Update contrib/libs/nghttp2 to 1.60.0

dc09b3de054bebe8fb18770f38700230574d4d69

contrib/libs/nghttp2/AUTHORS

@@ -112,6 +112,7 @@ Rudi Heitbaum
 Ryo Ota
 Scott Mitchell
 Sebastiaan Deckers
+Sergey Fedorov
 Shelley Vohr
 Simon Frankenberger
 Simone Basso

contrib/libs/nghttp2/README.rst

@@ -48,11 +48,6 @@ The following package is required to build the libnghttp2 library:
 
 * pkg-config >= 0.20
 
-To build and run the unit test programs, the following package is
-required:
-
-* cunit >= 2.1
-
 To build the documentation, you need to install:
 
 * sphinx (http://sphinx-doc.org/)
@@ -100,6 +95,11 @@ To mitigate heap fragmentation in long running server programs
      Alpine Linux currently does not support malloc replacement
      due to musl limitations. See details in issue `#762 <https://github.com/nghttp2/nghttp2/issues/762>`_.
 
+For BoringSSL or aws-lc build, to enable :rfc:`8879` TLS Certificate
+Compression in applications, the following library is required:
+
+* libbrotli-dev >= 1.0.9
+
 To enable mruby support for nghttpx, `mruby
 <https://github.com/mruby/mruby>`_ is required.  We need to build
 mruby with C++ ABI explicitly turned on, and probably need other
@@ -127,7 +127,7 @@ following libraries are required:
   <https://github.com/quictls/openssl/tree/OpenSSL_1_1_1w+quic>`_; or
   LibreSSL (does not support 0RTT); or aws-lc; or
   `BoringSSL <https://boringssl.googlesource.com/boringssl/>`_ (commit
-  f42be90d665b6a376177648ccbb76fbbd6497c13)
+  8e6a26d128484b886e6dcbfa558b993d38950bb5)
 * `ngtcp2 <https://github.com/ngtcp2/ngtcp2>`_ >= 1.0.0
 * `nghttp3 <https://github.com/ngtcp2/nghttp3>`_ >= 1.1.0
 
@@ -205,7 +205,7 @@ required packages:
 
     sudo apt-get install g++ clang make binutils autoconf automake \
       autotools-dev libtool pkg-config \
-      zlib1g-dev libcunit1-dev libssl-dev libxml2-dev libev-dev \
+      zlib1g-dev libssl-dev libxml2-dev libev-dev \
       libevent-dev libjansson-dev \
       libc-ares-dev libjemalloc-dev libsystemd-dev \
       ruby-dev bison libelf-dev
@@ -337,23 +337,24 @@ connections alive during reload.
 
 The detailed steps to build HTTP/3 enabled h2load and nghttpx follow.
 
-Build custom OpenSSL:
+Build aws-lc:
 
 .. code-block:: text
 
-   $ git clone --depth 1 -b OpenSSL_1_1_1w+quic https://github.com/quictls/openssl
-   $ cd openssl
-   $ ./config --prefix=$PWD/build --openssldir=/etc/ssl
-   $ make -j$(nproc)
-   $ make install_sw
+   $ git clone --depth 1 -b v1.21.0 https://github.com/aws/aws-lc
+   $ cd aws-lc
+   $ cmake -B build -DDISABLE_GO=ON --install-prefix=$PWD/opt
+   $ make -j$(nproc) -C build
+   $ cmake --install build
    $ cd ..
 
 Build nghttp3:
 
 .. code-block:: text
 
-   $ git clone --depth 1 -b v1.1.0 https://github.com/ngtcp2/nghttp3
+   $ git clone --depth 1 -b v1.2.0 https://github.com/ngtcp2/nghttp3
    $ cd nghttp3
+   $ git submodule update --init --depth 1
    $ autoreconf -i
    $ ./configure --prefix=$PWD/build --enable-lib-only
    $ make -j$(nproc)
@@ -364,11 +365,13 @@ Build ngtcp2:
 
