Merge pull request #2581 from nghttp2/src-variant-sockaddr

src: Rewrite Address with std::variant

.clang-format

@@ -3,41 +3,96 @@ Language:        Cpp
 AccessModifierOffset: -2
 AlignAfterOpenBracket: Align
 AlignArrayOfStructures: None
-AlignConsecutiveMacros: None
-AlignConsecutiveAssignments: None
-AlignConsecutiveBitFields: None
-AlignConsecutiveDeclarations: None
+AlignConsecutiveAssignments:
+  Enabled:         false
+  AcrossEmptyLines: false
+  AcrossComments:  false
+  AlignCompound:   false
+  AlignFunctionPointers: false
+  PadOperators:    true
+AlignConsecutiveBitFields:
+  Enabled:         false
+  AcrossEmptyLines: false
+  AcrossComments:  false
+  AlignCompound:   false
+  AlignFunctionPointers: false
+  PadOperators:    true
+AlignConsecutiveDeclarations:
+  Enabled:         false
+  AcrossEmptyLines: false
+  AcrossComments:  false
+  AlignCompound:   false
+  AlignFunctionPointers: false
+  PadOperators:    true
+AlignConsecutiveMacros:
+  Enabled:         false
+  AcrossEmptyLines: false
+  AcrossComments:  false
+  AlignCompound:   false
+  AlignFunctionPointers: false
+  PadOperators:    true
+AlignConsecutiveShortCaseStatements:
+  Enabled:         false
+  AcrossEmptyLines: false
+  AcrossComments:  false
+  AlignCaseArrows: false
+  AlignCaseColons: false
+AlignConsecutiveTableGenBreakingDAGArgColons:
+  Enabled:         false
+  AcrossEmptyLines: false
+  AcrossComments:  false
+  AlignCompound:   false
+  AlignFunctionPointers: false
+  PadOperators:    false
+AlignConsecutiveTableGenCondOperatorColons:
+  Enabled:         false
+  AcrossEmptyLines: false
+  AcrossComments:  false
+  AlignCompound:   false
+  AlignFunctionPointers: false
+  PadOperators:    false
+AlignConsecutiveTableGenDefinitionColons:
+  Enabled:         false
+  AcrossEmptyLines: false
+  AcrossComments:  false
+  AlignCompound:   false
+  AlignFunctionPointers: false
+  PadOperators:    false
 AlignEscapedNewlines: Right
 AlignOperands:   Align
-AlignTrailingComments: true
+AlignTrailingComments:
+  Kind:            Always
+  OverEmptyLines:  0
 AllowAllArgumentsOnNextLine: true
 AllowAllParametersOfDeclarationOnNextLine: true
-AllowShortEnumsOnASingleLine: true
+AllowBreakBeforeNoexceptSpecifier: Never
 AllowShortBlocksOnASingleLine: Never
+AllowShortCaseExpressionOnASingleLine: true
 AllowShortCaseLabelsOnASingleLine: false
+AllowShortCompoundRequirementOnASingleLine: true
+AllowShortEnumsOnASingleLine: true
 AllowShortFunctionsOnASingleLine: All
-AllowShortLambdasOnASingleLine: All
 AllowShortIfStatementsOnASingleLine: Never
+AllowShortLambdasOnASingleLine: All
 AllowShortLoopsOnASingleLine: false
 AlwaysBreakAfterDefinitionReturnType: None
-AlwaysBreakAfterReturnType: None
 AlwaysBreakBeforeMultilineStrings: false
-AlwaysBreakTemplateDeclarations: MultiLine
 AttributeMacros:
   - __capability
 BinPackArguments: true
 BinPackParameters: true
+BitFieldColonSpacing: Both
 BraceWrapping:
   AfterCaseLabel:  false
   AfterClass:      false
   AfterControlStatement: Never
   AfterEnum:       false
+  AfterExternBlock: false
   AfterFunction:   false
   AfterNamespace:  false
   AfterObjCDeclaration: false
   AfterStruct:     false
   AfterUnion:      false
-  AfterExternBlock: false
   BeforeCatch:     false
   BeforeElse:      false
   BeforeLambdaBody: false
@@ -46,33 +101,32 @@ BraceWrapping:
   SplitEmptyFunction: true
   SplitEmptyRecord: true
   SplitEmptyNamespace: true
-BreakBeforeBinaryOperators: None
-BreakBeforeConceptDeclarations: true
-BreakBeforeBraces: Attach
-BreakBeforeInheritanceComma: false
-BreakInheritanceList: BeforeColon
-BreakBeforeTernaryOperators: true
-BreakConstructorInitializersBeforeComma: false
-BreakConstructorInitializers: BeforeColon
+BreakAdjacentStringLiterals: true
+BreakAfterAttributes: Leave
 BreakAfterJavaFieldAnnotations: false
+BreakAfterReturnType: None
+BreakArrays:     true
+BreakBeforeBinaryOperators: None
+BreakBeforeConceptDeclarations: Always
+BreakBeforeBraces: Attach
+BreakBeforeInlineASMColon: OnlyMultiline
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializers: BeforeColon
+BreakFunctionDefinitionParameters: false
+BreakInheritanceList: BeforeColon
 BreakStringLiterals: true
+BreakTemplateDeclarations: MultiLine
 ColumnLimit:     80
 CommentPragmas:  '^ IWYU pragma:'
-QualifierAlignment: Leave
 CompactNamespaces: false
-ConstructorInitializerIndentWidth: 4
-ContinuationIndentWidth: 4
+ConstructorInitializerIndentWidth: 2
+ContinuationIndentWidth: 2
 Cpp11BracedListStyle: true
-DeriveLineEnding: true
 DerivePointerAlignment: false
 DisableFormat:   false
 EmptyLineAfterAccessModifier: Never
 EmptyLineBeforeAccessModifier: LogicalBlock
 ExperimentalAutoDetectBinPacking: false
-PackConstructorInitializers: NextLine
-BasedOnStyle:    ''
-ConstructorInitializerAllOnOneLineOrOnePerLine: false
-AllowAllConstructorInitializersOnNextLine: true
 FixNamespaceComments: true
 ForEachMacros:
   - foreach
@@ -97,21 +151,35 @@ IncludeCategories:
 IncludeIsMainRegex: '$'
 IncludeIsMainSourceRegex: ''
 IndentAccessModifiers: false
-IndentCaseLabels: false
 IndentCaseBlocks: false
+IndentCaseLabels: false
+IndentExternBlock: AfterExternBlock
 IndentGotoLabels: true
 IndentPPDirectives: AfterHash
-IndentExternBlock: AfterExternBlock
-IndentRequires:  false
+IndentRequiresClause: false
 IndentWidth:     2
 IndentWrappedFunctionNames: false
+InsertBraces:    false
+InsertNewlineAtEOF: false
 InsertTrailingCommas: None
+IntegerLiteralSeparator:
+  Binary:          0
+  BinaryMinDigits: 0
+  Decimal:         0
+  DecimalMinDigits: 0
+  Hex:             0
+  HexMinDigits:    0
 JavaScriptQuotes: Leave
 JavaScriptWrapImports: true
-KeepEmptyLinesAtTheStartOfBlocks: true
+KeepEmptyLines:
+  AtEndOfFile:     false
+  AtStartOfBlock:  false
+  AtStartOfFile:   true
 LambdaBodyIndentation: Signature
+LineEnding:      DeriveLF
 MacroBlockBegin: ''
 MacroBlockEnd:   ''
+MainIncludeChar: Quote
 MaxEmptyLinesToKeep: 1
 NamespaceIndentation: None
 ObjCBinPackProtocolList: Auto
@@ -119,34 +187,44 @@ ObjCBlockIndentWidth: 2
 ObjCBreakBeforeNestedBlockParam: true
 ObjCSpaceAfterProperty: false
 ObjCSpaceBeforeProtocolList: true
+PackConstructorInitializers: NextLine
 PenaltyBreakAssignment: 2
 PenaltyBreakBeforeFirstCallParameter: 19
 PenaltyBreakComment: 300
 PenaltyBreakFirstLessLess: 120
 PenaltyBreakOpenParenthesis: 0
+PenaltyBreakScopeResolution: 500
 PenaltyBreakString: 1000
 PenaltyBreakTemplateDeclaration: 10
 PenaltyExcessCharacter: 1000000
-PenaltyReturnTypeOnItsOwnLine: 60
 PenaltyIndentedWhitespace: 0
+PenaltyReturnTypeOnItsOwnLine: 60
 PointerAlignment: Right
 PPIndentWidth:   -1
+QualifierAlignment: Leave
 ReferenceAlignment: Pointer
 ReflowComments:  true
 RemoveBracesLLVM: false
+RemoveParentheses: Leave
+RemoveSemicolon: false
+RequiresClausePosition: OwnLine
+RequiresExpressionIndentation: OuterScope
 SeparateDefinitionBlocks: Leave
 ShortNamespaceLines: 1
+SkipMacroDefinitionBody: false
 SortIncludes:    Never
 SortJavaStaticImport: Before
-SortUsingDeclarations: true
+SortUsingDeclarations: LexicographicNumeric
 SpaceAfterCStyleCast: false
 SpaceAfterLogicalNot: false
 SpaceAfterTemplateKeyword: true
+SpaceAroundPointerQualifiers: Default
 SpaceBeforeAssignmentOperators: true
 SpaceBeforeCaseColon: false
 SpaceBeforeCpp11BracedList: false
 SpaceBeforeCtorInitializerColon: true
 SpaceBeforeInheritanceColon: true
+SpaceBeforeJsonColon: false
 SpaceBeforeParens: ControlStatements
 SpaceBeforeParensOptions:
   AfterControlStatements: true
@@ -155,32 +233,40 @@ SpaceBeforeParensOptions:
   AfterFunctionDeclarationName: false
   AfterIfMacros:   true
   AfterOverloadedOperator: false
+  AfterPlacementOperator: true
+  AfterRequiresInClause: false
+  AfterRequiresInExpression: false
   BeforeNonEmptyParentheses: false
-SpaceAroundPointerQualifiers: Default
 SpaceBeforeRangeBasedForLoopColon: true
+SpaceBeforeSquareBrackets: false
 SpaceInEmptyBlock: false
-SpaceInEmptyParentheses: false
 SpacesBeforeTrailingComments: 1
 SpacesInAngles:  Never
-SpacesInConditionalStatement: false
 SpacesInContainerLiterals: true
-SpacesInCStyleCastParentheses: false
 SpacesInLineCommentPrefix:
   Minimum:         1
   Maximum:         -1
-SpacesInParentheses: false
+SpacesInParens:  Never
+SpacesInParensOptions:
+  ExceptDoubleParentheses: false
+  InCStyleCasts:   false
+  InConditionalStatements: false
+  InEmptyParentheses: false
+  Other:           false
 SpacesInSquareBrackets: false
-SpaceBeforeSquareBrackets: false
-BitFieldColonSpacing: Both
 Standard:        Latest
 StatementAttributeLikeMacros:
   - Q_EMIT
 StatementMacros:
   - Q_UNUSED
   - QT_REQUIRE_VERSION
+  - munit_void_test_decl
+  - nghttp2_max_def
+  - nghttp2_min_def
+TableGenBreakInsideDAGArg: DontBreak
 TabWidth:        8
-UseCRLF:         false
 UseTab:          Never
+VerilogBreakBetweenInstancePorts: true
 WhitespaceSensitiveMacros:
   - STRINGIZE
   - PP_STRINGIZE

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "weekly"
+- package-ecosystem: "gomod"
+  directory: "/"
+  schedule:
+    interval: "weekly"

.github/workflows/android.yml

@@ -0,0 +1,24 @@
+name: android
+
+on:
+  push:
+    paths:
+    - Dockerfile.android
+    - .github/workflows/android.yml
+    branches:
+    - '**'
+
+permissions: read-all
+
+jobs:
+  build:
+    runs-on: ubuntu-24.04
+
+    steps:
+    - uses: actions/checkout@v6
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+    - name: Build
+      uses: docker/build-push-action@v6
+      with:
+        file: Dockerfile.android

.github/workflows/build.yml

@@ -4,76 +4,100 @@ on: [push, pull_request]
 
 permissions: read-all
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
 env:
-  LIBBPF_VERSION: v1.2.0
-  OPENSSL1_VERSION: 1_1_1u+quic
-  OPENSSL3_VERSION: 3.1.0+quic
-  BORINGSSL_VERSION: 80dcb67d4481fb1194b9669917e35580c32dc388
-  NGHTTP3_VERSION: v0.13.0
-  NGTCP2_VERSION: v0.17.0
+  LIBBPF_VERSION: v1.6.2
+  OPENSSL1_VERSION: 1_1_1w+quic
+  OPENSSL3_VERSION: 3.6.0
+  BORINGSSL_VERSION: 9b86817b23dfbf6e0837df8862a4112c51b4ea3b
+  AWSLC_VERSION: v1.64.0
+  NGHTTP3_VERSION: v1.13.1
+  NGTCP2_VERSION: v1.18.0
+  WOLFSSL_VERSION: v5.8.4-stable
 
 jobs:
   build-cache:
     strategy:
       matrix:
-        os: [ubuntu-22.04, macos-12]
+        os: [ubuntu-24.04, ubuntu-24.04-arm, macos-14, macos-15]
 
     runs-on: ${{ matrix.os }}
 
     steps:
-    - uses: actions/checkout@v3
+    - name: Checkout
+      uses: actions/checkout@v6
     - name: Restore libbpf cache
       id: cache-libbpf
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       if: runner.os == 'Linux'
       with:
         path: libbpf/build
-        key: ${{ runner.os }}-libbpf-${{ env.LIBBPF_VERSION }}
+        key: ${{ matrix.os }}-libbpf-${{ env.LIBBPF_VERSION }}
     - name: Restore OpenSSL v1.1.1 cache
       id: cache-openssl1
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: openssl1/build
-        key: ${{ runner.os }}-openssl-${{ env.OPENSSL1_VERSION }}
+        key: ${{ matrix.os }}-openssl-${{ env.OPENSSL1_VERSION }}
     - name: Restore OpenSSL v3.x cache
       id: cache-openssl3
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: openssl3/build
-        key: ${{ runner.os }}-openssl-${{ env.OPENSSL3_VERSION }}
+        key: ${{ matrix.os }}-openssl-${{ env.OPENSSL3_VERSION }}
     - name: Restore BoringSSL cache
       id: cache-boringssl
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: |
-          boringssl/build/crypto/libcrypto.a
-          boringssl/build/ssl/libssl.a
+          boringssl/build/libcrypto.a
+          boringssl/build/libssl.a
           boringssl/include
-        key: ${{ runner.os }}-boringssl-${{ env.BORINGSSL_VERSION }}
+        key: ${{ matrix.os }}-boringssl-${{ env.BORINGSSL_VERSION }}
+    - name: Restore aws-lc cache
+      id: cache-awslc
+      uses: actions/cache@v4
+      with:
+        path: |
+          aws-lc/build/crypto/libcrypto.a
+          aws-lc/build/ssl/libssl.a
+          aws-lc/include
+        key: ${{ matrix.os }}-awslc-${{ env.AWSLC_VERSION }}
+    - name: Restore wolfSSL cache
+      id: cache-wolfssl
+      uses: actions/cache@v4
+      with:
+        path: wolfssl/build
+        key: ${{ matrix.os }}-wolfssl-${{ env.WOLFSSL_VERSION }}
     - name: Restore nghttp3 cache
       id: cache-nghttp3
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: nghttp3/build
-        key: ${{ runner.os }}-nghttp3-${{ env.NGHTTP3_VERSION }}
+        key: ${{ matrix.os }}-nghttp3-${{ env.NGHTTP3_VERSION }}
     - name: Restore ngtcp2 + quictls/openssl v1.1.1 cache
       id: cache-ngtcp2-openssl1
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ngtcp2-openssl1/build
-        key: ${{ runner.os }}-ngtcp2-${{ env.NGTCP2_VERSION }}-openssl-${{ env.OPENSSL1_VERSION }}
+        key: ${{ matrix.os }}-ngtcp2-${{ env.NGTCP2_VERSION }}-openssl-${{ env.OPENSSL1_VERSION }}
     - name: Restore ngtcp2 + quictls/openssl v3.x cache
       id: cache-ngtcp2-openssl3
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ngtcp2-openssl3/build
-        key: ${{ runner.os }}-ngtcp2-${{ env.NGTCP2_VERSION }}-openssl-${{ env.OPENSSL3_VERSION }}
+        key: ${{ matrix.os }}-ngtcp2-${{ env.NGTCP2_VERSION }}-openssl-${{ env.OPENSSL3_VERSION }}
     - id: settings
       if: |
         (steps.cache-libbpf.outputs.cache-hit != 'true' && runner.os == 'Linux') ||
         steps.cache-openssl1.outputs.cache-hit != 'true' ||
         steps.cache-openssl3.outputs.cache-hit != 'true' ||
         steps.cache-boringssl.outputs.cache-hit != 'true' ||
+        steps.cache-awslc.outputs.cache-hit != 'true' ||
+        steps.cache-wolfssl.outputs.cache-hit != 'true' ||
         steps.cache-nghttp3.outputs.cache-hit != 'true' ||
         steps.cache-ngtcp2-openssl1.outputs.cache-hit != 'true' ||
         steps.cache-ngtcp2-openssl3.outputs.cache-hit != 'true'
@@ -82,9 +106,8 @@ jobs:
     - name: Linux setup
       if: runner.os == 'Linux' && steps.settings.outputs.needs-build == 'true'
       run: |
+        sudo apt-get update
         sudo apt-get install \
-          g++-12 \
-          clang-14 \
           autoconf \
           automake \
           autotools-dev \
@@ -99,72 +122,95 @@ jobs:
         brew install \
           autoconf \
           automake \
-          pkg-config \
           libtool
     - name: Build libbpf
       if: steps.cache-libbpf.outputs.cache-hit != 'true' && runner.os == 'Linux'
       run: |
-        git clone -b ${{ env.LIBBPF_VERSION }} https://github.com/libbpf/libbpf
+        git clone --recursive --shallow-submodules -b ${{ env.LIBBPF_VERSION }} https://github.com/libbpf/libbpf
         cd libbpf
         make -C src install PREFIX=$PWD/build
     - name: Build quictls/openssl v1.1.1
       if: steps.cache-openssl1.outputs.cache-hit != 'true'
       run: |
-        git clone --depth 1 -b OpenSSL_${{ env.OPENSSL1_VERSION }} https://github.com/quictls/openssl openssl1
+        git clone --recursive --shallow-submodules --depth 1 -b OpenSSL_${{ env.OPENSSL1_VERSION }} https://github.com/quictls/openssl openssl1
         cd openssl1
         ./config --prefix=$PWD/build
         make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)"
         make install_sw
-    - name: Build quictls/openssl v3.x
+    - name: Build openssl/openssl v3.x
       if: steps.cache-openssl3.outputs.cache-hit != 'true'
       run: |
-        git clone --depth 1 -b openssl-${{ env.OPENSSL3_VERSION }} https://github.com/quictls/openssl openssl3
+        git clone --recursive --shallow-submodules --depth 1 -b openssl-${{ env.OPENSSL3_VERSION }} https://github.com/openssl/openssl openssl3
         cd openssl3
-        ./config enable-ktls --prefix=$PWD/build --libdir=$PWD/build/lib
+        ./config enable-ktls --prefix=$PWD/build
         make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)"
         make install_sw
     - name: Build BoringSSL
       if: steps.cache-boringssl.outputs.cache-hit != 'true'
       run: |
-        git clone https://boringssl.googlesource.com/boringssl
+        mkdir boringssl
         cd boringssl
+        git init
+        git remote add origin https://boringssl.googlesource.com/boringssl
+        git fetch origin --depth 1 ${{ env.BORINGSSL_VERSION }}
         git checkout ${{ env.BORINGSSL_VERSION }}
         mkdir build
         cd build
         cmake -DCMAKE_POSITION_INDEPENDENT_CODE=ON ..
         make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)"
+    - name: Build aws-lc
+      if: steps.cache-awslc.outputs.cache-hit != 'true'
+      run: |
+        git clone --recursive --shallow-submodules --depth 1 -b "${AWSLC_VERSION}" https://github.com/aws/aws-lc
+        cd aws-lc
+        cmake -B build -DDISABLE_GO=ON
+        make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)" -C build
+    - name: Build wolfSSL
+      if: steps.cache-wolfssl.outputs.cache-hit != 'true'
+      run: |
+        git clone --depth 1 -b ${{ env.WOLFSSL_VERSION }} https://github.com/wolfSSL/wolfssl
+        cd wolfssl
+        autoreconf -i
+        ./configure --disable-dependency-tracking --prefix=$PWD/build \
+          --enable-all --enable-harden --disable-ech
+        make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)"
+        make install
     - name: Build nghttp3
       if: steps.cache-nghttp3.outputs.cache-hit != 'true'
       run: |
-        git clone --depth 1 -b ${{ env.NGHTTP3_VERSION}} https://github.com/ngtcp2/nghttp3
+        git clone --recursive --shallow-submodules --depth 1 -b ${{ env.NGHTTP3_VERSION}} https://github.com/ngtcp2/nghttp3
         cd nghttp3
         autoreconf -i
-        ./configure --prefix=$PWD/build --enable-lib-only
+        ./configure --disable-dependency-tracking --prefix=$PWD/build \
+          --enable-lib-only
         make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)" check
         make install
-    - name: Build ngtcp2 + quictls/openssl v1.1.1
+    - name: Build ngtcp2 + quictls/openssl v1.1.1 + BoringSSL
       if: steps.cache-ngtcp2-openssl1.outputs.cache-hit != 'true'
       run: |
-        git clone --depth 1 -b ${{ env.NGTCP2_VERSION }} https://github.com/ngtcp2/ngtcp2 ngtcp2-openssl1
+        git clone --recursive --shallow-submodules --depth 1 -b ${{ env.NGTCP2_VERSION }} https://github.com/ngtcp2/ngtcp2 ngtcp2-openssl1
         cd ngtcp2-openssl1
         autoreconf -i
         ./configure --prefix=$PWD/build --enable-lib-only \
-          PKG_CONFIG_PATH="../openssl1/build/lib/pkgconfig" \
+          PKG_CONFIG_PATH="../openssl1/build/lib/pkgconfig:../wolfssl/build/lib/pkgconfig" \
           BORINGSSL_CFLAGS="-I$PWD/../boringssl/include/" \
-          BORINGSSL_LIBS="-L$PWD/../boringssl/build/ssl -lssl -L$PWD/../boringssl/build/crypto -lcrypto" \
-          --with-boringssl
+          BORINGSSL_LIBS="-L$PWD/../boringssl/build -lssl -lcrypto" \
+          --disable-dependency-tracking \
+          --with-boringssl \
+          --with-wolfssl
         make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)" check
         make install
-    - name: Build ngtcp2 + quictls/openssl v3.x
+    - name: Build ngtcp2 + quictls/openssl v3.x + aws-lc
       if: steps.cache-ngtcp2-openssl3.outputs.cache-hit != 'true'
       run: |
-        git clone --depth 1 -b ${{ env.NGTCP2_VERSION }} https://github.com/ngtcp2/ngtcp2 ngtcp2-openssl3
+        git clone --recursive --shallow-submodules --depth 1 -b ${{ env.NGTCP2_VERSION }} https://github.com/ngtcp2/ngtcp2 ngtcp2-openssl3
         cd ngtcp2-openssl3
         autoreconf -i
         ./configure --prefix=$PWD/build --enable-lib-only \
-          PKG_CONFIG_PATH="../openssl3/build/lib/pkgconfig" \
-          BORINGSSL_CFLAGS="-I$PWD/../boringssl/include/" \
-          BORINGSSL_LIBS="-L$PWD/../boringssl/build/ssl -lssl -L$PWD/../boringssl/build/crypto -lcrypto" \
+          PKG_CONFIG_PATH="../openssl3/build/lib64/pkgconfig:../openssl3/build/lib/pkgconfig" \
+          BORINGSSL_CFLAGS="-I$PWD/../aws-lc/include/" \
+          BORINGSSL_LIBS="-L$PWD/../aws-lc/build/ssl -lssl -L$PWD/../aws-lc/build/crypto -lcrypto" \
+          --disable-dependency-tracking \
           --with-boringssl
         make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)" check
         make install
@@ -175,45 +221,77 @@ jobs:
 
