test case

Co-authored-by: Ben-PH <benphawke@gmail.com>

.github/actions/add_comment/action.yml

@@ -0,0 +1,41 @@
+name: Add Comment
+description: "Add or update comment in the PR"
+inputs:
+  marker:
+    description: "Text used to find the comment to update"
+    required: true
+  markdown_path:
+    description: "Path to the file containing markdown"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Add/Update Comment
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const fs = require('fs');
+          const marker = "${{ inputs.marker }}";
+          const body = fs.readFileSync("${{ inputs.markdown_path }}", 'utf8');
+          const { data: comments } = await github.rest.issues.listComments({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            issue_number: context.issue.number,
+          });
+          const existing = comments.find(c => c.body && c.body.startsWith(marker));
+          if (existing) {
+            await github.rest.issues.updateComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: existing.id,
+              body,
+            });
+          } else {
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body,
+            });
+          }

.github/actions/discord_notify/action.yml

@@ -0,0 +1,49 @@
+name: Discord Failure Notification
+description: "Send Discord notification when CI jobs fail"
+inputs:
+  webhook_url:
+    description: "Discord webhook URL"
+    required: true
+  workflow_name:
+    description: "Name of the workflow that failed"
+    required: false
+    default: ${{ github.workflow }}
+  branch:
+    description: "Branch name"
+    required: false
+    default: ${{ github.ref_name }}
+  repository:
+    description: "Repository name"
+    required: false
+    default: ${{ github.repository }}
+  run_id:
+    description: "GitHub run ID"
+    required: false
+    default: ${{ github.run_id }}
+  server_url:
+    description: "GitHub server URL"
+    required: false
+    default: ${{ github.server_url }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Send Discord notification
+      shell: bash
+      run: |
+        curl -H "Content-Type: application/json" \
+             -X POST \
+             -d "{
+               \"embeds\": [{
+                 \"title\": \"${{ inputs.workflow_name }} Job Failed\",
+                 \"url\": \"${{ inputs.server_url }}/${{ inputs.repository }}/actions/runs/${{ inputs.run_id }}\",
+                 \"description\": \"The workflow has failed on branch \`${{ inputs.branch }}\`\",
+                 \"color\": 15158332,
+                 \"fields\": [
+                   {\"name\": \"Repository\", \"value\": \"${{ inputs.repository }}\", \"inline\": true},
+                   {\"name\": \"Branch\", \"value\": \"${{ inputs.branch }}\", \"inline\": true}
+                 ],
+                 \"timestamp\": \"$(date -u +%Y-%m-%dT%H:%M:%S.000Z)\"
+               }]
+             }" \
+             "${{ inputs.webhook_url }}"

.github/actions/install_nim/action.yml

@@ -8,7 +8,7 @@ inputs:
     default: "amd64"
   nim_ref:
     description: "Nim version"
-    default: "version-1-6"
+    default: "version-2-0"
   shell:
     description: "Shell to run commands in"
     default: "bash --noprofile --norc -e -o pipefail"

.github/workflows/ci.yml

@@ -14,7 +14,7 @@ concurrency:
 
 jobs:
   test:
-    timeout-minutes: 90
+    timeout-minutes: 40
     strategy:
       fail-fast: false
       matrix:
@@ -32,10 +32,10 @@ jobs:
           - os: windows
             cpu: amd64
         nim:
-          - ref: version-1-6
-            memory_management: refc
           - ref: version-2-0
             memory_management: refc
+          - ref: version-2-2
+            memory_management: refc
         include:
           - platform:
               os: linux
@@ -116,5 +116,5 @@ jobs:
           nimble --version
           gcc --version
 
-          NIMFLAGS="${NIMFLAGS} --mm:${{ matrix.nim.memory_management }}"
+          export NIMFLAGS="${NIMFLAGS} --mm:${{ matrix.nim.memory_management }}" 
           nimble test

.github/workflows/daily_amd64.yml

@@ -6,9 +6,37 @@ on:
   workflow_dispatch:
 
 jobs:
-  test_amd64:
-    name: Daily amd64
+  test_amd64_latest:
+    name: Daily test amd64 (latest dependencies)
     uses: ./.github/workflows/daily_common.yml
     with:
-      nim: "[{'ref': 'version-1-6', 'memory_management': 'refc'}, {'ref': 'version-2-0', 'memory_management': 'refc'}]"
+      nim: "[
+          {'ref': 'version-2-0', 'memory_management': 'refc'},
+          {'ref': 'version-2-2', 'memory_management': 'refc'},
+          {'ref': 'devel', 'memory_management': 'refc'},
+        ]"
       cpu: "['amd64']"
+  test_amd64_pinned:
+    name: Daily test amd64 (pinned dependencies)
+    uses: ./.github/workflows/daily_common.yml
+    with:
+      pinned_deps: true
+      nim: "[
+          {'ref': 'version-2-0', 'memory_management': 'refc'},
+          {'ref': 'version-2-2', 'memory_management': 'refc'},
+          {'ref': 'devel', 'memory_management': 'refc'},
+        ]"
+      cpu: "['amd64']"
+  notify-on-failure:
+    name: Notify Discord on Failure
+    needs: [test_amd64_latest, test_amd64_pinned]
+    if: failure()
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Discord notification
+        uses: ./.github/actions/discord_notify
+        with:
+          webhook_url: ${{ secrets.DISCORD_WEBHOOK_URL }}

.github/workflows/daily_common.yml

@@ -4,6 +4,11 @@ name: Daily Common
 on:
   workflow_call:
     inputs:
+      pinned_deps:
+        description: 'Should dependencies be installed from pinned file or use latest versions'
+        required: false
+        type: boolean
+        default: false
       nim:
         description: 'Nim Configuration'
         required: true
@@ -17,26 +22,18 @@ on:
         required: false
         type: string
         default: "[]"
-      use_sat_solver:
-        description: 'Install dependencies with SAT Solver'
-        required: false
-        type: boolean
-        default: false
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
 
 jobs:
   delete_cache:
     name: Delete github action's branch cache
     runs-on: ubuntu-latest
+    continue-on-error: true
     steps:
       - uses: snnaplab/delete-branch-cache-action@v1
 
   test:
     needs: delete_cache
-    timeout-minutes: 90
+    timeout-minutes: 40
     strategy:
       fail-fast: false
       matrix:
@@ -81,8 +78,14 @@ jobs:
       - name: Install p2pd
         run: |
           V=1 bash scripts/build_p2pd.sh p2pdCache 124530a3
-        
-      - name: Install dependencies
+
+      - name: Install dependencies (pinned)
+        if: ${{ inputs.pinned_deps }}
+        run: |
+          nimble install_pinned
+
+      - name: Install dependencies (latest)
+        if: ${{ inputs.pinned_deps == false }}
         run: |
           nimble install -y --depsOnly
 
@@ -91,11 +94,14 @@ jobs:
           nim --version
           nimble --version
 
-          if [[ "${{ inputs.use_sat_solver }}" == "true" ]]; then
-            dependency_solver="sat"
-          else
-            dependency_solver="legacy"
-          fi
-
-          NIMFLAGS="${NIMFLAGS} --mm:${{ matrix.nim.memory_management }} --solver:${dependency_solver}"
+          export NIMFLAGS="${NIMFLAGS} --mm:${{ matrix.nim.memory_management }}"
           nimble test
+
+      - name: Run integration tests
+        if: ${{ matrix.platform.os == 'linux' && matrix.cpu == 'amd64' }}
+        run: |
+          nim --version
+          nimble --version
+
+          export NIMFLAGS="${NIMFLAGS} --mm:${{ matrix.nim.memory_management }}"
+          nimble testintegration

.github/workflows/daily_devel.yml

@@ -1,14 +0,0 @@
-name: Daily Nim Devel
-
-on:
-  schedule:
-    - cron: "30 6 * * *"
-  workflow_dispatch:
-
-jobs:
-  test_nim_devel:
-    name: Daily Nim Devel
-    uses: ./.github/workflows/daily_common.yml
-    with:
-      nim: "[{'ref': 'devel', 'memory_management': 'orc'}]"
-      cpu: "['amd64']"

.github/workflows/daily_i386.yml

@@ -6,10 +6,45 @@ on:
   workflow_dispatch:
 
 jobs:
-  test_i386:
-    name: Daily i386 (Linux)
+  test_i386_latest:
+    name: Daily i386 (latest dependencies)
     uses: ./.github/workflows/daily_common.yml
     with:
-      nim: "[{'ref': 'version-1-6', 'memory_management': 'refc'}, {'ref': 'version-2-0', 'memory_management': 'refc'}, {'ref': 'devel', 'memory_management': 'orc'}]"
+      nim: "[
+          {'ref': 'version-2-0', 'memory_management': 'refc'},
+          {'ref': 'version-2-2', 'memory_management': 'refc'},
+          {'ref': 'devel', 'memory_management': 'refc'},
+        ]"
       cpu: "['i386']"
-      exclude: "[{'platform': {'os':'macos'}}, {'platform': {'os':'windows'}}]"
+      exclude: "[
+          {'platform': {'os':'macos'}},
+          {'platform': {'os':'windows'}},
+        ]"
+  test_i386_pinned:
+    name: Daily i386 (pinned dependencies)
+    uses: ./.github/workflows/daily_common.yml
+    with:
+      pinned_deps: true
+      nim: "[
+          {'ref': 'version-2-0', 'memory_management': 'refc'},
+          {'ref': 'version-2-2', 'memory_management': 'refc'},
+          {'ref': 'devel', 'memory_management': 'refc'},
+        ]"
+      cpu: "['i386']"
+      exclude: "[
+          {'platform': {'os':'macos'}},
+          {'platform': {'os':'windows'}},
+        ]"
+  notify-on-failure:
+    name: Notify Discord on Failure
+    needs: [test_i386_latest, test_i386_pinned]
+    if: failure()
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Discord notification
+        uses: ./.github/actions/discord_notify
+        with:
+          webhook_url: ${{ secrets.DISCORD_WEBHOOK_URL }}

.github/workflows/daily_nimbus.yml

@@ -0,0 +1,39 @@
+name: Daily Nimbus
+
+on:
+  schedule:
+    - cron: "30 6 * * *"
+  workflow_dispatch:
+
+jobs:
+  compile_nimbus:
+    timeout-minutes: 80
+    name: 'Compile Nimbus (linux-amd64)'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Compile nimbus using nim-libp2p
+        run: |
+          git clone --branch unstable --single-branch https://github.com/status-im/nimbus-eth2.git
+          cd nimbus-eth2
+          git submodule set-branch --branch ${{ github.sha }} vendor/nim-libp2p
+
+          make -j"$(nproc)"
+          make -j"$(nproc)" nimbus_beacon_node
+
+  notify-on-failure:
+    name: Notify Discord on Failure
+    needs: compile_nimbus
+    if: failure()
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Discord notification
+        uses: ./.github/actions/discord_notify
+        with:
+          webhook_url: ${{ secrets.DISCORD_WEBHOOK_URL }}
+

.github/workflows/daily_sat.yml

@@ -1,15 +0,0 @@
-name: Daily SAT
-
-on:
-  schedule:
-    - cron: "30 6 * * *"
-  workflow_dispatch:
-
-jobs:
-  test_amd64:
-    name: Daily SAT
-    uses: ./.github/workflows/daily_common.yml
-    with:
-      nim: "[{'ref': 'version-2-0', 'memory_management': 'refc'}]"
-      cpu: "['amd64']"
-      use_sat_solver: true

.github/workflows/dependencies.yml

@@ -17,13 +17,13 @@ jobs:
         target:
           - repository: status-im/nimbus-eth2
             ref: unstable
-            token: ${{ secrets.ACTIONS_GITHUB_TOKEN_NIMBUS_ETH2 }}
+            secret: ACTIONS_GITHUB_TOKEN_NIMBUS_ETH2
           - repository: waku-org/nwaku
             ref: master
-            token: ${{ secrets.ACTIONS_GITHUB_TOKEN_NWAKU }}
+            secret: ACTIONS_GITHUB_TOKEN_NWAKU
           - repository: codex-storage/nim-codex
             ref: master
-            token: ${{ secrets.ACTIONS_GITHUB_TOKEN_NIM_CODEX }}
+            secret: ACTIONS_GITHUB_TOKEN_NIM_CODEX
     steps:
       - name: Clone target repository
         uses: actions/checkout@v4
@@ -32,7 +32,7 @@ jobs:
           ref: ${{ matrix.target.ref}}
           path: nbc
           fetch-depth: 0
-          token: ${{ matrix.target.token }}
+          token: ${{ secrets[matrix.target.secret] }}
 
       - name: Checkout this ref in target repository
         run: |
@@ -50,4 +50,16 @@ jobs:
           git branch -D nim-libp2p-auto-bump-${{ matrix.target.ref }} || true
           git switch -c nim-libp2p-auto-bump-${{ matrix.target.ref }}
           git push -f origin nim-libp2p-auto-bump-${{ matrix.target.ref }}
+  notify-on-failure:
+    name: Notify Discord on Failure
+    needs: [bumper]
+    if: failure()
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
 
+      - name: Discord notification
+        uses: ./.github/actions/discord_notify
+        with:
+          webhook_url: ${{ secrets.DISCORD_WEBHOOK_URL }}

.github/workflows/documentation.yml

@@ -21,7 +21,7 @@ jobs:
 
       - uses: jiro4989/setup-nim-action@v1
         with:
-          nim-version: '1.6.x'
+          nim-version: '2.2.x'
 
       - name: Generate doc
         run: |

.github/workflows/examples.yml

@@ -36,7 +36,7 @@ jobs:
           shell: bash
           os: linux
           cpu: amd64
-          nim_ref: version-1-6
+          nim_ref: version-2-2
 
       - name: Restore deps from cache
         id: deps-cache

.github/workflows/interop.yml

@@ -27,7 +27,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: docker/setup-buildx-action@v3
       - name: Build image
-        run: docker buildx build --load -t nim-libp2p-head -f tests/transport-interop/Dockerfile .
+        run: docker buildx build --load -t nim-libp2p-head -f interop/transport/Dockerfile .
       - name: Run tests
         uses: libp2p/test-plans/.github/actions/run-transport-interop-test@master
         with:
@@ -35,26 +35,28 @@ jobs:
           # without suffix action fails because "hole-punching-interop" artifacts have 
           # the same name as "transport-interop" artifacts
           test-results-suffix: transport-interop
-          extra-versions: ${{ github.workspace }}/tests/transport-interop/version.json
+          extra-versions: ${{ github.workspace }}/interop/transport/version.json
           s3-cache-bucket: ${{ vars.S3_LIBP2P_BUILD_CACHE_BUCKET_NAME }}
           s3-access-key-id: ${{ vars.S3_LIBP2P_BUILD_CACHE_AWS_ACCESS_KEY_ID }}
           s3-secret-access-key: ${{ secrets.S3_LIBP2P_BUILD_CACHE_AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ vars.S3_LIBP2P_BUILD_CACHE_AWS_REGION }}
 
-  run-hole-punching-interop:
-    name: Run hole-punching interoperability tests
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-buildx-action@v3
-      - name: Build image
-        run: docker buildx build --load -t nim-libp2p-head -f tests/hole-punching-interop/Dockerfile .
-      - name: Run tests
-        uses: libp2p/test-plans/.github/actions/run-interop-hole-punch-test@master
-        with:
-          test-filter: nim-libp2p-head
-          extra-versions: ${{ github.workspace }}/tests/hole-punching-interop/version.json
-          s3-cache-bucket: ${{ vars.S3_LIBP2P_BUILD_CACHE_BUCKET_NAME }}
-          s3-access-key-id: ${{ vars.S3_LIBP2P_BUILD_CACHE_AWS_ACCESS_KEY_ID }}
-          s3-secret-access-key: ${{ secrets.S3_LIBP2P_BUILD_CACHE_AWS_SECRET_ACCESS_KEY }}
-          aws-region: ${{ vars.S3_LIBP2P_BUILD_CACHE_AWS_REGION }}
+  # nim-libp2p#1367: hole punching tests are temporary disabled as they keep failing
+  # and issue does not seem to be on nim-libp2p side
+  # run-hole-punching-interop:
+  #   name: Run hole-punching interoperability tests
+  #   runs-on: ubuntu-22.04
+  #   steps:
+  #     - uses: actions/checkout@v4
+  #     - uses: docker/setup-buildx-action@v3
+  #     - name: Build image
+  #       run: docker buildx build --load -t nim-libp2p-head -f interop/hole-punching/Dockerfile .
+  #     - name: Run tests
+  #       uses: libp2p/test-plans/.github/actions/run-interop-hole-punch-test@master
+  #       with:
+  #         test-filter: nim-libp2p-head
+  #         extra-versions: ${{ github.workspace }}/interop/hole-punching/version.json
+  #         s3-cache-bucket: ${{ vars.S3_LIBP2P_BUILD_CACHE_BUCKET_NAME }}
+  #         s3-access-key-id: ${{ vars.S3_LIBP2P_BUILD_CACHE_AWS_ACCESS_KEY_ID }}
+  #         s3-secret-access-key: ${{ secrets.S3_LIBP2P_BUILD_CACHE_AWS_SECRET_ACCESS_KEY }}
+  #         aws-region: ${{ vars.S3_LIBP2P_BUILD_CACHE_AWS_REGION }}

.github/workflows/linters.yml

@@ -22,6 +22,6 @@ jobs:
         uses: arnetheduck/nph-action@v1
         with:
           version: 0.6.1
-          options: "examples libp2p tests tools *.nim*"
+          options: "examples libp2p tests interop tools *.nim*"
           fail: true
           suggest: true

.github/workflows/performance.yml

@@ -0,0 +1,69 @@
+name: Performance
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+  merge_group:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  examples:
+    timeout-minutes: 10
+    strategy:
+      fail-fast: false
+
+    defaults:
+      run:
+        shell: bash
+
+    name: "Performance"
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker Image with cache
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: performance/Dockerfile
+          tags: test-node:latest
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Run
+        run: |
+          ./performance/runner.sh
+
+      - name: Set up Nim for aggragate script
+        uses: jiro4989/setup-nim-action@v2
+        with:
+          nim-version: "2.x"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Aggregate and display summary
+        env:
+          MARKER: "<!-- perf-summary-marker -->"
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          COMMENT_SUMMARY_PATH: "/tmp/perf-summary.md"
+        run: |
+          nim c -r -d:release -o:/tmp/aggregate_stats ./performance/aggregate_stats.nim
+
+      - name: Post/Update PR Performance Comment
+        if: github.event_name == 'pull_request'
+        uses: ./.github/actions/add_comment
+        with:
+          marker: "<!-- perf-summary-marker -->"
+          markdown_path: "/tmp/perf-summary.md"

.pinned

@@ -1,19 +1,21 @@
-bearssl;https://github.com/status-im/nim-bearssl@#667b40440a53a58e9f922e29e20818720c62d9ac
-chronicles;https://github.com/status-im/nim-chronicles@#32ac8679680ea699f7dbc046e8e0131cac97d41a
-chronos;https://github.com/status-im/nim-chronos@#c04576d829b8a0a1b12baaa8bc92037501b3a4a0
+bearssl;https://github.com/status-im/nim-bearssl@#34d712933a4e0f91f5e66bc848594a581504a215
+chronicles;https://github.com/status-im/nim-chronicles@#61759a5e8df8f4d68bcd1b4b8c1adab3e72bbd8d
+chronos;https://github.com/status-im/nim-chronos@#b55e2816eb45f698ddaca8d8473e401502562db2
 dnsclient;https://github.com/ba0f3/dnsclient.nim@#23214235d4784d24aceed99bbfe153379ea557c8
-faststreams;https://github.com/status-im/nim-faststreams@#720fc5e5c8e428d9d0af618e1e27c44b42350309
-httputils;https://github.com/status-im/nim-http-utils@#3b491a40c60aad9e8d3407443f46f62511e63b18
-json_serialization;https://github.com/status-im/nim-json-serialization@#85b7ea093cb85ee4f433a617b97571bd709d30df
+faststreams;https://github.com/status-im/nim-faststreams@#c51315d0ae5eb2594d0bf41181d0e1aca1b3c01d
+httputils;https://github.com/status-im/nim-http-utils@#79cbab1460f4c0cdde2084589d017c43a3d7b4f1
+json_serialization;https://github.com/status-im/nim-json-serialization@#2b1c5eb11df3647a2cee107cd4cce3593cbb8bcf
 metrics;https://github.com/status-im/nim-metrics@#6142e433fc8ea9b73379770a788017ac528d46ff
 ngtcp2;https://github.com/status-im/nim-ngtcp2@#9456daa178c655bccd4a3c78ad3b8cce1f0add73
-nimcrypto;https://github.com/cheatfate/nimcrypto@#1c8d6e3caf3abc572136ae9a1da81730c4eb4288
-quic;https://github.com/status-im/nim-quic.git@#d54e8f0f2e454604b767fadeae243d95c30c383f
-results;https://github.com/arnetheduck/nim-results@#f3c666a272c69d70cb41e7245e7f6844797303ad
-secp256k1;https://github.com/status-im/nim-secp256k1@#7246d91c667f4cc3759fdd50339caa45a2ecd8be
-serialization;https://github.com/status-im/nim-serialization@#4bdbc29e54fe54049950e352bb969aab97173b35
-stew;https://github.com/status-im/nim-stew@#3159137d9a3110edb4024145ce0ba778975de40e
-testutils;https://github.com/status-im/nim-testutils@#dfc4c1b39f9ded9baf6365014de2b4bfb4dafc34
-unittest2;https://github.com/status-im/nim-unittest2@#2300fa9924a76e6c96bc4ea79d043e3a0f27120c
-websock;https://github.com/status-im/nim-websock@#f8ed9b40a5ff27ad02a3c237c4905b0924e3f982
-zlib;https://github.com/status-im/nim-zlib@#38b72eda9d70067df4a953f56b5ed59630f2a17b
+nimcrypto;https://github.com/cheatfate/nimcrypto@#19c41d6be4c00b4a2c8000583bd30cf8ceb5f4b1
+quic;https://github.com/status-im/nim-quic.git@#d9a4cbccd509f7a3ee835f75b01dec29d27a0f14
+results;https://github.com/arnetheduck/nim-results@#df8113dda4c2d74d460a8fa98252b0b771bf1f27
+secp256k1;https://github.com/status-im/nim-secp256k1@#f808ed5e7a7bfc42204ec7830f14b7a42b63c284
+serialization;https://github.com/status-im/nim-serialization@#548d0adc9797a10b2db7f788b804330306293088
+stew;https://github.com/status-im/nim-stew@#0db179256cf98eb9ce9ee7b9bc939f219e621f77
+testutils;https://github.com/status-im/nim-testutils@#9e842bd58420d23044bc55e16088e8abbe93ce51
+unittest2;https://github.com/status-im/nim-unittest2@#8b51e99b4a57fcfb31689230e75595f024543024
+websock;https://github.com/status-im/nim-websock@#d5cd89062cd2d168ef35193c7d29d2102921d97e
+zlib;https://github.com/status-im/nim-zlib@#daa8723fd32299d4ca621c837430c29a5a11e19a
+jwt;https://github.com/vacp2p/nim-jwt@#18f8378de52b241f321c1f9ea905456e89b95c6f
+bearssl_pkey_decoder;https://github.com/vacp2p/bearssl_pkey_decoder@#21dd3710df9345ed2ad8bf8f882761e07863b8e0

README.md

@@ -20,39 +20,130 @@
 - [Background](#background)
 - [Install](#install)
 - [Getting Started](#getting-started)
-  - [Go-libp2p-daemon](#go-libp2p-daemon)
-- [Modules](#modules)
-- [Users](#users)
-- [Stability](#stability)
 - [Development](#development)
   - [Contribute](#contribute)
   - [Contributors](#contributors)
   - [Core Maintainers](#core-maintainers)
+- [Modules](#modules)
+- [Users](#users)
+- [Stability](#stability)
 - [License](#license)
 
 ## Background
 libp2p is a [Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer) networking stack, with [implementations](https://github.com/libp2p/libp2p#implementations) in multiple languages derived from the same [specifications.](https://github.com/libp2p/specs)
 
-Building large scale peer-to-peer systems has been complex and difficult in the last 15 years and libp2p is a way to fix that. It's striving to be a modular stack, with sane and secure defaults, useful protocols, while remain open and extensible.
-This implementation in native Nim, relying on [chronos](https://github.com/status-im/nim-chronos) for async. It's used in production by a few [projects](#users)
+Building large scale peer-to-peer systems has been complex and difficult in the last 15 years and libp2p is a way to fix that. It strives to be a modular stack with secure defaults and useful protocols, while remaining open and extensible.
+This is a native Nim implementation, using [chronos](https://github.com/status-im/nim-chronos) for asynchronous execution. It's used in production by a few [projects](#users)
 
 Learn more about libp2p at [**libp2p.io**](https://libp2p.io) and follow libp2p's documentation [**docs.libp2p.io**](https://docs.libp2p.io).
 
 ## Install
-**Prerequisite**
-- [Nim](https://nim-lang.org/install.html)
-> The currently supported Nim version is 1.6.18.
+
+> The currently supported Nim versions are 2.0 and 2.2.
 
 ```
 nimble install libp2p
 ```
+You'll find the nim-libp2p documentation [here](https://vacp2p.github.io/nim-libp2p/docs/). See [examples](./examples) for simple usage patterns.
 
 ## Getting Started
-You'll find the nim-libp2p documentation [here](https://vacp2p.github.io/nim-libp2p/docs/).
+Try out the chat example. For this you'll need to have [`go-libp2p-daemon`](examples/go-daemon/daemonapi.md) running. Full code can be found [here](https://github.com/status-im/nim-libp2p/blob/master/examples/chat.nim):
+
+```bash
+nim c -r --threads:on examples/directchat.nim
+```
+
+This will output a peer ID such as `QmbmHfVvouKammmQDJck4hz33WvVktNEe7pasxz2HgseRu` which you can use in another instance to connect to it.
+
+```bash
+./examples/directchat
+/connect QmbmHfVvouKammmQDJck4hz33WvVktNEe7pasxz2HgseRu # change this hash by the hash you were given
+```
+
+You can now chat between the instances!
+
+![Chat example](https://imgur.com/caYRu8K.gif)
+
+## Development
+Clone the repository and install the dependencies:
+```sh
+git clone https://github.com/vacp2p/nim-libp2p
+cd nim-libp2p
+nimble install -dy
+```
+You can use `nix develop` to start a shell with Nim and Nimble.
+
+nimble 0.20.1 is required for running `testnative`. At time of writing, this is not available in nixpkgs: If using `nix develop`, follow up with `nimble install nimble`, and use that (typically `~/.nimble/bin/nimble`).
 
 ### Testing
-Remember you'll need to build the `go-libp2p-daemon` binary to run the `nim-libp2p` tests.
-To do so, please follow the installation instructions in [daemonapi.md](examples/go-daemon/daemonapi.md).
+Run unit tests:
+```sh
+# run all the unit tests
+nimble test
+```
+**Obs:** Running all tests requires the [`go-libp2p-daemon` to be installed and running](examples/go-daemon/daemonapi.md).
+
+If you only want to run tests that don't require `go-libp2p-daemon`, use:
+```
+nimble testnative
+```
+
+For a list of all available test suites, use:
+```
+nimble tasks
+```
+
+### Contribute
+
+The libp2p implementation in Nim is a work in progress. We welcome contributors to help out! Specifically, you can:
+- Go through the modules and **check out existing issues**. This would be especially useful for modules in active development. Some knowledge of IPFS/libp2p may be required, as well as the infrastructure behind it.
+- **Perform code reviews**. Feel free to let us know if you found anything that can a) speed up the project development b) ensure better quality and c) reduce possible future bugs.
+- **Add tests**. Help nim-libp2p to be more robust by adding more tests to the [tests folder](tests/).
+- **Small PRs**. Try to keep PRs atomic and digestible. This makes the review process and pinpointing bugs easier.
+- **Code format**. Code should be formatted with [nph](https://github.com/arnetheduck/nph) and follow the [Status Nim Style Guide](https://status-im.github.io/nim-style-guide/).
+- **Join the Conversation**. Connect with other contributors in our [community channel](https://discord.com/channels/1204447718093750272/1351621032263417946). Ask questions, share ideas, get support, and stay informed about the latest updates from the maintainers.
+
+### Contributors
+<a href="https://github.com/vacp2p/nim-libp2p/graphs/contributors"><img src="https://contrib.rocks/image?repo=vacp2p/nim-libp2p" alt="nim-libp2p contributors"></a>
+
+### Core Maintainers
+<table>
+  <tbody>
+    <tr>
+      <td align="center"><a href="https://github.com/richard-ramos"><img src="https://avatars.githubusercontent.com/u/1106587?v=4?s=100" width="100px;" alt="Richard"/><br /><sub><b>Richard</b></sub></a></td>
+      <td align="center"><a href="https://github.com/vladopajic"><img src="https://avatars.githubusercontent.com/u/4353513?v=4?s=100" width="100px;" alt="Vlado"/><br /><sub><b>Vlado</b></sub></a></td>
+      <td align="center"><a href="https://github.com/gmelodie"><img src="https://avatars.githubusercontent.com/u/8129788?v=4?s=100" width="100px;" alt="Gabe"/><br /><sub><b>Gabe</b></sub></a></td>
+    </tr>
+  </tbody>
+</table>
+
+### Compile time flags
+
+Enable quic transport support
+```bash
+nim c -d:libp2p_quic_support some_file.nim
+```
+
+Enable autotls support
+```bash
+nim c -d:libp2p_autotls_support some_file.nim
+```
+
+Enable expensive metrics (ie, metrics with per-peer cardinality):
+```bash
+nim c -d:libp2p_expensive_metrics some_file.nim
+```
+
+Set list of known libp2p agents for metrics:
+```bash
+nim c -d:libp2p_agents_metrics -d:KnownLibP2PAgents=nimbus,lighthouse,lodestar,prysm,teku some_file.nim
+```
+
+Specify gossipsub specific topics to measure in the metrics:
+```bash
+nim c -d:KnownLibP2PTopics=topic1,topic2,topic3 some_file.nim
+```
+
 
 ## Modules
 List of packages modules implemented in nim-libp2p:
@@ -80,10 +171,10 @@ List of packages modules implemented in nim-libp2p:
 | [libp2p-yamux](libp2p/muxers/yamux/yamux.nim)              | [Yamux](https://docs.libp2p.io/concepts/multiplex/yamux/) multiplexer                                            |
 | **Data Types**                                             |                                                                                                                  |
 | [peer-id](libp2p/peerid.nim)                               | [Cryptographic identifiers](https://docs.libp2p.io/concepts/fundamentals/peers/#peer-id)                         |
-| [peer-store](libp2p/peerstore.nim)                         | ["Address book" of known peers](https://docs.libp2p.io/concepts/fundamentals/peers/#peer-store)                  |
+| [peer-store](libp2p/peerstore.nim)                         | [Address book of known peers](https://docs.libp2p.io/concepts/fundamentals/peers/#peer-store)                  |
 | [multiaddress](libp2p/multiaddress.nim)                    | [Composable network addresses](https://github.com/multiformats/multiaddr)                                        |
-| [signed envelope](libp2p/signed_envelope.nim)              | [Signed generic data container](https://github.com/libp2p/specs/blob/master/RFC/0002-signed-envelopes.md)        |
-| [routing record](libp2p/routing_record.nim)                | [Signed peer dialing informations](https://github.com/libp2p/specs/blob/master/RFC/0003-routing-records.md)      |
+| [signed-envelope](libp2p/signed_envelope.nim)              | [Signed generic data container](https://github.com/libp2p/specs/blob/master/RFC/0002-signed-envelopes.md)        |
+| [routing-record](libp2p/routing_record.nim)                | [Signed peer dialing informations](https://github.com/libp2p/specs/blob/master/RFC/0003-routing-records.md)      |
 | [discovery manager](libp2p/discovery/discoverymngr.nim)    | Discovery Manager                                                                                                |
 | **Utilities**                                              |                                                                                                                  |
 | [libp2p-crypto](libp2p/crypto)                             | Cryptographic backend                                                                                            |
@@ -109,67 +200,7 @@ The versioning follows [semver](https://semver.org/), with some additions:
 - Some of libp2p procedures are marked as `.public.`, they will remain compatible during each `MAJOR` version
 - The rest of the procedures are considered internal, and can change at any `MINOR` version (but remain compatible for each new `PATCH`)
 
-We aim to be compatible at all time with at least 2 Nim `MINOR` versions, currently `1.6 & 2.0`
-
-## Development
-Clone and Install dependencies:
-```sh
-git clone https://github.com/vacp2p/nim-libp2p
-cd nim-libp2p
-# to use dependencies computed by nimble
-nimble install -dy
-# OR to install the dependencies versions used in CI
-nimble install_pinned
-```
-
-Run unit tests:
-```sh
-# run all the unit tests
-nimble test
-```
-This requires the go daemon to be available. To only run native tests, use `nimble testnative`.
-Or use `nimble tasks` to show all available tasks.
-
-### Contribute
-
-The libp2p implementation in Nim is a work in progress. We welcome contributors to help out! Specifically, you can:
-- Go through the modules and **check out existing issues**. This would be especially useful for modules in active development. Some knowledge of IPFS/libp2p may be required, as well as the infrastructure behind it.
-- **Perform code reviews**. Feel free to let us know if you found anything that can a) speed up the project development b) ensure better quality and c) reduce possible future bugs.
-- **Add tests**. Help nim-libp2p to be more robust by adding more tests to the [tests folder](tests/).
-- **Small PRs**. Try to keep PRs atomic and digestible. This makes the review process and pinpointing bugs easier.
-- **Code format**. Please format code using [nph](https://github.com/arnetheduck/nph) v0.5.1. This will ensure a consistent codebase and make PRs easier to review. A CI rule has been added to ensure that future commits are all formatted using the same nph version.
-The code follows the [Status Nim Style Guide](https://status-im.github.io/nim-style-guide/).
-
-### Contributors
-<a href="https://github.com/vacp2p/nim-libp2p/graphs/contributors"><img src="https://contrib.rocks/image?repo=vacp2p/nim-libp2p" alt="nim-libp2p contributors"></a>
-
-### Core Maintainers
-<table>
-  <tbody>
-    <tr>
-      <td align="center"><a href="https://github.com/richard-ramos"><img src="https://avatars.githubusercontent.com/u/1106587?v=4?s=100" width="100px;" alt="Richard"/><br /><sub><b>Richard</b></sub></a></td>
-      <td align="center"><a href="https://github.com/vladopajic"><img src="https://avatars.githubusercontent.com/u/4353513?v=4?s=100" width="100px;" alt="Vlado"/><br /><sub><b>Vlado</b></sub></a></td>
-      <td align="center"><a href="https://github.com/gmelodie"><img src="https://avatars.githubusercontent.com/u/8129788?v=4?s=100" width="100px;" alt="Gabe"/><br /><sub><b>Gabe</b></sub></a></td>
-    </tr>
-  </tbody>
-</table>
-
-### Compile time flags
-
-Enable expensive metrics (ie, metrics with per-peer cardinality):
-```bash
-nim c -d:libp2p_expensive_metrics some_file.nim
-```
-
-Set list of known libp2p agents for metrics:
-```bash
-nim c -d:libp2p_agents_metrics -d:KnownLibP2PAgents=nimbus,lighthouse,lodestar,prysm,teku some_file.nim
-```
-
-Specify gossipsub specific topics to measure in the metrics:
-```bash
-nim c -d:KnownLibP2PTopics=topic1,topic2,topic3 some_file.nim
-```
+We aim to be compatible at all time with at least 2 Nim `MINOR` versions, currently `2.0 & 2.2`
 
 ## License
 

config.nims

@@ -4,6 +4,7 @@ if dirExists("nimbledeps/pkgs"):
 if dirExists("nimbledeps/pkgs2"):
   switch("NimblePath", "nimbledeps/pkgs2")
 
+switch("warningAsError", "UnusedImport:on")
 switch("warning", "CaseTransition:off")
 switch("warning", "ObservableStores:off")
 switch("warning", "LockLevel:off")

examples/README.md

@@ -1,5 +1,5 @@
 # nim-libp2p examples
 
-In this folder, you'll find the sources of the [nim-libp2p website](https://status-im.github.io/nim-libp2p/docs/)
+In this folder, you'll find the sources of the [nim-libp2p website](https://vacp2p.github.io/nim-libp2p/docs/)
 
 We recommand to follow the tutorials on the website, but feel free to grok the sources here!

examples/circuitrelay.nim

@@ -1,3 +1,4 @@
+{.used.}
 ## # Circuit Relay example
 ##
 ## Circuit Relay can be used when a node cannot reach another node

examples/directchat.nim

@@ -1,3 +1,4 @@
+{.used.}
 when not (compileOption("threads")):
   {.fatal: "Please, compile this program with the --threads:on option!".}
 

examples/go-daemon/daemonapi.md

@@ -3,9 +3,7 @@
 - [Prerequisites](#prerequisites)
 - [Installation](#installation)
   - [Script](#script)
-- [Usage](#usage)
-  - [Example](#example)
-  - [Getting Started](#getting-started)
+- [Examples](#examples)
 
 # Introduction
 This is a libp2p-backed daemon wrapping the functionalities of go-libp2p for use in Nim. <br>
@@ -13,20 +11,25 @@ For more information about the go daemon, check out [this repository](https://gi
 > **Required only** for running the tests.
 
