summaryrefslogtreecommitdiff
path: root/www-servers/h2o
diff options
context:
space:
mode:
Diffstat (limited to 'www-servers/h2o')
-rw-r--r--www-servers/h2o/Manifest4
-rw-r--r--www-servers/h2o/files/h2o-2.2-CVE-2023-44487.patch225
-rw-r--r--www-servers/h2o/h2o-2.2.6-r2.ebuild107
-rw-r--r--www-servers/h2o/h2o-9999.ebuild2
4 files changed, 336 insertions, 2 deletions
diff --git a/www-servers/h2o/Manifest b/www-servers/h2o/Manifest
index ef88eb3f90fc..1e2691053972 100644
--- a/www-servers/h2o/Manifest
+++ b/www-servers/h2o/Manifest
@@ -1,3 +1,4 @@
+AUX h2o-2.2-CVE-2023-44487.patch 10281 BLAKE2B 8de372faab97f790623e3b4c72519b684d1bc104d4cd98d5804b00459f1e16f7f4e248e2decbc2ff07c36c6f3f05c014a5a5e798afed0b2ada9d1afef476e4a9 SHA512 bf858f0ae7126fc0da8f2a2062e698e5e0c14a62f6d109e581c47e58115f0efc31c6a3c91a09343819eda702aa9fe608bfbcc1f9e95237c195a9f51eac31a683
AUX h2o-2.2-libressl.patch 2098 BLAKE2B 18bd0375a4c44ab7d744899cfaaa983ec2d494a9d58f5d358fb2157fc3b919a977a216e22c26aaa9908d8addda27871832f97093bffd4b4faf10e9d95ae51a6d SHA512 0970aa90e07c762ba586f7d071dc5b4183336adb2602c95dcff568124a9bd737aefc9ecc812f6b006edc6e4c4f9cbc664e6af96c7d6f09681f65e8eac552ac7a
AUX h2o-2.2-mruby.patch 2034 BLAKE2B 78ab2c8080c017ae03b33366aed553e8d47581bc04b274adc7a7e18bc79ddb5a95266ce13824a8286d9b52d4432b0895598301bd07aa42b1d7e4cbb4d46d98a9 SHA512 724186190756292ce9589a5aae28fd9ae089e377beccb1a2a6562d3d764777dec820413f31d820f61691a529dbdac0dcb55b2e395e46629b2656496bea9c182a
AUX h2o-2.2-ruby30.patch 2452 BLAKE2B c94318a2493a6e121da571b81cd641021dea43fec30f3d9acf791e697d7daa194d2c4b8120a9281028cbb01a47b8b3ccddb6364f5e0a2004ad4a7d127276e1e1 SHA512 b44c64d5ede422a18df63dac5c9129bbc21b59179b657af09c2a6cc246247d17fee8ad1ecf4d2aec55df855bdfefcc102d07b21d8002023474df5627c9de961d
@@ -8,5 +9,6 @@ AUX h2o.logrotate 230 BLAKE2B 44eeaf3b0e60104d4f87c7110815a30f907a6fd676e75a2068
AUX h2o.service 364 BLAKE2B 9995cde4d79e5998624a2cadfc6ec3e954d4609458cc267628c2fbcb44dccd78277bddc032a784a00445c6b399fafc1ee629920355bf7aa84d26b1010bd103b0 SHA512 475b1e7b616eae335e094451532b0de5aa9cf9abc4999aaa44a9a35c43def4fb060ee5e728409bc33960f8ad3a81e6f549783906ac7ebad5b72cb7422ffb96a2
DIST h2o-2.2.6.tar.gz 16257760 BLAKE2B 8474751ca9832ddae2022710654ca58a93ebf9ca01afe934950209b04357b7548b05c598c49fe92684b2910fd6309d6fc3923a0b01cdeeb4b0dc65b08842255f SHA512 f2f28905c01782a0432c9dfdb2f21054e0a4741ac4c5f26802d4b439d0172840aa215aba5dc7c9af62275dcc24de105674a3819384dc38246e43ce3e8263eb20
EBUILD h2o-2.2.6-r1.ebuild 2257 BLAKE2B 0cbdbc6bb0fc88ae941e78a6c6e6f34f89fa29708d1bb25055bce6495ec546625ff7fda74ebb7d6f4920403a42bb291b7affff8d5ce9d632358efe26a7ce1c9a SHA512 66173eb7f54d5b41e035a7d39dcdaaf15291fee7c25021607ed2adadc882b3c3ac01f6552422af9f62b4d65d850cd419b4e07a6acaa569db7c2f7bf4200472ca
