h2o: remove, nothing depends on it anymore

Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>
Peter van Dijk 2024-02-16 15:29:04 +01:00 committed by Rosen Penev
parent aa4fb5151a
commit d30a34bac1
11 changed files with 0 additions and 657 deletions


@ -1,59 +0,0 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=h2o
PKG_VERSION:=2.2.6
PKG_RELEASE:=15
PKG_SOURCE_URL:=https://codeload.github.com/h2o/h2o/tar.gz/v${PKG_VERSION}?
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_HASH:=f8cbc1b530d85ff098f6efc2c3fdbc5e29baffb30614caac59d5c710f7bda201
PKG_MAINTAINER:=Peter van Dijk <peter.van.dijk@powerdns.com>
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/cmake.mk
PKG_BUILD_DEPENDS:=libwslay
CMAKE_OPTIONS += \
-DBUILD_SHARED_LIBS=ON \
-DWITH_MRUBY=OFF
define Package/libh2o-evloop
SECTION:=libs
CATEGORY:=Libraries
TITLE:=H2O Library compiled with its own event loop
URL:=https://h2o.examp1e.net/
DEPENDS:=+libopenssl +zlib
endef
define Package/libh2o
SECTION:=libs
CATEGORY:=Libraries
TITLE:=H2O Library compiled with libuv
URL:=https://h2o.examp1e.net/
DEPENDS:=+libuv +libopenssl +zlib +libyaml
endef
define Build/InstallDev
$(call Build/InstallDev/cmake,$(1))
$(SED) 's,/usr/include,$$$${prefix}/include,g' $(1)/usr/lib/pkgconfig/libh2o-evloop.pc
$(SED) 's,/usr/lib,$$$${exec_prefix}/lib,g' $(1)/usr/lib/pkgconfig/libh2o-evloop.pc
$(SED) 's,/usr/include,$$$${prefix}/include,g' $(1)/usr/lib/pkgconfig/libh2o.pc
$(SED) 's,/usr/lib,$$$${exec_prefix}/lib,g' $(1)/usr/lib/pkgconfig/libh2o.pc
endef
define Package/libh2o-evloop/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libh2o-evloop.so* $(1)/usr/lib/
endef
define Package/libh2o/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libh2o.so* $(1)/usr/lib/
endef
$(eval $(call BuildPackage,libh2o-evloop))
$(eval $(call BuildPackage,libh2o))


@ -1,22 +0,0 @@
--- a/include/h2o/socket.h
+++ b/include/h2o/socket.h
@@ -29,6 +29,7 @@ extern "C" {
#include <stdint.h>
#include <sys/socket.h>
#include <openssl/ssl.h>
+#include <openssl/opensslconf.h>
#include "h2o/cache.h"
#include "h2o/memory.h"
#include "h2o/openssl_backport.h"
@@ -44,7 +45,11 @@ extern "C" {
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
#define H2O_USE_ALPN 1
+#ifndef OPENSSL_NO_NEXTPROTONEG
#define H2O_USE_NPN 1
+#else
+#define H2O_USE_NPN 0
+#endif
#elif OPENSSL_VERSION_NUMBER >= 0x10001000L
#define H2O_USE_ALPN 0
#define H2O_USE_NPN 1