 .. code-block:: text
 
-   $ git clone --depth 1 -b v1.2.0 https://github.com/ngtcp2/ngtcp2
+   $ git clone --depth 1 -b v1.3.0 https://github.com/ngtcp2/ngtcp2
    $ cd ngtcp2
+   $ git submodule update --init --depth 1
    $ autoreconf -i
-   $ ./configure --prefix=$PWD/build --enable-lib-only \
-         PKG_CONFIG_PATH="$PWD/../openssl/build/lib/pkgconfig"
+   $ ./configure --prefix=$PWD/build --enable-lib-only --with-boringssl \
+         BORINGSSL_CFLAGS="-I$PWD/../aws-lc/opt/include" \
+         BORINGSSL_LIBS="-L$PWD/../aws-lc/opt/lib -lssl -lcrypto"
    $ make -j$(nproc)
    $ make install
    $ cd ..
@@ -391,10 +394,10 @@ Build nghttp2:
    $ cd nghttp2
    $ git submodule update --init
    $ autoreconf -i
-   $ ./configure --with-mruby --with-neverbleed --enable-http3 --with-libbpf \
-         CC=clang-14 CXX=clang++-14 \
-         PKG_CONFIG_PATH="$PWD/../openssl/build/lib/pkgconfig:$PWD/../nghttp3/build/lib/pkgconfig:$PWD/../ngtcp2/build/lib/pkgconfig:$PWD/../libbpf/build/lib64/pkgconfig" \
-         LDFLAGS="$LDFLAGS -Wl,-rpath,$PWD/../openssl/build/lib -Wl,-rpath,$PWD/../libbpf/build/lib64"
+   $ ./configure --with-mruby --enable-http3 --with-libbpf \
+         CC=clang-15 CXX=clang++-15 \
+         PKG_CONFIG_PATH="$PWD/../aws-lc/opt/lib/pkgconfig:$PWD/../nghttp3/build/lib/pkgconfig:$PWD/../ngtcp2/build/lib/pkgconfig:$PWD/../libbpf/build/lib64/pkgconfig" \
+         LDFLAGS="$LDFLAGS -Wl,-rpath,$PWD/../aws-lc/opt/lib -Wl,-rpath,$PWD/../libbpf/build/lib64"
    $ make -j$(nproc)
 
 The eBPF program ``reuseport_kern.o`` should be found under bpf
@@ -479,7 +482,7 @@ Previously nghttp2 library did not send client magic, which is first
 24 bytes byte string of client connection preface, and client
 applications have to send it by themselves.  Since v1.0.0, client
 magic is sent by library via first call of ``nghttp2_session_send()``
-or ``nghttp2_session_mem_send()``.
+or ``nghttp2_session_mem_send2()``.
 
 The client applications which send client magic must remove the
 relevant code.
@@ -1446,17 +1449,6 @@ See `Contribution Guidelines
 <https://nghttp2.org/documentation/contribute.html>`_ for more
 details.
 
-Reporting vulnerability
------------------------
-
-If you find a vulnerability in our software, please send the email to
-"tatsuhiro.t at gmail dot com" about its details instead of submitting
-issues on github issue page.  It is a standard practice not to
-disclose vulnerability information publicly until a fixed version is
-released, or mitigation is worked out.
-
-In the future, we may setup a dedicated mail address for this purpose.
-
 Versioning
 ----------
 

contrib/libs/nghttp2/SECURITY.md

@@ -0,0 +1,31 @@
+# Security Process
+
+If you find a vulnerability in our software, please report it via
+GitHub "Private vulnerability reporting" feature at
+https://github.com/nghttp2/nghttp2/security instead of submitting
+issues on github issue page.  It is a standard practice not to
+disclose vulnerability information publicly until a fixed version is
+released, or mitigation is worked out.
+
+If we identify that the reported issue is really a vulnerability, we
+open a new security advisory draft using [GitHub security
+feature](https://github.com/nghttp2/nghttp2/security) and discuss the
+mitigation and bug fixes there.  The fixes are committed to the
+private repository.
+
+We write the security advisory and get CVE number from GitHub
+privately.  We also discuss the disclosure date to the public.
+
+We make a new release with the fix at the same time when the
+vulnerability is disclosed to public.
+
+At least 7 days before the public disclosure date, we open a new issue
+on [nghttp2 issue tracker](https://github.com/nghttp2/nghttp2/issues)
+which notifies that the upcoming release will have a security fix.
+The `SECURITY` label is attached to this kind of issue.  The issue is
+not opened if a vulnerability is already disclosed, and it is publicly
+known that nghttp2 is affected by that.
+
+Before few hours of new release, we merge the fixes to the master
+branch (and/or a release branch if necessary) and make a new release.
+Security advisory is disclosed on GitHub.

contrib/libs/nghttp2/config-linux.h

@@ -73,6 +73,9 @@
 /* Define to 1 if you have `libbpf` library. */
 /* #undef HAVE_LIBBPF */
 
+/* Define to 1 if you have `libbrotlienc` and `libbrotlidec` libraries. */
+/* #undef HAVE_LIBBROTLI */
+
 /* Define to 1 if you have `libev` library. */
 #define HAVE_LIBEV 1
 