-EBUILD h2o-9999.ebuild 2122 BLAKE2B 1353a3a7bd8a0bd6b52e875fffd6c480540c97a3c39d77ee0af5c2b7624f1b23d391e84e38bd9da0c3a497bfe207312f9282bf592b8c93991d56e1f78215d3fa SHA512 88e6945fee76033780c9c542cd09b8246e92dcca9d75d186fe189b5b04eefac84a22a1196a6960d001774a921589ea97ce1ee3fd37a913b5b940e080a201eddb
+EBUILD h2o-2.2.6-r2.ebuild 2298 BLAKE2B 37567c57d4620266cd1ec628befc74b1c4990814dd7d4b1a63d61d8713672fc26282f8f8fc94c42dd41af6861d4ea9774996bc1f74b69f96a76cfc8f7d547325 SHA512 8411067fbb2554602ee65084ca46d374e87ee203388d7ea2fae485ed0aecbad887eafb62bc6d970d60664b15b904b4b25523609a68f12c2435d1e2f6b285dcf2
+EBUILD h2o-9999.ebuild 2115 BLAKE2B 9ad67a1773bf599d700718d4bf743566b599ccafd1a0c6cd3ccfede2846155c4673fc63d107cb7ad78ef8f50acbc99281e69d0764b21ab7b07a1b9577d49a41f SHA512 b99a88c8a43a5704a8b1ff4e9a08ff9589d2357ce272543bad1759bf6a784619a8f3d3d7bf6b0d102875cd106f6d42a4960179a91b95ba97079be80e12665d77
MISC metadata.xml 665 BLAKE2B 8f3b7754ea54384656357283be7c0e35516579a4f0c8c9e727bef5189390d20de61c43d2c42bc1bcdc311c2670dee5c20a50b2f9354cb1986f8681f3acf86d02 SHA512 10abcf052f63ceba53b5c95a8ff79970c19fc8a094345806cd7fc461a10b1d94ec7b48925709e2fc9980fcd3630731b577e2d879981c240d9dd96cd840bb376c
diff --git a/www-servers/h2o/files/h2o-2.2-CVE-2023-44487.patch b/www-servers/h2o/files/h2o-2.2-CVE-2023-44487.patch
new file mode 100644
index 000000000000..71a511ac9ed2
--- /dev/null
+++ b/www-servers/h2o/files/h2o-2.2-CVE-2023-44487.patch
@@ -0,0 +1,225 @@
+https://github.com/h2o/h2o/pull/3293
+
+From 770208bbe3955c47e005a1e8cb08266e4a8dfc9a Mon Sep 17 00:00:00 2001
+From: Remi Gacogne <remi.gacogne@powerdns.com>
+Date: Tue, 10 Oct 2023 15:47:57 +0200
+Subject: [PATCH] [http2] delay processing requests upon observing suspicious
+ behavior
+
+Backport of 94fbc54b6c9309912fe3d53e7b63408bbe9a1b0d to v2.2.x
+---
+ include/h2o.h | 8 +++++++
+ include/h2o/http2_internal.h | 8 +++++++
+ lib/core/config.c | 1 +
+ lib/core/configurator.c | 9 ++++++++
+ lib/core/context.c | 2 ++
+ lib/http2/connection.c | 41 ++++++++++++++++++++++++++++++++----
+ 6 files changed, 65 insertions(+), 4 deletions(-)
+
+diff --git a/include/h2o.h b/include/h2o.h
+index 57877bd12c..409cd5c21c 100644
+--- a/include/h2o.h
++++ b/include/h2o.h
+@@ -378,6 +378,10 @@ struct st_h2o_globalconf_t {
+ * list of callbacks
+ */
+ h2o_protocol_callbacks_t callbacks;
++ /**
++ * milliseconds to delay processing requests when suspicious behavior is detected
++ */
++ uint64_t dos_delay;
+ } http2;
+
+ struct {
+@@ -590,6 +594,10 @@ struct st_h2o_context_t {
+ * timeout entry used for graceful shutdown
+ */
+ h2o_timeout_entry_t _graceful_shutdown_timeout;
++ /*
++ * dos timeout
++ */
++ h2o_timeout_t dos_delay_timeout;
+ struct {
+ /**
+ * counter for http2 errors internally emitted by h2o