 # Prerequisites
-Go with version `1.16.0`.
+Go with version `1.16.0`
 > You will *likely* be able to build `go-libp2p-daemon` with different Go versions, but **they haven't been tested**.
 
 # Installation
-Follow one of the methods below:
-
-## Script
 Run the build script while having the `go` command pointing to the correct Go version.
-We recommend using `1.16.0`, as previously stated.
 ```sh
 ./scripts/build_p2pd.sh
 ```
-If everything goes correctly, the binary (`p2pd`) should be built and placed in the correct directory.
-If you find any issues, please head into our discord and ask for our assistance.
+`build_p2pd.sh` will not rebuild unless needed. If you already have the newest binary and you want to force the rebuild, use:
+```sh
+./scripts/build_p2pd.sh -f
+```
+Or:
+```sh
+./scripts/build_p2pd.sh --force
+```
+
+If everything goes correctly, the binary (`p2pd`) should be built and placed in the `$GOPATH/bin` directory.
+If you're having issues, head into [our discord](https://discord.com/channels/864066763682218004/1115526869769535629) and ask for assistance.
 
 After successfully building the binary, remember to add it to your path so it can be found. You can do that by running:
 ```sh
@@ -34,28 +37,7 @@ export PATH="$PATH:$HOME/go/bin"
 ```
 > **Tip:** To make this change permanent, add the command above to your `.bashrc` file.
 
-# Usage 
-
-## Example
+# Examples
 Examples can be found in the [examples folder](https://github.com/status-im/nim-libp2p/tree/readme/examples/go-daemon)
 
-## Getting Started
-Try out the chat example. Full code can be found [here](https://github.com/status-im/nim-libp2p/blob/master/examples/chat.nim):
-
-```bash
-nim c -r --threads:on examples/directchat.nim
-```
-
-This will output a peer ID such as `QmbmHfVvouKammmQDJck4hz33WvVktNEe7pasxz2HgseRu` which you can use in another instance to connect to it.
-
-```bash
-./examples/directchat
-/connect QmbmHfVvouKammmQDJck4hz33WvVktNEe7pasxz2HgseRu
-```
-
-You can now chat between the instances!
-
-![Chat example](https://imgur.com/caYRu8K.gif)
-
-
 

examples/helloworld.nim

@@ -1,3 +1,5 @@
+{.used.}
+
 import chronos # an efficient library for async
 import stew/byteutils # various utils
 import libp2p

examples/index.md

@@ -3,4 +3,4 @@
 Welcome to the nim-libp2p documentation!
 
 Here, you'll find [tutorials](tutorial_1_connect.md) to help you get started, as well as 
-the [full reference](https://status-im.github.io/nim-libp2p/master/libp2p.html).
+the [full reference](https://vacp2p.github.io/nim-libp2p/master/libp2p.html).

examples/tutorial_1_connect.nim

@@ -1,3 +1,4 @@
+{.used.}
 ## # Simple ping tutorial
 ##
 ## Hi all, welcome to the first nim-libp2p tutorial!

examples/tutorial_2_customproto.nim

@@ -1,3 +1,4 @@
+{.used.}
 ## # Custom protocol in libp2p
 ##
 ## In the [previous tutorial](tutorial_1_connect.md), we've looked at how to create a simple ping program using the `nim-libp2p`.

examples/tutorial_3_protobuf.nim

@@ -1,3 +1,4 @@
+{.used.}
 ## # Protobuf usage
 ##
 ## In the [previous tutorial](tutorial_2_customproto.md), we created a simple "ping" protocol.

examples/tutorial_4_gossipsub.nim

@@ -1,3 +1,4 @@
+{.used.}
 ## # GossipSub
 ##
 ## In this tutorial, we'll build a simple GossipSub network

examples/tutorial_5_discovery.nim

@@ -1,3 +1,4 @@
+{.used.}
 ## # Discovery Manager
 ##
 ## In the [previous tutorial](tutorial_4_gossipsub.md), we built a custom protocol using [protobuf](https://developers.google.com/protocol-buffers) and

examples/tutorial_6_game.nim

@@ -1,3 +1,4 @@
+{.used.}
 ## # Tron example
 ##
 ## In this tutorial, we will create a video game based on libp2p, using

flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1752620740,
+        "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,34 @@
+{
+  description = "nim-libp2p dev shell flake";
+
+  nixConfig = {
+    extra-substituters = [ "https://nix-cache.status.im/" ];
+    extra-trusted-public-keys = [ "nix-cache.status.im-1:x/93lOfLU+duPplwMSBR+OlY4+mo+dCN7n0mr4oPwgY=" ];
+  };
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+  };
+
+  outputs = { self, nixpkgs }:
+    let
+      stableSystems = [
+        "x86_64-linux" "aarch64-linux" "armv7a-linux"
+        "x86_64-darwin" "aarch64-darwin"
+        "x86_64-windows"
+      ];
+      forEach = nixpkgs.lib.genAttrs;
+      forAllSystems = forEach stableSystems;
+      pkgsFor = forEach stableSystems (
+        system: import nixpkgs { inherit system; }
+      );
+    in rec {
+      devShells = forAllSystems (system: {
+        default = pkgsFor.${system}.mkShell {
+          nativeBuildInputs = with pkgsFor.${system}; [
+            nim-2_2 nimble openssl.dev
+          ];
+        };
+      });
+    };
+}

interop/hole-punching/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.5-labs
-FROM nimlang/nim:1.6.16 as builder
+FROM nimlang/nim:latest as builder
 
 WORKDIR /workspace
 
@@ -11,7 +11,7 @@ RUN cd nim-libp2p && nimble install_pinned && nimble install redis -y
 
 COPY . nim-libp2p/
 
-RUN cd nim-libp2p && nim c --skipParentCfg --NimblePath:./nimbledeps/pkgs -d:chronicles_log_level=DEBUG -d:chronicles_default_output_device=stderr -d:release --threads:off --skipProjCfg -o:hole-punching-tests ./tests/hole-punching-interop/hole_punching.nim
+RUN cd nim-libp2p && nim c --skipParentCfg --NimblePath:./nimbledeps/pkgs2 --mm:refc -d:chronicles_log_level=DEBUG -d:chronicles_default_output_device=stderr -d:release --threads:off --skipProjCfg -o:hole-punching-tests ./interop/hole-punching/hole_punching.nim
 
 FROM --platform=linux/amd64 debian:bullseye-slim
 RUN --mount=type=cache,target=/var/cache/apt apt-get update && apt-get install -y dnsutils jq curl tcpdump iproute2 libssl-dev

interop/hole-punching/hole_punching.nim

@@ -0,0 +1,138 @@
+import std/[os, options, strformat, sequtils]
+import redis
+import chronos, chronicles
+import
+  ../../libp2p/[
+    builders,
+    switch,
+    multicodec,
+    observedaddrmanager,
+    services/hpservice,
+    services/autorelayservice,
+    protocols/connectivity/autonat/client as aclient,
+    protocols/connectivity/relay/client as rclient,
+    protocols/connectivity/relay/relay,
+    protocols/connectivity/autonat/service,
+    protocols/ping,
+  ]
+import ../../tests/[stubs/autonatclientstub, errorhelpers]
+
+logScope:
+  topics = "hp interop node"
+
+proc createSwitch(r: Relay = nil, hpService: Service = nil): Switch =
+  let rng = newRng()
+  var builder = SwitchBuilder
+    .new()
+    .withRng(rng)
+    .withAddresses(@[MultiAddress.init("/ip4/0.0.0.0/tcp/0").tryGet()])
+    .withObservedAddrManager(ObservedAddrManager.new(maxSize = 1, minCount = 1))
+    .withTcpTransport({ServerFlags.TcpNoDelay})
+    .withYamux()
+    .withAutonat()
+    .withNoise()
+
+  if hpService != nil:
+    builder = builder.withServices(@[hpService])
+
+  if r != nil:
+    builder = builder.withCircuitRelay(r)
+
+  let s = builder.build()
+  s.mount(Ping.new(rng = rng))
+  return s
+
+proc main() {.async.} =
+  let relayClient = RelayClient.new()
+  let autoRelayService = AutoRelayService.new(1, relayClient, nil, newRng())
+  let autonatClientStub = AutonatClientStub.new(expectedDials = 1)
+  autonatClientStub.answer = NotReachable
+  let autonatService = AutonatService.new(autonatClientStub, newRng(), maxQueueSize = 1)
+  let hpservice = HPService.new(autonatService, autoRelayService)
+
+  let
+    isListener = getEnv("MODE") == "listen"
+    switch = createSwitch(relayClient, hpservice)
+    auxSwitch = createSwitch()
+    redisClient = open("redis", 6379.Port)
+
+  debug "Connected to redis"
+
+  await switch.start()
+  await auxSwitch.start()
+
+  let relayAddr =
+    try:
+      redisClient.bLPop(@["RELAY_TCP_ADDRESS"], 0)
+    except Exception as e:
+      raise newException(CatchableError, e.msg)
+
+  debug "All relay addresses", relayAddr
+
+  # This is necessary to make the autonat service work. It will ask this peer for our reachability which the autonat
+  # client stub will answer NotReachable.
+  await switch.connect(auxSwitch.peerInfo.peerId, auxSwitch.peerInfo.addrs)
+
+  # Wait for autonat to be NotReachable
+  while autonatService.networkReachability != NetworkReachability.NotReachable:
+    await sleepAsync(100.milliseconds)
+
+  # This will trigger the autonat relay service to make a reservation.
+  let relayMA = MultiAddress.init(relayAddr[1]).tryGet()
+
+  try:
+    debug "Dialing relay...", relayMA
+    let relayId = await switch.connect(relayMA).wait(30.seconds)
+    debug "Connected to relay", relayId
+  except AsyncTimeoutError as e:
+    raise newException(CatchableError, "Connection to relay timed out: " & e.msg, e)
+
+  # Wait for our relay address to be published
+  while not switch.peerInfo.addrs.anyIt(it.contains(multiCodec("p2p-circuit")).tryGet()):
+    await sleepAsync(100.milliseconds)
+
+  if isListener:
+    let listenerPeerId = switch.peerInfo.peerId
+    discard redisClient.rPush("LISTEN_CLIENT_PEER_ID", $listenerPeerId)
+    debug "Pushed listener client peer id to redis", listenerPeerId
+
+    # Nothing to do anymore, wait to be killed
+    await sleepAsync(2.minutes)
+  else:
+    let listenerId =
+      try:
+        PeerId.init(redisClient.bLPop(@["LISTEN_CLIENT_PEER_ID"], 0)[1]).tryGet()
+      except Exception as e:
+        raise newException(CatchableError, "Exception init peer: " & e.msg, e)
+
+    debug "Got listener peer id", listenerId
+    let listenerRelayAddr = MultiAddress.init($relayMA & "/p2p-circuit").tryGet()
+
+    debug "Dialing listener relay address", listenerRelayAddr
+    await switch.connect(listenerId, @[listenerRelayAddr])
+
+    # wait for hole-punching to complete in the background
+    await sleepAsync(5000.milliseconds)
+
+    let conn = switch.connManager.selectMuxer(listenerId).connection
+    let channel = await switch.dial(listenerId, @[listenerRelayAddr], PingCodec)
+    let delay = await Ping.new().ping(channel)
+    await allFuturesThrowing(
+      channel.close(), conn.close(), switch.stop(), auxSwitch.stop()
+    )
+    echo &"""{{"rtt_to_holepunched_peer_millis":{delay.millis}}}"""
+
+try:
+  proc mainAsync(): Future[string] {.async.} =
+    # mainAsync wraps main and returns some value, as otherwise
+    # 'waitFor(fut)' has no type (or is ambiguous)
+    await main()
+    return "done"
+
+  discard waitFor(mainAsync().wait(4.minutes))
+except AsyncTimeoutError as e:
+  error "Program execution timed out", description = e.msg
+  quit(-1)
+except CatchableError as e:
+  error "Unexpected error", description = e.msg
+  quit(-1)

interop/transport/Dockerfile

@@ -0,0 +1,18 @@
+# syntax=docker/dockerfile:1.5-labs
+FROM nimlang/nim:latest as builder
+
+WORKDIR /app
+
+COPY .pinned libp2p.nimble nim-libp2p/
+
+RUN --mount=type=cache,target=/var/cache/apt apt-get update && apt-get install -y libssl-dev
+
+RUN cd nim-libp2p && nimble install_pinned && nimble install redis -y
+
+COPY . nim-libp2p/
+
+RUN \
+  cd nim-libp2p && \
+  nim c --skipProjCfg --skipParentCfg --NimblePath:./nimbledeps/pkgs2 -p:nim-libp2p --mm:refc -d:libp2p_quic_support -d:chronicles_log_level=WARN -d:chronicles_default_output_device=stderr --threads:off ./interop/transport/main.nim
+
+ENTRYPOINT ["/app/nim-libp2p/interop/transport/main"]

interop/transport/main.nim

@@ -47,12 +47,9 @@ proc main() {.async.} =
         MultiAddress.init("/ip4/" & ip & "/udp/0/quic-v1").tryGet()
       )
   of "ws":
-    discard switchBuilder
-      .withTransport(
-        proc(upgr: Upgrade, privateKey: PrivateKey): Transport =
-          WsTransport.new(upgr)
+    discard switchBuilder.withWsTransport().withAddress(
+        MultiAddress.init("/ip4/" & ip & "/tcp/0/ws").tryGet()
       )
-      .withAddress(MultiAddress.init("/ip4/" & ip & "/tcp/0/ws").tryGet())
   else:
     doAssert false
 
@@ -83,7 +80,7 @@ proc main() {.async.} =
       try:
         redisClient.bLPop(@["listenerAddr"], testTimeout.seconds.int)[1]
       except Exception as e:
-        raise newException(CatchableError, e.msg)
+        raise newException(CatchableError, "Exception calling bLPop: " & e.msg, e)
     let
       remoteAddr = MultiAddress.init(listenerAddr).tryGet()
       dialingStart = Moment.now()
@@ -99,7 +96,18 @@ proc main() {.async.} =
         pingRTTMilllis: float(pingDelay.milliseconds),
       )
     )
-    quit(0)
 
-discard waitFor(main().withTimeout(testTimeout))
-quit(1)
+try:
+  proc mainAsync(): Future[string] {.async.} =
+    # mainAsync wraps main and returns some value, as otherwise
+    # 'waitFor(fut)' has no type (or is ambiguous)
+    await main()
+    return "done"
+
+  discard waitFor(mainAsync().wait(testTimeout))
+except AsyncTimeoutError as e:
+  error "Program execution timed out", description = e.msg
+  quit(-1)
+except CatchableError as e:
+  error "Unexpected error", description = e.msg
+  quit(-1)

libp2p.nim

@@ -52,7 +52,6 @@ else:
       stream/connection,
       transports/transport,
       transports/tcptransport,
-      transports/quictransport,
       protocols/secure/noise,
       cid,
       multihash,
@@ -71,3 +70,7 @@ else:
     minprotobuf, switch, peerid, peerinfo, connection, multiaddress, crypto, lpstream,
     bufferstream, muxer, mplex, transport, tcptransport, noise, errors, cid, multihash,
     multicodec, builders, pubsub
+
+  when defined(libp2p_quic_support):
+    import libp2p/transports/quictransport
+    export quictransport

libp2p.nimble

@@ -1,17 +1,17 @@
 mode = ScriptMode.Verbose
 
 packageName = "libp2p"
-version = "1.10.0"
+version = "1.11.0"
 author = "Status Research & Development GmbH"
 description = "LibP2P implementation"
 license = "MIT"
 skipDirs = @["tests", "examples", "Nim", "tools", "scripts", "docs"]
 
-requires "nim >= 1.6.0",
+requires "nim >= 2.0.0",
   "nimcrypto >= 0.6.0 & < 0.7.0", "dnsclient >= 0.3.0 & < 0.4.0", "bearssl >= 0.2.5",
-  "chronicles >= 0.10.2", "chronos >= 4.0.3", "metrics", "secp256k1", "stew#head",
-  "websock", "unittest2", "results",
-  "https://github.com/status-im/nim-quic.git#d54e8f0f2e454604b767fadeae243d95c30c383f"
+  "chronicles >= 0.11.0 & < 0.12.0", "chronos >= 4.0.4", "metrics", "secp256k1",
+  "stew >= 0.4.0", "websock >= 0.2.0", "unittest2", "results", "quic >= 0.2.10",
+  "https://github.com/vacp2p/nim-jwt.git#18f8378de52b241f321c1f9ea905456e89b95c6f"
 
 let nimc = getEnv("NIMC", "nim") # Which nim compiler to use
 let lang = getEnv("NIMLANG", "c") # Which backend (c/cpp/js)
@@ -30,7 +30,7 @@ proc runTest(filename: string, moreoptions: string = "") =
   excstr.add(" " & moreoptions & " ")
   if getEnv("CICOV").len > 0:
     excstr &= " --nimcache:nimcache/" & filename & "-" & $excstr.hash
-  exec excstr & " -r " & " tests/" & filename
+  exec excstr & " -r -d:libp2p_quic_support -d:libp2p_autotls_support tests/" & filename
   rmFile "tests/" & filename.toExe
 
 proc buildSample(filename: string, run = false, extraFlags = "") =
@@ -56,12 +56,15 @@ task testinterop, "Runs interop tests":
   runTest("testinterop")
 
 task testpubsub, "Runs pubsub tests":
-  runTest("pubsub/testpubsub")
+  runTest("pubsub/testpubsub", "-d:libp2p_gossipsub_1_4")
 
 task testfilter, "Run PKI filter test":
   runTest("testpkifilter")
   runTest("testpkifilter", moreoptions = "-d:libp2p_pki_schemes=")
 
+task testintegration, "Runs integraion tests":
+  runTest("testintegration")
+
 task test, "Runs the test suite":
   runTest("testall")
   exec "nimble testfilter"

libp2p/autotls/acme/api.nim

@@ -0,0 +1,533 @@
+import json, uri
+from times import DateTime, parse
+import chronos/apps/http/httpclient, results, chronicles
+
+import ./utils
+import ../../crypto/crypto
+import ../../crypto/rsa
+
+export ACMEError
+
+logScope:
+  topics = "libp2p acme api"
+
+const
+  LetsEncryptURL* = "https://acme-v02.api.letsencrypt.org"
+  LetsEncryptURLStaging* = "https://acme-staging-v02.api.letsencrypt.org"
+  Alg = "RS256"
+  DefaultChalCompletedRetries = 10
+  DefaultChalCompletedRetryTime = 1.seconds
+  DefaultFinalizeRetries = 10
+  DefaultFinalizeRetryTime = 1.seconds
+  DefaultRandStringSize = 256
+  ACMEHttpHeaders = [("Content-Type", "application/jose+json")]
+
+type Authorization* = string
+type Domain* = string
+type Kid* = string
+type Nonce* = string
+
+type ACMEDirectory* = object
+  newNonce*: string
+  newOrder*: string
+  newAccount*: string
+
+type ACMEApi* = ref object of RootObj
+  directory: Opt[ACMEDirectory]
+  session: HttpSessionRef
+  acmeServerURL*: Uri
+
+type HTTPResponse* = object
+  body*: JsonNode
+  headers*: HttpTable
+
+type JWK = object
+  kty: string
+  n: string
+  e: string
+
+# whether the request uses Kid or not
+type ACMERequestType = enum
+  ACMEJwkRequest
+  ACMEKidRequest
+
+type ACMERequestHeader = object
+  alg: string
+  typ: string
+  nonce: Nonce
+  url: string
+  case kind: ACMERequestType
+  of ACMEJwkRequest:
+    jwk: JWK
+  of ACMEKidRequest:
+    kid: Kid
+
+type Email = string
+
+type ACMERegisterRequest* = object
+  termsOfServiceAgreed: bool
+  contact: seq[Email]
+
+type ACMEAccountStatus = enum
+  valid = "valid"
+  deactivated = "deactivated"
+  revoked = "revoked"
+
+type ACMERegisterResponseBody = object
+  status*: ACMEAccountStatus
+
+type ACMERegisterResponse* = object
+  kid*: Kid
+  status*: ACMEAccountStatus
+
+type ACMEChallengeStatus* {.pure.} = enum
+  PENDING = "pending"
+  PROCESSING = "processing"
+  VALID = "valid"
+  INVALID = "invalid"
+
+type ACMEOrderStatus* {.pure.} = enum
+  PENDING = "pending"
+  READY = "ready"
+  PROCESSING = "processing"
+  VALID = "valid"
+  INVALID = "invalid"
+
+type ACMEChallengeType* {.pure.} = enum
+  DNS01 = "dns-01"
+  HTTP01 = "http-01"
+  TLSALPN01 = "tls-alpn-01"
+
+type ACMEChallengeToken* = string
+
+type ACMEChallenge* = object
+  url*: string
+  `type`*: ACMEChallengeType
+  status*: ACMEChallengeStatus
+  token*: ACMEChallengeToken
+
+type ACMEChallengeIdentifier = object
+  `type`: string
+  value: string
+
+type ACMEChallengeRequest = object
+  identifiers: seq[ACMEChallengeIdentifier]
+
+type ACMEChallengeResponseBody = object
+  status: ACMEOrderStatus
+  authorizations: seq[Authorization]
+  finalize: string
+
+type ACMEChallengeResponse* = object
+  status*: ACMEOrderStatus
+  authorizations*: seq[Authorization]
+  finalize*: string
+  order*: string
+
+type ACMEChallengeResponseWrapper* = object
+  finalize*: string
+  order*: string
+  dns01*: ACMEChallenge
+
+type ACMEAuthorizationsResponse* = object
+  challenges*: seq[ACMEChallenge]
+
+type ACMECompletedResponse* = object
+  url: string
+
+type ACMECheckKind* = enum
+  ACMEOrderCheck
+  ACMEChallengeCheck
+
+type ACMECheckResponse* = object
+  case kind: ACMECheckKind
+  of ACMEOrderCheck:
+    orderStatus: ACMEOrderStatus
+  of ACMEChallengeCheck:
+    chalStatus: ACMEChallengeStatus
+  retryAfter: Duration
+
+type ACMEFinalizeResponse* = object
+  status: ACMEOrderStatus
+
+type ACMEOrderResponse* = object
+  certificate: string
+  expires: string
+
+type ACMECertificateResponse* = object
+  rawCertificate*: string
+  certificateExpiry*: DateTime
+
+type ACMECertificate* = object
+  rawCertificate*: string
+  certificateExpiry*: DateTime
+  certKeyPair*: KeyPair
+
+when defined(libp2p_autotls_support):
+  import options, sequtils, strutils, jwt, bearssl/pem
+
+  template handleError*(msg: string, body: untyped): untyped =
+    try:
+      body
+    except ACMEError as exc:
+      raise exc
+    except CancelledError as exc:
+      raise exc
+    except JsonKindError as exc:
+      raise newException(ACMEError, msg & ": Failed to decode JSON", exc)
+    except ValueError as exc:
+      raise newException(ACMEError, msg & ": Failed to decode JSON", exc)
+    except HttpError as exc:
+      raise newException(ACMEError, msg & ": Failed to connect to ACME server", exc)
+    except CatchableError as exc:
+      raise newException(ACMEError, msg & ": Unexpected error", exc)
+
+  method post*(
+    self: ACMEApi, uri: Uri, payload: string
+  ): Future[HTTPResponse] {.
+    async: (raises: [ACMEError, HttpError, CancelledError]), base
+  .}
+
+  method get*(
+    self: ACMEApi, uri: Uri
+  ): Future[HTTPResponse] {.
+    async: (raises: [ACMEError, HttpError, CancelledError]), base
+  .}
+
+  proc new*(
+      T: typedesc[ACMEApi], acmeServerURL: Uri = parseUri(LetsEncryptURL)
+  ): ACMEApi =
+    let session = HttpSessionRef.new()
+
+    ACMEApi(
+      session: session, directory: Opt.none(ACMEDirectory), acmeServerURL: acmeServerURL
+    )
+
+  proc getDirectory(
+      self: ACMEApi
+  ): Future[ACMEDirectory] {.async: (raises: [ACMEError, CancelledError]).} =
+    handleError("getDirectory"):
+      self.directory.valueOr:
+        let acmeResponse = await self.get(self.acmeServerURL / "directory")
+        let directory = acmeResponse.body.to(ACMEDirectory)
+        self.directory = Opt.some(directory)
+        directory
+
+  method requestNonce*(
+      self: ACMEApi
+  ): Future[Nonce] {.async: (raises: [ACMEError, CancelledError]), base.} =
+    handleError("requestNonce"):
+      let acmeResponse = await self.get(parseUri((await self.getDirectory()).newNonce))
+      Nonce(acmeResponse.headers.keyOrError("Replay-Nonce"))
+
+  # TODO: save n and e in account so we don't have to recalculate every time
+  proc acmeHeader(
+      self: ACMEApi, uri: Uri, key: KeyPair, needsJwk: bool, kid: Opt[Kid]
+  ): Future[ACMERequestHeader] {.async: (raises: [ACMEError, CancelledError]).} =
+    if not needsJwk and kid.isNone():
+      raise newException(ACMEError, "kid not set")
+
+    if key.pubkey.scheme != PKScheme.RSA or key.seckey.scheme != PKScheme.RSA:
+      raise newException(ACMEError, "Unsupported signing key type")
+
+    let newNonce = await self.requestNonce()
+    if needsJwk:
+      let pubkey = key.pubkey.rsakey
+      let nArray = @(getArray(pubkey.buffer, pubkey.key.n, pubkey.key.nlen))
+      let eArray = @(getArray(pubkey.buffer, pubkey.key.e, pubkey.key.elen))
+      ACMERequestHeader(
+        kind: ACMEJwkRequest,
+        alg: Alg,
+        typ: "JWT",
+        nonce: newNonce,
+        url: $uri,
+        jwk: JWK(kty: "RSA", n: base64UrlEncode(nArray), e: base64UrlEncode(eArray)),
+      )
+    else:
+      ACMERequestHeader(
+        kind: ACMEKidRequest,
+        alg: Alg,
+        typ: "JWT",
+        nonce: newNonce,
+        url: $uri,
+        kid: kid.get(),
+      )
+
+  method post*(
+      self: ACMEApi, uri: Uri, payload: string
+  ): Future[HTTPResponse] {.
+      async: (raises: [ACMEError, HttpError, CancelledError]), base
+  .} =
+    let rawResponse = await HttpClientRequestRef
+    .post(self.session, $uri, body = payload, headers = ACMEHttpHeaders)
+    .get()
+    .send()
+    let body = await rawResponse.getResponseBody()
+    HTTPResponse(body: body, headers: rawResponse.headers)
+
+  method get*(
+      self: ACMEApi, uri: Uri
+  ): Future[HTTPResponse] {.
+      async: (raises: [ACMEError, HttpError, CancelledError]), base
+  .} =
+    let rawResponse = await HttpClientRequestRef.get(self.session, $uri).get().send()
+    let body = await rawResponse.getResponseBody()
+    HTTPResponse(body: body, headers: rawResponse.headers)
+
+  proc createSignedAcmeRequest(
+      self: ACMEApi,
+      uri: Uri,
+      payload: auto,
+      key: KeyPair,
+      needsJwk: bool = false,
+      kid: Opt[Kid] = Opt.none(Kid),
+  ): Future[string] {.async: (raises: [ACMEError, CancelledError]).} =
+    if key.pubkey.scheme != PKScheme.RSA or key.seckey.scheme != PKScheme.RSA:
+      raise newException(ACMEError, "Unsupported signing key type")
+
+    let acmeHeader = await self.acmeHeader(uri, key, needsJwk, kid)
+    handleError("createSignedAcmeRequest"):
+      var token = toJWT(%*{"header": acmeHeader, "claims": payload})
+      let derPrivKey = key.seckey.rsakey.getBytes.get
+      let pemPrivKey: string = pemEncode(derPrivKey, "PRIVATE KEY")
+      token.sign(pemPrivKey)
+      $token.toFlattenedJson()
+
+  proc requestRegister*(
+      self: ACMEApi, key: KeyPair
+  ): Future[ACMERegisterResponse] {.async: (raises: [ACMEError, CancelledError]).} =
+    let registerRequest = ACMERegisterRequest(termsOfServiceAgreed: true)
+    handleError("acmeRegister"):
+      let payload = await self.createSignedAcmeRequest(
+        parseUri((await self.getDirectory()).newAccount),
+        registerRequest,
+        key,
+        needsJwk = true,
+      )
+      let acmeResponse =
+        await self.post(parseUri((await self.getDirectory()).newAccount), payload)
+      let acmeResponseBody = acmeResponse.body.to(ACMERegisterResponseBody)
+
+      ACMERegisterResponse(
+        status: acmeResponseBody.status,
+        kid: acmeResponse.headers.keyOrError("location"),
+      )
+
+  proc requestNewOrder*(
+      self: ACMEApi, domains: seq[Domain], key: KeyPair, kid: Kid
+  ): Future[ACMEChallengeResponse] {.async: (raises: [ACMEError, CancelledError]).} =
+    # request challenge from ACME server
+    let orderRequest = ACMEChallengeRequest(
+      identifiers: domains.mapIt(ACMEChallengeIdentifier(`type`: "dns", value: it))
+    )
+    handleError("requestNewOrder"):
+      let payload = await self.createSignedAcmeRequest(
+        parseUri((await self.getDirectory()).newOrder),
+        orderRequest,
+        key,
+        kid = Opt.some(kid),
+      )
+      let acmeResponse =
+        await self.post(parseUri((await self.getDirectory()).newOrder), payload)
+      let challengeResponseBody = acmeResponse.body.to(ACMEChallengeResponseBody)
+      if challengeResponseBody.authorizations.len == 0:
+        raise newException(ACMEError, "Authorizations field is empty")
+      ACMEChallengeResponse(
+        status: challengeResponseBody.status,
+        authorizations: challengeResponseBody.authorizations,
+        finalize: challengeResponseBody.finalize,
+        order: acmeResponse.headers.keyOrError("location"),
+      )
+
+  proc requestAuthorizations*(
+      self: ACMEApi, authorizations: seq[Authorization], key: KeyPair, kid: Kid
+  ): Future[ACMEAuthorizationsResponse] {.async: (raises: [ACMEError, CancelledError]).} =
+    handleError("requestAuthorizations"):
+      doAssert authorizations.len > 0
+      let acmeResponse = await self.get(parseUri(authorizations[0]))
+      acmeResponse.body.to(ACMEAuthorizationsResponse)
+
+  proc requestChallenge*(
+      self: ACMEApi, domains: seq[Domain], key: KeyPair, kid: Kid
+  ): Future[ACMEChallengeResponseWrapper] {.
+      async: (raises: [ACMEError, CancelledError])
+  .} =
+    let orderResponse = await self.requestNewOrder(domains, key, kid)
+    if orderResponse.status != ACMEOrderStatus.PENDING and
+        orderResponse.status != ACMEOrderStatus.READY:
+      # ready is a valid status when renewing certs before expiry
+      raise
+        newException(ACMEError, "Invalid new order status: " & $orderResponse.status)
+
+    let authorizationsResponse =
+      await self.requestAuthorizations(orderResponse.authorizations, key, kid)
+    if authorizationsResponse.challenges.len == 0:
+      raise newException(ACMEError, "No challenges received")
+
+    return ACMEChallengeResponseWrapper(
+      finalize: orderResponse.finalize,
+      order: orderResponse.order,
+      dns01: authorizationsResponse.challenges.filterIt(
+        it.`type` == ACMEChallengeType.DNS01
+      )[0],
+        # getting the first element is safe since we checked that authorizationsResponse.challenges.len != 0
+    )
+
+  proc requestCheck*(
+      self: ACMEApi, checkURL: Uri, checkKind: ACMECheckKind, key: KeyPair, kid: Kid
+  ): Future[ACMECheckResponse] {.async: (raises: [ACMEError, CancelledError]).} =
+    handleError("requestCheck"):
+      let acmeResponse = await self.get(checkURL)
+      let retryAfter =
+        try:
+          parseInt(acmeResponse.headers.keyOrError("Retry-After")).seconds
+        except ValueError:
+          DefaultChalCompletedRetryTime
+
+      case checkKind
+      of ACMEOrderCheck:
+        try:
+          ACMECheckResponse(
+            kind: checkKind,
+            orderStatus: parseEnum[ACMEOrderStatus](acmeResponse.body["status"].getStr),
+            retryAfter: retryAfter,
+          )
+        except ValueError:
+          raise newException(
+            ACMEError, "Invalid order status: " & acmeResponse.body["status"].getStr
+          )
+      of ACMEChallengeCheck:
+        try:
+          ACMECheckResponse(
+            kind: checkKind,
+            chalStatus:
+              parseEnum[ACMEChallengeStatus](acmeResponse.body["status"].getStr),
+            retryAfter: retryAfter,
+          )
+        except ValueError:
+          raise newException(
+            ACMEError, "Invalid order status: " & acmeResponse.body["status"].getStr
+          )
+
+  proc sendChallengeCompleted*(
+      self: ACMEApi, chalURL: Uri, key: KeyPair, kid: Kid
+  ): Future[ACMECompletedResponse] {.async: (raises: [ACMEError, CancelledError]).} =
+    handleError("sendChallengeCompleted"):
+      let payload =
+        await self.createSignedAcmeRequest(chalURL, %*{}, key, kid = Opt.some(kid))
+      let acmeResponse = await self.post(chalURL, payload)
+      acmeResponse.body.to(ACMECompletedResponse)
+
+  proc checkChallengeCompleted*(
+      self: ACMEApi,
+      checkURL: Uri,
+      key: KeyPair,
+      kid: Kid,
+      retries: int = DefaultChalCompletedRetries,
+  ): Future[bool] {.async: (raises: [ACMEError, CancelledError]).} =
+    for i in 0 .. retries:
+      let checkResponse =
+        await self.requestCheck(checkURL, ACMEChallengeCheck, key, kid)
+      case checkResponse.chalStatus
+      of ACMEChallengeStatus.PENDING:
+        await sleepAsync(checkResponse.retryAfter) # try again after some delay
+      of ACMEChallengeStatus.VALID:
+        return true
+      else:
+        raise newException(
+          ACMEError,
+          "Failed challenge completion: expected 'valid', got '" &
+            $checkResponse.chalStatus & "'",
+        )
+    return false
+
+  proc completeChallenge*(
+      self: ACMEApi,
+      chalURL: Uri,
+      key: KeyPair,
+      kid: Kid,
+      retries: int = DefaultChalCompletedRetries,
+  ): Future[bool] {.async: (raises: [ACMEError, CancelledError]).} =
+    let completedResponse = await self.sendChallengeCompleted(chalURL, key, kid)
+    # check until acme server is done (poll validation)
+    return await self.checkChallengeCompleted(chalURL, key, kid, retries = retries)
+
+  proc requestFinalize*(
+      self: ACMEApi,
+      domain: Domain,
+      finalize: Uri,
+      certKeyPair: KeyPair,
+      key: KeyPair,
+      kid: Kid,
+  ): Future[ACMEFinalizeResponse] {.async: (raises: [ACMEError, CancelledError]).} =
+    handleError("requestFinalize"):
+      let payload = await self.createSignedAcmeRequest(
+        finalize, %*{"csr": createCSR(domain, certKeyPair)}, key, kid = Opt.some(kid)
+      )
+      let acmeResponse = await self.post(finalize, payload)
+      # server responds with updated order response
+      acmeResponse.body.to(ACMEFinalizeResponse)
+
+  proc checkCertFinalized*(
+      self: ACMEApi,
+      order: Uri,
+      key: KeyPair,
+      kid: Kid,
+      retries: int = DefaultChalCompletedRetries,
+  ): Future[bool] {.async: (raises: [ACMEError, CancelledError]).} =
+    for i in 0 .. retries:
+      let checkResponse = await self.requestCheck(order, ACMEOrderCheck, key, kid)
+      case checkResponse.orderStatus
+      of ACMEOrderStatus.VALID:
+        return true
+      of ACMEOrderStatus.PROCESSING:
+        await sleepAsync(checkResponse.retryAfter) # try again after some delay
+      else:
+        error "Failed certificate finalization",
+          description = "expected 'valid', got '" & $checkResponse.orderStatus & "'"
+        return false # do not try again
+
+    return false
+
+  proc certificateFinalized*(
+      self: ACMEApi,
+      domain: Domain,
+      finalize: Uri,
+      order: Uri,
+      certKeyPair: KeyPair,
+      key: KeyPair,
+      kid: Kid,
+      retries: int = DefaultFinalizeRetries,
+  ): Future[bool] {.async: (raises: [ACMEError, CancelledError]).} =
+    let finalizeResponse =
+      await self.requestFinalize(domain, finalize, certKeyPair, key, kid)
+    # keep checking order until cert is valid (done)
+    return await self.checkCertFinalized(order, key, kid, retries = retries)
+
+  proc requestGetOrder*(
+      self: ACMEApi, order: Uri
+  ): Future[ACMEOrderResponse] {.async: (raises: [ACMEError, CancelledError]).} =
+    handleError("requestGetOrder"):
+      let acmeResponse = await self.get(order)
+      acmeResponse.body.to(ACMEOrderResponse)
+
+  proc downloadCertificate*(
+      self: ACMEApi, order: Uri
+  ): Future[ACMECertificateResponse] {.async: (raises: [ACMEError, CancelledError]).} =
+    let orderResponse = await self.requestGetOrder(order)
+
+    handleError("downloadCertificate"):
+      let rawResponse = await HttpClientRequestRef
+      .get(self.session, orderResponse.certificate)
+      .get()
+      .send()
+      ACMECertificateResponse(
+        rawCertificate: bytesToString(await rawResponse.getBodyBytes()),
+        certificateExpiry: parse(orderResponse.expires, "yyyy-MM-dd'T'HH:mm:ss'Z'"),
+      )
+
+  proc close*(self: ACMEApi) {.async: (raises: [CancelledError]).} =
+    await self.session.closeWait()
+
+else:
+  {.hint: "autotls disabled. Use -d:libp2p_autotls_support".}

