Merge branch 'upstream/master' into clone/allow-no-npn

CMakeLists.txt

@@ -24,13 +24,13 @@
 
 cmake_minimum_required(VERSION 3.0)
 # XXX using 1.8.90 instead of 1.9.0-DEV
-project(nghttp2 VERSION 1.30.90)
+project(nghttp2 VERSION 1.31.90)
 
 # See versioning rule:
 #  http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
-set(LT_CURRENT  29)
-set(LT_REVISION 2)
-set(LT_AGE      15)
+set(LT_CURRENT  30)
+set(LT_REVISION 0)
+set(LT_AGE      16)
 
 set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH})
 include(Version)

CMakeOptions.txt

@@ -14,6 +14,7 @@ option(ENABLE_PYTHON_BINDINGS "Build Python bindings"
   ${ENABLE_PYTHON_BINDINGS_DEFAULT})
 option(ENABLE_FAILMALLOC "Build failmalloc test program" ON)
 option(ENABLE_LIB_ONLY  "Build libnghttp2 only.  This is a short hand for -DENABLE_APP=0 -DENABLE_EXAMPLES=0 -DENABLE_HPACK_TOOLS=0 -DENABLE_PYTHON_BINDINGS=0")
+option(ENABLE_STATIC_LIB "Build libnghttp2 in static mode also")
 
 option(WITH_LIBXML2     "Use libxml2"
   ${WITH_LIBXML2_DEFAULT})

README.rst

@@ -951,7 +951,7 @@ output_length
     The length of the compressed header block.
 
 percentage_of_original_size
-    ``input_length`` / ``output_length`` * 100
+    ``output_length`` / ``input_length`` * 100
 
 wire
     The compressed header block as a hex string.

configure.ac

@@ -25,7 +25,7 @@ dnl Do not change user variables!
 dnl http://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html
 
 AC_PREREQ(2.61)
-AC_INIT([nghttp2], [1.31.0-DEV], [t-tujikawa@users.sourceforge.net])
+AC_INIT([nghttp2], [1.32.0-DEV], [t-tujikawa@users.sourceforge.net])
 AC_CONFIG_AUX_DIR([.])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_HEADERS([config.h])
@@ -44,9 +44,9 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
 
 dnl See versioning rule:
 dnl  http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
-AC_SUBST(LT_CURRENT, 29)
-AC_SUBST(LT_REVISION, 2)
-AC_SUBST(LT_AGE, 15)
+AC_SUBST(LT_CURRENT, 30)
+AC_SUBST(LT_REVISION, 0)
+AC_SUBST(LT_AGE, 16)
 
 major=`echo $PACKAGE_VERSION |cut -d. -f1 | sed -e "s/[^0-9]//g"`
 minor=`echo $PACKAGE_VERSION |cut -d. -f2 | sed -e "s/[^0-9]//g"`

doc/Makefile.am

@@ -143,6 +143,7 @@ APIDOCS= \
 	nghttp2_session_set_local_window_size.rst \
 	nghttp2_session_set_next_stream_id.rst \
 	nghttp2_session_set_stream_user_data.rst \
+	nghttp2_session_set_user_data.rst \
 	nghttp2_session_terminate_session.rst \
 	nghttp2_session_terminate_session2.rst \
 	nghttp2_session_upgrade.rst \