+diff --git a/include/h2o/http2_internal.h b/include/h2o/http2_internal.h
+index 5cfc4d8204..b9cf400929 100644
+--- a/include/h2o/http2_internal.h
++++ b/include/h2o/http2_internal.h
+@@ -179,6 +179,7 @@ struct st_h2o_http2_stream_t {
+ h2o_linklist_t link;
+ h2o_http2_scheduler_openref_t scheduler;
+ } _refs;
++ unsigned reset_by_peer : 1;
+ h2o_send_state_t send_state; /* state of the ostream, only used in push mode */
+ /* placed at last since it is large and has it's own ctor */
+ h2o_req_t req;
+@@ -232,6 +233,13 @@ struct st_h2o_http2_conn_t {
+ } _write;
+ h2o_cache_t *push_memo;
+ h2o_http2_casper_t *casper;
++ /**
++ * DoS mitigation; the idea here is to delay processing requests when observing suspicious behavior
++ */
++ struct {
++ h2o_timeout_entry_t process_delay;
++ size_t reset_budget; /* RST_STREAM frames are considered suspicious when this value goes down to zero */
++ } dos_mitigation;
+ };
+
+ int h2o_http2_update_peer_settings(h2o_http2_settings_t *settings, const uint8_t *src, size_t len, const char **err_desc);
+diff --git a/lib/core/config.c b/lib/core/config.c
+index ce1d320183..08e43a6d30 100644
+--- a/lib/core/config.c
++++ b/lib/core/config.c
+@@ -189,6 +189,7 @@ void h2o_config_init(h2o_globalconf_t *config)
+ config->http2.latency_optimization.min_rtt = 50; // milliseconds
+ config->http2.latency_optimization.max_additional_delay = 10;
+ config->http2.latency_optimization.max_cwnd = 65535;
++ config->http2.dos_delay = 100; /* 100ms processing delay when observing suspicious behavior */
+ config->http2.callbacks = H2O_HTTP2_CALLBACKS;
+ config->mimemap = h2o_mimemap_create();
+
+diff --git a/lib/core/configurator.c b/lib/core/configurator.c
+index 891770cc2d..4731ba2707 100644
+--- a/lib/core/configurator.c
++++ b/lib/core/configurator.c
+@@ -531,6 +531,12 @@ static int on_config_http2_casper(h2o_configurator_command_t *cmd, h2o_configura
+ return 0;
+ }
+
++
++static int on_config_http2_dos_delay(h2o_configurator_command_t *cmd, h2o_configurator_context_t *ctx, yoml_t *node)
++{
++ return config_timeout(cmd, node, &ctx->globalconf->http2.dos_delay);
++}
++
+ static int assert_is_mimetype(h2o_configurator_command_t *cmd, yoml_t *node)
+ {
+ if (node->type != YOML_TYPE_SCALAR) {
+@@ -910,6 +916,9 @@ void h2o_configurator__init_core(h2o_globalconf_t *conf)
+ on_config_http2_push_preload);
+ h2o_configurator_define_command(&c->super, "http2-casper", H2O_CONFIGURATOR_FLAG_GLOBAL | H2O_CONFIGURATOR_FLAG_HOST,
+ on_config_http2_casper);
++ h2o_configurator_define_command(&c->super, "http2-dos-delay",
++ H2O_CONFIGURATOR_FLAG_GLOBAL | H2O_CONFIGURATOR_FLAG_EXPECT_SCALAR,
++ on_config_http2_dos_delay);
+ h2o_configurator_define_command(&c->super, "file.mime.settypes",