     strategy:
       matrix:
-        os: [ubuntu-22.04, macos-12]
+        os: [ubuntu-24.04, macos-14, macos-15]
         compiler: [gcc, clang]
         buildtool: [autotools, cmake]
         http3: [http3, no-http3]
-        openssl: [openssl1, openssl3, boringssl]
+        openssl: [openssl1, openssl3, boringssl, awslc, wolfssl]
         exclude:
-        - os: macos-12
-          openssl: openssl3
         - http3: no-http3
           openssl: openssl3
-        - os: macos-12
+        - os: macos-14
+          compiler: gcc
+        - os: macos-15
           compiler: gcc
         - # disable macos cmake because of include path issue
-          os: macos-12
+          os: macos-14
           buildtool: cmake
-        - os: macos-12
+        - # disable macos cmake because of include path issue
+          os: macos-15
+          buildtool: cmake
+        - os: macos-14
+          openssl: boringssl
+        - os: macos-15
           openssl: boringssl
         - openssl: boringssl
           buildtool: cmake
         - openssl: boringssl
           compiler: gcc
+        - os: macos-14
+          openssl: awslc
+        - os: macos-15
+          openssl: awslc
+        - openssl: awslc
+          buildtool: cmake
+        - openssl: awslc
+          compiler: gcc
+        include:
+        - os: ubuntu-24.04
+          compiler: clang
+          buildtool: distcheck
+          http3: http3
+          openssl: awslc
+        - os: ubuntu-24.04-arm
+          compiler: clang
+          buildtool: autotools
+          http3: http3
+          openssl: wolfssl
+        - os: ubuntu-24.04-arm
+          compiler: gcc
+          buildtool: autotools
+          http3: http3
+          openssl: wolfssl
 
     runs-on: ${{ matrix.os }}
 
     steps:
-    - uses: actions/checkout@v3
+    - name: Checkout
+      uses: actions/checkout@v6
+      with:
+        submodules: recursive
     - name: Linux setup
       if: runner.os == 'Linux'
       run: |
+        sudo apt-get update
         sudo apt-get install \
-          g++-12 \
-          clang-14 \
+          g++-14 \
+          clang-19 \
           autoconf \
           automake \
           autotools-dev \
           libtool \
           pkg-config \
           zlib1g-dev \
-          libcunit1-dev \
           libssl-dev \
           libxml2-dev \
           libev-dev \
@@ -222,29 +300,32 @@ jobs:
           libjemalloc-dev \
           libc-ares-dev \
           libelf-dev \
+          libbrotli-dev \
           cmake \
           cmake-data
         echo 'CPPFLAGS=-fsanitize=address,undefined -fno-sanitize-recover=undefined -g' >> $GITHUB_ENV
         echo 'LDFLAGS=-fsanitize=address,undefined -fno-sanitize-recover=undefined' >> $GITHUB_ENV
+
+        # https://github.com/actions/runner-images/issues/9491#issuecomment-1989718917
+        # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
+        # high-entropy ASLR in much newer kernels that GitHub runners are
+        # using leading to random crashes: https://reviews.llvm.org/D148280
+        sudo sysctl vm.mmap_rnd_bits=28
     - name: MacOS setup
       if: runner.os == 'macOS'
       run: |
         brew install \
           libev \
-          libevent \
-          c-ares \
-          cunit \
           libressl \
           autoconf \
           automake \
-          pkg-config \
           libtool
         echo 'PKG_CONFIG_PATH=/usr/local/opt/libressl/lib/pkgconfig:/usr/local/opt/libxml2/lib/pkgconfig' >> $GITHUB_ENV
     - name: Setup clang (Linux)
       if: runner.os == 'Linux' && matrix.compiler == 'clang'
       run: |
-        echo 'CC=clang-14' >> $GITHUB_ENV
-        echo 'CXX=clang++-14' >> $GITHUB_ENV
+        echo 'CC=clang-19' >> $GITHUB_ENV
+        echo 'CXX=clang++-19' >> $GITHUB_ENV
     - name: Setup clang (MacOS)
       if: runner.os == 'macOS' && matrix.compiler == 'clang'
       run: |
@@ -253,59 +334,93 @@ jobs:
     - name: Setup gcc (Linux)
       if: runner.os == 'Linux' && matrix.compiler == 'gcc'
       run: |
-        echo 'CC=gcc-12' >> $GITHUB_ENV
-        echo 'CXX=g++-12' >> $GITHUB_ENV
+        echo 'CC=gcc-14' >> $GITHUB_ENV
+        echo 'CXX=g++-14' >> $GITHUB_ENV
+        # g++-12 is known to produce false positive warnings.
+        echo 'CXXFLAGS=-Wno-restrict' >> $GITHUB_ENV
     - name: Setup gcc (MacOS)
       if: runner.os == 'macOS' && matrix.compiler == 'gcc'
       run: |
         echo 'CC=gcc' >> $GITHUB_ENV
         echo 'CXX=g++' >> $GITHUB_ENV
     - name: Restore libbpf cache
-      uses: actions/cache/restore@v3
+      uses: actions/cache/restore@v4
       if: matrix.http3 == 'http3' && matrix.compiler == 'clang' && runner.os == 'Linux'
       with:
         path: libbpf/build
-        key: ${{ runner.os }}-libbpf-${{ env.LIBBPF_VERSION }}
+        key: ${{ matrix.os }}-libbpf-${{ env.LIBBPF_VERSION }}
         fail-on-cache-miss: true
     - name: Set libbpf variables
       if: matrix.http3 == 'http3' && matrix.compiler == 'clang' && runner.os == 'Linux'
       run: |
         cd libbpf
 
-        EXTRA_AUTOTOOLS_OPTS="--with-libbpf"
-        EXTRA_CMAKE_OPTS="-DWITH_LIBBPF=1"
+        EXTRA_AUTOTOOLS_OPTS="$EXTRA_AUTOTOOLS_OPTS --with-libbpf"
+        EXTRA_CMAKE_OPTS="$EXTRA_CMAKE_OPTS -DWITH_LIBBPF=1"
 
         echo 'EXTRA_AUTOTOOLS_OPTS='"$EXTRA_AUTOTOOLS_OPTS" >> $GITHUB_ENV
         echo 'EXTRA_CMAKE_OPTS='"$EXTRA_CMAKE_OPTS" >> $GITHUB_ENV
+    - name: Setup libev variables
+      if: runner.os == 'macOS'
+      run: |
+        LIBEV_CFLAGS="-I/opt/homebrew/Cellar/libev/4.33/include"
+        LIBEV_LIBS="-L/opt/homebrew/Cellar/libev/4.33/lib -lev"
+
+        echo 'LIBEV_CFLAGS='"$LIBEV_CFLAGS" >> $GITHUB_ENV
+        echo 'LIBEV_LIBS='"$LIBEV_LIBS" >> $GITHUB_ENV
     - name: Restore quictls/openssl v1.1.1 cache
-      uses: actions/cache/restore@v3
-      if: matrix.http3 == 'http3' && matrix.openssl == 'openssl1'
+      uses: actions/cache/restore@v4
+      if: matrix.openssl == 'openssl1'
       with:
         path: openssl1/build
-        key: ${{ runner.os }}-openssl-${{ env.OPENSSL1_VERSION }}
+        key: ${{ matrix.os }}-openssl-${{ env.OPENSSL1_VERSION }}
         fail-on-cache-miss: true
-    - name: Restore quictls/openssl v3.x cache
-      uses: actions/cache/restore@v3
-      if: matrix.http3 == 'http3' && matrix.openssl == 'openssl3'
+    - name: Restore openssl/openssl v3.x cache
+      uses: actions/cache/restore@v4
+      if: matrix.openssl == 'openssl3'
       with:
         path: openssl3/build
-        key: ${{ runner.os }}-openssl-${{ env.OPENSSL3_VERSION }}
+        key: ${{ matrix.os }}-openssl-${{ env.OPENSSL3_VERSION }}
         fail-on-cache-miss: true
     - name: Restore BoringSSL cache
-      uses: actions/cache/restore@v3
+      uses: actions/cache/restore@v4
       if: matrix.openssl == 'boringssl'
       with:
         path: |
-          boringssl/build/crypto/libcrypto.a
-          boringssl/build/ssl/libssl.a
+          boringssl/build/libcrypto.a
+          boringssl/build/libssl.a
           boringssl/include
-        key: ${{ runner.os }}-boringssl-${{ env.BORINGSSL_VERSION }}
+        key: ${{ matrix.os }}-boringssl-${{ env.BORINGSSL_VERSION }}
+        fail-on-cache-miss: true
+    - name: Restore aws-lc cache
+      uses: actions/cache/restore@v4
+      if: matrix.openssl == 'awslc'
+      with:
+        path: |
+          aws-lc/build/crypto/libcrypto.a
+          aws-lc/build/ssl/libssl.a
+          aws-lc/include
+        key: ${{ matrix.os }}-awslc-${{ env.AWSLC_VERSION }}
         fail-on-cache-miss: true
     - name: Set BoringSSL variables
       if: matrix.openssl == 'boringssl'
       run: |
         cd boringssl
 
+        OPENSSL_CFLAGS="-I$PWD/include/"
+        OPENSSL_LIBS="-L$PWD/build -lssl -lcrypto -pthread"
+        EXTRA_AUTOTOOLS_OPTS="$EXTRA_AUTOTOOLS_OPTS --without-neverbleed --without-jemalloc --disable-examples"
+
+        echo 'OPENSSL_CFLAGS='"$OPENSSL_CFLAGS" >> $GITHUB_ENV
+        echo 'OPENSSL_LIBS='"$OPENSSL_LIBS" >> $GITHUB_ENV
+        echo 'BORINGSSL_CFLAGS='"$OPENSSL_CFLAGS" >> $GITHUB_ENV
+        echo 'BORINGSSL_LIBS='"$OPENSSL_LIBS" >> $GITHUB_ENV
+        echo 'EXTRA_AUTOTOOLS_OPTS='"$EXTRA_AUTOTOOLS_OPTS" >> $GITHUB_ENV
+    - name: Set aws-lc variables
+      if: matrix.openssl == 'awslc'
+      run: |
+        cd aws-lc
+
         OPENSSL_CFLAGS="-I$PWD/include/"
         OPENSSL_LIBS="-L$PWD/build/ssl -lssl -L$PWD/build/crypto -lcrypto -pthread"
         EXTRA_AUTOTOOLS_OPTS="$EXTRA_AUTOTOOLS_OPTS --without-neverbleed --without-jemalloc"
@@ -315,112 +430,148 @@ jobs:
         echo 'BORINGSSL_CFLAGS='"$OPENSSL_CFLAGS" >> $GITHUB_ENV
         echo 'BORINGSSL_LIBS='"$OPENSSL_LIBS" >> $GITHUB_ENV
         echo 'EXTRA_AUTOTOOLS_OPTS='"$EXTRA_AUTOTOOLS_OPTS" >> $GITHUB_ENV
+    - name: Restore wolfSSL cache
+      uses: actions/cache/restore@v4
+      if: matrix.openssl == 'wolfssl'
+      with:
+        path: wolfssl/build
+        key: ${{ matrix.os }}-wolfssl-${{ env.WOLFSSL_VERSION }}
+        fail-on-cache-miss: true
+    - name: Set wolfSSL variables
+      if: matrix.openssl == 'wolfssl'
+      run: |
+        EXTRA_AUTOTOOLS_OPTS="$EXTRA_AUTOTOOLS_OPTS --with-wolfssl --without-neverbleed"
+        EXTRA_CMAKE_OPTS="$EXTRA_CMAKE_OPTS -DWITH_WOLFSSL=1 -DWITH_NEVERBLEED=0 -DENABLE_EXAMPLES=0"
+
+        echo 'EXTRA_AUTOTOOLS_OPTS='"$EXTRA_AUTOTOOLS_OPTS" >> $GITHUB_ENV
+        echo 'EXTRA_CMAKE_OPTS='"$EXTRA_CMAKE_OPTS" >> $GITHUB_ENV
     - name: Restore nghttp3 cache
-      uses: actions/cache/restore@v3
+      uses: actions/cache/restore@v4
       if: matrix.http3 == 'http3'
       with:
         path: nghttp3/build
-        key: ${{ runner.os }}-nghttp3-${{ env.NGHTTP3_VERSION }}
+        key: ${{ matrix.os }}-nghttp3-${{ env.NGHTTP3_VERSION }}
         fail-on-cache-miss: true
-    - name: Restore ngtcp2 + quictls/openssl v1.1.1 cache
-      uses: actions/cache/restore@v3
-      if: matrix.http3 == 'http3' && (matrix.openssl == 'openssl1' || matrix.openssl == 'boringssl')
+    - name: Restore ngtcp2 + quictls/openssl v1.1.1 cache + BoringSSL
+      uses: actions/cache/restore@v4
+      if: matrix.http3 == 'http3' && (matrix.openssl == 'openssl1' || matrix.openssl == 'boringssl' || matrix.openssl == 'wolfssl')
       with:
         path: ngtcp2-openssl1/build
-        key: ${{ runner.os }}-ngtcp2-${{ env.NGTCP2_VERSION }}-openssl-${{ env.OPENSSL1_VERSION }}
+        key: ${{ matrix.os }}-ngtcp2-${{ env.NGTCP2_VERSION }}-openssl-${{ env.OPENSSL1_VERSION }}
         fail-on-cache-miss: true
-    - name: Restore ngtcp2 + quictls/openssl v3.x cache
-      uses: actions/cache/restore@v3
-      if: matrix.http3 == 'http3' && matrix.openssl == 'openssl3'
+    - name: Restore ngtcp2 + quictls/openssl v3.x cache + aws-lc
+      uses: actions/cache/restore@v4
+      if: matrix.http3 == 'http3' && (matrix.openssl == 'openssl3' || matrix.openssl == 'awslc')
       with:
         path: ngtcp2-openssl3/build
-        key: ${{ runner.os }}-ngtcp2-${{ env.NGTCP2_VERSION }}-openssl-${{ env.OPENSSL3_VERSION }}
+        key: ${{ matrix.os }}-ngtcp2-${{ env.NGTCP2_VERSION }}-openssl-${{ env.OPENSSL3_VERSION }}
         fail-on-cache-miss: true
+    - name: Setup extra environment variables
+      if: matrix.http3 == 'no-http3'
+      run: |
+        PKG_CONFIG_PATH="$PWD/openssl1/build/lib/pkgconfig:$PWD/openssl3/build/lib64/pkgconfig:$PWD/openssl3/build/lib/pkgconfig:$PWD/wolfssl/build/lib/pkgconfig:$PKG_CONFIG_PATH"
+        LDFLAGS="$LDFLAGS -Wl,-rpath,$PWD/openssl1/build/lib -Wl,-rpath,$PWD/openssl3/build/lib64 -Wl,-rpath,$PWD/openssl3/build/lib"
+
+        echo 'PKG_CONFIG_PATH='"$PKG_CONFIG_PATH" >> $GITHUB_ENV
+        echo 'LDFLAGS='"$LDFLAGS" >> $GITHUB_ENV
     - name: Setup extra environment variables for HTTP/3
       if: matrix.http3 == 'http3'
       run: |
-        PKG_CONFIG_PATH="$PWD/openssl1/build/lib/pkgconfig:$PWD/openssl3/build/lib/pkgconfig:$PWD/nghttp3/build/lib/pkgconfig:$PWD/ngtcp2-openssl1/build/lib/pkgconfig:$PWD/ngtcp2-openssl3/build/lib/pkgconfig:$PWD/libbpf/build/lib64/pkgconfig:$PKG_CONFIG_PATH"
-        LDFLAGS="$LDFLAGS -Wl,-rpath,$PWD/openssl1/build/lib -Wl,-rpath,$PWD/openssl3/build/lib -Wl,-rpath,$PWD/libbpf/build/lib64"
-        EXTRA_AUTOTOOLS_OPTS="--enable-http3 $EXTRA_AUTOTOOLS_OPTS"
-        EXTRA_CMAKE_OPTS="-DENABLE_HTTP3=1 $EXTRA_CMAKE_OPTS"
+        PKG_CONFIG_PATH="$PWD/openssl1/build/lib/pkgconfig:$PWD/openssl3/build/lib64/pkgconfig:$PWD/openssl3/build/lib/pkgconfig:$PWD/wolfssl/build/lib/pkgconfig:$PWD/nghttp3/build/lib/pkgconfig:$PWD/ngtcp2-openssl1/build/lib/pkgconfig:$PWD/ngtcp2-openssl3/build/lib/pkgconfig:$PWD/libbpf/build/lib64/pkgconfig:$PKG_CONFIG_PATH"
+        LDFLAGS="$LDFLAGS -Wl,-rpath,$PWD/openssl1/build/lib -Wl,-rpath,$PWD/openssl3/build/lib64 -Wl,-rpath,$PWD/openssl3/build/lib -Wl,-rpath,$PWD/libbpf/build/lib64"
+        EXTRA_AUTOTOOLS_OPTS="$EXTRA_AUTOTOOLS_OPTS --enable-http3"
+        EXTRA_CMAKE_OPTS="$EXTRA_CMAKE_OPTS -DENABLE_HTTP3=1"
 
         echo 'PKG_CONFIG_PATH='"$PKG_CONFIG_PATH" >> $GITHUB_ENV
         echo 'LDFLAGS='"$LDFLAGS" >> $GITHUB_ENV
         echo 'EXTRA_AUTOTOOLS_OPTS='"$EXTRA_AUTOTOOLS_OPTS" >> $GITHUB_ENV
         echo 'EXTRA_CMAKE_OPTS='"$EXTRA_CMAKE_OPTS" >> $GITHUB_ENV
-    - name: Setup git submodules
-      run: |
-        git submodule update --init
     - name: Configure autotools
       run: |
         autoreconf -i
-        ./configure
+        ./configure --disable-dependency-tracking
+    - name: Make distribution and unpack
+      if: matrix.buildtool != 'distcheck'
+      run: |
+        make dist
+        VERSION=$(grep PACKAGE_VERSION config.h | cut -d' ' -f3 | tr -d '"')
+        tar xf nghttp2-$VERSION.tar.gz
+        cd nghttp2-$VERSION
+        echo 'NGHTTP2_BUILD_DIR='"$PWD" >> $GITHUB_ENV
     - name: Configure cmake (Linux)
       if: matrix.buildtool == 'cmake' && runner.os == 'Linux'
       run: |
-        make dist
-        VERSION=$(grep PACKAGE_VERSION config.h | cut -d' ' -f3 | tr -d '"')
-        tar xf nghttp2-$VERSION.tar.gz
-        cd nghttp2-$VERSION
-        echo 'NGHTTP2_CMAKE_DIR='"$PWD" >> $GITHUB_ENV
+        cd $NGHTTP2_BUILD_DIR
 
-        cmake -DENABLE_WERROR=1 -DWITH_MRUBY=1 -DWITH_NEVERBLEED=1 -DENABLE_APP=1 $EXTRA_CMAKE_OPTS -DCPPFLAGS="$CPPFLAGS" -DLDFLAGS="$LDFLAGS" .
+        cmake -DENABLE_WERROR=1 -DWITH_MRUBY=1 -DWITH_NEVERBLEED=1 -DENABLE_APP=1 $EXTRA_CMAKE_OPTS -DCPPFLAGS="$CPPFLAGS" -DLDFLAGS="$LDFLAGS" -DBUILD_STATIC_LIBS=ON -DBUILD_TESTING=ON .
     - name: Configure cmake (MacOS)
       if: matrix.buildtool == 'cmake' && runner.os == 'macOS'
       run: |
-        make dist
-        VERSION=$(grep PACKAGE_VERSION config.h | cut -d' ' -f3 | tr -d '"')
-        tar xf nghttp2-$VERSION.tar.gz
-        cd nghttp2-$VERSION
-        echo 'NGHTTP2_CMAKE_DIR='"$PWD" >> $GITHUB_ENV
-
         # This fixes infamous 'stdio.h not found' error.
         echo 'SDKROOT='"$(xcrun --sdk macosx --show-sdk-path)" >> $GITHUB_ENV
 
-        cmake -DENABLE_WERROR=1 -DWITH_MRUBY=1 -DENABLE_APP=1 $EXTRA_CMAKE_OPTS -DCPPFLAGS="$CPPFLAGS" -DLDFLAGS="$LDFLAGS" .
+        cd $NGHTTP2_BUILD_DIR
+
+        cmake -DENABLE_WERROR=1 -DWITH_MRUBY=1 -DENABLE_APP=1 $EXTRA_CMAKE_OPTS -DCPPFLAGS="$CPPFLAGS" -DLDFLAGS="$LDFLAGS" -DBUILD_STATIC_LIBS=ON -DBUILD_TESTING=ON .
     - name: Build nghttp2 with autotools (Linux)
       if: matrix.buildtool == 'autotools' && runner.os == 'Linux'
       run: |
-        make -j"$(nproc)" distcheck \
-          DISTCHECK_CONFIGURE_FLAGS="--with-mruby --with-neverbleed --with-libev --enable-werror $EXTRA_AUTOTOOLS_OPTS CPPFLAGS=\"$CPPFLAGS\" LDFLAGS=\"$LDFLAGS\""
+        cd $NGHTTP2_BUILD_DIR
+
+        ./configure --disable-dependency-tracking --with-mruby --with-neverbleed --with-libev --with-libbrotlienc --with-libbrotlidec --enable-werror $EXTRA_AUTOTOOLS_OPTS
+        make -j"$(nproc)" check
     - name: Build nghttp2 with autotools (MacOS)
       if: matrix.buildtool == 'autotools' && runner.os == 'macOS'
       run: |
-        make -j"$(sysctl -n hw.ncpu)" distcheck \
-          DISTCHECK_CONFIGURE_FLAGS="--with-mruby --with-libev --enable-werror $EXTRA_AUTOTOOLS_OPTS CPPFLAGS=\"$CPPFLAGS\" LDFLAGS=\"$LDFLAGS\""
+        cd $NGHTTP2_BUILD_DIR
+
+        ./configure --disable-dependency-tracking --with-mruby --with-libev --with-libbrotlienc --with-libbrotlidec --enable-werror $EXTRA_AUTOTOOLS_OPTS
+        make -j"$(sysctl -n hw.ncpu)" check
+    - name: Build nghttp2 with autotools (distcheck)
+      if: matrix.buildtool == 'distcheck'
+      run: |
+        make -j"$(nproc)" distcheck \
+          DISTCHECK_CONFIGURE_FLAGS="--with-mruby --with-neverbleed --with-libev --with-libbrotlienc --with-libbrotlidec --enable-werror $EXTRA_AUTOTOOLS_OPTS CPPFLAGS=\"$CPPFLAGS\" LDFLAGS=\"$LDFLAGS\""
     - name: Build nghttp2 with cmake
       if: matrix.buildtool == 'cmake'
       run: |
-        cd $NGHTTP2_CMAKE_DIR
+        cd $NGHTTP2_BUILD_DIR
         make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)"
         make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)" check
-    - uses: actions/setup-go@v3
-      if: matrix.buildtool == 'cmake'
+    - uses: actions/setup-go@v6
+      if: matrix.buildtool != 'distcheck'
       with:
-        go-version-file: go.mod
+        go-version: "1.24"
     - name: Integration test
       # Integration tests for nghttpx; autotools erases build
       # artifacts.
-      if: matrix.buildtool == 'cmake'
+      if: matrix.buildtool != 'distcheck'
       run: |
-        cd $NGHTTP2_CMAKE_DIR/integration-tests
-        make itprep it
+        sudo sh -c 'echo "127.0.0.1 127.0.0.1.nip.io" >> /etc/hosts'
+        cd $NGHTTP2_BUILD_DIR/integration-tests
+        make it
 
   build-cross:
     strategy:
       matrix:
         host: [x86_64-w64-mingw32, i686-w64-mingw32]
 