@@ -260,7 +263,7 @@
 #define PACKAGE_NAME "nghttp2"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "nghttp2 1.59.0"
+#define PACKAGE_STRING "nghttp2 1.60.0"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "nghttp2"
@@ -269,7 +272,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "1.59.0"
+#define PACKAGE_VERSION "1.60.0"
 
 /* Define to 1 if all of the C90 standard headers exist (not just the ones
    required in a freestanding environment). This macro is provided for
@@ -368,7 +371,7 @@
 
 
 /* Version number of package */
-#define VERSION "1.59.0"
+#define VERSION "1.60.0"
 
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */

contrib/libs/nghttp2/lib/includes/nghttp2/nghttp2ver.h

@@ -29,7 +29,7 @@
  * @macro
  * Version number of the nghttp2 library release
  */
-#define NGHTTP2_VERSION "1.59.0"
+#define NGHTTP2_VERSION "1.60.0"
 
 /**
  * @macro
@@ -37,6 +37,6 @@
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define NGHTTP2_VERSION_NUM 0x013b00
+#define NGHTTP2_VERSION_NUM 0x013c00
 
 #endif /* NGHTTP2VER_H */

contrib/libs/nghttp2/lib/nghttp2_buf.c

@@ -430,7 +430,7 @@ int nghttp2_bufs_orb_hold(nghttp2_bufs *bufs, uint8_t b) {
   return 0;
 }
 
-ssize_t nghttp2_bufs_remove(nghttp2_bufs *bufs, uint8_t **out) {
+nghttp2_ssize nghttp2_bufs_remove(nghttp2_bufs *bufs, uint8_t **out) {
   size_t len;
   nghttp2_buf_chain *chain;
   nghttp2_buf *buf;
@@ -462,7 +462,7 @@ ssize_t nghttp2_bufs_remove(nghttp2_bufs *bufs, uint8_t **out) {
 
   *out = res;
 
-  return (ssize_t)len;
+  return (nghttp2_ssize)len;
 }
 
 size_t nghttp2_bufs_remove_copy(nghttp2_bufs *bufs, uint8_t *out) {

contrib/libs/nghttp2/lib/nghttp2_buf.h

@@ -349,7 +349,7 @@ int nghttp2_bufs_orb_hold(nghttp2_bufs *bufs, uint8_t b);
  * NGHTTP2_ERR_NOMEM
  *     Out of memory
  */
-ssize_t nghttp2_bufs_remove(nghttp2_bufs *bufs, uint8_t **out);
+nghttp2_ssize nghttp2_bufs_remove(nghttp2_bufs *bufs, uint8_t **out);
 
 /*
  * Copies all data stored in |bufs| to |out|.  This function assumes

contrib/libs/nghttp2/lib/nghttp2_callbacks.c

@@ -45,11 +45,21 @@ void nghttp2_session_callbacks_set_send_callback(
   cbs->send_callback = send_callback;
 }
 
+void nghttp2_session_callbacks_set_send_callback2(
+    nghttp2_session_callbacks *cbs, nghttp2_send_callback2 send_callback) {
+  cbs->send_callback2 = send_callback;
+}
+
 void nghttp2_session_callbacks_set_recv_callback(
     nghttp2_session_callbacks *cbs, nghttp2_recv_callback recv_callback) {
   cbs->recv_callback = recv_callback;
 }
 
+void nghttp2_session_callbacks_set_recv_callback2(
+    nghttp2_session_callbacks *cbs, nghttp2_recv_callback2 recv_callback) {
+  cbs->recv_callback2 = recv_callback;
+}
+
 void nghttp2_session_callbacks_set_on_frame_recv_callback(
     nghttp2_session_callbacks *cbs,
     nghttp2_on_frame_recv_callback on_frame_recv_callback) {
@@ -128,12 +138,24 @@ void nghttp2_session_callbacks_set_select_padding_callback(
   cbs->select_padding_callback = select_padding_callback;
 }
 
+void nghttp2_session_callbacks_set_select_padding_callback2(
+    nghttp2_session_callbacks *cbs,
+    nghttp2_select_padding_callback2 select_padding_callback) {
+  cbs->select_padding_callback2 = select_padding_callback;
+}
+
 void nghttp2_session_callbacks_set_data_source_read_length_callback(
     nghttp2_session_callbacks *cbs,
     nghttp2_data_source_read_length_callback data_source_read_length_callback) {
   cbs->read_length_callback = data_source_read_length_callback;
 }
 