doc/bash_completion/nghttpx

@@ -8,7 +8,7 @@ _nghttpx()
     _get_comp_words_by_ref cur prev
     case $cur in
         -*)
-            COMPREPLY=( $( compgen -W '--worker-read-rate --include --frontend-http2-dump-response-header --tls-ticket-key-file --verify-client-cacert --max-response-header-fields --backend-http2-window-size --frontend-keep-alive-timeout --backend-request-buffer --max-request-header-fields --fastopen --backend-connect-timeout --tls-max-proto-version --conf --dns-lookup-timeout --backend-http2-max-concurrent-streams --worker-write-burst --npn-list --dns-max-try --fetch-ocsp-response-file --no-via --tls-session-cache-memcached-cert-file --no-http2-cipher-black-list --mruby-file --client-no-http2-cipher-black-list --stream-read-timeout --client-ciphers --ocsp-update-interval --forwarded-for --accesslog-syslog --dns-cache-timeout --frontend-http2-read-timeout --listener-disable-timeout --ciphers --client-psk-secrets --strip-incoming-x-forwarded-for --no-server-rewrite --private-key-passwd-file --backend-keep-alive-timeout --backend-http-proxy-uri --frontend-max-requests --rlimit-nofile --no-strip-incoming-x-forwarded-proto --tls-ticket-key-memcached-cert-file --no-verify-ocsp --forwarded-by --tls-session-cache-memcached-private-key-file --error-page --ocsp-startup --backend-write-timeout --tls-dyn-rec-warmup-threshold --tls-ticket-key-memcached-max-retry --frontend-http2-window-size --http2-no-cookie-crumbling --worker-read-burst --dh-param-file --accesslog-format --errorlog-syslog --redirect-https-port --request-header-field-buffer --api-max-request-body --frontend-http2-decoder-dynamic-table-size --errorlog-file --frontend-http2-max-concurrent-streams --psk-secrets --frontend-write-timeout --tls-ticket-key-cipher --read-burst --no-add-x-forwarded-proto --backend --server-name --insecure --backend-max-backoff --log-level --host-rewrite --tls-ticket-key-memcached-interval --frontend-http2-setting-timeout --frontend-http2-connection-window-size --worker-frontend-connections --syslog-facility --no-server-push --no-location-rewrite --single-thread --tls-session-cache-memcached --no-ocsp --backend-response-buffer --tls-min-proto-version --workers --add-forwarded --worker-write-rate --add-request-header --backend-http2-settings-timeout --subcert --ecdh-curves --no-kqueue --help --frontend-frame-debug --tls-sct-dir --pid-file --frontend-http2-dump-request-header --daemon --write-rate --altsvc --backend-http2-decoder-dynamic-table-size --user --add-x-forwarded-for --frontend-read-timeout --tls-ticket-key-memcached-max-fail --backlog --write-burst --backend-connections-per-host --response-header-field-buffer --tls-ticket-key-memcached-address-family --padding --tls-session-cache-memcached-address-family --stream-write-timeout --cacert --tls-ticket-key-memcached-private-key-file --accesslog-write-early --backend-address-family --backend-http2-connection-window-size --version --add-response-header --backend-read-timeout --frontend-http2-optimize-window-size --frontend --accesslog-file --http2-proxy --backend-http2-encoder-dynamic-table-size --client-private-key-file --single-process --client-cert-file --tls-ticket-key-memcached --tls-dyn-rec-idle-timeout --frontend-http2-optimize-write-buffer-size --verify-client --frontend-http2-encoder-dynamic-table-size --read-rate --backend-connections-per-frontend --strip-incoming-forwarded ' -- "$cur" ) )
+            COMPREPLY=( $( compgen -W '--worker-read-rate --include --frontend-http2-dump-response-header --tls-ticket-key-file --verify-client-cacert --max-response-header-fields --backend-http2-window-size --frontend-keep-alive-timeout --backend-request-buffer --max-request-header-fields --backend-connect-timeout --tls-max-proto-version --conf --dns-lookup-timeout --backend-http2-max-concurrent-streams --worker-write-burst --npn-list --dns-max-try --fetch-ocsp-response-file --no-via --tls-session-cache-memcached-cert-file --no-http2-cipher-black-list --mruby-file --add-forwarded --client-no-http2-cipher-black-list --stream-read-timeout --client-ciphers --ocsp-update-interval --forwarded-for --accesslog-syslog --dns-cache-timeout --frontend-http2-read-timeout --listener-disable-timeout --ciphers --client-psk-secrets --strip-incoming-x-forwarded-for --no-server-rewrite --private-key-passwd-file --backend-keep-alive-timeout --backend-http-proxy-uri --frontend-max-requests --rlimit-nofile --no-strip-incoming-x-forwarded-proto --tls-ticket-key-memcached-cert-file --no-verify-ocsp --forwarded-by --tls-session-cache-memcached-private-key-file --error-page --ocsp-startup --backend-write-timeout --tls-dyn-rec-warmup-threshold --tls-ticket-key-memcached-max-retry --frontend-http2-window-size --http2-no-cookie-crumbling --worker-read-burst --dh-param-file --accesslog-format --errorlog-syslog --redirect-https-port --request-header-field-buffer --api-max-request-body --frontend-http2-decoder-dynamic-table-size --errorlog-file --frontend-http2-max-concurrent-streams --psk-secrets --frontend-write-timeout --tls-ticket-key-cipher --read-burst --no-add-x-forwarded-proto --backend --server-name --insecure --backend-max-backoff --log-level --host-rewrite --tls-ticket-key-memcached-interval --frontend-http2-setting-timeout --frontend-http2-connection-window-size --worker-frontend-connections --syslog-facility --fastopen --no-location-rewrite --single-thread --tls-session-cache-memcached --no-ocsp --backend-response-buffer --tls-min-proto-version --workers --add-x-forwarded-for --no-server-push --worker-write-rate --add-request-header --backend-http2-settings-timeout --subcert --ecdh-curves --no-kqueue --help --frontend-frame-debug --tls-sct-dir --pid-file --frontend-http2-dump-request-header --daemon --write-rate --altsvc --backend-http2-decoder-dynamic-table-size --user --verify-client-tolerate-expired --frontend-read-timeout --tls-ticket-key-memcached-max-fail --backlog --write-burst --backend-connections-per-host --response-header-field-buffer --tls-ticket-key-memcached-address-family --padding --tls-session-cache-memcached-address-family --stream-write-timeout --cacert --tls-ticket-key-memcached-private-key-file --accesslog-write-early --backend-address-family --backend-http2-connection-window-size --version --add-response-header --backend-read-timeout --frontend-http2-optimize-window-size --frontend --accesslog-file --http2-proxy --backend-http2-encoder-dynamic-table-size --client-private-key-file --single-process --client-cert-file --tls-ticket-key-memcached --tls-dyn-rec-idle-timeout --frontend-http2-optimize-write-buffer-size --verify-client --frontend-http2-encoder-dynamic-table-size --read-rate --backend-connections-per-frontend --strip-incoming-forwarded ' -- "$cur" ) )
             ;;
         *)
             _filedir