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     env:
       HOST: ${{ matrix.host }}
 
     steps:
-    - uses: actions/checkout@v3
-    - name: Linux setup
+    - name: Checkout
+      uses: actions/checkout@v6
+      with:
+        submodules: recursive
+    - name: Prepare for i386
+      if: matrix.host == 'i686-w64-mingw32'
       run: |
         sudo dpkg --add-architecture i386
+    - name: Linux setup
+      run: |
         sudo apt-get update
         sudo apt-get install \
           gcc-mingw-w64 \
@@ -430,26 +581,19 @@ jobs:
           libtool \
           pkg-config \
           wine
-    - name: Build CUnit
-      run: |
-        curl -LO https://jaist.dl.sourceforge.net/project/cunit/CUnit/2.1-3/CUnit-2.1-3.tar.bz2
-        tar xf CUnit-2.1-3.tar.bz2
-        cd CUnit-2.1-3
-        ./bootstrap
-        ./configure --disable-shared --host="$HOST" --prefix="$PWD/build"
-        make -j$(nproc) install
     - name: Configure autotools
       run: |
         autoreconf -i && \
-        ./configure --enable-werror --enable-lib-only --with-cunit \
-          --host="$HOST" PKG_CONFIG_PATH="$PWD/CUnit-2.1-3/build/lib/pkgconfig"
+        ./configure --disable-dependency-tracking --enable-werror \
+          --enable-lib-only  --host="$HOST" \
+          CFLAGS="-g -O2 -D_WIN32_WINNT=0x0600" LIBS="-pthread"
     - name: Build nghttp2
       run: |
         make -j$(nproc)
         make -j$(nproc) check TESTS=""
     - name: Run tests
-      if: matrix.host == 'x86_64-w64-mingw32'
       run: |
+        export WINEPATH="/usr/${{ matrix.host }}/lib;$(winepath -w /usr/lib/x86_64-linux-gnu/wine/x86_64-windows)"
         cd tests
         wine main.exe
 
@@ -466,16 +610,84 @@ jobs:
     runs-on: windows-latest
 
     steps:
-    - uses: actions/checkout@v3
-    - uses: microsoft/setup-msbuild@v1
-    - run: |
-        vcpkg --triplet=${{ matrix.arch }}-windows install cunit
+    - name: Checkout
+      uses: actions/checkout@v6
+      with:
+        submodules: recursive
+    - uses: microsoft/setup-msbuild@v2
     - name: Configure cmake
-      run: |
-        mkdir build
-        cd build
-        cmake -DCMAKE_TOOLCHAIN_FILE=C:/vcpkg/scripts/buildsystems/vcpkg.cmake -DCMAKE_GENERATOR_PLATFORM=${{ matrix.platform }} -DVCPKG_TARGET_TRIPLET=${{ matrix.arch}}-windows ..
+      run: cmake -B build -DCMAKE_TOOLCHAIN_FILE=C:/vcpkg/scripts/buildsystems/vcpkg.cmake -DCMAKE_GENERATOR_PLATFORM=${{ matrix.platform }} -DVCPKG_TARGET_TRIPLET=${{ matrix.arch}}-windows -DBUILD_STATIC_LIBS=ON -DBUILD_TESTING=ON
     - name: Build nghttp2
       run: |
         cmake --build build
         cmake --build build --target check
+
+  release:
+    if: github.ref_type == 'tag'
+
+    needs:
+    - build
+    - build-cross
+    - build-windows
+
+    permissions:
+      contents: write
+
+    runs-on: ubuntu-24.04
+
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
+        submodules: recursive
+    - name: Make artifacts
+      run: |
+        ver='${{ github.ref_name }}'
+
+        prev_ver=$(git tag --sort v:refname | grep -v -F "${ver}" | \
+                   grep 'v[0-9]\+\.[0-9]\+\.0' | tail -n1)
+
+        echo -n "$GPG_KEY" | gpg --batch --pinentry-mode loopback --import
+        ./makerelease.sh "${ver}" "${prev_ver}"
+      env:
+        GPG_KEY: ${{ secrets.GPG_KEY }}
+        GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+    - name: Make release
+      uses: actions/github-script@v8
+      with:
+        script: |
+          const fs = require('fs')
+
+          let ver = '${{ github.ref_name }}'
+
+          let {data: release} = await github.rest.repos.createRelease({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            tag_name: ver,
+            name: `nghttp2 ${ver}`,
+            draft: true,
+            generate_release_notes: true,
+            discussion_category_name: 'Announcements',
+          })
+
+          let v = ver.substring(1)
+
+          let files = [
+            'checksums.txt',
+            `nghttp2-${v}.tar.bz2`,
+            `nghttp2-${v}.tar.bz2.asc`,
+            `nghttp2-${v}.tar.gz`,
+            `nghttp2-${v}.tar.gz.asc`,
+            `nghttp2-${v}.tar.xz`,
+            `nghttp2-${v}.tar.xz.asc`,
+          ]
+
+          await Promise.all(files.map(elem =>
+            github.rest.repos.uploadReleaseAsset({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              release_id: release.id,
+              name: elem,
+              data: fs.readFileSync(elem),
+            })
+          ))

.github/workflows/docker.yaml

@@ -0,0 +1,24 @@
+name: docker-build
+
+on:
+  push:
+    paths:
+    - docker/Dockerfile
+    branches:
+    - '**'
+
+permissions: read-all
+
+jobs:
+  build:
+    runs-on: ubuntu-24.04
+
+    steps:
+    - uses: actions/checkout@v6
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+    - name: Build
+      uses: docker/build-push-action@v6
+      with:
+        context: docker
+        build-args: NGHTTP2_BRANCH=${{ github.ref_name }}

.github/workflows/fuzz.yml

@@ -5,6 +5,13 @@ jobs:
   Fuzzing:
     runs-on: ubuntu-latest
     steps:
+    - name: LLVM workaround
+      run: |
+        # https://github.com/actions/runner-images/issues/9491#issuecomment-1989718917
+        # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
+        # high-entropy ASLR in much newer kernels that GitHub runners are
+        # using leading to random crashes: https://reviews.llvm.org/D148280
+        sudo sysctl vm.mmap_rnd_bits=28
     - name: Build Fuzzers
       uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
       with:
@@ -17,7 +24,7 @@ jobs:
         fuzz-seconds: 600
         dry-run: false
     - name: Upload Crash
-      uses: actions/upload-artifact@v1
+      uses: actions/upload-artifact@v5
       if: failure()
       with:
         name: artifacts

.github/workflows/stale.yaml

@@ -0,0 +1,22 @@
+name: 'Close stale issues'
+
+on:
+  schedule:
+  - cron: '30 1 * * *'
+
+permissions:
+  issues: write
+  actions: write
+
+jobs:
+  stale:
+    runs-on: ubuntu-24.04
+
+    steps:
+    - uses: actions/stale@v10
+      with:
+        stale-issue-message: 'This issue is stale because it has been open 30 days with no activity.  Remove stale label or comment or this will be closed in 7 days.'
+        days-before-stale: 30
+        days-before-close: 7
+        days-before-pr-stale: -1
+        exempt-all-milestones: true

.gitignore

@@ -42,6 +42,7 @@ rules.ninja
 lib*.so
 lib*.so.*
 lib*.a
+
 # generated by "make test" with cmake
 Testing/
 
@@ -54,3 +55,10 @@ _VC_ROOT/
 .depend.MSVC
 *.pyd
 *.egg-info/
+
+# Build Directories
+build/
+
+# IDEs
+cmake-*
+.idea/

.gitmodules

@@ -5,3 +5,9 @@
 	path = third-party/neverbleed
 	url = https://github.com/tatsuhiro-t/neverbleed.git
 	branch = nghttp2
+[submodule "tests/munit"]
+	path = tests/munit
+	url = https://github.com/ngtcp2/munit
+[submodule "third-party/urlparse"]
+	path = third-party/urlparse
+	url = https://github.com/ngtcp2/urlparse

AUTHORS

@@ -17,8 +17,10 @@ github issues [2].
 Adam Gołębiowski
 Alek Storm
 Alex Nalivko
+Alexandr Vlasov
 Alexandros Konstantinakis-Karmis
 Alexis La Goutte
+Alyssa Ross
 Amir Livneh
 Amir Pakdel
 Anders Bakken
@@ -28,10 +30,12 @@ Andy Davies
 Angus Gratton
 Anna Henningsen
 Ant Bryan
+Anthony Alayo
 Asra Ali
 Benedikt Christoph Wolters
 Benjamin Peterson
 Bernard Spil
+Bernhard Walle
 Brendan Heinonen
 Brian Card
 Brian Suh
@@ -42,6 +46,8 @@ Dave Reisner
 David Beitey
 David Korczynski
 David Weekly
+Deel
+Deep Chordia
 Dimitris Apostolou
 Dmitri Tikhonov
 Dmitriy Vetutnev
@@ -69,9 +75,12 @@ Jay Satiro
 Jeff 'Raid' Baitis
 Jianqing Wang
 Jim Morrison
+Jiwoo Park
+Jonas Kvinge
 Josh Braegger
 José F. Calcerrada
 Kamil Dudka
+Karthik Dasari
 Kazuho Oku
 Kenny (kang-yen) Peng
 Kenny Peng
@@ -81,9 +90,11 @@ LazyHamster
 Leo Neat
 Lorenz Nickel
 Lucas Pardue
+Lukas Märdian
 MATSUMOTO Ryosuke
 Marc Bachmann
 Marcelo Trylesinski
+Mark Boddington
 Matt Rudary
 Matt Way
 Michael Kaufmann
@@ -95,6 +106,7 @@ Nora Shoemaker
 Paweł Wegner
 Pedro Santos
 Peeyush Aggarwal
+Peng-Yu Chen
 Peter Wu
 Piotr Sikora
 PufferOverflow
@@ -106,9 +118,12 @@ Richard Wolfert
 Rick Lei
 Ross Smith II
 Rudi Heitbaum
+Ryan Carsten Schmidt
 Ryo Ota
 Scott Mitchell
 Sebastiaan Deckers
+Sergei Trofimovich
+Sergey Fedorov
 Shelley Vohr
 Simon Frankenberger
 Simone Basso
@@ -121,6 +136,7 @@ Syohei YOSHIDA
 Tapanito
 Tatsuhiko Kubo
 Tatsuhiro Tsujikawa
+Thomas Devoogdt
 Tobias Geerinckx-Rice
 Tom Harwood
 Tomas Krizek
@@ -130,18 +146,23 @@ Vernon Tang
 Viacheslav Biriukov
 Viktor Szakats
 Viktor Szépe
+Ville Vesilehto
 Wenfeng Liu
 William A Rowe Jr
 Xiaoguang Sun
+Zachary Turner
 Zhuoyun Wei
 acesso
 ayanamist
+bmarques1995
 bxshi
 clemahieu
 dalf
 dawg
 es
 fangdingjun
+feicong
+hrxi
 jwchoi
 kumagi
 lhuang04

CMakeLists.txt

@@ -22,15 +22,15 @@
 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-cmake_minimum_required(VERSION 3.0)
+cmake_minimum_required(VERSION 3.14)
 # XXX using 1.8.90 instead of 1.9.0-DEV
-project(nghttp2 VERSION 1.55.1)
+project(nghttp2 VERSION 1.68.90 LANGUAGES C)
 
 # See versioning rule:
 #  https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
-set(LT_CURRENT  38)
-set(LT_REVISION 3)
-set(LT_AGE      24)
+set(LT_CURRENT  43)
+set(LT_REVISION 2)
+set(LT_AGE      29)
 
 set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH})
 include(Version)
@@ -51,28 +51,35 @@ if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
 endif()
 
 include(GNUInstallDirs)
+include(CMakeDependentOption)
 
 # For documentation
 find_package(Python3 COMPONENTS Interpreter)
 
 # Auto-detection of features that can be toggled
-find_package(OpenSSL 1.0.1)
-find_package(Libev 4.11)
-find_package(Libcares 1.7.5)
-find_package(ZLIB 1.2.3)
-find_package(Libngtcp2 0.0.0)
-find_package(Libngtcp2_crypto_quictls 0.0.0)
-if(LIBNGTCP2_CRYPTO_QUICTLS_FOUND)
-  set(HAVE_LIBNGTCP2_CRYPTO_QUICTLS 1)
+if(NOT ENABLE_LIB_ONLY)
+  enable_language(CXX)
+  find_package(Libev 4.11)
+  find_package(Libcares 1.7.5)
+  find_package(ZLIB 1.2.3)
+  find_package(Libbrotlienc 1.0.9)
+  find_package(Libbrotlidec 1.0.9)
 endif()
-find_package(Libnghttp3 0.0.0)
+
+if(WITH_WOLFSSL)
+  find_package(WolfSSL 5.7.0)
+else()
+  find_package(OpenSSL 1.1.1)
+endif()
+find_package(Libngtcp2 1.15.0)
+find_package(Libnghttp3 1.11.0)
 if(WITH_LIBBPF)
-  find_package(Libbpf 0.4.0)
+  find_package(Libbpf 0.7.0)
   if(NOT LIBBPF_FOUND)
     message(FATAL_ERROR "libbpf was requested (WITH_LIBBPF=1) but not found.")
   endif()
 endif()
-if(OPENSSL_FOUND AND LIBEV_FOUND AND ZLIB_FOUND)
+if((OPENSSL_FOUND OR WOLFSSL_FOUND) AND LIBEV_FOUND AND ZLIB_FOUND)
   set(ENABLE_APP_DEFAULT ON)
 else()
   set(ENABLE_APP_DEFAULT OFF)
@@ -117,30 +124,31 @@ else()
   set(HINT_NORETURN)
 endif()
 
-include(ExtractValidFlags)
-foreach(_cxx1x_flag -std=c++14)
-  extract_valid_cxx_flags(_cxx1x_flag_supported ${_cxx1x_flag})
-  if(_cxx1x_flag_supported)
-    set(CXX1XCXXFLAGS ${_cxx1x_flag})
-    break()
-  endif()
-endforeach()
-
-include(CMakePushCheckState)
-include(CheckCXXSourceCompiles)
-cmake_push_check_state()
-set(CMAKE_REQUIRED_DEFINITIONS "${CXX1XCXXFLAGS}")
-# Check that std::future is available.
-check_cxx_source_compiles("
-#include <vector>
-#include <future>
-int main() { std::vector<std::future<int>> v; }" HAVE_STD_FUTURE)
-# Check that std::map::emplace is available for g++-4.7.
-check_cxx_source_compiles("
-#include <map>
-int main() { std::map<int, int>().emplace(1, 2); }" HAVE_STD_MAP_EMPLACE)
-cmake_pop_check_state()
+if(NOT ENABLE_LIB_ONLY)
+  include(ExtractValidFlags)
+  foreach(_cxx1x_flag -std=c++20)
+    extract_valid_cxx_flags(_cxx1x_flag_supported ${_cxx1x_flag})
+    if(_cxx1x_flag_supported)
+      set(CXX1XCXXFLAGS ${_cxx1x_flag})
+      break()
+    endif()
+  endforeach()
 
+  include(CMakePushCheckState)
+  include(CheckCXXSourceCompiles)
+  cmake_push_check_state()
+  set(CMAKE_REQUIRED_DEFINITIONS "${CXX1XCXXFLAGS}")
+  # Check that std::future is available.
+  check_cxx_source_compiles("
+  #include <vector>
+  #include <future>
+  int main() { std::vector<std::future<int>> v; }" HAVE_STD_FUTURE)
+  # Check that std::chrono::time_zone is available.
+  check_cxx_source_compiles("
+  #include <chrono>
+  int main() { auto tz = std::chrono::current_zone(); (void)tz; }" HAVE_STD_CHRONO_TIME_ZONE)
+  cmake_pop_check_state()
+endif()
 
 # Checks for libraries.
 # Additional libraries required for programs under src directory.
@@ -162,17 +170,13 @@ endif()
 # XXX shouldn't ${CMAKE_DL_LIBS} be appended to OPENSSL_LIBRARIES instead of
 # APP_LIBRARIES if it is really specific to OpenSSL?
 
-find_package(CUnit 2.1)
 enable_testing()
-set(HAVE_CUNIT      ${CUNIT_FOUND})
-if(HAVE_CUNIT)
-  add_custom_target(check COMMAND ${CMAKE_CTEST_COMMAND})
-endif()
+add_custom_target(check COMMAND ${CMAKE_CTEST_COMMAND})
 
 # openssl (for src)
 include(CheckSymbolExists)
 set(HAVE_OPENSSL    ${OPENSSL_FOUND})
-if(OPENSSL_FOUND)
+if(NOT ENABLE_LIB_ONLY AND OPENSSL_FOUND)
   set(OPENSSL_INCLUDE_DIRS  ${OPENSSL_INCLUDE_DIR})
   cmake_push_check_state()
   set(CMAKE_REQUIRED_INCLUDES   "${OPENSSL_INCLUDE_DIR}")
@@ -180,15 +184,37 @@ if(OPENSSL_FOUND)
   if(WIN32)
     set(CMAKE_REQUIRED_LIBRARIES "${CMAKE_REQUIRED_LIBRARIES}" "ws2_32" "bcrypt")
   endif()
-  check_symbol_exists(SSL_is_quic "openssl/ssl.h" HAVE_SSL_IS_QUIC)
-  if(NOT HAVE_SSL_IS_QUIC)
-    message(WARNING "OpenSSL in ${OPENSSL_LIBRARIES} does not have SSL_is_quic.  HTTP/3 support cannot be enabled")
+  check_symbol_exists("LIBRESSL_VERSION_NUMBER" "openssl/opensslv.h" LIBRESSL_FOUND)
+  if(ENABLE_HTTP3)
+    check_symbol_exists(SSL_provide_quic_data "openssl/ssl.h" HAVE_SSL_PROVIDE_QUIC_DATA)
+    if(NOT HAVE_SSL_PROVIDE_QUIC_DATA)
+      check_symbol_exists(SSL_set_quic_tls_cbs "openssl/ssl.h" HAVE_SSL_SET_QUIC_TLS_CBS)
+      if(NOT HAVE_SSL_SET_QUIC_TLS_CBS)
+        message(WARNING "OpenSSL in ${OPENSSL_LIBRARIES} has neither SSL_provide_quic_data nor SSL_set_quic_tls_cbs.  HTTP/3 support cannot be enabled")
+      endif()
+    endif()
   endif()
   cmake_pop_check_state()
 else()
   set(OPENSSL_INCLUDE_DIRS  "")
   set(OPENSSL_LIBRARIES     "")
 endif()
+# wolfSSL (for src)
+set(HAVE_WOLFSSL ${WOLFSSL_FOUND})
+if(WOLFSSL_FOUND)
+  set(WOLFSSL_INCLUDE_DIRS ${WOLFSSL_INCLUDE_DIR})
+  cmake_push_check_state()
+  set(CMAKE_REQUIRED_INCLUDES   "${WOLFSSL_INCLUDE_DIR}")
+  set(CMAKE_REQUIRED_LIBRARIES  "${WOLFSSL_LIBRARIES}")
+  check_symbol_exists(SSL_provide_quic_data "wolfssl/options.h;wolfssl/ssl.h" HAVE_WOLFSSL_SSL_PROVIDE_QUIC_DATA)
+  if(NOT HAVE_WOLFSSL_SSL_PROVIDE_QUIC_DATA)
+    message(WARNING "wolfSSL in ${WOLFSSL_LIBRARIES} does not have SSL_provide_quic_data.  HTTP/3 support cannot be enabled")
+  endif()
+  cmake_pop_check_state()
+else()
+  set(WOLFSSL_INCLUDE_DIRS "")
+  set(WOLFSSL_LIBRARIES    "")
+endif()
 # libev (for src)
 set(HAVE_LIBEV      ${LIBEV_FOUND})
 set(HAVE_ZLIB       ${ZLIB_FOUND})
@@ -219,6 +245,13 @@ endif()
 # jemalloc
 set(HAVE_JEMALLOC   ${JEMALLOC_FOUND})
 
+# libbrotli (for src)
+set(HAVE_LIBBROTLIENC ${LIBBROTLIENC_FOUND})
+set(HAVE_LIBBROTLIDEC ${LIBBROTLIDEC_FOUND})
+if(LIBBROTLIENC_FOUND AND LIBBROTLIDEC_FOUND)
+  set(HAVE_LIBBROTLI 1)
+endif()
+
 # libbpf (for bpf)
 set(HAVE_LIBBPF ${LIBBPF_FOUND})
 if(LIBBPF_FOUND)
@@ -234,13 +267,45 @@ int main() { enum bpf_stats_type foo; (void)foo; }" HAVE_BPF_STATS_TYPE)
 endif()
 
 # The nghttp, nghttpd and nghttpx under src depend on zlib, OpenSSL and libev
-if(ENABLE_APP AND NOT (ZLIB_FOUND AND OPENSSL_FOUND AND LIBEV_FOUND))
+if(ENABLE_APP AND NOT (ZLIB_FOUND AND (OPENSSL_FOUND OR WOLFSSL_FOUND) AND LIBEV_FOUND))
   message(FATAL_ERROR "Applications were requested (ENABLE_APP=1) but dependencies are not met.")
 endif()
 
-# HTTP/3 requires quictls/openssl, libngtcp2, libngtcp2_crypto_quictls
-# and libnghttp3.
-if(ENABLE_HTTP3 AND NOT (HAVE_SSL_IS_QUIC AND LIBNGTCP2_FOUND AND LIBNGTCP2_CRYPTO_QUICTLS_FOUND AND LIBNGHTTP3_FOUND))
+if(ENABLE_HTTP3)
+  if(HAVE_SSL_PROVIDE_QUIC_DATA AND NOT LIBRESSL_FOUND)
+    find_package(Libngtcp2_crypto_quictls 1.15.0)
+    if(LIBNGTCP2_CRYPTO_QUICTLS_FOUND)
+      set(HAVE_LIBNGTCP2_CRYPTO_QUICTLS 1)
+    endif()
+  elseif(HAVE_SSL_PROVIDE_QUIC_DATA AND LIBRESSL_FOUND)
+    find_package(Libngtcp2_crypto_libressl 1.15.0)
+    if(LIBNGTCP2_CRYPTO_LIBRESSL_FOUND)
+      set(HAVE_LIBNGTCP2_CRYPTO_LIBRESSL 1)
+    endif()
+  elseif(HAVE_WOLFSSL_SSL_PROVIDE_QUIC_DATA)
+    find_package(Libngtcp2_crypto_wolfssl 1.15.0)
+    if(LIBNGTCP2_CRYPTO_WOLFSSL_FOUND)
+      set(HAVE_LIBNGTCP2_CRYPTO_WOLFSSL 1)
+    endif()
+  elseif(HAVE_SSL_SET_QUIC_TLS_CBS)
+    find_package(Libngtcp2_crypto_ossl 1.15.0)
+    if(LIBNGTCP2_CRYPTO_OSSL_FOUND)
+      set(HAVE_LIBNGTCP2_CRYPTO_OSSL 1)
+    endif()
+  endif()
+endif()
+
+# HTTP/3 requires libngtcp2 + nghttp3 + one of:
+#
+# - quictls/openssl + libngtcp2_crypto_quictls
+# - libressl + libngtcp2_crypto_libressl
+# - wolfSSL + libngtcp2_crypto_wolfssl
+# - openssl/openssl + libngtcp2_crypto_ossl
+if(ENABLE_HTTP3 AND NOT (LIBNGTCP2_FOUND AND LIBNGHTTP3_FOUND AND
+      ((HAVE_SSL_PROVIDE_QUIC_DATA AND NOT LIBRESSL_FOUND AND LIBNGTCP2_CRYPTO_QUICTLS_FOUND) OR
+	(HAVE_SSL_PROVIDE_QUIC_DATA AND LIBRESSL_FOUND AND LIBNGTCP2_CRYPTO_LIBRESSL_FOUND) OR
+	(HAVE_WOLFSSL_SSL_PROVIDE_QUIC_DATA AND LIBNGTCP2_CRYPTO_WOLFSSL_FOUND) OR
+	(HAVE_SSL_SET_QUIC_TLS_CBS AND LIBNGTCP2_CRYPTO_OSSL_FOUND))))
   message(FATAL_ERROR "HTTP/3 was requested (ENABLE_HTTP3=1) but dependencies are not met.")
 endif()
 
