Merge branch 'main' into quinn-udp

Signed-off-by: Lars Eggert <lars@eggert.org>

.dockerignore

@@ -1,3 +1,9 @@
-nss
-nspr
-target
+# Ignore everything:
+*
+# Except for the following:
+!**/*.toml
+!**/*.rs
+!**/*.h
+!**/*.hpp
+!qns
+!Cargo.lock

.github/CODEOWNERS

@@ -1,4 +1,4 @@
-*    @KershawChang @martinthomson
+*    @KershawChang @martinthomson @larseggert
 /docker/	@martinthomson
 /hooks/    @martinthomson
 /neqo-crypto/    @martinthomson

.github/semantic.yml

@@ -0,0 +1,3 @@
+enabled: true
+titleOnly: true
+targetUrl: "https://www.conventionalcommits.org/en/v1.0.0/#summary"

.github/workflows/check.yml

@@ -17,7 +17,14 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-13, windows-latest]
-        rust-toolchain: [1.70.0, stable, beta]
+        rust-toolchain: [1.70.0, stable, nightly]
+        type: [debug]
+        include:
+          - os: ubuntu-latest
+            rust-toolchain: stable
+            type: release
+    env:
+      BUILD_TYPE: ${{ matrix.type == 'release' && '--release' || '' }}
     runs-on: ${{ matrix.os }}
     defaults:
       run:
@@ -35,8 +42,9 @@ jobs:
         env:
           DEBIAN_FRONTEND: noninteractive
         run: |
-          sudo apt-get install -y --no-install-recommends gyp mercurial ninja-build
+          sudo apt-get install -y --no-install-recommends gyp mercurial ninja-build lld
           curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
+          echo "RUSTFLAGS=-C link-arg=-fuse-ld=lld" >> "$GITHUB_ENV"
 
       # In addition to installing dependencies, first make sure System Integrity Protection (SIP)
       # is disabled on this MacOS runner. This is needed to allow the NSS libraries to be loaded
@@ -47,13 +55,15 @@ jobs:
         if: runner.os == 'MacOS'
         run: |
           csrutil status | grep disabled
-          brew install ninja mercurial cargo-binstall
+          brew install ninja mercurial cargo-binstall llvm
+          echo "/usr/local/opt/llvm/bin" >> "$GITHUB_PATH"
           # python3 -m pip install gyp-next
           # Above does not work, since pypi only has gyp 0.15.0, which is too old
           # for the homebrew python3. Install from source instead.
           python3 -m pip install git+https://github.com/nodejs/gyp-next
           python3 -m pip install packaging
           echo "$(python3 -m site --user-base)/bin" >> "$GITHUB_PATH"
+          echo "RUSTFLAGS=-C link-arg=-fuse-ld=lld" >> "$GITHUB_ENV"
 
       - name: Install dependencies (Windows)
         if: runner.os == 'Windows'
@@ -65,9 +75,10 @@ jobs:
         run: |
           echo "C:\\msys64\\usr\\bin" >> "$GITHUB_PATH"
           echo "C:\\msys64\\mingw64\\bin" >> "$GITHUB_PATH"
-          /c/msys64/usr/bin/pacman -S --noconfirm nsinstall
+          /c/msys64/usr/bin/pacman -S --noconfirm nsinstall lld
           python3 -m pip install git+https://github.com/nodejs/gyp-next
           echo "$(python3 -m site --user-base)/bin" >> "$GITHUB_PATH"
+          echo "RUSTFLAGS=-C link-arg=-fuse-ld=lld.exe" >> "$GITHUB_ENV"
 
       - name: Set up MSVC build environment (Windows)
         if: runner.os == 'Windows'
@@ -83,10 +94,11 @@ jobs:
       # version of NSS.  Ubuntu 20.04 only has 3.49, which is far too old.
       # (neqo-crypto/build.rs would also need to query pkg-config to get the
       # right build flags rather than building NSS.)
+      # Clone from the main hg repo, because the GitHub mirror can be out of date.
       - name: Fetch NSS and NSPR
         run: |
           hg clone https://hg.mozilla.org/projects/nspr "$NSPR_DIR"
-          git clone --depth=1 https://github.com/nss-dev/nss "$NSS_DIR"
+          hg clone https://hg.mozilla.org/projects/nss "$NSS_DIR"
           echo "NSS_DIR=$NSS_DIR" >> "$GITHUB_ENV"
           echo "NSPR_DIR=$NSPR_DIR" >> "$GITHUB_ENV"
         env:
@@ -104,44 +116,50 @@ jobs:
 