doc/h2load.1

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "H2LOAD" "1" "Feb 02, 2018" "1.30.0" "nghttp2"
+.TH "H2LOAD" "1" "Feb 27, 2018" "1.31.0" "nghttp2"
 .SH NAME
 h2load \- HTTP/2 benchmarking tool
 .

doc/nghttp.1

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "NGHTTP" "1" "Feb 02, 2018" "1.30.0" "nghttp2"
+.TH "NGHTTP" "1" "Feb 27, 2018" "1.31.0" "nghttp2"
 .SH NAME
 nghttp \- HTTP/2 client
 .

doc/nghttpd.1

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "NGHTTPD" "1" "Feb 02, 2018" "1.30.0" "nghttp2"
+.TH "NGHTTPD" "1" "Feb 27, 2018" "1.31.0" "nghttp2"
 .SH NAME
 nghttpd \- HTTP/2 server
 .

doc/nghttpx.1

@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "NGHTTPX" "1" "Feb 02, 2018" "1.30.0" "nghttp2"
+.TH "NGHTTPX" "1" "Feb 27, 2018" "1.31.0" "nghttp2"
 .SH NAME
 nghttpx \- HTTP/2 proxy
 .
@@ -698,6 +698,14 @@ can contain multiple certificates.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-verify\-client\-tolerate\-expired
+Accept  expired  client  certificate.   Operator  should
+handle  the expired  client  certificate  by some  means
+(e.g.,  mruby  script).   Otherwise, this  option  might
+cause a security risk.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-\-client\-private\-key\-file=<PATH>
 Path to  file that contains  client private key  used in
 backend client authentication.
@@ -996,7 +1004,7 @@ option.  But be aware its implications.
 Set the maximum number of  the concurrent streams in one
 frontend HTTP/2 session.
 .sp
-Default: \(ga\(ga 100\(ga\(ga
+Default: \fB100\fP
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -2030,6 +2038,18 @@ Return the serial number of a client certificate.
 .UNINDENT
 .INDENT 7.0
 .TP
+.B attribute [R] tls_client_not_before
+Return the start date of a client certificate in seconds since
+the epoch.
+.UNINDENT
+.INDENT 7.0
+.TP
+.B attribute [R] tls_client_not_after
+Return the end date of a client certificate in seconds since
+the epoch.
+.UNINDENT
+.INDENT 7.0
+.TP
 .B attribute [R] tls_cipher
 Return a TLS cipher negotiated in this connection.
 .UNINDENT

doc/nghttpx.1.rst

@@ -644,6 +644,13 @@ SSL/TLS
     client certificate.  The file must be in PEM format.  It
     can contain multiple certificates.
 
