Breaking Changes:

• The quiche_conn_stream_recv() and quiche_conn_stream_send() FFI functions now take an additional parameter out_error_code used to return more specific error information to the caller (similarly to what the Rust API already does).

Highlights:

• Added number of acked bytes to the Stats structure.
• The libquiche.so library, that exposes FFI bindings for C, will now have SONAME information.
• Added configuration option to change the anti-amplification limit factor (default will still be "3", per RFC 9500).
• Many more bug fixes and performance improvements.

Full changelog at 0.21.0...0.22.0

Highlights:

• Added initial implementation of path MTU discovery. Note that this feature is experimental and might have bugs.
• Added support to build against the "quictls" OpenSSL fork. Note that some features (e.g. 0-RTT) do not work yet in this mode.
• Many more bug fixes and performance improvements.

Full changelog at 0.20.0...0.21.0

⚠️ Security:

• Added a limit to how many connection IDs are locally queued for retirement. Without the limit an attacker could cause a server to queue an unbounded number of retired connection IDs, leading to a slow but steady increase in memory usage (CVE-2024-1410).
• Added a limit to the maximum CRYPTO frame data offset that can be buffered. Without the limit an attacker could cause a server to queue an unbounded number of bytes, leading to a slow but steady increase in memory usage (CVE-2024-1765).

Full changelog at 0.20.0...0.20.1

⚠️ Security:

• Added a limit to how many connection IDs are locally queued for retirement. Without the limit an attacker could cause a server to queue an unbounded number of retired connection IDs, leading to a slow but steady increase in memory usage (CVE-2024-1410).
• Added a limit to the maximum CRYPTO frame data offset that can be buffered. Without the limit an attacker could cause a server to queue an unbounded number of bytes, leading to a slow but steady increase in memory usage (CVE-2024-1765).

Full changelog at 0.19.1...0.19.2

⚠️ Security:

• Added a limit to how many PATH_CHALLENGE frames are queued. Without the limit an attacker could cause a server to queue an unbounded number of frames, leading to a slow but steady increase in memory usage (CVE-2023-6193).

Breaking Changes:

• Some methods related to connection IDs have been renamed to be more consistent. These are:
  • Connection::new_source_cid() -> Connection::new_scid()
  • Connection::active_source_cids() -> Connection::active_scids()
  • Connection::source_cids_left() -> Connection::scids_left()
  • Connection::retire_destination_cid() -> Connection::retire_dcid().

Highlights:

• Many new methods are now exposed via the FFI API that can be used by non-Rust code.
• Many more bug fixes and performance improvements.

Full changelog at 0.19.0...0.20.0

⚠️ Security:

• Added a limit to how many PATH_CHALLENGE frames are queued. Without the limit an attacker could cause a server to queue an unbounded number of frames, leading to a slow but steady increase in memory usage (CVE-2023-6193).

Full changelog at 0.19.0...0.19.1

Breaking Changes:

• Removed several fields from Stats (specifically fields representing transport parameters that were moved to Connection::peer_transport_params()).

Highlights:

• Added experimental support for the BBRv2 congestion control algorithm. ⚠️ Note that more work is needed on this (particularly implementing changes to update to the newer BBRv3), so it's not quite production-ready yet, and will later be merged with the existing BBRv1 implementation.
• Added Connection::peer_transport_params() which returns TransportParams representing the connection's peer's transport parameters.
• Many more bug fixes and performance improvements.

Full changelog at 0.18.0...0.19.0

Breaking Changes:

• Removed pre-RFC QUIC and HTTP/3 support (specifically for drafts 27, 28 and 29). Now only the final QUIC and HTTP/3 versions are supported.
• Removed the HTTP/3 DATAGRAM API (specifically the h3::Event::Datagram enum variant and h3::Connection::dgram_send() / h3::Connection::dgram_recv() / h3::Connection::dgram_max_writable_len() methods). Applications should use the transport-level APIs Connection::dgram_send() and Connection::dgram_recv() (see this change for example).
• Replaced Config::with_boring_ssl_ctx() with Config::with_boring_ssl_ctx_builder() which takes a SslContextBuilder rather than SslContext directly, for safety reasons.

Highlights:

• Massively improved the stream prioritization implementation, which is now much more accurate and reliable (this is largely transparent to applications, as the API hasn't changed).
• Added support for the final specification of DATAGRAMs (RFC 9297). Currently both draft and final versions are supported, but the draft support will be removed in a future release.
• Added some APIs to make working with migration and multiple CIDs easier. Specifically Connection::source_ids() which returns all active source IDs, and Connection::retired_scids() which returns the number of retired source IDs that haven't been returned to the application yet.
• Added Config::set_initial_congestion_window_packets() to configure the initial congestion window size.
• Many more bug fixes and performance improvements.

Full changelog at 0.17.2...0.18.0

Highlights:

• Added Config::set_max_pacing_rate() to configure the maximum rate for pacing.
• Many more bug fixes and performance improvements.

Full changelog at 0.17.1...0.17.2

Breaking Changes:

• The minimum required rust version was bumped to 1.66.

Highlights:

• Added Connection::send_ack_eliciting() (and Connection::send_ack_eliciting_on_path()) for the application to explicitly elicit an acknowledgment from the peer.
• Added Connection::timeout_instant() to return timeout as std::time::Instant instead of std::time::Duration.
• Added initial support for detecting stateless resets (note that this only covers some specific cases currently).
• Added support for handling peer-initiated key updates.
• Many more bug fixes and performance improvements.

Full changelog at 0.16.0...0.17.1