From 84399d58a22585fe0f78794913ac1ac522dcf4d4 Mon Sep 17 00:00:00 2001
From: Peter van Dijk
Date: Thu, 15 Feb 2024 16:35:28 +0100
Subject: [PATCH 1/2] dnsdist: update to 1.9.0

Signed-off-by: Peter van Dijk
---
 net/dnsdist/Config.in | 8 --------
 net/dnsdist/Makefile | 11 ++++-------
 2 files changed, 4 insertions(+), 15 deletions(-)

diff --git a/net/dnsdist/Config.in b/net/dnsdist/Config.in
index 7eaec7ae9abacd..7a2aaf6daccb67 100644
--- a/net/dnsdist/Config.in
+++ b/net/dnsdist/Config.in
@@ -28,14 +28,6 @@ menu "Configuration"
 "Enables DNS over HTTPS Support for dnsdist" default y - config DNSDIST_DNS_OVER_HTTPS_OUTGOING - depends on DNSDIST_OPENSSL - depends on !DNSDIST_NOSSL - bool "Outgoing DNS over HTTPS Support" - help - "Enables Outgoing DNS over HTTPS Support for dnsdist" - default y - config DNSDIST_DNS_OVER_TLS - depends on !DNSDIST_NOSSL - bool "DNS over TLS Support"
diff --git a/net/dnsdist/Makefile b/net/dnsdist/Makefile
index 31bae41306e8d4..a669f14dfe97b4 100644
--- a/net/dnsdist/Makefile
+++ b/net/dnsdist/Makefile
@@ -1,12 +1,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsdist
-PKG_VERSION:=1.8.3
-PKG_RELEASE:=2
+PKG_VERSION:=1.9.0
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://downloads.powerdns.com/releases/
-PKG_HASH:=858323f2ed5181488bb7558fbf4f84ec7198600b070b2c5375d15d40695727f4
+PKG_HASH:=16bab15cad9245571806398a8e4a5dc32a92b6bb60e617c12fe958c945889c7c
 
 PKG_MAINTAINER:=Peter van Dijk
 PKG_LICENSE:=GPL-2.0-only
@@ -75,9 +75,8 @@ define Package/dnsdist
 +DNSDIST_LIBEDIT:libedit \
 +DNSDIST_DNSTAP:libfstrm \
 +DNSDIST_GNUTLS:libgnutls \
- +DNSDIST_DNS_OVER_HTTPS:libh2o-evloop \
+ +DNSDIST_DNS_OVER_HTTPS:libnghttp2 \
 +DNSDIST_NET_SNMP:libnetsnmp \
- +DNSDIST_DNS_OVER_HTTPS_OUTGOING:libnghttp2 \
 +DNSDIST_OPENSSL:libopenssl \
 +DNSDIST_SODIUM:libsodium \
 +DNSDIST_LMDB:lmdb \
@@ -95,7 +94,6 @@ define Package/dnsdist-full
 +libedit \
 +libfstrm \
 +libgnutls \
- +libh2o-evloop \
 +libnetsnmp \
 +libnghttp2 \
 +libopenssl \
@@ -165,7 +163,6 @@ CONFIGURE_ARGS+= \
 $(if $(call IsEnabled,DNSDIST_IPCIPHER),--enable,--disable)-ipcipher \
 $(if $(call IsEnabled,DNSDIST_EBPF),--with,--without)-ebpf \
 $(if $(call IsEnabled,DNSDIST_DNS_OVER_HTTPS),--enable-dns-over-https,) \
- $(if $(call IsEnabled,DNSDIST_DNS_OVER_HTTPS_OUTGOING),--with,--without)-nghttp2
 
 $(eval $(call BuildPackage,dnsdist))
 $(eval $(call BuildPackage,dnsdist-full))

From 27f505d9a3fccea37a0fadff739b4dea96d3916a Mon Sep 17 00:00:00 2001
From: Peter van Dijk
Date: Fri, 16 Feb 2024 15:29:04 +0100
Subject: [PATCH 2/2] h2o: remove, nothing depends on it anymore

Signed-off-by: Peter van Dijk
---
 libs/h2o/Makefile | 59 -----
 libs/h2o/patches/100-socket_disable_npn.patch | 22 --
 .../200-libh2o-evloop_wslay-link.patch | 43 ----
 .../patches/300-picotls-chacha-detect.patch | 17 --
 .../h2o/patches/400-backtrace-detection.patch | 70 ------
 libs/h2o/patches/500-openssl.patch | 96 ---------
 libs/h2o/patches/600-engine.patch | 28 ---
 libs/h2o/patches/700-no-mime-map.patch | 73 -------
 .../patches/800-smaller-write-buffer.patch | 11 -
 libs/h2o/patches/900-cve-2023-44487.patch | 203 ------------------
 libs/h2o/patches/901-bump-soname.patch | 35 ---
 11 files changed, 657 deletions(-)
 delete mode 100644 libs/h2o/Makefile
 delete mode 100644 libs/h2o/patches/100-socket_disable_npn.patch
 delete mode 100644 libs/h2o/patches/200-libh2o-evloop_wslay-link.patch
 delete mode 100644 libs/h2o/patches/300-picotls-chacha-detect.patch
 delete mode 100644 libs/h2o/patches/400-backtrace-detection.patch
 delete mode 100644 libs/h2o/patches/500-openssl.patch
 delete mode 100644 libs/h2o/patches/600-engine.patch
 delete mode 100644 libs/h2o/patches/700-no-mime-map.patch
 delete mode 100644 libs/h2o/patches/800-smaller-write-buffer.patch
 delete mode 100644 libs/h2o/patches/900-cve-2023-44487.patch
 delete mode 100644 libs/h2o/patches/901-bump-soname.patch

diff --git a/libs/h2o/Makefile b/libs/h2o/Makefile
deleted file mode 100644
index 9ff131de3686c5..00000000000000
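Review bot: Removing the explicit `--with/--without-nghttp2` switch without a replacement leaves nghttp2 detection to configure itself, so a build with DNSDIST_DNS_OVER_HTTPS disabled can still link against libnghttp2 whenever it happens to be present in the staging directory, giving a binary with a dependency the package does not declare (this assumes 1.9.0's configure probes for nghttp2 by default when not told otherwise; worth confirming against its configure script). Since the DEPENDS hunk above now maps DNSDIST_DNS_OVER_HTTPS to libnghttp2, the cleanest fix is to keep the switch keyed on that same symbol: `$(if $(call IsEnabled,DNSDIST_DNS_OVER_HTTPS),--with,--without)-nghttp2`. As written, the `--enable-dns-over-https,) \` line is also now the last entry of CONFIGURE_ARGS and keeps its trailing backslash, which continues the list onto the following blank line; GNU make tolerates it, but it is an easy place for the next addition to go wrong, and putting the line above in its place fixes that too. The start of the CONFIGURE_ARGS block is outside the hunk.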
--- a/libs/h2o/Makefile
+++ /dev/null
@@ -1,59 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=h2o
-PKG_VERSION:=2.2.6
-PKG_RELEASE:=15
-
-PKG_SOURCE_URL:=https://codeload.github.com/h2o/h2o/tar.gz/v${PKG_VERSION}?
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_HASH:=f8cbc1b530d85ff098f6efc2c3fdbc5e29baffb30614caac59d5c710f7bda201
-
-PKG_MAINTAINER:=Peter van Dijk
-PKG_LICENSE:=MIT
-PKG_LICENSE_FILES:=LICENSE
-
-include $(INCLUDE_DIR)/package.mk
-include $(INCLUDE_DIR)/cmake.mk
-
-PKG_BUILD_DEPENDS:=libwslay
-
-CMAKE_OPTIONS += \
- -DBUILD_SHARED_LIBS=ON \
- -DWITH_MRUBY=OFF
-
-define Package/libh2o-evloop
- SECTION:=libs
- CATEGORY:=Libraries
- TITLE:=H2O Library compiled with its own event loop
- URL:=https://h2o.examp1e.net/
- DEPENDS:=+libopenssl +zlib
-endef
-
-define Package/libh2o
- SECTION:=libs
- CATEGORY:=Libraries
- TITLE:=H2O Library compiled with libuv
- URL:=https://h2o.examp1e.net/
- DEPENDS:=+libuv +libopenssl +zlib +libyaml
-endef
-
-define Build/InstallDev
- $(call Build/InstallDev/cmake,$(1))
- $(SED) 's,/usr/include,$$$${prefix}/include,g' $(1)/usr/lib/pkgconfig/libh2o-evloop.pc
- $(SED) 's,/usr/lib,$$$${exec_prefix}/lib,g' $(1)/usr/lib/pkgconfig/libh2o-evloop.pc
- $(SED) 's,/usr/include,$$$${prefix}/include,g' $(1)/usr/lib/pkgconfig/libh2o.pc
- $(SED) 's,/usr/lib,$$$${exec_prefix}/lib,g' $(1)/usr/lib/pkgconfig/libh2o.pc
-endef
-
-define Package/libh2o-evloop/install
- $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libh2o-evloop.so* $(1)/usr/lib/
-endef
-
-define Package/libh2o/install
- $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libh2o.so* $(1)/usr/lib/
-endef
-
-$(eval $(call BuildPackage,libh2o-evloop))
-$(eval $(call BuildPackage,libh2o))
diff --git a/libs/h2o/patches/100-socket_disable_npn.patch b/libs/h2o/patches/100-socket_disable_npn.patch
deleted file mode 100644
index d3f9c7169819e0..00000000000000
--- a/libs/h2o/patches/100-socket_disable_npn.patch
+++ /dev/null
@@ -1,22 +0,0 @@ ---- a/include/h2o/socket.h -+++ b/include/h2o/socket.h -@@ -29,6 +29,7 @@ extern "C" { - #include - #include - #include -+#include - #include "h2o/cache.h" - #include "h2o/memory.h" - #include "h2o/openssl_backport.h" -@@ -44,7 +45,11 @@ extern "C" { - - #if OPENSSL_VERSION_NUMBER >= 0x10002000L - #define H2O_USE_ALPN 1 -+#ifndef OPENSSL_NO_NEXTPROTONEG - #define H2O_USE_NPN 1 -+#else -+#define H2O_USE_NPN 0 -+#endif - #elif OPENSSL_VERSION_NUMBER >= 0x10001000L - #define H2O_USE_ALPN 0 - #define H2O_USE_NPN 1 diff --git a/libs/h2o/patches/200-libh2o-evloop_wslay-link.patch b/libs/h2o/patches/200-libh2o-evloop_wslay-link.patch deleted file mode 100644 index d15a6b3e9a0042..00000000000000 --- a/libs/h2o/patches/200-libh2o-evloop_wslay-link.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From f7d5cb83826c7e2b1a3dc618b434d85df130a4d5 Mon Sep 17 00:00:00 2001 -From: James Taylor -Date: Tue, 10 Dec 2019 21:58:45 +1100 -Subject: [PATCH] Explicitly link against WSLAY when available - -When other libraries attempt to link against libh2o and libh2o-evloop that was -compiled with libwslay available, there are errors from missing symbols -associated with code which makes use of the wslay library. To rectify this, -explicitly link against libwslay during the build process. - -Fixes #2105 - -Signed-off-by: James Taylor ---- - CMakeLists.txt | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -386,13 +386,21 @@ SET_TARGET_PROPERTIES(libh2o PROPERTIES - OUTPUT_NAME h2o - VERSION ${LIBRARY_VERSION} - SOVERSION ${LIBRARY_SOVERSION}) --TARGET_LINK_LIBRARIES(libh2o ${LIBUV_LIBRARIES} ${EXTRA_LIBS}) -+IF (WSLAY_FOUND) -+ TARGET_LINK_LIBRARIES(libh2o ${WSLAY_LIBRARIES} ${LIBUV_LIBRARIES} ${EXTRA_LIBS}) -+ELSE () -+ TARGET_LINK_LIBRARIES(libh2o ${LIBUV_LIBRARIES} ${EXTRA_LIBS}) -+ENDIF (WSLAY_FOUND) - SET_TARGET_PROPERTIES(libh2o-evloop PROPERTIES - OUTPUT_NAME h2o-evloop - COMPILE_FLAGS "-DH2O_USE_LIBUV=0" - VERSION ${LIBRARY_VERSION} - SOVERSION ${LIBRARY_SOVERSION}) --TARGET_LINK_LIBRARIES(libh2o-evloop ${EXTRA_LIBS}) -+IF (WSLAY_FOUND) -+ TARGET_LINK_LIBRARIES(libh2o-evloop ${WSLAY_LIBRARIES} ${EXTRA_LIBS}) -+ELSE () -+ TARGET_LINK_LIBRARIES(libh2o-evloop ${EXTRA_LIBS}) -+ENDIF (WSLAY_FOUND) - - IF (OPENSSL_FOUND) - TARGET_INCLUDE_DIRECTORIES(libh2o PUBLIC ${OPENSSL_INCLUDE_DIR}) diff --git a/libs/h2o/patches/300-picotls-chacha-detect.patch b/libs/h2o/patches/300-picotls-chacha-detect.patch deleted file mode 100644 index 5fc7932850422e..00000000000000 --- a/libs/h2o/patches/300-picotls-chacha-detect.patch +++ /dev/null 
@@ -1,17 +0,0 @@ ---- a/deps/picotls/include/picotls/openssl.h -+++ b/deps/picotls/include/picotls/openssl.h -@@ -26,11 +26,14 @@ - #include - #include - #include -+#include - #include "../picotls.h" - - #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) - #define PTLS_OPENSSL_HAVE_CHACHA20_POLY1305 - #endif -+#endif - - extern ptls_key_exchange_algorithm_t ptls_openssl_secp256r1; - extern ptls_key_exchange_algorithm_t *ptls_openssl_key_exchanges[]; diff --git a/libs/h2o/patches/400-backtrace-detection.patch b/libs/h2o/patches/400-backtrace-detection.patch deleted file mode 100644 index d74937f17be947..00000000000000 --- a/libs/h2o/patches/400-backtrace-detection.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 03dbd6757d043581b5d250107b6f1cda6ae203a9 Mon Sep 17 00:00:00 2001 -From: Frederik Deweerdt -Date: Wed, 25 Oct 2017 13:52:28 -0700 -Subject: [PATCH] Autodetect backtrace and backtrace_symbols_fd - ---- - CMakeLists.txt | 13 +++++++++++++ - src/main.c | 10 ++++++---- - 2 files changed, 19 insertions(+), 4 deletions(-) - ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -58,6 +58,19 @@ __sync_add_and_fetch(&a, 1); - return 0; - }" ARCH_SUPPORTS_64BIT_ATOMICS) - -+CHECK_C_SOURCE_COMPILES(" -+#include -+int main(void) { -+void *p[10]; -+int ret = backtrace(p, 10); -+backtrace_symbols_fd(p, ret, 2); -+return 0; -+}" LIBC_HAS_BACKTRACE) -+ -+IF (LIBC_HAS_BACKTRACE) -+ ADD_DEFINITIONS("-DLIBC_HAS_BACKTRACE") -+ENDIF () -+ - SET(WITH_BUNDLED_SSL_DEFAULT "ON") - IF ((NOT UNIX) OR CYGWIN) - SET(WITH_BUNDLED_SSL_DEFAULT "OFF") ---- a/src/main.c -+++ b/src/main.c -@@ -48,7 +48,7 @@ - #include - #include - #include --#ifdef __GLIBC__ -+#ifdef LIBC_HAS_BACKTRACE - #include - #endif - #if H2O_USE_PICOTLS -@@ -1436,7 +1436,8 @@ static void on_sigterm(int signo) - notify_all_threads(); - } - --#ifdef __GLIBC__ -+#ifdef LIBC_HAS_BACKTRACE -+ - static int popen_crash_handler(void) - { - char *cmd_fullpath = h2o_configurator_get_cmd_path(conf.crash_handler), *argv[] = {cmd_fullpath, NULL}; -@@ -1488,13 +1489,14 @@ static void on_sigfatal(int signo) - - raise(signo); - } --#endif -+ -+#endif /* LIBC_HAS_BACKTRACE */ - - static void setup_signal_handlers(void) - { - h2o_set_signal_handler(SIGTERM, on_sigterm); - h2o_set_signal_handler(SIGPIPE, SIG_IGN); --#ifdef __GLIBC__ -+#ifdef LIBC_HAS_BACKTRACE - if ((crash_handler_fd = popen_crash_handler()) == -1) - crash_handler_fd = 2; - h2o_set_signal_handler(SIGABRT, on_sigfatal); diff --git a/libs/h2o/patches/500-openssl.patch b/libs/h2o/patches/500-openssl.patch deleted file mode 100644 index 609077ee235eed..00000000000000 --- a/libs/h2o/patches/500-openssl.patch +++ /dev/null 
@@ -1,96 +0,0 @@ ---- a/deps/neverbleed/neverbleed.c -+++ b/deps/neverbleed/neverbleed.c -@@ -36,6 +36,7 @@ - #include - #include - #include -+#include - #include - #include - #include ---- a/deps/picotls/lib/openssl.c -+++ b/deps/picotls/lib/openssl.c -@@ -36,6 +36,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -941,7 +942,7 @@ int ptls_openssl_encrypt_ticket(ptls_buf - - Exit: - if (cctx != NULL) -- EVP_CIPHER_CTX_cleanup(cctx); -+ EVP_CIPHER_CTX_reset(cctx); - if (hctx != NULL) - HMAC_CTX_free(hctx); - return ret; -@@ -1011,7 +1012,7 @@ int ptls_openssl_decrypt_ticket(ptls_buf - - Exit: - if (cctx != NULL) -- EVP_CIPHER_CTX_cleanup(cctx); -+ EVP_CIPHER_CTX_reset(cctx); - if (hctx != NULL) - HMAC_CTX_free(hctx); - return ret; ---- a/src/main.c -+++ b/src/main.c -@@ -45,6 +45,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -1827,7 +1828,7 @@ static h2o_iovec_t on_extra_status(void - " \"listeners\": %zu,\n" - " \"worker-threads\": %zu,\n" - " \"num-sessions\": %lu", -- SSLeay_version(SSLEAY_VERSION), current_time, restart_time, (uint64_t)(now - conf.launch_time), generation, -+ OpenSSL_version(OPENSSL_VERSION), current_time, restart_time, (uint64_t)(now - conf.launch_time), generation, - num_connections(0), conf.max_connections, conf.num_listeners, conf.num_threads, num_sessions(0)); - assert(ret.len < BUFSIZE); - -@@ -2008,7 +2009,7 @@ int main(int argc, char **argv) - break; - case 'v': - printf("h2o version " H2O_VERSION "\n"); -- printf("OpenSSL: %s\n", SSLeay_version(SSLEAY_VERSION)); -+ printf("OpenSSL: %s\n", OpenSSL_version(OPENSSL_VERSION)); - #if H2O_USE_MRUBY - printf( - "mruby: YES\n"); /* TODO determine the way to obtain the version of mruby (that is being linked dynamically) */ ---- a/src/ssl.c -+++ b/src/ssl.c -@@ -911,6 +911,7 @@ void ssl_setup_session_resumption(SSL_CT - #endif - } - -+#if OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER) - static 
pthread_mutex_t *mutexes; - - static void lock_callback(int mode, int n, const char *file, int line) -@@ -937,9 +938,11 @@ static int add_lock_callback(int *num, i - - return __sync_add_and_fetch(num, amount); - } -+#endif - - void init_openssl(void) - { -+#if OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER) - int nlocks = CRYPTO_num_locks(), i; - mutexes = h2o_mem_alloc(sizeof(*mutexes) * nlocks); - for (i = 0; i != nlocks; ++i) -@@ -953,6 +956,7 @@ void init_openssl(void) - SSL_load_error_strings(); - SSL_library_init(); - OpenSSL_add_all_algorithms(); -+#endif - - cache_init_defaults(); - #if H2O_USE_SESSION_TICKETS diff --git a/libs/h2o/patches/600-engine.patch b/libs/h2o/patches/600-engine.patch deleted file mode 100644 index 90f677d97bbf0a..00000000000000 --- a/libs/h2o/patches/600-engine.patch +++ /dev/null @@ -1,28 +0,0 @@ ---- a/deps/neverbleed/neverbleed.c -+++ b/deps/neverbleed/neverbleed.c -@@ -1486,6 +1486,7 @@ int neverbleed_init(neverbleed_t *nb, ch - close(pipe_fds[0]); - pipe_fds[0] = -1; - -+#ifndef OPENSSL_NO_ENGINE - /* setup engine */ - if ((nb->engine = ENGINE_new()) == NULL || !ENGINE_set_id(nb->engine, "neverbleed") || - !ENGINE_set_name(nb->engine, "privilege separation software engine") || !ENGINE_set_RSA(nb->engine, rsa_method) -@@ -1497,6 +1498,7 @@ int neverbleed_init(neverbleed_t *nb, ch - goto Fail; - } - ENGINE_add(nb->engine); -+#endif - - /* setup thread key */ - pthread_key_create(&nb->thread_key, dispose_thread_data); -@@ -1515,7 +1517,9 @@ Fail: - if (listen_fd != -1) - close(listen_fd); - if (nb->engine != NULL) { -+#ifndef OPENSSL_NO_ENGINE - ENGINE_free(nb->engine); -+#endif - nb->engine = NULL; - } - return -1; diff --git a/libs/h2o/patches/700-no-mime-map.patch b/libs/h2o/patches/700-no-mime-map.patch deleted file mode 100644 index 7fccfa6fb4be65..00000000000000 --- a/libs/h2o/patches/700-no-mime-map.patch +++ /dev/null 
@@ -1,73 +0,0 @@ ---- a/lib/core/config.c -+++ b/lib/core/config.c -@@ -1,3 +1,4 @@ -+ - /* - * Copyright (c) 2014-2016 DeNA Co., Ltd. - * -@@ -37,7 +38,9 @@ static h2o_hostconf_t *create_hostconf(h - hostconf->http2.push_preload = 1; /* enabled by default */ - h2o_config_init_pathconf(&hostconf->fallback_path, globalconf, NULL, globalconf->mimemap); - hostconf->mimemap = globalconf->mimemap; -- h2o_mem_addref_shared(hostconf->mimemap); -+ if (hostconf->mimemap) { -+ h2o_mem_addref_shared(hostconf->mimemap); -+ } - return hostconf; - } - -@@ -54,7 +57,9 @@ static void destroy_hostconf(h2o_hostcon - } - free(hostconf->paths.entries); - h2o_config_dispose_pathconf(&hostconf->fallback_path); -- h2o_mem_release_shared(hostconf->mimemap); -+ if (hostconf->mimemap) { -+ h2o_mem_release_shared(hostconf->mimemap); -+ } - - free(hostconf); - } -@@ -136,8 +141,10 @@ void h2o_config_init_pathconf(h2o_pathco - h2o_chunked_register(pathconf); - if (path != NULL) - pathconf->path = h2o_strdup(NULL, path, SIZE_MAX); -- h2o_mem_addref_shared(mimemap); -- pathconf->mimemap = mimemap; -+ if (mimemap) { -+ h2o_mem_addref_shared(mimemap); -+ pathconf->mimemap = mimemap; -+ } - pathconf->error_log.emit_request_errors = 1; - } - -@@ -190,7 +197,7 @@ void h2o_config_init(h2o_globalconf_t *c - config->http2.latency_optimization.max_additional_delay = 10; - config->http2.latency_optimization.max_cwnd = 65535; - config->http2.callbacks = H2O_HTTP2_CALLBACKS; -- config->mimemap = h2o_mimemap_create(); -+ // config->mimemap = h2o_mimemap_create(); - - h2o_configurator__init_core(config); - } -@@ -279,7 +286,9 @@ void h2o_config_dispose(h2o_globalconf_t - } - free(config->hosts); - -- h2o_mem_release_shared(config->mimemap); -+ if (config->mimemap) { -+ h2o_mem_release_shared(config->mimemap); -+ } - h2o_configurator__dispose_configurators(config); - } - ---- a/lib/core/request.c -+++ b/lib/core/request.c -@@ -486,7 +486,7 @@ void h2o_req_fill_mime_attributes(h2o_re - ssize_t 
content_type_index; - h2o_mimemap_type_t *mime; - -- if (req->res.mime_attr != NULL) -+ if (req->res.mime_attr != NULL || req->pathconf->mimemap == NULL) - return; - - if ((content_type_index = h2o_find_header(&req->res.headers, H2O_TOKEN_CONTENT_TYPE, -1)) != -1 && diff --git a/libs/h2o/patches/800-smaller-write-buffer.patch b/libs/h2o/patches/800-smaller-write-buffer.patch deleted file mode 100644 index 5527ad57dad2e7..00000000000000 --- a/libs/h2o/patches/800-smaller-write-buffer.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/include/h2o/http2_internal.h -+++ b/include/h2o/http2_internal.h -@@ -33,7 +33,7 @@ - typedef struct st_h2o_http2_conn_t h2o_http2_conn_t; - typedef struct st_h2o_http2_stream_t h2o_http2_stream_t; - --#define H2O_HTTP2_DEFAULT_OUTBUF_SIZE 81920 /* the target size of each write call; connection flow control window + alpha */ -+#define H2O_HTTP2_DEFAULT_OUTBUF_SIZE 8192 /* the target size of each write call; connection flow control window + alpha */ - #define H2O_HTTP2_DEFAULT_OUTBUF_SOFT_MAX_SIZE 524288 /* 512KB; stops reading if size exceeds this value */ - - /* hpack */ diff --git a/libs/h2o/patches/900-cve-2023-44487.patch b/libs/h2o/patches/900-cve-2023-44487.patch deleted file mode 100644 index d5489d5a62f7fb..00000000000000 --- a/libs/h2o/patches/900-cve-2023-44487.patch +++ /dev/null 
@@ -1,203 +0,0 @@ -commit d07b601a5549798f8e500582336756e04dfd25c5 -Author: Remi Gacogne -Date: Tue Oct 10 15:47:57 2023 +0200 - - [http2] delay processing requests upon observing suspicious behavior - - Backport of 94fbc54b6c9309912fe3d53e7b63408bbe9a1b0d to v2.2.x - ---- a/include/h2o.h -+++ b/include/h2o.h -@@ -378,6 +378,10 @@ struct st_h2o_globalconf_t { - * list of callbacks - */ - h2o_protocol_callbacks_t callbacks; -+ /** -+ * milliseconds to delay processing requests when suspicious behavior is detected -+ */ -+ uint64_t dos_delay; - } http2; - - struct { -@@ -590,6 +594,10 @@ struct st_h2o_context_t { - * timeout entry used for graceful shutdown - */ - h2o_timeout_entry_t _graceful_shutdown_timeout; -+ /* -+ * dos timeout -+ */ -+ h2o_timeout_t dos_delay_timeout; - struct { - /** - * counter for http2 errors internally emitted by h2o ---- a/include/h2o/http2_internal.h -+++ b/include/h2o/http2_internal.h -@@ -179,6 +179,7 @@ struct st_h2o_http2_stream_t { - h2o_linklist_t link; - h2o_http2_scheduler_openref_t scheduler; - } _refs; -+ unsigned reset_by_peer : 1; - h2o_send_state_t send_state; /* state of the ostream, only used in push mode */ - /* placed at last since it is large and has it's own ctor */ - h2o_req_t req; -@@ -232,6 +233,13 @@ struct st_h2o_http2_conn_t { - } _write; - h2o_cache_t *push_memo; - h2o_http2_casper_t *casper; -+ /** -+ * DoS mitigation; the idea here is to delay processing requests when observing suspicious behavior -+ */ -+ struct { -+ h2o_timeout_entry_t process_delay; -+ size_t reset_budget; /* RST_STREAM frames are considered suspicious when this value goes down to zero */ -+ } dos_mitigation; - }; - - int h2o_http2_update_peer_settings(h2o_http2_settings_t *settings, const uint8_t *src, size_t len, const char **err_desc); ---- a/lib/core/config.c -+++ b/lib/core/config.c -@@ -196,6 +196,7 @@ void h2o_config_init(h2o_globalconf_t *c - config->http2.latency_optimization.min_rtt = 50; // milliseconds - 
config->http2.latency_optimization.max_additional_delay = 10; - config->http2.latency_optimization.max_cwnd = 65535; -+ config->http2.dos_delay = 100; /* 100ms processing delay when observing suspicious behavior */ - config->http2.callbacks = H2O_HTTP2_CALLBACKS; - // config->mimemap = h2o_mimemap_create(); - ---- a/lib/core/configurator.c -+++ b/lib/core/configurator.c -@@ -531,6 +531,12 @@ static int on_config_http2_casper(h2o_co - return 0; - } - -+ -+static int on_config_http2_dos_delay(h2o_configurator_command_t *cmd, h2o_configurator_context_t *ctx, yoml_t *node) -+{ -+ return config_timeout(cmd, node, &ctx->globalconf->http2.dos_delay); -+} -+ - static int assert_is_mimetype(h2o_configurator_command_t *cmd, yoml_t *node) - { - if (node->type != YOML_TYPE_SCALAR) { -@@ -910,6 +916,9 @@ void h2o_configurator__init_core(h2o_glo - on_config_http2_push_preload); - h2o_configurator_define_command(&c->super, "http2-casper", H2O_CONFIGURATOR_FLAG_GLOBAL | H2O_CONFIGURATOR_FLAG_HOST, - on_config_http2_casper); -+ h2o_configurator_define_command(&c->super, "http2-dos-delay", -+ H2O_CONFIGURATOR_FLAG_GLOBAL | H2O_CONFIGURATOR_FLAG_EXPECT_SCALAR, -+ on_config_http2_dos_delay); - h2o_configurator_define_command(&c->super, "file.mime.settypes", - (H2O_CONFIGURATOR_FLAG_ALL_LEVELS & ~H2O_CONFIGURATOR_FLAG_EXTENSION) | - H2O_CONFIGURATOR_FLAG_EXPECT_MAPPING, ---- a/lib/core/context.c -+++ b/lib/core/context.c -@@ -101,6 +101,7 @@ void h2o_context_init(h2o_context_t *ctx - h2o_linklist_init_anchor(&ctx->http1._conns); - h2o_timeout_init(ctx->loop, &ctx->http2.idle_timeout, config->http2.idle_timeout); - h2o_timeout_init(ctx->loop, &ctx->http2.graceful_shutdown_timeout, config->http2.graceful_shutdown_timeout); -+ h2o_timeout_init(ctx->loop, &ctx->http2.dos_delay_timeout, config->http2.dos_delay); - h2o_linklist_init_anchor(&ctx->http2._conns); - ctx->proxy.client_ctx.loop = loop; - h2o_timeout_init(ctx->loop, &ctx->proxy.io_timeout, config->proxy.io_timeout); -@@ -146,6 
+147,7 @@ void h2o_context_dispose(h2o_context_t * - h2o_timeout_dispose(ctx->loop, &ctx->http1.req_timeout); - h2o_timeout_dispose(ctx->loop, &ctx->http2.idle_timeout); - h2o_timeout_dispose(ctx->loop, &ctx->http2.graceful_shutdown_timeout); -+ h2o_timeout_dispose(ctx->loop, &ctx->http2.dos_delay_timeout); - h2o_timeout_dispose(ctx->loop, &ctx->proxy.io_timeout); - /* what should we do here? assert(!h2o_linklist_is_empty(&ctx->http2._conns); */ - ---- a/lib/http2/connection.c -+++ b/lib/http2/connection.c -@@ -161,7 +161,6 @@ static void update_idle_timeout(h2o_http - h2o_timeout_unlink(&conn->_timeout_entry); - - if (conn->num_streams.pull.half_closed + conn->num_streams.push.half_closed == 0) { -- assert(h2o_linklist_is_empty(&conn->_pending_reqs)); - conn->_timeout_entry.cb = on_idle_timeout; - h2o_timeout_link(conn->super.ctx->loop, &conn->super.ctx->http2.idle_timeout, &conn->_timeout_entry); - } -@@ -175,6 +174,9 @@ static int can_run_requests(h2o_http2_co - - static void run_pending_requests(h2o_http2_conn_t *conn) - { -+ if (h2o_timeout_is_linked(&conn->dos_mitigation.process_delay)) -+ return; -+ - while (!h2o_linklist_is_empty(&conn->_pending_reqs) && can_run_requests(conn)) { - /* fetch and detach a pending stream */ - h2o_http2_stream_t *stream = H2O_STRUCT_FROM_MEMBER(h2o_http2_stream_t, _refs.link, conn->_pending_reqs.next); -@@ -226,6 +228,16 @@ void h2o_http2_conn_unregister_stream(h2 - assert(h2o_http2_scheduler_is_open(&stream->_refs.scheduler)); - h2o_http2_scheduler_close(&stream->_refs.scheduler); - -+ /* Decrement reset_budget if the stream was reset by peer, otherwise increment. By doing so, we penalize connections that -+ * generate resets for >50% of requests. 
*/ -+ if (stream->reset_by_peer) { -+ if (conn->dos_mitigation.reset_budget > 0) -+ --conn->dos_mitigation.reset_budget; -+ } else { -+ if (conn->dos_mitigation.reset_budget < conn->super.ctx->globalconf->http2.max_concurrent_requests_per_connection) -+ ++conn->dos_mitigation.reset_budget; -+ } -+ - switch (stream->state) { - case H2O_HTTP2_STREAM_STATE_IDLE: - case H2O_HTTP2_STREAM_STATE_RECV_HEADERS: -@@ -272,6 +284,8 @@ void close_connection_now(h2o_http2_conn - h2o_hpack_dispose_header_table(&conn->_output_header_table); - assert(h2o_linklist_is_empty(&conn->_pending_reqs)); - h2o_timeout_unlink(&conn->_timeout_entry); -+ if (h2o_timeout_is_linked(&conn->dos_mitigation.process_delay)) -+ h2o_timeout_unlink(&conn->dos_mitigation.process_delay); - h2o_buffer_dispose(&conn->_write.buf); - if (conn->_write.buf_in_flight != NULL) - h2o_buffer_dispose(&conn->_write.buf_in_flight); -@@ -797,11 +811,19 @@ static int handle_rst_stream_frame(h2o_h - return H2O_HTTP2_ERROR_PROTOCOL; - } - -- stream = h2o_http2_conn_get_stream(conn, frame->stream_id); -- if (stream != NULL) { -+ if ((stream = h2o_http2_conn_get_stream(conn, frame->stream_id)) == NULL) -+ return 0; -+ - /* reset the stream */ -+ stream->reset_by_peer = 1; - h2o_http2_stream_reset(conn, stream); -- } -+ -+ /* setup process delay if we've just ran out of reset budget */ -+ if (conn->dos_mitigation.reset_budget == 0 && conn->super.ctx->globalconf->http2.dos_delay != 0 && -+ !h2o_timeout_is_linked(&conn->dos_mitigation.process_delay)) -+ h2o_timeout_link(conn->super.ctx->loop, &conn->super.ctx->http2.dos_delay_timeout, -+ &conn->dos_mitigation.process_delay); -+ - /* TODO log */ - - return 0; -@@ -1204,6 +1226,14 @@ static h2o_iovec_t log_priority_actual_w - return h2o_iovec_init(s, len); - } - -+static void on_dos_process_delay(h2o_timeout_entry_t *timer) -+{ -+ h2o_http2_conn_t *conn = H2O_STRUCT_FROM_MEMBER(h2o_http2_conn_t, dos_mitigation.process_delay, timer); -+ -+ 
assert(!h2o_timeout_is_linked(&conn->dos_mitigation.process_delay)); -+ run_pending_requests(conn); -+} -+ - static h2o_http2_conn_t *create_conn(h2o_context_t *ctx, h2o_hostconf_t **hosts, h2o_socket_t *sock, struct timeval connected_at) - { - static const h2o_conn_callbacks_t callbacks = { -@@ -1240,6 +1270,9 @@ static h2o_http2_conn_t *create_conn(h2o - conn->_write.timeout_entry.cb = emit_writereq; - h2o_http2_window_init(&conn->_write.window, &conn->peer_settings); - -+ conn->dos_mitigation.process_delay.cb = on_dos_process_delay; -+ conn->dos_mitigation.reset_budget = conn->super.ctx->globalconf->http2.max_concurrent_requests_per_connection; -+ - return conn; - } - diff --git a/libs/h2o/patches/901-bump-soname.patch b/libs/h2o/patches/901-bump-soname.patch deleted file mode 100644 index 6ae3c225baf569..00000000000000 --- a/libs/h2o/patches/901-bump-soname.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-commit e47cd15ff1fec9211088c809cb92593800dd4da2
-Author: Peter van Dijk
-Date: Wed Oct 11 11:39:48 2023 +0200
-
- bump soname
-
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -29,9 +29,9 @@ SET(VERSION_MINOR "2")
- SET(VERSION_PATCH "6")
- SET(VERSION_PRERELEASE "")
- SET(VERSION "${VERSION_MAJOR}.${VERSION_MINOR}.${VERSION_PATCH}${VERSION_PRERELEASE}")
--SET(LIBRARY_VERSION_MAJOR "0")
--SET(LIBRARY_VERSION_MINOR "13")
--SET(LIBRARY_VERSION_PATCH "6")
-+SET(LIBRARY_VERSION_MAJOR "1")
-+SET(LIBRARY_VERSION_MINOR "0")
-+SET(LIBRARY_VERSION_PATCH "0")
- SET(LIBRARY_VERSION "${LIBRARY_VERSION_MAJOR}.${LIBRARY_VERSION_MINOR}.${LIBRARY_VERSION_PATCH}${VERSION_PRERELEASE}")
- SET(LIBRARY_SOVERSION "${LIBRARY_VERSION_MAJOR}.${LIBRARY_VERSION_MINOR}")
-
---- a/include/h2o/version.h
-+++ b/include/h2o/version.h
-@@ -28,8 +28,8 @@
- #define H2O_VERSION_MINOR 2
- #define H2O_VERSION_PATCH 6
-
--#define H2O_LIBRARY_VERSION_MAJOR 0
--#define H2O_LIBRARY_VERSION_MINOR 13
--#define H2O_LIBRARY_VERSION_PATCH 6
-+#define H2O_LIBRARY_VERSION_MAJOR 1
-+#define H2O_LIBRARY_VERSION_MINOR 0
-+#define H2O_LIBRARY_VERSION_PATCH 0
-
- #endif