[~] fix issue #717: validate all RFC 9000 Section 7.4.1 transport parameters for 0-RTT (#792)

[~] fix issue #717: validate all RFC 9000 Section 7.4.1 transport parameters for 0-RTT

RFC 9000 Section 7.4.1 requires that when a client attempts 0-RTT, the server MUST NOT reduce 7 specific transport parameters below the remembered values. Only max_datagram_frame_size was checked, leaving core flow-control and stream-limit parameters unvalidated.

Add validation for all 7 MUST parameters in xqc_conn_tls_transport_params_cb, guarded by conn_type == CLIENT && HAS_0RTT. Add WARN-level logging for 3 SHOULD parameters. Persist active_connection_id_limit in session ticket storage so the comparison uses the actual remembered value.

[~] fix 0-RTT transport param validation: check early_data accepted, unify error codes

Address review feedback on the 0-RTT transport parameter validation:

Guard condition: add xqc_tls_is_early_data_accepted() check so the validation only fires when the server actually accepted 0-RTT. Previously the guard checked HAS_0RTT (attempted), which would incorrectly reject servers that legitimately reduced params after rejecting 0-RTT.
Error codes: unify all 8 parameter checks to use TRA_0RTT_TRANS_PARAMS_ERROR so xqc_conn_should_clear_0rtt_ticket() matches and clears the cached session ticket, preventing reconnection loops.
Fix log format specifier for max_datagram_frame_size: %ud -> %ui with (uint64_t) cast to match the other 7 checks.
Add 5 new unit tests: individual reduction tests for the 4 remaining MUST parameters, plus a test that verifies parameter reduction is allowed when 0-RTT is rejected.

[+] add e2e case tests for RFC 9000 Section 7.4.1 0-RTT transport param validation

test 700: server reduces max_streams_bidi after first connection; client detects the reduction on 0-RTT resumption and closes with TRANSPORT_PARAMETER_ERROR (0x0E).

test 701: server restarts with reduced params so the session ticket is invalid; client’s 0-RTT is rejected and the param validation is skipped, verifying the connection succeeds despite the reduction.

[~] fix 0-RTT validation: restore max_datagram_frame_size reduction check

The RFC 9000 Section 7.4.1 validation refactor accidentally removed the existing max_datagram_frame_size reduction check (RFC 9221). Restore it inside the unified 0-RTT validation block and add a corresponding unit test.

Fixes CI regressions:

0RTT max_datagram_frame_size is invalid
check_clear_0rtt_ticket_flag_in_close_notify (x3)

[~] trim redundant 0-RTT unit tests, keep 3 representative cases

Remove 10 per-parameter reduction tests that all exercise the same if (X < Y) pattern. Keep: all_equal (positive baseline), all_increased (positive), initial_max_data_reduced (negative). The 2 e2e case tests (700/701) cover real-world behavior.

[~] replace single-param reduction test with loop covering all 8 fields

One test function iterates each MUST parameter (7 from RFC 9000 Section 7.4.1 + max_datagram_frame_size), reducing it individually and verifying TRA_0RTT_TRANS_PARAMS_ERROR is triggered.

[~] rename case test IDs to 701/702 to avoid collision with existing 700

ID 700 is already used by FEC frame_type_bit and crypto_error tests on main. Move 0-RTT param validation e2e tests to 701/702.

XQUIC

GitHub

Introduction

XQUIC Library released by Alibaba is …

… a client and server implementation of QUIC and HTTP/3 as specified by the IETF. Currently supported QUIC versions are v1 and draft-29.

… OS and platform agnostic. It currently supports Android, iOS, HarmonyOS, Linux, macOS and Windows(v1.2.0). Most of the code is used in our own products, and has been tested at scale on android, iOS apps, as well as servers.

… still in active development. Interoperability is regularly tested with other QUIC implementations.

Features

Standardized Features

All big features conforming with RFC 9000, RFC9001, RFC9002, RFC9114 and RFC9204, including the interface between QUIC and TLS, 0-RTT connection establishment, HTTP/3 and QPACK.
ALPN Extension conforming with RFC7301

Not Yet Standardized Features

Library Features

Pluggable congestion control: NewReno, Cubic, BBR and BBRv2, …
Pluggable cryptography, integration with BoringSSL and BabaSSL
Cross-platform implementation, support Android, iOS, HarmonyOS, Linux, macOS and Windows(v1.2.0)

Requirements

To build XQUIC, you need

CMake
BoringSSL or BabaSSL

To run test cases, you need

libevent
CUnit

QuickStart Guide

XQUIC can be built with BabaSSL(Tongsuo) or BoringSSL.