libp2p/autotls/acme/client.nim

@@ -0,0 +1,98 @@
+# Nim-Libp2p
+# Copyright (c) 2025 Status Research & Development GmbH
+# Licensed under either of
+#  * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE))
+#  * MIT license ([LICENSE-MIT](LICENSE-MIT))
+# at your option.
+# This file may not be copied, modified, or distributed except according to
+# those terms.
+
+{.push raises: [].}
+
+import chronicles
+import ../../crypto/crypto
+import ./api
+
+export api
+
+type KeyAuthorization* = string
+
+type ACMEClient* = ref object
+  api: ACMEApi
+  key*: KeyPair
+  kid*: Kid
+
+logScope:
+  topics = "libp2p acme client"
+
+when defined(libp2p_autotls_support):
+  import uri
+  import chronos, results, stew/byteutils
+  import ../../crypto/rsa
+  import ./utils
+
+  proc new*(
+      T: typedesc[ACMEClient],
+      rng: ref HmacDrbgContext = newRng(),
+      api: ACMEApi = ACMEApi.new(acmeServerURL = parseUri(LetsEncryptURL)),
+      key: Opt[KeyPair] = Opt.none(KeyPair),
+      kid: Kid = Kid(""),
+  ): T {.raises: [].} =
+    let key = key.valueOr:
+      KeyPair.random(PKScheme.RSA, rng[]).get()
+    T(api: api, key: key, kid: kid)
+
+  proc getOrInitKid*(
+      self: ACMEClient
+  ): Future[Kid] {.async: (raises: [ACMEError, CancelledError]).} =
+    if self.kid.len == 0:
+      let registerResponse = await self.api.requestRegister(self.key)
+      self.kid = registerResponse.kid
+    return self.kid
+
+  proc genKeyAuthorization*(self: ACMEClient, token: string): KeyAuthorization =
+    base64UrlEncode(@(sha256.digest((token & "." & thumbprint(self.key)).toBytes).data))
+
+  proc getChallenge*(
+      self: ACMEClient, domains: seq[api.Domain]
+  ): Future[ACMEChallengeResponseWrapper] {.
+      async: (raises: [ACMEError, CancelledError])
+  .} =
+    await self.api.requestChallenge(domains, self.key, await self.getOrInitKid())
+
+  proc getCertificate*(
+      self: ACMEClient,
+      domain: api.Domain,
+      certKeyPair: KeyPair,
+      challenge: ACMEChallengeResponseWrapper,
+  ): Future[ACMECertificateResponse] {.async: (raises: [ACMEError, CancelledError]).} =
+    let chalURL = parseUri(challenge.dns01.url)
+    let orderURL = parseUri(challenge.order)
+    let finalizeURL = parseUri(challenge.finalize)
+    trace "Sending challenge completed notification"
+    discard await self.api.sendChallengeCompleted(
+      chalURL, self.key, await self.getOrInitKid()
+    )
+
+    trace "Checking for completed challenge"
+    let completed = await self.api.checkChallengeCompleted(
+      chalURL, self.key, await self.getOrInitKid()
+    )
+    if not completed:
+      raise newException(
+        ACMEError, "Failed to signal ACME server about challenge completion"
+      )
+
+    trace "Waiting for certificate to be finalized"
+    let finalized = await self.api.certificateFinalized(
+      domain, finalizeURL, orderURL, certKeyPair, self.key, await self.getOrInitKid()
+    )
+    if not finalized:
+      raise
+        newException(ACMEError, "Failed to finalize certificate for domain " & domain)
+
+    trace "Downloading certificate"
+    await self.api.downloadCertificate(orderURL)
+
+  proc close*(self: ACMEClient) {.async: (raises: [CancelledError]).} =
+    await self.api.close()

libp2p/autotls/acme/mockapi.nim

@@ -0,0 +1,40 @@
+import uri
+import chronos, chronos/apps/http/httpclient, json
+import ./api, ./utils
+
+export api
+
+type MockACMEApi* = ref object of ACMEApi
+  mockedResponses*: seq[HTTPResponse]
+
+proc new*(
+    T: typedesc[MockACMEApi]
+): Future[T] {.async: (raises: [ACMEError, CancelledError]).} =
+  let directory = ACMEDirectory(
+    newNonce: LetsEncryptURL & "/new-nonce",
+    newOrder: LetsEncryptURL & "/new-order",
+    newAccount: LetsEncryptURL & "/new-account",
+  )
+  MockACMEApi(
+    session: HttpSessionRef.new(),
+    directory: Opt.some(directory),
+    acmeServerURL: parseUri(LetsEncryptURL),
+  )
+
+when defined(libp2p_autotls_support):
+  method requestNonce*(
+      self: MockACMEApi
+  ): Future[Nonce] {.async: (raises: [ACMEError, CancelledError]).} =
+    return $self.acmeServerURL & "/acme/1234"
+
+  method post*(
+      self: MockACMEApi, uri: Uri, payload: string
+  ): Future[HTTPResponse] {.async: (raises: [ACMEError, HttpError, CancelledError]).} =
+    result = self.mockedResponses[0]
+    self.mockedResponses.delete(0)
+
+  method get*(
+      self: MockACMEApi, uri: Uri
+  ): Future[HTTPResponse] {.async: (raises: [ACMEError, HttpError, CancelledError]).} =
+    result = self.mockedResponses[0]
+    self.mockedResponses.delete(0)

libp2p/autotls/acme/utils.nim

@@ -0,0 +1,73 @@
+import ../../errors
+
+type ACMEError* = object of LPError
+
+when defined(libp2p_autotls_support):
+  import base64, strutils, chronos/apps/http/httpclient, json
+  import ../../transports/tls/certificate_ffi
+  import ../../transports/tls/certificate
+  import ../../crypto/crypto
+  import ../../crypto/rsa
+
+  proc keyOrError*(table: HttpTable, key: string): string {.raises: [ValueError].} =
+    if not table.contains(key):
+      raise newException(ValueError, "key " & key & " not present in headers")
+    table.getString(key)
+
+  proc base64UrlEncode*(data: seq[byte]): string =
+    ## Encodes data using base64url (RFC 4648 §5) — no padding, URL-safe
+    var encoded = base64.encode(data, safe = true)
+    encoded.removeSuffix("=")
+    encoded.removeSuffix("=")
+    return encoded
+
+  proc thumbprint*(key: KeyPair): string =
+    doAssert key.seckey.scheme == PKScheme.RSA, "unsupported keytype"
+    let pubkey = key.pubkey.rsakey
+    let nArray = @(getArray(pubkey.buffer, pubkey.key.n, pubkey.key.nlen))
+    let eArray = @(getArray(pubkey.buffer, pubkey.key.e, pubkey.key.elen))
+
+    let n = base64UrlEncode(nArray)
+    let e = base64UrlEncode(eArray)
+    let keyJson = %*{"e": e, "kty": "RSA", "n": n}
+    let digest = sha256.digest($keyJson)
+    return base64UrlEncode(@(digest.data))
+
+  proc getResponseBody*(
+      response: HttpClientResponseRef
+  ): Future[JsonNode] {.async: (raises: [ACMEError, CancelledError]).} =
+    try:
+      let bodyBytes = await response.getBodyBytes()
+      if bodyBytes.len > 0:
+        return bytesToString(bodyBytes).parseJson()
+      return %*{} # empty body
+    except CancelledError as exc:
+      raise exc
+    except CatchableError as exc:
+      raise newException(
+        ACMEError, "Unexpected error occurred while getting body bytes", exc
+      )
+    except Exception as exc: # this is required for nim 1.6
+      raise newException(
+        ACMEError, "Unexpected error occurred while getting body bytes", exc
+      )
+
+  proc createCSR*(
+      domain: string, certKeyPair: KeyPair
+  ): string {.raises: [ACMEError].} =
+    var certKey: cert_key_t
+    var certCtx: cert_context_t
+    var derCSR: ptr cert_buffer = nil
+
+    # convert KeyPair to cert_key_t
+    let rawSeckey: seq[byte] = certKeyPair.seckey.getRawBytes.valueOr:
+      raise newException(ACMEError, "Failed to get seckey raw bytes (DER)")
+    let seckeyBuffer = rawSeckey.toCertBuffer()
+    if cert_new_key_t(seckeyBuffer.unsafeAddr, certKey.addr) != CERT_SUCCESS:
+      raise newException(ACMEError, "Failed to convert key pair to cert_key_t")
+
+    # create CSR
+    if cert_signing_req(domain.cstring, certKey, derCSR.addr) != CERT_SUCCESS:
+      raise newException(ACMEError, "Failed to create CSR")
+
+    base64.encode(derCSR.toSeq, safe = true)

libp2p/autotls/mockservice.nim

@@ -0,0 +1,33 @@
+when defined(libp2p_autotls_support):
+  import ./service, ./acme/client, ../peeridauth/client
+
+  import ../crypto/crypto, ../crypto/rsa, websock/websock
+
+  type MockAutotlsService* = ref object of AutotlsService
+    mockedCert*: TLSCertificate
+    mockedKey*: TLSPrivateKey
+
+  proc new*(
+      T: typedesc[MockAutotlsService],
+      rng: ref HmacDrbgContext = newRng(),
+      config: AutotlsConfig = AutotlsConfig.new(),
+  ): T =
+    T(
+      acmeClient:
+        ACMEClient.new(api = ACMEApi.new(acmeServerURL = config.acmeServerURL)),
+      brokerClient: PeerIDAuthClient.new(),
+      bearer: Opt.none(BearerToken),
+      cert: Opt.none(AutotlsCert),
+      certReady: newAsyncEvent(),
+      running: newAsyncEvent(),
+      config: config,
+      rng: rng,
+    )
+
+  method getCertWhenReady*(
+      self: MockAutotlsService
+  ): Future[AutotlsCert] {.async: (raises: [AutoTLSError, CancelledError]).} =
+    AutotlsCert.new(self.mockedCert, self.mockedKey, Moment.now)
+
+  method setup*(self: MockAutotlsService) {.base, async.} =
+    self.running.fire()

libp2p/autotls/service.nim

@@ -0,0 +1,291 @@
+# Nim-Libp2p
+# Copyright (c) 2025 Status Research & Development GmbH
+# Licensed under either of
+#  * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE))
+#  * MIT license ([LICENSE-MIT](LICENSE-MIT))
+# at your option.
+# This file may not be copied, modified, or distributed except according to
+# those terms.
+
+{.push raises: [].}
+{.push public.}
+
+import chronos, chronicles, net, results
+import chronos/apps/http/httpclient, bearssl/rand
+
+import
+  ./acme/client,
+  ./utils,
+  ../crypto/crypto,
+  ../nameresolving/nameresolver,
+  ../peeridauth/client,
+  ../switch,
+  ../peerinfo,
+  ../wire
+
+logScope:
+  topics = "libp2p autotls"
+
+export LetsEncryptURL, AutoTLSError
+
+const
+  DefaultDnsServers* =
+    @[
+      initTAddress("1.1.1.1:53"),
+      initTAddress("1.0.0.1:53"),
+      initTAddress("[2606:4700:4700::1111]:53"),
+    ]
+  DefaultRenewCheckTime* = 1.hours
+  DefaultRenewBufferTime = 1.hours
+
+  DefaultIssueRetries = 3
+  DefaultIssueRetryTime = 1.seconds
+
+  AutoTLSBroker* = "registration.libp2p.direct"
+  AutoTLSDNSServer* = "libp2p.direct"
+  HttpOk* = 200
+  HttpCreated* = 201
+  # NoneIp is needed because nim 1.6.16 can't do proper generic inference
+  NoneIp = Opt.none(IpAddress)
+
+type SigParam = object
+  k: string
+  v: seq[byte]
+
+type AutotlsCert* = ref object
+  cert*: TLSCertificate
+  privkey*: TLSPrivateKey
+  expiry*: Moment
+
+type AutotlsConfig* = ref object
+  acmeServerURL*: Uri
+  nameResolver*: NameResolver
+  ipAddress: Opt[IpAddress]
+  renewCheckTime*: Duration
+  renewBufferTime*: Duration
+  issueRetries*: int
+  issueRetryTime*: Duration
+
+type AutotlsService* = ref object of Service
+  acmeClient*: ACMEClient
+  brokerClient*: PeerIDAuthClient
+  bearer*: Opt[BearerToken]
+  cert*: Opt[AutotlsCert]
+  certReady*: AsyncEvent
+  running*: AsyncEvent
+  config*: AutotlsConfig
+  managerFut: Future[void]
+  peerInfo: PeerInfo
+  rng*: ref HmacDrbgContext
+
+when defined(libp2p_autotls_support):
+  import json, sequtils, bearssl/pem
+
+  import
+    ../crypto/rsa,
+    ../utils/heartbeat,
+    ../transports/transport,
+    ../transports/tcptransport,
+    ../nameresolving/dnsresolver
+
+  proc new*(
+      T: typedesc[AutotlsCert],
+      cert: TLSCertificate,
+      privkey: TLSPrivateKey,
+      expiry: Moment,
+  ): T =
+    T(cert: cert, privkey: privkey, expiry: expiry)
+
+  method getCertWhenReady*(
+      self: AutotlsService
+  ): Future[AutotlsCert] {.base, async: (raises: [AutoTLSError, CancelledError]).} =
+    await self.certReady.wait()
+    return self.cert.get
+
+  proc new*(
+      T: typedesc[AutotlsConfig],
+      ipAddress: Opt[IpAddress] = NoneIp,
+      nameServers: seq[TransportAddress] = DefaultDnsServers,
+      acmeServerURL: Uri = parseUri(LetsEncryptURL),
+      renewCheckTime: Duration = DefaultRenewCheckTime,
+      renewBufferTime: Duration = DefaultRenewBufferTime,
+      issueRetries: int = DefaultIssueRetries,
+      issueRetryTime: Duration = DefaultIssueRetryTime,
+  ): T =
+    T(
+      nameResolver: DnsResolver.new(nameServers),
+      acmeServerURL: acmeServerURL,
+      ipAddress: ipAddress,
+      renewCheckTime: renewCheckTime,
+      renewBufferTime: renewBufferTime,
+      issueRetries: issueRetries,
+      issueRetryTime: issueRetryTime,
+    )
+
+  proc new*(
+      T: typedesc[AutotlsService],
+      rng: ref HmacDrbgContext = newRng(),
+      config: AutotlsConfig = AutotlsConfig.new(),
+  ): T =
+    T(
+      acmeClient:
+        ACMEClient.new(api = ACMEApi.new(acmeServerURL = config.acmeServerURL)),
+      brokerClient: PeerIDAuthClient.new(),
+      bearer: Opt.none(BearerToken),
+      cert: Opt.none(AutotlsCert),
+      certReady: newAsyncEvent(),
+      running: newAsyncEvent(),
+      config: config,
+      managerFut: nil,
+      peerInfo: nil,
+      rng: rng,
+    )
+
+  method setup*(
+      self: AutotlsService, switch: Switch
+  ): Future[bool] {.async: (raises: [CancelledError]).} =
+    trace "Setting up AutotlsService"
+    let hasBeenSetup = await procCall Service(self).setup(switch)
+    if hasBeenSetup:
+      if self.config.ipAddress.isNone():
+        try:
+          self.config.ipAddress = Opt.some(getPublicIPAddress())
+        except AutoTLSError as exc:
+          error "Failed to get public IP address", err = exc.msg
+          return false
+      self.managerFut = self.run(switch)
+    return hasBeenSetup
+
+  method issueCertificate(
+      self: AutotlsService
+  ): Future[bool] {.
+      base, async: (raises: [AutoTLSError, ACMEError, PeerIDAuthError, CancelledError])
+  .} =
+    trace "Issuing certificate"
+
+    if self.peerInfo.isNil():
+      error "Cannot issue new certificate: peerInfo not set"
+      return false
+
+    # generate autotls domain string: "*.{peerID}.libp2p.direct"
+    let baseDomain =
+      api.Domain(encodePeerId(self.peerInfo.peerId) & "." & AutoTLSDNSServer)
+    let domain = api.Domain("*." & baseDomain)
+
+    let acmeClient = self.acmeClient
+
+    trace "Requesting ACME challenge"
+    let dns01Challenge = await acmeClient.getChallenge(@[domain])
+    trace "Generating key authorization"
+    let keyAuth = acmeClient.genKeyAuthorization(dns01Challenge.dns01.token)
+
+    let addrs = await self.peerInfo.expandAddrs()
+    if addrs.len == 0:
+      error "Unable to authenticate with broker: no addresses"
+      return false
+
+    let strMultiaddresses: seq[string] = addrs.mapIt($it)
+    let payload = %*{"value": keyAuth, "addresses": strMultiaddresses}
+    let registrationURL = parseUri("https://" & AutoTLSBroker & "/v1/_acme-challenge")
+
+    trace "Sending challenge to AutoTLS broker"
+    let (bearer, response) =
+      await self.brokerClient.send(registrationURL, self.peerInfo, payload, self.bearer)
+    if self.bearer.isNone():
+      # save bearer token for future
+      self.bearer = Opt.some(bearer)
+    if response.status != HttpOk:
+      error "Failed to authenticate with AutoTLS Broker at " & AutoTLSBroker
+      debug "Broker message",
+        body = bytesToString(response.body), peerinfo = self.peerInfo
+      return false
+
+    let dashedIpAddr = ($self.config.ipAddress.get()).replace(".", "-")
+    let acmeChalDomain = api.Domain("_acme-challenge." & baseDomain)
+    let ip4Domain = api.Domain(dashedIpAddr & "." & baseDomain)
+    debug "Waiting for DNS record to be set", ip = ip4Domain, acme = acmeChalDomain
+    let dnsSet = await checkDNSRecords(
+      self.config.nameResolver, self.config.ipAddress.get(), baseDomain, keyAuth
+    )
+    if not dnsSet:
+      error "DNS records not set"
+      return false
+
+    trace "Notifying challenge completion to ACME and downloading cert"
+    let certKeyPair = KeyPair.random(PKScheme.RSA, self.rng[]).get()
+
+    let certificate =
+      await acmeClient.getCertificate(domain, certKeyPair, dns01Challenge)
+
+    let derPrivKey = certKeyPair.seckey.rsakey.getBytes.valueOr:
+      raise newException(AutoTLSError, "Unable to get TLS private key")
+    let pemPrivKey: string = derPrivKey.pemEncode("PRIVATE KEY")
+    debug "autotls cert", pemPrivKey = pemPrivKey, cert = certificate.rawCertificate
+
+    trace "Installing certificate"
+    let newCert =
+      try:
+        AutotlsCert.new(
+          TLSCertificate.init(certificate.rawCertificate),
+          TLSPrivateKey.init(pemPrivKey),
+          asMoment(certificate.certificateExpiry),
+        )
+      except TLSStreamProtocolError:
+        error "Could not parse downloaded certificates"
+        return false
+    self.cert = Opt.some(newCert)
+    self.certReady.fire()
+    trace "Certificate installed"
+    true
+
+  proc hasTcpStarted(switch: Switch): bool =
+    switch.transports.filterIt(it of TcpTransport and it.running).len == 0
+
+  proc tryIssueCertificate(self: AutotlsService) {.async: (raises: [CancelledError]).} =
+    for _ in 0 ..< self.config.issueRetries:
+      try:
+        if await self.issueCertificate():
+          return
+      except CancelledError as exc:
+        raise exc
+      except CatchableError as exc:
+        error "Failed to issue certificate", err = exc.msg
+      await sleepAsync(self.config.issueRetryTime)
+    error "Failed to issue certificate"
+
+  method run*(
+      self: AutotlsService, switch: Switch
+  ) {.async: (raises: [CancelledError]).} =
+    trace "Starting Autotls management"
+    self.running.fire()
+    self.peerInfo = switch.peerInfo
+
+    # ensure that there's at least one TcpTransport running
+    # for communicating with autotls broker
+    if switch.hasTcpStarted():
+      error "Could not find a running TcpTransport in switch"
+      return
+
+    heartbeat "Certificate Management", self.config.renewCheckTime:
+      if self.cert.isNone():
+        await self.tryIssueCertificate()
+
+      # AutotlsService will renew the cert 1h before it expires
+      let cert = self.cert.get
+      let waitTime = cert.expiry - Moment.now - self.config.renewBufferTime
+      if waitTime <= self.config.renewBufferTime:
+        await self.tryIssueCertificate()
+
+  method stop*(
+      self: AutotlsService, switch: Switch
+  ): Future[bool] {.async: (raises: [CancelledError]).} =
+    let hasBeenStopped = await procCall Service(self).stop(switch)
+    if hasBeenStopped:
+      if not self.acmeClient.isNil():
+        await self.acmeClient.close()
+      if not self.brokerClient.isNil():
+        await self.brokerClient.close()
+      if not self.managerFut.isNil():
+        await self.managerFut.cancelAndWait()
+        self.managerFut = nil
+    return hasBeenStopped

libp2p/autotls/utils.nim

@@ -0,0 +1,112 @@
+# Nim-Libp2p
+# Copyright (c) 2025 Status Research & Development GmbH
+# Licensed under either of
+#  * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE))
+#  * MIT license ([LICENSE-MIT](LICENSE-MIT))
+# at your option.
+# This file may not be copied, modified, or distributed except according to
+# those terms.
+{.push raises: [].}
+{.push public.}
+
+import chronos, chronicles
+import ../errors
+
+logScope:
+  topics = "libp2p utils"
+
+const
+  DefaultDnsRetries = 3
+  DefaultDnsRetryTime = 1.seconds
+
+type AutoTLSError* = object of LPError
+
+when defined(libp2p_autotls_support):
+  import net, strutils
+  from times import DateTime, toTime, toUnix
+  import stew/base36
+  import
+    ../peerid,
+    ../multihash,
+    ../cid,
+    ../multicodec,
+    ../nameresolving/nameresolver,
+    ./acme/client
+
+  proc checkedGetPrimaryIPAddr*(): IpAddress {.raises: [AutoTLSError].} =
+    # This is so that we don't need to catch Exceptions directly
+    # since we support 1.6.16 and getPrimaryIPAddr before nim 2 didn't have explicit .raises. pragmas
+    try:
+      return getPrimaryIPAddr()
+    except Exception as exc:
+      raise newException(AutoTLSError, "Error while getting primary IP address", exc)
+
+  proc isIPv4*(ip: IpAddress): bool =
+    ip.family == IpAddressFamily.IPv4
+
+  proc isPublic*(ip: IpAddress): bool {.raises: [AutoTLSError].} =
+    let ip = $ip
+    try:
+      not (
+        ip.startsWith("10.") or
+        (ip.startsWith("172.") and parseInt(ip.split(".")[1]) in 16 .. 31) or
+        ip.startsWith("192.168.") or ip.startsWith("127.") or ip.startsWith("169.254.")
+      )
+    except ValueError as exc:
+      raise newException(AutoTLSError, "Failed to parse IP address", exc)
+
+  proc getPublicIPAddress*(): IpAddress {.raises: [AutoTLSError].} =
+    let ip = checkedGetPrimaryIPAddr()
+    if not ip.isIPv4():
+      raise newException(AutoTLSError, "Host does not have an IPv4 address")
+    if not ip.isPublic():
+      raise newException(AutoTLSError, "Host does not have a public IPv4 address")
+    return ip
+
+  proc asMoment*(dt: DateTime): Moment =
+    let unixTime: int64 = dt.toTime.toUnix
+    return Moment.init(unixTime, Second)
+
+  proc encodePeerId*(peerId: PeerId): string {.raises: [AutoTLSError].} =
+    var mh: MultiHash
+    let decodeResult = MultiHash.decode(peerId.data, mh)
+    if decodeResult.isErr() or decodeResult.get() == -1:
+      raise
+        newException(AutoTLSError, "Failed to decode PeerId: invalid multihash format")
+
+    let cidResult = Cid.init(CIDv1, multiCodec("libp2p-key"), mh)
+    if cidResult.isErr():
+      raise newException(AutoTLSError, "Failed to initialize CID from multihash")
+
+    return Base36.encode(cidResult.get().data.buffer)
+
+  proc checkDNSRecords*(
+      nameResolver: NameResolver,
+      ipAddress: IpAddress,
+      baseDomain: api.Domain,
+      keyAuth: KeyAuthorization,
+      retries: int = DefaultDnsRetries,
+  ): Future[bool] {.async: (raises: [AutoTLSError, CancelledError]).} =
+    # if my ip address is 100.10.10.3 then the ip4Domain will be:
+    #     100-10-10-3.{peerIdBase36}.libp2p.direct
+    # and acme challenge TXT domain will be:
+    #     _acme-challenge.{peerIdBase36}.libp2p.direct
+    let dashedIpAddr = ($ipAddress).replace(".", "-")
+    let acmeChalDomain = api.Domain("_acme-challenge." & baseDomain)
+    let ip4Domain = api.Domain(dashedIpAddr & "." & baseDomain)
+
+    var txt: seq[string]
+    var ip4: seq[TransportAddress]
+    for _ in 0 .. retries:
+      txt = await nameResolver.resolveTxt(acmeChalDomain)
+      try:
+        ip4 = await nameResolver.resolveIp(ip4Domain, 0.Port)
+      except CancelledError as exc:
+        raise exc
+      except CatchableError as exc:
+        error "Failed to resolve IP", description = exc.msg # retry
+    if txt.len > 0 and txt[0] == keyAuth and ip4.len > 0:
+      return true
+    await sleepAsync(DefaultDnsRetryTime)
+
+    return false

libp2p/builders.nim

@@ -23,26 +23,37 @@ import
   stream/connection,
   multiaddress,
   crypto/crypto,
-  transports/[transport, tcptransport, quictransport, memorytransport],
+  transports/[transport, tcptransport, wstransport, memorytransport],
   muxers/[muxer, mplex/mplex, yamux/yamux],
   protocols/[identify, secure/secure, secure/noise, rendezvous],
   protocols/connectivity/[autonat/server, relay/relay, relay/client, relay/rtransport],
   connmanager,
   upgrademngrs/muxedupgrade,
   observedaddrmanager,
+  autotls/service,
   nameresolving/nameresolver,
   errors,
   utility
 import services/wildcardresolverservice
 