+ (H2O_CONFIGURATOR_FLAG_ALL_LEVELS & ~H2O_CONFIGURATOR_FLAG_EXTENSION) |
+ H2O_CONFIGURATOR_FLAG_EXPECT_MAPPING,
+diff --git a/lib/core/context.c b/lib/core/context.c
+index 8d11013810..ac4b0aaf08 100644
+--- a/lib/core/context.c
++++ b/lib/core/context.c
+@@ -101,6 +101,7 @@ void h2o_context_init(h2o_context_t *ctx, h2o_loop_t *loop, h2o_globalconf_t *co
+ h2o_linklist_init_anchor(&ctx->http1._conns);
+ h2o_timeout_init(ctx->loop, &ctx->http2.idle_timeout, config->http2.idle_timeout);
+ h2o_timeout_init(ctx->loop, &ctx->http2.graceful_shutdown_timeout, config->http2.graceful_shutdown_timeout);
++ h2o_timeout_init(ctx->loop, &ctx->http2.dos_delay_timeout, config->http2.dos_delay);
+ h2o_linklist_init_anchor(&ctx->http2._conns);
+ ctx->proxy.client_ctx.loop = loop;
+ h2o_timeout_init(ctx->loop, &ctx->proxy.io_timeout, config->proxy.io_timeout);
+@@ -146,6 +147,7 @@ void h2o_context_dispose(h2o_context_t *ctx)
+ h2o_timeout_dispose(ctx->loop, &ctx->http1.req_timeout);
+ h2o_timeout_dispose(ctx->loop, &ctx->http2.idle_timeout);
+ h2o_timeout_dispose(ctx->loop, &ctx->http2.graceful_shutdown_timeout);
++ h2o_timeout_dispose(ctx->loop, &ctx->http2.dos_delay_timeout);
+ h2o_timeout_dispose(ctx->loop, &ctx->proxy.io_timeout);
+ /* what should we do here? assert(!h2o_linklist_is_empty(&ctx->http2._conns); */
+
+diff --git a/lib/http2/connection.c b/lib/http2/connection.c
+index e2da293043..4910e33098 100644
+--- a/lib/http2/connection.c
++++ b/lib/http2/connection.c
+@@ -161,7 +161,6 @@ static void update_idle_timeout(h2o_http2_conn_t *conn)
+ h2o_timeout_unlink(&conn->_timeout_entry);
+
+ if (conn->num_streams.pull.half_closed + conn->num_streams.push.half_closed == 0) {
+- assert(h2o_linklist_is_empty(&conn->_pending_reqs));
+ conn->_timeout_entry.cb = on_idle_timeout;
+ h2o_timeout_link(conn->super.ctx->loop, &conn->super.ctx->http2.idle_timeout, &conn->_timeout_entry);
+ }
+@@ -175,6 +174,9 @@ static int can_run_requests(h2o_http2_conn_t *conn)
+
+ static void run_pending_requests(h2o_http2_conn_t *conn)
+ {
++ if (h2o_timeout_is_linked(&conn->dos_mitigation.process_delay))
++ return;
++
+ while (!h2o_linklist_is_empty(&conn->_pending_reqs) && can_run_requests(conn)) {
+ /* fetch and detach a pending stream */
+ h2o_http2_stream_t *stream = H2O_STRUCT_FROM_MEMBER(h2o_http2_stream_t, _refs.link, conn->_pending_reqs.next);
+@@ -226,6 +228,16 @@ void h2o_http2_conn_unregister_stream(h2o_http2_conn_t *conn, h2o_http2_stream_t
+ assert(h2o_http2_scheduler_is_open(&stream->_refs.scheduler));
+ h2o_http2_scheduler_close(&stream->_refs.scheduler);
+
++ /* Decrement reset_budget if the stream was reset by peer, otherwise increment. By doing so, we penalize connections that
++ * generate resets for >50% of requests. */
++ if (stream->reset_by_peer) {
++ if (conn->dos_mitigation.reset_budget > 0)