@ -1,43 +0,0 @@
From f7d5cb83826c7e2b1a3dc618b434d85df130a4d5 Mon Sep 17 00:00:00 2001
From: James Taylor <james@jtaylor.id.au>
Date: Tue, 10 Dec 2019 21:58:45 +1100
Subject: [PATCH] Explicitly link against WSLAY when available
When other libraries attempt to link against libh2o and libh2o-evloop that was
compiled with libwslay available, there are errors from missing symbols
associated with code which makes use of the wslay library. To rectify this,
explicitly link against libwslay during the build process.
Fixes #2105
Signed-off-by: James Taylor <james@jtaylor.id.au>
---
CMakeLists.txt | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -386,13 +386,21 @@ SET_TARGET_PROPERTIES(libh2o PROPERTIES
OUTPUT_NAME h2o
VERSION ${LIBRARY_VERSION}
SOVERSION ${LIBRARY_SOVERSION})
-TARGET_LINK_LIBRARIES(libh2o ${LIBUV_LIBRARIES} ${EXTRA_LIBS})
+IF (WSLAY_FOUND)
+ TARGET_LINK_LIBRARIES(libh2o ${WSLAY_LIBRARIES} ${LIBUV_LIBRARIES} ${EXTRA_LIBS})
+ELSE ()
+ TARGET_LINK_LIBRARIES(libh2o ${LIBUV_LIBRARIES} ${EXTRA_LIBS})
+ENDIF (WSLAY_FOUND)
SET_TARGET_PROPERTIES(libh2o-evloop PROPERTIES
OUTPUT_NAME h2o-evloop
COMPILE_FLAGS "-DH2O_USE_LIBUV=0"
VERSION ${LIBRARY_VERSION}
SOVERSION ${LIBRARY_SOVERSION})
-TARGET_LINK_LIBRARIES(libh2o-evloop ${EXTRA_LIBS})
+IF (WSLAY_FOUND)
+ TARGET_LINK_LIBRARIES(libh2o-evloop ${WSLAY_LIBRARIES} ${EXTRA_LIBS})
+ELSE ()
+ TARGET_LINK_LIBRARIES(libh2o-evloop ${EXTRA_LIBS})
+ENDIF (WSLAY_FOUND)
IF (OPENSSL_FOUND)
TARGET_INCLUDE_DIRECTORIES(libh2o PUBLIC ${OPENSSL_INCLUDE_DIR})


@ -1,17 +0,0 @@
--- a/deps/picotls/include/picotls/openssl.h
+++ b/deps/picotls/include/picotls/openssl.h
@@ -26,11 +26,14 @@
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/x509.h>
+#include <openssl/opensslconf.h>
#include "../picotls.h"
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
#define PTLS_OPENSSL_HAVE_CHACHA20_POLY1305
#endif
+#endif
extern ptls_key_exchange_algorithm_t ptls_openssl_secp256r1;
extern ptls_key_exchange_algorithm_t *ptls_openssl_key_exchanges[];


@ -1,70 +0,0 @@
From 03dbd6757d043581b5d250107b6f1cda6ae203a9 Mon Sep 17 00:00:00 2001
From: Frederik Deweerdt <fdeweerdt@fastly.com>
Date: Wed, 25 Oct 2017 13:52:28 -0700
Subject: [PATCH] Autodetect backtrace and backtrace_symbols_fd
---
CMakeLists.txt | 13 +++++++++++++
src/main.c | 10 ++++++----
2 files changed, 19 insertions(+), 4 deletions(-)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -58,6 +58,19 @@ __sync_add_and_fetch(&a, 1);
return 0;
}" ARCH_SUPPORTS_64BIT_ATOMICS)
+CHECK_C_SOURCE_COMPILES("
+#include <execinfo.h>
+int main(void) {
+void *p[10];
+int ret = backtrace(p, 10);
+backtrace_symbols_fd(p, ret, 2);
+return 0;
+}" LIBC_HAS_BACKTRACE)
+
+IF (LIBC_HAS_BACKTRACE)
+ ADD_DEFINITIONS("-DLIBC_HAS_BACKTRACE")
+ENDIF ()
+
SET(WITH_BUNDLED_SSL_DEFAULT "ON")
IF ((NOT UNIX) OR CYGWIN)
SET(WITH_BUNDLED_SSL_DEFAULT "OFF")
--- a/src/main.c
+++ b/src/main.c
@@ -48,7 +48,7 @@
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
-#ifdef __GLIBC__
+#ifdef LIBC_HAS_BACKTRACE
#include <execinfo.h>
#endif
#if H2O_USE_PICOTLS
@@ -1436,7 +1436,8 @@ static void on_sigterm(int signo)
notify_all_threads();
}
-#ifdef __GLIBC__
+#ifdef LIBC_HAS_BACKTRACE
+
static int popen_crash_handler(void)
{
char *cmd_fullpath = h2o_configurator_get_cmd_path(conf.crash_handler), *argv[] = {cmd_fullpath, NULL};
@@ -1488,13 +1489,14 @@ static void on_sigfatal(int signo)
raise(signo);
}
-#endif
+
+#endif /* LIBC_HAS_BACKTRACE */
static void setup_signal_handlers(void)
{
h2o_set_signal_handler(SIGTERM, on_sigterm);
h2o_set_signal_handler(SIGPIPE, SIG_IGN);
-#ifdef __GLIBC__
+#ifdef LIBC_HAS_BACKTRACE
if ((crash_handler_fd = popen_crash_handler()) == -1)
crash_handler_fd = 2;
h2o_set_signal_handler(SIGABRT, on_sigfatal);