+void nghttp2_session_callbacks_set_data_source_read_length_callback2(
+    nghttp2_session_callbacks *cbs, nghttp2_data_source_read_length_callback2
+                                        data_source_read_length_callback) {
+  cbs->read_length_callback2 = data_source_read_length_callback;
+}
+
 void nghttp2_session_callbacks_set_on_begin_frame_callback(
     nghttp2_session_callbacks *cbs,
     nghttp2_on_begin_frame_callback on_begin_frame_callback) {
@@ -152,6 +174,12 @@ void nghttp2_session_callbacks_set_pack_extension_callback(
   cbs->pack_extension_callback = pack_extension_callback;
 }
 
+void nghttp2_session_callbacks_set_pack_extension_callback2(
+    nghttp2_session_callbacks *cbs,
+    nghttp2_pack_extension_callback2 pack_extension_callback) {
+  cbs->pack_extension_callback2 = pack_extension_callback;
+}
+
 void nghttp2_session_callbacks_set_unpack_extension_callback(
     nghttp2_session_callbacks *cbs,
     nghttp2_unpack_extension_callback unpack_extension_callback) {

contrib/libs/nghttp2/lib/nghttp2_callbacks.h

@@ -35,20 +35,34 @@
  * Callback functions.
  */
 struct nghttp2_session_callbacks {
+  /**
+   * Deprecated.  Use send_callback2 instead.  Callback function
+   * invoked when the session wants to send data to the remote peer.
+   * This callback is not necessary if the application uses solely
+   * `nghttp2_session_mem_send()` to serialize data to transmit.
+   */
+  nghttp2_send_callback send_callback;
   /**
    * Callback function invoked when the session wants to send data to
    * the remote peer.  This callback is not necessary if the
-   * application uses solely `nghttp2_session_mem_send()` to serialize
-   * data to transmit.
+   * application uses solely `nghttp2_session_mem_send2()` to
+   * serialize data to transmit.
    */
-  nghttp2_send_callback send_callback;
+  nghttp2_send_callback2 send_callback2;
+  /**
+   * Deprecated.  Use recv_callback2 instead.  Callback function
+   * invoked when the session wants to receive data from the remote
+   * peer.  This callback is not necessary if the application uses
+   * solely `nghttp2_session_mem_recv()` to process received data.
+   */
+  nghttp2_recv_callback recv_callback;
   /**
    * Callback function invoked when the session wants to receive data
    * from the remote peer.  This callback is not necessary if the
-   * application uses solely `nghttp2_session_mem_recv()` to process
+   * application uses solely `nghttp2_session_mem_recv2()` to process
    * received data.
    */
-  nghttp2_recv_callback recv_callback;
+  nghttp2_recv_callback2 recv_callback2;
   /**
    * Callback function invoked by `nghttp2_session_recv()` when a
    * frame is received.
@@ -99,23 +113,40 @@ struct nghttp2_session_callbacks {
    */
   nghttp2_on_invalid_header_callback on_invalid_header_callback;
   nghttp2_on_invalid_header_callback2 on_invalid_header_callback2;
+  /**
+   * Deprecated.  Use select_padding_callback2 instead.  Callback
+   * function invoked when the library asks application how many
+   * padding bytes are required for the transmission of the given
+   * frame.
+   */
+  nghttp2_select_padding_callback select_padding_callback;
   /**
    * Callback function invoked when the library asks application how
    * many padding bytes are required for the transmission of the given
    * frame.
    */
-  nghttp2_select_padding_callback select_padding_callback;
+  nghttp2_select_padding_callback2 select_padding_callback2;
   /**
-   * The callback function used to determine the length allowed in
+   * Deprecated.  Use read_length_callback2 instead.  The callback
+   * function used to determine the length allowed in
    * `nghttp2_data_source_read_callback()`
    */
   nghttp2_data_source_read_length_callback read_length_callback;
+  /**
+   * The callback function used to determine the length allowed in
+   * `nghttp2_data_source_read_callback2()`
+   */
+  nghttp2_data_source_read_length_callback2 read_length_callback2;
   /**
    * Sets callback function invoked when a frame header is received.
    */
   nghttp2_on_begin_frame_callback on_begin_frame_callback;
   nghttp2_send_data_callback send_data_callback;
+  /**
+   * Deprecated.  Use pack_extension_callback2 instead.
+   */
   nghttp2_pack_extension_callback pack_extension_callback;
+  nghttp2_pack_extension_callback2 pack_extension_callback2;
   nghttp2_unpack_extension_callback unpack_extension_callback;
   nghttp2_on_extension_chunk_recv_callback on_extension_chunk_recv_callback;
   nghttp2_error_callback error_callback;