordering, NULL deref in forbidden header check, anti-amplification default limit to 3 @dreamwind1985
  8. [~] #709 send no_application_protocol on ALPN failure per RFC 9001 8.1 @Yanmei-Liu
  9. [=] clarify AES-CTR HP mask equivalence to RFC 9001 AES-ECB (#696) @Yanmei-Liu
  10. [=] document supported TLS 1.3 cipher suites @Yanmei-Liu

Compatibility Notes:

  1. Peers sending excessive out-of-order CRYPTO frames will now trigger connection error (CWE-770 fix) - previously such frames were buffered indefinitely.
  2. QPACK blocked stream/conn limits are now enforced - applications using very large header blocks may see H3_DATA_EXCEED_LIMIT errors.
  3. NEW_CONNECTION_ID frames with zero-length CID are now rejected per RFC 9000 - previously they were silently accepted.
  4. ALPN negotiation failure now sends no_application_protocol alert per RFC 9001 8.1 - previously the connection was silently closed.
  5. TRA_HS_CERTIFICATE_VERIFY_FAIL (0x1FE) is no longer mapped to a reserved CRYPTO_ERROR code - custom error handlers relying on this specific code mapping may need updating.