@ -1,96 +0,0 @@
--- a/deps/neverbleed/neverbleed.c
+++ b/deps/neverbleed/neverbleed.c
@@ -36,6 +36,7 @@
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
+#include <openssl/engine.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>
#include <openssl/rsa.h>
--- a/deps/picotls/lib/openssl.c
+++ b/deps/picotls/lib/openssl.c
@@ -36,6 +36,7 @@
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/rand.h>
+#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
@@ -941,7 +942,7 @@ int ptls_openssl_encrypt_ticket(ptls_buf
Exit:
if (cctx != NULL)
- EVP_CIPHER_CTX_cleanup(cctx);
+ EVP_CIPHER_CTX_reset(cctx);
if (hctx != NULL)
HMAC_CTX_free(hctx);
return ret;
@@ -1011,7 +1012,7 @@ int ptls_openssl_decrypt_ticket(ptls_buf
Exit:
if (cctx != NULL)
- EVP_CIPHER_CTX_cleanup(cctx);
+ EVP_CIPHER_CTX_reset(cctx);
if (hctx != NULL)
HMAC_CTX_free(hctx);
return ret;
--- a/src/main.c
+++ b/src/main.c
@@ -45,6 +45,7 @@
#include <sys/types.h>
#include <sys/un.h>
#include <sys/wait.h>
+#include <openssl/dh.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
@@ -1827,7 +1828,7 @@ static h2o_iovec_t on_extra_status(void
" \"listeners\": %zu,\n"
" \"worker-threads\": %zu,\n"
" \"num-sessions\": %lu",
- SSLeay_version(SSLEAY_VERSION), current_time, restart_time, (uint64_t)(now - conf.launch_time), generation,
+ OpenSSL_version(OPENSSL_VERSION), current_time, restart_time, (uint64_t)(now - conf.launch_time), generation,
num_connections(0), conf.max_connections, conf.num_listeners, conf.num_threads, num_sessions(0));
assert(ret.len < BUFSIZE);
@@ -2008,7 +2009,7 @@ int main(int argc, char **argv)
break;
case 'v':
printf("h2o version " H2O_VERSION "\n");
- printf("OpenSSL: %s\n", SSLeay_version(SSLEAY_VERSION));
+ printf("OpenSSL: %s\n", OpenSSL_version(OPENSSL_VERSION));
#if H2O_USE_MRUBY
printf(
"mruby: YES\n"); /* TODO determine the way to obtain the version of mruby (that is being linked dynamically) */
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -911,6 +911,7 @@ void ssl_setup_session_resumption(SSL_CT
#endif
}
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
static pthread_mutex_t *mutexes;
static void lock_callback(int mode, int n, const char *file, int line)
@@ -937,9 +938,11 @@ static int add_lock_callback(int *num, i
return __sync_add_and_fetch(num, amount);
}
+#endif
void init_openssl(void)
{
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
int nlocks = CRYPTO_num_locks(), i;
mutexes = h2o_mem_alloc(sizeof(*mutexes) * nlocks);
for (i = 0; i != nlocks; ++i)
@@ -953,6 +956,7 @@ void init_openssl(void)
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
+#endif
cache_init_defaults();
#if H2O_USE_SESSION_TICKETS


@ -1,28 +0,0 @@
--- a/deps/neverbleed/neverbleed.c
+++ b/deps/neverbleed/neverbleed.c
@@ -1486,6 +1486,7 @@ int neverbleed_init(neverbleed_t *nb, ch
close(pipe_fds[0]);
pipe_fds[0] = -1;
+#ifndef OPENSSL_NO_ENGINE
/* setup engine */
if ((nb->engine = ENGINE_new()) == NULL || !ENGINE_set_id(nb->engine, "neverbleed") ||
!ENGINE_set_name(nb->engine, "privilege separation software engine") || !ENGINE_set_RSA(nb->engine, rsa_method)
@@ -1497,6 +1498,7 @@ int neverbleed_init(neverbleed_t *nb, ch
goto Fail;
}
ENGINE_add(nb->engine);
+#endif
/* setup thread key */
pthread_key_create(&nb->thread_key, dispose_thread_data);
@@ -1515,7 +1517,9 @@ Fail:
if (listen_fd != -1)
close(listen_fd);
if (nb->engine != NULL) {
+#ifndef OPENSSL_NO_ENGINE
ENGINE_free(nb->engine);
+#endif
nb->engine = NULL;
}
return -1;