@@ -273,12 +338,13 @@ check_include_file("inttypes.h"     HAVE_INTTYPES_H)
 check_include_file("limits.h"       HAVE_LIMITS_H)
 check_include_file("netdb.h"        HAVE_NETDB_H)
 check_include_file("netinet/in.h"   HAVE_NETINET_IN_H)
+check_include_file("netinet/ip.h"   HAVE_NETINET_IP_H)
 check_include_file("pwd.h"          HAVE_PWD_H)
 check_include_file("sys/socket.h"   HAVE_SYS_SOCKET_H)
 check_include_file("sys/time.h"     HAVE_SYS_TIME_H)
 check_include_file("syslog.h"       HAVE_SYSLOG_H)
-check_include_file("time.h"         HAVE_TIME_H)
 check_include_file("unistd.h"       HAVE_UNISTD_H)
+check_include_file("windows.h"      HAVE_WINDOWS_H)
 
 include(CheckTypeSize)
 # Checks for typedefs, structures, and compiler characteristics.
@@ -308,15 +374,15 @@ endif()
 include(CheckStructHasMember)
 check_struct_has_member("struct tm" tm_gmtoff time.h HAVE_STRUCT_TM_TM_GMTOFF)
 
-# Check size of pointer to decide we need 8 bytes alignment adjustment.
-check_type_size("int *"   SIZEOF_INT_P)
-check_type_size("time_t"  SIZEOF_TIME_T)
-
 # Checks for library functions.
 include(CheckFunctionExists)
 check_function_exists(_Exit     HAVE__EXIT)
 check_function_exists(accept4   HAVE_ACCEPT4)
+check_function_exists(clock_gettime HAVE_CLOCK_GETTIME)
 check_function_exists(mkostemp  HAVE_MKOSTEMP)
+check_function_exists(pipe2     HAVE_PIPE2)
+
+check_symbol_exists(GetTickCount64 "windows.h;sysinfoapi.h" HAVE_GETTICKCOUNT64)
 
 include(CheckSymbolExists)
 # XXX does this correctly detect initgroups (un)availability on cygwin?
@@ -329,6 +395,8 @@ if(NOT HAVE_DECL_INITGROUPS AND HAVE_UNISTD_H)
   endif()
 endif()
 
+check_symbol_exists(CLOCK_MONOTONIC "time.h" HAVE_DECL_CLOCK_MONOTONIC)
+
 set(WARNCFLAGS)
 set(WARNCXXFLAGS)
 if(CMAKE_C_COMPILER_ID MATCHES "MSVC")
@@ -338,65 +406,12 @@ if(CMAKE_C_COMPILER_ID MATCHES "MSVC")
   endif()
 else()
   if(ENABLE_WERROR)
-    extract_valid_c_flags(WARNCFLAGS    -Werror)
-    extract_valid_c_flags(WARNCXXFLAGS  -Werror)
+    set(WARNCFLAGS   "-Werror")
+    set(WARNCXXFLAGS "-Werror")
   endif()
 
-  # For C compiler
-  extract_valid_c_flags(WARNCFLAGS
-    -Wall
-    -Wextra
-    -Wmissing-prototypes
-    -Wstrict-prototypes
-    -Wmissing-declarations
-    -Wpointer-arith
-    -Wdeclaration-after-statement
-    -Wformat-security
-    -Wwrite-strings
-    -Wshadow
-    -Winline
-    -Wnested-externs
-    -Wfloat-equal
-    -Wundef
-    -Wendif-labels
-    -Wempty-body
-    -Wcast-align
-    -Wclobbered
-    -Wvla
-    -Wpragmas
-    -Wunreachable-code
-    -Waddress
-    -Wattributes
-    -Wdiv-by-zero
-    -Wshorten-64-to-32
-
-    -Wconversion
-    -Wextended-offsetof
-    -Wformat-nonliteral
-    -Wlanguage-extension-token
-    -Wmissing-field-initializers
-    -Wmissing-noreturn
-    -Wmissing-variable-declarations
-    # Not used because we cannot change public structs
-    # -Wpadded
-    -Wsign-conversion
-    # Not used because this basically disallows default case
-    # -Wswitch-enum
-    -Wunreachable-code-break
-    -Wunused-macros
-    -Wunused-parameter
-    -Wredundant-decls
-    # Only work with Clang for the moment
-    -Wheader-guard
-    # This is required because we pass format string as "const char*.
-    -Wno-format-nonliteral
-  )
-
-  extract_valid_cxx_flags(WARNCXXFLAGS
-    # For C++ compiler
-    -Wall
-    -Wformat-security
-  )
+  include(PickyWarningsC)
+  include(PickyWarningsCXX)
 endif()
 
 if(ENABLE_STATIC_CRT)
@@ -475,14 +490,15 @@ add_subdirectory(lib)
 add_subdirectory(third-party)
 add_subdirectory(src)
 add_subdirectory(examples)
-add_subdirectory(tests)
-#add_subdirectory(tests/testdata)
-add_subdirectory(integration-tests)
+if(CMAKE_PROJECT_NAME STREQUAL PROJECT_NAME AND BUILD_TESTING)
+  add_subdirectory(tests)
+  #add_subdirectory(tests/testdata)
+  add_subdirectory(integration-tests)
+endif()
 if(ENABLE_DOC)
   add_subdirectory(doc)
 endif()
 add_subdirectory(contrib)
-add_subdirectory(script)
 add_subdirectory(bpf)
 
 
@@ -501,19 +517,23 @@ message(STATUS "summary of build options:
       CXXFLAGS:       ${CMAKE_CXX_FLAGS_${_build_type}} ${CMAKE_CXX_FLAGS}
       WARNCFLAGS:     ${WARNCFLAGS}
       CXX1XCXXFLAGS:  ${CXX1XCXXFLAGS}
+      WARNCXXFLAGS:   ${WARNCXXFLAGS}
     Python:
       Python:          ${Python3_EXECUTABLE}
       Python3_VERSION: ${Python3_VERSION}
     Test:
-      CUnit:          ${HAVE_CUNIT} (LIBS='${CUNIT_LIBRARIES}')
       Failmalloc:     ${ENABLE_FAILMALLOC}
+      Build Test:     ${BUILD_TESTING}
     Libs:
       OpenSSL:        ${HAVE_OPENSSL} (LIBS='${OPENSSL_LIBRARIES}')
+      wolfSSL:        ${HAVE_WOLFSSL} (LIBS='${WOLFSSL_LIBRARIES}')
       Libxml2:        ${HAVE_LIBXML2} (LIBS='${LIBXML2_LIBRARIES}')
       Libev:          ${HAVE_LIBEV} (LIBS='${LIBEV_LIBRARIES}')
       Libc-ares:      ${HAVE_LIBCARES} (LIBS='${LIBCARES_LIBRARIES}')
       Libngtcp2:      ${HAVE_LIBNGTCP2} (LIBS='${LIBNGTCP2_LIBRARIES}')
       Libngtcp2_crypto_quictls: ${HAVE_LIBNGTCP2_CRYPTO_QUICTLS} (LIBS='${LIBNGTCP2_CRYPTO_QUICTLS_LIBRARIES}')
+      Libngtcp2_crypto_libressl: ${HAVE_LIBNGTCP2_CRYPTO_LIBRESSL} (LIBS='${LIBNGTCP2_CRYPTO_LIBRESSL_LIBRARIES}')
+      Libngtcp2_crypto_wolfssl: ${HAVE_LIBNGTCP2_CRYPTO_WOLFSSL} (LIBS='${LIBNGTCP2_CRYPTO_WOLFSSL_LIBRARIES}')
       Libnghttp3:     ${HAVE_LIBNGHTTP3} (LIBS='${LIBNGHTTP3_LIBRARIES}')
       Libbpf:         ${HAVE_LIBBPF} (LIBS='${LIBBPF_LIBRARIES}')
       Libevent(SSL):  ${HAVE_LIBEVENT_OPENSSL} (LIBS='${LIBEVENT_OPENSSL_LIBRARIES}')
@@ -521,6 +541,8 @@ message(STATUS "summary of build options:
       Jemalloc:       ${HAVE_JEMALLOC} (LIBS='${JEMALLOC_LIBRARIES}')
       Zlib:           ${HAVE_ZLIB} (LIBS='${ZLIB_LIBRARIES}')
       Systemd:        ${HAVE_SYSTEMD} (LIBS='${SYSTEMD_LIBRARIES}')
+      Libbrotlienc:   ${HAVE_LIBBROTLIENC} (LIBS='${LIBBROTLIENC_LIBRARIES}')
+      Libbrotlidec:   ${HAVE_LIBBROTLIDEC} (LIBS='${LIBBROTLIDEC_LIBRARIES}')
     Third-party:
       http-parser:    ${ENABLE_THIRD_PARTY}
       MRuby:          ${HAVE_MRUBY}

CMakeOptions.txt

@@ -11,11 +11,12 @@ option(ENABLE_EXAMPLES  "Build examples"
   ${ENABLE_EXAMPLES_DEFAULT})
 option(ENABLE_FAILMALLOC "Build failmalloc test program" ON)
 option(ENABLE_LIB_ONLY  "Build libnghttp2 only.  This is a short hand for -DENABLE_APP=0 -DENABLE_EXAMPLES=0 -DENABLE_HPACK_TOOLS=0")
-option(ENABLE_STATIC_LIB "Build libnghttp2 in static mode also")
-option(ENABLE_SHARED_LIB "Build libnghttp2 as a shared library" ON)
+option(BUILD_SHARED_LIBS "Build libnghttp2 as a shared library" ON)
+option(BUILD_STATIC_LIBS "Build libnghttp2 in static mode also" OFF)
 option(ENABLE_STATIC_CRT "Build libnghttp2 against the MS LIBCMT[d]")
 option(ENABLE_HTTP3      "Enable HTTP/3 support" OFF)
 option(ENABLE_DOC "Build documentation" ON)
+cmake_dependent_option(BUILD_TESTING "Enable tests" ON "BUILD_STATIC_LIBS" OFF)
 
 option(WITH_LIBXML2     "Use libxml2"
   ${WITH_LIBXML2_DEFAULT})
@@ -24,5 +25,6 @@ option(WITH_JEMALLOC    "Use jemalloc"
 option(WITH_MRUBY       "Use mruby")
 option(WITH_NEVERBLEED  "Use neverbleed")
 option(WITH_LIBBPF      "Use libbpf")
+option(WITH_WOLFSSL     "Use wolfSSL")
 
 # vim: ft=cmake:

Dockerfile.android

@@ -12,21 +12,21 @@
 
 
 # Only use standalone-toolchain for reduce size
-FROM ubuntu:22.04
-MAINTAINER Tatsuhiro Tsujikawa
+FROM ubuntu:24.04
+LABEL org.opencontainers.image.authors="Tatsuhiro Tsujikawa"
 
-ENV NDK_VERSION r25b
-ENV NDK /root/android-ndk-$NDK_VERSION
-ENV TOOLCHAIN $NDK/toolchains/llvm/prebuilt/linux-x86_64
-ENV TARGET aarch64-linux-android
-ENV API 33
-ENV AR $TOOLCHAIN/bin/llvm-ar
-ENV CC $TOOLCHAIN/bin/$TARGET$API-clang
-ENV CXX $TOOLCHAIN/bin/$TARGET$API-clang++
-ENV LD $TOOLCHAIN/bin/ld
-ENV RANDLIB $TOOLCHAIN/bin/llvm-ranlib
-ENV STRIP $TOOLCHAIN/bin/llvm-strip
-ENV PREFIX /root/usr/local
+ARG NDK_VERSION=r27c
+ARG NDK=/root/android-ndk-$NDK_VERSION
+ARG TOOLCHAIN=$NDK/toolchains/llvm/prebuilt/linux-x86_64
+ARG TARGET=aarch64-linux-android
+ARG API=33
+ARG AR=$TOOLCHAIN/bin/llvm-ar
+ARG CC=$TOOLCHAIN/bin/$TARGET$API-clang
+ARG CXX=$TOOLCHAIN/bin/$TARGET$API-clang++
+ARG LD=$TOOLCHAIN/bin/ld
+ARG RANDLIB=$TOOLCHAIN/bin/llvm-ranlib
+ARG STRIP=$TOOLCHAIN/bin/llvm-strip
+ARG PREFIX=/root/usr/local
 
 WORKDIR /root
 RUN apt-get update && \
@@ -42,11 +42,11 @@ RUN curl -L -O https://dl.google.com/android/repository/android-ndk-$NDK_VERSION
    rm android-ndk-$NDK_VERSION-linux.zip
 
 # Setup version of libraries
-ENV OPENSSL_VERSION 1.1.1q
-ENV LIBEV_VERSION 4.33
-ENV ZLIB_VERSION 1.2.13
-ENV CARES_VERSION 1.18.1
-ENV NGHTTP2_VERSION master
+ARG OPENSSL_VERSION=1.1.1w
+ARG LIBEV_VERSION=4.33
+ARG ZLIB_VERSION=1.3.1
+ARG CARES_VERSION=1.18.1
+ARG NGHTTP2_VERSION=master
 
 WORKDIR /root/build
 RUN curl -L -O https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz && \
@@ -65,6 +65,7 @@ RUN curl -L -O http://dist.schmorp.de/libev/Attic/libev-$LIBEV_VERSION.tar.gz &&
 
 WORKDIR /root/build/libev-$LIBEV_VERSION
 RUN ./configure \
+    --disable-dependency-tracking \
     --host=$TARGET \
     --build=`dpkg-architecture -qDEB_BUILD_GNU_TYPE` \
     --prefix=$PREFIX \
@@ -75,7 +76,7 @@ RUN ./configure \
     make install
 
 WORKDIR /root/build
-RUN curl -L -O https://zlib.net/zlib-$ZLIB_VERSION.tar.gz && \
+RUN curl -L -O https://github.com/madler/zlib/releases/download/v$ZLIB_VERSION/zlib-$ZLIB_VERSION.tar.gz && \
     tar xf zlib-$ZLIB_VERSION.tar.gz && \
     rm zlib-$ZLIB_VERSION.tar.gz
 
@@ -90,12 +91,13 @@ RUN HOST=$TARGET \
 
 
 WORKDIR /root/build
-RUN curl -L -O https://c-ares.haxx.se/download/c-ares-$CARES_VERSION.tar.gz && \
+RUN curl -L -O https://github.com/c-ares/c-ares/releases/download/cares-1_18_1/c-ares-$CARES_VERSION.tar.gz && \
     tar xf c-ares-$CARES_VERSION.tar.gz && \
     rm c-ares-$CARES_VERSION.tar.gz
 
 WORKDIR /root/build/c-ares-$CARES_VERSION
 RUN ./configure \
+      --disable-dependency-tracking \
       --host=$TARGET \
       --build=`dpkg-architecture -qDEB_BUILD_GNU_TYPE` \
       --prefix=$PREFIX \
@@ -103,10 +105,11 @@ RUN ./configure \
     make install
 
 WORKDIR /root/build
-RUN git clone https://github.com/nghttp2/nghttp2 -b $NGHTTP2_VERSION --depth 1
+RUN git clone --recursive --shallow-submodules https://github.com/nghttp2/nghttp2 -b $NGHTTP2_VERSION --depth 1
 WORKDIR /root/build/nghttp2
 RUN autoreconf -i && \
     ./configure \
+    --disable-dependency-tracking \
     --enable-app \
     --disable-shared \
     --host=$TARGET \
@@ -116,6 +119,6 @@ RUN autoreconf -i && \
     --disable-threads \
       CPPFLAGS="-fPIE -I$PREFIX/include" \
       PKG_CONFIG_LIBDIR="$PREFIX/lib/pkgconfig" \
-      LDFLAGS="-fPIE -pie -L$PREFIX/lib" && \
+      LDFLAGS="-static-libstdc++ -static-libgcc -fPIE -pie -L$PREFIX/lib" && \
     make && \
     $STRIP src/nghttpx src/nghttpd src/nghttp

Makefile.am

@@ -20,8 +20,8 @@
 # LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-SUBDIRS = lib third-party src bpf examples tests integration-tests \
-	doc contrib script
+SUBDIRS = lib tests third-party src bpf examples integration-tests \
+	doc contrib
 
 ACLOCAL_AMFLAGS = -I m4
 
@@ -35,7 +35,6 @@ EXTRA_DIST = nghttpx.conf.sample proxy.pac.sample android-config android-env \
 	cmake/ExtractValidFlags.cmake \
 	cmake/FindJemalloc.cmake \
 	cmake/FindLibev.cmake \
-	cmake/FindCUnit.cmake \
 	cmake/Version.cmake \
 	cmake/FindLibevent.cmake \
 	cmake/FindJansson.cmake \
@@ -44,7 +43,14 @@ EXTRA_DIST = nghttpx.conf.sample proxy.pac.sample android-config android-env \
 	cmake/FindLibbpf.cmake \
 	cmake/FindLibnghttp3.cmake \
 	cmake/FindLibngtcp2.cmake \
-	cmake/FindLibngtcp2_crypto_quictls.cmake
+	cmake/FindLibngtcp2_crypto_quictls.cmake \
+	cmake/FindLibbrotlienc.cmake \
+	cmake/FindLibbrotlidec.cmake \
+	cmake/FindLibngtcp2_crypto_wolfssl.cmake \
+	cmake/FindLibngtcp2_crypto_ossl.cmake \
+	cmake/FindWolfSSL.cmake \
+	cmake/PickyWarningsC.cmake \
+	cmake/PickyWarningsCXX.cmake
 
 .PHONY: clang-format
 
@@ -55,5 +61,5 @@ clang-format:
 	CLANGFORMAT=`git config --get clangformat.binary`; \
 	test -z $${CLANGFORMAT} && CLANGFORMAT="clang-format"; \
 	$${CLANGFORMAT} -i lib/*.{c,h} lib/includes/nghttp2/*.h \
-	src/*.{c,cc,h} examples/*.{c,cc} \
+	src/*.{c,cc,h} examples/*.c \
 	tests/*.{c,h} bpf/*.c fuzz/*.cc

README.rst

@@ -29,11 +29,10 @@ Public Test Server
 The following endpoints are available to try out our nghttp2
 implementation.
 
-* https://nghttp2.org/ (TLS + ALPN/NPN and HTTP/3)
+* https://nghttp2.org/ (TLS + ALPN and HTTP/3)
 
-  This endpoint supports ``h2``, ``h2-16``, ``h2-14``, and
-  ``http/1.1`` via ALPN/NPN and requires TLSv1.2 for HTTP/2
-  connection.
+  This endpoint supports ``h2`` and ``http/1.1`` via ALPN and requires
+  TLSv1.2 for HTTP/2 connection.
 
   It also supports HTTP/3.
 
@@ -48,11 +47,6 @@ The following package is required to build the libnghttp2 library:
 
 * pkg-config >= 0.20
 
-To build and run the unit test programs, the following package is
-required:
-
-* cunit >= 2.1
-
 To build the documentation, you need to install:
 
 * sphinx (http://sphinx-doc.org/)
@@ -66,15 +60,12 @@ To build and run the application programs (``nghttp``, ``nghttpd``,
 ``nghttpx`` and ``h2load``) in the ``src`` directory, the following packages
 are required:
 
-* OpenSSL >= 1.0.1
+* OpenSSL >= 1.1.1; or wolfSSL >= 5.7.0; or LibreSSL >= 3.8.1; or
+  aws-lc >= 1.19.0; or BoringSSL
 * libev >= 4.11
 * zlib >= 1.2.3
 * libc-ares >= 1.7.5
 
-ALPN support requires OpenSSL >= 1.0.2 (released 22 January 2015).
-LibreSSL >= 2.2.0 can be used instead of OpenSSL, but OpenSSL has more
-features than LibreSSL at the time of this writing.
-
 To enable ``-a`` option (getting linked assets from the downloaded
 resource) in ``nghttp``, the following package is required:
 
@@ -103,10 +94,15 @@ To mitigate heap fragmentation in long running server programs
      Alpine Linux currently does not support malloc replacement
      due to musl limitations. See details in issue `#762 <https://github.com/nghttp2/nghttp2/issues/762>`_.
 
+For BoringSSL or aws-lc build, to enable :rfc:`8879` TLS Certificate
+Compression in applications, the following library is required:
+
+* libbrotli-dev >= 1.0.9
+
 To enable mruby support for nghttpx, `mruby
 <https://github.com/mruby/mruby>`_ is required.  We need to build
 mruby with C++ ABI explicitly turned on, and probably need other
-mrgems, mruby is manged by git submodule under third-party/mruby
+mrgems, mruby is managed by git submodule under third-party/mruby
 directory.  Currently, mruby support for nghttpx is disabled by
 default.  To enable mruby support, use ``--with-mruby`` configure
 option.  Note that at the time of this writing, libmruby-dev and mruby
@@ -118,20 +114,21 @@ required:
 * bison
 
 nghttpx supports `neverbleed <https://github.com/h2o/neverbleed>`_,
-privilege separation engine for OpenSSL / LibreSSL.  In short, it
-minimizes the risk of private key leakage when serious bug like
-Heartbleed is exploited.  The neverbleed is disabled by default.  To
-enable it, use ``--with-neverbleed`` configure option.
+privilege separation engine for OpenSSL.  In short, it minimizes the
+risk of private key leakage when serious bug like Heartbleed is
+exploited.  The neverbleed is disabled by default.  To enable it, use
+``--with-neverbleed`` configure option.
 
 To enable the experimental HTTP/3 support for h2load and nghttpx, the
 following libraries are required:
 
-* `OpenSSL with QUIC support
-  <https://github.com/quictls/openssl/tree/OpenSSL_1_1_1u+quic>`_; or
+* `quictls
+  <https://github.com/quictls/openssl/tree/OpenSSL_1_1_1w+quic>`_; or
+  wolfSSL; or LibreSSL (does not support 0RTT); or aws-lc; or
   `BoringSSL <https://boringssl.googlesource.com/boringssl/>`_ (commit
-  80dcb67d4481fb1194b9669917e35580c32dc388)
-* `ngtcp2 <https://github.com/ngtcp2/ngtcp2>`_ 0.17.x
-* `nghttp3 <https://github.com/ngtcp2/nghttp3>`_ 0.13.x
+  9b86817b23dfbf6e0837df8862a4112c51b4ea3b); or OpenSSL >= 3.5.0
+* `ngtcp2 <https://github.com/ngtcp2/ngtcp2>`_ >= 1.16.0
+* `nghttp3 <https://github.com/ngtcp2/nghttp3>`_ >= 1.12.0
 
 Use ``--enable-http3`` configure option to enable HTTP/3 feature for
 h2load and nghttpx.
@@ -146,14 +143,14 @@ Use ``--with-libbpf`` configure option to build eBPF program.
 libelf-dev is needed to build libbpf.
 
 For Ubuntu 20.04, you can build libbpf from `the source code
-<https://github.com/libbpf/libbpf/releases/tag/v1.2.0>`_.  nghttpx
-requires eBPF program for reloading its configuration and hot swapping
-its executable.
+<https://github.com/libbpf/libbpf/releases>`_.  nghttpx requires eBPF
+program for reloading its configuration and hot swapping its
+executable.
 
 Compiling libnghttp2 C source code requires a C99 compiler.  gcc 4.8
-is known to be adequate.  In order to compile the C++ source code, gcc
->= 6.0 or clang >= 6.0 is required.  C++ source code requires C++14
-language features.
+is known to be adequate.  In order to compile the C++ source code,
+C++20 compliant compiler is required.  At least g++ >= 12 and
+clang++ >= 18 are known to work.
 
 .. note::
 
@@ -207,7 +204,7 @@ required packages:
 
     sudo apt-get install g++ clang make binutils autoconf automake \
       autotools-dev libtool pkg-config \
-      zlib1g-dev libcunit1-dev libssl-dev libxml2-dev libev-dev \
+      zlib1g-dev libssl-dev libxml2-dev libev-dev \
       libevent-dev libjansson-dev \
       libc-ares-dev libjemalloc-dev libsystemd-dev \
       ruby-dev bison libelf-dev
@@ -339,23 +336,24 @@ connections alive during reload.
 
 The detailed steps to build HTTP/3 enabled h2load and nghttpx follow.
 