-export switch, peerid, peerinfo, connection, multiaddress, crypto, errors
+export
+  switch, peerid, peerinfo, connection, multiaddress, crypto, errors, TLSPrivateKey,
+  TLSCertificate, TLSFlags, ServerFlags
 
 const MemoryAutoAddress* = memorytransport.MemoryAutoAddress
 
 type
-  TransportProvider* {.public.} =
+  TransportProvider* {.deprecated: "Use TransportBuilder instead".} =
     proc(upgr: Upgrade, privateKey: PrivateKey): Transport {.gcsafe, raises: [].}
 
+  TransportBuilder* {.public.} =
+    proc(config: TransportConfig): Transport {.gcsafe, raises: [].}
+
+  TransportConfig* = ref object
+    upgr*: Upgrade
+    privateKey*: PrivateKey
+    autotls*: AutotlsService
+
   SecureProtocol* {.pure.} = enum
     Noise
 
@@ -51,7 +62,7 @@ type
     addresses: seq[MultiAddress]
     secureManagers: seq[SecureProtocol]
     muxers: seq[MuxerProvider]
-    transports: seq[TransportProvider]
+    transports: seq[TransportBuilder]
     rng: ref HmacDrbgContext
     maxConnections: int
     maxIn: int
@@ -63,6 +74,7 @@ type
     nameResolver: NameResolver
     peerStoreCapacity: Opt[int]
     autonat: bool
+    autotls: AutotlsService
     circuitRelay: Relay
     rdv: RendezVous
     services: seq[Service]
@@ -147,8 +159,23 @@ proc withNoise*(b: SwitchBuilder): SwitchBuilder {.public.} =
   b
 
 proc withTransport*(
-    b: SwitchBuilder, prov: TransportProvider
+    b: SwitchBuilder, prov: TransportBuilder
 ): SwitchBuilder {.public.} =
+  ## Use a custom transport
+  runnableExamples:
+    let switch = SwitchBuilder
+      .new()
+      .withTransport(
+        proc(config: TransportConfig): Transport =
+          TcpTransport.new(flags, config.upgr)
+      )
+      .build()
+  b.transports.add(prov)
+  b
+
+proc withTransport*(
+    b: SwitchBuilder, prov: TransportProvider
+): SwitchBuilder {.deprecated: "Use TransportBuilder instead".} =
   ## Use a custom transport
   runnableExamples:
     let switch = SwitchBuilder
@@ -158,27 +185,45 @@ proc withTransport*(
           TcpTransport.new(flags, upgr)
       )
       .build()
-  b.transports.add(prov)
-  b
+  let tBuilder: TransportBuilder = proc(config: TransportConfig): Transport =
+    prov(config.upgr, config.privateKey)
+  b.withTransport(tBuilder)
 
 proc withTcpTransport*(
     b: SwitchBuilder, flags: set[ServerFlags] = {}
 ): SwitchBuilder {.public.} =
   b.withTransport(
-    proc(upgr: Upgrade, privateKey: PrivateKey): Transport =
-      TcpTransport.new(flags, upgr)
+    proc(config: TransportConfig): Transport =
+      TcpTransport.new(flags, config.upgr)
   )
 
-proc withQuicTransport*(b: SwitchBuilder): SwitchBuilder {.public.} =
+proc withWsTransport*(
+    b: SwitchBuilder,
+    tlsPrivateKey: TLSPrivateKey = nil,
+    tlsCertificate: TLSCertificate = nil,
+    tlsFlags: set[TLSFlags] = {},
+    flags: set[ServerFlags] = {},
+): SwitchBuilder =
   b.withTransport(
-    proc(upgr: Upgrade, privateKey: PrivateKey): Transport =
-      QuicTransport.new(upgr, privateKey)
+    proc(config: TransportConfig): Transport =
+      WsTransport.new(
+        config.upgr, tlsPrivateKey, tlsCertificate, config.autotls, tlsFlags, flags
+      )
   )
 
+when defined(libp2p_quic_support):
+  import transports/quictransport
+
+  proc withQuicTransport*(b: SwitchBuilder): SwitchBuilder {.public.} =
+    b.withTransport(
+      proc(config: TransportConfig): Transport =
+        QuicTransport.new(config.upgr, config.privateKey)
+    )
+
 proc withMemoryTransport*(b: SwitchBuilder): SwitchBuilder {.public.} =
   b.withTransport(
-    proc(upgr: Upgrade, privateKey: PrivateKey): Transport =
-      MemoryTransport.new(upgr)
+    proc(config: TransportConfig): Transport =
+      MemoryTransport.new(config.upgr)
   )
 
 proc withRng*(b: SwitchBuilder, rng: ref HmacDrbgContext): SwitchBuilder {.public.} =
@@ -235,6 +280,13 @@ proc withAutonat*(b: SwitchBuilder): SwitchBuilder =
   b.autonat = true
   b
 
+when defined(libp2p_autotls_support):
+  proc withAutotls*(
+      b: SwitchBuilder, config: AutotlsConfig = AutotlsConfig.new()
+  ): SwitchBuilder {.public.} =
+    b.autotls = AutotlsService.new(config = config)
+    b
+
 proc withCircuitRelay*(b: SwitchBuilder, r: Relay = Relay.new()): SwitchBuilder =
   b.circuitRelay = r
   b
@@ -286,10 +338,17 @@ proc build*(b: SwitchBuilder): Switch {.raises: [LPError], public.} =
     ms = MultistreamSelect.new()
     muxedUpgrade = MuxedUpgrade.new(b.muxers, secureManagerInstances, ms)
 
+  if not b.autotls.isNil():
+    b.services.insert(b.autotls, 0)
+
   let transports = block:
     var transports: seq[Transport]
     for tProvider in b.transports:
-      transports.add(tProvider(muxedUpgrade, seckey))
+      transports.add(
+        tProvider(
+          TransportConfig(upgr: muxedUpgrade, privateKey: seckey, autotls: b.autotls)
+        )
+      )
     transports
 
   if b.secureManagers.len == 0:

libp2p/cid.nim

@@ -10,10 +10,12 @@
 ## This module implementes CID (Content IDentifier).
 
 {.push raises: [].}
+{.used.}
 
 import tables, hashes
 import multibase, multicodec, multihash, vbuffer, varint, results
 import stew/base58
+import ./utils/sequninit
 
 export results
 
@@ -122,7 +124,7 @@ proc decode(data: openArray[char]): Result[Cid, CidError] =
     return err(CidError.Incorrect)
   if len(data) == 46:
     if data[0] == 'Q' and data[1] == 'm':
-      buffer = newSeq[byte](BTCBase58.decodedLength(len(data)))
+      buffer = newSeqUninit[byte](BTCBase58.decodedLength(len(data)))
       if BTCBase58.decode(data, buffer, plen) != Base58Status.Success:
         return err(CidError.Incorrect)
       buffer.setLen(plen)
@@ -130,7 +132,7 @@ proc decode(data: openArray[char]): Result[Cid, CidError] =
     let length = MultiBase.decodedLength(data[0], len(data))
     if length == -1:
       return err(CidError.Incorrect)
-    buffer = newSeq[byte](length)
+    buffer = newSeqUninit[byte](length)
     if MultiBase.decode(data, buffer, plen) != MultiBaseStatus.Success:
       return err(CidError.Incorrect)
     buffer.setLen(plen)

libp2p/connmanager.nim

@@ -140,7 +140,7 @@ proc triggerConnEvent*(
   except CancelledError as exc:
     raise exc
   except CatchableError as exc:
-    warn "Exception in triggerConnEvents",
+    warn "Exception in triggerConnEvent",
       description = exc.msg, peer = peerId, event = $event
 
 proc addPeerEventHandler*(
@@ -186,7 +186,7 @@ proc expectConnection*(
   if key in c.expectedConnectionsOverLimit:
     raise newException(
       AlreadyExpectingConnectionError,
-      "Already expecting an incoming connection from that peer",
+      "Already expecting an incoming connection from that peer: " & shortLog(p),
     )
 
   let future = Future[Muxer].Raising([CancelledError]).init()

libp2p/crypto/crypto.nim

@@ -11,6 +11,7 @@
 {.push raises: [].}
 
 from strutils import split, strip, cmpIgnoreCase
+import ../utils/sequninit
 
 const libp2p_pki_schemes* {.strdefine.} = "rsa,ed25519,secp256k1,ecnist"
 
@@ -176,7 +177,7 @@ proc shuffle*[T](rng: ref HmacDrbgContext, x: var openArray[T]) =
   if x.len == 0:
     return
 
-  var randValues = newSeqUninitialized[byte](len(x) * 2)
+  var randValues = newSeqUninit[byte](len(x) * 2)
   hmacDrbgGenerate(rng[], randValues)
 
   for i in countdown(x.high, 1):
@@ -873,7 +874,7 @@ proc stretchKeys*(
   var seed = "key expansion"
   result.macsize = 20
   let length = result.ivsize + result.keysize + result.macsize
-  result.data = newSeq[byte](2 * length)
+  result.data = newSeqUninit[byte](2 * length)
 
   if hashType == "SHA256":
     makeSecret(result.data, HMAC[sha256], sharedSecret, seed)
@@ -904,7 +905,7 @@ template macOpenArray*(secret: Secret, id: int): untyped =
 
 proc iv*(secret: Secret, id: int): seq[byte] {.inline.} =
   ## Get array of bytes with with initial vector.
-  result = newSeq[byte](secret.ivsize)
+  result = newSeqUninit[byte](secret.ivsize)
   var offset =
     if id == 0:
       0
@@ -913,7 +914,7 @@ proc iv*(secret: Secret, id: int): seq[byte] {.inline.} =
   copyMem(addr result[0], unsafeAddr secret.data[offset], secret.ivsize)
 
 proc key*(secret: Secret, id: int): seq[byte] {.inline.} =
-  result = newSeq[byte](secret.keysize)
+  result = newSeqUninit[byte](secret.keysize)
   var offset =
     if id == 0:
       0
@@ -923,7 +924,7 @@ proc key*(secret: Secret, id: int): seq[byte] {.inline.} =
   copyMem(addr result[0], unsafeAddr secret.data[offset], secret.keysize)
 
 proc mac*(secret: Secret, id: int): seq[byte] {.inline.} =
-  result = newSeq[byte](secret.macsize)
+  result = newSeqUninit[byte](secret.macsize)
   var offset =
     if id == 0:
       0

libp2p/crypto/ecnist.nim

@@ -23,6 +23,7 @@ import minasn1
 export minasn1.Asn1Error
 import stew/ctops
 import results
+import ../utils/sequninit
 
 import ../utility
 
@@ -458,7 +459,7 @@ proc getBytes*(seckey: EcPrivateKey): EcResult[seq[byte]] =
   if isNil(seckey):
     return err(EcKeyIncorrectError)
   if seckey.key.curve in EcSupportedCurvesCint:
-    var res = newSeq[byte]()
+    var res = newSeqUninit[byte](0)
     let length = ?seckey.toBytes(res)
     res.setLen(length)
     discard ?seckey.toBytes(res)
@@ -471,7 +472,7 @@ proc getBytes*(pubkey: EcPublicKey): EcResult[seq[byte]] =
   if isNil(pubkey):
     return err(EcKeyIncorrectError)
   if pubkey.key.curve in EcSupportedCurvesCint:
-    var res = newSeq[byte]()
+    var res = newSeqUninit[byte](0)
     let length = ?pubkey.toBytes(res)
     res.setLen(length)
     discard ?pubkey.toBytes(res)
@@ -483,7 +484,7 @@ proc getBytes*(sig: EcSignature): EcResult[seq[byte]] =
   ## Serialize EC signature ``sig`` to ASN.1 DER binary form and return it.
   if isNil(sig):
     return err(EcSignatureError)
-  var res = newSeq[byte]()
+  var res = newSeqUninit[byte](0)
   let length = ?sig.toBytes(res)
   res.setLen(length)
   discard ?sig.toBytes(res)
@@ -494,7 +495,7 @@ proc getRawBytes*(seckey: EcPrivateKey): EcResult[seq[byte]] =
   if isNil(seckey):
     return err(EcKeyIncorrectError)
   if seckey.key.curve in EcSupportedCurvesCint:
-    var res = newSeq[byte]()
+    var res = newSeqUninit[byte](0)
     let length = ?seckey.toRawBytes(res)
     res.setLen(length)
     discard ?seckey.toRawBytes(res)
@@ -507,7 +508,7 @@ proc getRawBytes*(pubkey: EcPublicKey): EcResult[seq[byte]] =
   if isNil(pubkey):
     return err(EcKeyIncorrectError)
   if pubkey.key.curve in EcSupportedCurvesCint:
-    var res = newSeq[byte]()
+    var res = newSeqUninit[byte](0)
     let length = ?pubkey.toRawBytes(res)
     res.setLen(length)
     discard ?pubkey.toRawBytes(res)
@@ -519,7 +520,7 @@ proc getRawBytes*(sig: EcSignature): EcResult[seq[byte]] =
   ## Serialize EC signature ``sig`` to raw binary form and return it.
   if isNil(sig):
     return err(EcSignatureError)
-  var res = newSeq[byte]()
+  var res = newSeqUninit[byte](0)
   let length = ?sig.toBytes(res)
   res.setLen(length)
   discard ?sig.toBytes(res)
@@ -929,7 +930,7 @@ proc getSecret*(pubkey: EcPublicKey, seckey: EcPrivateKey): seq[byte] =
   var data: array[Secret521Length, byte]
   let res = toSecret(pubkey, seckey, data)
   if res > 0:
-    result = newSeq[byte](res)
+    result = newSeqUninit[byte](res)
     copyMem(addr result[0], addr data[0], res)
 
 proc sign*[T: byte | char](
@@ -943,7 +944,7 @@ proc sign*[T: byte | char](
   var impl = ecGetDefault()
   if seckey.key.curve in EcSupportedCurvesCint:
     var sig = new EcSignature
-    sig.buffer = newSeq[byte](256)
+    sig.buffer = newSeqUninit[byte](256)
     var kv = addr sha256Vtable
     kv.init(addr hc.vtable)
     if len(message) > 0:

libp2p/crypto/minasn1.nim

@@ -17,6 +17,7 @@ export results
 # We use `ncrutils` for constant-time hexadecimal encoding/decoding procedures.
 import nimcrypto/utils as ncrutils
 import ../utility
+import ../utils/sequninit
 
 type
   Asn1Error* {.pure.} = enum
@@ -679,15 +680,15 @@ proc init*(t: typedesc[Asn1Buffer], data: string): Asn1Buffer =
 
 proc init*(t: typedesc[Asn1Buffer]): Asn1Buffer =
   ## Initialize empty ``Asn1Buffer``.
-  Asn1Buffer(buffer: newSeq[byte]())
+  Asn1Buffer(buffer: newSeqUninit[byte](0))
 
 proc init*(t: typedesc[Asn1Composite], tag: Asn1Tag): Asn1Composite =
   ## Initialize ``Asn1Composite`` with tag ``tag``.
-  Asn1Composite(tag: tag, buffer: newSeq[byte]())
+  Asn1Composite(tag: tag, buffer: newSeqUninit[byte](0))
 
 proc init*(t: typedesc[Asn1Composite], idx: int): Asn1Composite =
   ## Initialize ``Asn1Composite`` with tag context-specific id ``id``.
-  Asn1Composite(tag: Asn1Tag.Context, idx: idx, buffer: newSeq[byte]())
+  Asn1Composite(tag: Asn1Tag.Context, idx: idx, buffer: newSeqUninit[byte](0))
 
 proc `$`*(buffer: Asn1Buffer): string =
   ## Return string representation of ``buffer``.

libp2p/crypto/rsa.nim

@@ -21,6 +21,7 @@ import results
 import stew/ctops
 # We use `ncrutils` for constant-time hexadecimal encoding/decoding procedures.
 import nimcrypto/utils as ncrutils
+import ../utils/sequninit
 
 export Asn1Error, results
 
@@ -124,7 +125,7 @@ proc random*[T: RsaKP](
     length = eko + ((bits + 7) shr 3)
 
   let res = new T
-  res.buffer = newSeq[byte](length)
+  res.buffer = newSeqUninit[byte](length)
 
   var keygen = rsaKeygenGetDefault()
 
@@ -169,7 +170,7 @@ proc copy*[T: RsaPKI](key: T): T =
         key.seck.dqlen.uint + key.seck.iqlen.uint + key.pubk.nlen.uint +
         key.pubk.elen.uint + key.pexplen.uint
       result = new RsaPrivateKey
-      result.buffer = newSeq[byte](length)
+      result.buffer = newSeqUninit[byte](length)
       let po: uint = 0
       let qo = po + key.seck.plen
       let dpo = qo + key.seck.qlen
@@ -207,7 +208,7 @@ proc copy*[T: RsaPKI](key: T): T =
     if len(key.buffer) > 0:
       let length = key.key.nlen + key.key.elen
       result = new RsaPublicKey
-      result.buffer = newSeq[byte](length)
+      result.buffer = newSeqUninit[byte](length)
       let no = 0
       let eo = no + key.key.nlen
       copyMem(addr result.buffer[no], key.key.n, key.key.nlen)
@@ -226,7 +227,7 @@ proc getPublicKey*(key: RsaPrivateKey): RsaPublicKey =
   doAssert(not isNil(key))
   let length = key.pubk.nlen + key.pubk.elen
   result = new RsaPublicKey
-  result.buffer = newSeq[byte](length)
+  result.buffer = newSeqUninit[byte](length)
   result.key.n = addr result.buffer[0]
   result.key.e = addr result.buffer[key.pubk.nlen]
   copyMem(addr result.buffer[0], cast[pointer](key.pubk.n), key.pubk.nlen)
@@ -357,7 +358,7 @@ proc getBytes*(key: RsaPrivateKey): RsaResult[seq[byte]] =
   ## return it.
   if isNil(key):
     return err(RsaKeyIncorrectError)
-  var res = newSeq[byte](4096)
+  var res = newSeqUninit[byte](4096)
   let length = ?key.toBytes(res)
   if length > 0:
     res.setLen(length)
@@ -370,7 +371,7 @@ proc getBytes*(key: RsaPublicKey): RsaResult[seq[byte]] =
   ## return it.
   if isNil(key):
     return err(RsaKeyIncorrectError)
-  var res = newSeq[byte](4096)
+  var res = newSeqUninit[byte](4096)
   let length = ?key.toBytes(res)
   if length > 0:
     res.setLen(length)
@@ -382,7 +383,7 @@ proc getBytes*(sig: RsaSignature): RsaResult[seq[byte]] =
   ## Serialize RSA signature ``sig`` to raw binary form and return it.
   if isNil(sig):
     return err(RsaSignatureError)
-  var res = newSeq[byte](4096)
+  var res = newSeqUninit[byte](4096)
   let length = ?sig.toBytes(res)
   if length > 0:
     res.setLen(length)
@@ -753,7 +754,7 @@ proc sign*[T: byte | char](
   var hash: array[32, byte]
   let impl = rsaPkcs1SignGetDefault()
   var res = new RsaSignature
-  res.buffer = newSeq[byte]((key.seck.nBitlen + 7) shr 3)
+  res.buffer = newSeqUninit[byte]((key.seck.nBitlen + 7) shr 3)
   var kv = addr sha256Vtable
   kv.init(addr hc.vtable)
   if len(message) > 0:

libp2p/crypto/secp.nim

@@ -11,6 +11,7 @@
 
 import bearssl/rand
 import secp256k1, results, stew/byteutils, nimcrypto/[hash, sha2]
+import ../utils/sequninit
 
 export sha2, results, rand
 
@@ -85,8 +86,9 @@ proc init*(sig: var SkSignature, data: string): SkResult[void] =
   var buffer: seq[byte]
   try:
     buffer = hexToSeqByte(data)
-  except ValueError:
-    return err("secp: Hex to bytes failed")
+  except ValueError as e:
+    let errMsg = "secp: Hex to bytes failed: " & e.msg
+    return err(errMsg.cstring)
   init(sig, buffer)
 
 proc init*(t: typedesc[SkPrivateKey], data: openArray[byte]): SkResult[SkPrivateKey] =
@@ -181,7 +183,7 @@ proc getBytes*(key: SkPublicKey): seq[byte] {.inline.} =
 
 proc getBytes*(sig: SkSignature): seq[byte] {.inline.} =
   ## Serialize Secp256k1 `signature` and return it.
-  result = newSeq[byte](72)
+  result = newSeqUninit[byte](72)
   let length = toBytes(sig, result)
   result.setLen(length)
 

libp2p/daemon/daemonapi.nim

@@ -15,6 +15,7 @@ import pkg/[chronos, chronicles]
 import ../varint, ../multiaddress, ../multicodec, ../cid, ../peerid
 import ../wire, ../multihash, ../protobuf/minprotobuf, ../errors
 import ../crypto/crypto, ../utility
+import ../utils/sequninit
 
 export peerid, multiaddress, multicodec, multihash, cid, crypto, wire, errors
 
@@ -496,7 +497,7 @@ proc recvMessage(
     size: uint
     length: int
     res: VarintResult[void]
-  var buffer = newSeq[byte](10)
+  var buffer = newSeqUninit[byte](10)
   try:
     for i in 0 ..< len(buffer):
       await conn.readExactly(addr buffer[i], 1)
@@ -595,13 +596,13 @@ template exceptionToAssert(body: untyped): untyped =
     try:
       res = body
     except OSError as exc:
-      raise exc
+      raise newException(OSError, "failure in exceptionToAssert: " & exc.msg, exc)
     except IOError as exc:
-      raise exc
+      raise newException(IOError, "failure in exceptionToAssert: " & exc.msg, exc)
     except Defect as exc:
-      raise exc
+      raise newException(Defect, "failure in exceptionToAssert: " & exc.msg, exc)
     except Exception as exc:
-      raiseAssert exc.msg
+      raiseAssert "Exception captured in exceptionToAssert: " & exc.msg
     when defined(nimHasWarnBareExcept):
       {.pop.}
     res
@@ -957,8 +958,7 @@ proc openStream*(
       var res: seq[byte]
       if pb.getRequiredField(ResponseType.STREAMINFO.int, res).isOk():
         let resPb = initProtoBuffer(res)
-        # stream.peer = newSeq[byte]()
-        var raddress = newSeq[byte]()
+        var raddress = newSeqUninit[byte](0)
         stream.protocol = ""
         resPb.getRequiredField(1, stream.peer).tryGet()
         resPb.getRequiredField(2, raddress).tryGet()
@@ -967,9 +967,9 @@ proc openStream*(
         stream.flags.incl(Outbound)
         stream.transp = transp
         result = stream
-  except ResultError[ProtoError]:
+  except ResultError[ProtoError] as e:
     await api.closeConnection(transp)
-    raise newException(DaemonLocalError, "Wrong message type!")
+    raise newException(DaemonLocalError, "Wrong message type: " & e.msg, e)
 
 proc streamHandler(server: StreamServer, transp: StreamTransport) {.async.} =
   # must not specify raised exceptions as this is StreamCallback from chronos
@@ -977,7 +977,7 @@ proc streamHandler(server: StreamServer, transp: StreamTransport) {.async.} =
   var message = await transp.recvMessage()
   var pb = initProtoBuffer(message)
   var stream = new P2PStream
-  var raddress = newSeq[byte]()
+  var raddress = newSeqUninit[byte](0)
   stream.protocol = ""
   pb.getRequiredField(1, stream.peer).tryGet()
   pb.getRequiredField(2, raddress).tryGet()
@@ -1023,10 +1023,10 @@ proc addHandler*(
       api.servers.add(P2PServer(server: server, address: maddress))
   except DaemonLocalError as e:
     await removeHandler()
-    raise e
+    raise newException(DaemonLocalError, "Could not add stream handler: " & e.msg, e)
   except TransportError as e:
     await removeHandler()
-    raise e
+    raise newException(TransportError, "Could not add stream handler: " & e.msg, e)
   except CancelledError as e:
     await removeHandler()
     raise e
@@ -1116,7 +1116,7 @@ proc dhtGetSinglePeerInfo(pb: ProtoBuffer): PeerInfo {.raises: [DaemonLocalError
     raise newException(DaemonLocalError, "Missing required field `peer`!")
 
 proc dhtGetSingleValue(pb: ProtoBuffer): seq[byte] {.raises: [DaemonLocalError].} =
-  result = newSeq[byte]()
+  result = newSeqUninit[byte](0)
   if pb.getRequiredField(3, result).isErr():
     raise newException(DaemonLocalError, "Missing field `value`!")
 
@@ -1453,8 +1453,8 @@ proc pubsubPublish*(
     await api.closeConnection(transp)
 
 proc getPubsubMessage*(pb: ProtoBuffer): PubSubMessage =
-  result.data = newSeq[byte]()
-  result.seqno = newSeq[byte]()
+  result.data = newSeqUninit[byte](0)
+  result.seqno = newSeqUninit[byte](0)
   discard pb.getField(1, result.peer)
   discard pb.getField(2, result.data)
   discard pb.getField(3, result.seqno)
@@ -1503,10 +1503,14 @@ proc pubsubSubscribe*(
       result = ticket
   except DaemonLocalError as exc:
     await api.closeConnection(transp)
-    raise exc
+    raise newException(
+      DaemonLocalError, "Could not subscribe to topic '" & topic & "': " & exc.msg, exc
+    )
   except TransportError as exc:
     await api.closeConnection(transp)
-    raise exc
+    raise newException(
+      TransportError, "Could not subscribe to topic '" & topic & "': " & exc.msg, exc
+    )
   except CancelledError as exc:
     await api.closeConnection(transp)
     raise exc

libp2p/dialer.nim

@@ -104,12 +104,13 @@ proc expandDnsAddr(
 ): Future[seq[(MultiAddress, Opt[PeerId])]] {.
     async: (raises: [CancelledError, MaError, TransportAddressError, LPError])
 .} =
-  if not DNSADDR.matchPartial(address):
+  if not DNS.matchPartial(address):
     return @[(address, peerId)]
   if isNil(self.nameResolver):
     info "Can't resolve DNSADDR without NameResolver", ma = address
     return @[]
 
+  trace "Start trying to resolve addresses"
   let
     toResolve =
       if peerId.isSome:
@@ -121,12 +122,19 @@ proc expandDnsAddr(
         address
     resolved = await self.nameResolver.resolveDnsAddr(toResolve)
 
+  debug "resolved addresses",
+    originalAddresses = toResolve, resolvedAddresses = resolved
+
   for resolvedAddress in resolved:
     let lastPart = resolvedAddress[^1].tryGet()
     if lastPart.protoCode == Result[MultiCodec, string].ok(multiCodec("p2p")):
-      let
+      var peerIdBytes: seq[byte]
+      try:
         peerIdBytes = lastPart.protoArgument().tryGet()
-        addrPeerId = PeerId.init(peerIdBytes).tryGet()
+      except ResultError[string] as e:
+        raiseAssert "expandDnsAddr failed in expandDnsAddr protoArgument: " & e.msg
+
+      let addrPeerId = PeerId.init(peerIdBytes).tryGet()
       result.add((resolvedAddress[0 ..^ 2].tryGet(), Opt.some(addrPeerId)))
     else:
       result.add((resolvedAddress, peerId))
@@ -141,7 +149,6 @@ proc dialAndUpgrade(
   for rawAddress in addrs:
     # resolve potential dnsaddr
     let addresses = await self.expandDnsAddr(peerId, rawAddress)
-
     for (expandedAddress, addrPeerId) in addresses:
       # DNS resolution
       let
@@ -152,6 +159,11 @@ proc dialAndUpgrade(
           else:
             await self.nameResolver.resolveMAddress(expandedAddress)
 
+      debug "Expanded address and hostname",
+        expandedAddress = expandedAddress,
+        hostname = hostname,
+        resolvedAddresses = resolvedAddresses
+
       for resolvedAddress in resolvedAddresses:
         result = await self.dialAndUpgrade(addrPeerId, hostname, resolvedAddress, dir)
         if not isNil(result):
@@ -174,7 +186,7 @@ proc internalConnect(
     dir = Direction.Out,
 ): Future[Muxer] {.async: (raises: [DialFailedError, CancelledError]).} =
   if Opt.some(self.localPeerId) == peerId:
-    raise newException(DialFailedError, "can't dial self!")
+    raise newException(DialFailedError, "internalConnect can't dial self!")
 
