Hello community, here is the log from the commit of package nghttp2 for openSUSE:Factory checked in at 2018-04-17 11:13:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nghttp2 (Old) and /work/SRC/openSUSE:Factory/.nghttp2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nghttp2" Tue Apr 17 11:13:32 2018 rev:51 rq:596227 version:1.31.1 Changes: -------- --- /work/SRC/openSUSE:Factory/nghttp2/nghttp2.changes 2018-03-01 12:06:08.685681750 +0100 +++ /work/SRC/openSUSE:Factory/.nghttp2.new/nghttp2.changes 2018-04-17 11:13:45.812972600 +0200 
@@ -1,0 +2,30 @@ +Fri Apr 13 08:40:38 UTC 2018 - [email protected] + +- Version umpdate to 1.31.1: + * Fix bsc#1088639 CVE-2018-1000168 + * https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/ + +------------------------------------------------------------------- +Mon Apr 9 10:16:47 UTC 2018 - [email protected] + +- Version update to 1.31.0: + * lib: Add nghttp2_session_set_user_data() public API function (GH-1137) + * src: Define nghttp2_inet_pton wrapper to avoid inet_pton macro (GH-1128) + * nghttpx: Close listening socket on graceful shutdown + * nghttpx: Add an option to accept expired client certificate (GH-1126) + * nghttpx: Add mruby tls_client_not_before, and tls_client_not_after (GH-1123) + * nghttpx: Fix potential memory leak + * lib: Allow PING frame to be sent after GOAWAY (GH-1103) + * nghttpx: Fix bug that h1 backend idle timeout expires sooner + * nghttpx: Stop overwrite of first header on mruby call to env.req.set_header(..) (Patch from Dylan Plecki) (GH-1119) + * nghttpx: Add upgrade-scheme parameter to backend option (GH-1099) + * nghttpx: Fix missing ALPN validation (--npn-list) (GH-1094) + * nghttpx: Remember which resource is pushed for RFC 8297 (GH-1101) + +------------------------------------------------------------------- +Mon Apr 9 08:59:52 UTC 2018 - [email protected] + +- Drop spdylay dependency as it is deprecated since version 1.28.0 + and removed from cofnigure.ac since 1.29.0 + +------------------------------------------------------------------- Old: ---- nghttp2-1.29.0.tar.xz New: ---- nghttp2-1.31.1.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nghttp2.spec ++++++ --- /var/tmp/diff_new_pack.db15sl/_old 2018-04-17 11:13:47.048914637 +0200 +++ /var/tmp/diff_new_pack.db15sl/_new 2018-04-17 11:13:47.052914449 +0200 
@@ -21,7 +21,7 @@ %define soname_asio libnghttp2_asio %define sover_asio 1 Name: nghttp2 -Version: 1.29.0 +Version: 1.31.1 Release: 0 Summary: Implementation of Hypertext Transfer Protocol version 2 in C License: MIT @@ -36,15 +36,14 @@ BuildRequires: gcc-c++ BuildRequires: libtool BuildRequires: pkgconfig +BuildRequires: python-rpm-macros BuildRequires: python3-Cython BuildRequires: python3-devel -BuildRequires: python-rpm-macros BuildRequires: python3-setuptools BuildRequires: pkgconfig(cunit) BuildRequires: pkgconfig(jansson) BuildRequires: pkgconfig(libcares) BuildRequires: pkgconfig(libev) -BuildRequires: pkgconfig(libspdylay) BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libxml-2.0) BuildRequires: pkgconfig(openssl) @@ -122,6 +121,8 @@ %prep %setup -q %patch0 -p1 +# fix python shebang +sed -i -e 's:#!%{_bindir}/env python:#!%{_bindir}/python3:g' script/fetch-ocsp-response %build autoreconf -fiv ++++++ nghttp2-1.29.0.tar.xz -> nghttp2-1.31.1.tar.xz ++++++ ++++ 2013 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/AUTHORS new/nghttp2-1.31.1/AUTHORS --- old/nghttp2-1.29.0/AUTHORS 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/AUTHORS 2018-04-12 16:46:47.000000000 +0200 
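Review bot: The shebang rewrite added to %prep is unanchored, so the pattern `#!%{_bindir}/env python` also matches the front of `#!%{_bindir}/env python3` and would leave `#!%{_bindir}/python33` behind if upstream ever ships the script with a python3 shebang. Restricting the substitution to the first line and to the whole shebang avoids that: `sed -i -e '1s:^#!%{_bindir}/env python$:#!%{_bindir}/python3:' script/fetch-ocsp-response`. A pattern that stops matching is still silent with either form, so a follow-up check on the first line of the script is worth considering if the build should fail when the shebang changes.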
@@ -35,6 +35,7 @@ David Beitey David Weekly Dmitriy Vetutnev +Dylan Plecki Etienne Cimon Fabian Möller Fabian Wiesel diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/CMakeLists.txt new/nghttp2-1.31.1/CMakeLists.txt --- old/nghttp2-1.29.0/CMakeLists.txt 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/CMakeLists.txt 2018-04-12 16:46:47.000000000 +0200 @@ -24,13 +24,13 @@ cmake_minimum_required(VERSION 3.0) # XXX using 1.8.90 instead of 1.9.0-DEV -project(nghttp2 VERSION 1.29.0) +project(nghttp2 VERSION 1.31.1) # See versioning rule: # http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html -set(LT_CURRENT 29) +set(LT_CURRENT 30) set(LT_REVISION 1) -set(LT_AGE 15) +set(LT_AGE 16) set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH}) include(Version) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/ChangeLog new/nghttp2-1.31.1/ChangeLog --- old/nghttp2-1.29.0/ChangeLog 2017-12-19 15:36:03.000000000 +0100 +++ new/nghttp2-1.31.1/ChangeLog 2018-04-12 16:48:28.000000000 +0200 
@@ -1,204 +1,23 @@ -commit 439b9b6c6a3120da7a75ace62e9223751f4342c0 (HEAD, tag: v1.29.0, origin/master, origin/HEAD, master) +commit 1e22b36c61d52bb0446a63f5994b1fbe8c7ce0db (HEAD, tag: v1.31.1, origin/v1.31.x, origin/HEAD, v1.31.x) Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-19 +AuthorDate: 2018-04-07 Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2017-12-19 +CommitDate: 2018-04-07 Update manual pages -commit 48498452925b7d0bc5d883a3f76d01855d53d0cf +commit 0f818baf61c5762093d23520f7ee513d6e9e942e Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-19 +AuthorDate: 2018-04-07 Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2017-12-19 +CommitDate: 2018-04-07 - Bump up version number to v1.29.0, LT revision to 29:1:15 + Bump up version number to 1.31.1 -commit d30f38163c996d7aae43519d9245d7d87fd9a783 +commit c411d16945d658a181d92ca36bfea30853edab37 Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-17 +AuthorDate: 2018-04-07 Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2017-12-17 +CommitDate: 2018-04-07 - Update manual pages - -commit cff9ebe1ddf53d61dd2c66d4f68b7b7265ecdac0 -Merge: 48f57407 4d1139f6 -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-17 -Commit: GitHub <[email protected]> -CommitDate: 2017-12-17 - - Merge pull request #1091 from nghttp2/remove-spdy - - Remove SPDY - -commit 4d1139f65399c437700cf51bec98832e05a89f06 -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-17 -Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2017-12-17 - - Remove SPDY - -commit 48f574076c9ef0104ed6e73ef02e30de46bd7b74 -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-16 -Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2017-12-16 - - nghttpx: Update doc - -commit c1f14d73c7ae64391c024c3187984fbda2a51bbf -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-14 -Commit: Tatsuhiro 
Tsujikawa <[email protected]> -CommitDate: 2017-12-14 - - Update manual pages - -commit 216f4dad83a0fb0778b915c9d29f957438b0ba18 -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-14 -Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2017-12-14 - - nghttpx: Remove redundant check - -commit a4e27d766b57ebb8ac4c34db9b6da2026252a0d8 -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-14 -Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2017-12-14 - - Revert "nghttpx: Use an existing h2 backend connection as much as possible" - - This reverts commit f507b5eee4b40a6621b39e8519c22a8d741794de. - - Balancing load is more important at the moment. - -commit 96df14d2ecb87e87e802d16e5b1388c0958c01e6 -Merge: 96ea9cda 2365f12e -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-14 -Commit: GitHub <[email protected]> -CommitDate: 2017-12-14 - - Merge pull request #1084 from dvetutnev/cmake_module_path - - Fix CMAKE_MODULE_PATH - -commit 2365f12e394541d22ba806f23313d73d4e976830 -Author: Dmitriy Vetutnev <[email protected]> -AuthorDate: 2017-12-06 -Commit: Dmitriy Vetutnev <[email protected]> -CommitDate: 2017-12-06 - - Fix CMAKE_MODULE_PATH - -commit 96ea9cdaf78cefcbc220c6cad03d644061cfce16 -Merge: a9416999 03f7ec0f -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-03 -Commit: GitHub <[email protected]> -CommitDate: 2017-12-03 - - Merge pull request #1083 from nghttp2/nghttpx-api-tmp-file - - nghttpx: Write API request body in temporary file - -commit 03f7ec0f60dd75121578a15d8320ace7def3a279 -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-02 -Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2017-12-03 - - nghttpx: Write API request body in temporary file - -commit a9416999628c5fa6cc226e5dffdfe750de30637e -Merge: 04348ff2 2056e812 -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-02 -Commit: GitHub <[email protected]> -CommitDate: 
2017-12-02 - - Merge pull request #1082 from nghttp2/nghttpx-increase-api-max-request-body - - nghttpx: Increase api-max-request-body - -commit 2056e812bd6cbf3d4918d1d65d85cb02bde8220c -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-02 -Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2017-12-02 - - nghttpx: Increase api-max-request-body - -commit 04348ff20e42db67a1819dda03f709e45985cdad -Merge: d8e378fe 1ebb6810 -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-01 -Commit: GitHub <[email protected]> -CommitDate: 2017-12-01 - - Merge pull request #1081 from nghttp2/nghttpx-faster-parse-config - - nghttpx: Faster configuration loading with lots of backends - -commit d8e378fea95780e66394dc9d471facbc7e891e34 -Merge: 2a694b27 a3ebeeaf -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-01 -Commit: GitHub <[email protected]> -CommitDate: 2017-12-01 - - Merge pull request #1080 from nghttp2/nghttpx-fix-crash-with-backend-http-proxy-uri - - nghttpx: Fix crash with --backend-http-proxy-uri option - -commit 1ebb6810a1aca7ec641e602924fb2ecb90f59f51 -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-01 -Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2017-12-01 - - nghttpx: Faster configuration loading with lots of backends - -commit 2a694b270a37806e3f7431b0f64949fdd047c559 -Merge: 97f1735c 422ad1be -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-01 -Commit: GitHub <[email protected]> -CommitDate: 2017-12-01 - - Merge pull request #1077 from nghttp2/refused-stream - - Use NGHTTP2_REFUSED_STREAM for streams which are closed by GOAWAY - -commit a3ebeeafbab4c871a7856e2a6e4fdde497b24060 -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-12-01 -Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2017-12-01 - - nghttpx: Fix crash with --backend-http-proxy-uri option - -commit 422ad1be3253fb263a70b159e2e85d803f8a2d85 -Author: 
Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-11-30 -Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2017-11-30 - - Use NGHTTP2_REFUSED_STREAM for streams which are closed by GOAWAY - - The error code NGHTTP2_REFUSED_STREAM is passed to - nghttp2_on_stream_close callback when a stream is closed because its - stream ID is strictly larger than incoming or outgoing GOAWAY. - -commit 97f1735cf5a15ae107aeed9bbf8d06ad7dc5a3c2 -Author: Tatsuhiro Tsujikawa <[email protected]> -AuthorDate: 2017-11-25 -Commit: Tatsuhiro Tsujikawa <[email protected]> -CommitDate: 2017-11-25 - - Bump up version number to 1.29.0 + Fix frame handling diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/configure.ac new/nghttp2-1.31.1/configure.ac --- old/nghttp2-1.29.0/configure.ac 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/configure.ac 2018-04-12 16:46:47.000000000 +0200 @@ -25,7 +25,7 @@ dnl http://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html AC_PREREQ(2.61) -AC_INIT([nghttp2], [1.29.0], [[email protected]]) +AC_INIT([nghttp2], [1.31.1], [[email protected]]) AC_CONFIG_AUX_DIR([.]) AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_HEADERS([config.h]) 
@@ -44,9 +44,9 @@ dnl See versioning rule: dnl http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html -AC_SUBST(LT_CURRENT, 29) +AC_SUBST(LT_CURRENT, 30) AC_SUBST(LT_REVISION, 1) -AC_SUBST(LT_AGE, 15) +AC_SUBST(LT_AGE, 16) major=`echo $PACKAGE_VERSION |cut -d. -f1 | sed -e "s/[^0-9]//g"` minor=`echo $PACKAGE_VERSION |cut -d. -f2 | sed -e "s/[^0-9]//g"` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/Makefile.am new/nghttp2-1.31.1/doc/Makefile.am --- old/nghttp2-1.29.0/doc/Makefile.am 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/doc/Makefile.am 2018-04-12 16:46:47.000000000 +0200 @@ -143,6 +143,7 @@ nghttp2_session_set_local_window_size.rst \ nghttp2_session_set_next_stream_id.rst \ nghttp2_session_set_stream_user_data.rst \ + nghttp2_session_set_user_data.rst \ nghttp2_session_terminate_session.rst \ nghttp2_session_terminate_session2.rst \ nghttp2_session_upgrade.rst \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/bash_completion/nghttpx new/nghttp2-1.31.1/doc/bash_completion/nghttpx --- old/nghttp2-1.29.0/doc/bash_completion/nghttpx 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/doc/bash_completion/nghttpx 2018-04-12 16:46:47.000000000 +0200 
@@ -8,7 +8,7 @@ _get_comp_words_by_ref cur prev case $cur in -*) - COMPREPLY=( $( compgen -W '--worker-read-rate --include --frontend-http2-dump-response-header --tls-ticket-key-file --verify-client-cacert --max-response-header-fields --backend-http2-window-size --frontend-keep-alive-timeout --backend-request-buffer --max-request-header-fields --fastopen --backend-connect-timeout --tls-max-proto-version --conf --dns-lookup-timeout --backend-http2-max-concurrent-streams --worker-write-burst --npn-list --dns-max-try --fetch-ocsp-response-file --no-via --tls-session-cache-memcached-cert-file --no-http2-cipher-black-list --mruby-file --client-no-http2-cipher-black-list --stream-read-timeout --client-ciphers --ocsp-update-interval --forwarded-for --accesslog-syslog --dns-cache-timeout --frontend-http2-read-timeout --listener-disable-timeout --ciphers --client-psk-secrets --strip-incoming-x-forwarded-for --no-server-rewrite --private-key-passwd-file --backend-keep-alive-timeout --backend-http-proxy-uri --frontend-max-requests --rlimit-nofile --no-strip-incoming-x-forwarded-proto --tls-ticket-key-memcached-cert-file --no-verify-ocsp --forwarded-by --tls-session-cache-memcached-private-key-file --error-page --ocsp-startup --backend-write-timeout --tls-dyn-rec-warmup-threshold --tls-ticket-key-memcached-max-retry --frontend-http2-window-size --http2-no-cookie-crumbling --worker-read-burst --dh-param-file --accesslog-format --errorlog-syslog --redirect-https-port --request-header-field-buffer --api-max-request-body --frontend-http2-decoder-dynamic-table-size --errorlog-file --frontend-http2-max-concurrent-streams --psk-secrets --frontend-write-timeout --tls-ticket-key-cipher --read-burst --no-add-x-forwarded-proto --backend --server-name --insecure --backend-max-backoff --log-level --host-rewrite --tls-ticket-key-memcached-interval --frontend-http2-setting-timeout --frontend-http2-connection-window-size --worker-frontend-connections --syslog-facility --no-server-push 
--no-location-rewrite --single-thread --tls-session-cache-memcached --no-ocsp --backend-response-buffer --tls-min-proto-version --workers --add-forwarded --worker-write-rate --add-request-header --backend-http2-settings-timeout --subcert --ecdh-curves --no-kqueue --help --frontend-frame-debug --tls-sct-dir --pid-file --frontend-http2-dump-request-header --daemon --write-rate --altsvc --backend-http2-decoder-dynamic-table-size --user --add-x-forwarded-for --frontend-read-timeout --tls-ticket-key-memcached-max-fail --backlog --write-burst --backend-connections-per-host --response-header-field-buffer --tls-ticket-key-memcached-address-family --padding --tls-session-cache-memcached-address-family --stream-write-timeout --cacert --tls-ticket-key-memcached-private-key-file --accesslog-write-early --backend-address-family --backend-http2-connection-window-size --version --add-response-header --backend-read-timeout --frontend-http2-optimize-window-size --frontend --accesslog-file --http2-proxy --backend-http2-encoder-dynamic-table-size --client-private-key-file --single-process --client-cert-file --tls-ticket-key-memcached --tls-dyn-rec-idle-timeout --frontend-http2-optimize-write-buffer-size --verify-client --frontend-http2-encoder-dynamic-table-size --read-rate --backend-connections-per-frontend --strip-incoming-forwarded ' -- "$cur" ) ) + COMPREPLY=( $( compgen -W '--worker-read-rate --include --frontend-http2-dump-response-header --tls-ticket-key-file --verify-client-cacert --max-response-header-fields --backend-http2-window-size --frontend-keep-alive-timeout --backend-request-buffer --max-request-header-fields --backend-connect-timeout --tls-max-proto-version --conf --dns-lookup-timeout --backend-http2-max-concurrent-streams --worker-write-burst --npn-list --dns-max-try --fetch-ocsp-response-file --no-via --tls-session-cache-memcached-cert-file --no-http2-cipher-black-list --mruby-file --add-forwarded --client-no-http2-cipher-black-list --stream-read-timeout 
--client-ciphers --ocsp-update-interval --forwarded-for --accesslog-syslog --dns-cache-timeout --frontend-http2-read-timeout --listener-disable-timeout --ciphers --client-psk-secrets --strip-incoming-x-forwarded-for --no-server-rewrite --private-key-passwd-file --backend-keep-alive-timeout --backend-http-proxy-uri --frontend-max-requests --rlimit-nofile --no-strip-incoming-x-forwarded-proto --tls-ticket-key-memcached-cert-file --no-verify-ocsp --forwarded-by --tls-session-cache-memcached-private-key-file --error-page --ocsp-startup --backend-write-timeout --tls-dyn-rec-warmup-threshold --tls-ticket-key-memcached-max-retry --frontend-http2-window-size --http2-no-cookie-crumbling --worker-read-burst --dh-param-file --accesslog-format --errorlog-syslog --redirect-https-port --request-header-field-buffer --api-max-request-body --frontend-http2-decoder-dynamic-table-size --errorlog-file --frontend-http2-max-concurrent-streams --psk-secrets --frontend-write-timeout --tls-ticket-key-cipher --read-burst --no-add-x-forwarded-proto --backend --server-name --insecure --backend-max-backoff --log-level --host-rewrite --tls-ticket-key-memcached-interval --frontend-http2-setting-timeout --frontend-http2-connection-window-size --worker-frontend-connections --syslog-facility --fastopen --no-location-rewrite --single-thread --tls-session-cache-memcached --no-ocsp --backend-response-buffer --tls-min-proto-version --workers --add-x-forwarded-for --no-server-push --worker-write-rate --add-request-header --backend-http2-settings-timeout --subcert --ecdh-curves --no-kqueue --help --frontend-frame-debug --tls-sct-dir --pid-file --frontend-http2-dump-request-header --daemon --write-rate --altsvc --backend-http2-decoder-dynamic-table-size --user --verify-client-tolerate-expired --frontend-read-timeout --tls-ticket-key-memcached-max-fail --backlog --write-burst --backend-connections-per-host --response-header-field-buffer --tls-ticket-key-memcached-address-family --padding 
--tls-session-cache-memcached-address-family --stream-write-timeout --cacert --tls-ticket-key-memcached-private-key-file --accesslog-write-early --backend-address-family --backend-http2-connection-window-size --version --add-response-header --backend-read-timeout --frontend-http2-optimize-window-size --frontend --accesslog-file --http2-proxy --backend-http2-encoder-dynamic-table-size --client-private-key-file --single-process --client-cert-file --tls-ticket-key-memcached --tls-dyn-rec-idle-timeout --frontend-http2-optimize-write-buffer-size --verify-client --frontend-http2-encoder-dynamic-table-size --read-rate --backend-connections-per-frontend --strip-incoming-forwarded ' -- "$cur" ) ) ;; *) _filedir diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/h2load.1 new/nghttp2-1.31.1/doc/h2load.1 --- old/nghttp2-1.29.0/doc/h2load.1 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/doc/h2load.1 2018-04-12 16:46:47.000000000 +0200 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "H2LOAD" "1" "Dec 19, 2017" "1.29.0" "nghttp2" +.TH "H2LOAD" "1" "Apr 07, 2018" "1.31.1" "nghttp2" .SH NAME h2load \- HTTP/2 benchmarking tool . diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/nghttp.1 new/nghttp2-1.31.1/doc/nghttp.1 --- old/nghttp2-1.29.0/doc/nghttp.1 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/doc/nghttp.1 2018-04-12 16:46:47.000000000 +0200 
@@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTP" "1" "Dec 19, 2017" "1.29.0" "nghttp2" +.TH "NGHTTP" "1" "Apr 07, 2018" "1.31.1" "nghttp2" .SH NAME nghttp \- HTTP/2 client . diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/nghttp2_session_set_user_data.rst new/nghttp2-1.31.1/doc/nghttp2_session_set_user_data.rst --- old/nghttp2-1.29.0/doc/nghttp2_session_set_user_data.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/nghttp2-1.31.1/doc/nghttp2_session_set_user_data.rst 2018-04-12 16:50:00.000000000 +0200 @@ -0,0 +1,15 @@ + +nghttp2_session_set_user_data +============================= + +Synopsis +-------- + +*#include <nghttp2/nghttp2.h>* + +.. function:: void nghttp2_session_set_user_data(nghttp2_session *session, void *user_data) + + + Sets *user_data* to *session*, overwriting the existing user data + specified in `nghttp2_session_client_new()`, or + `nghttp2_session_server_new()`. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/nghttpd.1 new/nghttp2-1.31.1/doc/nghttpd.1 --- old/nghttp2-1.29.0/doc/nghttpd.1 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/doc/nghttpd.1 2018-04-12 16:46:47.000000000 +0200 
@@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPD" "1" "Dec 19, 2017" "1.29.0" "nghttp2" +.TH "NGHTTPD" "1" "Apr 07, 2018" "1.31.1" "nghttp2" .SH NAME nghttpd \- HTTP/2 server . diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/nghttpx.1 new/nghttp2-1.31.1/doc/nghttpx.1 --- old/nghttp2-1.29.0/doc/nghttpx.1 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/doc/nghttpx.1 2018-04-12 16:46:47.000000000 +0200 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPX" "1" "Dec 19, 2017" "1.29.0" "nghttp2" +.TH "NGHTTPX" "1" "Apr 07, 2018" "1.31.1" "nghttp2" .SH NAME nghttpx \- HTTP/2 proxy . @@ -228,6 +228,13 @@ "redirect\-if\-no\-tls" parameter to all backends explicitly if this feature is desired. .sp +If "upgrade\-scheme" parameter is used along with "tls" +parameter, HTTP/2 :scheme pseudo header field is changed +to "https" from "http" when forwarding a request to this +particular backend. This is a workaround for a backend +server which requires "https" :scheme pseudo header +field on TLS encrypted connection. +.sp Since ";" and ":" are used as delimiter, <PATTERN> must not contain these characters. Since ";" has special meaning in shell, the option value must be quoted. @@ -691,6 +698,14 @@ .UNINDENT .INDENT 0.0 .TP +.B \-\-verify\-client\-tolerate\-expired +Accept expired client certificate. Operator should +handle the expired client certificate by some means +(e.g., mruby script). Otherwise, this option might +cause a security risk. +.UNINDENT +.INDENT 0.0 +.TP .B \-\-client\-private\-key\-file=<PATH> Path to file that contains client private key used in backend client authentication. 
@@ -989,7 +1004,7 @@ Set the maximum number of the concurrent streams in one frontend HTTP/2 session. .sp -Default: \(ga\(ga 100\(ga\(ga +Default: \fB100\fP .UNINDENT .INDENT 0.0 .TP @@ -2023,6 +2038,18 @@ .UNINDENT .INDENT 7.0 .TP +.B attribute [R] tls_client_not_before +Return the start date of a client certificate in seconds since +the epoch. +.UNINDENT +.INDENT 7.0 +.TP +.B attribute [R] tls_client_not_after +Return the end date of a client certificate in seconds since +the epoch. +.UNINDENT +.INDENT 7.0 +.TP .B attribute [R] tls_cipher Return a TLS cipher negotiated in this connection. .UNINDENT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/doc/nghttpx.1.rst new/nghttp2-1.31.1/doc/nghttpx.1.rst --- old/nghttp2-1.29.0/doc/nghttpx.1.rst 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/doc/nghttpx.1.rst 2018-04-12 16:46:47.000000000 +0200 @@ -212,6 +212,13 @@ "redirect-if-no-tls" parameter to all backends explicitly if this feature is desired. + If "upgrade-scheme" parameter is used along with "tls" + parameter, HTTP/2 :scheme pseudo header field is changed + to "https" from "http" when forwarding a request to this + particular backend. This is a workaround for a backend + server which requires "https" :scheme pseudo header + field on TLS encrypted connection. + Since ";" and ":" are used as delimiter, <PATTERN> must not contain these characters. Since ";" has special meaning in shell, the option value must be quoted. 
@@ -637,6 +644,13 @@ client certificate. The file must be in PEM format. It can contain multiple certificates. +.. option:: --verify-client-tolerate-expired + + Accept expired client certificate. Operator should + handle the expired client certificate by some means + (e.g., mruby script). Otherwise, this option might + cause a security risk. + .. option:: --client-private-key-file=<PATH> Path to file that contains client private key used in @@ -910,7 +924,7 @@ Set the maximum number of the concurrent streams in one frontend HTTP/2 session. - Default: `` 100`` + Default: ``100`` .. option:: --backend-http2-max-concurrent-streams=<N> @@ -1852,6 +1866,16 @@ Return the serial number of a client certificate. + .. rb:attr_reader:: tls_client_not_before + + Return the start date of a client certificate in seconds since + the epoch. + + .. rb:attr_reader:: tls_client_not_after + + Return the end date of a client certificate in seconds since + the epoch. + .. rb:attr_reader:: tls_cipher Return a TLS cipher negotiated in this connection. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/lib/includes/nghttp2/nghttp2.h new/nghttp2-1.31.1/lib/includes/nghttp2/nghttp2.h --- old/nghttp2-1.29.0/lib/includes/nghttp2/nghttp2.h 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/lib/includes/nghttp2/nghttp2.h 2018-04-12 16:46:47.000000000 +0200 
@@ -3084,6 +3084,16 @@ /** * @function * + * Sets |user_data| to |session|, overwriting the existing user data + * specified in `nghttp2_session_client_new()`, or + * `nghttp2_session_server_new()`. + */ +NGHTTP2_EXTERN void nghttp2_session_set_user_data(nghttp2_session *session, + void *user_data); + +/** + * @function + * * Returns the number of frames in the outbound queue. This does not * include the deferred DATA frames. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/lib/includes/nghttp2/nghttp2ver.h new/nghttp2-1.31.1/lib/includes/nghttp2/nghttp2ver.h --- old/nghttp2-1.29.0/lib/includes/nghttp2/nghttp2ver.h 2017-12-19 15:36:24.000000000 +0100 +++ new/nghttp2-1.31.1/lib/includes/nghttp2/nghttp2ver.h 2018-04-12 16:49:58.000000000 +0200 @@ -29,7 +29,7 @@ * @macro * Version number of the nghttp2 library release */ -#define NGHTTP2_VERSION "1.29.0" +#define NGHTTP2_VERSION "1.31.1" /** * @macro @@ -37,6 +37,6 @@ * release. This is a 24 bit number with 8 bits for major number, 8 bits * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203. */ -#define NGHTTP2_VERSION_NUM 0x011d00 +#define NGHTTP2_VERSION_NUM 0x011f01 #endif /* NGHTTP2VER_H */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/lib/nghttp2_frame.c new/nghttp2-1.31.1/lib/nghttp2_frame.c --- old/nghttp2-1.29.0/lib/nghttp2_frame.c 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/lib/nghttp2_frame.c 2018-04-12 16:46:47.000000000 +0200 
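Review bot: The doc comment added for `nghttp2_session_set_user_data()` does not say what happens to the pointer being replaced. The implementation later in this diff is a plain `session->user_data = user_data;`, so the library neither frees nor inspects the old value and the caller remains responsible for it. Saying so helps applications that swap the pointer avoid leaks and dangling references. Suggested extra line in the comment: ` * The library does not free the previous user data; the caller keeps ownership of both pointers.` The same sentence would fit the generated doc/nghttp2_session_set_user_data.rst.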
@@ -215,6 +215,9 @@ nghttp2_ext_altsvc *altsvc; altsvc = frame->payload; + if (altsvc == NULL) { + return; + } /* We use the same buffer for altsvc->origin and altsvc->field_value. */ nghttp2_mem_free(mem, altsvc->origin); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/lib/nghttp2_session.c new/nghttp2-1.31.1/lib/nghttp2_session.c --- old/nghttp2-1.29.0/lib/nghttp2_session.c 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/lib/nghttp2_session.c 2018-04-12 16:46:47.000000000 +0200 @@ -2225,8 +2225,9 @@ assert(session->obq_flood_counter_ > 0); --session->obq_flood_counter_; } - - if (session_is_closing(session)) { + /* PING frame is allowed to be sent unless termination GOAWAY is + sent */ + if (session->goaway_flags & NGHTTP2_GOAWAY_TERM_ON_SEND) { return NGHTTP2_ERR_SESSION_CLOSING; } nghttp2_frame_pack_ping(&session->aob.framebufs, &frame->ping); @@ -7520,3 +7521,7 @@ nghttp2_session_get_hd_deflate_dynamic_table_size(nghttp2_session *session) { return nghttp2_hd_deflate_get_dynamic_table_size(&session->hd_deflater); } + +void nghttp2_session_set_user_data(nghttp2_session *session, void *user_data) { + session->user_data = user_data; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/http2.cc new/nghttp2-1.31.1/src/http2.cc --- old/nghttp2-1.29.0/src/http2.cc 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/http2.cc 2018-04-12 16:46:47.000000000 +0200 
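Review bot: The new `if (altsvc == NULL) { return; }` guard in lib/nghttp2_frame.c has no comment saying when `frame->payload` can be NULL at free time, which is the whole reason for the change. The enclosing function starts and ends outside the hunk, so the path that reaches it without a payload is not visible here. Presumably it is a frame discarded before its ALTSVC payload was attached, and the package changelog ties this release to CVE-2018-1000168. I would add `/* payload is not set when the frame is dropped before the ALTSVC payload is attached */` above the check, with the wording confirmed against the receive path. A unit test that frees an extension frame with a NULL payload would also help, since no test change appears in the part of the diff shown here.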
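Review bot: The PING path in lib/nghttp2_session.c now tests only `session->goaway_flags & NGHTTP2_GOAWAY_TERM_ON_SEND`, which is narrower than the `session_is_closing(session)` call it replaces. Whatever else that helper checked (its body is outside this hunk) no longer stops a PING from being packed, so please confirm none of those conditions still needs to hold at this point. The new comment could record that decision, for example `/* PING frame is allowed to be sent unless termination GOAWAY is sent; other closing conditions are deliberately not checked here */`. The enclosing function starts and ends outside the hunk.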
@@ -36,6 +36,8 @@ return StringRef::from_lit("Continue"); case 101: return StringRef::from_lit("Switching Protocols"); + case 103: + return StringRef::from_lit("Early Hints"); case 200: return StringRef::from_lit("OK"); case 201: @@ -140,6 +142,8 @@ return StringRef::from_lit("100"); case 101: return StringRef::from_lit("101"); + case 103: + return StringRef::from_lit("103"); case 200: return StringRef::from_lit("200"); case 201: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx.cc new/nghttp2-1.31.1/src/shrpx.cc --- old/nghttp2-1.29.0/src/shrpx.cc 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx.cc 2018-04-12 16:46:47.000000000 +0200 @@ -573,9 +573,14 @@ case EXEC_BINARY_SIGNAL: exec_binary(); return; - case GRACEFUL_SHUTDOWN_SIGNAL: + case GRACEFUL_SHUTDOWN_SIGNAL: { + auto &listenerconf = get_config()->conn.listener; + for (auto &addr : listenerconf.addrs) { + close(addr.fd); + } ipc_send(wp, SHRPX_IPC_GRACEFUL_SHUTDOWN); return; + } case RELOAD_SIGNAL: reload_config(wp); return; @@ -1815,6 +1820,13 @@ "redirect-if-no-tls" parameter to all backends explicitly if this feature is desired. + If "upgrade-scheme" parameter is used along with "tls" + parameter, HTTP/2 :scheme pseudo header field is changed + to "https" from "http" when forwarding a request to this + particular backend. This is a workaround for a backend + server which requires "https" :scheme pseudo header + field on TLS encrypted connection. + Since ";" and ":" are used as delimiter, <PATTERN> must not contain these characters. Since ";" has special meaning in shell, the option value must be quoted. 
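Review bot: The loop added under `GRACEFUL_SHUTDOWN_SIGNAL` in src/shrpx.cc closes every `addr.fd` but leaves the stale descriptor numbers in the listener configuration and ignores the result of `close()`. If the signal is delivered a second time, or any later path still reads `listenerconf.addrs`, the same numbers are closed or used again, and by then they may belong to unrelated descriptors. I would make the close one-shot, either with a flag checked before the loop or by resetting the stored fd to -1 if the configuration object is writable at this point. The enclosing signal handler starts and ends outside the hunk.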
@@ -2130,6 +2142,11 @@ Path to file that contains CA certificates to verify client certificate. The file must be in PEM format. It can contain multiple certificates. + --verify-client-tolerate-expired + Accept expired client certificate. Operator should + handle the expired client certificate by some means + (e.g., mruby script). Otherwise, this option might + cause a security risk. --client-private-key-file=<PATH> Path to file that contains client private key used in backend client authentication. @@ -2349,7 +2366,7 @@ -c, --frontend-http2-max-concurrent-streams=<N> Set the maximum number of the concurrent streams in one frontend HTTP/2 session. - Default: )" + Default: )" << config->http2.upstream.max_concurrent_streams << R"( --backend-http2-max-concurrent-streams=<N> Set the maximum number of the concurrent streams in one @@ -3399,6 +3416,8 @@ {SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO.c_str(), no_argument, &flag, 158}, {SHRPX_OPT_SINGLE_PROCESS.c_str(), no_argument, &flag, 159}, + {SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED.c_str(), no_argument, &flag, + 160}, {nullptr, 0, nullptr, 0}}; int option_index = 0; @@ -4160,6 +4179,11 @@ cmdcfgs.emplace_back(SHRPX_OPT_SINGLE_PROCESS, StringRef::from_lit("yes")); break; + case 160: + // --verify-client-tolerate-expired + cmdcfgs.emplace_back(SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED, + StringRef::from_lit("yes")); + break; default: break; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_client_handler.cc new/nghttp2-1.31.1/src/shrpx_client_handler.cc --- old/nghttp2-1.29.0/src/shrpx_client_handler.cc 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_client_handler.cc 2018-04-12 16:46:47.000000000 +0200 
@@ -556,28 +556,20 @@ } #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L - if (next_proto == nullptr) { - if (LOG_ENABLED(INFO)) { - CLOG(INFO, this) << "No protocol negotiated. Fallback to HTTP/1.1"; - } + StringRef proto; - upstream_ = make_unique<HttpsUpstream>(this); - alpn_ = StringRef::from_lit("http/1.1"); + if (next_proto) { + proto = StringRef{next_proto, next_proto_len}; - // At this point, input buffer is already filled with some bytes. - // The read callback is not called until new data come. So consume - // input buffer here. - if (on_read() != 0) { - return -1; + if (LOG_ENABLED(INFO)) { + CLOG(INFO, this) << "The negotiated next protocol: " << proto; + } + } else { + if (LOG_ENABLED(INFO)) { + CLOG(INFO, this) << "No protocol negotiated. Fallback to HTTP/1.1"; } - return 0; - } - - auto proto = StringRef{next_proto, next_proto_len}; - - if (LOG_ENABLED(INFO)) { - CLOG(INFO, this) << "The negotiated next protocol: " << proto; + proto = StringRef::from_lit("http/1.1"); } if (!tls::in_proto_list(get_config()->tls.npn_list, proto)) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_config.cc new/nghttp2-1.31.1/src/shrpx_config.cc --- old/nghttp2-1.29.0/src/shrpx_config.cc 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_config.cc 2018-04-12 16:46:47.000000000 +0200 @@ -814,6 +814,7 @@ bool tls; bool dns; bool redirect_if_not_tls; + bool upgrade_scheme; }; namespace { 
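Review bot: In src/shrpx_client_handler.cc the "no protocol negotiated" case no longer returns early and now falls through to the `tls::in_proto_list(get_config()->tls.npn_list, proto)` check, but nothing in the code says that this is the purpose of the restructuring. A comment above the `else` branch such as `// No ALPN/NPN result: treat as "http/1.1" so the npn_list check below still applies` would keep someone from re-adding the shortcut. The INFO message "Fallback to HTTP/1.1" is now written before that check, so it can presumably appear for a connection that is then refused; the rejection branch is outside the hunk, so this should be confirmed there.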
@@ -918,6 +919,8 @@ out.dns = true; } else if (util::strieq_l("redirect-if-not-tls", param)) { out.redirect_if_not_tls = true; + } else if (util::strieq_l("upgrade-scheme", param)) { + out.upgrade_scheme = true; } else if (!param.empty()) { LOG(ERROR) << "backend: " << param << ": unknown keyword"; return -1; @@ -977,6 +980,7 @@ addr.tls = params.tls; addr.sni = make_string_ref(downstreamconf.balloc, params.sni); addr.dns = params.dns; + addr.upgrade_scheme = params.upgrade_scheme; auto &routerconf = downstreamconf.router; auto &router = routerconf.router; @@ -2169,6 +2173,11 @@ break; case 30: switch (name[29]) { + case 'd': + if (util::strieq_l("verify-client-tolerate-expire", name, 29)) { + return SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED; + } + break; case 'r': if (util::strieq_l("strip-incoming-x-forwarded-fo", name, 29)) { return SHRPX_OPTID_STRIP_INCOMING_X_FORWARDED_FOR; @@ -3551,6 +3560,10 @@ config->tls.ocsp.no_verify = util::strieq_l("yes", optarg); return 0; + case SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED: + config->tls.client_verify.tolerate_expired = util::strieq_l("yes", optarg); + + return 0; case SHRPX_OPTID_CONF: LOG(WARN) << "conf: ignored"; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_config.h new/nghttp2-1.31.1/src/shrpx_config.h --- old/nghttp2-1.29.0/src/shrpx_config.h 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_config.h 2018-04-12 16:46:47.000000000 +0200 
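Review bot: `upgrade-scheme` is accepted here on its own, although the help text added in shrpx.cc describes it as used together with `tls`, and the forwarding code in shrpx_http2_downstream_connection.cc applies it only when `addr->tls` is set. A backend definition with `upgrade-scheme` but no `tls` is therefore silently a no-op, which an operator may not notice. Parameters can presumably appear in any order, so the check belongs after the parameter loop, which is outside this hunk: `if (out.upgrade_scheme && !out.tls) { LOG(WARN) << "backend: upgrade-scheme: ignored without tls"; }`.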
@@ -343,6 +343,8 @@ StringRef::from_lit("no-strip-incoming-x-forwarded-proto"); constexpr auto SHRPX_OPT_OCSP_STARTUP = StringRef::from_lit("ocsp-startup"); constexpr auto SHRPX_OPT_NO_VERIFY_OCSP = StringRef::from_lit("no-verify-ocsp"); +constexpr auto SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED = + StringRef::from_lit("verify-client-tolerate-expired"); constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8; @@ -461,6 +463,10 @@ bool tls; // true if dynamic DNS is enabled bool dns; + // true if :scheme pseudo header field should be upgraded to secure + // variant (e.g., "https") when forwarding request to a backend + // connected by TLS connection. + bool upgrade_scheme; }; // Mapping hash to idx which is an index into @@ -598,6 +604,8 @@ // certificate validation StringRef cacert; bool enabled; + // true if we accept an expired client certificate. + bool tolerate_expired; } client_verify; // Client (backend connection) TLS configuration. @@ -1121,6 +1129,7 @@ SHRPX_OPTID_USER, SHRPX_OPTID_VERIFY_CLIENT, SHRPX_OPTID_VERIFY_CLIENT_CACERT, + SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED, SHRPX_OPTID_WORKER_FRONTEND_CONNECTIONS, SHRPX_OPTID_WORKER_READ_BURST, SHRPX_OPTID_WORKER_READ_RATE, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_connection_handler.cc new/nghttp2-1.31.1/src/shrpx_connection_handler.cc --- old/nghttp2-1.29.0/src/shrpx_connection_handler.cc 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_connection_handler.cc 2018-04-12 16:46:47.000000000 +0200 
@@ -452,6 +452,8 @@ acceptors_.push_back(std::move(h)); } +void ConnectionHandler::delete_acceptor() { acceptors_.clear(); } + void ConnectionHandler::enable_acceptor() { for (auto &a : acceptors_) { a->enable(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_connection_handler.h new/nghttp2-1.31.1/src/shrpx_connection_handler.h --- old/nghttp2-1.29.0/src/shrpx_connection_handler.h 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_connection_handler.h 2018-04-12 16:46:47.000000000 +0200 @@ -117,6 +117,7 @@ struct ev_loop *get_loop() const; Worker *get_single_worker() const; void add_acceptor(std::unique_ptr<AcceptHandler> h); + void delete_acceptor(); void enable_acceptor(); void disable_acceptor(); void sleep_acceptor(ev_tstamp t); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_downstream.h new/nghttp2-1.31.1/src/shrpx_downstream.h --- old/nghttp2-1.29.0/src/shrpx_downstream.h 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_downstream.h 2018-04-12 16:46:47.000000000 +0200 @@ -32,6 +32,7 @@ #include <string> #include <memory> #include <chrono> +#include <algorithm> #include <ev.h> 
@@ -207,7 +208,40 @@ unconsumed_body_length -= len; } + // returns true if a resource denoted by scheme, authority, and path + // has already been pushed. + bool is_resource_pushed(const StringRef &scheme, const StringRef &authority, + const StringRef &path) const { + if (!pushed_resources) { + return false; + } + return std::find(std::begin(*pushed_resources), std::end(*pushed_resources), + std::make_tuple(scheme, authority, path)) != + std::end(*pushed_resources); + } + + // remember that a resource denoted by scheme, authority, and path + // is pushed. + void resource_pushed(const StringRef &scheme, const StringRef &authority, + const StringRef &path) { + if (!pushed_resources) { + pushed_resources = make_unique< + std::vector<std::tuple<StringRef, StringRef, StringRef>>>(); + } + pushed_resources->emplace_back(scheme, authority, path); + } + FieldStore fs; + // array of the tuple of scheme, authority, and path of pushed + // resource. This is required because RFC 8297 says that server + // typically includes header fields appeared in non-final response + // header fields in final response header fields. Without checking + // that a particular resource has already been pushed, or not, we + // end up pushing the same resource at least twice. It is unknown + // that we should use more complex data structure (e.g., std::set) + // to find the resources faster. + std::unique_ptr<std::vector<std::tuple<StringRef, StringRef, StringRef>>> + pushed_resources; // the length of response body received so far int64_t recv_body_length; // The number of bytes not consumed by the application yet. 
This is diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_http2_downstream_connection.cc new/nghttp2-1.31.1/src/shrpx_http2_downstream_connection.cc --- old/nghttp2-1.29.0/src/shrpx_http2_downstream_connection.cc 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_http2_downstream_connection.cc 2018-04-12 16:46:47.000000000 +0200 @@ -291,7 +291,14 @@ if (req.method != HTTP_CONNECT) { assert(!req.scheme.empty()); - nva.push_back(http2::make_nv_ls_nocopy(":scheme", req.scheme)); + auto addr = http2session_->get_addr(); + assert(addr); + // We will handle more protocol scheme upgrade in the future. + if (addr->tls && addr->upgrade_scheme && req.scheme == "http") { + nva.push_back(http2::make_nv_ll(":scheme", "https")); + } else { + nva.push_back(http2::make_nv_ls_nocopy(":scheme", req.scheme)); + } if (req.method == HTTP_OPTIONS && req.path.empty()) { nva.push_back(http2::make_nv_ll(":path", "*")); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_http2_upstream.cc new/nghttp2-1.31.1/src/shrpx_http2_upstream.cc --- old/nghttp2-1.29.0/src/shrpx_http2_upstream.cc 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_http2_upstream.cc 2018-04-12 16:46:47.000000000 +0200 @@ -2039,7 +2039,7 @@ int rv; const auto &req = downstream->request(); - const auto &resp = downstream->response(); + auto &resp = downstream->response(); auto base = http2::get_pure_path_component(req.path); if (base.empty()) { 
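Review bot: `resource_pushed()` in src/shrpx_downstream.h stores `StringRef` values in `pushed_resources`; if `StringRef` is a non-owning view (elsewhere in this diff it is built from a pointer and a length), the vector keeps pointers to `scheme`, `authority` and `path` after the call returns. The comment on the member should state that requirement, e.g. `// The referenced strings must stay valid for as long as this object lives.` Whether the callers in shrpx_http2_upstream.cc meet it cannot be seen from their hunks. The header also uses `std::vector` and `std::tuple` while the diff adds only `<algorithm>`; including `<vector>` and `<tuple>` explicitly would avoid relying on transitive includes.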
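Review bot: In src/shrpx_http2_downstream_connection.cc the only guard before `addr->tls` is `assert(addr)`, which disappears in builds with `NDEBUG`, so a null return from `http2session_->get_addr()` would be dereferenced there. If null is impossible, say why in a comment; otherwise fall back to the unmodified scheme with `if (addr && addr->tls && addr->upgrade_scheme && req.scheme == "http")`. The comment should also record that the backend is told "https" for a request whose own scheme was "http", so the backend must not treat `:scheme` as evidence that the client connection was encrypted. The enclosing function starts and ends outside the hunk.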
@@ -2069,10 +2069,16 @@ authority = req.authority; } + if (resp.is_resource_pushed(scheme, authority, path)) { + continue; + } + rv = submit_push_promise(scheme, authority, path, downstream); if (rv != 0) { return -1; } + + resp.resource_pushed(scheme, authority, path); } } return 0; @@ -2182,12 +2188,20 @@ authority = req.authority; } + auto &resp = downstream->response(); + + if (resp.is_resource_pushed(scheme, authority, path)) { + return 0; + } + rv = submit_push_promise(scheme, authority, path, downstream); if (rv != 0) { return -1; } + resp.resource_pushed(scheme, authority, path); + return 0; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_http_downstream_connection.cc new/nghttp2-1.31.1/src/shrpx_http_downstream_connection.cc --- old/nghttp2-1.29.0/src/shrpx_http_downstream_connection.cc 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_http_downstream_connection.cc 2018-04-12 16:46:47.000000000 +0200 
@@ -782,8 +782,10 @@ auto conn = static_cast<Connection *>(w->data); auto dconn = static_cast<HttpDownstreamConnection *>(conn->data); - // We don't have to check conn->expired_rt() since we restart timer - // when connection gets idle. + if (w == &conn->rt && !conn->expired_rt()) { + return; + } + if (LOG_ENABLED(INFO)) { DCLOG(INFO, dconn) << "Idle connection timeout"; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_mruby_module_env.cc new/nghttp2-1.31.1/src/shrpx_mruby_module_env.cc --- old/nghttp2-1.29.0/src/shrpx_mruby_module_env.cc 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_mruby_module_env.cc 2018-04-12 16:46:47.000000000 +0200 
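Review bot: The early return added for `w == &conn->rt && !conn->expired_rt()` replaces the old explanatory comment with nothing, so it is not clear why the read timer can now fire before the connection is really idle, or who re-arms it after the return. If `expired_rt()` does not restart the watcher itself, returning here would leave an idle backend connection with no timeout at all; that cannot be verified from the hunk. Once the behaviour is confirmed I would add a comment such as `// rt can fire before the idle period has elapsed; expired_rt() re-arms it when it returns false`. The callback's body continues outside the hunk.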
@@ -260,6 +260,58 @@ } // namespace namespace { +mrb_value env_get_tls_client_not_before(mrb_state *mrb, mrb_value self) { + auto data = static_cast<MRubyAssocData *>(mrb->ud); + auto downstream = data->downstream; + auto upstream = downstream->get_upstream(); + auto handler = upstream->get_client_handler(); + auto ssl = handler->get_ssl(); + + if (!ssl) { + return mrb_fixnum_value(0); + } + + auto x = SSL_get_peer_certificate(ssl); + if (!x) { + return mrb_fixnum_value(0); + } + + time_t t; + if (tls::get_x509_not_before(t, x) != 0) { + return mrb_fixnum_value(0); + } + + return mrb_fixnum_value(t); +} +} // namespace + +namespace { +mrb_value env_get_tls_client_not_after(mrb_state *mrb, mrb_value self) { + auto data = static_cast<MRubyAssocData *>(mrb->ud); + auto downstream = data->downstream; + auto upstream = downstream->get_upstream(); + auto handler = upstream->get_client_handler(); + auto ssl = handler->get_ssl(); + + if (!ssl) { + return mrb_fixnum_value(0); + } + + auto x = SSL_get_peer_certificate(ssl); + if (!x) { + return mrb_fixnum_value(0); + } + + time_t t; + if (tls::get_x509_not_after(t, x) != 0) { + return mrb_fixnum_value(0); + } + + return mrb_fixnum_value(t); +} +} // namespace + +namespace { mrb_value env_get_tls_cipher(mrb_state *mrb, mrb_value self) { auto data = static_cast<MRubyAssocData *>(mrb->ud); auto downstream = data->downstream; 
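Review bot: Both new accessors, `env_get_tls_client_not_before` and `env_get_tls_client_not_after`, leak the certificate returned by `SSL_get_peer_certificate(ssl)`: that call hands back a new reference which the caller must release with `X509_free()`, and neither the error return nor the success return does so. Because these run from an mruby script on the request path, each call on a connection that presented a client certificate leaks one reference, which lets memory grow with request volume. Release it on every path after the NULL check, for example with `auto x_deleter = defer(X509_free, x);` or with an explicit `X509_free(x);` before each return. The `defer` helper is used in the shrpx_tls.cc part of this diff, but whether it is in scope in this file is not visible.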
@@ -374,6 +426,10 @@ env_get_tls_client_subject_name, MRB_ARGS_NONE()); mrb_define_method(mrb, env_class, "tls_client_serial", env_get_tls_client_serial, MRB_ARGS_NONE()); + mrb_define_method(mrb, env_class, "tls_client_not_before", + env_get_tls_client_not_before, MRB_ARGS_NONE()); + mrb_define_method(mrb, env_class, "tls_client_not_after", + env_get_tls_client_not_after, MRB_ARGS_NONE()); mrb_define_method(mrb, env_class, "tls_cipher", env_get_tls_cipher, MRB_ARGS_NONE()); mrb_define_method(mrb, env_class, "tls_protocol", env_get_tls_protocol, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_mruby_module_request.cc new/nghttp2-1.31.1/src/shrpx_mruby_module_request.cc --- old/nghttp2-1.29.0/src/shrpx_mruby_module_request.cc 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_mruby_module_request.cc 2018-04-12 16:46:47.000000000 +0200 @@ -246,8 +246,9 @@ continue; } if (i != p) { - headers[p++] = std::move(kv); + headers[p] = std::move(kv); } + ++p; } headers.resize(p); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_mruby_module_response.cc new/nghttp2-1.31.1/src/shrpx_mruby_module_response.cc --- old/nghttp2-1.29.0/src/shrpx_mruby_module_response.cc 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_mruby_module_response.cc 2018-04-12 16:46:47.000000000 +0200 
@@ -138,8 +138,9 @@ continue; } if (i != p) { - headers[p++] = std::move(kv); + headers[p] = std::move(kv); } + ++p; } headers.resize(p); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_tls.cc new/nghttp2-1.31.1/src/shrpx_tls.cc --- old/nghttp2-1.29.0/src/shrpx_tls.cc 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_tls.cc 2018-04-12 16:46:47.000000000 +0200 @@ -64,6 +64,7 @@ #include "tls.h" #include "template.h" #include "ssl_compat.h" +#include "timegm.h" using namespace nghttp2; @@ -94,6 +95,12 @@ if (!preverify_ok) { int err = X509_STORE_CTX_get_error(ctx); int depth = X509_STORE_CTX_get_error_depth(ctx); + if (err == X509_V_ERR_CERT_HAS_EXPIRED && depth == 0 && + get_config()->tls.client_verify.tolerate_expired) { + LOG(INFO) << "The client certificate has expired, but is accepted by " + "configuration"; + return 1; + } LOG(ERROR) << "client certificate verify error:num=" << err << ":" << X509_verify_cert_error_string(err) << ":depth=" << depth; } @@ -1934,6 +1941,8 @@ return StringRef{}; } + auto b_deleter = defer(BIO_free, b); + // Not documented, but it seems that X509_NAME_print_ex returns the // number of bytes written into b. auto slen = X509_NAME_print_ex(b, nm, 0, XN_FLAG_RFC2253); @@ -1943,7 +1952,6 @@ auto iov = make_byte_ref(balloc, slen + 1); BIO_read(b, iov.base, slen); - BIO_free(b); iov.base[slen] = '\0'; return StringRef{iov.base, static_cast<size_t>(slen)}; } 
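Review bot: The new branch in the client-certificate verify callback in src/shrpx_tls.cc accepts an expired leaf certificate with only an INFO line that does not say which certificate it was, so an operator cannot audit or alert on these acceptances. Since the help text added in shrpx.cc tells operators to handle expired certificates themselves, I would log at WARN and include the subject or serial of the certificate being verified. It is also worth a comment that only `X509_V_ERR_CERT_HAS_EXPIRED` at `depth == 0` is tolerated, e.g. `// Only expiry of the leaf is tolerated; expired intermediates and all other errors still fail.` The callback starts and ends outside the hunk.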
@@ -1991,6 +1999,74 @@ #endif // !OPENSSL_1_1_API } +namespace { +// Performs conversion from |at| to time_t. The result is stored in +// |t|. This function returns 0 if it succeeds, or -1. +int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) { + int rv; + +#if OPENSSL_1_1_1_API + struct tm tm; + rv = ASN1_TIME_to_tm(at, &tm); + if (rv != 1) { + return -1; + } + + t = nghttp2_timegm(&tm); +#else // !OPENSSL_1_1_1_API + auto b = BIO_new(BIO_s_mem()); + if (!b) { + return -1; + } + + auto bio_deleter = defer(BIO_free, b); + + rv = ASN1_TIME_print(b, at); + if (rv != 1) { + return -1; + } + + unsigned char *s; + auto slen = BIO_get_mem_data(b, &s); + auto tt = util::parse_openssl_asn1_time_print( + StringRef{s, static_cast<size_t>(slen)}); + if (tt == 0) { + return -1; + } + + t = tt; +#endif // !OPENSSL_1_1_1_API + + return 0; +} +} // namespace + +int get_x509_not_before(time_t &t, X509 *x) { +#if OPENSSL_1_1_API + auto at = X509_get0_notBefore(x); +#else // !OPENSSL_1_1_API + auto at = X509_get_notBefore(x); +#endif // !OPENSSL_1_1_API + if (!at) { + return -1; + } + + return time_t_from_asn1_time(t, at); +} + +int get_x509_not_after(time_t &t, X509 *x) { +#if OPENSSL_1_1_API + auto at = X509_get0_notAfter(x); +#else // !OPENSSL_1_1_API + auto at = X509_get_notAfter(x); +#endif // !OPENSSL_1_1_API + if (!at) { + return -1; + } + + return time_t_from_asn1_time(t, at); +} + } // namespace tls } // namespace shrpx diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_tls.h new/nghttp2-1.31.1/src/shrpx_tls.h --- old/nghttp2-1.29.0/src/shrpx_tls.h 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_tls.h 2018-04-12 16:46:47.000000000 +0200 
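Review bot: In the pre-1.1.1 branch of `time_t_from_asn1_time`, the bytes returned by `BIO_get_mem_data()` are wrapped in a `StringRef` and passed to `util::parse_openssl_asn1_time_print`, which (util.cc hunk of this diff) calls `strptime(s.c_str(), ...)`. A memory BIO's data is not NUL-terminated, so the parser stays inside the buffer only because `strptime` stops at the end of the format, which holds while `ASN1_TIME_print` output always ends in " GMT". I would copy the bytes into a terminated buffer first, e.g. `std::string str(s, s + slen);` and pass `StringRef{str}`, and check `slen > 0` before the cast to `size_t`. A short comment that the parser uses `0` as its failure value, so a certificate time equal to the epoch is reported as an error, would also help.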
@@ -288,6 +288,14 @@ // number, it returns an empty string. number StringRef get_x509_serial(BlockAllocator &balloc, X509 *x); +// Fills NotBefore of |x| in |t|. This function returns 0 if it +// succeeds, or -1. +int get_x509_not_before(time_t &t, X509 *x); + +// Fills NotAfter of |x| in |t|. This function returns 0 if it +// succeeds, or -1. +int get_x509_not_after(time_t &t, X509 *x); + } // namespace tls } // namespace shrpx diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_worker.cc new/nghttp2-1.31.1/src/shrpx_worker.cc --- old/nghttp2-1.29.0/src/shrpx_worker.cc 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_worker.cc 2018-04-12 16:46:47.000000000 +0200 @@ -70,10 +70,10 @@ // DownstreamKey is used to index SharedDownstreamAddr in order to // find the same configuration. -using DownstreamKey = - std::tuple<std::vector<std::tuple<StringRef, StringRef, size_t, size_t, - shrpx_proto, uint16_t, bool, bool, bool>>, - bool, int, StringRef, StringRef, int>; +using DownstreamKey = std::tuple< + std::vector<std::tuple<StringRef, StringRef, size_t, size_t, shrpx_proto, + uint16_t, bool, bool, bool, bool>>, + bool, int, StringRef, StringRef, int>; namespace { DownstreamKey create_downstream_key( @@ -93,6 +93,7 @@ std::get<6>(*p) = a.host_unix; std::get<7>(*p) = a.tls; std::get<8>(*p) = a.dns; + std::get<9>(*p) = a.upgrade_scheme; ++p; } std::sort(std::begin(addrs), std::end(addrs)); 
@@ -220,6 +221,7 @@ dst_addr.fall = src_addr.fall; dst_addr.rise = src_addr.rise; dst_addr.dns = src_addr.dns; + dst_addr.upgrade_scheme = src_addr.upgrade_scheme; auto shared_addr_ptr = shared_addr.get(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_worker.h new/nghttp2-1.31.1/src/shrpx_worker.h --- old/nghttp2-1.29.0/src/shrpx_worker.h 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_worker.h 2018-04-12 16:46:47.000000000 +0200 @@ -115,6 +115,10 @@ bool tls; // true if dynamic DNS is enabled bool dns; + // true if :scheme pseudo header field should be upgraded to secure + // variant (e.g., "https") when forwarding request to a backend + // connected by TLS connection. + bool upgrade_scheme; }; // Simplified weighted fair queuing. Actually we don't use queue here diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/shrpx_worker_process.cc new/nghttp2-1.31.1/src/shrpx_worker_process.cc --- old/nghttp2-1.29.0/src/shrpx_worker_process.cc 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/shrpx_worker_process.cc 2018-04-12 16:46:47.000000000 +0200 
@@ -114,12 +114,10 @@ conn_handler->set_graceful_shutdown(true); - conn_handler->disable_acceptor(); - - // After disabling accepting new connection, dispatch incoming - // connection in backlog. - + // TODO What happens for the connections not established in the + // kernel? conn_handler->accept_pending_connection(); + conn_handler->delete_acceptor(); conn_handler->graceful_shutdown_worker(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/util.cc new/nghttp2-1.31.1/src/util.cc --- old/nghttp2-1.29.0/src/util.cc 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/util.cc 2018-04-12 16:46:47.000000000 +0200 @@ -70,9 +70,16 @@ namespace util { -#ifdef _WIN32 +#ifndef _WIN32 +namespace { +int nghttp2_inet_pton(int af, const char *src, void *dst) { + return inet_pton(af, src, dst); +} +} // namespace +#else // _WIN32 +namespace { // inet_pton-wrapper for Windows -static int inet_pton(int af, const char *src, void *dst) { +int nghttp2_inet_pton(int af, const char *src, void *dst) { #if _WIN32_WINNT >= 0x0600 return InetPtonA(af, src, dst); #else @@ -88,6 +95,7 @@ return 0; #endif } +} // namespace #endif // _WIN32 const char UPPER_XDIGITS[] = "0123456789ABCDEF"; @@ -407,6 +415,15 @@ #endif // !_WIN32 } +time_t parse_openssl_asn1_time_print(const StringRef &s) { + tm tm{}; + auto r = strptime(s.c_str(), "%b %d %H:%M:%S %Y GMT", &tm); + if (r == nullptr) { + return 0; + } + return nghttp2_timegm_without_yday(&tm); +} + char upcase(char c) { if ('a' <= c && c <= 'z') { return c - 'a' + 'A'; @@ -653,7 +670,7 @@ int rv; std::array<uint8_t, sizeof(struct in6_addr)> dst; - rv = inet_pton(family, hostname, dst.data()); + rv = nghttp2_inet_pton(family, hostname, dst.data()); return rv == 1; } 
@@ -950,7 +967,7 @@ bool ipv6_numeric_addr(const char *host) { uint8_t dst[16]; - return inet_pton(AF_INET6, host, dst) == 1; + return nghttp2_inet_pton(AF_INET6, host, dst) == 1; } namespace { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/src/util.h new/nghttp2-1.31.1/src/util.h --- old/nghttp2-1.29.0/src/util.h 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/src/util.h 2018-04-12 16:46:47.000000000 +0200 @@ -196,6 +196,11 @@ time_t parse_http_date(const StringRef &s); +// Parses time formatted as "MMM DD HH:MM:SS YYYY [GMT]" (e.g., Feb 3 +// 00:55:52 2015 GMT), which is specifically used by OpenSSL +// ASN1_TIME_print(). +time_t parse_openssl_asn1_time_print(const StringRef &s); + char upcase(char c); inline char lowcase(char c) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/nghttp2-1.29.0/tests/nghttp2_session_test.c new/nghttp2-1.31.1/tests/nghttp2_session_test.c --- old/nghttp2-1.29.0/tests/nghttp2_session_test.c 2017-12-19 15:35:50.000000000 +0100 +++ new/nghttp2-1.31.1/tests/nghttp2_session_test.c 2018-04-12 16:46:47.000000000 +0200 
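Review bot: The new comment on `parse_openssl_asn1_time_print` in src/util.h writes the format as "MMM DD HH:MM:SS YYYY [GMT]", which reads as if the GMT suffix were optional, while the implementation in the util.cc hunk uses `"%b %d %H:%M:%S %Y GMT"`, which as I read it requires the suffix. The comment also omits the return contract, which the caller in shrpx_tls.cc depends on. I would write `// Parses "MMM DD HH:MM:SS YYYY GMT" as printed by OpenSSL ASN1_TIME_print(). Returns 0 on parse failure.`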
@@ -2297,6 +2297,31 @@ nghttp2_session_del(session); + /* send too large frame */ + nghttp2_buf_reset(&buf); + + nghttp2_session_client_new2(&session, &callbacks, &ud, option); + + session->local_settings.max_frame_size = NGHTTP2_MAX_FRAME_SIZE_MIN - 1; + + nghttp2_frame_hd_init(&hd, NGHTTP2_MAX_FRAME_SIZE_MIN + 1, NGHTTP2_ALTSVC, + NGHTTP2_FLAG_NONE, 0); + nghttp2_frame_pack_frame_hd(buf.last, &hd); + buf.last += NGHTTP2_FRAME_HDLEN; + nghttp2_put_uint16be(buf.last, sizeof(origin) - 1); + buf.last += 2; + buf.last = nghttp2_cpymem(buf.last, origin, sizeof(origin) - 1); + memset(buf.last, 0, nghttp2_buf_avail(&buf)); + buf.last += nghttp2_buf_avail(&buf); + + ud.frame_recv_cb_called = 0; + rv = nghttp2_session_mem_recv(session, buf.pos, nghttp2_buf_len(&buf)); + + CU_ASSERT((ssize_t)nghttp2_buf_len(&buf) == rv); + CU_ASSERT(0 == ud.frame_recv_cb_called); + + nghttp2_session_del(session); + /* received by server */ nghttp2_buf_reset(&buf);
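Review bot: The added "send too large frame" case only checks that all bytes are consumed and that the frame callback is not invoked; it does not say it is the regression test for the `altsvc == NULL` guard added in lib/nghttp2_frame.c (presumably it is), and it does not assert how the session reacted. I would add a comment like `/* regression: oversized ALTSVC is dropped before its payload is allocated; freeing the frame must not crash */`. If the session is expected to queue an error frame for the oversized input, asserting that on the outbound queue before `nghttp2_session_del(session)` would pin the behaviour as well as the absence of a crash. The enclosing test function starts and ends outside the hunk.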