-Build custom OpenSSL:
+Build aws-lc:
 
 .. code-block:: text
 
-   $ git clone --depth 1 -b OpenSSL_1_1_1u+quic https://github.com/quictls/openssl
-   $ cd openssl
-   $ ./config --prefix=$PWD/build --openssldir=/etc/ssl
-   $ make -j$(nproc)
-   $ make install_sw
+   $ git clone --depth 1 -b v1.64.0 https://github.com/aws/aws-lc
+   $ cd aws-lc
+   $ cmake -B build -DDISABLE_GO=ON --install-prefix=$PWD/opt
+   $ make -j$(nproc) -C build
+   $ cmake --install build
    $ cd ..
 
 Build nghttp3:
 
 .. code-block:: text
 
-   $ git clone --depth 1 -b v0.13.0 https://github.com/ngtcp2/nghttp3
+   $ git clone --depth 1 -b v1.13.1 https://github.com/ngtcp2/nghttp3
    $ cd nghttp3
+   $ git submodule update --init --depth 1
    $ autoreconf -i
    $ ./configure --prefix=$PWD/build --enable-lib-only
    $ make -j$(nproc)
@@ -366,11 +364,13 @@ Build ngtcp2:
 
 .. code-block:: text
 
-   $ git clone --depth 1 -b v0.17.0 https://github.com/ngtcp2/ngtcp2
+   $ git clone --depth 1 -b v1.18.0 https://github.com/ngtcp2/ngtcp2
    $ cd ngtcp2
+   $ git submodule update --init --depth 1
    $ autoreconf -i
-   $ ./configure --prefix=$PWD/build --enable-lib-only \
-         PKG_CONFIG_PATH="$PWD/../openssl/build/lib/pkgconfig"
+   $ ./configure --prefix=$PWD/build --enable-lib-only --with-boringssl \
+         BORINGSSL_CFLAGS="-I$PWD/../aws-lc/opt/include" \
+         BORINGSSL_LIBS="-L$PWD/../aws-lc/opt/lib -lssl -lcrypto"
    $ make -j$(nproc)
    $ make install
    $ cd ..
@@ -380,7 +380,7 @@ from source:
 
 .. code-block:: text
 
-   $ git clone --depth 1 -b v1.2.0 https://github.com/libbpf/libbpf
+   $ git clone --depth 1 -b v1.6.2 https://github.com/libbpf/libbpf
    $ cd libbpf
    $ PREFIX=$PWD/build make -C src install
    $ cd ..
@@ -393,10 +393,10 @@ Build nghttp2:
    $ cd nghttp2
    $ git submodule update --init
    $ autoreconf -i
-   $ ./configure --with-mruby --with-neverbleed --enable-http3 --with-libbpf \
-         CC=clang-14 CXX=clang++-14 \
-         PKG_CONFIG_PATH="$PWD/../openssl/build/lib/pkgconfig:$PWD/../nghttp3/build/lib/pkgconfig:$PWD/../ngtcp2/build/lib/pkgconfig:$PWD/../libbpf/build/lib64/pkgconfig" \
-         LDFLAGS="$LDFLAGS -Wl,-rpath,$PWD/../openssl/build/lib -Wl,-rpath,$PWD/../libbpf/build/lib64"
+   $ ./configure --with-mruby --enable-http3 --with-libbpf \
+         CC=clang-19 CXX=clang++-19 \
+         PKG_CONFIG_PATH="$PWD/../aws-lc/opt/lib/pkgconfig:$PWD/../nghttp3/build/lib/pkgconfig:$PWD/../ngtcp2/build/lib/pkgconfig:$PWD/../libbpf/build/lib64/pkgconfig" \
+         LDFLAGS="$LDFLAGS -Wl,-rpath,$PWD/../aws-lc/opt/lib -Wl,-rpath,$PWD/../libbpf/build/lib64"
    $ make -j$(nproc)
 
 The eBPF program ``reuseport_kern.o`` should be found under bpf
@@ -481,7 +481,7 @@ Previously nghttp2 library did not send client magic, which is first
 24 bytes byte string of client connection preface, and client
 applications have to send it by themselves.  Since v1.0.0, client
 magic is sent by library via first call of ``nghttp2_session_send()``
-or ``nghttp2_session_mem_send()``.
+or ``nghttp2_session_mem_send2()``.
 
 The client applications which send client magic must remove the
 relevant code.
@@ -539,7 +539,7 @@ nghttp - client
 +++++++++++++++
 
 ``nghttp`` is a HTTP/2 client.  It can connect to the HTTP/2 server
-with prior knowledge, HTTP Upgrade and NPN/ALPN TLS extension.
+with prior knowledge, HTTP Upgrade and ALPN TLS extension.
 
 It has verbose output mode for framing information.  Here is sample
 output from ``nghttp`` client:
@@ -765,8 +765,8 @@ nghttpd - server
 By default, it uses SSL/TLS connection.  Use ``--no-tls`` option to
 disable it.
 
-``nghttpd`` only accepts HTTP/2 connections via NPN/ALPN or direct
-HTTP/2 connections.  No HTTP Upgrade is supported.
+``nghttpd`` only accepts HTTP/2 connections via ALPN or direct HTTP/2
+connections.  No HTTP Upgrade is supported.
 
 The ``-p`` option allows users to configure server push.
 
@@ -846,10 +846,10 @@ to know how to migrate from earlier releases.
 
 ``nghttpx`` implements `important performance-oriented features
 <https://istlsfastyet.com/#server-performance>`_ in TLS, such as
-session IDs, session tickets (with automatic key rotation), OCSP
-stapling, dynamic record sizing, ALPN/NPN, forward secrecy and HTTP/2.
-``nghttpx`` also offers the functionality to share session cache and
-ticket keys among multiple ``nghttpx`` instances via memcached.
+session IDs, session tickets (with automatic key rotation), dynamic
+record sizing, ALPN, forward secrecy and HTTP/2.  ``nghttpx`` also
+offers the functionality to share ticket keys among multiple
+``nghttpx`` instances via memcached.
 
 ``nghttpx`` has 2 operation modes:
 
@@ -974,12 +974,15 @@ threads to avoid saturating a single core on client side.
    servers.
 
 If the experimental HTTP/3 is enabled, h2load can send requests to
-HTTP/3 server.  To do this, specify ``h3`` to ``--npn-list`` option
+HTTP/3 server.  To do this, specify ``h3`` to ``--alpn-list`` option
 like so:
 
 .. code-block:: text
 
-    $ h2load --npn-list h3 https://127.0.0.1:4433
+    $ h2load --alpn-list h3 https://127.0.0.1:4433
+
+For nghttp2 v1.58 or earlier, use ``--npn-list`` instead of
+``--alpn-list``.
 
 HPACK tools
 -----------
@@ -1445,23 +1448,10 @@ See `Contribution Guidelines
 <https://nghttp2.org/documentation/contribute.html>`_ for more
 details.
 
-Reporting vulnerability
------------------------
+Versioning
+----------
 
-If you find a vulnerability in our software, please send the email to
-"tatsuhiro.t at gmail dot com" about its details instead of submitting
-issues on github issue page.  It is a standard practice not to
-disclose vulnerability information publicly until a fixed version is
-released, or mitigation is worked out.
-
-In the future, we may setup a dedicated mail address for this purpose.
-
-Release schedule
-----------------
-
-In general, we follow `Semantic Versioning <http://semver.org/>`_.  We
-release MINOR version update every month, and usually we ship it
-around 25th day of every month.
+In general, we follow `Semantic Versioning <http://semver.org/>`_.
 
 We may release PATCH releases between the regular releases, mainly for
 severe security bug fixes.

SECURITY.md

@@ -0,0 +1,31 @@
+# Security Process
+
+If you find a vulnerability in our software, please report it via
+GitHub "Private vulnerability reporting" feature at
+https://github.com/nghttp2/nghttp2/security instead of submitting
+issues on github issue page.  It is a standard practice not to
+disclose vulnerability information publicly until a fixed version is
+released, or mitigation is worked out.
+
+If we identify that the reported issue is really a vulnerability, we
+open a new security advisory draft using [GitHub security
+feature](https://github.com/nghttp2/nghttp2/security) and discuss the
+mitigation and bug fixes there.  The fixes are committed to the
+private repository.
+
+We write the security advisory and get CVE number from GitHub
+privately.  We also discuss the disclosure date to the public.
+
+We make a new release with the fix at the same time when the
+vulnerability is disclosed to public.
+
+At least 7 days before the public disclosure date, we open a new issue
+on [nghttp2 issue tracker](https://github.com/nghttp2/nghttp2/issues)
+which notifies that the upcoming release will have a security fix.
+The `SECURITY` label is attached to this kind of issue.  The issue is
+not opened if a vulnerability is already disclosed, and it is publicly
+known that nghttp2 is affected by that.
+
+Before few hours of new release, we merge the fixes to the master
+branch (and/or a release branch if necessary) and make a new release.
+Security advisory is disclosed on GitHub.

bpf/reuseport_kern.c

@@ -42,11 +42,6 @@
    License is Public Domain.  Commit hash:
    12e7744b4919e9d55de75b7ab566326a1c8e7a67 */
 
-#define AES_BLOCKLEN                                                           \
-  16 /* Block length in bytes - AES is 128b block                              \
-        only */
-
-#define AES_KEYLEN 16 /* Key length in bytes */
 #define AES_keyExpSize 176
 
 struct AES_ctx {
@@ -57,7 +52,6 @@ struct AES_ctx {
    in AES. Value=4 */
 #define Nb 4
 
-#define Nk 4  /* The number of 32 bit words in a key. */
 #define Nr 10 /* The number of rounds in AES Cipher. */
 
 /* state - array holding the intermediate results during
@@ -68,126 +62,27 @@ typedef __u8 state_t[4][4];
    read-only storage instead of RAM The numbers below can be computed
    dynamically trading ROM for RAM - This can be useful in (embedded)
    bootloader applications, where ROM is often limited. */
-static const __u8 sbox[256] = {
-    /* 0 1 2 3 4 5 6 7 8 9 A B C D E F */
-    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b,
-    0xfe, 0xd7, 0xab, 0x76, 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
-    0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, 0xb7, 0xfd, 0x93, 0x26,
-    0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
-    0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2,
-    0xeb, 0x27, 0xb2, 0x75, 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
-    0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, 0x53, 0xd1, 0x00, 0xed,
-    0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
-    0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f,
-    0x50, 0x3c, 0x9f, 0xa8, 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
-    0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, 0xcd, 0x0c, 0x13, 0xec,
-    0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
-    0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14,
-    0xde, 0x5e, 0x0b, 0xdb, 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
-    0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, 0xe7, 0xc8, 0x37, 0x6d,
-    0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
-    0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f,
-    0x4b, 0xbd, 0x8b, 0x8a, 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
-    0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, 0xe1, 0xf8, 0x98, 0x11,
-    0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
-    0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f,
-    0xb0, 0x54, 0xbb, 0x16};
-
 static const __u8 rsbox[256] = {
-    0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e,
-    0x81, 0xf3, 0xd7, 0xfb, 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
-    0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, 0x54, 0x7b, 0x94, 0x32,
-    0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
-    0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49,
-    0x6d, 0x8b, 0xd1, 0x25, 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
-    0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92, 0x6c, 0x70, 0x48, 0x50,
-    0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
-    0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05,
-    0xb8, 0xb3, 0x45, 0x06, 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
-    0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, 0x3a, 0x91, 0x11, 0x41,
-    0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
-    0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8,
-    0x1c, 0x75, 0xdf, 0x6e, 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
-    0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, 0xfc, 0x56, 0x3e, 0x4b,
-    0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
-    0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59,
-    0x27, 0x80, 0xec, 0x5f, 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
-    0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef, 0xa0, 0xe0, 0x3b, 0x4d,
-    0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
-    0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63,
-    0x55, 0x21, 0x0c, 0x7d};
-
-/* The round constant word array, Rcon[i], contains the values given
-   by x to the power (i-1) being powers of x (x is denoted as {02}) in
-   the field GF(2^8) */
-static const __u8 Rcon[11] = {0x8d, 0x01, 0x02, 0x04, 0x08, 0x10,
-                              0x20, 0x40, 0x80, 0x1b, 0x36};
-
-#define getSBoxValue(num) (sbox[(num)])
-
-/* This function produces Nb(Nr+1) round keys. The round keys are used
-   in each round to decrypt the states. */
-static void KeyExpansion(__u8 *RoundKey, const __u8 *Key) {
-  unsigned i, j, k;
-  __u8 tempa[4]; /* Used for the column/row operations */
-
-  /* The first round key is the key itself. */
-  for (i = 0; i < Nk; ++i) {
-    RoundKey[(i * 4) + 0] = Key[(i * 4) + 0];
-    RoundKey[(i * 4) + 1] = Key[(i * 4) + 1];
-    RoundKey[(i * 4) + 2] = Key[(i * 4) + 2];
-    RoundKey[(i * 4) + 3] = Key[(i * 4) + 3];
-  }
-
-  /* All other round keys are found from the previous round keys. */
-  for (i = Nk; i < Nb * (Nr + 1); ++i) {
-    {
-      k = (i - 1) * 4;
-      tempa[0] = RoundKey[k + 0];
-      tempa[1] = RoundKey[k + 1];
-      tempa[2] = RoundKey[k + 2];
-      tempa[3] = RoundKey[k + 3];
-    }
-
-    if (i % Nk == 0) {
-      /* This function shifts the 4 bytes in a word to the left once.
-         [a0,a1,a2,a3] becomes [a1,a2,a3,a0] */
-
-      /* Function RotWord() */
-      {
-        const __u8 u8tmp = tempa[0];
-        tempa[0] = tempa[1];
-        tempa[1] = tempa[2];
-        tempa[2] = tempa[3];
-        tempa[3] = u8tmp;
-      }
-
-      /* SubWord() is a function that takes a four-byte input word and
-         applies the S-box to each of the four bytes to produce an
-         output word. */
-
-      /* Function Subword() */
-      {
-        tempa[0] = getSBoxValue(tempa[0]);
-        tempa[1] = getSBoxValue(tempa[1]);
-        tempa[2] = getSBoxValue(tempa[2]);
-        tempa[3] = getSBoxValue(tempa[3]);
-      }
-
-      tempa[0] = tempa[0] ^ Rcon[i / Nk];
-    }
-    j = i * 4;
-    k = (i - Nk) * 4;
-    RoundKey[j + 0] = RoundKey[k + 0] ^ tempa[0];
-    RoundKey[j + 1] = RoundKey[k + 1] ^ tempa[1];
-    RoundKey[j + 2] = RoundKey[k + 2] ^ tempa[2];
-    RoundKey[j + 3] = RoundKey[k + 3] ^ tempa[3];
-  }
-}
-
-static void AES_init_ctx(struct AES_ctx *ctx, const __u8 *key) {
-  KeyExpansion(ctx->RoundKey, key);
-}
+  0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81,
+  0xf3, 0xd7, 0xfb, 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e,
+  0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23,
+  0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e, 0x08, 0x2e, 0xa1, 0x66,
+  0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25, 0x72,
+  0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65,
+  0xb6, 0x92, 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46,
+  0x57, 0xa7, 0x8d, 0x9d, 0x84, 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
+  0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06, 0xd0, 0x2c, 0x1e, 0x8f, 0xca,
+  0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, 0x3a, 0x91,
+  0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6,
+  0x73, 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8,
+  0x1c, 0x75, 0xdf, 0x6e, 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f,
+  0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2,
+  0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4, 0x1f, 0xdd, 0xa8,
+  0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
+  0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93,
+  0xc9, 0x9c, 0xef, 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb,
+  0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61, 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6,
+  0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d};
 
 /* This function adds the round key to state.  The round key is added
    to the state by an XOR function. */
@@ -428,7 +323,7 @@ struct {
   __uint(max_entries, 255);
   __type(key, __u64);
   __type(value, __u32);
-} cid_prefix_map SEC(".maps");
+} worker_id_map SEC(".maps");
 
 struct {
   __uint(type, BPF_MAP_TYPE_REUSEPORT_SOCKARRAY);
@@ -439,11 +334,18 @@ struct {
 
 struct {
   __uint(type, BPF_MAP_TYPE_ARRAY);
-  __uint(max_entries, 3);
+  __uint(max_entries, 1);
   __type(key, __u32);
   __type(value, __u64);
 } sk_info SEC(".maps");
 
+struct {
+  __uint(type, BPF_MAP_TYPE_ARRAY);
+  __uint(max_entries, 1);
+  __type(key, __u32);
+  __type(value, struct AES_ctx);
+} aes_key SEC(".maps");
+
 typedef struct quic_hd {
   __u8 *dcid;
   __u32 dcidlen;
@@ -451,11 +353,11 @@ typedef struct quic_hd {
   __u8 type;
 } quic_hd;
 
-#define SV_DCIDLEN 20
+#define SV_DCIDLEN 17
 #define MAX_DCIDLEN 20
 #define MIN_DCIDLEN 8
-#define CID_PREFIXLEN 8
-#define CID_PREFIX_OFFSET 1
+#define WORKER_IDLEN 8
+#define WORKER_ID_OFFSET 1
 
 enum {
   NGTCP2_PKT_INITIAL = 0x0,
@@ -573,14 +475,39 @@ static __u32 sk_index_from_dcid(const quic_hd *qhd,
 SEC("sk_reuseport")
 int select_reuseport(struct sk_reuseport_md *reuse_md) {
   __u32 sk_index, *psk_index;
-  __u64 *pnum_socks, *pkey;
-  __u32 zero = 0, key_high_idx = 1, key_low_idx = 2;
+  __u64 *pnum_socks;
+  __u32 zero = 0;
   int rv;
   quic_hd qhd;
   __u8 qpktbuf[6 + MAX_DCIDLEN];
-  struct AES_ctx aes_ctx;
-  __u8 key[AES_KEYLEN];
-  __u8 *cid_prefix;
+  struct AES_ctx *aes_ctx;
+  __u8 *worker_id;
+  __u16 remote_port;
+  __u8 *data = reuse_md->data;
+
+  /* Packets less than 22 bytes never be a valid QUIC packet. */
+  if (reuse_md->len < sizeof(struct udphdr) + 22) {
+    return SK_DROP;
+  }
+
+  if (reuse_md->data + sizeof(struct udphdr) > reuse_md->data_end) {
+    return SK_DROP;
+  }
+
+  remote_port = (data[0] << 8) + data[1];
+
+  switch (remote_port) {
+  case 1900:
+  case 5353:
+  case 11211:
+  case 20800:
+  case 27015:
+    return SK_DROP;
+  default:
+    if (remote_port < 1024) {
+      return SK_DROP;
+    }
+  }
 
   if (bpf_skb_load_bytes(reuse_md, sizeof(struct udphdr), qpktbuf,
                          sizeof(qpktbuf)) != 0) {
@@ -592,35 +519,24 @@ int select_reuseport(struct sk_reuseport_md *reuse_md) {
     return SK_DROP;
   }
 
-  pkey = bpf_map_lookup_elem(&sk_info, &key_high_idx);
-  if (pkey == NULL) {
+  aes_ctx = bpf_map_lookup_elem(&aes_key, &zero);
+  if (aes_ctx == NULL) {
     return SK_DROP;
   }
 
-  __builtin_memcpy(key, pkey, sizeof(*pkey));
-
-  pkey = bpf_map_lookup_elem(&sk_info, &key_low_idx);
-  if (pkey == NULL) {
-    return SK_DROP;
-  }
-
-  __builtin_memcpy(key + sizeof(*pkey), pkey, sizeof(*pkey));
-
   rv = parse_quic(&qhd, qpktbuf, qpktbuf + sizeof(qpktbuf));
   if (rv != 0) {
     return SK_DROP;
   }
 
-  AES_init_ctx(&aes_ctx, key);
-
   switch (qhd.type) {
   case NGTCP2_PKT_INITIAL:
   case NGTCP2_PKT_0RTT:
     if (qhd.dcidlen == SV_DCIDLEN) {
-      cid_prefix = qhd.dcid + CID_PREFIX_OFFSET;
-      AES_ECB_decrypt(&aes_ctx, cid_prefix);
+      worker_id = qhd.dcid + WORKER_ID_OFFSET;
+      AES_ECB_decrypt(aes_ctx, worker_id);
 
-      psk_index = bpf_map_lookup_elem(&cid_prefix_map, cid_prefix);
+      psk_index = bpf_map_lookup_elem(&worker_id_map, worker_id);
       if (psk_index != NULL) {
         sk_index = *psk_index;
 
@@ -637,10 +553,10 @@ int select_reuseport(struct sk_reuseport_md *reuse_md) {
       return SK_DROP;
     }
 
-    cid_prefix = qhd.dcid + CID_PREFIX_OFFSET;
-    AES_ECB_decrypt(&aes_ctx, cid_prefix);
+    worker_id = qhd.dcid + WORKER_ID_OFFSET;
+    AES_ECB_decrypt(aes_ctx, worker_id);
 