++ --conn->dos_mitigation.reset_budget;
++ } else {
++ if (conn->dos_mitigation.reset_budget < conn->super.ctx->globalconf->http2.max_concurrent_requests_per_connection)
++ ++conn->dos_mitigation.reset_budget;
++ }
++
+ switch (stream->state) {
+ case H2O_HTTP2_STREAM_STATE_IDLE:
+ case H2O_HTTP2_STREAM_STATE_RECV_HEADERS:
+@@ -272,6 +284,8 @@ void close_connection_now(h2o_http2_conn_t *conn)
+ h2o_hpack_dispose_header_table(&conn->_output_header_table);
+ assert(h2o_linklist_is_empty(&conn->_pending_reqs));
+ h2o_timeout_unlink(&conn->_timeout_entry);
++ if (h2o_timeout_is_linked(&conn->dos_mitigation.process_delay))
++ h2o_timeout_unlink(&conn->dos_mitigation.process_delay);
+ h2o_buffer_dispose(&conn->_write.buf);
+ if (conn->_write.buf_in_flight != NULL)
+ h2o_buffer_dispose(&conn->_write.buf_in_flight);
+@@ -797,11 +811,19 @@ static int handle_rst_stream_frame(h2o_http2_conn_t *conn, h2o_http2_frame_t *fr
+ return H2O_HTTP2_ERROR_PROTOCOL;
+ }
+
+- stream = h2o_http2_conn_get_stream(conn, frame->stream_id);
+- if (stream != NULL) {
++ if ((stream = h2o_http2_conn_get_stream(conn, frame->stream_id)) == NULL)
++ return 0;
++
+ /* reset the stream */
++ stream->reset_by_peer = 1;
+ h2o_http2_stream_reset(conn, stream);
+- }
++
++ /* setup process delay if we've just ran out of reset budget */
++ if (conn->dos_mitigation.reset_budget == 0 && conn->super.ctx->globalconf->http2.dos_delay != 0 &&
++ !h2o_timeout_is_linked(&conn->dos_mitigation.process_delay))
++ h2o_timeout_link(conn->super.ctx->loop, &conn->super.ctx->http2.dos_delay_timeout,
++ &conn->dos_mitigation.process_delay);
++
+ /* TODO log */
+
+ return 0;
+@@ -1204,6 +1226,14 @@ static h2o_iovec_t log_priority_actual_weight(h2o_req_t *req)
+ return h2o_iovec_init(s, len);
+ }
+
++static void on_dos_process_delay(h2o_timeout_entry_t *timer)
++{
++ h2o_http2_conn_t *conn = H2O_STRUCT_FROM_MEMBER(h2o_http2_conn_t, dos_mitigation.process_delay, timer);
++
++ assert(!h2o_timeout_is_linked(&conn->dos_mitigation.process_delay));
++ run_pending_requests(conn);
++}
++
+ static h2o_http2_conn_t *create_conn(h2o_context_t *ctx, h2o_hostconf_t **hosts, h2o_socket_t *sock, struct timeval connected_at)
+ {
+ static const h2o_conn_callbacks_t callbacks = {
+@@ -1240,6 +1270,9 @@ static h2o_http2_conn_t *create_conn(h2o_context_t *ctx, h2o_hostconf_t **hosts,
+ conn->_write.timeout_entry.cb = emit_writereq;
+ h2o_http2_window_init(&conn->_write.window, &conn->peer_settings);
+
++ conn->dos_mitigation.process_delay.cb = on_dos_process_delay;
++ conn->dos_mitigation.reset_budget = conn->super.ctx->globalconf->http2.max_concurrent_requests_per_connection;
++
+ return conn;
+ }
+
diff --git a/www-servers/h2o/h2o-2.2.6-r2.ebuild b/www-servers/h2o/h2o-2.2.6-r2.ebuild
