* [gentoo-commits] repo/gentoo:master commit in: www-servers/h2o/files/, www-servers/h2o/
@ 2018-07-04 13:57 Akinori Hattori
From: Akinori Hattori @ 2018-07-04 13:57 UTC (permalink / raw
  To: gentoo-commits
commit:     56d9c51fe6a474950f04fe2597fc7d768c4c9d04
Author:     Akinori Hattori <hattya <AT> gentoo <DOT> org>
AuthorDate: Wed Jul  4 13:56:33 2018 +0000
Commit:     Akinori Hattori <hattya <AT> gentoo <DOT> org>
CommitDate: Wed Jul  4 13:56:33 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56d9c51f
www-servers/h2o: use system oniguruma
Closes: https://bugs.gentoo.org/655462
Package-Manager: Portage-2.3.40, Repoman-2.3.9
 www-servers/h2o/files/h2o-2.2-mruby.patch | 67 ++++++++++++++++++++++++++++
 www-servers/h2o/files/h2o-2.3-mruby.patch | 73 +++++++++++++++++++++++++++++++
 www-servers/h2o/h2o-2.2.4.ebuild          | 15 +++++--
 www-servers/h2o/h2o-9999.ebuild           | 12 ++++-
 4 files changed, 162 insertions(+), 5 deletions(-)
diff --git a/www-servers/h2o/files/h2o-2.2-mruby.patch b/www-servers/h2o/files/h2o-2.2-mruby.patch
new file mode 100644
index 00000000000..e542ba8b64d
--- /dev/null
+++ b/www-servers/h2o/files/h2o-2.2-mruby.patch
@@ -0,0 +1,67 @@
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -157,6 +157,16 @@
+     SET(WSLAY_LIBRARIES -lwslay)
+ ENDIF (NOT WSLAY_FOUND)
+ 
++IF (PKG_CONFIG_FOUND)
++    PKG_CHECK_MODULES(ONIG oniguruma)
++    IF (ONIG_FOUND)
++        LINK_DIRECTORIES(${ONIG_LIBRARY_DIRS})
++    ENDIF (ONIG_FOUND)
++ENDIF (PKG_CONFIG_FOUND)
++IF (NOT ONIG_FOUND AND WITH_RUBY)
++    MESSAGE(FATAL_ERROR "Oniguruma not found")
++ENDIF (NOT ONIG_FOUND AND WITH_RUBY)
++
+ IF (ZLIB_FOUND)
+     INCLUDE_DIRECTORIES(${ZLIB_INCLUDE_DIRS})
+     LINK_DIRECTORIES(${ZLIB_LIBRARY_DIRS})
+@@ -460,7 +470,7 @@
+     ELSE ()
+         SET(MRUBY_TOOLCHAIN "gcc")
+     ENDIF ()
+-    ADD_CUSTOM_TARGET(mruby MRUBY_TOOLCHAIN=${MRUBY_TOOLCHAIN} MRUBY_CONFIG=${CMAKE_CURRENT_SOURCE_DIR}/misc/mruby_config.rb MRUBY_BUILD_DIR=${CMAKE_CURRENT_BINARY_DIR}/mruby ruby minirake
++    ADD_CUSTOM_TARGET(mruby MRUBY_TOOLCHAIN=${MRUBY_TOOLCHAIN} MRUBY_CONFIG=${CMAKE_CURRENT_SOURCE_DIR}/misc/mruby_config.rb MRUBY_BUILD_DIR=${CMAKE_CURRENT_BINARY_DIR}/mruby ruby minirake -v
+         WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/deps/mruby)
+     LIST(APPEND STANDALONE_SOURCE_FILES
+         lib/handler/mruby.c
+@@ -491,7 +501,7 @@
+     # note: the paths need to be determined before libmruby.flags.mak is generated
+     TARGET_LINK_LIBRARIES(h2o
+         "${CMAKE_CURRENT_BINARY_DIR}/mruby/host/lib/libmruby.a"
+-        "${CMAKE_CURRENT_BINARY_DIR}/mruby/host/mrbgems/mruby-onig-regexp/onigmo-6.1.1/.libs/libonigmo.a"
++        ${ONIG_LIBRARIES}
+         "m")
+     ADD_DEPENDENCIES(h2o mruby)
+ ENDIF (WITH_MRUBY)
+--- a/deps/mruby-onig-regexp/mrbgem.rake
++++ b/deps/mruby-onig-regexp/mrbgem.rake
+@@ -101,9 +101,7 @@
+     cc.defines += ['HAVE_ONIGMO_H']
+   end
+ 
+-  if spec.respond_to? :search_package and spec.search_package 'onigmo'
+-    spec.cc.defines += ['HAVE_ONIGMO_H']
+-  elsif spec.respond_to? :search_package and spec.search_package 'oniguruma'
++  if spec.respond_to? :search_package and spec.search_package 'oniguruma'
+     spec.cc.defines += ['HAVE_ONIGURUMA_H']
+   elsif build.cc.respond_to? :search_header_path and build.cc.search_header_path 'oniguruma.h'
+     spec.linker.libraries << 'onig'
+--- a/misc/mruby_config.rb
++++ b/misc/mruby_config.rb
+@@ -15,13 +15,7 @@
+   # use mrbgems
+   Dir.glob("../mruby-*/mrbgem.rake") do |x|
+     g = File.basename File.dirname x
+-    if g == 'mruby-onig-regexp'
+-      conf.gem "../deps/#{g}" do |c|
+-        c.bundle_onigmo
+-      end
+-    else
+-      conf.gem "../deps/#{g}"
+-    end
++    conf.gem "../deps/#{g}"
+   end
+ 
+   # include all the core GEMs
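Review bot: The added guard `IF (NOT ONIG_FOUND AND WITH_RUBY)` tests `WITH_RUBY`, but the only mruby switch visible in this CMakeLists.txt excerpt is `WITH_MRUBY` (see `ENDIF (WITH_MRUBY)` in the last CMake hunk), so the `FATAL_ERROR` presumably never fires. When oniguruma is missing, or pkg-config itself is not found, `${ONIG_LIBRARIES}` then expands to nothing in `TARGET_LINK_LIBRARIES(h2o ...)` and the problem only surfaces as unresolved symbols at link time. The condition should read `IF (NOT ONIG_FOUND AND WITH_MRUBY)` with the matching `ENDIF (NOT ONIG_FOUND AND WITH_MRUBY)`. The same two lines are in h2o-2.3-mruby.patch later in this commit. Failing at configure time matters here because the patch removes the bundled onigmo entirely, so the system library is the only regex engine the build can use.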
diff --git a/www-servers/h2o/files/h2o-2.3-mruby.patch b/www-servers/h2o/files/h2o-2.3-mruby.patch
new file mode 100644
index 00000000000..a0ad25eba27
--- /dev/null
+++ b/www-servers/h2o/files/h2o-2.3-mruby.patch
@@ -0,0 +1,73 @@
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -174,6 +174,16 @@
+     SET(WSLAY_LIBRARIES -lwslay)
+ ENDIF (NOT WSLAY_FOUND)
+ 
++IF (PKG_CONFIG_FOUND)
++    PKG_CHECK_MODULES(ONIG oniguruma)
++    IF (ONIG_FOUND)
++        LINK_DIRECTORIES(${ONIG_LIBRARY_DIRS})
++    ENDIF (ONIG_FOUND)
++ENDIF (PKG_CONFIG_FOUND)
++IF (NOT ONIG_FOUND AND WITH_RUBY)
++    MESSAGE(FATAL_ERROR "Oniguruma not found")
++ENDIF (NOT ONIG_FOUND AND WITH_RUBY)
++
+ IF (ZLIB_FOUND)
+     INCLUDE_DIRECTORIES(${ZLIB_INCLUDE_DIRS})
+     LINK_DIRECTORIES(${ZLIB_LIBRARY_DIRS})
+@@ -533,7 +543,7 @@
+     ELSE ()
+         SET(MRUBY_TOOLCHAIN "gcc")
+     ENDIF ()
+-    ADD_CUSTOM_TARGET(mruby MRUBY_TOOLCHAIN=${MRUBY_TOOLCHAIN} MRUBY_CONFIG=${CMAKE_CURRENT_SOURCE_DIR}/misc/mruby_config.rb MRUBY_BUILD_DIR=${CMAKE_CURRENT_BINARY_DIR}/mruby MRUBY_ADDITIONAL_CONFIG=${MRUBY_ADDITIONAL_CONFIG} ruby minirake
++    ADD_CUSTOM_TARGET(mruby MRUBY_TOOLCHAIN=${MRUBY_TOOLCHAIN} MRUBY_CONFIG=${CMAKE_CURRENT_SOURCE_DIR}/misc/mruby_config.rb MRUBY_BUILD_DIR=${CMAKE_CURRENT_BINARY_DIR}/mruby MRUBY_ADDITIONAL_CONFIG=${MRUBY_ADDITIONAL_CONFIG} ruby minirake -v
+         WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/deps/mruby)
+     LIST(APPEND STANDALONE_SOURCE_FILES
+         lib/handler/mruby.c
+@@ -560,7 +570,7 @@
+     # note: the paths need to be determined before libmruby.flags.mak is generated
+     TARGET_LINK_LIBRARIES(h2o
+         "${CMAKE_CURRENT_BINARY_DIR}/mruby/host/lib/libmruby.a"
+-        "${CMAKE_CURRENT_BINARY_DIR}/mruby/host/mrbgems/mruby-onig-regexp/onigmo-6.1.2/.libs/libonigmo.a"
++        ${ONIG_LIBRARIES}
+         "m")
+     ADD_DEPENDENCIES(h2o mruby)
+ ENDIF (WITH_MRUBY)
+--- a/deps/mruby-onig-regexp/mrbgem.rake
++++ b/deps/mruby-onig-regexp/mrbgem.rake
+@@ -101,15 +101,9 @@
+     file "#{dir}/src/mruby_onig_regexp.c" => [:mruby_onig_regexp_with_compile_option, oniguruma_lib]
+   end
+ 
+-  if spec.respond_to? :search_package and spec.search_package 'onigmo'
+-    spec.cc.defines += ['HAVE_ONIGMO_H']
+-    spec.linker.libraries << 'onig'
+-  elsif spec.respond_to? :search_package and spec.search_package 'oniguruma'
++  if spec.respond_to? :search_package and spec.search_package 'oniguruma'
+     spec.cc.defines += ['HAVE_ONIGURUMA_H']
+     spec.linker.libraries << 'onig'
+-  elsif build.cc.respond_to? :search_header_path and build.cc.search_header_path 'onigmo.h'
+-    spec.cc.defines += ['HAVE_ONIGMO_H']
+-    spec.linker.libraries << 'onigmo'
+   elsif build.cc.respond_to? :search_header_path and build.cc.search_header_path 'oniguruma.h'
+     spec.cc.defines += ['HAVE_ONIGURUMA_H']
+     spec.linker.libraries << 'onig'
+--- a/misc/mruby_config.rb
++++ b/misc/mruby_config.rb
+@@ -15,13 +15,7 @@
+   # use mrbgems
+   Dir.glob("../mruby-*/mrbgem.rake") do |x|
+     g = File.basename File.dirname x
+-    if g == 'mruby-onig-regexp'
+-      conf.gem "../deps/#{g}" do |c|
+-        c.bundle_onigmo
+-      end
+-    else
+-      conf.gem "../deps/#{g}"
+-    end
++    conf.gem "../deps/#{g}"
+   end
+ 
+   # include all the core GEMs
diff --git a/www-servers/h2o/h2o-2.2.4.ebuild b/www-servers/h2o/h2o-2.2.4.ebuild
index 449ca5e6711..25c1690eeeb 100644
--- a/www-servers/h2o/h2o-2.2.4.ebuild
+++ b/www-servers/h2o/h2o-2.2.4.ebuild
@@ -5,7 +5,7 @@ EAPI="6"
 CMAKE_MAKEFILE_GENERATOR="emake"
 USE_RUBY="ruby23 ruby24"
 
-inherit cmake-utils ruby-single systemd user
+inherit cmake-utils ruby-single systemd toolchain-funcs user
 
 DESCRIPTION="H2O - the optimized HTTP/1, HTTP/2 server"
 HOMEPAGE="https://h2o.examp1e.net/"
@@ -22,11 +22,16 @@ RDEPEND="dev-lang/perl
 	libressl? ( dev-libs/libressl:0= )"
 DEPEND="${RDEPEND}
 	mruby? (
-		sys-devel/bison
 		${RUBY_DEPS}
+		dev-libs/oniguruma
+		sys-devel/bison
+		virtual/pkgconfig
 	)"
 
-PATCHES=( "${FILESDIR}"/${P}-libressl.patch )
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.2-mruby.patch
+	"${FILESDIR}"/${P}-libressl.patch
+)
 
 pkg_setup() {
 	enewgroup ${PN}
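Review bot: `dev-libs/oniguruma` is added to `DEPEND` only, yet the accompanying mruby patch links h2o against `${ONIG_LIBRARIES}` from pkg-config instead of the bundled static `libonigmo.a`. If that resolves to the shared library, the installed binary needs oniguruma at run time as well. In that case it also belongs in `RDEPEND`, for example `mruby? ( dev-libs/oniguruma:= )`, so that binary-package installs and depclean keep the library and an ABI change triggers a rebuild. `RDEPEND` starts above this hunk, so confirm that it is not already listed there. The matching hunk in h2o-9999.ebuild has the same gap.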
@@ -50,6 +55,10 @@ src_prepare() {
 	sed -i \
 		-e "s: ruby: ${ruby}:" \
 		CMakeLists.txt
+
+	sed -i "s:pkg-config:$(tc-getPKG_CONFIG):g" deps/mruby/lib/mruby/gem.rb
+	tc-export CC
+	export LD="$(tc-getCC)"
 }
 
 src_configure() {
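Review bot: The new `sed -i "s:pkg-config:$(tc-getPKG_CONFIG):g" deps/mruby/lib/mruby/gem.rb` has no `|| die`, so if upstream moves that file the sed fails and the ebuild carries on. mruby's gem search would then call whichever `pkg-config` is first on PATH instead of the toolchain's; append `|| die` to the command. `export LD="$(tc-getCC)"` is surprising enough to need a comment, something like `# mruby's rake build uses LD as the link driver, so point it at the compiler`. That rationale is inferred from the change and should be confirmed. `src_prepare` begins above the hunk, and the h2o-9999.ebuild hunk adds the same lines.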
diff --git a/www-servers/h2o/h2o-9999.ebuild b/www-servers/h2o/h2o-9999.ebuild
index 0d21e4e8bee..89f63062ca9 100644
--- a/www-servers/h2o/h2o-9999.ebuild
+++ b/www-servers/h2o/h2o-9999.ebuild
@@ -5,7 +5,7 @@ EAPI="6"
 CMAKE_MAKEFILE_GENERATOR="emake"
 USE_RUBY="ruby23 ruby24"
 
-inherit cmake-utils git-r3 ruby-single systemd user
+inherit cmake-utils git-r3 ruby-single systemd toolchain-funcs user
 
 DESCRIPTION="H2O - the optimized HTTP/1, HTTP/2 server"
 HOMEPAGE="https://h2o.examp1e.net/"
@@ -22,10 +22,14 @@ RDEPEND="dev-lang/perl
 	libressl? ( dev-libs/libressl:0= )"
 DEPEND="${RDEPEND}
 	mruby? (
-		sys-devel/bison
 		${RUBY_DEPS}
+		dev-libs/oniguruma
+		sys-devel/bison
+		virtual/pkgconfig
 	)"
 
+PATCHES=( "${FILESDIR}"/${PN}-2.3-mruby.patch )
+
 pkg_setup() {
 	enewgroup ${PN}
 	enewuser ${PN} -1 -1 -1 ${PN}
@@ -48,6 +52,10 @@ src_prepare() {
 	sed -i \
 		-e "s: ruby: ${ruby}:" \
 		CMakeLists.txt
+
+	sed -i "s:pkg-config:$(tc-getPKG_CONFIG):g" deps/mruby/lib/mruby/gem.rb
+	tc-export CC
+	export LD="$(tc-getCC)"
 }
 
 src_configure() {
* [gentoo-commits] repo/gentoo:master commit in: www-servers/h2o/files/, www-servers/h2o/
@ 2025-02-22  5:34 Akinori Hattori
From: Akinori Hattori @ 2025-02-22  5:34 UTC (permalink / raw
  To: gentoo-commits
commit:     9c80329b5b4c18d11ed8e72dc5eff6acfed5b664
Author:     Akinori Hattori <hattya <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 22 05:33:05 2025 +0000
Commit:     Akinori Hattori <hattya <AT> gentoo <DOT> org>
CommitDate: Sat Feb 22 05:33:05 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c80329b
www-servers/h2o: drop old
Bug: https://bugs.gentoo.org/919882
Signed-off-by: Akinori Hattori <hattya <AT> gentoo.org>
 www-servers/h2o/Manifest                           |   1 -
 www-servers/h2o/files/h2o-2.2-CVE-2023-44487.patch | 225 ---------------------
 www-servers/h2o/files/h2o-2.2-libressl.patch       |  54 -----
 www-servers/h2o/files/h2o-2.2-mruby.patch          |  57 ------
 www-servers/h2o/files/h2o-2.2-ruby30.patch         |  63 ------
 www-servers/h2o/h2o-2.2.6-r2.ebuild                | 107 ----------
 6 files changed, 507 deletions(-)
diff --git a/www-servers/h2o/Manifest b/www-servers/h2o/Manifest
index 6355ee2a3d76..105f74f90e99 100644
--- a/www-servers/h2o/Manifest
+++ b/www-servers/h2o/Manifest
@@ -1,3 +1,2 @@
-DIST h2o-2.2.6.tar.gz 16257760 BLAKE2B 8474751ca9832ddae2022710654ca58a93ebf9ca01afe934950209b04357b7548b05c598c49fe92684b2910fd6309d6fc3923a0b01cdeeb4b0dc65b08842255f SHA512 f2f28905c01782a0432c9dfdb2f21054e0a4741ac4c5f26802d4b439d0172840aa215aba5dc7c9af62275dcc24de105674a3819384dc38246e43ce3e8263eb20
 DIST h2o-2.3.0_pre20241014.tar.gz 30845679 BLAKE2B 9c0d21f31770dd0591690ab8b2fc5e08052cf0aa40046e9bb03158907c05cfd8121bdb140f175172da3a0c8653a09d2729581017f6cc20a53c0bbb534db6263b SHA512 d4d3cdf8553f8583fe3dd7fe9f34e055f0cef39a8c0fa370e837afbe11a7ff9fa0e907a2edf014ec494b663a6216f643daca19a1c23ff163a4c2514a45ccc706
 DIST h2o-2.3.0_pre20250130.tar.gz 30811885 BLAKE2B e40c59c9fc010412e613bd8059108f88b554131afd64a832c6e2db3ee0a9aa01b14451abee680d91b430a47550f32897dde367b86ee48397029d4b7890258e0e SHA512 3d855ed1571e11fb6b0ed3b0f85cd26a015448347423eb0b994f8803b23c73bf7b773b0d84b6a2b70f08c314496488ad02f358a2269478e86da18fc983c26ae1
diff --git a/www-servers/h2o/files/h2o-2.2-CVE-2023-44487.patch b/www-servers/h2o/files/h2o-2.2-CVE-2023-44487.patch
deleted file mode 100644
index 71a511ac9ed2..000000000000
--- a/www-servers/h2o/files/h2o-2.2-CVE-2023-44487.patch
+++ /dev/null
@@ -1,225 +0,0 @@
-https://github.com/h2o/h2o/pull/3293
-
-From 770208bbe3955c47e005a1e8cb08266e4a8dfc9a Mon Sep 17 00:00:00 2001
-From: Remi Gacogne <remi.gacogne@powerdns.com>
-Date: Tue, 10 Oct 2023 15:47:57 +0200
-Subject: [PATCH] [http2] delay processing requests upon observing suspicious
- behavior
-
-Backport of 94fbc54b6c9309912fe3d53e7b63408bbe9a1b0d to v2.2.x
----
- include/h2o.h                |  8 +++++++
- include/h2o/http2_internal.h |  8 +++++++
- lib/core/config.c            |  1 +
- lib/core/configurator.c      |  9 ++++++++
- lib/core/context.c           |  2 ++
- lib/http2/connection.c       | 41 ++++++++++++++++++++++++++++++++----
- 6 files changed, 65 insertions(+), 4 deletions(-)
-
-diff --git a/include/h2o.h b/include/h2o.h
-index 57877bd12c..409cd5c21c 100644
---- a/include/h2o.h
-+++ b/include/h2o.h
-@@ -378,6 +378,10 @@ struct st_h2o_globalconf_t {
-          * list of callbacks
-          */
-         h2o_protocol_callbacks_t callbacks;
-+        /**
-+         * milliseconds to delay processing requests when suspicious behavior is detected
-+         */
-+        uint64_t dos_delay;
-     } http2;
- 
-     struct {
-@@ -590,6 +594,10 @@ struct st_h2o_context_t {
-          * timeout entry used for graceful shutdown
-          */
-         h2o_timeout_entry_t _graceful_shutdown_timeout;
-+        /*
-+         * dos timeout
-+         */
-+        h2o_timeout_t dos_delay_timeout;
-         struct {
-             /**
-              * counter for http2 errors internally emitted by h2o
-diff --git a/include/h2o/http2_internal.h b/include/h2o/http2_internal.h
-index 5cfc4d8204..b9cf400929 100644
---- a/include/h2o/http2_internal.h
-+++ b/include/h2o/http2_internal.h
-@@ -179,6 +179,7 @@ struct st_h2o_http2_stream_t {
-         h2o_linklist_t link;
-         h2o_http2_scheduler_openref_t scheduler;
-     } _refs;
-+    unsigned reset_by_peer : 1;
-     h2o_send_state_t send_state; /* state of the ostream, only used in push mode */
-     /* placed at last since it is large and has it's own ctor */
-     h2o_req_t req;
-@@ -232,6 +233,13 @@ struct st_h2o_http2_conn_t {
-     } _write;
-     h2o_cache_t *push_memo;
-     h2o_http2_casper_t *casper;
-+    /**
-+     * DoS mitigation; the idea here is to delay processing requests when observing suspicious behavior
-+     */
-+    struct {
-+        h2o_timeout_entry_t process_delay;
-+        size_t reset_budget; /* RST_STREAM frames are considered suspicious when this value goes down to zero */
-+    } dos_mitigation;
- };
- 
- int h2o_http2_update_peer_settings(h2o_http2_settings_t *settings, const uint8_t *src, size_t len, const char **err_desc);
-diff --git a/lib/core/config.c b/lib/core/config.c
-index ce1d320183..08e43a6d30 100644
---- a/lib/core/config.c
-+++ b/lib/core/config.c
-@@ -189,6 +189,7 @@ void h2o_config_init(h2o_globalconf_t *config)
-     config->http2.latency_optimization.min_rtt = 50; // milliseconds
-     config->http2.latency_optimization.max_additional_delay = 10;
-     config->http2.latency_optimization.max_cwnd = 65535;
-+    config->http2.dos_delay = 100; /* 100ms processing delay when observing suspicious behavior */
-     config->http2.callbacks = H2O_HTTP2_CALLBACKS;
-     config->mimemap = h2o_mimemap_create();
- 
-diff --git a/lib/core/configurator.c b/lib/core/configurator.c
-index 891770cc2d..4731ba2707 100644
---- a/lib/core/configurator.c
-+++ b/lib/core/configurator.c
-@@ -531,6 +531,12 @@ static int on_config_http2_casper(h2o_configurator_command_t *cmd, h2o_configura
-     return 0;
- }
- 
-+
-+static int on_config_http2_dos_delay(h2o_configurator_command_t *cmd, h2o_configurator_context_t *ctx, yoml_t *node)
-+{
-+    return config_timeout(cmd, node, &ctx->globalconf->http2.dos_delay);
-+}
-+
- static int assert_is_mimetype(h2o_configurator_command_t *cmd, yoml_t *node)
- {
-     if (node->type != YOML_TYPE_SCALAR) {
-@@ -910,6 +916,9 @@ void h2o_configurator__init_core(h2o_globalconf_t *conf)
-                                         on_config_http2_push_preload);
-         h2o_configurator_define_command(&c->super, "http2-casper", H2O_CONFIGURATOR_FLAG_GLOBAL | H2O_CONFIGURATOR_FLAG_HOST,
-                                         on_config_http2_casper);
-+        h2o_configurator_define_command(&c->super, "http2-dos-delay",
-+                                        H2O_CONFIGURATOR_FLAG_GLOBAL | H2O_CONFIGURATOR_FLAG_EXPECT_SCALAR,
-+                                        on_config_http2_dos_delay);
-         h2o_configurator_define_command(&c->super, "file.mime.settypes",
-                                         (H2O_CONFIGURATOR_FLAG_ALL_LEVELS & ~H2O_CONFIGURATOR_FLAG_EXTENSION) |
-                                             H2O_CONFIGURATOR_FLAG_EXPECT_MAPPING,
-diff --git a/lib/core/context.c b/lib/core/context.c
-index 8d11013810..ac4b0aaf08 100644
---- a/lib/core/context.c
-+++ b/lib/core/context.c
-@@ -101,6 +101,7 @@ void h2o_context_init(h2o_context_t *ctx, h2o_loop_t *loop, h2o_globalconf_t *co
-     h2o_linklist_init_anchor(&ctx->http1._conns);
-     h2o_timeout_init(ctx->loop, &ctx->http2.idle_timeout, config->http2.idle_timeout);
-     h2o_timeout_init(ctx->loop, &ctx->http2.graceful_shutdown_timeout, config->http2.graceful_shutdown_timeout);
-+    h2o_timeout_init(ctx->loop, &ctx->http2.dos_delay_timeout, config->http2.dos_delay);
-     h2o_linklist_init_anchor(&ctx->http2._conns);
-     ctx->proxy.client_ctx.loop = loop;
-     h2o_timeout_init(ctx->loop, &ctx->proxy.io_timeout, config->proxy.io_timeout);
-@@ -146,6 +147,7 @@ void h2o_context_dispose(h2o_context_t *ctx)
-     h2o_timeout_dispose(ctx->loop, &ctx->http1.req_timeout);
-     h2o_timeout_dispose(ctx->loop, &ctx->http2.idle_timeout);
-     h2o_timeout_dispose(ctx->loop, &ctx->http2.graceful_shutdown_timeout);
-+    h2o_timeout_dispose(ctx->loop, &ctx->http2.dos_delay_timeout);
-     h2o_timeout_dispose(ctx->loop, &ctx->proxy.io_timeout);
-     /* what should we do here? assert(!h2o_linklist_is_empty(&ctx->http2._conns); */
- 
-diff --git a/lib/http2/connection.c b/lib/http2/connection.c
-index e2da293043..4910e33098 100644
---- a/lib/http2/connection.c
-+++ b/lib/http2/connection.c
-@@ -161,7 +161,6 @@ static void update_idle_timeout(h2o_http2_conn_t *conn)
-     h2o_timeout_unlink(&conn->_timeout_entry);
- 
-     if (conn->num_streams.pull.half_closed + conn->num_streams.push.half_closed == 0) {
--        assert(h2o_linklist_is_empty(&conn->_pending_reqs));
-         conn->_timeout_entry.cb = on_idle_timeout;
-         h2o_timeout_link(conn->super.ctx->loop, &conn->super.ctx->http2.idle_timeout, &conn->_timeout_entry);
-     }
-@@ -175,6 +174,9 @@ static int can_run_requests(h2o_http2_conn_t *conn)
- 
- static void run_pending_requests(h2o_http2_conn_t *conn)
- {
-+    if (h2o_timeout_is_linked(&conn->dos_mitigation.process_delay))
-+        return;
-+
-     while (!h2o_linklist_is_empty(&conn->_pending_reqs) && can_run_requests(conn)) {
-         /* fetch and detach a pending stream */
-         h2o_http2_stream_t *stream = H2O_STRUCT_FROM_MEMBER(h2o_http2_stream_t, _refs.link, conn->_pending_reqs.next);
-@@ -226,6 +228,16 @@ void h2o_http2_conn_unregister_stream(h2o_http2_conn_t *conn, h2o_http2_stream_t
-     assert(h2o_http2_scheduler_is_open(&stream->_refs.scheduler));
-     h2o_http2_scheduler_close(&stream->_refs.scheduler);
- 
-+    /* Decrement reset_budget if the stream was reset by peer, otherwise increment. By doing so, we penalize connections that
-+     * generate resets for >50% of requests. */
-+    if (stream->reset_by_peer) {
-+        if (conn->dos_mitigation.reset_budget > 0)
-+            --conn->dos_mitigation.reset_budget;
-+    } else {
-+        if (conn->dos_mitigation.reset_budget < conn->super.ctx->globalconf->http2.max_concurrent_requests_per_connection)
-+            ++conn->dos_mitigation.reset_budget;
-+    }
-+
-     switch (stream->state) {
-     case H2O_HTTP2_STREAM_STATE_IDLE:
-     case H2O_HTTP2_STREAM_STATE_RECV_HEADERS:
-@@ -272,6 +284,8 @@ void close_connection_now(h2o_http2_conn_t *conn)
-     h2o_hpack_dispose_header_table(&conn->_output_header_table);
-     assert(h2o_linklist_is_empty(&conn->_pending_reqs));
-     h2o_timeout_unlink(&conn->_timeout_entry);
-+    if (h2o_timeout_is_linked(&conn->dos_mitigation.process_delay))
-+        h2o_timeout_unlink(&conn->dos_mitigation.process_delay);
-     h2o_buffer_dispose(&conn->_write.buf);
-     if (conn->_write.buf_in_flight != NULL)
-         h2o_buffer_dispose(&conn->_write.buf_in_flight);
-@@ -797,11 +811,19 @@ static int handle_rst_stream_frame(h2o_http2_conn_t *conn, h2o_http2_frame_t *fr
-         return H2O_HTTP2_ERROR_PROTOCOL;
-     }
- 
--    stream = h2o_http2_conn_get_stream(conn, frame->stream_id);
--    if (stream != NULL) {
-+    if ((stream = h2o_http2_conn_get_stream(conn, frame->stream_id)) == NULL)
-+        return 0;
-+
-         /* reset the stream */
-+    stream->reset_by_peer = 1;
-         h2o_http2_stream_reset(conn, stream);
--    }
-+
-+    /* setup process delay if we've just ran out of reset budget */
-+    if (conn->dos_mitigation.reset_budget == 0 && conn->super.ctx->globalconf->http2.dos_delay != 0 &&
-+        !h2o_timeout_is_linked(&conn->dos_mitigation.process_delay))
-+        h2o_timeout_link(conn->super.ctx->loop, &conn->super.ctx->http2.dos_delay_timeout,
-+                       &conn->dos_mitigation.process_delay);
-+
-     /* TODO log */
- 
-     return 0;
-@@ -1204,6 +1226,14 @@ static h2o_iovec_t log_priority_actual_weight(h2o_req_t *req)
-     return h2o_iovec_init(s, len);
- }
- 
-+static void on_dos_process_delay(h2o_timeout_entry_t *timer)
-+{
-+    h2o_http2_conn_t *conn = H2O_STRUCT_FROM_MEMBER(h2o_http2_conn_t, dos_mitigation.process_delay, timer);
-+
-+    assert(!h2o_timeout_is_linked(&conn->dos_mitigation.process_delay));
-+    run_pending_requests(conn);
-+}
-+
- static h2o_http2_conn_t *create_conn(h2o_context_t *ctx, h2o_hostconf_t **hosts, h2o_socket_t *sock, struct timeval connected_at)
- {
-     static const h2o_conn_callbacks_t callbacks = {
-@@ -1240,6 +1270,9 @@ static h2o_http2_conn_t *create_conn(h2o_context_t *ctx, h2o_hostconf_t **hosts,
-     conn->_write.timeout_entry.cb = emit_writereq;
-     h2o_http2_window_init(&conn->_write.window, &conn->peer_settings);
- 
-+    conn->dos_mitigation.process_delay.cb = on_dos_process_delay;
-+    conn->dos_mitigation.reset_budget = conn->super.ctx->globalconf->http2.max_concurrent_requests_per_connection;
-+
-     return conn;
- }
- 
diff --git a/www-servers/h2o/files/h2o-2.2-libressl.patch b/www-servers/h2o/files/h2o-2.2-libressl.patch
deleted file mode 100644
index 59aca8df8550..000000000000
--- a/www-servers/h2o/files/h2o-2.2-libressl.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-https://bugs.gentoo.org/903001
-https://github.com/h2o/neverbleed/pull/51
-https://github.com/h2o/neverbleed/commit/e1005c16e11b2ca358c86df2a4226632a2992d55
-https://github.com/h2o/h2o/pull/3214
-https://github.com/h2o/h2o/commit/83f89f2fe7c5399b88386a940b2a675742478aca
-https://github.com/h2o/h2o/pull/2062
-https://github.com/h2o/h2o/commit/e61e9c8296e894a479268d041985e65433c17e67
-
-From 81494ee75e8f533c9fbf841d0dfe83f8eeba7bbd Mon Sep 17 00:00:00 2001
-From: Kazuho Oku <kazuhooku@gmail.com>
-Date: Mon, 13 Mar 2023 18:56:12 +0900
-Subject: [PATCH] libressl 3.5 and above have opaque RSA struct
-
----
- deps/neverbleed/neverbleed.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/neverbleed.c b/neverbleed.c
-index d7cd979..74d7aa3 100644
---- a/deps/neverbleed/neverbleed.c
-+++ b/deps/neverbleed/neverbleed.c
-@@ -45,7 +45,7 @@
- #endif
- #include "neverbleed.h"
- 
--#if (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x1010000fL)
-+#if defined(LIBRESSL_VERSION_NUMBER) ? LIBRESSL_VERSION_NUMBER >= 0x3050000fL : OPENSSL_VERSION_NUMBER >= 0x1010000fL
- #define OPENSSL_1_1_API 1
- #else
- #define OPENSSL_1_1_API 0
-Silence compiler warning. The get_session_cb has had const since LibreSSL 2.8.
-
-From b408b9e015627394003a04577dd7ee7e870d1797 Mon Sep 17 00:00:00 2001
-From: David Carlier <devnexen@gmail.com>
-Date: Thu, 30 May 2019 15:05:44 +0100
-Subject: [PATCH] LibreSSL little build warning fix proposal
-
----
- lib/common/socket.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/common/socket.c b/lib/common/socket.c
-index 172b75026f..45c18591b7 100644
---- a/lib/common/socket.c
-+++ b/lib/common/socket.c
-@@ -946,7 +946,7 @@ static void create_ossl(h2o_socket_t *sock)
- }
- 
- static SSL_SESSION *on_async_resumption_get(SSL *ssl,
--#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
-+#if !defined(LIBRESSL_VERSION_NUMBER) ? OPENSSL_VERSION_NUMBER >= 0x1010000fL : LIBRESSL_VERSION_NUMBER > 0x2070000f
-                                             const
- #endif
-                                             unsigned char *data,
diff --git a/www-servers/h2o/files/h2o-2.2-mruby.patch b/www-servers/h2o/files/h2o-2.2-mruby.patch
deleted file mode 100644
index 92e7a8e7f1d7..000000000000
--- a/www-servers/h2o/files/h2o-2.2-mruby.patch
+++ /dev/null
@@ -1,57 +0,0 @@
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -157,6 +157,19 @@
-     SET(WSLAY_LIBRARIES -lwslay)
- ENDIF (NOT WSLAY_FOUND)
- 
-+IF (PKG_CONFIG_FOUND)
-+    PKG_CHECK_MODULES(ONIG onigmo)
-+    IF (NOT ONIG_FOUND)
-+	PKG_CHECK_MODULES(ONIG oniguruma)
-+    ENDIF (NOT ONIG_FOUND)
-+    IF (ONIG_FOUND)
-+        LINK_DIRECTORIES(${ONIG_LIBRARY_DIRS})
-+    ENDIF (ONIG_FOUND)
-+ENDIF (PKG_CONFIG_FOUND)
-+IF (NOT ONIG_FOUND AND WITH_MRUBY)
-+    MESSAGE(FATAL_ERROR "Onigmo/Oniguruma not found")
-+ENDIF (NOT ONIG_FOUND AND WITH_MRUBY)
-+
- IF (ZLIB_FOUND)
-     INCLUDE_DIRECTORIES(${ZLIB_INCLUDE_DIRS})
-     LINK_DIRECTORIES(${ZLIB_LIBRARY_DIRS})
-@@ -460,7 +473,7 @@
-     ELSE ()
-         SET(MRUBY_TOOLCHAIN "gcc")
-     ENDIF ()
--    ADD_CUSTOM_TARGET(mruby MRUBY_TOOLCHAIN=${MRUBY_TOOLCHAIN} MRUBY_CONFIG=${CMAKE_CURRENT_SOURCE_DIR}/misc/mruby_config.rb MRUBY_BUILD_DIR=${CMAKE_CURRENT_BINARY_DIR}/mruby ruby minirake
-+    ADD_CUSTOM_TARGET(mruby MRUBY_TOOLCHAIN=${MRUBY_TOOLCHAIN} MRUBY_CONFIG=${CMAKE_CURRENT_SOURCE_DIR}/misc/mruby_config.rb MRUBY_BUILD_DIR=${CMAKE_CURRENT_BINARY_DIR}/mruby ruby minirake -v
-         WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/deps/mruby)
-     LIST(APPEND STANDALONE_SOURCE_FILES
-         lib/handler/mruby.c
-@@ -491,7 +504,7 @@
-     # note: the paths need to be determined before libmruby.flags.mak is generated
-     TARGET_LINK_LIBRARIES(h2o
-         "${CMAKE_CURRENT_BINARY_DIR}/mruby/host/lib/libmruby.a"
--        "${CMAKE_CURRENT_BINARY_DIR}/mruby/host/mrbgems/mruby-onig-regexp/onigmo-6.1.1/.libs/libonigmo.a"
-+        ${ONIG_LIBRARIES}
-         "m")
-     ADD_DEPENDENCIES(h2o mruby)
- ENDIF (WITH_MRUBY)
---- a/misc/mruby_config.rb
-+++ b/misc/mruby_config.rb
-@@ -15,13 +15,7 @@
-   # use mrbgems
-   Dir.glob("../mruby-*/mrbgem.rake") do |x|
-     g = File.basename File.dirname x
--    if g == 'mruby-onig-regexp'
--      conf.gem "../deps/#{g}" do |c|
--        c.bundle_onigmo
--      end
--    else
--      conf.gem "../deps/#{g}"
--    end
-+    conf.gem "../deps/#{g}"
-   end
- 
-   # include all the core GEMs
diff --git a/www-servers/h2o/files/h2o-2.2-ruby30.patch b/www-servers/h2o/files/h2o-2.2-ruby30.patch
deleted file mode 100644
index 47692d68bba5..000000000000
--- a/www-servers/h2o/files/h2o-2.2-ruby30.patch
+++ /dev/null
@@ -1,63 +0,0 @@
---- a/deps/mruby/Rakefile
-+++ b/deps/mruby/Rakefile
-@@ -37,15 +37,15 @@
- task :default => :all
- 
- bin_path = ENV['INSTALL_DIR'] || "#{MRUBY_ROOT}/bin"
--FileUtils.mkdir_p bin_path, { :verbose => $verbose }
-+FileUtils.mkdir_p bin_path, :verbose => $verbose
- 
- depfiles = MRuby.targets['host'].bins.map do |bin|
-   install_path = MRuby.targets['host'].exefile("#{bin_path}/#{bin}")
-   source_path = MRuby.targets['host'].exefile("#{MRuby.targets['host'].build_dir}/bin/#{bin}")
- 
-   file install_path => source_path do |t|
--    FileUtils.rm_f t.name, { :verbose => $verbose }
--    FileUtils.cp t.prerequisites.first, t.name, { :verbose => $verbose }
-+    FileUtils.rm_f t.name, :verbose => $verbose
-+    FileUtils.cp t.prerequisites.first, t.name, :verbose => $verbose
-   end
- 
-   install_path
-@@ -78,8 +78,8 @@
-         install_path = MRuby.targets['host'].exefile("#{bin_path}/#{bin}")
- 
-         file install_path => exec do |t|
--          FileUtils.rm_f t.name, { :verbose => $verbose }
--          FileUtils.cp t.prerequisites.first, t.name, { :verbose => $verbose }
-+          FileUtils.rm_f t.name, :verbose => $verbose
-+          FileUtils.cp t.prerequisites.first, t.name, :verbose => $verbose
-         end
-         depfiles += [ install_path ]
-       elsif target == MRuby.targets['host-debug']
-@@ -87,8 +87,8 @@
-           install_path = MRuby.targets['host-debug'].exefile("#{bin_path}/#{bin}")
- 
-           file install_path => exec do |t|
--            FileUtils.rm_f t.name, { :verbose => $verbose }
--            FileUtils.cp t.prerequisites.first, t.name, { :verbose => $verbose }
-+            FileUtils.rm_f t.name, :verbose => $verbose
-+            FileUtils.cp t.prerequisites.first, t.name, :verbose => $verbose
-           end
-           depfiles += [ install_path ]
-         end
-@@ -127,16 +127,16 @@
- desc "clean all built and in-repo installed artifacts"
- task :clean do
-   MRuby.each_target do |t|
--    FileUtils.rm_rf t.build_dir, { :verbose => $verbose }
-+    FileUtils.rm_rf t.build_dir, :verbose => $verbose
-   end
--  FileUtils.rm_f depfiles, { :verbose => $verbose }
-+  FileUtils.rm_f depfiles, :verbose => $verbose
-   puts "Cleaned up target build folder"
- end
- 
- desc "clean everything!"
- task :deep_clean => ["clean"] do
-   MRuby.each_target do |t|
--    FileUtils.rm_rf t.gem_clone_dir, { :verbose => $verbose }
-+    FileUtils.rm_rf t.gem_clone_dir, :verbose => $verbose
-   end
-   puts "Cleaned up mrbgems build folder"
- end
diff --git a/www-servers/h2o/h2o-2.2.6-r2.ebuild b/www-servers/h2o/h2o-2.2.6-r2.ebuild
deleted file mode 100644
index 45ad42c87a40..000000000000
--- a/www-servers/h2o/h2o-2.2.6-r2.ebuild
+++ /dev/null
@@ -1,107 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="8"
-CMAKE_MAKEFILE_GENERATOR="emake"
-SSL_DEPS_SKIP=1
-USE_RUBY="ruby31 ruby32"
-
-inherit cmake ruby-single ssl-cert systemd toolchain-funcs
-
-DESCRIPTION="H2O - the optimized HTTP/1, HTTP/2 server"
-HOMEPAGE="https://h2o.examp1e.net/"
-SRC_URI="https://github.com/${PN}/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
-
-LICENSE="MIT"
-SLOT="0"
-KEYWORDS="amd64 x86"
-IUSE="libh2o +mruby"
-
-RDEPEND="acct-group/h2o
-	acct-user/h2o
-	dev-lang/perl
-	dev-libs/openssl:0=
-	!sci-libs/libh2o
-	sys-libs/zlib
-	libh2o? ( dev-libs/libuv )"
-DEPEND="${RDEPEND}
-	mruby? (
-		${RUBY_DEPS}
-		|| (
-			dev-libs/onigmo
-			dev-libs/oniguruma
-		)
-	)"
-BDEPEND="libh2o? ( virtual/pkgconfig )
-	mruby? (
-		app-alternatives/yacc
-		virtual/pkgconfig
-	)"
-
-PATCHES=(
-	"${FILESDIR}"/${PN}-2.2-libressl.patch #903001
-	"${FILESDIR}"/${PN}-2.2-mruby.patch
-	"${FILESDIR}"/${PN}-2.2-ruby30.patch
-	"${FILESDIR}"/${PN}-2.2-CVE-2023-44487.patch
-)
-
-src_prepare() {
-	cmake_src_prepare
-
-	local ruby="ruby"
-	if use mruby; then
-		for ruby in ${RUBY_TARGETS_PREFERENCE}; do
-			if has_version dev-lang/ruby:${ruby:4:1}.${ruby:5}; then
-				break
-			fi
-			ruby=
-		done
-		[[ -z ${ruby} ]] && die "no suitable ruby version found"
-	fi
-
-	sed -i \
-		-e "/INSTALL/s:\(/doc/${PN}\) :\1/html :" \
-		-e "/INSTALL/s:\(/doc\)/${PN}:\1/${PF}:" \
-		-e "s: ruby: ${ruby}:" \
-		CMakeLists.txt
-
-	sed -i "s:pkg-config:$(tc-getPKG_CONFIG):g" deps/mruby/lib/mruby/gem.rb
-	tc-export CC
-	export LD="$(tc-getCC)"
-}
-
-src_configure() {
-	local mycmakeargs=(
-		-DCMAKE_INSTALL_SYSCONFDIR="${EPREFIX}"/etc/${PN}
-		-DWITH_MRUBY=$(usex mruby)
-		-DWITHOUT_LIBS=$(usex !libh2o)
-		-DBUILD_SHARED_LIBS=$(usex libh2o)
-	)
-	cmake_src_configure
-}
-
-src_install() {
-	cmake_src_install
-
-	keepdir /var/www/localhost/htdocs
-
-	insinto /etc/${PN}
-	doins "${FILESDIR}"/${PN}.conf
-
-	newinitd "${FILESDIR}"/${PN}.initd ${PN}
-	systemd_dounit "${FILESDIR}"/${PN}.service
-
-	insinto /etc/logrotate.d
-	newins "${FILESDIR}"/${PN}.logrotate ${PN}
-
-	keepdir /var/log/${PN}
-	fowners ${PN}:${PN} /var/log/${PN}
-	fperms 0750 /var/log/${PN}
-}
-
-pkg_postinst() {
-	if [[ ! -f "${EROOT}"/etc/ssl/${PN}/server.key ]]; then
-		install_cert /etc/ssl/${PN}/server
-		chown ${PN}:${PN} "${EROOT}"/etc/ssl/${PN}/server.*
-	fi
-}
* [gentoo-commits] repo/gentoo:master commit in: www-servers/h2o/files/, www-servers/h2o/
@ 2023-10-22 13:44 Akinori Hattori
From: Akinori Hattori @ 2023-10-22 13:44 UTC (permalink / raw
  To: gentoo-commits
commit:     24f20ce718815bfd0a2db32f9fb116ec81a9e58c
Author:     Akinori Hattori <hattya <AT> gentoo <DOT> org>
AuthorDate: Sun Oct 22 13:38:38 2023 +0000
Commit:     Akinori Hattori <hattya <AT> gentoo <DOT> org>
CommitDate: Sun Oct 22 13:38:38 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24f20ce7
www-servers/h2o: fix CVE-2023-44487
Bug: https://bugs.gentoo.org/915567
Signed-off-by: Akinori Hattori <hattya <AT> gentoo.org>
 www-servers/h2o/files/h2o-2.2-CVE-2023-44487.patch | 225 +++++++++++++++++++++
 www-servers/h2o/h2o-2.2.6-r2.ebuild                | 107 ++++++++++
 2 files changed, 332 insertions(+)
diff --git a/www-servers/h2o/files/h2o-2.2-CVE-2023-44487.patch b/www-servers/h2o/files/h2o-2.2-CVE-2023-44487.patch
new file mode 100644
index 000000000000..71a511ac9ed2
--- /dev/null
+++ b/www-servers/h2o/files/h2o-2.2-CVE-2023-44487.patch
@@ -0,0 +1,225 @@
+https://github.com/h2o/h2o/pull/3293
+
+From 770208bbe3955c47e005a1e8cb08266e4a8dfc9a Mon Sep 17 00:00:00 2001
+From: Remi Gacogne <remi.gacogne@powerdns.com>
+Date: Tue, 10 Oct 2023 15:47:57 +0200
+Subject: [PATCH] [http2] delay processing requests upon observing suspicious
+ behavior
+
+Backport of 94fbc54b6c9309912fe3d53e7b63408bbe9a1b0d to v2.2.x
+---
+ include/h2o.h                |  8 +++++++
+ include/h2o/http2_internal.h |  8 +++++++
+ lib/core/config.c            |  1 +
+ lib/core/configurator.c      |  9 ++++++++
+ lib/core/context.c           |  2 ++
+ lib/http2/connection.c       | 41 ++++++++++++++++++++++++++++++++----
+ 6 files changed, 65 insertions(+), 4 deletions(-)
+
+diff --git a/include/h2o.h b/include/h2o.h
+index 57877bd12c..409cd5c21c 100644
+--- a/include/h2o.h
++++ b/include/h2o.h
+@@ -378,6 +378,10 @@ struct st_h2o_globalconf_t {
+          * list of callbacks
+          */
+         h2o_protocol_callbacks_t callbacks;
++        /**
++         * milliseconds to delay processing requests when suspicious behavior is detected
++         */
++        uint64_t dos_delay;
+     } http2;
+ 
+     struct {
+@@ -590,6 +594,10 @@ struct st_h2o_context_t {
+          * timeout entry used for graceful shutdown
+          */
+         h2o_timeout_entry_t _graceful_shutdown_timeout;
++        /*
++         * dos timeout
++         */
++        h2o_timeout_t dos_delay_timeout;
+         struct {
+             /**
+              * counter for http2 errors internally emitted by h2o
+diff --git a/include/h2o/http2_internal.h b/include/h2o/http2_internal.h
+index 5cfc4d8204..b9cf400929 100644
+--- a/include/h2o/http2_internal.h
++++ b/include/h2o/http2_internal.h
+@@ -179,6 +179,7 @@ struct st_h2o_http2_stream_t {
+         h2o_linklist_t link;
+         h2o_http2_scheduler_openref_t scheduler;
+     } _refs;
++    unsigned reset_by_peer : 1;
+     h2o_send_state_t send_state; /* state of the ostream, only used in push mode */
+     /* placed at last since it is large and has it's own ctor */
+     h2o_req_t req;
+@@ -232,6 +233,13 @@ struct st_h2o_http2_conn_t {
+     } _write;
+     h2o_cache_t *push_memo;
+     h2o_http2_casper_t *casper;
++    /**
++     * DoS mitigation; the idea here is to delay processing requests when observing suspicious behavior
++     */
++    struct {
++        h2o_timeout_entry_t process_delay;
++        size_t reset_budget; /* RST_STREAM frames are considered suspicious when this value goes down to zero */
++    } dos_mitigation;
+ };
+ 
+ int h2o_http2_update_peer_settings(h2o_http2_settings_t *settings, const uint8_t *src, size_t len, const char **err_desc);
+diff --git a/lib/core/config.c b/lib/core/config.c
+index ce1d320183..08e43a6d30 100644
+--- a/lib/core/config.c
++++ b/lib/core/config.c
+@@ -189,6 +189,7 @@ void h2o_config_init(h2o_globalconf_t *config)
+     config->http2.latency_optimization.min_rtt = 50; // milliseconds
+     config->http2.latency_optimization.max_additional_delay = 10;
+     config->http2.latency_optimization.max_cwnd = 65535;
++    config->http2.dos_delay = 100; /* 100ms processing delay when observing suspicious behavior */
+     config->http2.callbacks = H2O_HTTP2_CALLBACKS;
+     config->mimemap = h2o_mimemap_create();
+ 
+diff --git a/lib/core/configurator.c b/lib/core/configurator.c
+index 891770cc2d..4731ba2707 100644
+--- a/lib/core/configurator.c
++++ b/lib/core/configurator.c
+@@ -531,6 +531,12 @@ static int on_config_http2_casper(h2o_configurator_command_t *cmd, h2o_configura
+     return 0;
+ }
+ 
++
++static int on_config_http2_dos_delay(h2o_configurator_command_t *cmd, h2o_configurator_context_t *ctx, yoml_t *node)
++{
++    return config_timeout(cmd, node, &ctx->globalconf->http2.dos_delay);
++}
++
+ static int assert_is_mimetype(h2o_configurator_command_t *cmd, yoml_t *node)
+ {
+     if (node->type != YOML_TYPE_SCALAR) {
+@@ -910,6 +916,9 @@ void h2o_configurator__init_core(h2o_globalconf_t *conf)
+                                         on_config_http2_push_preload);
+         h2o_configurator_define_command(&c->super, "http2-casper", H2O_CONFIGURATOR_FLAG_GLOBAL | H2O_CONFIGURATOR_FLAG_HOST,
+                                         on_config_http2_casper);
++        h2o_configurator_define_command(&c->super, "http2-dos-delay",
++                                        H2O_CONFIGURATOR_FLAG_GLOBAL | H2O_CONFIGURATOR_FLAG_EXPECT_SCALAR,
++                                        on_config_http2_dos_delay);
+         h2o_configurator_define_command(&c->super, "file.mime.settypes",
+                                         (H2O_CONFIGURATOR_FLAG_ALL_LEVELS & ~H2O_CONFIGURATOR_FLAG_EXTENSION) |
+                                             H2O_CONFIGURATOR_FLAG_EXPECT_MAPPING,
+diff --git a/lib/core/context.c b/lib/core/context.c
+index 8d11013810..ac4b0aaf08 100644
+--- a/lib/core/context.c
++++ b/lib/core/context.c
+@@ -101,6 +101,7 @@ void h2o_context_init(h2o_context_t *ctx, h2o_loop_t *loop, h2o_globalconf_t *co
+     h2o_linklist_init_anchor(&ctx->http1._conns);
+     h2o_timeout_init(ctx->loop, &ctx->http2.idle_timeout, config->http2.idle_timeout);
+     h2o_timeout_init(ctx->loop, &ctx->http2.graceful_shutdown_timeout, config->http2.graceful_shutdown_timeout);
++    h2o_timeout_init(ctx->loop, &ctx->http2.dos_delay_timeout, config->http2.dos_delay);
+     h2o_linklist_init_anchor(&ctx->http2._conns);
+     ctx->proxy.client_ctx.loop = loop;
+     h2o_timeout_init(ctx->loop, &ctx->proxy.io_timeout, config->proxy.io_timeout);
+@@ -146,6 +147,7 @@ void h2o_context_dispose(h2o_context_t *ctx)
+     h2o_timeout_dispose(ctx->loop, &ctx->http1.req_timeout);
+     h2o_timeout_dispose(ctx->loop, &ctx->http2.idle_timeout);
+     h2o_timeout_dispose(ctx->loop, &ctx->http2.graceful_shutdown_timeout);
++    h2o_timeout_dispose(ctx->loop, &ctx->http2.dos_delay_timeout);
+     h2o_timeout_dispose(ctx->loop, &ctx->proxy.io_timeout);
+     /* what should we do here? assert(!h2o_linklist_is_empty(&ctx->http2._conns); */
+ 
+diff --git a/lib/http2/connection.c b/lib/http2/connection.c
+index e2da293043..4910e33098 100644
+--- a/lib/http2/connection.c
++++ b/lib/http2/connection.c
+@@ -161,7 +161,6 @@ static void update_idle_timeout(h2o_http2_conn_t *conn)
+     h2o_timeout_unlink(&conn->_timeout_entry);
+ 
+     if (conn->num_streams.pull.half_closed + conn->num_streams.push.half_closed == 0) {
+-        assert(h2o_linklist_is_empty(&conn->_pending_reqs));
+         conn->_timeout_entry.cb = on_idle_timeout;
+         h2o_timeout_link(conn->super.ctx->loop, &conn->super.ctx->http2.idle_timeout, &conn->_timeout_entry);
+     }
+@@ -175,6 +174,9 @@ static int can_run_requests(h2o_http2_conn_t *conn)
+ 
+ static void run_pending_requests(h2o_http2_conn_t *conn)
+ {
++    if (h2o_timeout_is_linked(&conn->dos_mitigation.process_delay))
++        return;
++
+     while (!h2o_linklist_is_empty(&conn->_pending_reqs) && can_run_requests(conn)) {
+         /* fetch and detach a pending stream */
+         h2o_http2_stream_t *stream = H2O_STRUCT_FROM_MEMBER(h2o_http2_stream_t, _refs.link, conn->_pending_reqs.next);
+@@ -226,6 +228,16 @@ void h2o_http2_conn_unregister_stream(h2o_http2_conn_t *conn, h2o_http2_stream_t
+     assert(h2o_http2_scheduler_is_open(&stream->_refs.scheduler));
+     h2o_http2_scheduler_close(&stream->_refs.scheduler);
+ 
++    /* Decrement reset_budget if the stream was reset by peer, otherwise increment. By doing so, we penalize connections that
++     * generate resets for >50% of requests. */
++    if (stream->reset_by_peer) {
++        if (conn->dos_mitigation.reset_budget > 0)
++            --conn->dos_mitigation.reset_budget;
++    } else {
++        if (conn->dos_mitigation.reset_budget < conn->super.ctx->globalconf->http2.max_concurrent_requests_per_connection)
++            ++conn->dos_mitigation.reset_budget;
++    }
++
+     switch (stream->state) {
+     case H2O_HTTP2_STREAM_STATE_IDLE:
+     case H2O_HTTP2_STREAM_STATE_RECV_HEADERS:
+@@ -272,6 +284,8 @@ void close_connection_now(h2o_http2_conn_t *conn)
+     h2o_hpack_dispose_header_table(&conn->_output_header_table);
+     assert(h2o_linklist_is_empty(&conn->_pending_reqs));
+     h2o_timeout_unlink(&conn->_timeout_entry);
++    if (h2o_timeout_is_linked(&conn->dos_mitigation.process_delay))
++        h2o_timeout_unlink(&conn->dos_mitigation.process_delay);
+     h2o_buffer_dispose(&conn->_write.buf);
+     if (conn->_write.buf_in_flight != NULL)
+         h2o_buffer_dispose(&conn->_write.buf_in_flight);
+@@ -797,11 +811,19 @@ static int handle_rst_stream_frame(h2o_http2_conn_t *conn, h2o_http2_frame_t *fr
+         return H2O_HTTP2_ERROR_PROTOCOL;
+     }
+ 
+-    stream = h2o_http2_conn_get_stream(conn, frame->stream_id);
+-    if (stream != NULL) {
++    if ((stream = h2o_http2_conn_get_stream(conn, frame->stream_id)) == NULL)
++        return 0;
++
+         /* reset the stream */
++    stream->reset_by_peer = 1;
+         h2o_http2_stream_reset(conn, stream);
+-    }
++
++    /* setup process delay if we've just ran out of reset budget */
++    if (conn->dos_mitigation.reset_budget == 0 && conn->super.ctx->globalconf->http2.dos_delay != 0 &&
++        !h2o_timeout_is_linked(&conn->dos_mitigation.process_delay))
++        h2o_timeout_link(conn->super.ctx->loop, &conn->super.ctx->http2.dos_delay_timeout,
++                       &conn->dos_mitigation.process_delay);
++
+     /* TODO log */
+ 
+     return 0;
+@@ -1204,6 +1226,14 @@ static h2o_iovec_t log_priority_actual_weight(h2o_req_t *req)
+     return h2o_iovec_init(s, len);
+ }
+ 
++static void on_dos_process_delay(h2o_timeout_entry_t *timer)
++{
++    h2o_http2_conn_t *conn = H2O_STRUCT_FROM_MEMBER(h2o_http2_conn_t, dos_mitigation.process_delay, timer);
++
++    assert(!h2o_timeout_is_linked(&conn->dos_mitigation.process_delay));
++    run_pending_requests(conn);
++}
++
+ static h2o_http2_conn_t *create_conn(h2o_context_t *ctx, h2o_hostconf_t **hosts, h2o_socket_t *sock, struct timeval connected_at)
+ {
+     static const h2o_conn_callbacks_t callbacks = {
+@@ -1240,6 +1270,9 @@ static h2o_http2_conn_t *create_conn(h2o_context_t *ctx, h2o_hostconf_t **hosts,
+     conn->_write.timeout_entry.cb = emit_writereq;
+     h2o_http2_window_init(&conn->_write.window, &conn->peer_settings);
+ 
++    conn->dos_mitigation.process_delay.cb = on_dos_process_delay;
++    conn->dos_mitigation.reset_budget = conn->super.ctx->globalconf->http2.max_concurrent_requests_per_connection;
++
+     return conn;
+ }
+ 
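Review bot: The comment on the new `dos_delay` field gives its unit but not its off switch. In `handle_rst_stream_frame` the delay timer is linked only when `http2.dos_delay != 0`, so setting `http2-dos-delay: 0` leaves the reset budget counted but never acted on. I would extend the field comment in `st_h2o_globalconf_t` to `milliseconds to delay processing requests when suspicious behavior is detected; 0 disables the mitigation`. In the same function, the `/* reset the stream */` comment and the `h2o_http2_stream_reset(conn, stream);` call keep the indentation of the removed `if` block and should move back one level. The functions touched here start and end outside the quoted hunks.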
diff --git a/www-servers/h2o/h2o-2.2.6-r2.ebuild b/www-servers/h2o/h2o-2.2.6-r2.ebuild
new file mode 100644
index 000000000000..36b649162128
--- /dev/null
+++ b/www-servers/h2o/h2o-2.2.6-r2.ebuild
@@ -0,0 +1,107 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="8"
+CMAKE_MAKEFILE_GENERATOR="emake"
+SSL_DEPS_SKIP=1
+USE_RUBY="ruby31 ruby32"
+
+inherit cmake ruby-single ssl-cert systemd toolchain-funcs
+
+DESCRIPTION="H2O - the optimized HTTP/1, HTTP/2 server"
+HOMEPAGE="https://h2o.examp1e.net/"
+SRC_URI="https://github.com/${PN}/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="libh2o +mruby"
+
+RDEPEND="acct-group/h2o
+	acct-user/h2o
+	dev-lang/perl
+	dev-libs/openssl:0=
+	!sci-libs/libh2o
+	sys-libs/zlib
+	libh2o? ( dev-libs/libuv )"
+DEPEND="${RDEPEND}
+	mruby? (
+		${RUBY_DEPS}
+		|| (
+			dev-libs/onigmo
+			dev-libs/oniguruma
+		)
+	)"
+BDEPEND="libh2o? ( virtual/pkgconfig )
+	mruby? (
+		sys-devel/bison
+		virtual/pkgconfig
+	)"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.2-libressl.patch #903001
+	"${FILESDIR}"/${PN}-2.2-mruby.patch
+	"${FILESDIR}"/${PN}-2.2-ruby30.patch
+	"${FILESDIR}"/${PN}-2.2-CVE-2023-44487.patch
+)
+
+src_prepare() {
+	cmake_src_prepare
+
+	local ruby="ruby"
+	if use mruby; then
+		for ruby in ${RUBY_TARGETS_PREFERENCE}; do
+			if has_version dev-lang/ruby:${ruby:4:1}.${ruby:5}; then
+				break
+			fi
+			ruby=
+		done
+		[[ -z ${ruby} ]] && die "no suitable ruby version found"
+	fi
+
+	sed -i \
+		-e "/INSTALL/s:\(/doc/${PN}\) :\1/html :" \
+		-e "/INSTALL/s:\(/doc\)/${PN}:\1/${PF}:" \
+		-e "s: ruby: ${ruby}:" \
+		CMakeLists.txt
+
+	sed -i "s:pkg-config:$(tc-getPKG_CONFIG):g" deps/mruby/lib/mruby/gem.rb
+	tc-export CC
+	export LD="$(tc-getCC)"
+}
+
+src_configure() {
+	local mycmakeargs=(
+		-DCMAKE_INSTALL_SYSCONFDIR="${EPREFIX}"/etc/${PN}
+		-DWITH_MRUBY=$(usex mruby)
+		-DWITHOUT_LIBS=$(usex !libh2o)
+		-DBUILD_SHARED_LIBS=$(usex libh2o)
+	)
+	cmake_src_configure
+}
+
+src_install() {
+	cmake_src_install
+
+	keepdir /var/www/localhost/htdocs
+
+	insinto /etc/${PN}
+	doins "${FILESDIR}"/${PN}.conf
+
+	newinitd "${FILESDIR}"/${PN}.initd ${PN}
+	systemd_dounit "${FILESDIR}"/${PN}.service
+
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}"/${PN}.logrotate ${PN}
+
+	keepdir /var/log/${PN}
+	fowners ${PN}:${PN} /var/log/${PN}
+	fperms 0750 /var/log/${PN}
+}
+
+pkg_postinst() {
+	if [[ ! -f "${EROOT}"/etc/ssl/${PN}/server.key ]]; then
+		install_cert /etc/ssl/${PN}/server
+		chown ${PN}:${PN} "${EROOT}"/etc/ssl/${PN}/server.*
+	fi
+}
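Review bot: In `pkg_postinst`, `chown ${PN}:${PN} "${EROOT}"/etc/ssl/${PN}/server.*` makes the service account the owner of the generated private key as well as the certificate, so anything running as that account can replace the key, not just read it. If the daemon only needs read access, `chown root:${PN}` plus `chmod 0640` on `server.key` would be narrower. Whether h2o loads the key before dropping privileges is not visible here and should be checked first. Separately, neither `sed -i` call in `src_prepare` ends with `|| die`, so a missing `CMakeLists.txt` or `deps/mruby/lib/mruby/gem.rb` would go unnoticed.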
^ permalink raw reply related	[flat|nested] 6+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: www-servers/h2o/files/, www-servers/h2o/
@ 2022-08-06  0:45 Akinori Hattori
From: Akinori Hattori @ 2022-08-06  0:45 UTC (permalink / raw
  To: gentoo-commits
commit:     cb0e78c9a028d19e02eb696e3a85090a73887f83
Author:     Akinori Hattori <hattya <AT> gentoo <DOT> org>
AuthorDate: Sat Aug  6 00:43:01 2022 +0000
Commit:     Akinori Hattori <hattya <AT> gentoo <DOT> org>
CommitDate: Sat Aug  6 00:43:01 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb0e78c9
www-servers/h2o: update
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Akinori Hattori <hattya <AT> gentoo.org>
 www-servers/h2o/files/h2o-2.3-mruby.patch | 28 ++++++++++++++--------------
 www-servers/h2o/h2o-9999.ebuild           | 12 ++++++++----
 2 files changed, 22 insertions(+), 18 deletions(-)
diff --git a/www-servers/h2o/files/h2o-2.3-mruby.patch b/www-servers/h2o/files/h2o-2.3-mruby.patch
index 3db3ebae8806..4f64565a675a 100644
--- a/www-servers/h2o/files/h2o-2.3-mruby.patch
+++ b/www-servers/h2o/files/h2o-2.3-mruby.patch
@@ -1,6 +1,6 @@
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
-@@ -174,6 +174,19 @@
+@@ -237,6 +237,19 @@
      SET(WSLAY_LIBRARIES -lwslay)
  ENDIF (NOT WSLAY_FOUND)
  
@@ -20,31 +20,31 @@
  IF (ZLIB_FOUND)
      INCLUDE_DIRECTORIES(${ZLIB_INCLUDE_DIRS})
      LINK_DIRECTORIES(${ZLIB_LIBRARY_DIRS})
-@@ -533,7 +546,7 @@
-     ELSE ()
-         SET(MRUBY_TOOLCHAIN "gcc")
-     ENDIF ()
--    ADD_CUSTOM_TARGET(mruby MRUBY_TOOLCHAIN=${MRUBY_TOOLCHAIN} MRUBY_CONFIG=${CMAKE_CURRENT_SOURCE_DIR}/misc/mruby_config.rb MRUBY_BUILD_DIR=${CMAKE_CURRENT_BINARY_DIR}/mruby MRUBY_ADDITIONAL_CONFIG=${MRUBY_ADDITIONAL_CONFIG} ruby minirake
-+    ADD_CUSTOM_TARGET(mruby MRUBY_TOOLCHAIN=${MRUBY_TOOLCHAIN} MRUBY_CONFIG=${CMAKE_CURRENT_SOURCE_DIR}/misc/mruby_config.rb MRUBY_BUILD_DIR=${CMAKE_CURRENT_BINARY_DIR}/mruby MRUBY_ADDITIONAL_CONFIG=${MRUBY_ADDITIONAL_CONFIG} ruby minirake -v
-         WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/deps/mruby)
-     LIST(APPEND STANDALONE_SOURCE_FILES
-         lib/handler/mruby.c
-@@ -560,7 +573,7 @@
+@@ -743,7 +756,7 @@
+     ADD_CUSTOM_TARGET(mruby
+         # deps/mruby/tasks/toolchains/clang.rake looks for CC, CXX and LD.
+         # There are no C++ files in deps/mruby, use the C compiler for linking.
+-        MRUBY_TOOLCHAIN=${MRUBY_TOOLCHAIN} CC=${CMAKE_C_COMPILER} CXX=${CMAKE_CXX_COMPILER} LD=${CMAKE_C_COMPILER} MRUBY_CONFIG=${CMAKE_CURRENT_SOURCE_DIR}/misc/mruby_config.rb MRUBY_BUILD_DIR=${CMAKE_CURRENT_BINARY_DIR}/mruby MRUBY_ADDITIONAL_CONFIG=${MRUBY_ADDITIONAL_CONFIG} ruby minirake
++        MRUBY_TOOLCHAIN=${MRUBY_TOOLCHAIN} CC=${CMAKE_C_COMPILER} CXX=${CMAKE_CXX_COMPILER} LD=${CMAKE_C_COMPILER} MRUBY_CONFIG=${CMAKE_CURRENT_SOURCE_DIR}/misc/mruby_config.rb MRUBY_BUILD_DIR=${CMAKE_CURRENT_BINARY_DIR}/mruby MRUBY_ADDITIONAL_CONFIG=${MRUBY_ADDITIONAL_CONFIG} ruby minirake -v
+         WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/deps/mruby
+         BYPRODUCTS "${CMAKE_CURRENT_BINARY_DIR}/mruby/host/lib/libmruby.a"
+                    "${CMAKE_CURRENT_BINARY_DIR}/mruby/host/mrbgems/mruby-onig-regexp/onigmo-6.2.0/.libs/libonigmo.a"
+@@ -777,7 +790,7 @@
      # note: the paths need to be determined before libmruby.flags.mak is generated
      TARGET_LINK_LIBRARIES(h2o
          "${CMAKE_CURRENT_BINARY_DIR}/mruby/host/lib/libmruby.a"
--        "${CMAKE_CURRENT_BINARY_DIR}/mruby/host/mrbgems/mruby-onig-regexp/onigmo-6.1.2/.libs/libonigmo.a"
+-        "${CMAKE_CURRENT_BINARY_DIR}/mruby/host/mrbgems/mruby-onig-regexp/onigmo-6.2.0/.libs/libonigmo.a"
 +        ${ONIG_LIBRARIES}
          "m")
      ADD_DEPENDENCIES(h2o mruby)
  ENDIF (WITH_MRUBY)
 --- a/deps/mruby-onig-regexp/mrbgem.rake
 +++ b/deps/mruby-onig-regexp/mrbgem.rake
-@@ -103,10 +103,8 @@
+@@ -108,10 +108,8 @@
  
    if spec.respond_to? :search_package and spec.search_package 'onigmo'
      spec.cc.defines += ['HAVE_ONIGMO_H']
--    spec.linker.libraries << 'onig'
+-    spec.linker.libraries << 'onigmo'
    elsif spec.respond_to? :search_package and spec.search_package 'oniguruma'
      spec.cc.defines += ['HAVE_ONIGURUMA_H']
 -    spec.linker.libraries << 'onig'
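Review bot: The `BYPRODUCTS` list of `ADD_CUSTOM_TARGET(mruby …)` still names the bundled `…/mruby-onig-regexp/onigmo-6.2.0/.libs/libonigmo.a`, although the patch stops linking that archive in favour of `${ONIG_LIBRARIES}`. If the mruby build no longer produces the archive once the system library is found (not visible here), the declaration is stale. This commit also drops `CMAKE_MAKEFILE_GENERATOR="emake"` from h2o-9999.ebuild, so a generator that tracks `BYPRODUCTS` may now be in use. I would have the patch remove that second `BYPRODUCTS` entry as well. The `ADD_CUSTOM_TARGET` call starts outside the quoted context.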
diff --git a/www-servers/h2o/h2o-9999.ebuild b/www-servers/h2o/h2o-9999.ebuild
index cd6fd817fc38..fc47d03e7abb 100644
--- a/www-servers/h2o/h2o-9999.ebuild
+++ b/www-servers/h2o/h2o-9999.ebuild
@@ -1,8 +1,7 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="8"
-CMAKE_MAKEFILE_GENERATOR="emake"
 SSL_DEPS_SKIP=1
 USE_RUBY="ruby26 ruby27"
 
@@ -20,10 +19,14 @@ IUSE="libh2o +mruby"
 RDEPEND="acct-group/h2o
 	acct-user/h2o
 	dev-lang/perl
+	dev-libs/openssl:0=
 	!sci-libs/libh2o
+	sys-libs/libcap
 	sys-libs/zlib
-	libh2o? ( dev-libs/libuv )
-	dev-libs/openssl:0="
+	libh2o? (
+		app-arch/brotli
+		dev-libs/libuv
+	)"
 DEPEND="${RDEPEND}
 	mruby? (
 		${RUBY_DEPS}
@@ -66,6 +69,7 @@ src_prepare() {
 src_configure() {
 	local mycmakeargs=(
 		-DCMAKE_INSTALL_SYSCONFDIR="${EPREFIX}"/etc/${PN}
+		-DWITH_CCACHE=OFF
 		-DWITH_MRUBY=$(usex mruby)
 		-DWITHOUT_LIBS=$(usex !libh2o)
 		-DBUILD_SHARED_LIBS=$(usex libh2o)
^ permalink raw reply related	[flat|nested] 6+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: www-servers/h2o/files/, www-servers/h2o/
@ 2018-07-04 13:24 Akinori Hattori
From: Akinori Hattori @ 2018-07-04 13:24 UTC (permalink / raw
  To: gentoo-commits
commit:     c68e501b8b299cdd5dbd42f6f26dcd32fbb911a3
Author:     Akinori Hattori <hattya <AT> gentoo <DOT> org>
AuthorDate: Wed Jul  4 12:59:44 2018 +0000
Commit:     Akinori Hattori <hattya <AT> gentoo <DOT> org>
CommitDate: Wed Jul  4 13:23:46 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c68e501b
www-servers/h2o: tidy
Package-Manager: Portage-2.3.40, Repoman-2.3.9
 www-servers/h2o/files/h2o.logrotate |  7 ++++--
 www-servers/h2o/h2o-2.2.4.ebuild    | 44 ++++++++++++++++---------------------
 www-servers/h2o/h2o-9999.ebuild     | 36 ++++++++++++++++--------------
 www-servers/h2o/metadata.xml        |  1 +
 4 files changed, 44 insertions(+), 44 deletions(-)
diff --git a/www-servers/h2o/files/h2o.logrotate b/www-servers/h2o/files/h2o.logrotate
index b901bcfacb1..166b6e7f17b 100644
--- a/www-servers/h2o/files/h2o.logrotate
+++ b/www-servers/h2o/files/h2o.logrotate
@@ -1,8 +1,11 @@
+# h2o logrotate script for Gentoo
+
 /var/log/h2o/*.log {
 	missingok
-	delaycompress
+	notifempty
 	sharedscripts
+	delaycompress
 	postrotate
-		test -r $(grep pid-file "/etc/h2o/h2o.conf" | cut -d' ' -f2) && kill -HUP $(pidof h2o)
+		/bin/kill -HUP $(grep pid-file "/etc/h2o/h2o.conf" | cut -d' ' -f2 | cat) 2>/dev/null || true
 	endscript
 }
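Review bot: The new `postrotate` line passes the pid-file path, not the pid, to `kill`. `grep pid-file … | cut -d' ' -f2` prints the path configured in h2o.conf, and the trailing `| cat` only copies that text. `/bin/kill -HUP` therefore receives a file name, fails, and `2>/dev/null || true` hides the failure. The server is then never signalled after rotation and would presumably keep writing to the rotated file. Reading the file fixes it: `/bin/kill -HUP $(cat "$(grep pid-file /etc/h2o/h2o.conf | cut -d' ' -f2)") 2>/dev/null || true`.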
diff --git a/www-servers/h2o/h2o-2.2.4.ebuild b/www-servers/h2o/h2o-2.2.4.ebuild
index 10c508037d7..579c8e92940 100644
--- a/www-servers/h2o/h2o-2.2.4.ebuild
+++ b/www-servers/h2o/h2o-2.2.4.ebuild
@@ -1,14 +1,14 @@
 # Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=6
+EAPI="6"
 CMAKE_MAKEFILE_GENERATOR="emake"
 USE_RUBY="ruby23 ruby24"
 
 inherit cmake-utils ruby-single systemd user
 
-DESCRIPTION="An optimized HTTP server with support for HTTP/1.x and HTTP/2"
-HOMEPAGE="https://h2o.examp1e.net"
+DESCRIPTION="H2O - the optimized HTTP/1, HTTP/2 server"
+HOMEPAGE="https://h2o.examp1e.net/"
 SRC_URI="https://github.com/${PN}/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
 
 LICENSE="MIT"
@@ -16,7 +16,8 @@ SLOT="0"
 KEYWORDS="~amd64 ~x86"
 IUSE="libressl +mruby"
 
-RDEPEND="
+RDEPEND="dev-lang/perl
+	sys-libs/zlib
 	!libressl? ( dev-libs/openssl:0= )
 	libressl? ( dev-libs/libressl:0= )"
 DEPEND="${RDEPEND}
@@ -28,22 +29,14 @@ DEPEND="${RDEPEND}
 PATCHES=( "${FILESDIR}"/${P}-libressl.patch )
 
 pkg_setup() {
-	enewgroup h2o
-	enewuser h2o -1 -1 -1 h2o
-}
-
-src_prepare() {
-	# Leave optimization level to user CFLAGS
-	sed -i 's/-O2 -g ${CC_WARNING_FLAGS} //g' ./CMakeLists.txt \
-		|| die "sed fix failed!"
-
-	cmake-utils_src_prepare
+	enewgroup ${PN}
+	enewuser ${PN} -1 -1 -1 ${PN}
 }
 
 src_configure() {
 	local mycmakeargs=(
-		-DCMAKE_INSTALL_SYSCONFDIR="${EPREFIX}"/etc/h2o
-		-DWITH_MRUBY="$(usex mruby)"
+		-DCMAKE_INSTALL_SYSCONFDIR="${EPREFIX}"/etc/${PN}
+		-DWITH_MRUBY=$(usex mruby)
 		-DWITHOUT_LIBS=ON
 	)
 	cmake-utils_src_configure
@@ -52,17 +45,18 @@ src_configure() {
 src_install() {
 	cmake-utils_src_install
 
-	newinitd "${FILESDIR}"/h2o.initd h2o
-	systemd_dounit "${FILESDIR}"/h2o.service
-
-	insinto /etc/h2o
-	doins "${FILESDIR}"/h2o.conf
+	keepdir /var/www/localhost/htdocs
 
-	keepdir /var/log/h2o
-	fperms 0700 /var/log/h2o
+	insinto /etc/${PN}
+	doins "${FILESDIR}"/${PN}.conf
 
-	keepdir /var/www/localhost/htdocs
+	newinitd "${FILESDIR}"/${PN}.initd ${PN}
+	systemd_dounit "${FILESDIR}"/${PN}.service
 
 	insinto /etc/logrotate.d
-	newins "${FILESDIR}"/h2o.logrotate h2o
+	newins "${FILESDIR}"/${PN}.logrotate ${PN}
+
+	keepdir /var/log/${PN}
+	fowners ${PN}:${PN} /var/log/${PN}
+	fperms 0750 /var/log/${PN}
 }
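Review bot: `fowners ${PN}:${PN} /var/log/${PN}` hands the log directory to the service account, while the logrotate stanza changed in this same commit still rotates `/var/log/h2o/*.log` as logrotate's default user, normally root. A root-run rotation inside a directory that an unprivileged account controls is the case logrotate's `su` directive exists for. Adding `su h2o h2o` to h2o.logrotate would keep the rotation at the directory owner's privilege level. It should be tested against how h2o actually creates its log files, which is not visible here. The same `fowners`/`fperms 0750` lines are added to `src_install` in h2o-9999.ebuild.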
diff --git a/www-servers/h2o/h2o-9999.ebuild b/www-servers/h2o/h2o-9999.ebuild
index b0583fd8855..d6c5d65d823 100644
--- a/www-servers/h2o/h2o-9999.ebuild
+++ b/www-servers/h2o/h2o-9999.ebuild
@@ -1,14 +1,14 @@
 # Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=6
+EAPI="6"
 CMAKE_MAKEFILE_GENERATOR="emake"
 USE_RUBY="ruby23 ruby24"
 
 inherit cmake-utils git-r3 ruby-single systemd user
 
-DESCRIPTION="An optimized HTTP server with support for HTTP/1.x and HTTP/2"
-HOMEPAGE="https://h2o.examp1e.net"
+DESCRIPTION="H2O - the optimized HTTP/1, HTTP/2 server"
+HOMEPAGE="https://h2o.examp1e.net/"
 EGIT_REPO_URI="https://github.com/${PN}/${PN}.git"
 
 LICENSE="MIT"
@@ -16,7 +16,8 @@ SLOT="0"
 KEYWORDS=""
 IUSE="libressl +mruby"
 
-RDEPEND="
+RDEPEND="dev-lang/perl
+	sys-libs/zlib
 	!libressl? ( dev-libs/openssl:0= )
 	libressl? ( dev-libs/libressl:0= )"
 DEPEND="${RDEPEND}
@@ -26,14 +27,14 @@ DEPEND="${RDEPEND}
 	)"
 
 pkg_setup() {
-	enewgroup h2o
-	enewuser h2o -1 -1 -1 h2o
+	enewgroup ${PN}
+	enewuser ${PN} -1 -1 -1 ${PN}
 }
 
 src_configure() {
 	local mycmakeargs=(
-		-DCMAKE_INSTALL_SYSCONFDIR="${EPREFIX}"/etc/h2o
-		-DWITH_MRUBY="$(usex mruby)"
+		-DCMAKE_INSTALL_SYSCONFDIR="${EPREFIX}"/etc/${PN}
+		-DWITH_MRUBY=$(usex mruby)
 		-DWITHOUT_LIBS=ON
 	)
 	cmake-utils_src_configure
@@ -42,17 +43,18 @@ src_configure() {
 src_install() {
 	cmake-utils_src_install
 
-	newinitd "${FILESDIR}"/h2o.initd h2o
-	systemd_dounit "${FILESDIR}"/h2o.service
-
-	insinto /etc/h2o
-	doins "${FILESDIR}"/h2o.conf
+	keepdir /var/www/localhost/htdocs
 
-	keepdir /var/log/h2o
-	fperms 0700 /var/log/h2o
+	insinto /etc/${PN}
+	doins "${FILESDIR}"/${PN}.conf
 
-	keepdir /var/www/localhost/htdocs
+	newinitd "${FILESDIR}"/${PN}.initd ${PN}
+	systemd_dounit "${FILESDIR}"/${PN}.service
 
 	insinto /etc/logrotate.d
-	newins "${FILESDIR}"/h2o.logrotate h2o
+	newins "${FILESDIR}"/${PN}.logrotate ${PN}
+
+	keepdir /var/log/${PN}
+	fowners ${PN}:${PN} /var/log/${PN}
+	fperms 0750 /var/log/${PN}
 }
diff --git a/www-servers/h2o/metadata.xml b/www-servers/h2o/metadata.xml
index af6fee5b3de..6a34529b48f 100644
--- a/www-servers/h2o/metadata.xml
+++ b/www-servers/h2o/metadata.xml
@@ -3,6 +3,7 @@
 <pkgmetadata>
 	<maintainer type="person">
 		<email>hattya@gentoo.org</email>
+		<name>Akinori Hattori</name>
 	</maintainer>
 	<longdescription lang="en">
 		H2O is a new generation HTTP server. Not only is it very fast,
^ permalink raw reply related	[flat|nested] 6+ messages in thread* [gentoo-commits] repo/gentoo:master commit in: www-servers/h2o/files/, www-servers/h2o/
@ 2017-07-05 19:51 Michał Górny
From: Michał Górny @ 2017-07-05 19:51 UTC (permalink / raw
  To: gentoo-commits
commit:     7de7699a136a5f2092f9050ba3f53ff2965e7cfb
Author:     csmk <csmk <AT> chaoslab <DOT> org>
AuthorDate: Fri Jun 30 12:45:51 2017 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Wed Jul  5 19:49:53 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7de7699a
www-servers/h2o: New package
H2O is a new generation HTTP server that provides quicker
response to users with less CPU utilization when compared to
older generation of web servers. Designed from ground-up,
the server takes full advantage of HTTP/2 features including
prioritized content serving and server push, promising
outstanding experience to the visitors of your web site.
Base for ebuild from https://github.com/csmk/frabjous.
Bug: https://bugs.gentoo.org/623160
Closes: https://github.com/gentoo/gentoo/pull/5015
 www-servers/h2o/Manifest            |  1 +
 www-servers/h2o/files/h2o.conf      | 30 ++++++++++++++++
 www-servers/h2o/files/h2o.initd     | 51 +++++++++++++++++++++++++++
 www-servers/h2o/files/h2o.logrotate |  8 +++++
 www-servers/h2o/files/h2o.service   | 13 +++++++
 www-servers/h2o/h2o-2.2.2.ebuild    | 69 +++++++++++++++++++++++++++++++++++++
 www-servers/h2o/h2o-9999.ebuild     | 69 +++++++++++++++++++++++++++++++++++++
 www-servers/h2o/metadata.xml        | 23 +++++++++++++
 8 files changed, 264 insertions(+)
diff --git a/www-servers/h2o/Manifest b/www-servers/h2o/Manifest
new file mode 100644
index 00000000000..21a5c58c1c4
--- /dev/null
+++ b/www-servers/h2o/Manifest
@@ -0,0 +1 @@
+DIST h2o-2.2.2.tar.gz 16192602 SHA256 cf45780058566bd63d90ad0b52b1d15f8515519090753398b9bcf770162a0433 SHA512 b5cc08f2be7056bbac4370f9b6ccb1ba0ad4ea61ce67e946a4f26b8f9c0a575f603c899b1a88f17d1065e0e72e1d1094199200ed24b4f3644a3c7df34aa04b51 WHIRLPOOL d9aff2d3e7caa0334efbac86a807fe8ecd5f146ae56315a5194b8de653ae4f91d33cad754714cd38fadd1c59d87cafe30c1f5f6cb2102362a7647ebd3f18dc84
diff --git a/www-servers/h2o/files/h2o.conf b/www-servers/h2o/files/h2o.conf
new file mode 100644
index 00000000000..ccca5dd2de5
--- /dev/null
+++ b/www-servers/h2o/files/h2o.conf
@@ -0,0 +1,30 @@
+# see /usr/share/doc/h2o/index.html for detailed documentation
+# see h2o --help for command-line options and settings
+
+user: h2o
+pid-file: /run/h2o.pid
+access-log: /var/log/h2o/access.log
+error-log: /var/log/h2o/error.log
+
+# httpoxy mitigation (https://httpoxy.org)
+# see https://github.com/h2o/h2o/pull/996
+setenv:
+  HTTP_PROXY: ""
+
+listen: 80
+
+#listen:
+#  port: 443
+#    ssl:
+#      minimum-version: TLSv1.2
+#      certificate-file: /etc/h2o/server.crt
+#      key-file: /etc/h2o/server.key
+
+hosts:
+  "localhost:80":
+    paths:
+      "/":
+        file.dir: /var/www/localhost/htdocs
+      "/doc":
+        file.dir: /usr/share/doc/h2o/
+        file.index: [ 'index.html' ]
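Review bot: The commented TLS example cannot be enabled by just removing the `#` markers. `ssl:` is indented one level deeper than `port: 443`, which makes it a child of a scalar instead of a sibling key under `listen:`. The block should read `#  port: 443` then `#  ssl:` then `#    minimum-version: TLSv1.2`, with the certificate and key lines at that same inner level. As shipped, the only active listener is plain HTTP on port 80, so the TLS template is the part an administrator is most likely to copy.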
diff --git a/www-servers/h2o/files/h2o.initd b/www-servers/h2o/files/h2o.initd
new file mode 100644
index 00000000000..ad598a5f619
--- /dev/null
+++ b/www-servers/h2o/files/h2o.initd
@@ -0,0 +1,51 @@
+#!/sbin/openrc-run
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="configtest"
+extra_started_commands="reload"
+description="An optimized HTTP/1.x, HTTP/2 server"
+description_configtest="Run H2O' internal config check"
+description_reload="Reload the H2O configuration or upgrade the binary without losing connections"
+
+: ${config:="/etc/h2o/h2o.conf"}
+pidfile=$(grep pid-file "${config}" | cut -d' ' -f2)
+
+name="H2O"
+command="/usr/bin/h2o"
+command_args="-m daemon -c ${config}"
+required_files="$config"
+
+depend() {
+	use net
+	after logger
+}
+
+start_pre() {
+	if [ "${RC_CMD}" != "restart" ]; then
+		configtest || return 1
+	fi
+}
+
+stop_pre() {
+	if [ "${RC_CMD}" = "restart" ]; then
+		configtest || return 1
+	fi
+}
+
+reload() {
+	configtest || return 1
+	ebegin "Refreshing ${name} configuration"
+	kill -HUP $(cat ${pidfile}) &>/dev/null
+	eend $? "Failed to reload ${name}"
+}
+
+configtest() {
+	ebegin "Checking ${name} configuration"
+
+	if ! ${command} -c ${config} -t &>/dev/null; then
+		${command} -c ${config} -t
+	fi
+
+	eend $? "Failed, please correct the errors above"
+}
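Review bot: `&>/dev/null` in `reload` and `configtest` is a bash extension, but the script runs under `#!/sbin/openrc-run`, which hands it to the system `/bin/sh`. On a strictly POSIX shell, `kill -HUP $(cat ${pidfile}) &>/dev/null` parses as a background job followed by an empty redirection. `eend $?` then reports success even when the signal was never delivered. Use `>/dev/null 2>&1` in both places and quote the expansion: `kill -HUP "$(cat "${pidfile}")" >/dev/null 2>&1`.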
diff --git a/www-servers/h2o/files/h2o.logrotate b/www-servers/h2o/files/h2o.logrotate
new file mode 100644
index 00000000000..b901bcfacb1
--- /dev/null
+++ b/www-servers/h2o/files/h2o.logrotate
@@ -0,0 +1,8 @@
+/var/log/h2o/*.log {
+	missingok
+	delaycompress
+	sharedscripts
+	postrotate
+		test -r $(grep pid-file "/etc/h2o/h2o.conf" | cut -d' ' -f2) && kill -HUP $(pidof h2o)
+	endscript
+}
diff --git a/www-servers/h2o/files/h2o.service b/www-servers/h2o/files/h2o.service
new file mode 100644
index 00000000000..fe32c45cd90
--- /dev/null
+++ b/www-servers/h2o/files/h2o.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=An optimized HTTP/1.x, HTTP/2 server
+After=network-online.target nss-lookup.target remote-fs.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/h2o -c /etc/h2o/h2o.conf -m master
+SyslogLevel=notice
+PrivateTmp=true
+LimitNOFILE=infinity
+
+[Install]
+WantedBy=multi-user.target
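Review bot: The unit sets no `User=` and its only confinement is `PrivateTmp=true`. The process therefore starts as root, and the privilege drop depends entirely on `user: h2o` staying in h2o.conf. For an internet-facing server I would add low-risk sandboxing such as `NoNewPrivileges=true`, `ProtectSystem=full` and `ProtectHome=true`, after confirming that `-m master` still starts and can write its pid file and logs. `After=network-online.target` also has no matching `Wants=network-online.target`, so the ordering may have nothing to order against.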
diff --git a/www-servers/h2o/h2o-2.2.2.ebuild b/www-servers/h2o/h2o-2.2.2.ebuild
new file mode 100644
index 00000000000..d0735cc9677
--- /dev/null
+++ b/www-servers/h2o/h2o-2.2.2.ebuild
@@ -0,0 +1,69 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit cmake-utils systemd user
+
+DESCRIPTION="An optimized HTTP server with support for HTTP/1.x and HTTP/2"
+HOMEPAGE="https://h2o.examp1e.net"
+SRC_URI="https://github.com/h2o/h2o/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="libressl +mruby"
+
+RDEPEND="
+	!libressl? ( dev-libs/openssl:0= )
+	libressl? ( dev-libs/libressl:0= )"
+DEPEND="${RDEPEND}
+	mruby? (
+		sys-devel/bison
+		|| (
+			dev-lang/ruby:2.4
+			dev-lang/ruby:2.3
+			dev-lang/ruby:2.2
+			dev-lang/ruby:2.1
+		)
+	)"
+
+pkg_setup() {
+	enewgroup h2o
+	enewuser h2o -1 -1 -1 h2o
+}
+
+src_prepare() {
+	# Leave optimization level to user CFLAGS
+	sed -i 's/-O2 -g ${CC_WARNING_FLAGS} //g' ./CMakeLists.txt \
+		|| die "sed fix failed!"
+
+	default
+}
+
+src_configure() {
+	local mycmakeargs=(
+		-DCMAKE_INSTALL_SYSCONFDIR="${EPREFIX}"/etc/h2o
+		-DWITH_MRUBY="$(usex mruby)"
+		-DWITHOUT_LIBS=ON
+	)
+	cmake-utils_src_configure
+}
+
+src_install() {
+	cmake-utils_src_install
+
+	newinitd "${FILESDIR}"/h2o.initd h2o
+	systemd_dounit "${FILESDIR}"/h2o.service
+
+	insinto /etc/h2o
+	doins "${FILESDIR}"/h2o.conf
+
+	keepdir /var/log/h2o
+	fperms 0700 /var/log/h2o
+
+	keepdir /var/www/localhost/htdocs
+
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}"/h2o.logrotate h2o
+}
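Review bot: src_prepare ends with `default` although the ebuild inherits cmake-utils, so the eclass's own prepare phase is never run (as far as I know it wraps the default phase and also normalises CMakeLists.txt); `cmake-utils_src_prepare` in place of `default` is the usual form. The `sed -i … || die` before it dies only on a sed error, not when the pattern stops matching, so an upstream change to that flags line would silently leave `-O2 -g` in place. The same src_prepare appears in h2o-9999.ebuild, where upstream drift is more likely. Separately, `fperms 0700 /var/log/h2o` is not paired with `fowners`, so the directory stays root-owned even though pkg_setup creates an h2o user; it is worth confirming that this matches how the shipped h2o.conf opens its logs.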
diff --git a/www-servers/h2o/h2o-9999.ebuild b/www-servers/h2o/h2o-9999.ebuild
new file mode 100644
index 00000000000..6171018d54c
--- /dev/null
+++ b/www-servers/h2o/h2o-9999.ebuild
@@ -0,0 +1,69 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit cmake-utils git-r3 systemd user
+
+DESCRIPTION="An optimized HTTP server with support for HTTP/1.x and HTTP/2"
+HOMEPAGE="https://h2o.examp1e.net"
+EGIT_REPO_URI=( {https,git}://github.com/h2o/h2o.git )
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS=""
+IUSE="libressl +mruby"
+
+RDEPEND="
+	!libressl? ( dev-libs/openssl:0= )
+	libressl? ( dev-libs/libressl:0= )"
+DEPEND="${RDEPEND}
+	mruby? (
+		sys-devel/bison
+		|| (
+			dev-lang/ruby:2.4
+			dev-lang/ruby:2.3
+			dev-lang/ruby:2.2
+			dev-lang/ruby:2.1
+		)
+	)"
+
+pkg_setup() {
+	enewgroup h2o
+	enewuser h2o -1 -1 -1 h2o
+}
+
+src_prepare() {
+	# Leave optimization level to user CFLAGS
+	sed -i 's/-O2 -g ${CC_WARNING_FLAGS} //g' ./CMakeLists.txt \
+		|| die "sed fix failed!"
+
+	default
+}
+
+src_configure() {
+	local mycmakeargs=(
+		-DCMAKE_INSTALL_SYSCONFDIR="${EPREFIX}"/etc/h2o
+		-DWITH_MRUBY="$(usex mruby)"
+		-DWITHOUT_LIBS=ON
+	)
+	cmake-utils_src_configure
+}
+
+src_install() {
+	cmake-utils_src_install
+
+	newinitd "${FILESDIR}"/h2o.initd h2o
+	systemd_dounit "${FILESDIR}"/h2o.service
+
+	insinto /etc/h2o
+	doins "${FILESDIR}"/h2o.conf
+
+	keepdir /var/log/h2o
+	fperms 0700 /var/log/h2o
+
+	keepdir /var/www/localhost/htdocs
+
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}"/h2o.logrotate h2o
+}
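Review bot: `EGIT_REPO_URI=( {https,git}://github.com/h2o/h2o.git )` lists the plain `git://` transport as a fallback, and that protocol provides neither encryption nor server authentication. A live ebuild has no Manifest checksum for the fetched tree, so a fetch that falls back to `git://` builds whatever the network path delivers. Keeping only the authenticated URL closes that gap: `EGIT_REPO_URI="https://github.com/h2o/h2o.git"`.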
diff --git a/www-servers/h2o/metadata.xml b/www-servers/h2o/metadata.xml
new file mode 100644
index 00000000000..a6705b14e84
--- /dev/null
+++ b/www-servers/h2o/metadata.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>csmk@chaoslab.org</email>
+		<name>Ian Moone</name>
+	</maintainer>
+	<maintainer type="project">
+		<email>proxy-maint@gentoo.org</email>
+		<name>Proxy Maintainers</name>
+	</maintainer>
+	<longdescription lang="en">
+		H2O is a new generation HTTP server. Not only is it very fast,
+		it also provides much quicker response to end-users
+		when compared to older generations of HTTP servers.
+	</longdescription>
+	<use>
+		<flag name="mruby">Enable support for mruby</flag>
+	</use>
+	<upstream>
+		<remote-id type="github">h2o/h2o</remote-id>
+	</upstream>
+</pkgmetadata>