@ -1,73 +0,0 @@
--- a/lib/core/config.c
+++ b/lib/core/config.c
@@ -1,3 +1,4 @@
+
/*
* Copyright (c) 2014-2016 DeNA Co., Ltd.
*
@@ -37,7 +38,9 @@ static h2o_hostconf_t *create_hostconf(h
hostconf->http2.push_preload = 1; /* enabled by default */
h2o_config_init_pathconf(&hostconf->fallback_path, globalconf, NULL, globalconf->mimemap);
hostconf->mimemap = globalconf->mimemap;
- h2o_mem_addref_shared(hostconf->mimemap);
+ if (hostconf->mimemap) {
+ h2o_mem_addref_shared(hostconf->mimemap);
+ }
return hostconf;
}
@@ -54,7 +57,9 @@ static void destroy_hostconf(h2o_hostcon
}
free(hostconf->paths.entries);
h2o_config_dispose_pathconf(&hostconf->fallback_path);
- h2o_mem_release_shared(hostconf->mimemap);
+ if (hostconf->mimemap) {
+ h2o_mem_release_shared(hostconf->mimemap);
+ }
free(hostconf);
}
@@ -136,8 +141,10 @@ void h2o_config_init_pathconf(h2o_pathco
h2o_chunked_register(pathconf);
if (path != NULL)
pathconf->path = h2o_strdup(NULL, path, SIZE_MAX);
- h2o_mem_addref_shared(mimemap);
- pathconf->mimemap = mimemap;
+ if (mimemap) {
+ h2o_mem_addref_shared(mimemap);
+ pathconf->mimemap = mimemap;
+ }
pathconf->error_log.emit_request_errors = 1;
}
@@ -190,7 +197,7 @@ void h2o_config_init(h2o_globalconf_t *c
config->http2.latency_optimization.max_additional_delay = 10;
config->http2.latency_optimization.max_cwnd = 65535;
config->http2.callbacks = H2O_HTTP2_CALLBACKS;
- config->mimemap = h2o_mimemap_create();
+ // config->mimemap = h2o_mimemap_create();
h2o_configurator__init_core(config);
}
@@ -279,7 +286,9 @@ void h2o_config_dispose(h2o_globalconf_t
}
free(config->hosts);
- h2o_mem_release_shared(config->mimemap);
+ if (config->mimemap) {
+ h2o_mem_release_shared(config->mimemap);
+ }
h2o_configurator__dispose_configurators(config);
}
--- a/lib/core/request.c
+++ b/lib/core/request.c
@@ -486,7 +486,7 @@ void h2o_req_fill_mime_attributes(h2o_re
ssize_t content_type_index;
h2o_mimemap_type_t *mime;
- if (req->res.mime_attr != NULL)
+ if (req->res.mime_attr != NULL || req->pathconf->mimemap == NULL)
return;
if ((content_type_index = h2o_find_header(&req->res.headers, H2O_TOKEN_CONTENT_TYPE, -1)) != -1 &&


@ -1,11 +0,0 @@
--- a/include/h2o/http2_internal.h
+++ b/include/h2o/http2_internal.h
@@ -33,7 +33,7 @@
typedef struct st_h2o_http2_conn_t h2o_http2_conn_t;
typedef struct st_h2o_http2_stream_t h2o_http2_stream_t;
-#define H2O_HTTP2_DEFAULT_OUTBUF_SIZE 81920 /* the target size of each write call; connection flow control window + alpha */
+#define H2O_HTTP2_DEFAULT_OUTBUF_SIZE 8192 /* the target size of each write call; connection flow control window + alpha */
#define H2O_HTTP2_DEFAULT_OUTBUF_SOFT_MAX_SIZE 524288 /* 512KB; stops reading if size exceeds this value */
/* hpack */