-    psk_index = bpf_map_lookup_elem(&cid_prefix_map, cid_prefix);
+    psk_index = bpf_map_lookup_elem(&worker_id_map, worker_id);
     if (psk_index == NULL) {
       sk_index = sk_index_from_dcid(&qhd, reuse_md, *pnum_socks);
 

cmake/FindCUnit.cmake

@@ -1,40 +0,0 @@
-# - Try to find cunit
-# Once done this will define
-#  CUNIT_FOUND        - System has cunit
-#  CUNIT_INCLUDE_DIRS - The cunit include directories
-#  CUNIT_LIBRARIES    - The libraries needed to use cunit
-
-find_package(PkgConfig QUIET)
-pkg_check_modules(PC_CUNIT QUIET cunit)
-
-find_path(CUNIT_INCLUDE_DIR
-  NAMES CUnit/CUnit.h
-  HINTS ${PC_CUNIT_INCLUDE_DIRS}
-)
-find_library(CUNIT_LIBRARY
-  NAMES cunit
-  HINTS ${PC_CUNIT_LIBRARY_DIRS}
-)
-
-if(CUNIT_INCLUDE_DIR)
-  set(_version_regex "^#define[ \t]+CU_VERSION[ \t]+\"([^\"]+)\".*")
-  file(STRINGS "${CUNIT_INCLUDE_DIR}/CUnit/CUnit.h"
-    CUNIT_VERSION REGEX "${_version_regex}")
-  string(REGEX REPLACE "${_version_regex}" "\\1"
-    CUNIT_VERSION "${CUNIT_VERSION}")
-  unset(_version_regex)
-endif()
-
-include(FindPackageHandleStandardArgs)
-# handle the QUIETLY and REQUIRED arguments and set CUNIT_FOUND to TRUE
-# if all listed variables are TRUE and the requested version matches.
-find_package_handle_standard_args(CUnit REQUIRED_VARS
-                                  CUNIT_LIBRARY CUNIT_INCLUDE_DIR
-                                  VERSION_VAR CUNIT_VERSION)
-
-if(CUNIT_FOUND)
-  set(CUNIT_LIBRARIES     ${CUNIT_LIBRARY})
-  set(CUNIT_INCLUDE_DIRS  ${CUNIT_INCLUDE_DIR})
-endif()
-
-mark_as_advanced(CUNIT_INCLUDE_DIR CUNIT_LIBRARY)

cmake/FindLibbrotlidec.cmake

@@ -0,0 +1,36 @@
+# - Try to find libbrotlidec
+# Once done this will define
+#  LIBBROTLIDEC_FOUND        - System has libbrotlidec
+#  LIBBROTLIDEC_INCLUDE_DIRS - The libbrotlidec include directories
+#  LIBBROTLIDEC_LIBRARIES    - The libraries needed to use libbrotlidec
+
+find_package(PkgConfig QUIET)
+pkg_check_modules(PC_LIBBROTLIDEC QUIET libbrotlidec)
+
+find_path(LIBBROTLIDEC_INCLUDE_DIR
+  NAMES brotli/decode.h
+  HINTS ${PC_LIBBROTLIDEC_INCLUDE_DIRS}
+)
+find_library(LIBBROTLIDEC_LIBRARY
+  NAMES brotlidec
+  HINTS ${PC_LIBBROTLIDEC_LIBRARY_DIRS}
+)
+
+if(PC_LIBBROTLIDEC_FOUND)
+  set(LIBBROTLIDEC_VERSION ${PC_LIBBROTLIDEC_VERSION})
+endif()
+
+include(FindPackageHandleStandardArgs)
+# handle the QUIETLY and REQUIRED arguments and set LIBBROTLIDEC_FOUND
+# to TRUE if all listed variables are TRUE and the requested version
+# matches.
+find_package_handle_standard_args(Libbrotlidec REQUIRED_VARS
+                                  LIBBROTLIDEC_LIBRARY LIBBROTLIDEC_INCLUDE_DIR
+                                  VERSION_VAR LIBBROTLIDEC_VERSION)
+
+if(LIBBROTLIDEC_FOUND)
+  set(LIBBROTLIDEC_LIBRARIES     ${LIBBROTLIDEC_LIBRARY})
+  set(LIBBROTLIDEC_INCLUDE_DIRS  ${LIBBROTLIDEC_INCLUDE_DIR})
+endif()
+
+mark_as_advanced(LIBBROTLIDEC_INCLUDE_DIR LIBBROTLIDEC_LIBRARY)

cmake/FindLibbrotlienc.cmake

@@ -0,0 +1,36 @@
+# - Try to find libbrotlienc
+# Once done this will define
+#  LIBBROTLIENC_FOUND        - System has libbrotlienc
+#  LIBBROTLIENC_INCLUDE_DIRS - The libbrotlienc include directories
+#  LIBBROTLIENC_LIBRARIES    - The libraries needed to use libbrotlienc
+
+find_package(PkgConfig QUIET)
+pkg_check_modules(PC_LIBBROTLIENC QUIET libbrotlienc)
+
+find_path(LIBBROTLIENC_INCLUDE_DIR
+  NAMES brotli/encode.h
+  HINTS ${PC_LIBBROTLIENC_INCLUDE_DIRS}
+)
+find_library(LIBBROTLIENC_LIBRARY
+  NAMES brotlienc
+  HINTS ${PC_LIBBROTLIENC_LIBRARY_DIRS}
+)
+
+if(PC_LIBBROTLIENC_FOUND)
+  set(LIBBROTLIENC_VERSION ${PC_LIBBROTLIENC_VERSION})
+endif()
+
+include(FindPackageHandleStandardArgs)
+# handle the QUIETLY and REQUIRED arguments and set LIBBROTLIENC_FOUND
+# to TRUE if all listed variables are TRUE and the requested version
+# matches.
+find_package_handle_standard_args(Libbrotlienc REQUIRED_VARS
+                                  LIBBROTLIENC_LIBRARY LIBBROTLIENC_INCLUDE_DIR
+                                  VERSION_VAR LIBBROTLIENC_VERSION)
+
+if(LIBBROTLIENC_FOUND)
+  set(LIBBROTLIENC_LIBRARIES     ${LIBBROTLIENC_LIBRARY})
+  set(LIBBROTLIENC_INCLUDE_DIRS  ${LIBBROTLIENC_INCLUDE_DIR})
+endif()
+
+mark_as_advanced(LIBBROTLIENC_INCLUDE_DIR LIBBROTLIENC_LIBRARY)

cmake/FindLibcares.cmake

@@ -17,12 +17,18 @@ find_library(LIBCARES_LIBRARY
 )
 
 if(LIBCARES_INCLUDE_DIR)
-  set(_version_regex "^#define[ \t]+ARES_VERSION_STR[ \t]+\"([^\"]+)\".*")
-  file(STRINGS "${LIBCARES_INCLUDE_DIR}/ares_version.h"
-    LIBCARES_VERSION REGEX "${_version_regex}")
-  string(REGEX REPLACE "${_version_regex}" "\\1"
-    LIBCARES_VERSION "${LIBCARES_VERSION}")
-  unset(_version_regex)
+  file(READ "${LIBCARES_INCLUDE_DIR}/ares_version.h" _ares_version_h)
+  string(REGEX REPLACE ".*#define[ \t]+ARES_VERSION_MAJOR[ \t]+([0-9]+).*" "\\1"
+    _ares_version_major ${_ares_version_h})
+  string(REGEX REPLACE ".*#define[ \t]+ARES_VERSION_MINOR[ \t]+([0-9]+).*" "\\1"
+    _ares_version_minor ${_ares_version_h})
+  string(REGEX REPLACE ".*#define[ \t]+ARES_VERSION_PATCH[ \t]+([0-9]+).*" "\\1"
+    _ares_version_patch ${_ares_version_h})
+  set(LIBCARES_VERSION "${_ares_version_major}.${_ares_version_minor}.${_ares_version_patch}")
+  unset(_ares_version_patch)
+  unset(_ares_version_minor)
+  unset(_ares_version_major)
+  unset(_ares_version_h)
 endif()
 
 include(FindPackageHandleStandardArgs)

cmake/FindLibngtcp2_crypto_libressl.cmake

@@ -0,0 +1,43 @@
+# - Try to find libngtcp2_crypto_libressl
+# Once done this will define
+#  LIBNGTCP2_CRYPTO_LIBRESSL_FOUND        - System has libngtcp2_crypto_libressl
+#  LIBNGTCP2_CRYPTO_LIBRESSL_INCLUDE_DIRS - The libngtcp2_crypto_libressl include directories
+#  LIBNGTCP2_CRYPTO_LIBRESSL_LIBRARIES    - The libraries needed to use libngtcp2_crypto_libressl
+
+find_package(PkgConfig QUIET)
+pkg_check_modules(PC_LIBNGTCP2_CRYPTO_LIBRESSL QUIET libngtcp2_crypto_libressl)
+
+find_path(LIBNGTCP2_CRYPTO_LIBRESSL_INCLUDE_DIR
+  NAMES ngtcp2/ngtcp2_crypto_quictls.h
+  HINTS ${PC_LIBNGTCP2_CRYPTO_LIBRESSL_INCLUDE_DIRS}
+)
+find_library(LIBNGTCP2_CRYPTO_LIBRESSL_LIBRARY
+  NAMES ngtcp2_crypto_libressl
+  HINTS ${PC_LIBNGTCP2_CRYPTO_LIBRESSL_LIBRARY_DIRS}
+)
+
+if(LIBNGTCP2_CRYPTO_LIBRESSL_INCLUDE_DIR)
+  set(_version_regex "^#define[ \t]+NGTCP2_VERSION[ \t]+\"([^\"]+)\".*")
+  file(STRINGS "${LIBNGTCP2_CRYPTO_LIBRESSL_INCLUDE_DIR}/ngtcp2/version.h"
+    LIBNGTCP2_CRYPTO_LIBRESSL_VERSION REGEX "${_version_regex}")
+  string(REGEX REPLACE "${_version_regex}" "\\1"
+    LIBNGTCP2_CRYPTO_LIBRESSL_VERSION "${LIBNGTCP2_CRYPTO_LIBRESSL_VERSION}")
+  unset(_version_regex)
+endif()
+
+include(FindPackageHandleStandardArgs)
+# handle the QUIETLY and REQUIRED arguments and set
+# LIBNGTCP2_CRYPTO_LIBRESSL_FOUND to TRUE if all listed variables are
+# TRUE and the requested version matches.
+find_package_handle_standard_args(Libngtcp2_crypto_libressl REQUIRED_VARS
+                                  LIBNGTCP2_CRYPTO_LIBRESSL_LIBRARY
+                                  LIBNGTCP2_CRYPTO_LIBRESSL_INCLUDE_DIR
+                                  VERSION_VAR LIBNGTCP2_CRYPTO_LIBRESSL_VERSION)
+
+if(LIBNGTCP2_CRYPTO_LIBRESSL_FOUND)
+  set(LIBNGTCP2_CRYPTO_LIBRESSL_LIBRARIES ${LIBNGTCP2_CRYPTO_LIBRESSL_LIBRARY})
+  set(LIBNGTCP2_CRYPTO_LIBRESSL_INCLUDE_DIRS ${LIBNGTCP2_CRYPTO_LIBRESSL_INCLUDE_DIR})
+endif()
+
+mark_as_advanced(LIBNGTCP2_CRYPTO_LIBRESSL_INCLUDE_DIR
+                 LIBNGTCP2_CRYPTO_LIBRESSL_LIBRARY)

cmake/FindLibngtcp2_crypto_ossl.cmake

@@ -0,0 +1,43 @@
+# - Try to find libngtcp2_crypto_ossl
+# Once done this will define
+#  LIBNGTCP2_CRYPTO_OSSL_FOUND        - System has libngtcp2_crypto_ossl
+#  LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIRS - The libngtcp2_crypto_ossl include directories
+#  LIBNGTCP2_CRYPTO_OSSL_LIBRARIES    - The libraries needed to use libngtcp2_crypto_ossl
+
+find_package(PkgConfig QUIET)
+pkg_check_modules(PC_LIBNGTCP2_CRYPTO_OSSL QUIET libngtcp2_crypto_ossl)
+
+find_path(LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIR
+  NAMES ngtcp2/ngtcp2_crypto_ossl.h
+  HINTS ${PC_LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIRS}
+)
+find_library(LIBNGTCP2_CRYPTO_OSSL_LIBRARY
+  NAMES ngtcp2_crypto_ossl
+  HINTS ${PC_LIBNGTCP2_CRYPTO_OSSL_LIBRARY_DIRS}
+)
+
+if(LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIR)
+  set(_version_regex "^#define[ \t]+NGTCP2_VERSION[ \t]+\"([^\"]+)\".*")
+  file(STRINGS "${LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIR}/ngtcp2/version.h"
+    LIBNGTCP2_CRYPTO_OSSL_VERSION REGEX "${_version_regex}")
+  string(REGEX REPLACE "${_version_regex}" "\\1"
+    LIBNGTCP2_CRYPTO_OSSL_VERSION "${LIBNGTCP2_CRYPTO_OSSL_VERSION}")
+  unset(_version_regex)
+endif()
+
+include(FindPackageHandleStandardArgs)
+# handle the QUIETLY and REQUIRED arguments and set
+# LIBNGTCP2_CRYPTO_OSSL_FOUND to TRUE if all listed variables are
+# TRUE and the requested version matches.
+find_package_handle_standard_args(Libngtcp2_crypto_ossl REQUIRED_VARS
+                                  LIBNGTCP2_CRYPTO_OSSL_LIBRARY
+                                  LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIR
+                                  VERSION_VAR LIBNGTCP2_CRYPTO_OSSL_VERSION)
+
+if(LIBNGTCP2_CRYPTO_OSSL_FOUND)
+  set(LIBNGTCP2_CRYPTO_OSSL_LIBRARIES ${LIBNGTCP2_CRYPTO_OSSL_LIBRARY})
+  set(LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIRS ${LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIR})
+endif()
+
+mark_as_advanced(LIBNGTCP2_CRYPTO_OSSL_INCLUDE_DIR
+                 LIBNGTCP2_CRYPTO_OSSL_LIBRARY)

cmake/FindLibngtcp2_crypto_wolfssl.cmake

@@ -0,0 +1,43 @@
+# - Try to find libngtcp2_crypto_wolfssl
+# Once done this will define
+#  LIBNGTCP2_CRYPTO_WOLFSSL_FOUND        - System has libngtcp2_crypto_wolfssl
+#  LIBNGTCP2_CRYPTO_WOLFSSL_INCLUDE_DIRS - The libngtcp2_crypto_wolfssl include directories
+#  LIBNGTCP2_CRYPTO_WOLFSSL_LIBRARIES    - The libraries needed to use libngtcp2_crypto_wolfssl
+
+find_package(PkgConfig QUIET)
+pkg_check_modules(PC_LIBNGTCP2_CRYPTO_WOLFSSL QUIET libngtcp2_crypto_wolfssl)
+
+find_path(LIBNGTCP2_CRYPTO_WOLFSSL_INCLUDE_DIR
+  NAMES ngtcp2/ngtcp2_crypto_wolfssl.h
+  HINTS ${PC_LIBNGTCP2_CRYPTO_WOLFSSL_INCLUDE_DIRS}
+)
+find_library(LIBNGTCP2_CRYPTO_WOLFSSL_LIBRARY
+  NAMES ngtcp2_crypto_wolfssl
+  HINTS ${PC_LIBNGTCP2_CRYPTO_WOLFSSL_LIBRARY_DIRS}
+)
+
+if(LIBNGTCP2_CRYPTO_WOLFSSL_INCLUDE_DIR)
+  set(_version_regex "^#define[ \t]+NGTCP2_VERSION[ \t]+\"([^\"]+)\".*")
+  file(STRINGS "${LIBNGTCP2_CRYPTO_WOLFSSL_INCLUDE_DIR}/ngtcp2/version.h"
+    LIBNGTCP2_CRYPTO_WOLFSSL_VERSION REGEX "${_version_regex}")
+  string(REGEX REPLACE "${_version_regex}" "\\1"
+    LIBNGTCP2_CRYPTO_WOLFSSL_VERSION "${LIBNGTCP2_CRYPTO_WOLFSSL_VERSION}")
+  unset(_version_regex)
+endif()
+
+include(FindPackageHandleStandardArgs)
+# handle the QUIETLY and REQUIRED arguments and set
+# LIBNGTCP2_CRYPTO_WOLFSSL_FOUND to TRUE if all listed variables are
+# TRUE and the requested version matches.
+find_package_handle_standard_args(Libngtcp2_crypto_wolfssl REQUIRED_VARS
+                                  LIBNGTCP2_CRYPTO_WOLFSSL_LIBRARY
+                                  LIBNGTCP2_CRYPTO_WOLFSSL_INCLUDE_DIR
+                                  VERSION_VAR LIBNGTCP2_CRYPTO_WOLFSSL_VERSION)
+
+if(LIBNGTCP2_CRYPTO_WOLFSSL_FOUND)
+  set(LIBNGTCP2_CRYPTO_WOLFSSL_LIBRARIES ${LIBNGTCP2_CRYPTO_WOLFSSL_LIBRARY})
+  set(LIBNGTCP2_CRYPTO_WOLFSSL_INCLUDE_DIRS ${LIBNGTCP2_CRYPTO_WOLFSSL_INCLUDE_DIR})
+endif()
+
+mark_as_advanced(LIBNGTCP2_CRYPTO_WOLFSSL_INCLUDE_DIR
+                 LIBNGTCP2_CRYPTO_WOLFSSL_LIBRARY)

cmake/FindWolfSSL.cmake

@@ -0,0 +1,41 @@
+# - Try to find wolfssl
+# Once done this will define
+#  WOLFSSL_FOUND        - System has wolfssl
+#  WOLFSSL_INCLUDE_DIRS - The wolfssl include directories
+#  WOLFSSL_LIBRARIES    - The libraries needed to use wolfssl
+
+find_package(PkgConfig QUIET)
+pkg_check_modules(PC_WOLFSSL QUIET wolfssl)
+
+find_path(WOLFSSL_INCLUDE_DIR
+  NAMES wolfssl/ssl.h
+  HINTS ${PC_WOLFSSL_INCLUDE_DIRS}
+)
+find_library(WOLFSSL_LIBRARY
+  NAMES wolfssl
+  HINTS ${PC_WOLFSSL_LIBRARY_DIRS}
+)
+
+if(WOLFSSL_INCLUDE_DIR)
+  set(_version_regex "^#define[ \t]+LIBWOLFSSL_VERSION_STRING[ \t]+\"([^\"]+)\".*")
+  file(STRINGS "${WOLFSSL_INCLUDE_DIR}/wolfssl/version.h"
+    WOLFSSL_VERSION REGEX "${_version_regex}")
+  string(REGEX REPLACE "${_version_regex}" "\\1"
+    WOLFSSL_VERSION "${WOLFSSL_VERSION}")
+  unset(_version_regex)
+endif()
+
+include(FindPackageHandleStandardArgs)
+# handle the QUIETLY and REQUIRED arguments and set WOLFSSL_FOUND
+# to TRUE if all listed variables are TRUE and the requested version
+# matches.
+find_package_handle_standard_args(WolfSSL REQUIRED_VARS
+                                  WOLFSSL_LIBRARY WOLFSSL_INCLUDE_DIR
+                                  VERSION_VAR WOLFSSL_VERSION)
+
+if(WOLFSSL_FOUND)
+  set(WOLFSSL_LIBRARIES     ${WOLFSSL_LIBRARY})
+  set(WOLFSSL_INCLUDE_DIRS  ${WOLFSSL_INCLUDE_DIR})
+endif()
+
+mark_as_advanced(WOLFSSL_INCLUDE_DIR WOLFSSL_LIBRARY)

cmake/PickyWarningsC.cmake

@@ -0,0 +1,162 @@
+# nghttp2
+#
+# Copyright (c) 2023 nghttp2 contributors
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+# C
+
+include(CheckCCompilerFlag)
+
+if(CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX OR CMAKE_C_COMPILER_ID MATCHES "Clang")
+
+  # https://clang.llvm.org/docs/DiagnosticsReference.html
+  # https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html
+
+  # WPICKY_ENABLE = Options we want to enable as-is.
+  # WPICKY_DETECT = Options we want to test first and enable if available.
+
+  # Prefer the -Wextra alias with clang.
+  if(CMAKE_C_COMPILER_ID MATCHES "Clang")
+    set(WPICKY_ENABLE "-Wextra")
+  else()
+    set(WPICKY_ENABLE "-W")
+  endif()
+
+  list(APPEND WPICKY_ENABLE
+    -Wall
+  )
+
+  # ----------------------------------
+  # Add new options here, if in doubt:
+  # ----------------------------------
+  set(WPICKY_DETECT
+  )
+
+  # Assume these options always exist with both clang and gcc.
+  # Require clang 3.0 / gcc 2.95 or later.
+  list(APPEND WPICKY_ENABLE
+    -Wconversion                         # clang  3.0  gcc  2.95
+    -Winline                             # clang  1.0  gcc  1.0
+    -Wmissing-declarations               # clang  1.0  gcc  2.7
+    -Wmissing-prototypes                 # clang  1.0  gcc  1.0
+    -Wnested-externs                     # clang  1.0  gcc  2.7
+    -Wpointer-arith                      # clang  1.0  gcc  1.4
+    -Wshadow                             # clang  1.0  gcc  2.95
+    -Wundef                              # clang  1.0  gcc  2.95
+    -Wwrite-strings                      # clang  1.0  gcc  1.4
+  )
+
+  # Always enable with clang, version dependent with gcc
+  set(WPICKY_COMMON_OLD
+    -Waddress                            # clang  3.0  gcc  4.3
+    -Wattributes                         # clang  3.0  gcc  4.1
+    -Wcast-align                         # clang  1.0  gcc  4.2
+    -Wdeclaration-after-statement        # clang  1.0  gcc  3.4
+    -Wdiv-by-zero                        # clang  3.0  gcc  4.1
+    -Wempty-body                         # clang  3.0  gcc  4.3
+    -Wendif-labels                       # clang  1.0  gcc  3.3
+    -Wfloat-equal                        # clang  1.0  gcc  2.96 (3.0)
+    -Wformat-nonliteral                  # clang  3.0  gcc  4.1
+    -Wformat-security                    # clang  3.0  gcc  4.1
+    -Wmissing-field-initializers         # clang  3.0  gcc  4.1
+    -Wmissing-noreturn                   # clang  3.0  gcc  4.1
+    -Wno-format-nonliteral               # clang  1.0  gcc  2.96 (3.0)        # This is required because we pass format string as "const char*"
+  # -Wpadded                             # clang  3.0  gcc  4.1               # Not used because we cannot change public structs
+    -Wredundant-decls                    # clang  3.0  gcc  4.1
+    -Wsign-conversion                    # clang  3.0  gcc  4.3
+    -Wstrict-prototypes                  # clang  1.0  gcc  3.3
+  # -Wswitch-enum                        # clang  3.0  gcc  4.1               # Not used because this basically disallows default case
+    -Wunreachable-code                   # clang  3.0  gcc  4.1
+    -Wunused-parameter                   # clang  3.0  gcc  4.1
+    -Wvla                                # clang  2.8  gcc  4.3
+  )
+
+  set(WPICKY_COMMON
+    -Wpragmas                            # clang  3.5  gcc  4.1  appleclang  6.0
+  )
+
+  if(CMAKE_C_COMPILER_ID MATCHES "Clang")
+    list(APPEND WPICKY_ENABLE
+      ${WPICKY_COMMON_OLD}
+      -Wshorten-64-to-32                 # clang  1.0
+      -Wlanguage-extension-token         # clang  3.0
+    )
+    # Enable based on compiler version
+    if((CMAKE_C_COMPILER_ID STREQUAL "Clang"      AND NOT CMAKE_C_COMPILER_VERSION VERSION_LESS 3.6) OR
+       (CMAKE_C_COMPILER_ID STREQUAL "AppleClang" AND NOT CMAKE_C_COMPILER_VERSION VERSION_LESS 6.3))
+      list(APPEND WPICKY_ENABLE
+        ${WPICKY_COMMON}
+        -Wunreachable-code-break         # clang  3.5            appleclang  6.0
+        -Wheader-guard                   # clang  3.4            appleclang  5.1
+      )
+    endif()
+    if((CMAKE_C_COMPILER_ID STREQUAL "Clang"      AND NOT CMAKE_C_COMPILER_VERSION VERSION_LESS 3.9) OR
+       (CMAKE_C_COMPILER_ID STREQUAL "AppleClang" AND NOT CMAKE_C_COMPILER_VERSION VERSION_LESS 8.3))
+      list(APPEND WPICKY_ENABLE
+        -Wmissing-variable-declarations  # clang  3.2            appleclang  4.6
+      )
+    endif()
+    if((CMAKE_C_COMPILER_ID STREQUAL "Clang"      AND NOT CMAKE_C_COMPILER_VERSION VERSION_LESS 5.0) OR
+       (CMAKE_C_COMPILER_ID STREQUAL "AppleClang" AND NOT CMAKE_C_COMPILER_VERSION VERSION_LESS 9.4))
+      list(APPEND WPICKY_ENABLE
+      )
+    endif()
+    if((CMAKE_C_COMPILER_ID STREQUAL "Clang"      AND NOT CMAKE_C_COMPILER_VERSION VERSION_LESS 7.0) OR
+       (CMAKE_C_COMPILER_ID STREQUAL "AppleClang" AND NOT CMAKE_C_COMPILER_VERSION VERSION_LESS 10.3))
+      list(APPEND WPICKY_ENABLE
+      )
+    endif()
+  else()  # gcc
+    list(APPEND WPICKY_DETECT
+      ${WPICKY_COMMON}
+    )
+    # Enable based on compiler version
+    if(NOT CMAKE_C_COMPILER_VERSION VERSION_LESS 4.3)
+      list(APPEND WPICKY_ENABLE
+        ${WPICKY_COMMON_OLD}
+        -Wclobbered                      #             gcc  4.3
+      )
+    endif()
+  endif()
+
+  #
+
+  unset(_wpicky)
+
+  foreach(_CCOPT IN LISTS WPICKY_ENABLE)
+    set(_wpicky "${_wpicky} ${_CCOPT}")
+  endforeach()
+
+  foreach(_CCOPT IN LISTS WPICKY_DETECT)
+    # surprisingly, CHECK_C_COMPILER_FLAG needs a new variable to store each new
+    # test result in.
+    string(MAKE_C_IDENTIFIER "OPT${_CCOPT}" _optvarname)
+    # GCC only warns about unknown -Wno- options if there are also other diagnostic messages,
+    # so test for the positive form instead
+    string(REPLACE "-Wno-" "-W" _CCOPT_ON "${_CCOPT}")
+    check_c_compiler_flag(${_CCOPT_ON} ${_optvarname})
+    if(${_optvarname})
+      set(_wpicky "${_wpicky} ${_CCOPT}")
+    endif()
+  endforeach()
+
+  set(WARNCFLAGS "${WARNCFLAGS} ${_wpicky}")
+endif()

