fix(net.http,v2,quic): harden protocol safety, fix 29 adversarial review findings

Critical fixes (17 resolved):
- Header.add()/set() now return errors on overflow instead of
  silent header drops that could lose Content-Length/Authorization
- Remove unsafe mutation of immutable request during 303 redirects;
  use local effective_data variable instead of UB cast
- set_custom() iterates only populated header slots (cur_pos), not
  the full 50-element fixed array
- Server worker threads receive channel close signal on shutdown
  instead of leaking permanently
- HTTP/2 stream state violations now return PROTOCOL_ERROR per
  RFC 7540 §5.1, not silently ignored log messages
- HTTP/2 stream ID overflow check (>0x7FFFFFFF) prevents reuse
- Connection pool evicts stale/closed connections before returning
- QUIC RAND_bytes failure detected with arc4random fallback
- QUIC timestamps use monotonic clock (sys_mono_now) instead of
  wall clock that drifts with NTP/DST corrections (6 occurrences)
- Negative offset/length bounds check in QUIC stream data events

High fixes (12 resolved):
- Retry loops return explicit max-retries error, not misleading
  "unsupported scheme"
- Body boundary detection uses >= 0 (not > 0) for position check
- URL params properly encoded with query_escape in fetch()
- HTTP/2 unknown SETTINGS return Option (none) per RFC 7540 §6.5.2
- encode_optimized adds never-indexed check for sensitive headers
  (authorization, cookie) preventing intermediary indexing
- ConnectionPool.size() acquires mutex for thread safety
- Extension HTTP methods (PROPFIND, BREW) no longer rejected
- IPv6 address parsing supports bracket notation [::1]:port
- README Quick Start examples rewritten to match actual API
- Empty/println-only QUIC tests replaced with real assertions
- Certificate generation command fixed (separate key.pem/cert.pem)

Author: jupilhwang

examples/http2/01_simple_server.v

@@ -4,7 +4,7 @@
 //
 // To generate test certificates:
 //   openssl req -x509 -newkey rsa:2048 -nodes \
-//     -keyout cert.pem -out cert.pem -days 365 \
+//     -keyout key.pem -out cert.pem -days 365 \
 //     -subj "/CN=localhost"
 //
 // Test with: curl -k --http2 https://localhost:8080/

examples/http2/README.md

@@ -18,7 +18,7 @@ A simple HTTP/2 server demonstrating basic usage.
 v run examples/http2/01_simple_server.v
 ```
 
-Then visit: `http://localhost:8080`
+Then visit: `https://localhost:8080`
 
 ---
 
@@ -66,32 +66,50 @@ Benchmark 4: Multiple Streams Simulation
 ### Basic HTTP/2 Server
 
 ```v
-import net.http.v2
+import net.http
+
+struct MyHandler {}
+
+fn (h MyHandler) handle(req http.ServerRequest) http.ServerResponse {
+    return http.ServerResponse{
+        status_code: 200
+        header:      http.new_header_from_map({
+            .content_type: 'text/html; charset=utf-8'
+        })
+        body:        '<h1>Hello from HTTP/2!</h1>'.bytes()
+    }
+}
 
 fn main() {
-    mut server := v2.new_server(port: 8080)
-    
-    server.on('/', fn (req v2.Request) v2.Response {
-        return v2.Response{
-            status_code: 200
-            body: 'Hello HTTP/2!'
-        }
-    })
-    
-    server.listen()!
+    mut server := http.Server{
+        addr:      '0.0.0.0:8080'
+        handler:   MyHandler{}
+        cert_file: 'cert.pem'
+        key_file:  'key.pem'
+    }
+    // HTTP/2 is enabled automatically over TLS (ALPN h2)
+    server.listen_and_serve_tls() or { eprintln('Server error: ${err}') }
 }
 ```
 
 ### Basic HTTP/2 Client
 
 ```v
-import net.http.v2
+import net.http
 
 fn main() {
-    mut client := v2.new_client()
-    
-    resp := client.get('https://example.com')!
-    println(resp.body)
+    response := http.fetch(
+        url:    'https://nghttp2.org/'
+        method: .get
+        header: http.new_header_from_map({
+            .user_agent: 'V-HTTP2-Client/1.0'
+        })
+    ) or {
+        eprintln('Request failed: ${err}')
+        return
+    }
+    println('Status: ${response.status_code}')
+    println('Body: ${response.body[..200]}...')
 }
 ```
 

examples/http3/README.md

@@ -121,36 +121,56 @@ v run examples/http3/04_standalone_tests.v
 ### Basic HTTP/3 Server
 