@ -1,203 +0,0 @@
commit d07b601a5549798f8e500582336756e04dfd25c5
Author: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Tue Oct 10 15:47:57 2023 +0200
[http2] delay processing requests upon observing suspicious behavior
Backport of 94fbc54b6c9309912fe3d53e7b63408bbe9a1b0d to v2.2.x
--- a/include/h2o.h
+++ b/include/h2o.h
@@ -378,6 +378,10 @@ struct st_h2o_globalconf_t {
* list of callbacks
*/
h2o_protocol_callbacks_t callbacks;
+ /**
+ * milliseconds to delay processing requests when suspicious behavior is detected
+ */
+ uint64_t dos_delay;
} http2;
struct {
@@ -590,6 +594,10 @@ struct st_h2o_context_t {
* timeout entry used for graceful shutdown
*/
h2o_timeout_entry_t _graceful_shutdown_timeout;
+ /*
+ * dos timeout
+ */
+ h2o_timeout_t dos_delay_timeout;
struct {
/**
* counter for http2 errors internally emitted by h2o
--- a/include/h2o/http2_internal.h
+++ b/include/h2o/http2_internal.h
@@ -179,6 +179,7 @@ struct st_h2o_http2_stream_t {
h2o_linklist_t link;
h2o_http2_scheduler_openref_t scheduler;
} _refs;
+ unsigned reset_by_peer : 1;
h2o_send_state_t send_state; /* state of the ostream, only used in push mode */
/* placed at last since it is large and has it's own ctor */
h2o_req_t req;
@@ -232,6 +233,13 @@ struct st_h2o_http2_conn_t {
} _write;
h2o_cache_t *push_memo;
h2o_http2_casper_t *casper;
+ /**
+ * DoS mitigation; the idea here is to delay processing requests when observing suspicious behavior
+ */
+ struct {
+ h2o_timeout_entry_t process_delay;
+ size_t reset_budget; /* RST_STREAM frames are considered suspicious when this value goes down to zero */
+ } dos_mitigation;
};
int h2o_http2_update_peer_settings(h2o_http2_settings_t *settings, const uint8_t *src, size_t len, const char **err_desc);
--- a/lib/core/config.c
+++ b/lib/core/config.c
@@ -196,6 +196,7 @@ void h2o_config_init(h2o_globalconf_t *c
config->http2.latency_optimization.min_rtt = 50; // milliseconds
config->http2.latency_optimization.max_additional_delay = 10;
config->http2.latency_optimization.max_cwnd = 65535;
+ config->http2.dos_delay = 100; /* 100ms processing delay when observing suspicious behavior */
config->http2.callbacks = H2O_HTTP2_CALLBACKS;
// config->mimemap = h2o_mimemap_create();
--- a/lib/core/configurator.c
+++ b/lib/core/configurator.c
@@ -531,6 +531,12 @@ static int on_config_http2_casper(h2o_co
return 0;
}
+
+static int on_config_http2_dos_delay(h2o_configurator_command_t *cmd, h2o_configurator_context_t *ctx, yoml_t *node)
+{
+ return config_timeout(cmd, node, &ctx->globalconf->http2.dos_delay);
+}
+
static int assert_is_mimetype(h2o_configurator_command_t *cmd, yoml_t *node)
{
if (node->type != YOML_TYPE_SCALAR) {
@@ -910,6 +916,9 @@ void h2o_configurator__init_core(h2o_glo
on_config_http2_push_preload);
h2o_configurator_define_command(&c->super, "http2-casper", H2O_CONFIGURATOR_FLAG_GLOBAL | H2O_CONFIGURATOR_FLAG_HOST,
on_config_http2_casper);
+ h2o_configurator_define_command(&c->super, "http2-dos-delay",
+ H2O_CONFIGURATOR_FLAG_GLOBAL | H2O_CONFIGURATOR_FLAG_EXPECT_SCALAR,
+ on_config_http2_dos_delay);
h2o_configurator_define_command(&c->super, "file.mime.settypes",
(H2O_CONFIGURATOR_FLAG_ALL_LEVELS & ~H2O_CONFIGURATOR_FLAG_EXTENSION) |
H2O_CONFIGURATOR_FLAG_EXPECT_MAPPING,
--- a/lib/core/context.c
+++ b/lib/core/context.c
@@ -101,6 +101,7 @@ void h2o_context_init(h2o_context_t *ctx
h2o_linklist_init_anchor(&ctx->http1._conns);
h2o_timeout_init(ctx->loop, &ctx->http2.idle_timeout, config->http2.idle_timeout);
h2o_timeout_init(ctx->loop, &ctx->http2.graceful_shutdown_timeout, config->http2.graceful_shutdown_timeout);
+ h2o_timeout_init(ctx->loop, &ctx->http2.dos_delay_timeout, config->http2.dos_delay);
h2o_linklist_init_anchor(&ctx->http2._conns);
ctx->proxy.client_ctx.loop = loop;
h2o_timeout_init(ctx->loop, &ctx->proxy.io_timeout, config->proxy.io_timeout);
@@ -146,6 +147,7 @@ void h2o_context_dispose(h2o_context_t *
h2o_timeout_dispose(ctx->loop, &ctx->http1.req_timeout);
h2o_timeout_dispose(ctx->loop, &ctx->http2.idle_timeout);