+.. option:: --verify-client-tolerate-expired
+
+    Accept  expired  client  certificate.   Operator  should
+    handle  the expired  client  certificate  by some  means
+    (e.g.,  mruby  script).   Otherwise, this  option  might
+    cause a security risk.
+
 .. option:: --client-private-key-file=<PATH>
 
     Path to  file that contains  client private key  used in
@@ -917,7 +924,7 @@ HTTP/2
     Set the maximum number of  the concurrent streams in one
     frontend HTTP/2 session.
 
-    Default: `` 100``
+    Default: ``100``
 
 .. option:: --backend-http2-max-concurrent-streams=<N>
 
@@ -1859,6 +1866,16 @@ respectively.
 
         Return the serial number of a client certificate.
 
+    .. rb:attr_reader:: tls_client_not_before
+
+        Return the start date of a client certificate in seconds since
+        the epoch.
+
+    .. rb:attr_reader:: tls_client_not_after
+
+        Return the end date of a client certificate in seconds since
+        the epoch.
+
     .. rb:attr_reader:: tls_cipher
 
         Return a TLS cipher negotiated in this connection.

lib/CMakeLists.txt

@@ -49,7 +49,7 @@ target_include_directories(nghttp2 INTERFACE
     "${CMAKE_CURRENT_SOURCE_DIR}/includes"
     )
 
-if(HAVE_CUNIT)
+if(HAVE_CUNIT OR ENABLE_STATIC_LIB)
   # Static library (for unittests because of symbol visibility)
   add_library(nghttp2_static STATIC ${NGHTTP2_SOURCES})
   set_target_properties(nghttp2_static PROPERTIES
@@ -58,6 +58,10 @@ if(HAVE_CUNIT)
     ARCHIVE_OUTPUT_NAME nghttp2
   )
   target_compile_definitions(nghttp2_static PUBLIC "-DNGHTTP2_STATICLIB")
+  if(ENABLE_STATIC_LIB)
+    install(TARGETS nghttp2_static
+      DESTINATION "${CMAKE_INSTALL_LIBDIR}")
+  endif()
 endif()
 
 install(TARGETS nghttp2

lib/includes/nghttp2/nghttp2.h

@@ -3081,6 +3081,16 @@ NGHTTP2_EXTERN int
 nghttp2_session_set_stream_user_data(nghttp2_session *session,
                                      int32_t stream_id, void *stream_user_data);
 
+/**
+ * @function
+ *
+ * Sets |user_data| to |session|, overwriting the existing user data
+ * specified in `nghttp2_session_client_new()`, or
+ * `nghttp2_session_server_new()`.
+ */
+NGHTTP2_EXTERN void nghttp2_session_set_user_data(nghttp2_session *session,
+                                                  void *user_data);
+
 /**
  * @function
  *

lib/nghttp2_http.c

@@ -244,7 +244,7 @@ static int http_response_on_header(nghttp2_stream *stream, nghttp2_hd_nv *nv,
       return NGHTTP2_ERR_HTTP_HEADER;
     }
     stream->status_code = (int16_t)parse_uint(nv->value->base, nv->value->len);
-    if (stream->status_code == -1) {
+    if (stream->status_code == -1 || stream->status_code == 101) {
       return NGHTTP2_ERR_HTTP_HEADER;
     }
     break;

lib/nghttp2_session.c

@@ -7521,3 +7521,7 @@ size_t
 nghttp2_session_get_hd_deflate_dynamic_table_size(nghttp2_session *session) {
   return nghttp2_hd_deflate_get_dynamic_table_size(&session->hd_deflater);
 }
+
+void nghttp2_session_set_user_data(nghttp2_session *session, void *user_data) {
+  session->user_data = user_data;
+}

src/shrpx.cc

@@ -573,9 +573,14 @@ void signal_cb(struct ev_loop *loop, ev_signal *w, int revents) {
   case EXEC_BINARY_SIGNAL:
     exec_binary();
     return;
-  case GRACEFUL_SHUTDOWN_SIGNAL:
+  case GRACEFUL_SHUTDOWN_SIGNAL: {
+    auto &listenerconf = get_config()->conn.listener;
+    for (auto &addr : listenerconf.addrs) {
+      close(addr.fd);
+    }
     ipc_send(wp, SHRPX_IPC_GRACEFUL_SHUTDOWN);
     return;
+  }
   case RELOAD_SIGNAL:
     reload_config(wp);
     return;
@@ -2361,7 +2366,7 @@ HTTP/2:
   -c, --frontend-http2-max-concurrent-streams=<N>
               Set the maximum number of  the concurrent streams in one
               frontend HTTP/2 session.
-              Default:  )"
+              Default: )"
       << config->http2.upstream.max_concurrent_streams << R"(
   --backend-http2-max-concurrent-streams=<N>
               Set the maximum number of  the concurrent streams in one

src/shrpx_connection_handler.cc

@@ -452,6 +452,8 @@ void ConnectionHandler::add_acceptor(std::unique_ptr<AcceptHandler> h) {
   acceptors_.push_back(std::move(h));
 }
 