 ```v
-import net.http.v3
+import net.http
+
+struct MyHandler {}
+
+fn (h MyHandler) handle(req http.ServerRequest) http.ServerResponse {
+    return http.ServerResponse{
+        status_code: 200
+        header:      http.new_header_from_map({
+            .content_type: 'text/html; charset=utf-8'
+        })
+        body:        '<h1>Hello from HTTP/3!</h1>'.bytes()
+    }
+}
 
 fn main() {
-    mut server := v3.new_server(
-        port: 4433
-        cert_file: 'cert.pem'
-        key_file: 'key.pem'
-    )
-    
-    server.on('/', fn (req v3.Request) v3.Response {
-        return v3.Response{
-            status_code: 200
-            body: 'Hello HTTP/3!'
-        }
-    })
-    
-    server.listen()!
+    mut server := http.Server{
+        addr:      '0.0.0.0:8080'
+        tls_addr:  ':4433'
+        h3_addr:   ':4433'
+        handler:   MyHandler{}
+        cert_file: 'server.crt'
+        key_file:  'server.key'
+        enable_h3: true
+    }
+    // Starts HTTP/1.1 + HTTP/2 + HTTP/3 with the same handler
+    server.listen_and_serve_all() or { eprintln('Server error: ${err}') }
 }
 ```
 
 ### Basic HTTP/3 Client
 
 ```v
-import net.http.v3
+import net.http
 
 fn main() {
-    mut client := v3.new_client()
-    
-    resp := client.get('https://example.com')!
-    println(resp.body)
+    // Protocol is negotiated automatically over TLS.
+    // If the server advertises HTTP/3 via Alt-Svc, subsequent
+    // requests can upgrade when using an Alt-Svc cache.
+    response := http.fetch(
+        url:    'https://cloudflare-quic.com/'
+        method: .get
+        header: http.new_header_from_map({
+            .user_agent: 'V-HTTP3-Client/1.0'
+        })
+    ) or {
+        eprintln('Request failed: ${err}')
+        return
+    }
+    println('Status: ${response.status_code}')
+    println('Body: ${response.body[..200]}...')
 }
 ```
 
@@ -165,8 +185,8 @@ import net.http.v3
 
 mut encoder := v3.new_qpack_encoder(4096, 100)
 headers := [
-    v3.HeaderField{':method', 'GET'},
-    v3.HeaderField{':path', '/'},
+    v3.HeaderField{ name: ':method', value: 'GET' },
+    v3.HeaderField{ name: ':path', value: '/' },
 ]
 encoded := encoder.encode(headers)
 // Achieves 2-30x compression ratio
@@ -177,24 +197,35 @@ encoded := encoder.encode(headers)
 ```v
 import net.quic
 
+// Create a shared session cache for ticket storage
 mut cache := quic.new_session_cache()
+
+// Store a session ticket after the first connection
 cache.store('example.com', ticket)
 
-// Next connection uses 0-RTT
+// Subsequent connections can use 0-RTT with the cached ticket
 mut conn := quic.new_connection(
-    server_name: 'example.com'
+    remote_addr:   'example.com:4433'
+    enable_0rtt:   true
     session_cache: cache
-)
-// 50-70% latency reduction
+)!
+// 50-70% latency reduction on resumed connections
 ```
 
 ### Connection Migration
 
 ```v
 import net.quic
+import net
+
+// Create a migration manager for the current path
+local_addr := net.Addr{}
+remote_addr := net.Addr{}
+mut migration := quic.new_connection_migration(local_addr, remote_addr)
 