h2o_timeout_dispose(ctx->loop, &ctx->http2.graceful_shutdown_timeout);
+ h2o_timeout_dispose(ctx->loop, &ctx->http2.dos_delay_timeout);
h2o_timeout_dispose(ctx->loop, &ctx->proxy.io_timeout);
/* what should we do here? assert(!h2o_linklist_is_empty(&ctx->http2._conns); */
--- a/lib/http2/connection.c
+++ b/lib/http2/connection.c
@@ -161,7 +161,6 @@ static void update_idle_timeout(h2o_http
h2o_timeout_unlink(&conn->_timeout_entry);
if (conn->num_streams.pull.half_closed + conn->num_streams.push.half_closed == 0) {
- assert(h2o_linklist_is_empty(&conn->_pending_reqs));
conn->_timeout_entry.cb = on_idle_timeout;
h2o_timeout_link(conn->super.ctx->loop, &conn->super.ctx->http2.idle_timeout, &conn->_timeout_entry);
}
@@ -175,6 +174,9 @@ static int can_run_requests(h2o_http2_co
static void run_pending_requests(h2o_http2_conn_t *conn)
{
+ if (h2o_timeout_is_linked(&conn->dos_mitigation.process_delay))
+ return;
+
while (!h2o_linklist_is_empty(&conn->_pending_reqs) && can_run_requests(conn)) {
/* fetch and detach a pending stream */
h2o_http2_stream_t *stream = H2O_STRUCT_FROM_MEMBER(h2o_http2_stream_t, _refs.link, conn->_pending_reqs.next);
@@ -226,6 +228,16 @@ void h2o_http2_conn_unregister_stream(h2
assert(h2o_http2_scheduler_is_open(&stream->_refs.scheduler));
h2o_http2_scheduler_close(&stream->_refs.scheduler);
+ /* Decrement reset_budget if the stream was reset by peer, otherwise increment. By doing so, we penalize connections that
+ * generate resets for >50% of requests. */
+ if (stream->reset_by_peer) {
+ if (conn->dos_mitigation.reset_budget > 0)
+ --conn->dos_mitigation.reset_budget;
+ } else {
+ if (conn->dos_mitigation.reset_budget < conn->super.ctx->globalconf->http2.max_concurrent_requests_per_connection)
+ ++conn->dos_mitigation.reset_budget;
+ }
+
switch (stream->state) {
case H2O_HTTP2_STREAM_STATE_IDLE:
case H2O_HTTP2_STREAM_STATE_RECV_HEADERS:
@@ -272,6 +284,8 @@ void close_connection_now(h2o_http2_conn
h2o_hpack_dispose_header_table(&conn->_output_header_table);
assert(h2o_linklist_is_empty(&conn->_pending_reqs));
h2o_timeout_unlink(&conn->_timeout_entry);
+ if (h2o_timeout_is_linked(&conn->dos_mitigation.process_delay))
+ h2o_timeout_unlink(&conn->dos_mitigation.process_delay);
h2o_buffer_dispose(&conn->_write.buf);
if (conn->_write.buf_in_flight != NULL)
h2o_buffer_dispose(&conn->_write.buf_in_flight);
@@ -797,11 +811,19 @@ static int handle_rst_stream_frame(h2o_h
return H2O_HTTP2_ERROR_PROTOCOL;
}
- stream = h2o_http2_conn_get_stream(conn, frame->stream_id);
- if (stream != NULL) {
+ if ((stream = h2o_http2_conn_get_stream(conn, frame->stream_id)) == NULL)
+ return 0;
+
/* reset the stream */
+ stream->reset_by_peer = 1;
h2o_http2_stream_reset(conn, stream);
- }
+
+ /* setup process delay if we've just ran out of reset budget */
+ if (conn->dos_mitigation.reset_budget == 0 && conn->super.ctx->globalconf->http2.dos_delay != 0 &&
+ !h2o_timeout_is_linked(&conn->dos_mitigation.process_delay))
+ h2o_timeout_link(conn->super.ctx->loop, &conn->super.ctx->http2.dos_delay_timeout,
+ &conn->dos_mitigation.process_delay);
+
/* TODO log */
return 0;
@@ -1204,6 +1226,14 @@ static h2o_iovec_t log_priority_actual_w
return h2o_iovec_init(s, len);
}
+static void on_dos_process_delay(h2o_timeout_entry_t *timer)
+{
+ h2o_http2_conn_t *conn = H2O_STRUCT_FROM_MEMBER(h2o_http2_conn_t, dos_mitigation.process_delay, timer);
+
+ assert(!h2o_timeout_is_linked(&conn->dos_mitigation.process_delay));
+ run_pending_requests(conn);
+}
+
static h2o_http2_conn_t *create_conn(h2o_context_t *ctx, h2o_hostconf_t **hosts, h2o_socket_t *sock, struct timeval connected_at)
{
static const h2o_conn_callbacks_t callbacks = {
@@ -1240,6 +1270,9 @@ static h2o_http2_conn_t *create_conn(h2o
conn->_write.timeout_entry.cb = emit_writereq;
h2o_http2_window_init(&conn->_write.window, &conn->peer_settings);
+ conn->dos_mitigation.process_delay.cb = on_dos_process_delay;
+ conn->dos_mitigation.reset_budget = conn->super.ctx->globalconf->http2.max_concurrent_requests_per_connection;
+
return conn;
}