   # Ensure there's only one in-flight attempt per peer
   let lock = self.dialLock.mgetOrPut(peerId.get(default(PeerId)), newAsyncLock())
@@ -182,8 +194,8 @@ proc internalConnect(
   defer:
     try:
       lock.release()
-    except AsyncLockError:
-      raiseAssert "lock must have been acquired in line above"
+    except AsyncLockError as e:
+      raiseAssert "lock must have been acquired in line above: " & e.msg
 
   if reuseConnection:
     peerId.withValue(peerId):
@@ -194,7 +206,9 @@ proc internalConnect(
     try:
       self.connManager.getOutgoingSlot(forceDial)
     except TooManyConnectionsError as exc:
-      raise newException(DialFailedError, exc.msg)
+      raise newException(
+        DialFailedError, "failed getOutgoingSlot in internalConnect: " & exc.msg, exc
+      )
 
   let muxed =
     try:
@@ -204,11 +218,15 @@ proc internalConnect(
       raise exc
     except CatchableError as exc:
       slot.release()
-      raise newException(DialFailedError, exc.msg)
+      raise newException(
+        DialFailedError, "failed dialAndUpgrade in internalConnect: " & exc.msg, exc
+      )
 
   slot.trackMuxer(muxed)
   if isNil(muxed): # None of the addresses connected
-    raise newException(DialFailedError, "Unable to establish outgoing link")
+    raise newException(
+      DialFailedError, "Unable to establish outgoing link in internalConnect"
+    )
 
   try:
     self.connManager.storeMuxer(muxed)
@@ -224,7 +242,11 @@ proc internalConnect(
   except CatchableError as exc:
     trace "Failed to finish outgoing upgrade", description = exc.msg
     await muxed.close()
-    raise newException(DialFailedError, "Failed to finish outgoing upgrade")
+    raise newException(
+      DialFailedError,
+      "Failed to finish outgoing upgrade in internalConnect: " & exc.msg,
+      exc,
+    )
 
 method connect*(
     self: Dialer,
@@ -256,7 +278,7 @@ method connect*(
 
   if allowUnknownPeerId == false:
     raise newException(
-      DialFailedError, "Address without PeerID and unknown peer id disabled!"
+      DialFailedError, "Address without PeerID and unknown peer id disabled in connect"
     )
 
   return
@@ -269,7 +291,7 @@ proc negotiateStream(
   let selected = await MultistreamSelect.select(conn, protos)
   if not protos.contains(selected):
     await conn.closeWithEOF()
-    raise newException(DialFailedError, "Unable to select sub-protocol " & $protos)
+    raise newException(DialFailedError, "Unable to select sub-protocol: " & $protos)
 
   return conn
 
@@ -285,13 +307,13 @@ method tryDial*(
   try:
     let mux = await self.dialAndUpgrade(Opt.some(peerId), addrs)
     if mux.isNil():
-      raise newException(DialFailedError, "No valid multiaddress")
+      raise newException(DialFailedError, "No valid multiaddress in tryDial")
     await mux.close()
     return mux.connection.observedAddr
   except CancelledError as exc:
     raise exc
   except CatchableError as exc:
-    raise newException(DialFailedError, exc.msg)
+    raise newException(DialFailedError, "tryDial failed: " & exc.msg, exc)
 
 method dial*(
     self: Dialer, peerId: PeerId, protos: seq[string]
@@ -305,14 +327,17 @@ method dial*(
   try:
     let stream = await self.connManager.getStream(peerId)
     if stream.isNil:
-      raise newException(DialFailedError, "Couldn't get muxed stream")
+      raise newException(
+        DialFailedError,
+        "Couldn't get muxed stream in dial for peer_id: " & shortLog(peerId),
+      )
     return await self.negotiateStream(stream, protos)
   except CancelledError as exc:
-    trace "Dial canceled"
+    trace "Dial canceled", description = exc.msg
     raise exc
   except CatchableError as exc:
     trace "Error dialing", description = exc.msg
-    raise newException(DialFailedError, exc.msg)
+    raise newException(DialFailedError, "failed dial existing: " & exc.msg)
 
 method dial*(
     self: Dialer,
@@ -343,17 +368,20 @@ method dial*(
     stream = await self.connManager.getStream(conn)
 
     if isNil(stream):
-      raise newException(DialFailedError, "Couldn't get muxed stream")
+      raise newException(
+        DialFailedError,
+        "Couldn't get muxed stream in new dial for remote_peer_id: " & shortLog(peerId),
+      )
 
     return await self.negotiateStream(stream, protos)
   except CancelledError as exc:
-    trace "Dial canceled", conn
+    trace "Dial canceled", conn, description = exc.msg
     await cleanup()
     raise exc
   except CatchableError as exc:
     debug "Error dialing", conn, description = exc.msg
     await cleanup()
-    raise newException(DialFailedError, exc.msg)
+    raise newException(DialFailedError, "failed new dial: " & exc.msg, exc)
 
 method addTransport*(self: Dialer, t: Transport) =
   self.transports &= t

libp2p/discovery/discoverymngr.nim

@@ -113,7 +113,7 @@ proc add*(dm: DiscoveryManager, di: DiscoveryInterface) =
         try:
           query.peers.putNoWait(pa)
         except AsyncQueueFullError as exc:
-          debug "Cannot push discovered peer to queue"
+          debug "Cannot push discovered peer to queue", description = exc.msg
 
 proc request*(dm: DiscoveryManager, pa: PeerAttributes): DiscoveryQuery =
   var query = DiscoveryQuery(attr: pa, peers: newAsyncQueue[PeerAttributes]())
@@ -159,7 +159,7 @@ proc stop*(query: DiscoveryQuery) =
   query.finished = true
   for r in query.futs:
     if not r.finished():
-      r.cancel()
+      r.cancelSoon()
 
 proc stop*(dm: DiscoveryManager) =
   for q in dm.queries:
@@ -167,7 +167,7 @@ proc stop*(dm: DiscoveryManager) =
   for i in dm.interfaces:
     if isNil(i.advertiseLoop):
       continue
-    i.advertiseLoop.cancel()
+    i.advertiseLoop.cancelSoon()
 
 proc getPeer*(
     query: DiscoveryQuery
@@ -179,7 +179,7 @@ proc getPeer*(
   try:
     await getter or allFinished(query.futs)
   except CancelledError as exc:
-    getter.cancel()
+    getter.cancelSoon()
     raise exc
 
   if not finished(getter):

libp2p/multiaddress.nim

@@ -27,6 +27,7 @@ import
   utility
 import stew/[base58, base32, endians2]
 export results, vbuffer, errors, utility
+import ./utils/sequninit
 
 logScope:
   topics = "libp2p multiaddress"
@@ -223,7 +224,7 @@ proc p2pStB(s: string, vb: var VBuffer): bool =
 
 proc p2pBtS(vb: var VBuffer, s: var string): bool =
   ## P2P address bufferToString() implementation.
-  var address = newSeq[byte]()
+  var address = newSeqUninit[byte](0)
   if vb.readSeq(address) > 0:
     var mh: MultiHash
     if MultiHash.decode(address, mh).isOk:
@@ -232,7 +233,7 @@ proc p2pBtS(vb: var VBuffer, s: var string): bool =
 
 proc p2pVB(vb: var VBuffer): bool =
   ## P2P address validateBuffer() implementation.
-  var address = newSeq[byte]()
+  var address = newSeqUninit[byte](0)
   if vb.readSeq(address) > 0:
     var mh: MultiHash
     if MultiHash.decode(address, mh).isOk:
@@ -555,7 +556,7 @@ proc protoAddress*(ma: MultiAddress): MaResult[seq[byte]] =
   ##
   ## If current MultiAddress do not have argument value, then result array will
   ## be empty.
-  var buffer = newSeq[byte](len(ma.data.buffer))
+  var buffer = newSeqUninit[byte](len(ma.data.buffer))
   let res = ?protoArgument(ma, buffer)
   buffer.setLen(res)
   ok(buffer)
@@ -569,7 +570,7 @@ proc protoArgument*(ma: MultiAddress): MaResult[seq[byte]] =
 
 proc getPart(ma: MultiAddress, index: int): MaResult[MultiAddress] =
   var header: uint64
-  var data = newSeq[byte]()
+  var data = newSeqUninit[byte](0)
   var offset = 0
   var vb = ma
   var res: MultiAddress
@@ -643,7 +644,7 @@ proc `[]`*(ma: MultiAddress, slice: HSlice): MaResult[MultiAddress] {.inline.} =
 iterator items*(ma: MultiAddress): MaResult[MultiAddress] =
   ## Iterates over all addresses inside of MultiAddress ``ma``.
   var header: uint64
-  var data = newSeq[byte]()
+  var data = newSeqUninit[byte](0)
   var vb = ma
   while true:
     if vb.data.isEmpty():

libp2p/multibase.nim

@@ -18,6 +18,7 @@
 import tables
 import results
 import stew/[base32, base58, base64]
+import ./utils/sequninit
 
 type
   MultiBaseStatus* {.pure.} = enum
@@ -533,7 +534,7 @@ proc decode*(
     let empty: seq[byte] = @[]
     ok(empty) # empty
   else:
-    var buffer = newSeq[byte](mb.decl(length - 1))
+    var buffer = newSeqUninit[byte](mb.decl(length - 1))
     var outlen = 0
     let res = mb.decr(inbytes.toOpenArray(1, length - 1), buffer, outlen)
     if res != MultiBaseStatus.Success:

libp2p/multicodec.nim

@@ -10,6 +10,7 @@
 ## This module implements MultiCodec.
 
 {.push raises: [].}
+{.used.}
 
 import tables, hashes
 import vbuffer

libp2p/multihash.nim

@@ -22,6 +22,7 @@
 ## 2. MURMUR
 
 {.push raises: [].}
+{.used.}
 
 import tables
 import nimcrypto/[sha, sha2, keccak, blake2, hash, utils]
@@ -566,7 +567,7 @@ proc init*(mhtype: typedesc[MultiHash], data: string): MhResult[MultiHash] {.inl
 proc init58*(mhtype: typedesc[MultiHash], data: string): MultiHash {.inline.} =
   ## Create MultiHash from BASE58 encoded string representation ``data``.
   if MultiHash.decode(Base58.decode(data), result) == -1:
-    raise newException(MultihashError, "Incorrect MultiHash binary format")
+    raise newException(MultihashError, "Incorrect MultiHash binary format in init58")
 
 proc cmp(a: openArray[byte], b: openArray[byte]): bool {.inline.} =
   if len(a) != len(b):

libp2p/multistream.nim

@@ -249,11 +249,7 @@ proc addHandler*[E](
   m.handlers.add(HandlerHolder(protos: @[codec], protocol: protocol, match: matcher))
 
 proc start*(m: MultistreamSelect) {.async: (raises: [CancelledError]).} =
-  # Nim 1.6.18: Using `mapIt` results in a seq of `.Raising([])`
-  # TODO https://github.com/nim-lang/Nim/issues/23445
-  var futs = newSeqOfCap[Future[void].Raising([CancelledError])](m.handlers.len)
-  for it in m.handlers:
-    futs.add it.protocol.start()
+  let futs = m.handlers.mapIt(it.protocol.start())
   try:
     await allFutures(futs)
     for fut in futs:
@@ -273,10 +269,7 @@ proc start*(m: MultistreamSelect) {.async: (raises: [CancelledError]).} =
     raise exc
 
 proc stop*(m: MultistreamSelect) {.async: (raises: []).} =
-  # Nim 1.6.18: Using `mapIt` results in a seq of `.Raising([CancelledError])`
-  var futs = newSeqOfCap[Future[void].Raising([])](m.handlers.len)
-  for it in m.handlers:
-    futs.add it.protocol.stop()
+  let futs = m.handlers.mapIt(it.protocol.stop())
   await noCancel allFutures(futs)
   for fut in futs:
     await fut

libp2p/muxers/mplex/lpchannel.nim

@@ -11,8 +11,7 @@
 
 import std/[oids, strformat]
 import pkg/[chronos, chronicles, metrics]
-import
-  ./coder, ../muxer, ../../stream/[bufferstream, connection, streamseq], ../../peerinfo
+import ./coder, ../muxer, ../../stream/[bufferstream, connection], ../../peerinfo
 
 export connection
 
@@ -87,7 +86,7 @@ proc open*(s: LPChannel) {.async: (raises: [CancelledError, LPStreamError]).} =
     raise exc
   except LPStreamError as exc:
     await s.conn.close()
-    raise exc
+    raise newException(LPStreamError, "Opening LPChannel failed: " & exc.msg, exc)
 
 method closed*(s: LPChannel): bool =
   s.closedLocal

libp2p/muxers/yamux/yamux.nim

@@ -12,6 +12,7 @@
 import sequtils, std/[tables]
 import chronos, chronicles, metrics, stew/[endians2, byteutils, objects]
 import ../muxer, ../../stream/connection
+import ../../utils/[zeroqueue, sequninit]
 
 export muxer
 
@@ -134,12 +135,11 @@ proc windowUpdate(
   )
 
 type
-  ToSend =
-    tuple[
-      data: seq[byte],
-      sent: int,
-      fut: Future[void].Raising([CancelledError, LPStreamError]),
-    ]
+  ToSend = ref object
+    data: seq[byte]
+    sent: int
+    fut: Future[void].Raising([CancelledError, LPStreamError])
+
   YamuxChannel* = ref object of Connection
     id: uint32
     recvWindow: int
@@ -151,7 +151,7 @@ type
     opened: bool
     isSending: bool
     sendQueue: seq[ToSend]
-    recvQueue: seq[byte]
+    recvQueue: ZeroQueue
     isReset: bool
     remoteReset: bool
     closedRemotely: AsyncEvent
@@ -217,6 +217,15 @@ method closeImpl*(channel: YamuxChannel) {.async: (raises: []).} =
         discard
     await channel.actuallyClose()
 
+proc clearQueues(channel: YamuxChannel, error: ref CatchableError = nil) =
+  for toSend in channel.sendQueue:
+    if error.isNil():
+      toSend.fut.complete()
+    else:
+      toSend.fut.fail(error)
+  channel.sendQueue = @[]
+  channel.recvQueue.clear()
+
 proc reset(channel: YamuxChannel, isLocal: bool = false) {.async: (raises: []).} =
   # If we reset locally, we want to flush up to a maximum of recvWindow
   # bytes. It's because the peer we're connected to can send us data before
@@ -226,10 +235,8 @@ proc reset(channel: YamuxChannel, isLocal: bool = false) {.async: (raises: []).}
   trace "Reset channel"
   channel.isReset = true
   channel.remoteReset = not isLocal
-  for (d, s, fut) in channel.sendQueue:
-    fut.fail(newLPStreamEOFError())
-  channel.sendQueue = @[]
-  channel.recvQueue = @[]
+  channel.clearQueues(newLPStreamEOFError())
+
   channel.sendWindow = 0
   if not channel.closedLocally:
     if isLocal and not channel.isSending:
@@ -257,7 +264,7 @@ proc updateRecvWindow(
     return
 
   let delta = channel.maxRecvWindow - inWindow
-  channel.recvWindow.inc(delta)
+  channel.recvWindow.inc(delta.int)
   await channel.conn.write(YamuxHeader.windowUpdate(channel.id, delta.uint32))
   trace "increasing the recvWindow", delta
 
@@ -278,8 +285,9 @@ method readOnce*(
         trace "stream is down when readOnce", channel = $channel
         newLPStreamConnDownError()
   if channel.isEof:
+    channel.clearQueues()
     raise newLPStreamRemoteClosedError()
-  if channel.recvQueue.len == 0:
+  if channel.recvQueue.isEmpty():
     channel.receivedData.clear()
     let
       closedRemotelyFut = channel.closedRemotely.wait()
@@ -290,28 +298,24 @@ method readOnce*(
       if not receivedDataFut.finished():
         await receivedDataFut.cancelAndWait()
     await closedRemotelyFut or receivedDataFut
-    if channel.closedRemotely.isSet() and channel.recvQueue.len == 0:
+    if channel.closedRemotely.isSet() and channel.recvQueue.isEmpty():
       channel.isEof = true
+      channel.clearQueues()
       return
         0 # we return 0 to indicate that the channel is closed for reading from now on
 
-  let toRead = min(channel.recvQueue.len, nbytes)
-
-  var p = cast[ptr UncheckedArray[byte]](pbytes)
-  toOpenArray(p, 0, nbytes - 1)[0 ..< toRead] =
-    channel.recvQueue.toOpenArray(0, toRead - 1)
-  channel.recvQueue = channel.recvQueue[toRead ..^ 1]
+  let consumed = channel.recvQueue.consumeTo(pbytes, nbytes)
 
   # We made some room in the recv buffer let the peer know
   await channel.updateRecvWindow()
   channel.activity = true
-  return toRead
+  return consumed
 
 proc gotDataFromRemote(
     channel: YamuxChannel, b: seq[byte]
 ) {.async: (raises: [CancelledError, LPStreamError]).} =
   channel.recvWindow -= b.len
-  channel.recvQueue = channel.recvQueue.concat(b)
+  channel.recvQueue.push(b)
   channel.receivedData.fire()
   when defined(libp2p_yamux_metrics):
     libp2p_yamux_recv_queue.observe(channel.recvQueue.len.int64)
@@ -320,17 +324,18 @@ proc gotDataFromRemote(
 proc setMaxRecvWindow*(channel: YamuxChannel, maxRecvWindow: int) =
   channel.maxRecvWindow = maxRecvWindow
 
-proc trySend(
-    channel: YamuxChannel
-) {.async: (raises: [CancelledError, LPStreamError]).} =
+proc sendLoop(channel: YamuxChannel) {.async: (raises: []).} =
   if channel.isSending:
     return
   channel.isSending = true
   defer:
     channel.isSending = false
 
-  while channel.sendQueue.len != 0:
-    channel.sendQueue.keepItIf(not (it.fut.cancelled() and it.sent == 0))
+  const NumBytesHeader = 12
+
+  while channel.sendQueue.len > 0:
+    channel.sendQueue.keepItIf(not it.fut.finished())
+
     if channel.sendWindow == 0:
       trace "trying to send while the sendWindow is empty"
       if channel.lengthSendQueueWithLimit() > channel.maxSendQueueSize:
@@ -342,54 +347,57 @@ proc trySend(
 
     let
       bytesAvailable = channel.lengthSendQueue()
-      toSend = min(channel.sendWindow, bytesAvailable)
+      numBytesToSend = min(channel.sendWindow, bytesAvailable)
     var
-      sendBuffer = newSeqUninitialized[byte](toSend + 12)
-      header = YamuxHeader.data(channel.id, toSend.uint32)
+      sendBuffer = newSeqUninit[byte](NumBytesHeader + numBytesToSend)
+      header = YamuxHeader.data(channel.id, numBytesToSend.uint32)
       inBuffer = 0
 
-    if toSend >= bytesAvailable and channel.closedLocally:
-      trace "last buffer we'll sent on this channel", toSend, bytesAvailable
+    if numBytesToSend >= bytesAvailable and channel.closedLocally:
+      trace "last buffer we will send on this channel", numBytesToSend, bytesAvailable
       header.flags.incl({Fin})
 
-    sendBuffer[0 ..< 12] = header.encode()
+    sendBuffer[0 ..< NumBytesHeader] = header.encode()
 
     var futures: seq[Future[void].Raising([CancelledError, LPStreamError])]
-    while inBuffer < toSend:
+    while inBuffer < numBytesToSend:
+      var toSend = channel.sendQueue[0]
       # concatenate the different message we try to send into one buffer
-      let (data, sent, fut) = channel.sendQueue[0]
-      let bufferToSend = min(data.len - sent, toSend - inBuffer)
+      let bufferToSend = min(toSend.data.len - toSend.sent, numBytesToSend - inBuffer)
 
-      sendBuffer.toOpenArray(12, 12 + toSend - 1)[
+      sendBuffer.toOpenArray(NumBytesHeader, NumBytesHeader + numBytesToSend - 1)[
         inBuffer ..< (inBuffer + bufferToSend)
-      ] = channel.sendQueue[0].data.toOpenArray(sent, sent + bufferToSend - 1)
+      ] = toSend.data.toOpenArray(toSend.sent, toSend.sent + bufferToSend - 1)
+
       channel.sendQueue[0].sent.inc(bufferToSend)
-      if channel.sendQueue[0].sent >= data.len:
+
+      if toSend.sent >= toSend.data.len:
         # if every byte of the message is in the buffer, add the write future to the
         # sequence of futures to be completed (or failed) when the buffer is sent
-        futures.add(fut)
+        futures.add(toSend.fut)
         channel.sendQueue.delete(0)
+
       inBuffer.inc(bufferToSend)
 
     trace "try to send the buffer", h = $header
-    channel.sendWindow.dec(toSend)
     try:
       await channel.conn.write(sendBuffer)
+      channel.sendWindow.dec(inBuffer)
     except CancelledError:
-      trace "cancelled sending the buffer"
-      for fut in futures.items():
-        fut.cancelSoon()
-      await channel.reset()
-      break
+      ## Just for compiler. This should never happen as sendLoop is started by asyncSpawn.
+      ## Therefore, no one owns that sendLoop's future and no one can cancel it.
+      discard
     except LPStreamError as exc:
-      trace "failed to send the buffer"
+      error "failed to send the buffer", description = exc.msg
       let connDown = newLPStreamConnDownError(exc)
-      for fut in futures.items():
+      for fut in futures:
         fut.fail(connDown)
       await channel.reset()
       break
-    for fut in futures.items():
+
+    for fut in futures:
       fut.complete()
+
     channel.activity = true
 
 method write*(
@@ -397,21 +405,29 @@ method write*(
 ): Future[void] {.async: (raises: [CancelledError, LPStreamError], raw: true).} =
   ## Write to yamux channel
   ##
-  result = newFuture[void]("Yamux Send")
+  var resFut = newFuture[void]("Yamux Send")
+
   if channel.remoteReset:
     trace "stream is reset when write", channel = $channel
-    result.fail(newLPStreamResetError())
-    return result
+    resFut.fail(newLPStreamResetError())
+    return resFut
+
   if channel.closedLocally or channel.isReset:
-    result.fail(newLPStreamClosedError())
-    return result
+    resFut.fail(newLPStreamClosedError())
+    return resFut
+
   if msg.len == 0:
-    result.complete()
-    return result
-  channel.sendQueue.add((msg, 0, result))
+    resFut.complete()
+    return resFut
+
+  channel.sendQueue.add(ToSend(data: msg, sent: 0, fut: resFut))
+
   when defined(libp2p_yamux_metrics):
     libp2p_yamux_send_queue.observe(channel.lengthSendQueue().int64)
-  asyncSpawn channel.trySend()
+
+  asyncSpawn channel.sendLoop()
+
+  return resFut
 
 proc open(channel: YamuxChannel) {.async: (raises: [CancelledError, LPStreamError]).} =
   ## Open a yamux channel by sending a window update with Syn or Ack flag
@@ -420,6 +436,8 @@ proc open(channel: YamuxChannel) {.async: (raises: [CancelledError, LPStreamErro
     trace "Try to open channel twice"
     return
   channel.opened = true
+  channel.isReset = false
+
   await channel.conn.write(
     YamuxHeader.windowUpdate(
       channel.id,
@@ -507,12 +525,19 @@ method close*(m: Yamux) {.async: (raises: []).} =
   if m.isClosed == true:
     trace "Already closed"
     return
-  m.isClosed = true
 
   trace "Closing yamux"
   let channels = toSeq(m.channels.values())
   for channel in channels:
-    await channel.reset(isLocal = true)
+    for toSend in channel.sendQueue:
+      toSend.fut.fail(newLPStreamEOFError())
+    channel.sendQueue = @[]
+    channel.sendWindow = 0
+    channel.closedLocally = true
+    channel.isReset = true
+    channel.opened = false
+    await channel.remoteClosed()
+    channel.receivedData.fire()
   try:
     await m.connection.write(YamuxHeader.goAway(NormalTermination))
   except CancelledError as exc:
@@ -520,6 +545,8 @@ method close*(m: Yamux) {.async: (raises: []).} =
   except LPStreamError as exc:
     trace "failed to send goAway", description = exc.msg
   await m.connection.close()
+
+  m.isClosed = true
   trace "Closed yamux"
 
 proc handleStream(m: Yamux, channel: YamuxChannel) {.async: (raises: []).} =
@@ -578,7 +605,7 @@ method handle*(m: Yamux) {.async: (raises: []).} =
                 raise
                   newException(YamuxError, "Peer exhausted the recvWindow after reset")
               if header.length > 0:
-                var buffer = newSeqUninitialized[byte](header.length)
+                var buffer = newSeqUninit[byte](header.length)
                 await m.connection.readExactly(addr buffer[0], int(header.length))
           do:
             raise newException(YamuxError, "Unknown stream ID: " & $header.streamId)
@@ -587,22 +614,24 @@ method handle*(m: Yamux) {.async: (raises: []).} =
         let channel =
           try:
             m.channels[header.streamId]
-          except KeyError:
+          except KeyError as e:
             raise newException(
               YamuxError,
-              "Stream was cleaned up before handling data: " & $header.streamId,
+              "Stream was cleaned up before handling data: " & $header.streamId & " : " &
+                e.msg,
+              e,
             )
 
         if header.msgType == WindowUpdate:
           channel.sendWindow += int(header.length)
-          await channel.trySend()
+          asyncSpawn channel.sendLoop()
         else:
           if header.length.int > channel.recvWindow.int:
             # check before allocating the buffer
             raise newException(YamuxError, "Peer exhausted the recvWindow")
 
           if header.length > 0:
-            var buffer = newSeqUninitialized[byte](header.length)
+            var buffer = newSeqUninit[byte](header.length)
             await m.connection.readExactly(addr buffer[0], int(header.length))
             trace "Msg Rcv", description = shortLog(buffer)
             await channel.gotDataFromRemote(buffer)

libp2p/nameresolving/dnsresolver.nim

@@ -15,7 +15,8 @@ import
   chronicles,
   stew/byteutils,
   dnsclientpkg/[protocol, types],
-  ../utility
+  ../utility,
+  ../utils/sequninit
 
 import nameresolver
 
@@ -37,18 +38,18 @@ proc questionToBuf(address: string, kind: QKind): seq[byte] =
     let dataLen = requestStream.getPosition()
     requestStream.setPosition(0)
 
-    var buf = newSeq[byte](dataLen)
+    var buf = newSeqUninit[byte](dataLen)
     discard requestStream.readData(addr buf[0], dataLen)
     buf
   except IOError as exc:
     info "Failed to created DNS buffer", description = exc.msg
-    newSeq[byte](0)
+    newSeqUninit[byte](0)
   except OSError as exc:
     info "Failed to created DNS buffer", description = exc.msg
-    newSeq[byte](0)
+    newSeqUninit[byte](0)
   except ValueError as exc:
     info "Failed to created DNS buffer", description = exc.msg
-    newSeq[byte](0)
+    newSeqUninit[byte](0)
 
 proc getDnsResponse(
     dnsServer: TransportAddress, address: string, kind: QKind
@@ -78,23 +79,23 @@ proc getDnsResponse(
 
     try:
       await receivedDataFuture.wait(5.seconds) #unix default
-    except AsyncTimeoutError:
-      raise newException(IOError, "DNS server timeout")
+    except AsyncTimeoutError as e:
+      raise newException(IOError, "DNS server timeout: " & e.msg, e)
 
     let rawResponse = sock.getMessage()
     try:
       parseResponse(string.fromBytes(rawResponse))
     except IOError as exc:
-      raise exc
+      raise newException(IOError, "Failed to parse DNS response: " & exc.msg, exc)
     except OSError as exc:
-      raise exc
+      raise newException(OSError, "Failed to parse DNS response: " & exc.msg, exc)
     except ValueError as exc:
-      raise exc
+      raise newException(ValueError, "Failed to parse DNS response: " & exc.msg, exc)
     except Exception as exc:
       # Nim 1.6: parseResponse can has a raises: [Exception, ..] because of
       # https://github.com/nim-lang/Nim/commit/035134de429b5d99c5607c5fae912762bebb6008
       # it can't actually raise though
-      raiseAssert exc.msg
+      raiseAssert "Exception parsing DN response: " & exc.msg
   finally:
     await sock.closeWait()
 

libp2p/peerid.nim

@@ -11,6 +11,7 @@
 
 {.push raises: [].}
 {.push public.}
+{.used.}
 
 import
   std/[hashes, strutils],
@@ -23,7 +24,8 @@ import
   ./multicodec,
   ./multihash,
   ./vbuffer,
-  ./protobuf/minprotobuf
+  ./protobuf/minprotobuf,
+  ./utils/sequninit
 
 export results, utility
 
@@ -141,7 +143,7 @@ func init*(pid: var PeerId, data: string): bool =
   ## Initialize peer id from base58 encoded string representation.
   ##
   ## Returns ``true`` if peer was successfully initialiazed.
-  var p = newSeq[byte](len(data) + 4)
+  var p = newSeqUninit[byte](len(data) + 4)
   var length = 0
   if Base58.decode(data, p, length) == Base58Status.Success:
     p.setLen(length)

libp2p/peeridauth/client.nim

@@ -0,0 +1,345 @@
+# Nim-Libp2p
+# Copyright (c) 2025 Status Research & Development GmbH
+# Licensed under either of
+#  * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE))
+#  * MIT license ([LICENSE-MIT](LICENSE-MIT))
+# at your option.
+# This file may not be copied, modified, or distributed except according to
+# those terms.
+
+{.push raises: [].}
+
+import base64, json, strutils, uri, times, stew/byteutils
+import chronos, chronos/apps/http/httpclient, results, chronicles
+import ../peerinfo, ../crypto/crypto, ../varint.nim
+
+logScope:
+  topics = "libp2p peeridauth"
+
+const
+  NimLibp2pUserAgent = "nim-libp2p"
+  PeerIDAuthPrefix* = "libp2p-PeerID"
+  ChallengeCharset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+  ChallengeDefaultLen = 48
+
+export Domain
+
+type PeerIDAuthClient* = ref object of RootObj
+  session: HttpSessionRef
+  rng: ref HmacDrbgContext
+
+type PeerIDAuthError* = object of LPError
+
+type PeerIDAuthResponse* = object
+  status*: int
+  headers*: HttpTable
+  body*: seq[byte]
+
+type BearerToken* = object
+  token*: string
+  expires*: Opt[DateTime]
+
+type PeerIDAuthOpaque* = string
+type PeerIDAuthSignature* = string
+type PeerIDAuthChallenge* = string
+
+type PeerIDAuthAuthenticationResponse* = object
+  challengeClient*: PeerIDAuthChallenge
+  opaque*: PeerIDAuthOpaque
+  serverPubkey*: PublicKey
+
+type PeerIDAuthAuthorizationResponse* = object
+  sig*: PeerIDAuthSignature
+  bearer*: BearerToken
+  response*: PeerIDAuthResponse
+
+type SigParam = object
+  k: string
+  v: seq[byte]
+
+proc new*(
+    T: typedesc[PeerIDAuthClient], rng: ref HmacDrbgContext = newRng()
+): PeerIDAuthClient =
+  PeerIDAuthClient(session: HttpSessionRef.new(), rng: rng)
+
+proc sampleChar(
+    ctx: var HmacDrbgContext, choices: string
+): char {.raises: [ValueError].} =
+  ## Samples a random character from the input string using the DRBG context
+  if choices.len == 0:
+    raise newException(ValueError, "Cannot sample from an empty string")
+  var idx: uint32
+  ctx.generate(idx)
+  return choices[uint32(idx mod uint32(choices.len))]
+
+proc randomChallenge(
+    rng: ref HmacDrbgContext, challengeLen: int = ChallengeDefaultLen
+): PeerIDAuthChallenge {.raises: [PeerIDAuthError].} =
+  var rng = rng[]
+  var challenge = ""
+  try:
+    for _ in 0 ..< challengeLen:
+      challenge.add(rng.sampleChar(ChallengeCharset))
+  except ValueError as exc:
+    raise newException(PeerIDAuthError, "Failed to generate challenge", exc)
+  PeerIDAuthChallenge(challenge)
+
+proc extractField(data, key: string): string {.raises: [PeerIDAuthError].} =
+  # Helper to extract quoted value from key
+  for segment in data.split(","):
+    if key in segment:
+      return segment.split("=", 1)[1].strip(chars = {' ', '"'})
+  raise newException(PeerIDAuthError, "Failed to find " & key & " in " & data)
+
+proc genDataToSign(
+    parts: seq[SigParam], prefix: string = PeerIDAuthPrefix
+): seq[byte] {.raises: [PeerIDAuthError].} =
+  var buf: seq[byte] = prefix.toBytes()
+  for p in parts:
+    let varintLen = PB.encodeVarint(hint(p.k.len + p.v.len + 1)).valueOr:
+      raise newException(PeerIDAuthError, "could not encode fields length to varint")
+    buf.add varintLen
+    buf.add (p.k & "=").toBytes()
+    buf.add p.v
+  return buf
+
+proc getSigParams(
+    clientSender: bool, hostname: string, challenge: string, publicKey: PublicKey
+): seq[SigParam] =
+  if clientSender:
+    @[
+      SigParam(k: "challenge-client", v: challenge.toBytes()),
+      SigParam(k: "hostname", v: hostname.toBytes()),
+      SigParam(k: "server-public-key", v: publicKey.getBytes().get()),
+    ]
+  else:
+    @[
+      SigParam(k: "challenge-server", v: challenge.toBytes()),
+      SigParam(k: "client-public-key", v: publicKey.getBytes().get()),
+      SigParam(k: "hostname", v: hostname.toBytes()),
+    ]
+
+proc sign(
+    privateKey: PrivateKey,
+    challenge: PeerIDAuthChallenge,
+    publicKey: PublicKey,
+    hostname: string,
+    clientSender: bool = true,
+): PeerIDAuthSignature {.raises: [PeerIDAuthError].} =
+  let bytesToSign =
+    getSigParams(clientSender, hostname, challenge, publicKey).genDataToSign()
+  PeerIDAuthSignature(
+    base64.encode(privateKey.sign(bytesToSign).get().getBytes(), safe = true)
+  )
+
+proc checkSignature*(
+    serverSig: PeerIDAuthSignature,
+    serverPublicKey: PublicKey,
+    challengeServer: PeerIDAuthChallenge,
+    clientPublicKey: PublicKey,
+    hostname: string,
+): bool {.raises: [PeerIDAuthError].} =
+  let bytesToSign =
+    getSigParams(false, hostname, challengeServer, clientPublicKey).genDataToSign()
+  var serverSignature: Signature
+  try:
+    if not serverSignature.init(base64.decode(serverSig).toBytes()):
+      raise newException(
+        PeerIDAuthError, "Failed to initialize Signature from base64 encoded sig"
+      )
+  except ValueError as exc:
+    raise newException(PeerIDAuthError, "Failed to decode server's signature", exc)
+
+  serverSignature.verify(
+    bytesToSign.toOpenArray(0, bytesToSign.len - 1), serverPublicKey
+  )
+
+method post*(
+    self: PeerIDAuthClient, uri: Uri, payload: string, authHeader: string
+): Future[PeerIDAuthResponse] {.async: (raises: [HttpError, CancelledError]), base.} =
+  let rawResponse = await HttpClientRequestRef
+  .post(
+    self.session,
+    $uri,
+    body = payload,
+    headers = [
+      ("Content-Type", "application/json"),
+      ("User-Agent", NimLibp2pUserAgent),
+      ("Authorization", authHeader),
+    ],
+  )
+  .get()
+  .send()
+
+  PeerIDAuthResponse(
+    status: rawResponse.status,
+    headers: rawResponse.headers,
+    body: await rawResponse.getBodyBytes(),
+  )
+
+method get*(
+    self: PeerIDAuthClient, uri: Uri
+): Future[PeerIDAuthResponse] {.
+    async: (raises: [PeerIDAuthError, HttpError, CancelledError]), base
+.} =
+  if self.session.isNil():
+    raise newException(PeerIDAuthError, "Session is nil")
+  let req = HttpClientRequestRef.get(self.session, $uri).valueOr:
+    raise newException(PeerIDAuthError, "Could not get request obj")
+  let rawResponse = await req.send()
+  PeerIDAuthResponse(
+    status: rawResponse.status,
+    headers: rawResponse.headers,
+    body: await rawResponse.getBodyBytes(),
+  )
+
+proc requestAuthentication*(
+    self: PeerIDAuthClient, uri: Uri
+): Future[PeerIDAuthAuthenticationResponse] {.
+    async: (raises: [PeerIDAuthError, CancelledError])
+.} =
+  let response =
+    try:
+      await self.get(uri)
+    except HttpError as exc:
+      raise newException(PeerIDAuthError, "Failed to start PeerID Auth", exc)
+
+  let wwwAuthenticate = response.headers.getString("WWW-Authenticate")
+  if wwwAuthenticate == "":
+    raise newException(PeerIDAuthError, "WWW-authenticate not present in response")
+
+  let serverPubkey: PublicKey =
+    try:
+      PublicKey.init(decode(extractField(wwwAuthenticate, "public-key")).toBytes()).valueOr:
+        raise newException(PeerIDAuthError, "Failed to initialize server public-key")
+    except ValueError as exc:
+      raise newException(PeerIDAuthError, "Failed to decode server public-key", exc)
+
+  PeerIDAuthAuthenticationResponse(
+    challengeClient: extractField(wwwAuthenticate, "challenge-client"),
+    opaque: extractField(wwwAuthenticate, "opaque"),
+    serverPubkey: serverPubkey,
+  )
+
+proc pubkeyBytes*(pubkey: PublicKey): seq[byte] {.raises: [PeerIDAuthError].} =
+  try:
+    pubkey.getBytes().valueOr:
+      raise
+        newException(PeerIDAuthError, "Failed to get bytes from PeerInfo's publicKey")
+  except ValueError as exc:
+    raise newException(
+      PeerIDAuthError, "Failed to get bytes from PeerInfo's publicKey", exc
+    )
+
+proc parse3339DateTime(
+    timeStr: string
+): DateTime {.raises: [ValueError, TimeParseError].} =
+  let parts = timeStr.split('.')
+  let base = parse(parts[0], "yyyy-MM-dd'T'HH:mm:ss")
+  let millis = parseInt(parts[1].strip(chars = {'Z'}))
+  result = base + initDuration(milliseconds = millis)
+
+proc requestAuthorization*(
+    self: PeerIDAuthClient,
+    peerInfo: PeerInfo,
+    uri: Uri,
+    challengeClient: PeerIDAuthChallenge,
+    challengeServer: PeerIDAuthChallenge,
+    serverPubkey: PublicKey,
+    opaque: PeerIDAuthOpaque,
+    payload: auto,
+): Future[PeerIDAuthAuthorizationResponse] {.
+    async: (raises: [PeerIDAuthError, CancelledError])
+.} =
+  let clientPubkeyB64 = peerInfo.publicKey.pubkeyBytes().encode(safe = true)
+  let sig = peerInfo.privateKey.sign(challengeClient, serverPubkey, uri.hostname)
+  let authHeader =
+    PeerIDAuthPrefix & " public-key=\"" & clientPubkeyB64 & "\"" & ", opaque=\"" & opaque &
+    "\"" & ", challenge-server=\"" & challengeServer & "\"" & ", sig=\"" & sig & "\""
+  let response =
+    try:
+      await self.post(uri, $payload, authHeader)
+    except HttpError as exc:
+      raise newException(
+        PeerIDAuthError, "Failed to send Authorization for PeerID Auth", exc
+      )
+
+  let authenticationInfo = response.headers.getString("authentication-info")
+
+  let bearerExpires =
+    try:
+      Opt.some(parse3339DateTime(extractField(authenticationInfo, "expires")))
+    except ValueError, PeerIDAuthError, TimeParseError:
+      Opt.none(DateTime)
+
+  PeerIDAuthAuthorizationResponse(
+    sig: PeerIDAuthSignature(extractField(authenticationInfo, "sig")),
+    bearer: BearerToken(
+      token: extractField(authenticationInfo, "bearer"), expires: bearerExpires
+    ),
+    response: response,
+  )
+
+proc sendWithoutBearer(
+    self: PeerIDAuthClient, uri: Uri, peerInfo: PeerInfo, payload: auto
+): Future[(BearerToken, PeerIDAuthResponse)] {.
+    async: (raises: [PeerIDAuthError, CancelledError])
+.} =
+  # Authenticate in three ways as per the PeerID Auth spec
+  # https://github.com/libp2p/specs/blob/master/http/peer-id-auth.md
+
+  let authenticationResponse = await self.requestAuthentication(uri)
+
+  let challengeServer = self.rng.randomChallenge()
+  let authorizationResponse = await self.requestAuthorization(
+    peerInfo, uri, authenticationResponse.challengeClient, challengeServer,
+    authenticationResponse.serverPubkey, authenticationResponse.opaque, payload,
+  )
+
+  if not checkSignature(
+    authorizationResponse.sig, authenticationResponse.serverPubkey, challengeServer,
+    peerInfo.publicKey, uri.hostname,
+  ):
+    raise newException(PeerIDAuthError, "Failed to validate server's signature")
+
+  return (authorizationResponse.bearer, authorizationResponse.response)
+
+proc sendWithBearer(
+    self: PeerIDAuthClient,
+    uri: Uri,
+    peerInfo: PeerInfo,
+    payload: auto,
+    bearer: BearerToken,
+): Future[(BearerToken, PeerIDAuthResponse)] {.
+    async: (raises: [PeerIDAuthError, CancelledError])
+.} =
+  if bearer.expires.isSome() and DateTime(bearer.expires.get) <= now():
+    raise newException(PeerIDAuthError, "Bearer expired")
+  let authHeader = PeerIDAuthPrefix & " bearer=\"" & bearer.token & "\""
+  let response =
+    try:
+      await self.post(uri, $payload, authHeader)
+    except HttpError as exc:
+      raise newException(
+        PeerIDAuthError, "Failed to send request with bearer token for PeerID Auth", exc
+      )
+  return (bearer, response)
+
+proc send*(
+    self: PeerIDAuthClient,
+    uri: Uri,
+    peerInfo: PeerInfo,
+    payload: auto,
+    bearer: Opt[BearerToken] = Opt.none(BearerToken),
+): Future[(BearerToken, PeerIDAuthResponse)] {.
+    async: (raises: [PeerIDAuthError, CancelledError])
+.} =
+  if bearer.isSome():
+    await self.sendWithBearer(uri, peerInfo, payload, bearer.get)
+  else:
+    await self.sendWithoutBearer(uri, peerInfo, payload)
+
+proc close*(
+    self: PeerIDAuthClient
+): Future[void] {.async: (raises: [CancelledError]).} =
+  await self.session.closeWait()