cmake/PickyWarningsCXX.cmake

@@ -0,0 +1,121 @@
+# nghttp2
+#
+# Copyright (c) 2023 nghttp2 contributors
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+# C++
+
+include(CheckCXXCompilerFlag)
+
+if(CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_GNUCXX OR CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+
+  # https://clang.llvm.org/docs/DiagnosticsReference.html
+  # https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html
+
+  # WPICKY_ENABLE = Options we want to enable as-is.
+  # WPICKY_DETECT = Options we want to test first and enable if available.
+
+  set(WPICKY_ENABLE "-Wall")
+
+  # ----------------------------------
+  # Add new options here, if in doubt:
+  # ----------------------------------
+  set(WPICKY_DETECT
+  )
+
+  # Assume these options always exist with both clang and gcc.
+  # Require clang 3.0 / gcc 2.95 or later.
+  list(APPEND WPICKY_ENABLE
+  )
+
+  # Always enable with clang, version dependent with gcc
+  set(WPICKY_COMMON_OLD
+    -Wformat-security                    # clang  3.0  gcc  4.1
+  )
+
+  set(WPICKY_COMMON
+  )
+
+  if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+    list(APPEND WPICKY_ENABLE
+      ${WPICKY_COMMON_OLD}
+    )
+    list(APPEND WPICKY_ENABLE
+      # clang++-18 warns this when building with wolfSSL >= v5.7.6-stable.
+      -Wno-extern-c-compat
+    )
+    # Enable based on compiler version
+    if((CMAKE_CXX_COMPILER_ID STREQUAL "Clang"      AND NOT CMAKE_CXX_COMPILER_VERSION VERSION_LESS 3.6) OR
+       (CMAKE_CXX_COMPILER_ID STREQUAL "AppleClang" AND NOT CMAKE_CXX_COMPILER_VERSION VERSION_LESS 6.3))
+      list(APPEND WPICKY_ENABLE
+        ${WPICKY_COMMON}
+      )
+    endif()
+    if((CMAKE_CXX_COMPILER_ID STREQUAL "Clang"      AND NOT CMAKE_CXX_COMPILER_VERSION VERSION_LESS 3.9) OR
+       (CMAKE_CXX_COMPILER_ID STREQUAL "AppleClang" AND NOT CMAKE_CXX_COMPILER_VERSION VERSION_LESS 8.3))
+      list(APPEND WPICKY_ENABLE
+      )
+    endif()
+    if((CMAKE_CXX_COMPILER_ID STREQUAL "Clang"      AND NOT CMAKE_CXX_COMPILER_VERSION VERSION_LESS 5.0) OR
+       (CMAKE_CXX_COMPILER_ID STREQUAL "AppleClang" AND NOT CMAKE_CXX_COMPILER_VERSION VERSION_LESS 9.4))
+      list(APPEND WPICKY_ENABLE
+      )
+    endif()
+    if((CMAKE_CXX_COMPILER_ID STREQUAL "Clang"      AND NOT CMAKE_CXX_COMPILER_VERSION VERSION_LESS 7.0) OR
+       (CMAKE_CXX_COMPILER_ID STREQUAL "AppleClang" AND NOT CMAKE_CXX_COMPILER_VERSION VERSION_LESS 10.3))
+      list(APPEND WPICKY_ENABLE
+      )
+    endif()
+  else()  # gcc
+    list(APPEND WPICKY_DETECT
+      ${WPICKY_COMMON}
+    )
+    # Enable based on compiler version
+    if(NOT CMAKE_CXX_COMPILER_VERSION VERSION_LESS 4.3)
+      list(APPEND WPICKY_ENABLE
+        ${WPICKY_COMMON_OLD}
+      )
+    endif()
+  endif()
+
+  #
+
+  unset(_wpicky)
+
+  foreach(_CCOPT IN LISTS WPICKY_ENABLE)
+    set(_wpicky "${_wpicky} ${_CCOPT}")
+  endforeach()
+
+  foreach(_CCOPT IN LISTS WPICKY_DETECT)
+    # surprisingly, CHECK_CXX_COMPILER_FLAG needs a new variable to store each new
+    # test result in.
+    string(MAKE_C_IDENTIFIER "OPT${_CCOPT}" _optvarname)
+    # GCC only warns about unknown -Wno- options if there are also other diagnostic messages,
+    # so test for the positive form instead
+    string(REPLACE "-Wno-" "-W" _CCOPT_ON "${_CCOPT}")
+    check_cxx_compiler_flag(${_CCOPT_ON} ${_optvarname})
+    if(${_optvarname})
+      set(_wpicky "${_wpicky} ${_CCOPT}")
+    endif()
+  endforeach()
+
+  set(WARNCXXFLAGS "${WARNCXXFLAGS} ${_wpicky}")
+endif()

cmakeconfig.h.in

@@ -4,8 +4,8 @@
 /* Define to `int' if <sys/types.h> does not define. */
 #cmakedefine ssize_t @ssize_t@
 
-/* Define to 1 if you have the `std::map::emplace`. */
-#cmakedefine HAVE_STD_MAP_EMPLACE 1
+/* Define to 1 if you have the `std::chrono::time_zone`. */
+#cmakedefine HAVE_STD_CHRONO_TIME_ZONE 1
 
 /* Define to 1 if you have `libjansson` library. */
 #cmakedefine HAVE_JANSSON 1
@@ -19,24 +19,30 @@
 /* Define to 1 if you have `neverbleed` library. */
 #cmakedefine HAVE_NEVERBLEED 1
 
-/* sizeof(int *) */
-#cmakedefine SIZEOF_INT_P   @SIZEOF_INT_P@
-
-/* sizeof(time_t) */
-#cmakedefine SIZEOF_TIME_T  @SIZEOF_TIME_T@
-
 /* Define to 1 if you have the `_Exit` function. */
 #cmakedefine HAVE__EXIT 1
 
 /* Define to 1 if you have the `accept4` function. */
 #cmakedefine HAVE_ACCEPT4 1
 
+/* Define to 1 if you have the `clock_gettime` function. */
+#cmakedefine HAVE_CLOCK_GETTIME 1
+
 /* Define to 1 if you have the `mkostemp` function. */
 #cmakedefine HAVE_MKOSTEMP 1
 
+/* Define to 1 if you have the `pipe2` function. */
+#cmakedefine HAVE_PIPE2 1
+
+/* Define to 1 if you have the `GetTickCount64` function. */
+#cmakedefine HAVE_GETTICKCOUNT64 1
+
 /* Define to 1 if you have the `initgroups` function. */
 #cmakedefine01 HAVE_DECL_INITGROUPS
 
+/* Define to 1 if you have the `CLOCK_MONOTONIC` defined. */
+#cmakedefine01 HAVE_DECL_CLOCK_MONOTONIC
+
 /* Define to 1 to enable debug output. */
 #cmakedefine DEBUGBUILD 1
 
@@ -61,6 +67,9 @@
 /* Define to 1 if you have the <netinet/in.h> header file. */
 #cmakedefine HAVE_NETINET_IN_H 1
 
+/* Define to 1 if you have the <netinet/ip.h> header file. */
+#cmakedefine HAVE_NETINET_IP_H 1
+
 /* Define to 1 if you have the <pwd.h> header file. */
 #cmakedefine HAVE_PWD_H 1
 
@@ -73,12 +82,12 @@
 /* Define to 1 if you have the <syslog.h> header file. */
 #cmakedefine HAVE_SYSLOG_H 1
 
-/* Define to 1 if you have the <time.h> header file. */
-#cmakedefine HAVE_TIME_H 1
-
 /* Define to 1 if you have the <unistd.h> header file. */
 #cmakedefine HAVE_UNISTD_H 1
 
+/* Define to 1 if you have the <windows.h> header file. */
+#cmakedefine HAVE_WINDOWS_H 1
+
 /* Define to 1 if HTTP/3 is enabled. */
 #cmakedefine ENABLE_HTTP3 1
 
@@ -91,5 +100,17 @@
 /* Define to 1 if you have `libngtcp2_crypto_quictls` library. */
 #cmakedefine HAVE_LIBNGTCP2_CRYPTO_QUICTLS
 
+/* Define to 1 if you have `libngtcp2_crypto_libressl` library. */
+#cmakedefine HAVE_LIBNGTCP2_CRYPTO_LIBRESSL
+
+/* Define to 1 if you have `libngtcp2_crypto_wolfssl` library. */
+#cmakedefine HAVE_LIBNGTCP2_CRYPTO_WOLFSSL 1
+
 /* Define to 1 if you have `libev` library. */
 #cmakedefine HAVE_LIBEV 1
+
+/* Define to 1 if you have `libbrotlienc` and `libbrotlidec` libraries. */
+#cmakedefine HAVE_LIBBROTLI 1
+
+/* Define to 1 if you have `wolfssl` library. */
+#cmakedefine HAVE_WOLFSSL 1

configure.ac

@@ -25,7 +25,7 @@ dnl Do not change user variables!
 dnl https://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html
 
 AC_PREREQ(2.61)
-AC_INIT([nghttp2], [1.55.1], [t-tujikawa@users.sourceforge.net])
+AC_INIT([nghttp2], [1.69.0-DEV], [t-tujikawa@users.sourceforge.net])
 AC_CONFIG_AUX_DIR([.])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_HEADERS([config.h])
@@ -38,15 +38,15 @@ AC_CANONICAL_BUILD
 AC_CANONICAL_HOST
 AC_CANONICAL_TARGET
 
-AM_INIT_AUTOMAKE([subdir-objects])
+AM_INIT_AUTOMAKE([subdir-objects tar-pax])
 
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
 
 dnl See versioning rule:
 dnl  https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
-AC_SUBST(LT_CURRENT, 38)
-AC_SUBST(LT_REVISION, 3)
-AC_SUBST(LT_AGE, 24)
+AC_SUBST(LT_CURRENT, 43)
+AC_SUBST(LT_REVISION, 2)
+AC_SUBST(LT_AGE, 29)
 
 major=`echo $PACKAGE_VERSION |cut -d. -f1 | sed -e "s/[^0-9]//g"`
 minor=`echo $PACKAGE_VERSION |cut -d. -f2 | sed -e "s/[^0-9]//g"`
@@ -127,6 +127,11 @@ AC_ARG_WITH([libcares],
                     [Use libc-ares [default=check]])],
     [request_libcares=$withval], [request_libcares=check])
 
+AC_ARG_WITH([wolfssl],
+    [AS_HELP_STRING([--with-wolfssl],
+                    [Use wolfSSL [default=check]])],
+    [request_wolfssl=$withval], [request_wolfssl=check])
+
 AC_ARG_WITH([openssl],
     [AS_HELP_STRING([--with-openssl],
                     [Use openssl [default=check]])],
@@ -137,11 +142,6 @@ AC_ARG_WITH([libev],
                     [Use libev [default=check]])],
     [request_libev=$withval], [request_libev=check])
 
-AC_ARG_WITH([cunit],
-    [AS_HELP_STRING([--with-cunit],
-                    [Use cunit [default=check]])],
-    [request_cunit=$withval], [request_cunit=check])
-
 AC_ARG_WITH([jemalloc],
     [AS_HELP_STRING([--with-jemalloc],
                     [Use jemalloc [default=check]])],
@@ -177,6 +177,16 @@ AC_ARG_WITH([libbpf],
                     [Use libbpf [default=no]])],
     [request_libbpf=$withval], [request_libbpf=no])
 
+AC_ARG_WITH([libbrotlienc],
+    [AS_HELP_STRING([--with-libbrotlienc],
+                    [Use libbrotlienc [default=no]])],
+    [request_libbrotlienc=$withval], [request_libbrotlienc=no])
+
+AC_ARG_WITH([libbrotlidec],
+    [AS_HELP_STRING([--with-libbrotlidec],
+                    [Use libbrotlidec [default=no]])],
+    [request_libbrotlidec=$withval], [request_libbrotlidec=no])
+
 dnl Define variables
 AC_ARG_VAR([LIBEV_CFLAGS], [C compiler flags for libev, skipping any checks])
 AC_ARG_VAR([LIBEV_LIBS], [linker flags for libev, skipping any checks])
@@ -233,7 +243,7 @@ fi
 save_CXXFLAGS="$CXXFLAGS"
 CXXFLAGS=
 
-AX_CXX_COMPILE_STDCXX([14], [noext], [optional])
+AX_CXX_COMPILE_STDCXX([20], [], [optional])
 
 CXX1XCXXFLAGS="$CXXFLAGS"
 CXXFLAGS="$save_CXXFLAGS"
@@ -262,55 +272,40 @@ std::vector<std::future<int>> v;
     [have_std_future=no
      AC_MSG_RESULT([no])])
 
-# Check that std::map::emplace is available for g++-4.7.
-AC_MSG_CHECKING([whether std::map::emplace is available])
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM(
-[[
-#include <map>
-]],
-[[
-std::map<int, int>().emplace(1, 2);
-]])],
-    [AC_DEFINE([HAVE_STD_MAP_EMPLACE], [1],
-               [Define to 1 if you have the `std::map::emplace`.])
-     have_std_map_emplace=yes
-     AC_MSG_RESULT([yes])],
-    [have_std_map_emplace=no
-     AC_MSG_RESULT([no])])
-
-# Check that std::atomic_* overloads for std::shared_ptr are
-# available.
-AC_MSG_CHECKING([whether std::atomic_* overloads for std::shared_ptr are available])
+# Check that std::atomic<std::shared_ptr<T>> is supported.
+AC_MSG_CHECKING([whether std::atomic<std::shared_ptr<T>> is supported])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM(
 [[
 #include <memory>
 ]],
 [[
-auto a = std::make_shared<int>(1000000007);
-auto p = std::atomic_load(&a);
+auto a = std::atomic<std::shared_ptr<int>>(std::make_shared<int>(1000000007));
+auto p = a.load();
 ++*p;
-std::atomic_store(&a, p);
+a.store(p);
 ]])],
     [AC_DEFINE([HAVE_ATOMIC_STD_SHARED_PTR], [1],
-               [Define to 1 if you have the std::atomic_* overloads for std::shared_ptr.])
+               [Define to 1 if you have the std::atomic<std::shared_ptr<T>> is supported.])
      have_atomic_std_shared_ptr=yes
      AC_MSG_RESULT([yes])],
     [have_atomic_std_shared_ptr=no
      AC_MSG_RESULT([no])])
 
-# Check that thread_local storage specifier is available
-AC_MSG_CHECKING([whether thread_local storage class specifier is available.])
+# Check that std::chrono::time_zone is available.
+AC_MSG_CHECKING([whether std::chrono::time_zone is available])
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM(
-,
 [[
-thread_local int a = 0;
-(void)a;
+#include <chrono>
+]],
+[[
+auto tz = std::chrono::current_zone();
+(void)tz;
 ]])],
-    [AC_DEFINE([HAVE_THREAD_LOCAL], [1],
-               [Define to 1 if you have thread_local storage specifier.])
-     have_thread_local=yes
+    [AC_DEFINE([HAVE_STD_CHRONO_TIME_ZONE], [1],
+               [Define to 1 if you have the `std::chrono::time_zone`.])
+     have_std_chrono_time_zone=yes
      AC_MSG_RESULT([yes])],
-    [have_Thread_local=no
+    [have_std_chrono_time_zone=no
      AC_MSG_RESULT([no])])
 
 CXXFLAGS=$save_CXXFLAGS
@@ -329,7 +324,7 @@ case "$host_os" in
   *android*)
     android_build=yes
     # android does not need -pthread, but needs following 2 libs for C++
-    APPLDFLAGS="$APPLDFLAGS -lstdc++ -latomic"
+    APPLDFLAGS="$APPLDFLAGS -latomic"
     ;;
   *)
     PTHREAD_LDFLAGS="-pthread"
@@ -377,43 +372,6 @@ case "${host_os}" in
     ;;
 esac
 
-# cunit
-have_cunit=no
-if test "x${request_cunit}" != "xno"; then
-  PKG_CHECK_MODULES([CUNIT], [cunit >= 2.1], [have_cunit=yes], [have_cunit=no])
-  # If pkg-config does not find cunit, check it using AC_CHECK_LIB.  We
-  # do this because Debian (Ubuntu) lacks pkg-config file for cunit.
-  if test "x${have_cunit}" = "xno"; then
-    AC_MSG_WARN([${CUNIT_PKG_ERRORS}])
-    AC_CHECK_LIB([cunit], [CU_initialize_registry],
-                 [have_cunit=yes], [have_cunit=no])
-    if test "x${have_cunit}" = "xyes"; then
-      CUNIT_LIBS="-lcunit"
-      CUNIT_CFLAGS=""
-      AC_SUBST([CUNIT_LIBS])
-      AC_SUBST([CUNIT_CFLAGS])
-    fi
-  fi
-  if test "x${have_cunit}" = "xyes"; then
-    # cunit in Mac OS X requires ncurses. Note that in Mac OS X, test
-    # program can be built without -lncurses, but it emits runtime
-    # error.
-    case "${build}" in
-      *-apple-darwin*)
-        CUNIT_LIBS="$CUNIT_LIBS -lncurses"
-        AC_SUBST([CUNIT_LIBS])
-        ;;
-    esac
-  fi
-fi
-
-if test "x${request_cunit}" = "xyes" &&
-   test "x${have_cunit}" != "xyes"; then
-  AC_MSG_ERROR([cunit was requested (--with-cunit) but not found])
-fi
-
-AM_CONDITIONAL([HAVE_CUNIT], [ test "x${have_cunit}" = "xyes" ])
-
 # libev (for src)
 have_libev=no
 if test "x${request_libev}" != "xno"; then
@@ -444,30 +402,55 @@ if test "x${request_libev}" = "xyes" &&
   AC_MSG_ERROR([libev was requested (--with-libev) but not found])
 fi
 
+if test "x${request_openssl}" = "xyes" &&
+   test "x${request_wolfssl}" = "xyes"; then
+  AC_MSG_ERROR([Requesting both OpenSSL and wolfSSL is not allowed])
+fi
+
 # openssl (for src)
 have_openssl=no
-if test "x${request_openssl}" != "xno"; then
-  PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.0.1],
+if test "x${request_openssl}" != "xno" &&
+   test "x${request_wolfssl}" != "xyes"; then
+  PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.1.1],
                     [have_openssl=yes], [have_openssl=no])
   if test "x${have_openssl}" = "xno"; then
     AC_MSG_NOTICE($OPENSSL_PKG_ERRORS)
   else
-    save_CFLAGS="$CFLAGS"
+    # Use C++ compiler because boringssl needs C++ runtime.
+    AC_LANG_PUSH(C++)
+
+    save_CXXFLAGS="$CXXFLAGS"
     save_LIBS="$LIBS"
-    CFLAGS="$OPENSSL_CFLAGS $CFLAGS"
+    CXXFLAGS="$OPENSSL_CFLAGS $CXXFLAGS"
     LIBS="$OPENSSL_LIBS $LIBS"
 
-    # quictls/openssl has SSL_is_quic.
-    have_ssl_is_quic=no
-    AC_MSG_CHECKING([for SSL_is_quic])
+    # quictls/openssl has SSL_provide_quic_data.  boringssl also has
+    # it.  We will deal with it later.
+    have_ssl_provide_quic_data=no
+    AC_MSG_CHECKING([for SSL_provide_quic_data])
     AC_LINK_IFELSE([AC_LANG_PROGRAM([[
       #include <openssl/ssl.h>
     ]], [[
-      SSL *ssl = NULL;
-      SSL_is_quic(ssl);
+      SSL_provide_quic_data(NULL, (ssl_encryption_level_t)0, NULL, 0);
     ]])],
-    [AC_MSG_RESULT([yes]); have_ssl_is_quic=yes],
-    [AC_MSG_RESULT([no]); have_ssl_is_quic=no])
+    [AC_MSG_RESULT([yes]); have_ssl_provide_quic_data=yes],
+    [AC_MSG_RESULT([no]); have_ssl_provide_quic_data=no])
+
+    # Check whether this is libressl or not
+    AC_CHECK_DECLS([LIBRESSL_VERSION_NUMBER],
+                   [have_libressl=yes], [have_libressl=no],
+    [[
+    #include <openssl/opensslv.h>
+    ]])
+
+    AC_MSG_CHECKING([for SSL_set_quic_tls_cbs])
+    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+      #include <openssl/ssl.h>
+    ]], [[
+      SSL_set_quic_tls_cbs(NULL, NULL, NULL);
+    ]])],
+    [AC_MSG_RESULT([yes]); have_ossl_quic=yes],
+    [AC_MSG_RESULT([no]); have_ossl_quic=no])
 
     # boringssl has SSL_set_quic_early_data_context.
     AC_MSG_CHECKING([for SSL_set_quic_early_data_context])
@@ -480,8 +463,10 @@ if test "x${request_openssl}" != "xno"; then
     [AC_MSG_RESULT([yes]); have_boringssl_quic=yes],
     [AC_MSG_RESULT([no]); have_boringssl_quic=no])
 
-    CFLAGS="$save_CFLAGS"
+    CXXFLAGS="$save_CXXFLAGS"
     LIBS="$save_LIBS"
+
+    AC_LANG_POP()
   fi
 fi
 
@@ -490,10 +475,49 @@ if test "x${request_openssl}" = "xyes" &&
   AC_MSG_ERROR([openssl was requested (--with-openssl) but not found])
 fi
 
+# wolfSSL (for src)
+have_wolfssl=no
+if test "x${request_wolfssl}" != "xno" &&
+   test "x${request_openssl}" != "xyes" &&
+   test "x${have_openssl}" != "xyes"; then
+  PKG_CHECK_MODULES([WOLFSSL], [wolfssl >= 5.7.0],
+                    [have_wolfssl=yes], [have_wolfssl=no])
+  if test "x${have_wolfssl}" = "xno"; then
+    AC_MSG_NOTICE($WOLFSSL_PKG_ERRORS)
+  else
+    AC_DEFINE([HAVE_WOLFSSL], [1],
+              [Define to 1 if you have 'wolfssl' library.])
+
+    save_CFLAGS="$CFLAGS"
+    save_LIBS="$LIBS"
+    CFLAGS="$WOLFSSL_CFLAGS $CFLAGS"
+    LIBS="$WOLFSSL_LIBS $LIBS"
+
+    have_wolfssl_quic=no
+    AC_MSG_CHECKING([for wolfSSL QUIC])
+    AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+      #include <wolfssl/options.h>
+      #include <wolfssl/openssl/ssl.h>
+    ]], [[
+      SSL_provide_quic_data(NULL, 0, NULL, 0);
+    ]])],
+    [AC_MSG_RESULT([yes]); have_wolfssl_quic=yes],
+    [AC_MSG_RESULT([no]); have_wolfssl_quic=no])
+
+    CFLAGS="$save_CFLAGS"
+    LIBS="$save_LIBS"
+  fi
+fi
+
+if test "x${request_wolfssl}" = "xyes" &&
+   test "x${have_wolfssl}" != "xyes"; then
+  AC_MSG_ERROR([wolfSSL was requested (--with-wolfssl) but not found])
+fi
+
 # c-ares (for src)
 have_libcares=no
 if test "x${request_libcares}" != "xno"; then
-  PKG_CHECK_MODULES([LIBCARES], [libcares >= 1.7.5], [have_libcares=yes],
+  PKG_CHECK_MODULES([LIBCARES], [libcares >= 1.16.0], [have_libcares=yes],
                     [have_libcares=no])
   if test "x${have_libcares}" = "xno"; then
     AC_MSG_NOTICE($LIBCARES_PKG_ERRORS)
@@ -508,7 +532,7 @@ fi
 # ngtcp2 (for src)
 have_libngtcp2=no
 if test "x${request_libngtcp2}" != "xno"; then
-  PKG_CHECK_MODULES([LIBNGTCP2], [libngtcp2 >= 0.17.0], [have_libngtcp2=yes],
+  PKG_CHECK_MODULES([LIBNGTCP2], [libngtcp2 >= 1.16.0], [have_libngtcp2=yes],
                     [have_libngtcp2=no])
   if test "x${have_libngtcp2}" = "xno"; then
     AC_MSG_NOTICE($LIBNGTCP2_PKG_ERRORS)
@@ -520,12 +544,36 @@ if test "x${request_libngtcp2}" = "xyes" &&
   AC_MSG_ERROR([libngtcp2 was requested (--with-libngtcp2) but not found])
 fi
 