View File

@ -1,35 +0,0 @@
commit e47cd15ff1fec9211088c809cb92593800dd4da2
Author: Peter van Dijk <peter.van.dijk@powerdns.com>
Date: Wed Oct 11 11:39:48 2023 +0200
bump soname
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -29,9 +29,9 @@ SET(VERSION_MINOR "2")
SET(VERSION_PATCH "6")
SET(VERSION_PRERELEASE "")
SET(VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}${VERSION_PRERELEASE}")
-SET(LIBRARY_VERSION_MAJOR "0")
-SET(LIBRARY_VERSION_MINOR "13")
-SET(LIBRARY_VERSION_PATCH "6")
+SET(LIBRARY_VERSION_MAJOR "1")
+SET(LIBRARY_VERSION_MINOR "0")
+SET(LIBRARY_VERSION_PATCH "0")
SET(LIBRARY_VERSION "${LIBRARY_VERSION_MAJOR}.${LIBRARY_VERSION_MINOR}.${LIBRARY_VERSION_PATCH}${VERSION_PRERELEASE}")
SET(LIBRARY_SOVERSION "${LIBRARY_VERSION_MAJOR}.${LIBRARY_VERSION_MINOR}")
--- a/include/h2o/version.h
+++ b/include/h2o/version.h
@@ -28,8 +28,8 @@
#define H2O_VERSION_MINOR 2
#define H2O_VERSION_PATCH 6
-#define H2O_LIBRARY_VERSION_MAJOR 0
-#define H2O_LIBRARY_VERSION_MINOR 13
-#define H2O_LIBRARY_VERSION_PATCH 6
+#define H2O_LIBRARY_VERSION_MAJOR 1
+#define H2O_LIBRARY_VERSION_MINOR 0
+#define H2O_LIBRARY_VERSION_PATCH 0
#endif