libp2p/peeridauth/mockclient.nim

@@ -0,0 +1,40 @@
+# Nim-Libp2p
+# Copyright (c) 2025 Status Research & Development GmbH
+# Licensed under either of
+#  * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE))
+#  * MIT license ([LICENSE-MIT](LICENSE-MIT))
+# at your option.
+# This file may not be copied, modified, or distributed except according to
+# those terms.
+
+{.push raises: [].}
+
+import uri
+import chronos, chronos/apps/http/httpclient
+import ../crypto/crypto, ./client
+
+export client
+
+type MockPeerIDAuthClient* = ref object of PeerIDAuthClient
+  mockedStatus*: int
+  mockedHeaders*: HttpTable
+  mockedBody*: seq[byte]
+
+proc new*(
+    T: typedesc[MockPeerIDAuthClient], rng: ref HmacDrbgContext
+): MockPeerIDAuthClient {.raises: [PeerIDAuthError].} =
+  MockPeerIDAuthClient(session: HttpSessionRef.new(), rng: rng)
+
+method post*(
+    self: MockPeerIDAuthClient, uri: Uri, payload: string, authHeader: string
+): Future[PeerIDAuthResponse] {.async: (raises: [HttpError, CancelledError]).} =
+  PeerIDAuthResponse(
+    status: self.mockedStatus, headers: self.mockedHeaders, body: self.mockedBody
+  )
+
+method get*(
+    self: MockPeerIDAuthClient, uri: Uri
+): Future[PeerIDAuthResponse] {.async: (raises: [HttpError, CancelledError]).} =
+  PeerIDAuthResponse(
+    status: self.mockedStatus, headers: self.mockedHeaders, body: self.mockedBody
+  )

libp2p/peerinfo.nim

@@ -52,12 +52,16 @@ func shortLog*(p: PeerInfo): auto =
 chronicles.formatIt(PeerInfo):
   shortLog(it)
 
+proc expandAddrs*(
+    p: PeerInfo
+): Future[seq[MultiAddress]] {.async: (raises: [CancelledError]).} =
+  var addrs = p.listenAddrs
+  for mapper in p.addressMappers:
+    addrs = await mapper(addrs)
+  addrs
+
 proc update*(p: PeerInfo) {.async: (raises: [CancelledError]).} =
-  # p.addrs.len == 0 overrides addrs only if it is the first time update is being executed or if the field is empty.
-  # p.addressMappers.len == 0 is for when all addressMappers have been removed,
-  # and we wish to have addrs in its initial state, i.e., a copy of listenAddrs.
-  if p.addrs.len == 0 or p.addressMappers.len == 0:
-    p.addrs = p.listenAddrs
+  p.addrs = p.listenAddrs
   for mapper in p.addressMappers:
     p.addrs = await mapper(p.addrs)
 
@@ -101,8 +105,10 @@ proc new*(
   let pubkey =
     try:
       key.getPublicKey().tryGet()
-    except CatchableError:
-      raise newException(PeerInfoError, "invalid private key")
+    except CatchableError as e:
+      raise newException(
+        PeerInfoError, "invalid private key creating PeerInfo: " & e.msg, e
+      )
 
   let peerId = PeerId.init(key).tryGet()
 

libp2p/protobuf/minprotobuf.nim

@@ -12,6 +12,7 @@
 {.push raises: [].}
 
 import ../varint, ../utility, stew/endians2, results
+import ../utils/sequninit
 export results, utility
 
 {.push public.}
@@ -142,18 +143,17 @@ proc initProtoBuffer*(
   result.options = options
 
 proc initProtoBuffer*(options: set[ProtoFlags] = {}): ProtoBuffer =
-  ## Initialize ProtoBuffer with new sequence of capacity ``cap``.
-  result.buffer = newSeq[byte]()
+  ## Initialize ProtoBuffer with new sequence of capacity ``cap``
   result.options = options
   if WithVarintLength in options:
     # Our buffer will start from position 10, so we can store length of buffer
     # in [0, 9].
-    result.buffer.setLen(10)
+    result.buffer = newSeqUninit[byte](10)
     result.offset = 10
   elif {WithUint32LeLength, WithUint32BeLength} * options != {}:
     # Our buffer will start from position 4, so we can store length of buffer
     # in [0, 3].
-    result.buffer.setLen(4)
+    result.buffer = newSeqUninit[byte](4)
     result.offset = 4
 
 proc write*[T: ProtoScalar](pb: var ProtoBuffer, field: int, value: T) =

libp2p/protocols/connectivity/autonat/client.nim

@@ -9,7 +9,7 @@
 
 {.push raises: [].}
 
-import stew/results
+import results
 import chronos, chronicles
 import ../../../switch, ../../../multiaddress, ../../../peerid
 import core
@@ -87,7 +87,7 @@ method dialMe*(
   except CancelledError as e:
     raise e
   except CatchableError as e:
-    raise newException(AutonatError, "read Dial response failed", e)
+    raise newException(AutonatError, "read Dial response failed: " & e.msg, e)
 
   let response = getResponseOrRaise(AutonatMsg.decode(respBytes))
 

libp2p/protocols/connectivity/autonat/server.nim

@@ -105,7 +105,7 @@ proc tryDial(
     autonat.sem.release()
     for f in futs:
       if not f.finished():
-        f.cancel()
+        f.cancelSoon()
 
 proc handleDial(autonat: Autonat, conn: Connection, msg: AutonatMsg): Future[void] =
   let dial = msg.dial.valueOr:

libp2p/protocols/connectivity/dcutr/client.nim

@@ -11,7 +11,7 @@
 
 import std/sequtils
 
-import stew/results
+import results
 import chronos, chronicles
 
 import core
@@ -107,7 +107,9 @@ proc startSync*(
       description = err.msg
     raise newException(
       DcutrError,
-      "Unexpected error when Dcutr initiator tried to connect to the remote peer", err,
+      "Unexpected error when Dcutr initiator tried to connect to the remote peer: " &
+        err.msg,
+      err,
     )
   finally:
     if stream != nil:

libp2p/protocols/connectivity/dcutr/server.nim

@@ -10,8 +10,8 @@
 {.push raises: [].}
 
 import std/[sets, sequtils]
-import stew/[results, objects]
-import chronos, chronicles
+import stew/objects
+import results, chronos, chronicles
 
 import core
 import

libp2p/protocols/connectivity/relay/client.nim

@@ -148,7 +148,7 @@ proc dialPeerV1*(
     raise exc
   except LPStreamError as exc:
     trace "error writing hop request", description = exc.msg
-    raise newException(RelayV1DialError, "error writing hop request", exc)
+    raise newException(RelayV1DialError, "error writing hop request: " & exc.msg, exc)
 
   let msgRcvFromRelayOpt =
     try:
@@ -158,7 +158,8 @@ proc dialPeerV1*(
     except LPStreamError as exc:
       trace "error reading stop response", description = exc.msg
       await sendStatus(conn, StatusV1.HopCantOpenDstStream)
-      raise newException(RelayV1DialError, "error reading stop response", exc)
+      raise
+        newException(RelayV1DialError, "error reading stop response: " & exc.msg, exc)
 
   try:
     let msgRcvFromRelay = msgRcvFromRelayOpt.valueOr:
@@ -173,10 +174,16 @@ proc dialPeerV1*(
       )
   except RelayV1DialError as exc:
     await sendStatus(conn, StatusV1.HopCantOpenDstStream)
-    raise exc
+    raise newException(
+      RelayV1DialError,
+      "Hop can't open destination stream after sendStatus: " & exc.msg,
+      exc,
+    )
   except ValueError as exc:
     await sendStatus(conn, StatusV1.HopCantOpenDstStream)
-    raise newException(RelayV1DialError, exc.msg)
+    raise newException(
+      RelayV1DialError, "Exception reading msg in dialPeerV1: " & exc.msg, exc
+    )
   result = conn
 
 proc dialPeerV2*(
@@ -199,7 +206,8 @@ proc dialPeerV2*(
       raise exc
     except CatchableError as exc:
       trace "error reading stop response", description = exc.msg
-      raise newException(RelayV2DialError, exc.msg)
+      raise
+        newException(RelayV2DialError, "Exception decoding HopMessage: " & exc.msg, exc)
 
   if msgRcvFromRelay.msgType != HopMessageType.Status:
     raise newException(RelayV2DialError, "Unexpected stop response")

libp2p/protocols/connectivity/relay/relay.nim

@@ -422,6 +422,6 @@ method stop*(r: Relay): Future[void] {.async: (raises: [], raw: true).} =
     warn "Stopping relay without starting it"
     return fut
   r.started = false
-  r.reservationLoop.cancel()
+  r.reservationLoop.cancelSoon()
   r.reservationLoop = nil
   fut

libp2p/protocols/connectivity/relay/rtransport.nim

@@ -31,7 +31,7 @@ type RelayTransport* = ref object of Transport
 
 method start*(
     self: RelayTransport, ma: seq[MultiAddress]
-) {.async: (raises: [LPError, transport.TransportError]).} =
+) {.async: (raises: [LPError, transport.TransportError, CancelledError]).} =
   if self.selfRunning:
     trace "Relay transport already running"
     return
@@ -76,7 +76,7 @@ proc dial*(
     if not dstPeerId.init(($(sma[^1].tryGet())).split('/')[2]):
       raise newException(RelayDialError, "Destination doesn't exist")
   except RelayDialError as e:
-    raise e
+    raise newException(RelayDialError, "dial address not valid: " & e.msg, e)
   except CatchableError:
     raise newException(RelayDialError, "dial address not valid")
 
@@ -100,13 +100,13 @@ proc dial*(
     raise e
   except DialFailedError as e:
     safeClose(rc)
-    raise newException(RelayDialError, "dial relay peer failed", e)
+    raise newException(RelayDialError, "dial relay peer failed: " & e.msg, e)
   except RelayV1DialError as e:
     safeClose(rc)
-    raise e
+    raise newException(RelayV1DialError, "dial relay v1 failed: " & e.msg, e)
   except RelayV2DialError as e:
     safeClose(rc)
-    raise e
+    raise newException(RelayV2DialError, "dial relay v2 failed: " & e.msg, e)
 
 method dial*(
     self: RelayTransport,
@@ -121,7 +121,8 @@ method dial*(
     except CancelledError as e:
       raise e
     except CatchableError as e:
-      raise newException(transport.TransportDialError, e.msg, e)
+      raise
+        newException(transport.TransportDialError, "Caught error in dial: " & e.msg, e)
 
 method handles*(self: RelayTransport, ma: MultiAddress): bool {.gcsafe.} =
   try:

libp2p/protocols/connectivity/relay/utils.nim

@@ -69,8 +69,8 @@ proc bridge*(
     while not connSrc.closed() and not connDst.closed():
       try: # https://github.com/status-im/nim-chronos/issues/516
         discard await race(futSrc, futDst)
-      except ValueError:
-        raiseAssert("Futures list is not empty")
+      except ValueError as e:
+        raiseAssert("Futures list is not empty: " & e.msg)
       if futSrc.finished():
         bufRead = await futSrc
         if bufRead > 0:

libp2p/protocols/kademlia.nim

@@ -0,0 +1,3 @@
+import ./kademlia/kademlia
+
+export kademlia

libp2p/protocols/kademlia/consts.nim

@@ -0,0 +1,10 @@
+import chronos
+
+const
+  IdLength* = 32 # 256-bit IDs
+  DefaultReplic* = 20 ## replication parameter, aka `k` in the spec
+  alpha* = 10 # concurrency parameter
+  ttl* = 24.hours
+  maxBuckets* = 256
+
+const KadCodec* = "/ipfs/kad/1.0.0"

libp2p/protocols/kademlia/kademlia.nim

@@ -0,0 +1,224 @@
+import chronos
+import chronicles
+import sequtils
+import ../../peerid
+import ./consts
+import ./xordistance
+import ./routingtable
+import ./lookupstate
+import ./requests
+import ./keys
+import ../protocol
+import ../../switch
+import ./protobuf
+import ../../utils/heartbeat
+import std/[options, tables]
+import results
+
+logScope:
+  topics = "kad-dht"
+
+type KadDHT* = ref object of LPProtocol
+  switch: Switch
+  rng: ref HmacDrbgContext
+  rtable*: RoutingTable
+  maintenanceLoop: Future[void]
+
+const MaxMsgSize = 4096
+
+proc sendFindNode(
+    kad: KadDHT, peerId: PeerId, addrs: seq[MultiAddress], targetId: Key
+): Future[Message] {.
+    async: (raises: [CancelledError, DialFailedError, ValueError, LPStreamError])
+.} =
+  let conn =
+    if addrs.len == 0:
+      await kad.switch.dial(peerId, KadCodec)
+    else:
+      await kad.switch.dial(peerId, addrs, KadCodec)
+
+  defer:
+    await conn.close()
+
+  let msg = Message(msgType: MessageType.findNode, key: some(targetId.getBytes()))
+
+  await conn.writeLp(msg.encode().buffer)
+
+  let reply = Message.decode(await conn.readLp(MaxMsgSize)).tryGet()
+
+  if reply.msgType != MessageType.findNode:
+    raise newException(ValueError, "unexpected message type in reply: " & $reply)
+
+  return reply
+
+proc waitRepliesOrTimeouts(
+    pendingFutures: Table[PeerId, Future[Message]]
+): Future[(seq[Message], seq[PeerId])] {.async: (raises: [CancelledError]).} =
+  await allFutures(toSeq(pendingFutures.values))
+
+  var receivedReplies: seq[Message] = @[]
+  var failedPeers: seq[PeerId] = @[]
+
+  for (peerId, replyFut) in pendingFutures.pairs:
+    try:
+      receivedReplies.add(await replyFut)
+    except CatchableError:
+      failedPeers.add(peerId)
+      error "could not send find_node to peer", peerId, err = getCurrentExceptionMsg()
+
+  return (receivedReplies, failedPeers)
+
+proc findNode*(
+    kad: KadDHT, targetId: Key
+): Future[seq[PeerId]] {.async: (raises: [CancelledError]).} =
+  #debug "findNode", target = target
+  # TODO: should it return a single peer instead? read spec
+
+  var initialPeers = kad.rtable.findClosestPeers(targetId, DefaultReplic)
+  var state = LookupState.init(targetId, initialPeers)
+  var addrTable: Table[PeerId, seq[MultiAddress]] =
+    initTable[PeerId, seq[MultiAddress]]()
+
+  while not state.done:
+    let toQuery = state.selectAlphaPeers()
+    var pendingFutures = initTable[PeerId, Future[Message]]()
+
+    for peer in toQuery:
+      if pendingFutures.hasKey(peer):
+        continue
+
+      state.markPending(peer)
+
+      pendingFutures[peer] = kad
+        .sendFindNode(peer, addrTable.getOrDefault(peer, @[]), targetId)
+        .wait(5.seconds)
+
+      state.activeQueries.inc
+
+    let (successfulReplies, timedOutPeers) = await waitRepliesOrTimeouts(pendingFutures)
+
+    for msg in successfulReplies:
+      for peer in msg.closerPeers:
+        addrTable[PeerId.init(peer.id).get()] = peer.addrs
+      state.updateShortlist(
+        msg,
+        proc(p: PeerInfo) =
+          discard kad.rtable.insert(p.peerId)
+          kad.switch.peerStore[AddressBook][p.peerId] = p.addrs
+          # TODO: add TTL to peerstore, otherwise we can spam it with junk
+        ,
+      )
+
+    for timedOut in timedOutPeers:
+      state.markFailed(timedOut)
+
+    state.done = state.checkConvergence()
+
+  return state.selectClosestK()
+
+proc bootstrap*(
+    kad: KadDHT, bootstrapNodes: seq[PeerInfo]
+) {.async: (raises: [CancelledError]).} =
+  for b in bootstrapNodes:
+    try:
+      await kad.switch.connect(b.peerId, b.addrs)
+      debug "connected to bootstrap peer", peerId = b.peerId
+    except CatchableError as e:
+      error "failed to connect to bootstrap peer", peerId = b.peerId, error = e.msg
+
+    try:
+      let msg =
+        await kad.sendFindNode(b.peerId, b.addrs, kad.rtable.selfId).wait(5.seconds)
+      for peer in msg.closerPeers:
+        let p = PeerId.init(peer.id).tryGet()
+        discard kad.rtable.insert(p)
+        kad.switch.peerStore[AddressBook][p] = peer.addrs
+
+      # bootstrap node replied succesfully. Adding to routing table
+      discard kad.rtable.insert(b.peerId)
+    except CatchableError as e:
+      error "bootstrap failed for peer", peerId = b.peerId, exc = e.msg
+
+  try:
+    # Adding some random node to prepopulate the table
+    discard await kad.findNode(PeerId.random(kad.rng).tryGet().toKey())
+    info "bootstrap lookup complete"
+  except CatchableError as e:
+    error "bootstrap lookup failed", error = e.msg
+
+proc refreshBuckets(kad: KadDHT) {.async: (raises: [CancelledError]).} =
+  for i in 0 ..< kad.rtable.buckets.len:
+    if kad.rtable.buckets[i].isStale():
+      let randomKey = randomKeyInBucketRange(kad.rtable.selfId, i, kad.rng)
+      discard await kad.findNode(randomKey)
+
+proc maintainBuckets(kad: KadDHT) {.async: (raises: [CancelledError]).} =
+  heartbeat "refresh buckets", 10.minutes:
+    await kad.refreshBuckets()
+
+proc new*(
+    T: typedesc[KadDHT], switch: Switch, rng: ref HmacDrbgContext = newRng()
+): T {.raises: [].} =
+  var rtable = RoutingTable.init(switch.peerInfo.peerId.toKey())
+  let kad = T(rng: rng, switch: switch, rtable: rtable)
+
+  kad.codec = KadCodec
+  kad.handler = proc(
+      conn: Connection, proto: string
+  ) {.async: (raises: [CancelledError]).} =
+    try:
+      while not conn.atEof:
+        let
+          buf = await conn.readLp(MaxMsgSize)
+          msg = Message.decode(buf).tryGet()
+
+        case msg.msgType
+        of MessageType.findNode:
+          let targetIdBytes = msg.key.get()
+          let targetId = PeerId.init(targetIdBytes).tryGet()
+          let closerPeers = kad.rtable.findClosest(targetId.toKey(), DefaultReplic)
+          let responsePb = encodeFindNodeReply(closerPeers, switch)
+          await conn.writeLp(responsePb.buffer)
+
+          # Peer is useful. adding to rtable
+          discard kad.rtable.insert(conn.peerId)
+        else:
+          raise newException(LPError, "unhandled kad-dht message type")
+    except CancelledError as exc:
+      raise exc
+    except CatchableError:
+      discard
+      # TODO: figure out why this fails:
+      # error "could not handle request",
+      #   peerId = conn.PeerId, err = getCurrentExceptionMsg()
+    finally:
+      await conn.close()
+
+  return kad
+
+method start*(
+    kad: KadDHT
+): Future[void] {.async: (raises: [CancelledError], raw: true).} =
+  let fut = newFuture[void]()
+  fut.complete()
+  if kad.started:
+    warn "Starting kad-dht twice"
+    return fut
+
+  kad.maintenanceLoop = kad.maintainBuckets()
+  kad.started = true
+
+  info "kad-dht started"
+
+  fut
+
+method stop*(kad: KadDHT): Future[void] {.async: (raises: [], raw: true).} =
+  let fut = newFuture[void]()
+  fut.complete()
+  if not kad.started:
+    return fut
+
+  kad.started = false
+  kad.maintenanceLoop.cancelSoon()
+  kad.maintenanceLoop = nil
+  return fut

libp2p/protocols/kademlia/keys.nim

@@ -0,0 +1,53 @@
+import ../../peerid
+import ./consts
+import chronicles
+import stew/byteutils
+
+type
+  KeyType* {.pure.} = enum
+    Unhashed
+    Raw
+    PeerId
+
+  Key* = object
+    case kind*: KeyType
+    of KeyType.PeerId:
+      peerId*: PeerId
+    of KeyType.Raw, KeyType.Unhashed:
+      data*: array[IdLength, byte]
+
+proc toKey*(s: seq[byte]): Key =
+  doAssert s.len == IdLength
+  var data: array[IdLength, byte]
+  for i in 0 ..< IdLength:
+    data[i] = s[i]
+  return Key(kind: KeyType.Raw, data: data)
+
+proc toKey*(p: PeerId): Key =
+  return Key(kind: KeyType.PeerId, peerId: p)
+
+proc toPeerId*(k: Key): PeerId {.raises: [ValueError].} =
+  if k.kind != KeyType.PeerId:
+    raise newException(ValueError, "not a peerId")
+  k.peerId
+
+proc getBytes*(k: Key): seq[byte] =
+  return
+    case k.kind
+    of KeyType.PeerId:
+      k.peerId.getBytes()
+    of KeyType.Raw, KeyType.Unhashed:
+      @(k.data)
+
+template `==`*(a, b: Key): bool =
+  a.getBytes() == b.getBytes() and a.kind == b.kind
+
+proc shortLog*(k: Key): string =
+  case k.kind
+  of KeyType.PeerId:
+    "PeerId:" & $k.peerId
+  of KeyType.Raw, KeyType.Unhashed:
+    $k.kind & ":" & toHex(k.data)
+
+chronicles.formatIt(Key):
+  shortLog(it)

libp2p/protocols/kademlia/lookupstate.nim

@@ -0,0 +1,117 @@
+import sequtils
+import ./consts
+import ./protobuf
+import ./xordistance
+import ./keys
+import ../../[peerid, peerinfo]
+import algorithm
+import chronicles
+
+type
+  LookupNode* = object
+    peerId: PeerId
+    distance: XorDistance
+    queried: bool # have we already queried this node?
+    pending: bool # is there an active request rn?
+    failed: bool # did the query timeout or error?
+
+  LookupState* = object
+    targetId: Key
+    shortlist: seq[LookupNode] # current known closest node
+    activeQueries*: int # how many queries in flight
+    alpha: int # parallelism level
+    repliCount: int ## aka `k` in the spec: number of closest nodes to find
+    done*: bool # has lookup converged
+
+proc alreadyInShortlist(state: LookupState, peer: Peer): bool =
+  return state.shortlist.anyIt(it.peerId.getBytes() == peer.id)
+
+proc updateShortlist*(
+    state: var LookupState, msg: Message, onInsert: proc(p: PeerInfo) {.gcsafe.}
+) =
+  for newPeer in msg.closerPeers.filterIt(not alreadyInShortlist(state, it)):
+    let peerInfo = PeerInfo(peerId: PeerId.init(newPeer.id).get(), addrs: newPeer.addrs)
+    try:
+      onInsert(peerInfo)
+      state.shortlist.add(
+        LookupNode(
+          peerId: peerInfo.peerId,
+          distance: xorDistance(peerInfo.peerId, state.targetId),
+          queried: false,
+          pending: false,
+          failed: false,
+        )
+      )
+    except Exception as exc:
+      debug "could not update shortlist", err = exc.msg
+
+  state.shortlist.sort(
+    proc(a, b: LookupNode): int =
+      cmp(a.distance, b.distance)
+  )
+
+  state.activeQueries.dec
+
+proc markFailed*(state: var LookupState, peerId: PeerId) =
+  for p in mitems(state.shortlist):
+    if p.peerId == peerId:
+      p.failed = true
+      p.pending = false
+      p.queried = true
+      state.activeQueries.dec
+      break
+
+proc markPending*(state: var LookupState, peerId: PeerId) =
+  for p in mitems(state.shortlist):
+    if p.peerId == peerId:
+      p.pending = true
+      p.queried = true
+      break
+
+proc selectAlphaPeers*(state: LookupState): seq[PeerId] =
+  var selected: seq[PeerId] = @[]
+  for p in state.shortlist:
+    if not p.queried and not p.failed and not p.pending:
+      selected.add(p.peerId)
+      if selected.len >= state.alpha:
+        break
+  return selected
+
+proc init*(T: type LookupState, targetId: Key, initialPeers: seq[PeerId]): T =
+  var res = LookupState(
+    targetId: targetId,
+    shortlist: @[],
+    activeQueries: 0,
+    alpha: alpha,
+    repliCount: DefaultReplic,
+    done: false,
+  )
+  for p in initialPeers:
+    res.shortlist.add(
+      LookupNode(
+        peerId: p,
+        distance: xorDistance(p, targetId),
+        queried: false,
+        pending: false,
+        failed: false,
+      )
+    )
+
+  res.shortlist.sort(
+    proc(a, b: LookupNode): int =
+      cmp(a.distance, b.distance)
+  )
+  return res
+
+proc checkConvergence*(state: LookupState): bool =
+  let ready = state.activeQueries == 0
+  let noNew = selectAlphaPeers(state).len == 0
+  return ready and noNew
+
+proc selectClosestK*(state: LookupState): seq[PeerId] =
+  var res: seq[PeerId] = @[]
+  for p in state.shortlist.filterIt(not it.failed):
+    res.add(p.peerId)
+    if res.len >= state.repliCount:
+      break
+  return res