+void ConnectionHandler::delete_acceptor() { acceptors_.clear(); }
+
 void ConnectionHandler::enable_acceptor() {
   for (auto &a : acceptors_) {
     a->enable();

src/shrpx_connection_handler.h

@@ -117,6 +117,7 @@ public:
   struct ev_loop *get_loop() const;
   Worker *get_single_worker() const;
   void add_acceptor(std::unique_ptr<AcceptHandler> h);
+  void delete_acceptor();
   void enable_acceptor();
   void disable_acceptor();
   void sleep_acceptor(ev_tstamp t);

src/shrpx_worker_process.cc

@@ -114,12 +114,10 @@ void graceful_shutdown(ConnectionHandler *conn_handler) {
 
   conn_handler->set_graceful_shutdown(true);
 
-  conn_handler->disable_acceptor();
-
-  // After disabling accepting new connection, dispatch incoming
-  // connection in backlog.
-
+  // TODO What happens for the connections not established in the
+  // kernel?
   conn_handler->accept_pending_connection();
+  conn_handler->delete_acceptor();
 
   conn_handler->graceful_shutdown_worker();
 

src/util.cc

@@ -70,9 +70,16 @@ namespace nghttp2 {
 
 namespace util {
 
-#ifdef _WIN32
+#ifndef _WIN32
+namespace {
+int nghttp2_inet_pton(int af, const char *src, void *dst) {
+  return inet_pton(af, src, dst);
+}
+} // namespace
+#else // _WIN32
+namespace {
 // inet_pton-wrapper for Windows
-static int inet_pton(int af, const char *src, void *dst) {
+int nghttp2_inet_pton(int af, const char *src, void *dst) {
 #if _WIN32_WINNT >= 0x0600
   return InetPtonA(af, src, dst);
 #else
@@ -88,6 +95,7 @@ static int inet_pton(int af, const char *src, void *dst) {
   return 0;
 #endif
 }
+} // namespace
 #endif // _WIN32
 
 const char UPPER_XDIGITS[] = "0123456789ABCDEF";
@@ -662,7 +670,7 @@ bool numeric_host(const char *hostname, int family) {
   int rv;
   std::array<uint8_t, sizeof(struct in6_addr)> dst;
 
-  rv = inet_pton(family, hostname, dst.data());
+  rv = nghttp2_inet_pton(family, hostname, dst.data());
 
   return rv == 1;
 }
@@ -959,7 +967,7 @@ int get_socket_error(int fd) {
 
 bool ipv6_numeric_addr(const char *host) {
   uint8_t dst[16];
-  return inet_pton(AF_INET6, host, dst) == 1;
+  return nghttp2_inet_pton(AF_INET6, host, dst) == 1;
 }
 
 namespace {

tests/nghttp2_session_test.c

@@ -10437,6 +10437,7 @@ void test_nghttp2_http_mandatory_headers(void) {
                                     MAKE_NV("content-length", "0")};
   const nghttp2_nv clnonzero204_resnv[] = {MAKE_NV(":status", "204"),
                                            MAKE_NV("content-length", "100")};
+  const nghttp2_nv status101_resnv[] = {MAKE_NV(":status", "101")};
 
   /* test case for request */
   const nghttp2_nv nopath_reqnv[] = {MAKE_NV(":scheme", "https"),
@@ -10551,6 +10552,12 @@ void test_nghttp2_http_mandatory_headers(void) {
       session, &deflater, 21, NGHTTP2_STREAM_OPENING, clnonzero204_resnv,
       ARRLEN(clnonzero204_resnv));
 
+  /* status code 101 should not be used in HTTP/2 because it is used
+     for HTTP Upgrade which HTTP/2 removes. */
+  check_nghttp2_http_recv_headers_fail(session, &deflater, 23,
+                                       NGHTTP2_STREAM_OPENING, status101_resnv,
+                                       ARRLEN(status101_resnv));
+
   nghttp2_hd_deflate_free(&deflater);
 
   nghttp2_session_del(session);