       - name: Build
         run: |
-          cargo +${{ matrix.rust-toolchain }} build -v --all-targets
-          echo "LD_LIBRARY_PATH=${{ github.workspace }}/dist/Debug/lib" >> "$GITHUB_ENV"
-          echo "DYLD_FALLBACK_LIBRARY_PATH=${{ github.workspace }}/dist/Debug/lib" >> "$GITHUB_ENV"
-          echo "${{ github.workspace }}/dist/Debug/lib" >> "$GITHUB_PATH"
+          cargo +${{ matrix.rust-toolchain }} build $BUILD_TYPE --all-targets --features ci,bench
+          echo "LD_LIBRARY_PATH=${{ github.workspace }}/dist/$LIB_DIR/lib" >> "$GITHUB_ENV"
+          echo "DYLD_FALLBACK_LIBRARY_PATH=${{ github.workspace }}/dist/$LIB_DIR/lib" >> "$GITHUB_ENV"
+          echo "${{ github.workspace }}/dist/$LIB_DIR/lib" >> "$GITHUB_PATH"
+        env:
+          LIB_DIR: ${{ matrix.type == 'release' && 'Release' || 'Debug' }}
 
       - name: Run tests and determine coverage
-        run: cargo +${{ matrix.rust-toolchain }} llvm-cov nextest --features ci --all-targets --no-fail-fast --lcov --output-path lcov.info
+        run: cargo +${{ matrix.rust-toolchain }} llvm-cov nextest $BUILD_TYPE --all-targets --features ci,bench --no-fail-fast --lcov --output-path lcov.info
 
       - name: Run client/server transfer
         run: |
-          cargo +${{ matrix.rust-toolchain }} build --bin neqo-client --bin neqo-server
-          cargo +${{ matrix.rust-toolchain }} run --bin neqo-server -- $HOST:4433 &
+          cargo +${{ matrix.rust-toolchain }} build $BUILD_TYPE --features ci,bench --bin neqo-client --bin neqo-server
+          cargo +${{ matrix.rust-toolchain }} run $BUILD_TYPE  --features ci,bench --bin neqo-server -- $HOST:4433 &
           PID=$!
-          cargo +${{ matrix.rust-toolchain }} run --bin neqo-client -- --output-dir . https://$HOST:4433/$SIZE
+          cargo +${{ matrix.rust-toolchain }} run $BUILD_TYPE --features ci,bench --bin neqo-client -- --output-dir . https://$HOST:4433/$SIZE
           kill $PID
           [ "$(wc -c <"$SIZE")" -eq "$SIZE" ] || exit 1
         env:
           HOST: localhost
           SIZE: 54321
-          RUST_LOG: info
+          RUST_LOG: warn
 
       - name: Check formatting
-        run: cargo +${{ matrix.rust-toolchain }} fmt --all -- --check
+        run: |
+          if [ "${{ matrix.rust-toolchain }}" != "nightly" ]; then
+            export CONFIG_PATH="--config-path=$(mktemp)"
+          fi
+          cargo +${{ matrix.rust-toolchain }} fmt --all -- --check $CONFIG_PATH
         if: success() || failure()
 
       - name: Clippy
-        run: cargo +${{ matrix.rust-toolchain }} clippy -v --tests -- -D warnings
+        run: cargo +${{ matrix.rust-toolchain }} clippy --all-targets -- -D warnings
         if: success() || failure()
-        continue-on-error: ${{ matrix.rust-toolchain == 'beta' }}
+        continue-on-error: ${{ matrix.rust-toolchain == 'nightly' }}
 
       - name: Check rustdoc links
-        run: cargo +${{ matrix.rust-toolchain }} doc --verbose --workspace --no-deps --document-private-items
+        run: cargo +${{ matrix.rust-toolchain }} doc --workspace --no-deps --document-private-items
         env:
           RUSTDOCFLAGS: "--deny rustdoc::broken_intra_doc_links --deny warnings"
         if: success() || failure()
 
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
           file: lcov.info
           fail_ci_if_error: false

.github/workflows/qns.yml

@@ -5,14 +5,17 @@ on:
     - cron: '42 3 * * 2,5' # Runs at 03:42 UTC (m and h chosen arbitrarily) twice a week.
   workflow_dispatch:
   pull_request:
-    branch: ["main"]
+    branches: ["main"]
     paths:
       - 'qns/**'
       - '.github/workflows/qns.yml'
 jobs:
   docker-image:
     runs-on: ubuntu-latest
     steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -47,3 +50,4 @@ jobs:
             RUST_VERSION=stable
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          platforms: linux/amd64, linux/arm64