libp2p/protocols/kademlia/protobuf.nim

@@ -0,0 +1,163 @@
+import ../../protobuf/minprotobuf
+import ../../varint
+import ../../utility
+import results
+import ../../multiaddress
+import stew/objects
+import stew/assign2
+import options
+
+type
+  Record* {.public.} = object
+    key*: Option[seq[byte]]
+    value*: Option[seq[byte]]
+    timeReceived*: Option[string]
+
+  MessageType* = enum
+    putValue = 0
+    getValue = 1
+    addProvider = 2
+    getProviders = 3
+    findNode = 4
+    ping = 5 # Deprecated
+
+  ConnectionType* = enum
+    notConnected = 0
+    connected = 1
+    canConnect = 2 # Unused
+    cannotConnect = 3 # Unused
+
+  Peer* {.public.} = object
+    id*: seq[byte]
+    addrs*: seq[MultiAddress]
+    connection*: ConnectionType
+
+  Message* {.public.} = object
+    msgType*: MessageType
+    key*: Option[seq[byte]]
+    record*: Option[Record]
+    closerPeers*: seq[Peer]
+    providerPeers*: seq[Peer]
+
+proc write*(pb: var ProtoBuffer, field: int, value: Record) {.raises: [], gcsafe.}
+
+proc writeOpt*[T](
+  pb: var ProtoBuffer, field: int, opt: Option[T]
+) {.raises: [], gcsafe.}
+
+proc encode*(record: Record): ProtoBuffer {.raises: [].} =
+  var pb = initProtoBuffer()
+  pb.writeOpt(1, record.key)
+  pb.writeOpt(2, record.value)
+  pb.writeOpt(5, record.timeReceived)
+  pb.finish()
+  return pb
+
+proc encode*(peer: Peer): ProtoBuffer {.raises: [].} =
+  var pb = initProtoBuffer()
+  pb.write(1, peer.id)
+  for address in peer.addrs:
+    pb.write(2, address.data.buffer)
+  pb.write(3, uint32(ord(peer.connection)))
+  pb.finish()
+  return pb
+
+proc encode*(msg: Message): ProtoBuffer {.raises: [], gcsafe.} =
+  var pb = initProtoBuffer()
+
+  pb.write(1, uint32(ord(msg.msgType)))
+
+  pb.writeOpt(2, msg.key)
+
+  msg.record.withValue(record):
+    pb.writeOpt(3, msg.record)
+
+  for peer in msg.closerPeers:
+    pb.write(8, peer.encode())
+
+  for peer in msg.providerPeers:
+    pb.write(9, peer.encode())
+
+  pb.finish()
+
+  return pb
+
+proc writeOpt*[T](
+    pb: var ProtoBuffer, field: int, opt: Option[T]
+) {.raises: [], gcsafe.} =
+  opt.withValue(v):
+    pb.write(field, v)
+
+proc write*(pb: var ProtoBuffer, field: int, value: Record) {.raises: [], gcsafe.} =
+  pb.write(field, value.encode())
+
+proc getOptionField[T: ProtoScalar | string | seq[byte]](
+    pb: ProtoBuffer, field: int, output: var Option[T]
+): ProtoResult[void] =
+  var f: T
+  if ?pb.getField(field, f):
+    assign(output, some(f))
+  ok()
+
+proc decode*(T: type Record, pb: ProtoBuffer): ProtoResult[Option[T]] =
+  var r: Record
+  ?pb.getOptionField(1, r.key)
+  ?pb.getOptionField(2, r.value)
+  ?pb.getOptionField(5, r.timeReceived)
+  return ok(some(r))
+
+proc decode*(T: type Peer, pb: ProtoBuffer): ProtoResult[Option[T]] =
+  var
+    p: Peer
+    id: seq[byte]
+
+  ?pb.getRequiredField(1, p.id)
+
+  discard ?pb.getRepeatedField(2, p.addrs)
+
+  var connVal: uint32
+  if ?pb.getField(3, connVal):
+    var connType: ConnectionType
+    if not checkedEnumAssign(connType, connVal):
+      return err(ProtoError.BadWireType)
+    p.connection = connType
+
+  return ok(some(p))
+
+proc decode*(T: type Message, buf: seq[byte]): ProtoResult[T] =
+  var
+    m: Message
+    key: seq[byte]
+    recPb: seq[byte]
+    closerPbs: seq[seq[byte]]
+    providerPbs: seq[seq[byte]]
+
+  var pb = initProtoBuffer(buf)
+
+  var msgTypeVal: uint32
+  ?pb.getRequiredField(1, msgTypeVal)
+
+  var msgType: MessageType
+  if not checkedEnumAssign(msgType, msgTypeVal):
+    return err(ProtoError.BadWireType)
+
+  m.msgType = msgType
+
+  ?pb.getOptionField(2, m.key)
+
+  if ?pb.getField(3, recPb):
+    assign(m.record, ?Record.decode(initProtoBuffer(recPb)))
+
+  discard ?pb.getRepeatedField(8, closerPbs)
+  for ppb in closerPbs:
+    let peerOpt = ?Peer.decode(initProtoBuffer(ppb))
+    peerOpt.withValue(peer):
+      m.closerPeers.add(peer)
+
+  discard ?pb.getRepeatedField(9, providerPbs)
+  for ppb in providerPbs:
+    let peer = ?Peer.decode(initProtoBuffer(ppb))
+    peer.withValue(peer):
+      m.providerPeers.add(peer)
+
+  return ok(m)

libp2p/protocols/kademlia/requests.nim

@@ -0,0 +1,34 @@
+import ../../peerid
+import ../../switch
+import ../../peerstore
+import ./protobuf
+import ../../protobuf/minprotobuf
+import ./keys
+
+proc encodeFindNodeReply*(
+    closerPeers: seq[Key], switch: Switch
+): ProtoBuffer {.raises: [].} =
+  var msg: Message
+  msg.msgType = MessageType.findNode
+  for peer in closerPeers:
+    let peer =
+      try:
+        peer.toPeerId()
+      except ValueError:
+        continue
+    let addrs = switch.peerStore[AddressBook][peer]
+    if addrs.len == 0:
+      continue
+
+    let p = Peer(
+      id: peer.getBytes(),
+      addrs: addrs,
+      connection:
+        # TODO: this should likely be optional as it can reveal the network graph of a node
+        if switch.isConnected(peer):
+          ConnectionType.connected
+        else:
+          ConnectionType.notConnected,
+    )
+    msg.closerPeers.add(p)
+  return msg.encode()

libp2p/protocols/kademlia/routingtable.nim

@@ -0,0 +1,133 @@
+import algorithm
+import bearssl/rand
+import chronos
+import chronicles
+import ./consts
+import ./keys
+import ./xordistance
+import ../../peerid
+import sequtils
+import ../../utils/sequninit
+
+logScope:
+  topics = "kad-dht rtable"
+
+type
+  NodeEntry* = object
+    nodeId*: Key
+    lastSeen*: Moment
+
+  Bucket* = object
+    peers*: seq[NodeEntry]
+
+  RoutingTable* = ref object
+    selfId*: Key
+    buckets*: seq[Bucket]
+
+proc `$`*(rt: RoutingTable): string =
+  "selfId(" & $rt.selfId & ") buckets(" & $rt.buckets & ")"
+
+proc init*(T: typedesc[RoutingTable], selfId: Key): T =
+  return RoutingTable(selfId: selfId, buckets: @[])
+
+proc bucketIndex*(selfId, key: Key): int =
+  return xorDistance(selfId, key).leadingZeros
+
+proc peerIndexInBucket(bucket: var Bucket, nodeId: Key): Opt[int] =
+  for i, p in bucket.peers:
+    if p.nodeId == nodeId:
+      return Opt.some(i)
+  return Opt.none(int)
+
+proc insert*(rtable: var RoutingTable, nodeId: Key): bool =
+  if nodeId == rtable.selfId:
+    return false # No self insertion
+
+  let idx = bucketIndex(rtable.selfId, nodeId)
+  if idx >= maxBuckets:
+    trace "cannot insert node. max buckets have been reached",
+      nodeId, bucketIdx = idx, maxBuckets
+    return false
+
+  if idx >= rtable.buckets.len:
+    # expand buckets lazily if needed
+    rtable.buckets.setLen(idx + 1)
+
+  var bucket = rtable.buckets[idx]
+  let keyx = peerIndexInBucket(bucket, nodeId)
+  if keyx.isSome:
+    bucket.peers[keyx.unsafeValue].lastSeen = Moment.now()
+  elif bucket.peers.len < DefaultReplic:
+    bucket.peers.add(NodeEntry(nodeId: nodeId, lastSeen: Moment.now()))
+  else:
+    # TODO: eviction policy goes here, rn we drop the node
+    trace "cannot insert node in bucket, dropping node",
+      nodeId, bucket = DefaultReplic, bucketIdx = idx
+    return false
+
+  rtable.buckets[idx] = bucket
+  return true
+
+proc insert*(rtable: var RoutingTable, peerId: PeerId): bool =
+  insert(rtable, peerId.toKey())
+
+proc findClosest*(rtable: RoutingTable, targetId: Key, count: int): seq[Key] =
+  var allNodes: seq[Key] = @[]
+
+  for bucket in rtable.buckets:
+    for p in bucket.peers:
+      allNodes.add(p.nodeId)
+
+  allNodes.sort(
+    proc(a, b: Key): int =
+      cmp(xorDistance(a, targetId), xorDistance(b, targetId))
+  )
+
+  return allNodes[0 ..< min(count, allNodes.len)]
+
+proc findClosestPeers*(rtable: RoutingTable, targetId: Key, count: int): seq[PeerId] =
+  findClosest(rtable, targetId, count).mapIt(it.peerId)
+
+proc isStale*(bucket: Bucket): bool =
+  if bucket.peers.len == 0:
+    return true
+  for p in bucket.peers:
+    if Moment.now() - p.lastSeen > 30.minutes:
+      return true
+  return false
+
+proc randomKeyInBucketRange*(
+    selfId: Key, bucketIndex: int, rng: ref HmacDrbgContext
+): Key =
+  var raw = selfId.getBytes()
+
+  # zero out higher bits
+  for i in 0 ..< bucketIndex:
+    let byteIdx = i div 8
+    let bitInByte = 7 - (i mod 8)
+    raw[byteIdx] = raw[byteIdx] and not (1'u8 shl bitInByte)
+
+  # flip the target bit
+  let tgtByte = bucketIndex div 8
+  let tgtBitInByte = 7 - (bucketIndex mod 8)
+  raw[tgtByte] = raw[tgtByte] xor (1'u8 shl tgtBitInByte)
+
+  # randomize all less significant bits
+  let totalBits = raw.len * 8
+  let lsbStart = bucketIndex + 1
+  let lsbBytes = (totalBits - lsbStart + 7) div 8
+  var randomBuf = newSeqUninit[byte](lsbBytes)
+  hmacDrbgGenerate(rng[], randomBuf)
+
+  for i in lsbStart ..< totalBits:
+    let byteIdx = i div 8
+    let bitInByte = 7 - (i mod 8)
+    let lsbByte = (i - lsbStart) div 8
+    let lsbBit = 7 - ((i - lsbStart) mod 8)
+    let randBit = (randomBuf[lsbByte] shr lsbBit) and 1
+    if randBit == 1:
+      raw[byteIdx] = raw[byteIdx] or (1'u8 shl bitInByte)
+    else:
+      raw[byteIdx] = raw[byteIdx] and not (1'u8 shl bitInByte)
+
+  return raw.toKey()

libp2p/protocols/kademlia/xordistance.nim

@@ -0,0 +1,55 @@
+import ./consts
+import ./keys
+import nimcrypto/sha2
+import ../../peerid
+
+type XorDistance* = array[IdLength, byte]
+
+proc countLeadingZeroBits*(b: byte): int =
+  for i in 0 .. 7:
+    if (b and (0x80'u8 shr i)) != 0:
+      return i
+  return 8
+
+proc leadingZeros*(dist: XorDistance): int =
+  for i in 0 ..< dist.len:
+    if dist[i] != 0:
+      return i * 8 + countLeadingZeroBits(dist[i])
+  return dist.len * 8
+
+proc cmp*(a, b: XorDistance): int =
+  for i in 0 ..< IdLength:
+    if a[i] < b[i]:
+      return -1
+    elif a[i] > b[i]:
+      return 1
+  return 0
+
+proc `<`*(a, b: XorDistance): bool =
+  cmp(a, b) < 0
+
+proc `<=`*(a, b: XorDistance): bool =
+  cmp(a, b) <= 0
+
+proc hashFor(k: Key): seq[byte] =
+  return
+    @(
+      case k.kind
+      of KeyType.PeerId:
+        sha256.digest(k.peerId.getBytes()).data
+      of KeyType.Raw:
+        sha256.digest(k.data).data
+      of KeyType.Unhashed:
+        k.data
+    )
+
+proc xorDistance*(a, b: Key): XorDistance =
+  let hashA = a.hashFor()
+  let hashB = b.hashFor()
+  var response: XorDistance
+  for i in 0 ..< hashA.len:
+    response[i] = hashA[i] xor hashB[i]
+  return response
+
+proc xorDistance*(a: PeerId, b: Key): XorDistance =
+  xorDistance(a.toKey(), b)

libp2p/protocols/perf/client.nim

@@ -12,39 +12,85 @@
 import chronos, chronicles, sequtils
 import stew/endians2
 import ./core, ../../stream/connection
+when defined(libp2p_quic_support):
+  import ../../transports/quictransport
 
 logScope:
   topics = "libp2p perf"
 
-type PerfClient* = ref object of RootObj
+type Stats* = object
+  isFinal*: bool
+  uploadBytes*: uint
+  downloadBytes*: uint
+  duration*: Duration
+
+type PerfClient* = ref object
+  stats: Stats
+
+proc new*(T: typedesc[PerfClient]): T =
+  return T()
+
+proc currentStats*(p: PerfClient): Stats =
+  return p.stats
 
 proc perf*(
-    _: typedesc[PerfClient],
-    conn: Connection,
-    sizeToWrite: uint64 = 0,
-    sizeToRead: uint64 = 0,
+    p: PerfClient, conn: Connection, sizeToWrite: uint64 = 0, sizeToRead: uint64 = 0
 ): Future[Duration] {.public, async: (raises: [CancelledError, LPStreamError]).} =
-  var
-    size = sizeToWrite
-    buf: array[PerfSize, byte]
-  let start = Moment.now()
   trace "starting performance benchmark", conn, sizeToWrite, sizeToRead
 
-  await conn.write(toSeq(toBytesBE(sizeToRead)))
-  while size > 0:
-    let toWrite = min(size, PerfSize)
-    await conn.write(buf[0 ..< toWrite])
-    size -= toWrite
+  p.stats = Stats()
 
-  await conn.close()
+  try:
+    var
+      size = sizeToWrite
+      buf: array[PerfSize, byte]
 
-  size = sizeToRead
+    let start = Moment.now()
 
-  while size > 0:
-    let toRead = min(size, PerfSize)
-    await conn.readExactly(addr buf[0], toRead.int)
-    size = size - toRead
+    await conn.write(toSeq(toBytesBE(sizeToRead)))
+    while size > 0:
+      let toWrite = min(size, PerfSize)
+      await conn.write(buf[0 ..< toWrite])
+      size -= toWrite.uint
 
-  let duration = Moment.now() - start
-  trace "finishing performance benchmark", duration
-  return duration
+      # set stats using copy value to avoid race condition
+      var statsCopy = p.stats
+      statsCopy.duration = Moment.now() - start
+      statsCopy.uploadBytes += toWrite.uint
+      p.stats = statsCopy
+
+    # Close connection after writing for TCP, but not for QUIC
+    when defined(libp2p_quic_support):
+      if not (conn of QuicStream):
+        await conn.close()
+      # For QUIC streams, don't close yet - let server manage lifecycle
+    else:
+      await conn.close()
+
+    size = sizeToRead
+
+    while size > 0:
+      let toRead = min(size, PerfSize)
+      await conn.readExactly(addr buf[0], toRead.int)
+      size = size - toRead.uint
+
+      # set stats using copy value to avoid race condition
+      var statsCopy = p.stats
+      statsCopy.duration = Moment.now() - start
+      statsCopy.downloadBytes += toRead.uint
+      p.stats = statsCopy
+
+    # Close QUIC connections after read phase
+    when defined(libp2p_quic_support):
+      if conn of QuicStream:
+        await conn.close()
+  except CancelledError as e:
+    raise e
+  except LPStreamError as e:
+    raise e
+  finally:
+    p.stats.isFinal = true
+
+  trace "finishing performance benchmark", duration = p.stats.duration
+
+  return p.stats.duration

libp2p/protocols/perf/server.nim

@@ -14,6 +14,8 @@
 import chronos, chronicles
 import stew/endians2
 import ./core, ../protocol, ../../stream/connection, ../../utility
+when defined(libp2p_quic_support):
+  import ../../transports/quictransport
 
 export chronicles, connection
 
@@ -36,9 +38,31 @@ proc new*(T: typedesc[Perf]): T {.public.} =
 
       var toReadBuffer: array[PerfSize, byte]
       try:
-        while true:
-          bytesRead += await conn.readOnce(addr toReadBuffer[0], PerfSize)
-      except CatchableError as exc:
+        # Different handling for QUIC vs TCP streams
+        when defined(libp2p_quic_support):
+          if conn of QuicStream:
+            # QUIC needs timeout-based approach to detect end of upload
+            while not conn.atEof:
+              let readFut = conn.readOnce(addr toReadBuffer[0], PerfSize)
+              let read = readFut.read()
+              if read == 0:
+                break
+              bytesRead += read
+          else:
+            # TCP streams handle EOF properly
+            while true:
+              let read = await conn.readOnce(addr toReadBuffer[0], PerfSize)
+              if read == 0:
+                break
+              bytesRead += read
+        else:
+          # TCP streams handle EOF properly
+          while true:
+            let read = await conn.readOnce(addr toReadBuffer[0], PerfSize)
+            if read == 0:
+              break
+            bytesRead += read
+      except CatchableError:
         discard
 
       var buf: array[PerfSize, byte]

libp2p/protocols/pubsub/bandwidth.nim

@@ -0,0 +1,37 @@
+import chronos
+import std/atomics
+
+const DefaultAlpha = 0.3
+const InitialRate = 2_500_000 #bytes per second
+
+type
+  ExponentialMovingAverage* = ref object
+    alpha: float
+    value: Atomic[float64]
+
+  BandwidthTracking* = ref object
+    download*: ExponentialMovingAverage
+
+proc init*(T: type[ExponentialMovingAverage], alpha: float = DefaultAlpha): T =
+  let e = ExponentialMovingAverage(alpha: alpha)
+  e.value.store(InitialRate)
+  return e
+
+proc init*(T: type[BandwidthTracking], alpha: float = DefaultAlpha): T =
+  BandwidthTracking(download: ExponentialMovingAverage())
+
+proc update*(e: var ExponentialMovingAverage, startAt: Moment, bytes: int) =
+  let elapsedTime = Moment.now() - startAt
+  let curSample = float(bytes * 1000) / elapsedTime.milliseconds.float
+  let oldSample = e.value.load()
+  let ema = e.alpha * curSample + (1.0 - e.alpha) * oldSample
+  e.value.store(ema)
+
+proc value*(e: var ExponentialMovingAverage): float =
+  e.value.load()
+
+proc calculateReceiveTimeMs*(msgLen: int64, dataRate: int64 = InitialRate): int64 =
+  let txTime = ((msgLen * 1000) div dataRate)
+  #ideally (RTT * 2) + 5% TxTime ? Need many testruns to precisely adjust safety margin
+  let margin = 250 + (txTime.float64 * 0.05)
+  result = txTime + margin.int64

libp2p/protocols/pubsub/floodsub.nim

@@ -185,14 +185,17 @@ method init*(f: FloodSub) =
     try:
       await f.handleConn(conn, proto)
     except CancelledError as exc:
-      trace "Unexpected cancellation in floodsub handler", conn
+      trace "Unexpected cancellation in floodsub handler", conn, description = exc.msg
       raise exc
 
   f.handler = handler
   f.codec = FloodSubCodec
 
 method publish*(
-    f: FloodSub, topic: string, data: seq[byte]
+    f: FloodSub,
+    topic: string,
+    data: seq[byte],
+    publishParams: Option[PublishParams] = none(PublishParams),
 ): Future[int] {.async: (raises: []).} =
   # base returns always 0
   discard await procCall PubSub(f).publish(topic, data)

libp2p/protocols/pubsub/gossipsub.nim

@@ -29,10 +29,13 @@ import
   ../../utility,
   ../../switch
 
-import stew/results
+when defined(libp2p_gossipsub_1_4):
+  import ./bandwidth
+
+import results
 export results
 
-import ./gossipsub/[types, scoring, behavior], ../../utils/heartbeat
+import ./gossipsub/[types, scoring, behavior, preamblestore], ../../utils/heartbeat
 
 export types, scoring, behavior, pubsub
 
@@ -51,6 +54,10 @@ declareCounter(
 declareCounter(
   libp2p_gossipsub_idontwant_saved_messages, "number of duplicates avoided by idontwant"
 )
+declareCounter(
+  libp2p_gossipsub_imreceiving_saved_messages,
+  "number of duplicates avoided by imreceiving",
+)
 declareCounter(
   libp2p_gossipsub_saved_bytes,
   "bytes saved by gossipsub optimizations",
@@ -218,10 +225,14 @@ method init*(g: GossipSub) =
     try:
       await g.handleConn(conn, proto)
     except CancelledError as exc:
-      trace "Unexpected cancellation in gossipsub handler", conn
+      trace "Unexpected cancellation in gossipsub handler", conn, description = exc.msg
       raise exc
 
   g.handler = handler
+
+  when defined(libp2p_gossipsub_1_4):
+    g.codecs &= GossipSubCodec_14
+
   g.codecs &= GossipSubCodec_12
   g.codecs &= GossipSubCodec_11
   g.codecs &= GossipSubCodec_10
@@ -240,6 +251,9 @@ method onNewPeer*(g: GossipSub, peer: PubSubPeer) =
   peer.iHaveBudget = IHavePeerBudget
   peer.pingBudget = PingsPeerBudget
 
+  when defined(libp2p_gossipsub_1_4):
+    peer.preambleBudget = PreamblePeerBudget
+
 method onPubSubPeerEvent*(
     p: GossipSub, peer: PubSubPeer, event: PubSubPeerEvent
 ) {.gcsafe.} =
@@ -346,11 +360,14 @@ proc handleControl(g: GossipSub, peer: PubSubPeer, control: ControlMessage) =
 
   var respControl: ControlMessage
   g.handleIDontWant(peer, control.idontwant)
+  when defined(libp2p_gossipsub_1_4):
+    g.handlePreamble(peer, control.preamble)
+    g.handleIMReceiving(peer, control.imreceiving)
   let iwant = g.handleIHave(peer, control.ihave)
   if iwant.messageIDs.len > 0:
     respControl.iwant.add(iwant)
   respControl.prune.add(g.handleGraft(peer, control.graft))
-  let messages = g.handleIWant(peer, control.iwant)
+  let (messages, msgIDs) = g.handleIWant(peer, control.iwant)
 
   let
     isPruneNotEmpty = respControl.prune.len > 0
@@ -371,13 +388,34 @@ proc handleControl(g: GossipSub, peer: PubSubPeer, control: ControlMessage) =
     g.send(peer, RPCMsg(control: some(respControl)), isHighPriority = true)
 
   if messages.len > 0:
-    for smsg in messages:
+    when defined(libp2p_gossipsub_1_4):
+      var preambles: seq[ControlPreamble]
+
+    for i, smsg in messages:
       let topic = smsg.topic
       if g.knownTopics.contains(topic):
         libp2p_pubsub_broadcast_messages.inc(labelValues = [topic])
       else:
         libp2p_pubsub_broadcast_messages.inc(labelValues = ["generic"])
 
+      when defined(libp2p_gossipsub_1_4):
+        # should we send preamble here? (Not in specs so far)
+        # So receiver will send IMReciving only for preambles received from mesh members
+        preambles.add(
+          ControlPreamble(
+            topicID: smsg.topic,
+            messageID: msgIDs[i],
+            messageLength: smsg.data.len.uint32,
+          )
+        )
+
+    when defined(libp2p_gossipsub_1_4):
+      g.broadcast(
+        @[peer],
+        RPCMsg(control: some(ControlMessage(preamble: preambles))),
+        isHighPriority = true,
+      )
+
     # iwant replies have lower priority
     trace "sending iwant reply messages", peer
     g.send(peer, RPCMsg(messages: messages), isHighPriority = false)
@@ -411,6 +449,34 @@ proc sendIDontWant(
     isHighPriority = true,
   )
 
+when defined(libp2p_gossipsub_1_4):
+  const preambleMessageSizeThreshold* = 40 * 1024 # 40KiB
+
+  proc sendPreamble(
+      g: GossipSub, msg: Message, msgId: MessageId, toSendPeers: var HashSet[PubSubPeer]
+  ) =
+    if msg.data.len < preambleMessageSizeThreshold:
+      return
+
+    g.broadcast(
+      toSendPeers.filterIt(it.codec == GossipSubCodec_14),
+      RPCMsg(
+        control: some(
+          ControlMessage(
+            preamble:
+              @[
+                ControlPreamble(
+                  topicID: msg.topic,
+                  messageID: msgId,
+                  messageLength: msg.data.len.uint32,
+                )
+              ]
+          )
+        )
+      ),
+      isHighPriority = true,
+    )
+
 const iDontWantMessageSizeThreshold* = 512
 
 proc isLargeMessage(msg: Message, msgId: MessageId): bool =
@@ -489,6 +555,28 @@ proc validateAndRelay(
 
     toSendPeers.exclIfIt(isMsgInIdontWant(it))
 
+    when defined(libp2p_gossipsub_1_4):
+      proc isMsgInIMReceiving(it: PubSubPeer): bool =
+        if it.heIsReceivings.hasKey(msgId):
+          libp2p_gossipsub_imreceiving_saved_messages.inc
+          return true
+        return false
+
+      proc deferSend(deferPeers: HashSet[PubSubPeer]) {.async.} =
+        let receiveTimeMs = calculateReceiveTimeMs(msg.data.len)
+        await sleepAsync(receiveTimeMs.milliseconds)
+        for deferPeer in deferPeers:
+          if not deferPeer.isMsgInIdontWant:
+            #No need to send preamble at timeout
+            g.broadcast(@[deferPeer], RPCMsg(messages: @[msg]), isHighPriority = false)
+
+      let allPeers = toSendPeers
+      toSendPeers.exclIfIt(isMsgInIMReceiving(it))
+      g.sendPreamble(msg, msgId, toSendPeers)
+      if not PullOperation:
+        let receivingPeers = allPeers - toSendPeers
+        asyncSpawn deferSend(receivingPeers)
+
     # In theory, if topics are the same in all messages, we could batch - we'd
     # also have to be careful to only include validated messages
     g.broadcast(toSendPeers, RPCMsg(messages: @[msg]), isHighPriority = false)
@@ -602,6 +690,14 @@ method rpcHandler*(
       msgId = msgIdResult.get
       msgIdSalted = g.salt(msgId)
 
+    when defined(libp2p_gossipsub_1_4):
+      if msg.data.len > preambleMessageSizeThreshold:
+        g.ongoingReceives.del(msgId)
+        g.ongoingIWantReceives.del(msgId)
+        var startTime: Moment
+        if peer.heIsSendings.pop(msgId, startTime):
+          peer.bandwidthTracking.download.update(startTime, msg.data.len)
+
     if g.addSeen(msgIdSalted):
       trace "Dropping already-seen message", msgId = shortLog(msgId), peer
 
@@ -702,24 +798,27 @@ method onTopicSubscription*(g: GossipSub, topic: string, subscribed: bool) =
     # Send unsubscribe (in reverse order to sub/graft)
     procCall PubSub(g).onTopicSubscription(topic, subscribed)
 
-method publish*(
+proc makePeersForPublishUsingCustomConn(
+    g: GossipSub, topic: string
+): HashSet[PubSubPeer] =
+  assert g.customConnCallbacks.isSome,
+    "GossipSub misconfiguration: useCustomConn was true, but no customConnCallbacks provided"
+
+  trace "Selecting peers via custom connection callback"
+
+  return g.customConnCallbacks.get().customPeerSelectionCB(
+      g.gossipsub.getOrDefault(topic),
+      g.subscribedDirectPeers.getOrDefault(topic),
+      g.mesh.getOrDefault(topic),
+      g.fanout.getOrDefault(topic),
+    )
+
+proc makePeersForPublishDefault(
     g: GossipSub, topic: string, data: seq[byte]
-): Future[int] {.async: (raises: []).} =
-  logScope:
-    topic
-
-  if topic.len <= 0: # data could be 0/empty
-    debug "Empty topic, skipping publish"
-    return 0
-
-  # base returns always 0
-  discard await procCall PubSub(g).publish(topic, data)
-
-  trace "Publishing message on topic", data = data.shortLog
-
+): HashSet[PubSubPeer] =
   var peers: HashSet[PubSubPeer]
 
-  # add always direct peers
+  # Always include direct peers
   peers.incl(g.subscribedDirectPeers.getOrDefault(topic))
 
   if topic in g.topics: # if we're subscribed use the mesh
@@ -769,6 +868,34 @@ method publish*(
     # ultimately is not sent)
     g.lastFanoutPubSub[topic] = Moment.fromNow(g.parameters.fanoutTTL)
 
+  return peers
+
+method publish*(
+    g: GossipSub,
+    topic: string,
+    data: seq[byte],
+    publishParams: Option[PublishParams] = none(PublishParams),
+): Future[int] {.async: (raises: []).} =
+  logScope:
+    topic
+
+  if topic.len <= 0: # data could be 0/empty
+    debug "Empty topic, skipping publish"
+    return 0
+
+  # base returns always 0
+  discard await procCall PubSub(g).publish(topic, data)
+
+  trace "Publishing message on topic", data = data.shortLog
+
+  let pubParams = publishParams.get(PublishParams())
+
+  var peers =
+    if pubParams.useCustomConn:
+      g.makePeersForPublishUsingCustomConn(topic)
+    else:
+      g.makePeersForPublishDefault(topic, data)
+
   if peers.len == 0:
     let topicPeers = g.gossipsub.getOrDefault(topic).toSeq()
     debug "No peers for topic, skipping publish",
@@ -802,12 +929,22 @@ method publish*(
     trace "Dropping already-seen message"
     return 0
 
-  g.mcache.put(msgId, msg)
+  if not pubParams.skipMCache:
+    g.mcache.put(msgId, msg)
 
-  if g.parameters.sendIDontWantOnPublish and isLargeMessage(msg, msgId):
-    g.sendIDontWant(msg, msgId, peers)
+  if g.parameters.sendIDontWantOnPublish:
+    if isLargeMessage(msg, msgId):
+      g.sendIDontWant(msg, msgId, peers)
 
-  g.broadcast(peers, RPCMsg(messages: @[msg]), isHighPriority = true)
+    when defined(libp2p_gossipsub_1_4):
+      g.sendPreamble(msg, msgId, peers)
+
+  g.broadcast(
+    peers,
+    RPCMsg(messages: @[msg]),
+    isHighPriority = true,
+    useCustomConn = pubParams.useCustomConn,
+  )
 
   if g.knownTopics.contains(topic):
     libp2p_pubsub_messages_published.inc(peers.len.int64, labelValues = [topic])
@@ -861,6 +998,8 @@ method start*(
   g.heartbeatFut = g.heartbeat()
   g.scoringHeartbeatFut = g.scoringHeartbeat()
   g.directPeersLoop = g.maintainDirectPeers()
+  when defined(libp2p_gossipsub_1_4):
+    g.preambleExpirationFut = g.preambleExpirationHeartbeat()
   g.started = true
   fut
 
@@ -875,6 +1014,9 @@ method stop*(g: GossipSub): Future[void] {.async: (raises: [], raw: true).} =
     return fut
 
   # stop heartbeat interval
+  when defined(libp2p_gossipsub_1_4):
+    g.preambleExpirationFut.cancelSoon()
+
   g.directPeersLoop.cancelSoon()
   g.scoringHeartbeatFut.cancelSoon()
   g.heartbeatFut.cancelSoon()

libp2p/protocols/pubsub/gossipsub/behavior.nim

@@ -24,6 +24,9 @@ import
     signed_envelope,
     utils/heartbeat,
   ]
+when defined(libp2p_gossipsub_1_4):
+  import ./preamblestore
+  import ../bandwidth
 
 logScope:
   topics = "libp2p gossipsub"
@@ -60,6 +63,13 @@ declareCounter(
   labels = ["topic"],
 )
 declareGauge(libp2p_gossipsub_received_iwants, "received iwants", labels = ["kind"])
+declareCounter(
+  libp2p_gossipsub_preamble_saved_iwants,
+  "number of iwant requests avoided by preamble",
+  labels = ["topic"],
+)
+
+const MaxHeIsReceiving = 50
 
 proc grafted*(g: GossipSub, p: PubSubPeer, topic: string) =
   g.withPeerStats(p.peerId) do(stats: var PeerStats):
@@ -277,6 +287,11 @@ proc handlePrune*(g: GossipSub, peer: PubSubPeer, prunes: seq[ControlPrune]) =
       for handler in g.routingRecordsHandler:
         handler(peer.peerId, topic, routingRecords)
 