Build with BoringSSL

sudo apt-get install -y build-essential libevent-dev

# get XQUIC source code
git clone https://github.com/alibaba/xquic.git; cd xquic

# get and build BoringSSL
git clone https://github.com/google/boringssl.git ./third_party/boringssl; cd ./third_party/boringssl
mkdir -p build && cd build
cmake -DBUILD_SHARED_LIBS=0 -DCMAKE_C_FLAGS="-fPIC" -DCMAKE_CXX_FLAGS="-fPIC" ..
make -j ssl crypto
cd ..
SSL_TYPE_STR="boringssl"
SSL_PATH_STR="${PWD}"
cd ../..

# build XQUIC with BoringSSL
# When build XQUIC with boringssl, by default XQUIC will use boringssl
# in third_party. If boringssl is deployed in other directories, SSL_PATH could be 
# used to specify the search path of boringssl
git submodule update --init --recursive
mkdir -p build; cd build
cmake -DGCOV=on -DCMAKE_BUILD_TYPE=Debug -DXQC_ENABLE_TESTING=1 -DXQC_SUPPORT_SENDMMSG_BUILD=1 -DXQC_ENABLE_EVENT_LOG=1 -DXQC_ENABLE_BBR2=1 -DXQC_ENABLE_RENO=1 -DSSL_TYPE=${SSL_TYPE_STR} -DSSL_PATH=${SSL_PATH_STR} ..

# exit if cmake error
if [ $? -ne 0 ]; then
    echo "cmake failed"
    exit 1
fi

make -j

Build with BabaSSL(Tongsuo)

sudo apt-get install -y build-essential libevent-dev

# get XQUIC source code
git clone https://github.com/alibaba/xquic.git; cd xquic

# get and build BabaSSL(Tongsuo)
git clone -b 8.3-stable https://github.com/Tongsuo-Project/Tongsuo.git ./third_party/babassl; cd ./third_party/babassl/
./config --prefix=/usr/local/babassl
make -j
SSL_TYPE_STR="babassl"
SSL_PATH_STR="${PWD}"
cd -

# build XQUIC with BabaSSL
# When build XQUIC with babassl, /usr/local/babassl directory will be searched
# as default. If babassl is deployed in other directories, SSL_PATH could be 
# used to specify the search path of babassl
git submodule update --init --recursive
mkdir -p build; cd build
cmake -DGCOV=on -DCMAKE_BUILD_TYPE=Debug -DXQC_ENABLE_TESTING=1 -DXQC_SUPPORT_SENDMMSG_BUILD=1 -DXQC_ENABLE_EVENT_LOG=1 -DXQC_ENABLE_BBR2=1 -DXQC_ENABLE_RENO=1 -DSSL_TYPE=${SSL_TYPE_STR} -DSSL_PATH=${SSL_PATH_STR} ..

# exit if cmake error
if [ $? -ne 0 ]; then
    echo "cmake failed"
    exit 1
fi

make -j

Run testcases

sh ../scripts/xquic_test.sh

Documentation

For using the API, see the API docs.
For platform support details, see the Platforms docs.
For Chinese Simplified (zh-CN) translation of the IETF QUIC Protocol, see the Translation docs.
For using quic-qlog, see the Features: qlog
For testing the library, see the Testing docs.
For other frequently asked questions, see the FAQs and Trouble Shooting Guide.

Contributing

We would love for you to contribute to XQUIC and help make it even better than it is today! All types of contributions are encouraged and valued. Thanks to all contributors. See our Contributing Guidelines for more information.

If you have any questions, please feel free to open a new Discussion topic in our discussion forums.

License

XQUIC is released under the Apache 2.0 License.

Contact Us

Feel free to contact us in the following ways:

e-mail: xquic@alibaba-inc.com
Dingtalk group: 34059705
slack channel: #xquic in quicdev group