.rustfmt.toml

@@ -0,0 +1,7 @@
+comment_width=100
+wrap_comments=true
+
+imports_granularity="Crate"
+group_imports="StdExternalCrate"
+
+format_code_in_doc_comments=true

SECURITY.md

@@ -0,0 +1,31 @@
+# Security Policy
+
+This document describes how security vulnerabilities in this project should be reported.
+
+## Supported Versions
+
+Support for neqo is based on the Firefox version in which it has landed.
+Versions of neqo in [current versions of Firefox](https://whattrainisitnow.com/calendar/) are actively supported.
+
+The version of neqo that is active can be found in the Firefox repositories:
+
+- [release](https://hg.mozilla.org/mozilla-unified/file/release/third_party/rust/neqo-transport/Cargo.toml),
+- [beta](https://hg.mozilla.org/mozilla-unified/file/beta/third_party/rust/neqo-transport/Cargo.toml), and
+- [trunk/central](https://hg.mozilla.org/mozilla-unified/file/central/third_party/rust/neqo-transport/Cargo.toml),
+- [ESR 115](https://hg.mozilla.org/mozilla-unified/file/esr115/third_party/rust/neqo-transport/Cargo.toml).
+
+The listed version in these files corresponds to [tags](https://github.com/mozilla/neqo/tags) on this repository.
+Releases do not always correspond to a branch.
+
+We welcome reports of security vulnerabilities in any of these released versions or the latest code on the `main` branch.
+
+## Reporting a Vulnerability
+
+To report a security problem with neqo, create a bug in Mozilla's Bugzilla instance in the [Core :: Networking](https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Networking) component.
+
+**IMPORTANT: For security issues, please make sure that you check the box labelled "Many users could be harmed by this security problem".**
+We advise that you check this option for anything that involves anything security-relevant, including memory safety, crashes, race conditions, and handling of confidential information.
+
+Review Mozilla's [guides on bug reporting](https://bugzilla.mozilla.org/page.cgi?id=bug-writing.html) before you open a bug.
+
+Mozilla operates a [bug bounty program](https://www.mozilla.org/en-US/security/bug-bounty/), for which this project is eligible.

hooks/pre-commit

@@ -32,12 +32,20 @@ if [[ ./neqo-crypto/bindings/bindings.toml -nt ./neqo-crypto/src/lib.rs ]]; then
     exit 1
 fi
 
+toolchain=nightly
+fmtconfig="$root/.rustfmt.toml"
+if cargo "+$toolchain" version >/dev/null; then
+    echo "warning: A rust $toolchain toolchain is recommended to check formatting."
+    toolchain=stable
+    fmtconfig=/dev/null
+fi
+
 # Check formatting.
 trap 'git stash pop -q' EXIT
 git stash push -k -u -q -m "pre-commit stash"
-if ! errors=($(cargo fmt -- --check -l)); then
+if ! errors=($(cargo "+$toolchain" fmt -- --check -l --config-path="$fmtconfig")); then
     echo "Formatting errors found."
-    echo "Run \`cargo fmt\` to fix the following files:"
+    echo "Run \`cargo fmt +$toolchain\` to fix the following files:"
     for err in "${errors[@]}"; do
         echo "  $err"
     done

neqo-client/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "neqo-client"
-version = "0.6.8"
+version = "0.7.0"
 authors = ["Martin Thomson <mt@lowentropy.net>",
 	"Dragana Damjanovic <dragana.damjano@gmail.com>",
 	"Andy Grover <agrover@mozilla.com>"]
@@ -9,14 +9,16 @@ rust-version = "1.70.0"
 license = "MIT OR Apache-2.0"
 
 [dependencies]
-mio = "~0.6.23"
+futures = "0.3"
+log = {version = "0.4.17", default-features = false}
 neqo-common = { path="./../neqo-common" }
 neqo-crypto = { path = "./../neqo-crypto" }
 neqo-http3 = { path = "./../neqo-http3" }
 neqo-qpack = { path = "./../neqo-qpack" }
 neqo-transport = { path = "./../neqo-transport" }
-qlog = "0.11.0"
+qlog = "0.12.0"
 structopt = "0.3"
+tokio = { version = "1", features = ["net", "time", "macros", "rt", "rt-multi-thread"] }
 url = "~2.5.0"
 
 [features]