+when defined(libp2p_gossipsub_1_4):
+  proc addPossiblePeerToQuery(g: GossipSub, peer: PubSubPeer, messageId: MessageId) =
+    g.ongoingReceives.addPossiblePeerToQuery(messageId, peer)
+    g.ongoingIWantReceives.addPossiblePeerToQuery(messageId, peer)
+
 proc handleIHave*(
     g: GossipSub, peer: PubSubPeer, ihaves: seq[ControlIHave]
 ): ControlIWant =
@@ -294,6 +309,14 @@ proc handleIHave*(
             if peer.iHaveBudget <= 0:
               break
             elif msgId notin res.messageIDs:
+              when defined(libp2p_gossipsub_1_4):
+                if g.ongoingReceives.hasKey(msgId) or
+                    g.ongoingIWantReceives.hasKey(msgId):
+                  g.addPossiblePeerToQuery(peer, msgId)
+                  libp2p_gossipsub_preamble_saved_iwants.inc(
+                    labelValues = [ihave.topicID]
+                  )
+                  continue
               res.messageIDs.add(msgId)
               dec peer.iHaveBudget
               trace "requested message via ihave", messageID = msgId
@@ -305,16 +328,18 @@ proc handleIHave*(
 proc handleIDontWant*(g: GossipSub, peer: PubSubPeer, iDontWants: seq[ControlIWant]) =
   for dontWant in iDontWants:
     for messageId in dontWant.messageIDs:
-      if peer.iDontWants[^1].len > 1000:
+      if peer.iDontWants[0].len >= IDontWantMaxCount:
         break
-      peer.iDontWants[^1].incl(g.salt(messageId))
+      peer.iDontWants[0].incl(g.salt(messageId))
+      when defined(libp2p_gossipsub_1_4):
+        peer.heIsReceivings.del(messageId)
+        g.addPossiblePeerToQuery(peer, messageId)
 
 proc handleIWant*(
     g: GossipSub, peer: PubSubPeer, iwants: seq[ControlIWant]
-): seq[Message] =
-  var
-    messages: seq[Message]
-    invalidRequests = 0
+): tuple[messages: seq[Message], ids: seq[MessageId]] =
+  var response: tuple[messages: seq[Message], ids: seq[MessageId]]
+  var invalidRequests = 0
   if peer.score < g.parameters.gossipThreshold:
     trace "iwant: ignoring low score peer", peer, score = peer.score
   else:
@@ -328,14 +353,101 @@ proc handleIWant*(
           invalidRequests.inc()
           if invalidRequests > 20:
             libp2p_gossipsub_received_iwants.inc(1, labelValues = ["skipped"])
-            return messages
+            return response
           continue
         let msg = g.mcache.get(mid).valueOr:
           libp2p_gossipsub_received_iwants.inc(1, labelValues = ["unknown"])
           continue
         libp2p_gossipsub_received_iwants.inc(1, labelValues = ["correct"])
-        messages.add(msg)
-  return messages
+        response.messages.add(msg)
+        response.ids.add(mid)
+  return response
+
+when defined(libp2p_gossipsub_1_4):
+  proc medianDownloadRate*(p: var HashSet[PubSubPeer]): float =
+    if p.len == 0:
+      return 0
+
+    let vals = p.toSeq().mapIt(it.bandwidthTracking.download.value()).sorted()
+    echo vals
+    let mid = vals.len div 2
+    if vals.len mod 2 == 0:
+      (vals[mid - 1] + vals[mid]) / 2
+    else:
+      vals[mid]
+
+  proc handlePreamble*(
+      g: GossipSub, peer: PubSubPeer, preambles: seq[ControlPreamble]
+  ) =
+    let starts = Moment.now()
+
+    for preamble in preambles:
+      dec peer.preambleBudget
+      if peer.preambleBudget <= 0:
+        return
+      if g.hasSeen(g.salt(preamble.messageID)):
+        continue
+      elif peer.heIsSendings.hasKey(preamble.messageID):
+        continue
+      elif g.ongoingReceives.hasKey(preamble.messageID):
+        #TODO: add to conflicts_watch if length is different
+        continue
+      else:
+        peer.heIsSendings[preamble.messageID] = starts
+        var toSendPeers = HashSet[PubSubPeer]()
+        g.mesh.withValue(preamble.topicID, peers):
+          toSendPeers.incl(peers[])
+        toSendPeers.incl(g.subscribedDirectPeers.getOrDefault(preamble.topicID))
+        var peers = toSendPeers.filterIt(it.codec == GossipSubCodec_14)
+        let bytesPerSecond = peer.bandwidthTracking.download.value()
+        let transmissionTimeMs =
+          calculateReceiveTimeMs(preamble.messageLength.int64, bytesPerSecond.int64)
+        let expires = starts + transmissionTimeMs.milliseconds
+
+        #We send imreceiving only if received from mesh members
+        if peer notin peers:
+          if not g.ongoingIWantReceives.hasKey(preamble.messageID):
+            g.ongoingIWantReceives[preamble.messageID] =
+              PreambleInfo.init(preamble, peer, starts, expires)
+
+          trace "preamble: ignoring out of mesh peer", peer
+          continue
+
+        g.ongoingReceives[preamble.messageID] =
+          PreambleInfo.init(preamble, peer, starts, expires)
+
+        #Send imreceiving only if received from faster mesh members
+        if bytesPerSecond >= toSendPeers.medianDownloadRate():
+          g.broadcast(
+            peers,
+            RPCMsg(
+              control: some(
+                ControlMessage(
+                  imreceiving:
+                    @[
+                      ControlIMReceiving(
+                        messageID: preamble.messageID,
+                        messageLength: preamble.messageLength,
+                      )
+                    ]
+                )
+              )
+            ),
+            isHighPriority = true,
+          )
+
+  proc handleIMReceiving*(
+      g: GossipSub, peer: PubSubPeer, imreceivings: seq[ControlIMReceiving]
+  ) =
+    for imreceiving in imreceivings:
+      if peer.heIsReceivings.len > MaxHeIsReceiving:
+        break
+      #Ignore if message length is different
+      g.ongoingReceives.withValue(imreceiving.messageID, pInfo):
+        if pInfo.messageLength != imreceiving.messageLength:
+          continue
+      peer.heIsReceivings[imreceiving.messageID] = imreceiving.messageLength
+      #No need to check mcache. In that case, we might have already transmitted/transmitting
 
 proc commitMetrics(metrics: var MeshMetrics) =
   libp2p_gossipsub_low_peers_topics.set(metrics.lowPeersTopics)
@@ -457,8 +569,8 @@ proc rebalanceMesh*(g: GossipSub, topic: string, metrics: ptr MeshMetrics = nil)
     prunes = toSeq(
       try:
         g.mesh[topic]
-      except KeyError:
-        raiseAssert "have peers"
+      except KeyError as e:
+        raiseAssert "have peers: " & e.msg
     )
     # avoid pruning peers we are currently grafting in this heartbeat
     prunes.keepIf do(x: PubSubPeer) -> bool:
@@ -513,8 +625,8 @@ proc rebalanceMesh*(g: GossipSub, topic: string, metrics: ptr MeshMetrics = nil)
     var peers = toSeq(
       try:
         g.mesh[topic]
-      except KeyError:
-        raiseAssert "have peers"
+      except KeyError as e:
+        raiseAssert "have peers: " & e.msg
     )
     # grafting so high score has priority
     peers.sort(byScore, SortOrder.Descending)
@@ -538,8 +650,8 @@ proc rebalanceMesh*(g: GossipSub, topic: string, metrics: ptr MeshMetrics = nil)
               it.peerId notin backingOff:
             avail.add(it)
 
-            # by spec, grab only 2
-            if avail.len > 1:
+            # by spec, grab only up to MaxOpportunisticGraftPeers
+            if avail.len >= MaxOpportunisticGraftPeers:
               break
 
       for peer in avail:
@@ -690,7 +802,7 @@ proc getGossipPeers*(g: GossipSub): Table[PubSubPeer, ControlMessage] =
     for peer in allPeers:
       control.mgetOrPut(peer, ControlMessage()).ihave.add(ihave)
       for msgId in ihave.messageIDs:
-        peer.sentIHaves[^1].incl(msgId)
+        peer.sentIHaves[0].incl(msgId)
 
   libp2p_gossipsub_cache_window_size.set(cacheWindowSize.int64)
 
@@ -710,6 +822,9 @@ proc onHeartbeat(g: GossipSub) =
       peer.iHaveBudget = IHavePeerBudget
       peer.pingBudget = PingsPeerBudget
 
+      when defined(libp2p_gossipsub_1_4):
+        peer.preambleBudget = PreamblePeerBudget
+
   var meshMetrics = MeshMetrics()
 
   for t in toSeq(g.topics.keys):
@@ -777,3 +892,72 @@ proc heartbeat*(g: GossipSub) {.async: (raises: [CancelledError]).} =
     for trigger in g.heartbeatEvents:
       trace "firing heartbeat event", instance = cast[int](g)
       trigger.fire()
+
+when defined(libp2p_gossipsub_1_4):
+  proc preambleExpirationHeartbeat*(
+      g: GossipSub
+  ) {.async: (raises: [CancelledError]).} =
+    heartbeat "GossipSub: Preamble Expiration", 200.milliseconds:
+      trace "running preamble expiration heartbeat", instance = cast[int](g)
+
+      while true:
+        var expiredOngoingReceive = g.ongoingReceives.popExpired(Moment.now()).valueOr:
+          break
+
+        if not expiredOngoingReceive.sender.isNil:
+          let sender = expiredOngoingReceive.sender
+          if g.peers.hasKey(sender.peerId):
+            sender.behaviourPenalty += 0.1
+
+        if PullOperation:
+          var possiblePeers = expiredOngoingReceive.possiblePeersToQuery()
+          g.rng.shuffle(possiblePeers)
+
+          var peer: PubSubPeer = nil
+          for peerId in possiblePeers:
+            try:
+              if g.peers.hasKey(peerId) and g.peers[peerId].codec == GossipSubCodec_14:
+                peer = g.peers[peerId]
+                break
+            except KeyError:
+              assert false, "checked with hasKey"
+
+          if peer.isNil:
+            trace "no peer available to send IWANT for an expiredOngoingReceive",
+              messageID = expiredOngoingReceive.messageId
+            continue
+
+          let starts = Moment.now()
+
+          g.broadcast(
+            @[peer],
+            RPCMsg(
+              control: some(
+                ControlMessage(
+                  iwant: @[ControlIWant(messageIDs: @[expiredOngoingReceive.messageId])]
+                )
+              )
+            ),
+            isHighPriority = true,
+          )
+
+          let bytesPerSecond = peer.bandwidthTracking.download.value()
+          let transmissionTimeMs = calculateReceiveTimeMs(
+            expiredOngoingReceive.messageLength.int64, bytesPerSecond.int64
+          )
+          let expires = starts + transmissionTimeMs.milliseconds
+
+          # Setting new data before reinserting the preamble
+          expiredOngoingReceive.startsAt = starts
+          expiredOngoingReceive.expiresAt = expires
+          expiredOngoingReceive.sender = peer
+          g.ongoingIWantReceives[expiredOngoingReceive.messageId] =
+            expiredOngoingReceive
+
+      while true:
+        let expiredOngoingIWantReceived = g.ongoingIWantReceives.popExpired(
+          Moment.now()
+        ).valueOr:
+          break
+        # TODO: use expiredOngoingIWantReceived
+        # TODO: what should we do here?

libp2p/protocols/pubsub/gossipsub/preamblestore.nim

@@ -0,0 +1,104 @@
+import std/[tables, heapqueue, sets, options]
+import ./types
+import chronos
+import ../rpc/messages
+import ../../../peerid
+import ../pubsubpeer
+
+proc `<`(a, b: PreambleInfo): bool =
+  a.expiresAt < b.expiresAt
+
+proc init*(T: typedesc[PeerSet]): T =
+  PeerSet(order: @[], peers: initHashSet[PeerId]())
+
+proc init*(
+    T: typedesc[PreambleInfo],
+    preamble: ControlPreamble,
+    sender: PubSubPeer,
+    startsAt: Moment,
+    expiresAt: Moment,
+): T =
+  PreambleInfo(
+    messageId: preamble.messageID,
+    messageLength: preamble.messageLength,
+    topicId: preamble.topicID,
+    sender: sender,
+    startsAt: startsAt,
+    expiresAt: expiresAt,
+    peerSet: PeerSet.init(),
+  )
+
+proc init*(T: typedesc[PreambleStore]): T =
+  result.byId = initTable[MessageId, PreambleInfo]()
+  result.heap = initHeapQueue[PreambleInfo]()
+
+proc insert*(ps: var PreambleStore, msgId: MessageId, info: PreambleInfo) =
+  try:
+    if ps.byId.hasKey(msgId):
+      ps.byId[msgId].deleted = true
+    ps.byId[msgId] = info
+    ps.heap.push(info)
+  except KeyError:
+    assert false, "checked with hasKey"
+
+proc hasKey*(ps: var PreambleStore, msgId: MessageId): bool =
+  return ps.byId.hasKey(msgId)
+
+proc `[]`*(ps: var PreambleStore, msgId: MessageId): PreambleInfo =
+  ps.byId[msgId]
+
+proc `[]=`*(ps: var PreambleStore, msgId: MessageId, entry: PreambleInfo) =
+  insert(ps, msgId, entry)
+
+proc del*(ps: var PreambleStore, msgId: MessageId) =
+  try:
+    if ps.byId.hasKey(msgId):
+      ps.byId[msgId].deleted = true
+      ps.byId.del(msgId)
+  except KeyError:
+    assert false, "checked with hasKey"
+
+proc len*(ps: var PreambleStore): int =
+  return ps.byId.len
+
+proc popExpired*(ps: var PreambleStore, now: Moment): Option[PreambleInfo] =
+  while ps.heap.len > 0:
+    if ps.heap[0].deleted:
+      discard ps.heap.pop()
+    elif ps.heap[0].expiresAt <= now:
+      let top = ps.heap.pop()
+      ps.byId.del(top.messageId)
+      return some(top)
+    else:
+      return none(PreambleInfo)
+
+template withValue*(ps: var PreambleStore, key: MessageId, value, body: untyped) =
+  try:
+    if ps.hasKey(key):
+      let value {.inject.} = ps.byId[key]
+      body
+  except system.KeyError:
+    assert false, "checked with in"
+
+const maxPossiblePeersOnPeerSet = 6
+
+proc addPossiblePeerToQuery*(
+    ps: var PreambleStore, msgId: MessageId, peer: PubSubPeer
+) =
+  if not ps.hasKey(msgId):
+    return
+
+  try:
+    var preamble = ps[msgId]
+    if not preamble.peerSet.peers.contains(peer.peerId):
+      if preamble.peerSet.order.len == maxPossiblePeersOnPeerSet:
+        let evicted: PeerId = preamble.peerSet.order[0]
+        preamble.peerSet.order.delete(0)
+        preamble.peerSet.peers.excl(evicted)
+      preamble.peerSet.order.add(peer.peerId)
+      preamble.peerSet.peers.incl(peer.peerId)
+  except KeyError:
+    assert false, "checked with hasKey"
+
+proc possiblePeersToQuery*(preamble: PreambleInfo): seq[PeerId] =
+  preamble.peerSet.order

libp2p/protocols/pubsub/gossipsub/types.nim

@@ -10,7 +10,7 @@
 {.push raises: [].}
 
 import chronos
-import std/[options, tables, sets]
+import std/[options, tables, sets, heapqueue]
 import ".."/[floodsub, peertable, mcache, pubsubpeer]
 import "../rpc"/[messages]
 import "../../.."/[peerid, multiaddress, utility]
@@ -18,6 +18,7 @@ import "../../.."/[peerid, multiaddress, utility]
 export options, tables, sets
 
 const
+  GossipSubCodec_14* = "/meshsub/1.4.0"
   GossipSubCodec_12* = "/meshsub/1.2.0"
   GossipSubCodec_11* = "/meshsub/1.1.0"
   GossipSubCodec_10* = "/meshsub/1.0.0"
@@ -46,10 +47,15 @@ const
   BackoffSlackTime* = 2 # seconds
   PingsPeerBudget* = 100 # maximum of 6.4kb/heartbeat (6.4kb/s with default 1 second/hb)
   IHavePeerBudget* = 10
+  PreamblePeerBudget* = 10
+  PullOperation* = true
   # the max amount of IHave to expose, not by spec, but go as example
   # rust sigp: https://github.com/sigp/rust-libp2p/blob/f53d02bc873fef2bf52cd31e3d5ce366a41d8a8c/protocols/gossipsub/src/config.rs#L572
   # go: https://github.com/libp2p/go-libp2p-pubsub/blob/08c17398fb11b2ab06ca141dddc8ec97272eb772/gossipsub.go#L155
   IHaveMaxLength* = 5000
+  IDontWantMaxCount* = 1000
+    # maximum number of IDontWant messages in one slot of the history
+  MaxOpportunisticGraftPeers* = 2
 
 type
   TopicInfo* = object # gossip 1.1 related
@@ -62,6 +68,24 @@ type
     meshFailurePenalty*: float64
     invalidMessageDeliveries*: float64
 
+  PeerSet* = object
+    order*: seq[PeerId]
+    peers*: HashSet[PeerId]
+
+  PreambleInfo* = ref object
+    messageId*: MessageId
+    messageLength*: uint32
+    topicId*: string
+    sender*: PubSubPeer
+    startsAt*: Moment
+    expiresAt*: Moment
+    deleted*: bool # tombstone marker
+    peerSet*: PeerSet
+
+  PreambleStore* = object
+    byId*: Table[MessageId, PreambleInfo]
+    heap*: HeapQueue[PreambleInfo]
+
   TopicParams* {.public.} = object
     topicWeight*: float64
 
@@ -159,6 +183,7 @@ type
 
   BackoffTable* = Table[string, Table[PeerId, Moment]]
   ValidationSeenTable* = Table[SaltedId, HashSet[PubSubPeer]]
+  OngoingReceivesStore* = PreambleStore
 
   RoutingRecordsPair* = tuple[id: PeerId, record: Option[PeerRecord]]
   RoutingRecordsHandler* = proc(
@@ -178,6 +203,9 @@ type
     mcache*: MCache # messages cache
     validationSeen*: ValidationSeenTable # peers who sent us message in validation
     heartbeatFut*: Future[void] # cancellation future for heartbeat interval
+    when defined(libp2p_gossipsub_1_4):
+      preambleExpirationFut*: Future[void]
+      # cancellation future for preamble expiration heartbeat interval
     scoringHeartbeatFut*: Future[void]
       # cancellation future for scoring heartbeat interval
     heartbeatRunning*: bool
@@ -191,6 +219,11 @@ type
 
     heartbeatEvents*: seq[AsyncEvent]
 
+    when defined(libp2p_gossipsub_1_4):
+      ongoingReceives*: OngoingReceivesStore # list of messages we are receiving
+      ongoingIWantReceives*: OngoingReceivesStore
+        # list of iwant replies we are receiving
+
   MeshMetrics* = object # scratch buffers for metrics
     otherPeersPerTopicMesh*: int64
     otherPeersPerTopicFanout*: int64

libp2p/protocols/pubsub/peertable.nim

@@ -9,13 +9,25 @@
 
 {.push raises: [].}
 
-import std/[tables, sets, sequtils]
+import std/[tables, sets, sequtils, strutils]
 import ./pubsubpeer, ../../peerid
 
 export tables, sets
 
 type PeerTable* = Table[string, HashSet[PubSubPeer]] # topic string to peer map
 
+proc `$`*(table: PeerTable): string =
+  result.add("PeerTable ")
+  result.add("topics (" & $table.len & ")")
+
+  for topic, peers in table:
+    result.add(" topic: ")
+    result.add($topic)
+    result.add(" peers: ")
+    result.add("(" & $peers.len & ") [")
+    result.add(peers.mapIt($it).join(", "))
+    result.add("]")
+
 proc hasPeerId*(t: PeerTable, topic: string, peerId: PeerId): bool =
   if topic in t:
     try:

libp2p/protocols/pubsub/pubsub.nim

@@ -31,7 +31,7 @@ import
   ../../errors,
   ../../utility
 
-import stew/results
+import results
 export results
 
 export tables, sets
@@ -145,6 +145,10 @@ type
     ## we have to store it, which may be an attack vector.
     ## This callback can be used to reject topic we're not interested in
 
+  PublishParams* = object
+    useCustomConn*: bool
+    skipMCache*: bool
+
   PubSub* {.public.} = ref object of LPProtocol
     switch*: Switch # the switch used to dial/connect to peers
     peerInfo*: PeerInfo # this peer's info
@@ -176,6 +180,7 @@ type
     rng*: ref HmacDrbgContext
 
     knownTopics*: HashSet[string]
+    customConnCallbacks*: Option[CustomConnectionCallbacks]
 
 method unsubscribePeer*(p: PubSub, peerId: PeerId) {.base, gcsafe.} =
   ## handle peer disconnects
@@ -187,7 +192,11 @@ method unsubscribePeer*(p: PubSub, peerId: PeerId) {.base, gcsafe.} =
   libp2p_pubsub_peers.set(p.peers.len.int64)
 
 proc send*(
-    p: PubSub, peer: PubSubPeer, msg: RPCMsg, isHighPriority: bool
+    p: PubSub,
+    peer: PubSubPeer,
+    msg: RPCMsg,
+    isHighPriority: bool,
+    useCustomConn: bool = false,
 ) {.raises: [].} =
   ## This procedure attempts to send a `msg` (of type `RPCMsg`) to the specified remote peer in the PubSub network.
   ##
@@ -200,13 +209,14 @@ proc send*(
   ## priority messages have been sent.
 
   trace "sending pubsub message to peer", peer, payload = shortLog(msg)
-  peer.send(msg, p.anonymize, isHighPriority)
+  peer.send(msg, p.anonymize, isHighPriority, useCustomConn)
 
 proc broadcast*(
     p: PubSub,
     sendPeers: auto, # Iteratble[PubSubPeer]
     msg: RPCMsg,
     isHighPriority: bool,
+    useCustomConn: bool = false,
 ) {.raises: [].} =
   ## This procedure attempts to send a `msg` (of type `RPCMsg`) to a specified group of peers in the PubSub network.
   ##
@@ -261,12 +271,12 @@ proc broadcast*(
 
   if anyIt(sendPeers, it.hasObservers):
     for peer in sendPeers:
-      p.send(peer, msg, isHighPriority)
+      p.send(peer, msg, isHighPriority, useCustomConn)
   else:
     # Fast path that only encodes message once
     let encoded = encodeRpcMsg(msg, p.anonymize)
     for peer in sendPeers:
-      asyncSpawn peer.sendEncoded(encoded, isHighPriority)
+      asyncSpawn peer.sendEncoded(encoded, isHighPriority, useCustomConn)
 
 proc sendSubs*(
     p: PubSub, peer: PubSubPeer, topics: openArray[string], subscribe: bool
@@ -373,8 +383,14 @@ method getOrCreatePeer*(
     p.onPubSubPeerEvent(peer, event)
 
   # create new pubsub peer
-  let pubSubPeer =
-    PubSubPeer.new(peerId, getConn, onEvent, protoNegotiated, p.maxMessageSize)
+  let pubSubPeer = PubSubPeer.new(
+    peerId,
+    getConn,
+    onEvent,
+    protoNegotiated,
+    p.maxMessageSize,
+    customConnCallbacks = p.customConnCallbacks,
+  )
   debug "created new pubsub peer", peerId
 
   p.peers[peerId] = pubSubPeer
@@ -558,7 +574,10 @@ proc subscribe*(p: PubSub, topic: string, handler: TopicHandler) {.public.} =
   p.updateTopicMetrics(topic)
 
 method publish*(
-    p: PubSub, topic: string, data: seq[byte]
+    p: PubSub,
+    topic: string,
+    data: seq[byte],
+    publishParams: Option[PublishParams] = none(PublishParams),
 ): Future[int] {.base, async: (raises: []), public.} =
   ## publish to a ``topic``
   ##
@@ -648,6 +667,8 @@ proc init*[PubParams: object | bool](
     maxMessageSize: int = 1024 * 1024,
     rng: ref HmacDrbgContext = newRng(),
     parameters: PubParams = false,
+    customConnCallbacks: Option[CustomConnectionCallbacks] =
+      none(CustomConnectionCallbacks),
 ): P {.raises: [InitializationError], public.} =
   let pubsub =
     when PubParams is bool:
@@ -663,6 +684,7 @@ proc init*[PubParams: object | bool](
         maxMessageSize: maxMessageSize,
         rng: rng,
         topicsHigh: int.high,
+        customConnCallbacks: customConnCallbacks,
       )
     else:
       P(
@@ -678,6 +700,7 @@ proc init*[PubParams: object | bool](
         maxMessageSize: maxMessageSize,
         rng: rng,
         topicsHigh: int.high,
+        customConnCallbacks: customConnCallbacks,
       )
 
   proc peerEventHandler(

libp2p/protocols/pubsub/pubsubpeer.nim

@@ -9,8 +9,8 @@
 
 {.push raises: [].}
 
-import std/[sequtils, strutils, tables, hashes, options, sets, deques]
-import stew/results
+import std/[sequtils, tables, hashes, options, sets, deques]
+import results
 import chronos, chronicles, nimcrypto/sha2, metrics
 import chronos/ratelimit
 import
@@ -20,7 +20,12 @@ import
   ../../stream/connection,
   ../../crypto/crypto,
   ../../protobuf/minprotobuf,
-  ../../utility
+  ../../utility,
+  ../../utils/sequninit,
+  ./bandwidth
+
+when defined(libp2p_gossipsub_1_4):
+  import ./bandwidth
 
 export peerid, connection, deques
 
@@ -95,6 +100,21 @@ type
     # Task for processing non-priority message queue.
     sendNonPriorityTask: Future[void]
 
+  CustomConnCreationProc* = proc(
+    destAddr: Option[MultiAddress], destPeerId: PeerId, codec: string
+  ): Connection {.gcsafe, raises: [].}
+
+  CustomPeerSelectionProc* = proc(
+    allPeers: HashSet[PubSubPeer],
+    directPeers: HashSet[PubSubPeer],
+    meshPeers: HashSet[PubSubPeer],
+    fanoutPeers: HashSet[PubSubPeer],
+  ): HashSet[PubSubPeer] {.gcsafe, raises: [].}
+
+  CustomConnectionCallbacks* = object
+    customConnCreationCB*: CustomConnCreationProc
+    customPeerSelectionCB*: CustomPeerSelectionProc
+
   PubSubPeer* = ref object of RootObj
     getConn*: GetConn # callback to establish a new send connection
     onEvent*: OnEvent # Connectivity updates for peer
@@ -106,6 +126,9 @@ type
     handler*: RPCHandler
     observers*: ref seq[PubSubObserver] # ref as in smart_ptr
 
+    when defined(libp2p_gossipsub_1_4):
+      bandwidthTracking*: BandwidthTracking
+
     score*: float64
     sentIHaves*: Deque[HashSet[MessageId]]
     iDontWants*: Deque[HashSet[SaltedId]]
@@ -119,10 +142,16 @@ type
     behaviourPenalty*: float64 # the eventual penalty score
     overheadRateLimitOpt*: Opt[TokenBucket]
 
+    when defined(libp2p_gossipsub_1_4):
+      preambleBudget*: int
+      heIsReceivings*: Table[MessageId, uint32]
+      heIsSendings*: Table[MessageId, Moment]
+
     rpcmessagequeue: RpcMessageQueue
     maxNumElementsInNonPriorityQueue*: int
       # The max number of elements allowed in the non-priority queue.
     disconnected: bool
+    customConnCallbacks*: Option[CustomConnectionCallbacks]
 
   RPCHandler* =
     proc(peer: PubSubPeer, data: seq[byte]): Future[void] {.async: (raises: []).}
@@ -143,6 +172,9 @@ proc getAgent*(peer: PubSubPeer): string =
     else:
       "unknown"
 
+proc `$`*(p: PubSubPeer): string =
+  $p.peerId
+
 func hash*(p: PubSubPeer): Hash =
   p.peerId.hash
 
@@ -205,7 +237,7 @@ proc handle*(p: PubSubPeer, conn: Connection) {.async: (raises: []).} =
           conn, peer = p, closed = conn.closed, data = data.shortLog
 
         await p.handler(p, data)
-        data = newSeq[byte]() # Release memory
+        data = newSeqUninit[byte](0) # Release memory
     except PeerRateLimitError as exc:
       debug "Peer rate limit exceeded, exiting read while",
         conn, peer = p, description = exc.msg
@@ -214,10 +246,10 @@ proc handle*(p: PubSubPeer, conn: Connection) {.async: (raises: []).} =
         conn, peer = p, closed = conn.closed, description = exc.msg
     finally:
       await conn.close()
-  except CancelledError:
+  except CancelledError as e:
     # This is top-level procedure which will work as separate task, so it
     # do not need to propagate CancelledError.
-    trace "Unexpected cancellation in PubSubPeer.handle"
+    trace "Unexpected cancellation in PubSubPeer.handle", description = e.msg
   finally:
     debug "exiting pubsub read loop", conn, peer = p, closed = conn.closed
 
@@ -250,7 +282,7 @@ proc connectOnce(
         await p.getConn().wait(5.seconds)
       except AsyncTimeoutError as error:
         trace "getConn timed out", description = error.msg
-        raise (ref LPError)(msg: "Cannot establish send connection")
+        raise (ref LPError)(msg: "Cannot establish send connection: " & error.msg)
 
     # When the send channel goes up, subscriptions need to be sent to the
     # remote peer - if we had multiple channels up and one goes down, all
@@ -331,13 +363,10 @@ proc sendMsgContinue(conn: Connection, msgFut: Future[void]) {.async: (raises: [
   try:
     await msgFut
     trace "sent pubsub message to remote", conn
-  except CatchableError as exc: # never cancelled
-    # Because we detach the send call from the currently executing task using
-    # asyncSpawn, no exceptions may leak out of it
-    trace "Unable to send to remote", conn, description = exc.msg
+  except CatchableError as exc:
+    trace "Unexpected exception in sendMsgContinue", conn, description = exc.msg
     # Next time sendConn is used, it will be have its close flag set and thus
     # will be recycled
-
     await conn.close() # This will clean up the send connection
 
 proc sendMsgSlow(p: PubSubPeer, msg: seq[byte]) {.async: (raises: [CancelledError]).} =
@@ -356,21 +385,43 @@ proc sendMsgSlow(p: PubSubPeer, msg: seq[byte]) {.async: (raises: [CancelledErro
   trace "sending encoded msg to peer", conn, encoded = shortLog(msg)
   await sendMsgContinue(conn, conn.writeLp(msg))
 
-proc sendMsg(p: PubSubPeer, msg: seq[byte]): Future[void] {.async: (raises: []).} =
-  if p.sendConn != nil and not p.sendConn.closed():
-    # Fast path that avoids copying msg (which happens for {.async.})
-    let conn = p.sendConn
+proc sendMsg(
+    p: PubSubPeer, msg: seq[byte], useCustomConn: bool = false
+): Future[void] {.async: (raises: []).} =
+  type ConnectionType = enum
+    ctCustom
+    ctSend
+    ctSlow
 
-    trace "sending encoded msg to peer", conn, encoded = shortLog(msg)
+  var slowPath = false
+  let (conn, connType) =
+    if useCustomConn and p.customConnCallbacks.isSome:
+      let address = p.address
+      (
+        p.customConnCallbacks.get().customConnCreationCB(address, p.peerId, p.codec),
+        ctCustom,
+      )
+    elif p.sendConn != nil and not p.sendConn.closed():
+      (p.sendConn, ctSend)
+    else:
+      slowPath = true
+      (nil, ctSlow)
+
+  if not slowPath:
+    trace "sending encoded msg to peer",
+      conntype = $connType, conn = conn, encoded = shortLog(msg)
     let f = conn.writeLp(msg)
     if not f.completed():
       sendMsgContinue(conn, f)
     else:
       f
   else:
+    trace "sending encoded msg to peer via slow path"
     sendMsgSlow(p, msg)
 
-proc sendEncoded*(p: PubSubPeer, msg: seq[byte], isHighPriority: bool): Future[void] =
+proc sendEncoded*(
+    p: PubSubPeer, msg: seq[byte], isHighPriority: bool, useCustomConn: bool = false
+): Future[void] =
   ## Asynchronously sends an encoded message to a specified `PubSubPeer`.
   ##
   ## Parameters:
@@ -399,7 +450,7 @@ proc sendEncoded*(p: PubSubPeer, msg: seq[byte], isHighPriority: bool): Future[v
       maxSize = p.maxMessageSize, msgSize = msg.len
     Future[void].completed()
   elif isHighPriority or emptyQueues:
-    let f = p.sendMsg(msg)
+    let f = p.sendMsg(msg, useCustomConn)
     if not f.finished:
       p.rpcmessagequeue.sendPriorityQueue.addLast(f)
       when defined(pubsubpeer_queue_metrics):
@@ -458,7 +509,11 @@ iterator splitRPCMsg(
     trace "message too big to sent", peer, rpcMsg = shortLog(currentRPCMsg)
 
 proc send*(
-    p: PubSubPeer, msg: RPCMsg, anonymize: bool, isHighPriority: bool
+    p: PubSubPeer,
+    msg: RPCMsg,
+    anonymize: bool,
+    isHighPriority: bool,
+    useCustomConn: bool = false,
 ) {.raises: [].} =
   ## Asynchronously sends an `RPCMsg` to a specified `PubSubPeer` with an option for anonymization.
   ##
@@ -489,11 +544,11 @@ proc send*(
 
   if encoded.len > p.maxMessageSize and msg.messages.len > 1:
     for encodedSplitMsg in splitRPCMsg(p, msg, p.maxMessageSize, anonymize):
-      asyncSpawn p.sendEncoded(encodedSplitMsg, isHighPriority)
+      asyncSpawn p.sendEncoded(encodedSplitMsg, isHighPriority, useCustomConn)
   else:
     # If the message size is within limits, send it as is
     trace "sending msg to peer", peer = p, rpcMsg = shortLog(msg)
-    asyncSpawn p.sendEncoded(encoded, isHighPriority)
+    asyncSpawn p.sendEncoded(encoded, isHighPriority, useCustomConn)
 
 proc canAskIWant*(p: PubSubPeer, msgId: MessageId): bool =
   for sentIHave in p.sentIHaves.mitems():
@@ -552,6 +607,8 @@ proc new*(
     maxMessageSize: int,
     maxNumElementsInNonPriorityQueue: int = DefaultMaxNumElementsInNonPriorityQueue,
     overheadRateLimitOpt: Opt[TokenBucket] = Opt.none(TokenBucket),
+    customConnCallbacks: Option[CustomConnectionCallbacks] =
+      none(CustomConnectionCallbacks),
 ): T =
   result = T(
     getConn: getConn,
@@ -563,7 +620,13 @@ proc new*(
     overheadRateLimitOpt: overheadRateLimitOpt,
     rpcmessagequeue: RpcMessageQueue.new(),
     maxNumElementsInNonPriorityQueue: maxNumElementsInNonPriorityQueue,
+    customConnCallbacks: customConnCallbacks,
   )
+
+  when defined(libp2p_gossipsub_1_4):
+    result.bandwidthTracking =
+      BandwidthTracking(download: ExponentialMovingAverage.init())
+
   result.sentIHaves.addFirst(default(HashSet[MessageId]))
   result.iDontWants.addFirst(default(HashSet[SaltedId]))
   result.startSendNonPriorityTask()