-mut migration := quic.new_connection_migration(local, remote)
-migration.handle_network_change(new_local_addr)!
+// Probe a new path when the network changes
+new_local := net.Addr{}
+migration.probe_path(new_local, remote_addr)!
 // Seamless WiFi ↔ Cellular switching
 ```
 

vlib/net/http/alt_svc.v

@@ -129,6 +129,9 @@ fn parse_authority(authority string) (string, int) {
 	colon := authority.last_index(':') or { return authority, 0 }
 	host := authority[..colon]
 	port := authority[colon + 1..].int()
+	if port < 1 || port > 65535 {
+		return host, 0
+	}
 	return host, port
 }
 

vlib/net/http/backend.c.v

@@ -6,14 +6,14 @@ module http
 import net.ssl
 import strings
 
-fn (req &Request) ssl_do(port int, method Method, host_name string, path string) !Response {
+fn (req &Request) ssl_do(port int, method Method, host_name string, path string, effective_data string) !Response {
 	$if windows && !no_vschannel ? {
-		return vschannel_ssl_do(req, port, method, host_name, path)
+		return vschannel_ssl_do(req, port, method, host_name, path, effective_data)
 	}
-	return net_ssl_do(req, port, method, host_name, path)
+	return net_ssl_do(req, port, method, host_name, path, effective_data)
 }
 
-fn net_ssl_do(req &Request, port int, method Method, host_name string, path string) !Response {
+fn net_ssl_do(req &Request, port int, method Method, host_name string, path string, effective_data string) !Response {
 	mut ssl_conn := ssl.new_ssl_conn(
 		verify:                 req.verify
 		cert:                   req.cert
@@ -33,7 +33,7 @@ fn net_ssl_do(req &Request, port int, method Method, host_name string, path stri
 		break
 	}
 
-	req_headers := req.build_request_headers(method, host_name, port, path)
+	req_headers := req.build_request_headers(method, host_name, port, path, effective_data)
 	$if trace_http_request ? {
 		eprint('> ')
 		eprint(req_headers)

vlib/net/http/backend_vschannel_windows.c.v

@@ -11,12 +11,12 @@ pub struct C.TlsContext {}
 
 fn C.new_tls_context() C.TlsContext
 
-fn vschannel_ssl_do(req &Request, port int, method Method, host_name string, path string) !Response {
+fn vschannel_ssl_do(req &Request, port int, method Method, host_name string, path string, effective_data string) !Response {
 	mut ctx := C.new_tls_context()
 	C.vschannel_init(&ctx)
 	mut buff := unsafe { malloc_noscan(C.vsc_init_resp_buff_size) }
 	addr := host_name
-	sdata := req.build_request_headers(method, host_name, port, path)
+	sdata := req.build_request_headers(method, host_name, port, path, effective_data)
 	$if trace_http_request ? {
 		eprintln('> ${sdata}')
 	}

vlib/net/http/bench_body_test.v

@@ -47,8 +47,8 @@ fn test_bench_body_round_trip_by_size() {
 fn test_bench_server_request_construction() {
 	body_data := []u8{len: 16384, init: u8(index % 256)}
 	mut header := common.new_header()
-	header.add(.content_type, 'application/octet-stream')
-	header.add(.host, 'localhost:8080')
+	header.add(.content_type, 'application/octet-stream') or {}
+	header.add(.host, 'localhost:8080') or {}
 
 	mut sw_old := time.new_stopwatch()
 	for _ in 0 .. bench_iterations {

vlib/net/http/build_request_headers_test.v

@@ -6,6 +6,6 @@ fn test_build_request_headers_with_empty_body_adds_content_length_zero() {
 	// Build the headers for it. Ensure that Content-Length: 0 is added
 	// for requests without a body, which is required by some servers.
 	// We use a POST request, as it is most likely to be affected by this.
-	headers := req.build_request_headers(.post, 'localhost', 80, '/')
+	headers := req.build_request_headers(.post, 'localhost', 80, '/', '')
 	assert headers.contains('Content-Length: 0\r\n')
 }

vlib/net/http/common/header.v

@@ -368,7 +368,7 @@ pub fn new_header(kvs ...HeaderConfig) Header {
 
 pub fn new_header_from_map(kvs map[CommonHeader]string) Header {
 	mut h := new_header()
-	h.add_map(kvs)
+	h.add_map(kvs) or {}
 	return h
 }
 
@@ -416,10 +416,10 @@ pub fn from_map(m map[string]string) Header {
 	return h
 }
 
-pub fn (mut h Header) add(key CommonHeader, value string) {
+pub fn (mut h Header) add(key CommonHeader, value string) ! {
 	k := key.str()
 	if !h.has_capacity() {
-		return
+		return error('maximum number of headers reached')
 	}
 	h.data[h.cur_pos] = HeaderKV{k, value}
 	h.cur_pos++
@@ -434,9 +434,9 @@ pub fn (mut h Header) add_custom(key string, value string) ! {
 	h.cur_pos++
 }
 
-pub fn (mut h Header) add_map(kvs map[CommonHeader]string) {
+pub fn (mut h Header) add_map(kvs map[CommonHeader]string) ! {
 	for k, v in kvs {
-		h.add(k, v)
+		h.add(k, v)!
 	}
 }
 
@@ -446,7 +446,7 @@ pub fn (mut h Header) add_custom_map(kvs map[string]string) ! {
 	}
 }
 
-pub fn (mut h Header) set(key CommonHeader, value string) {
+pub fn (mut h Header) set(key CommonHeader, value string) ! {
 	key_str := key.str()
 	for i := 0; i < h.cur_pos; i++ {
 		if h.data[i].key == key_str && h.data[i].value != '' {
@@ -455,7 +455,7 @@ pub fn (mut h Header) set(key CommonHeader, value string) {
 		}
 	}
 	if !h.has_capacity() {
-		return
+		return error('maximum number of headers reached')
 	}
 	h.data[h.cur_pos] = HeaderKV{key_str, value}
 	h.cur_pos++
@@ -464,7 +464,8 @@ pub fn (mut h Header) set(key CommonHeader, value string) {
 pub fn (mut h Header) set_custom(key string, value string) ! {
 	is_valid(key)!
 	mut set := false
-	for i, kv in h.data {
+	for i := 0; i < h.cur_pos; i++ {
+		kv := h.data[i]
 		if kv.key == key {
 			if !set {
 				h.data[i] = HeaderKV{key, value}
@@ -620,7 +621,7 @@ pub:
 
 @[manualfree]
 pub fn (h Header) render(flags HeaderRenderConfig) string {
-	mut sb := strings.new_builder(h.data.len * 48)
+	mut sb := strings.new_builder(h.cur_pos * 48)
 	h.render_into_sb(mut sb, flags)
 	res := sb.str()
 	unsafe { sb.free() }

vlib/net/http/common/version.v

@@ -13,7 +13,7 @@ pub fn (v Version) str() string {
 	return match v {
 		.v1_1 { 'HTTP/1.1' }
 		.v2_0 { 'HTTP/2.0' }
-		.v3_0 { 'HTTP/3.0' }
+		.v3_0 { 'HTTP/3' }
 		.v1_0 { 'HTTP/1.0' }
 		.unknown { 'unknown' }
 	}