new file mode 100644
index 000000000000..36b649162128
--- /dev/null
+++ b/www-servers/h2o/h2o-2.2.6-r2.ebuild
@@ -0,0 +1,107 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="8"
+CMAKE_MAKEFILE_GENERATOR="emake"
+SSL_DEPS_SKIP=1
+USE_RUBY="ruby31 ruby32"
+
+inherit cmake ruby-single ssl-cert systemd toolchain-funcs
+
+DESCRIPTION="H2O - the optimized HTTP/1, HTTP/2 server"
+HOMEPAGE="https://h2o.examp1e.net/"
+SRC_URI="https://github.com/${PN}/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="libh2o +mruby"
+
+RDEPEND="acct-group/h2o
+ acct-user/h2o
+ dev-lang/perl
+ dev-libs/openssl:0=
+ !sci-libs/libh2o
+ sys-libs/zlib
+ libh2o? ( dev-libs/libuv )"
+DEPEND="${RDEPEND}
+ mruby? (
+ ${RUBY_DEPS}
+ || (
+ dev-libs/onigmo
+ dev-libs/oniguruma
+ )
+ )"
+BDEPEND="libh2o? ( virtual/pkgconfig )
+ mruby? (
+ sys-devel/bison
+ virtual/pkgconfig
+ )"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.2-libressl.patch #903001
+ "${FILESDIR}"/${PN}-2.2-mruby.patch
+ "${FILESDIR}"/${PN}-2.2-ruby30.patch
+ "${FILESDIR}"/${PN}-2.2-CVE-2023-44487.patch
+)
+
+src_prepare() {
+ cmake_src_prepare
+
+ local ruby="ruby"
+ if use mruby; then
+ for ruby in ${RUBY_TARGETS_PREFERENCE}; do
+ if has_version dev-lang/ruby:${ruby:4:1}.${ruby:5}; then
+ break
+ fi
+ ruby=
+ done
+ [[ -z ${ruby} ]] && die "no suitable ruby version found"
+ fi
+
+ sed -i \
+ -e "/INSTALL/s:\(/doc/${PN}\) :\1/html :" \
+ -e "/INSTALL/s:\(/doc\)/${PN}:\1/${PF}:" \
+ -e "s: ruby: ${ruby}:" \
+ CMakeLists.txt
+
+ sed -i "s:pkg-config:$(tc-getPKG_CONFIG):g" deps/mruby/lib/mruby/gem.rb
+ tc-export CC
+ export LD="$(tc-getCC)"
+}
+
+src_configure() {
+ local mycmakeargs=(
+ -DCMAKE_INSTALL_SYSCONFDIR="${EPREFIX}"/etc/${PN}
+ -DWITH_MRUBY=$(usex mruby)
+ -DWITHOUT_LIBS=$(usex !libh2o)
+ -DBUILD_SHARED_LIBS=$(usex libh2o)
+ )
+ cmake_src_configure
+}
+
+src_install() {
+ cmake_src_install
+
+ keepdir /var/www/localhost/htdocs
+
+ insinto /etc/${PN}
+ doins "${FILESDIR}"/${PN}.conf
+
+ newinitd "${FILESDIR}"/${PN}.initd ${PN}
+ systemd_dounit "${FILESDIR}"/${PN}.service
+
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}"/${PN}.logrotate ${PN}
+
+ keepdir /var/log/${PN}
+ fowners ${PN}:${PN} /var/log/${PN}
+ fperms 0750 /var/log/${PN}
+}
+
+pkg_postinst() {
+ if [[ ! -f "${EROOT}"/etc/ssl/${PN}/server.key ]]; then
+ install_cert /etc/ssl/${PN}/server
+ chown ${PN}:${PN} "${EROOT}"/etc/ssl/${PN}/server.*
+ fi
+}
diff --git a/www-servers/h2o/h2o-9999.ebuild b/www-servers/h2o/h2o-9999.ebuild
index c66917cd3a44..5d8a81f064f1 100644
--- a/www-servers/h2o/h2o-9999.ebuild
+++ b/www-servers/h2o/h2o-9999.ebuild
@@ -3,7 +3,7 @@
EAPI="8"
SSL_DEPS_SKIP=1
-USE_RUBY="ruby27 ruby30 ruby31"
+USE_RUBY="ruby31 ruby32"
inherit cmake git-r3 ruby-single ssl-cert systemd toolchain-funcs