+# ngtcp2_crypto_wolfssl (for src)
+have_libngtcp2_crypto_wolfssl=no
+if test "x${have_wolfssl_quic}" = "xyes" &&
+   test "x${request_libngtcp2}" != "xno"; then
+  PKG_CHECK_MODULES([LIBNGTCP2_CRYPTO_WOLFSSL],
+                    [libngtcp2_crypto_wolfssl >= 1.16.0],
+                    [have_libngtcp2_crypto_wolfssl=yes],
+                    [have_libngtcp2_crypto_wolfssl=no])
+  if test "x${have_libngtcp2_crypto_wolfssl}" = "xno"; then
+    AC_MSG_NOTICE($LIBNGTCP2_CRYPTO_WOLFSSL_PKG_ERRORS)
+  else
+    AC_DEFINE([HAVE_LIBNGTCP2_CRYPTO_WOLFSSL], [1],
+              [Define to 1 if you have `libngtcp2_crypto_wolfssl` library.])
+  fi
+fi
+
+if test "x${have_wolfssl_quic}" = "xyes" &&
+   test "x${request_libngtcp2}" = "xyes" &&
+   test "x${have_libngtcp2_crypto_wolfssl}" != "xyes"; then
+  AC_MSG_ERROR([libngtcp2_crypto_wolfssl was requested (--with-libngtcp2) but not found])
+fi
+
 # ngtcp2_crypto_quictls (for src)
 have_libngtcp2_crypto_quictls=no
-if test "x${have_ssl_is_quic}" = "xyes" &&
+if test "x${have_ssl_provide_quic_data}" = "xyes" &&
+   test "x${have_libressl}" != "xyes" &&
+   test "x${have_boringssl_quic}" != "xyes" &&
    test "x${request_libngtcp2}" != "xno"; then
   PKG_CHECK_MODULES([LIBNGTCP2_CRYPTO_QUICTLS],
-                    [libngtcp2_crypto_quictls >= 0.17.0],
+                    [libngtcp2_crypto_quictls >= 1.16.0],
                     [have_libngtcp2_crypto_quictls=yes],
                     [have_libngtcp2_crypto_quictls=no])
   if test "x${have_libngtcp2_crypto_quictls}" = "xno"; then
@@ -536,12 +584,38 @@ if test "x${have_ssl_is_quic}" = "xyes" &&
   fi
 fi
 
-if test "x${have_ssl_is_quic}" = "xyes" &&
+if test "x${have_ssl_provide_quic_data}" = "xyes" &&
+   test "x${have_libressl}" != "xyes" &&
+   test "x${have_boringssl_quic}" != "xyes" &&
    test "x${request_libngtcp2}" = "xyes" &&
    test "x${have_libngtcp2_crypto_quictls}" != "xyes"; then
   AC_MSG_ERROR([libngtcp2_crypto_quictls was requested (--with-libngtcp2) but not found])
 fi
 
+# ngtcp2_crypto_libressl (for src)
+have_libngtcp2_crypto_libressl=no
+if test "x${have_ssl_provide_quic_data}" = "xyes" &&
+   test "x${have_libressl}" = "xyes" &&
+   test "x${request_libngtcp2}" != "xno"; then
+  PKG_CHECK_MODULES([LIBNGTCP2_CRYPTO_LIBRESSL],
+                    [libngtcp2_crypto_libressl >= 1.16.0],
+                    [have_libngtcp2_crypto_libressl=yes],
+                    [have_libngtcp2_crypto_libressl=no])
+  if test "x${have_libngtcp2_crypto_libressl}" = "xno"; then
+    AC_MSG_NOTICE($LIBNGTCP2_CRYPTO_LIBRESSL_PKG_ERRORS)
+  else
+    AC_DEFINE([HAVE_LIBNGTCP2_CRYPTO_LIBRESSL], [1],
+              [Define to 1 if you have `libngtcp2_crypto_libressl` library.])
+  fi
+fi
+
+if test "x${have_ssl_provide_quic_data}" = "xyes" &&
+   test "x${have_libressl}" = "xyes" &&
+   test "x${request_libngtcp2}" = "xyes" &&
+   test "x${have_libngtcp2_crypto_libressl}" != "xyes"; then
+  AC_MSG_ERROR([libngtcp2_crypto_libressl was requested (--with-libngtcp2) but not found])
+fi
+
 # ngtcp2_crypto_boringssl (for src)
 have_libngtcp2_crypto_boringssl=no
 if test "x${have_boringssl_quic}" = "xyes" &&
@@ -564,10 +638,32 @@ if test "x${have_boringssl_quic}" = "xyes" &&
   AC_MSG_ERROR([libngtcp2_crypto_boringssl was requested (--with-libngtcp2) but not found])
 fi
 
+# ngtcp2_crypto_ossl (for src)
+have_libngtcp2_crypto_ossl=no
+if test "x${have_ossl_quic}" = "xyes" &&
+   test "x${request_libngtcp2}" != "xno"; then
+  PKG_CHECK_MODULES([LIBNGTCP2_CRYPTO_OSSL],
+                    [libngtcp2_crypto_ossl >= 1.16.0],
+                    [have_libngtcp2_crypto_ossl=yes],
+                    [have_libngtcp2_crypto_ossl=no])
+  if test "x${have_libngtcp2_crypto_ossl}" = "xno"; then
+    AC_MSG_NOTICE($LIBNGTCP2_CRYPTO_OSSL_PKG_ERRORS)
+  else
+    AC_DEFINE([HAVE_LIBNGTCP2_CRYPTO_OSSL], [1],
+              [Define to 1 if you have `libngtcp2_crypto_ossl` library.])
+  fi
+fi
+
+if test "x${have_ossl_quic}" = "xyes" &&
+   test "x${request_libngtcp2}" = "xyes" &&
+   test "x${have_libngtcp2_crypto_ossl}" != "xyes"; then
+  AC_MSG_ERROR([libngtcp2_crypto_ossl was requested (--with-libngtcp2) but not found])
+fi
+
 # nghttp3 (for src)
 have_libnghttp3=no
 if test "x${request_libnghttp3}" != "xno"; then
-  PKG_CHECK_MODULES([LIBNGHTTP3], [libnghttp3 >= 0.13.0], [have_libnghttp3=yes],
+  PKG_CHECK_MODULES([LIBNGHTTP3], [libnghttp3 >= 1.12.0], [have_libnghttp3=yes],
                     [have_libnghttp3=no])
   if test "x${have_libnghttp3}" = "xno"; then
     AC_MSG_NOTICE($LIBNGHTTP3_PKG_ERRORS)
@@ -624,6 +720,47 @@ fi
 
 AM_CONDITIONAL([HAVE_LIBBPF], [ test "x${have_libbpf}" = "xyes" ])
 
+# libbrotlienc (for src)
+have_libbrotlienc=no
+if test "x${request_libbrotlienc}" != "xno"; then
+  PKG_CHECK_MODULES([LIBBROTLIENC], [libbrotlienc >= 1.0.9],
+                    [have_libbrotlienc=yes],
+                    [have_libbrotlienc=no])
+  if test "x${have_libbrotlienc}" = "xno"; then
+    AC_MSG_NOTICE($LIBBROTLIENC_PKG_ERRORS)
+  fi
+fi
+
+if test "x${request_libbrotlienc}" = "xyes" &&
+   test "x${have_libbrotlienc}" != "xyes"; then
+  AC_MSG_ERROR([libbrotlienc was requested (--with-libbrotlienc) but not found])
+fi
+
+# libbrotlidec (for src)
+have_libbrotlidec=no
+if test "x${request_libbrotlidec}" != "xno"; then
+  PKG_CHECK_MODULES([LIBBROTLIDEC], [libbrotlidec >= 1.0.9],
+                    [have_libbrotlidec=yes],
+                    [have_libbrotlidec=no])
+  if test "x${have_libbrotlidec}" = "xno"; then
+    AC_MSG_NOTICE($LIBBROTLIDEC_PKG_ERRORS)
+  fi
+fi
+
+if test "x${request_libbrotlidec}" = "xyes" &&
+   test "x${have_libbrotlidec}" != "xyes"; then
+  AC_MSG_ERROR([libbrotlidec was requested (--with-libbrotlidec) but not found])
+fi
+
+have_libbrotli=no
+if test "x${have_libbrotlienc}" = "xyes" &&
+   test "x${have_libbrotlidec}" = "xyes"; then
+  have_libbrotli=yes
+
+  AC_DEFINE([HAVE_LIBBROTLI], [1],
+            [Define to 1 if you have `libbrotlienc` and `libbrotlidec` libraries.])
+fi
+
 # libevent_openssl (for examples)
 # 2.0.8 is required because we use evconnlistener_set_error_cb()
 have_libevent_openssl=no
@@ -736,7 +873,7 @@ fi
 enable_app=no
 if test "x${request_app}" != "xno" &&
    test "x${have_zlib}" = "xyes" &&
-   test "x${have_openssl}" = "xyes" &&
+   (test "x${have_openssl}" = "xyes" || test "x${have_wolfssl}" = "xyes") &&
    test "x${have_libev}" = "xyes" &&
    test "x${have_libcares}" = "xyes"; then
   enable_app=yes
@@ -752,11 +889,12 @@ AM_CONDITIONAL([ENABLE_APP], [ test "x${enable_app}" = "xyes" ])
 # Check HTTP/3 support
 enable_http3=no
 if test "x${request_http3}" != "xno" &&
-   (test "x${have_ssl_is_quic}" = "xyes" ||
-    test "x${have_boringssl_quic}" = "xyes") &&
    test "x${have_libngtcp2}" = "xyes" &&
-   (test "x${have_libngtcp2_crypto_quictls}" = "xyes" ||
-    test "x${have_libngtcp2_crypto_boringssl}" = "xyes") &&
+   (test "x${have_libngtcp2_crypto_wolfssl}" = "xyes" ||
+    test "x${have_libngtcp2_crypto_quictls}" = "xyes" ||
+    test "x${have_libngtcp2_crypto_libressl}" = "xyes" ||
+    test "x${have_libngtcp2_crypto_boringssl}" = "xyes" ||
+    test "x${have_libngtcp2_crypto_ossl}" = "xyes") &&
    test "x${have_libnghttp3}" = "xyes"; then
   enable_http3=yes
   AC_DEFINE([ENABLE_HTTP3], [1], [Define to 1 if HTTP/3 is enabled.])
@@ -847,6 +985,7 @@ AC_CHECK_HEADERS([ \
   limits.h \
   netdb.h \
   netinet/in.h \
+  netinet/ip.h \
   pwd.h \
   stddef.h \
   stdint.h \
@@ -855,8 +994,8 @@ AC_CHECK_HEADERS([ \
   sys/socket.h \
   sys/time.h \
   syslog.h \
-  time.h \
   unistd.h \
+  windows.h \
 ])
 
 # Checks for typedefs, structures, and compiler characteristics.
@@ -906,12 +1045,6 @@ if test "x$have_struct_tm_tm_gmtoff" = "xyes"; then
             [Define to 1 if you have `struct tm.tm_gmtoff` member.])
 fi
 
-# Check size of pointer to decide we need 8 bytes alignment
-# adjustment.
-AC_CHECK_SIZEOF([int *])
-
-AC_CHECK_SIZEOF([time_t])
-
 # Checks for library functions.
 
 # Don't check malloc, since it does not play nicely with C++ stdlib
@@ -928,6 +1061,7 @@ AC_FUNC_STRNLEN
 AC_CHECK_FUNCS([ \
   _Exit \
   accept4 \
+  clock_gettime \
   dup2 \
   getcwd \
   getpwnam \
@@ -936,6 +1070,7 @@ AC_CHECK_FUNCS([ \
   memmove \
   memset \
   mkostemp \
+  pipe2 \
   socket \
   sqrt \
   strchr \
@@ -953,6 +1088,25 @@ AC_CHECK_FUNCS([ \
 AC_CHECK_FUNC([timerfd_create],
               [have_timerfd_create=yes], [have_timerfd_create=no])
 
+AC_MSG_CHECKING([checking for GetTickCount64])
+AC_LINK_IFELSE([AC_LANG_PROGRAM(
+[[
+#include <windows.h>
+]],
+[[
+GetTickCount64();
+]])],
+[have_gettickcount64=yes],
+[have_gettickcount64=no])
+
+if test "x${have_gettickcount64}" = "xyes"; then
+  AC_MSG_RESULT([yes])
+  AC_DEFINE([HAVE_GETTICKCOUNT64], [1],
+            [Define to 1 if you have `GetTickCount64` function.])
+else
+  AC_MSG_RESULT([no])
+fi
+
 # For cygwin: we can link initgroups, so AC_CHECK_FUNCS succeeds, but
 # cygwin disables initgroups due to feature test macro magic with our
 # configuration.  FreeBSD declares initgroups() in unistd.h.
@@ -963,6 +1117,10 @@ AC_CHECK_DECLS([initgroups], [], [], [[
   #include <grp.h>
 ]])
 
+AC_CHECK_DECLS([CLOCK_MONOTONIC], [], [], [[
+#include <time.h>
+]])
+
 save_CFLAGS=$CFLAGS
 save_CXXFLAGS=$CXXFLAGS
 
@@ -1017,6 +1175,7 @@ if test "x$werror" != "xno"; then
     # Only work with Clang for the moment
     AX_CHECK_COMPILE_FLAG([-Wheader-guard], [CFLAGS="$CFLAGS -Wheader-guard"])
     AX_CHECK_COMPILE_FLAG([-Wsometimes-uninitialized], [CFLAGS="$CFLAGS -Wsometimes-uninitialized"])
+    AX_CHECK_COMPILE_FLAG([-Wextra-semi], [CFLAGS="$CFLAGS -Wextra-semi"])
 
     # This is required because we pass format string as "const char*.
     AX_CHECK_COMPILE_FLAG([-Wno-format-nonliteral], [CFLAGS="$CFLAGS -Wno-format-nonliteral"])
@@ -1027,9 +1186,13 @@ if test "x$werror" != "xno"; then
     AX_CHECK_COMPILE_FLAG([-Werror], [CXXFLAGS="$CXXFLAGS -Werror"])
     AX_CHECK_COMPILE_FLAG([-Wformat-security], [CXXFLAGS="$CXXFLAGS -Wformat-security"])
     AX_CHECK_COMPILE_FLAG([-Wsometimes-uninitialized], [CXXFLAGS="$CXXFLAGS -Wsometimes-uninitialized"])
+    AX_CHECK_COMPILE_FLAG([-Wextra-semi], [CXXFLAGS="$CXXFLAGS -Wextra-semi"])
+    AX_CHECK_COMPILE_FLAG([-Wconversion], [CXXFLAGS="$CXXFLAGS -Wconversion"])
     # Disable noexcept-type warning of g++-7.  This is not harmful as
     # long as all source files are compiled with the same compiler.
     AX_CHECK_COMPILE_FLAG([-Wno-noexcept-type], [CXXFLAGS="$CXXFLAGS -Wno-noexcept-type"])
+    # clang++-18 warns this when building with wolfSSL >= v5.7.6-stable.
+    AX_CHECK_COMPILE_FLAG([-Wno-extern-c-compat], [CXXFLAGS="$CXXFLAGS -Wno-extern-c-compat"])
     AC_LANG_POP()
 fi
 
@@ -1096,7 +1259,6 @@ AC_CONFIG_FILES([
   doc/nghttp2ver.h.rst
   doc/contribute.rst
   contrib/Makefile
-  script/Makefile
 ])
 AC_OUTPUT
 
@@ -1136,16 +1298,18 @@ AC_MSG_NOTICE([summary of build options:
       Python:         ${PYTHON}
       PYTHON_VERSION: ${PYTHON_VERSION}
     Test:
-      CUnit:          ${have_cunit} (CFLAGS='${CUNIT_CFLAGS}' LIBS='${CUNIT_LIBS}')
       Failmalloc:     ${enable_failmalloc}
     Libs:
+      wolfSSL:        ${have_wolfssl} (CFLAGS='${WOLFSSL_CFLAGS}' LIBS='${WOLFSSL_LIBS}')
       OpenSSL:        ${have_openssl} (CFLAGS='${OPENSSL_CFLAGS}' LIBS='${OPENSSL_LIBS}')
       Libxml2:        ${have_libxml2} (CFLAGS='${LIBXML2_CFLAGS}' LIBS='${LIBXML2_LIBS}')
       Libev:          ${have_libev} (CFLAGS='${LIBEV_CFLAGS}' LIBS='${LIBEV_LIBS}')
       Libc-ares:      ${have_libcares} (CFLAGS='${LIBCARES_CFLAGS}' LIBS='${LIBCARES_LIBS}')
       libngtcp2:      ${have_libngtcp2} (CFLAGS='${LIBNGTCP2_CFLAGS}' LIBS='${LIBNGTCP2_LIBS}')
       libngtcp2_crypto_quictls: ${have_libngtcp2_crypto_quictls} (CFLAGS='${LIBNGTCP2_CRYPTO_QUICTLS_CFLAGS}' LIBS='${LIBNGTCP2_CRYPTO_QUICTLS_LIBS}')
+      libngtcp2_crypto_libressl: ${have_libngtcp2_crypto_libressl} (CFLAGS='${LIBNGTCP2_CRYPTO_LIBRESSL_CFLAGS}' LIBS='${LIBNGTCP2_CRYPTO_LIBRESSL_LIBS}')
       libngtcp2_crypto_boringssl: ${have_libngtcp2_crypto_boringssl} (CFLAGS='${LIBNGTCP2_CRYPTO_BORINGSSL_CFLAGS}' LIBS='${LIBNGTCP2_CRYPTO_BORINGSSL_LIBS}')
+      libngtcp2_crypto_ossl: ${have_libngtcp2_crypto_ossl} (CFLAGS='${LIBNGTCP2_CRYPTO_OSSL_CFLAGS}' LIBS='${LIBNGTCP2_CRYPTO_OSSL_LIBS}')
       libnghttp3:     ${have_libnghttp3} (CFLAGS='${LIBNGHTTP3_CFLAGS}' LIBS='${LIBNGHTTP3_LIBS}')
       libbpf:         ${have_libbpf} (CFLAGS='${LIBBPF_CFLAGS}' LIBS='${LIBBPF_LIBS}')
       Libevent(SSL):  ${have_libevent_openssl} (CFLAGS='${LIBEVENT_OPENSSL_CFLAGS}' LIBS='${LIBEVENT_OPENSSL_LIBS}')
@@ -1153,6 +1317,8 @@ AC_MSG_NOTICE([summary of build options:
       Jemalloc:       ${have_jemalloc} (CFLAGS='${JEMALLOC_CFLAGS}' LIBS='${JEMALLOC_LIBS}')
       Zlib:           ${have_zlib} (CFLAGS='${ZLIB_CFLAGS}' LIBS='${ZLIB_LIBS}')
       Systemd:        ${have_libsystemd} (CFLAGS='${SYSTEMD_CFLAGS}' LIBS='${SYSTEMD_LIBS}')
+      Libbrotlienc:   ${have_libbrotlienc} (CFLAGS="${LIBBROTLIENC_CFLAGS}' LIBS='${LIBBROTLIENC_LIBS}')
+      Libbrotlidec:   ${have_libbrotlidec} (CFLAGS="${LIBBROTLIDEC_CFLAGS}' LIBS='${LIBBROTLIDEC_LIBS}')
     Third-party:
       http-parser:    ${enable_third_party}
       MRuby:          ${have_mruby} (CFLAGS='${LIBMRUBY_CFLAGS}' LIBS='${LIBMRUBY_LIBS}')

doc/Makefile.am

@@ -33,6 +33,7 @@ APIDOCS= \
 	nghttp2_check_header_value_rfc9113.rst \
 	nghttp2_check_method.rst \
 	nghttp2_check_path.rst \
+	nghttp2_extpri_parse_priority.rst \
 	nghttp2_hd_deflate_bound.rst \
 	nghttp2_hd_deflate_change_table_size.rst \
 	nghttp2_hd_deflate_del.rst \
@@ -41,7 +42,9 @@ APIDOCS= \
 	nghttp2_hd_deflate_get_num_table_entries.rst \
 	nghttp2_hd_deflate_get_table_entry.rst \
 	nghttp2_hd_deflate_hd.rst \
+	nghttp2_hd_deflate_hd2.rst \
 	nghttp2_hd_deflate_hd_vec.rst \
+	nghttp2_hd_deflate_hd_vec2.rst \
 	nghttp2_hd_deflate_new.rst \
 	nghttp2_hd_deflate_new2.rst \
 	nghttp2_hd_inflate_change_table_size.rst \
@@ -53,6 +56,7 @@ APIDOCS= \
 	nghttp2_hd_inflate_get_table_entry.rst \
 	nghttp2_hd_inflate_hd.rst \
 	nghttp2_hd_inflate_hd2.rst \
+	nghttp2_hd_inflate_hd3.rst \
 	nghttp2_hd_inflate_new.rst \
 	nghttp2_hd_inflate_new2.rst \
 	nghttp2_http2_strerror.rst \
@@ -73,9 +77,13 @@ APIDOCS= \
 	nghttp2_option_set_peer_max_concurrent_streams.rst \
 	nghttp2_option_set_server_fallback_rfc7540_priorities.rst \
 	nghttp2_option_set_user_recv_extension_type.rst \
+	nghttp2_option_set_max_continuations.rst \
 	nghttp2_option_set_max_outbound_ack.rst \
 	nghttp2_option_set_max_settings.rst \
+	nghttp2_option_set_stream_reset_rate_limit.rst \
+	nghttp2_option_set_glitch_rate_limit.rst \
 	nghttp2_pack_settings_payload.rst \
+	nghttp2_pack_settings_payload2.rst \
 	nghttp2_priority_spec_check_default.rst \
 	nghttp2_priority_spec_default_init.rst \
 	nghttp2_priority_spec_init.rst \
@@ -84,10 +92,12 @@ APIDOCS= \
 	nghttp2_rcbuf_incref.rst \
 	nghttp2_rcbuf_is_static.rst \
 	nghttp2_select_next_protocol.rst \
+	nghttp2_select_alpn.rst \
 	nghttp2_session_callbacks_del.rst \
 	nghttp2_session_callbacks_new.rst \
 	nghttp2_session_callbacks_set_before_frame_send_callback.rst \
 	nghttp2_session_callbacks_set_data_source_read_length_callback.rst \
+	nghttp2_session_callbacks_set_data_source_read_length_callback2.rst \
 	nghttp2_session_callbacks_set_error_callback.rst \
 	nghttp2_session_callbacks_set_error_callback2.rst \
 	nghttp2_session_callbacks_set_on_begin_frame_callback.rst \
@@ -104,9 +114,14 @@ APIDOCS= \
 	nghttp2_session_callbacks_set_on_invalid_header_callback2.rst \
 	nghttp2_session_callbacks_set_on_stream_close_callback.rst \
 	nghttp2_session_callbacks_set_pack_extension_callback.rst \
+	nghttp2_session_callbacks_set_pack_extension_callback2.rst \
+	nghttp2_session_callbacks_set_rand_callback.rst \
 	nghttp2_session_callbacks_set_recv_callback.rst \
+	nghttp2_session_callbacks_set_recv_callback2.rst \
 	nghttp2_session_callbacks_set_select_padding_callback.rst \
+	nghttp2_session_callbacks_set_select_padding_callback2.rst \
 	nghttp2_session_callbacks_set_send_callback.rst \
+	nghttp2_session_callbacks_set_send_callback2.rst \
 	nghttp2_session_callbacks_set_send_data_callback.rst \
 	nghttp2_session_callbacks_set_unpack_extension_callback.rst \
 	nghttp2_session_change_extpri_stream_priority.rst \
@@ -124,6 +139,7 @@ APIDOCS= \
 	nghttp2_session_find_stream.rst \
 	nghttp2_session_get_effective_local_window_size.rst \
 	nghttp2_session_get_effective_recv_data_length.rst \
+	nghttp2_session_get_extpri_stream_priority.rst \
 	nghttp2_session_get_hd_deflate_dynamic_table_size.rst \
 	nghttp2_session_get_hd_inflate_dynamic_table_size.rst \
 	nghttp2_session_get_last_proc_stream_id.rst \
@@ -142,7 +158,9 @@ APIDOCS= \
 	nghttp2_session_get_stream_remote_window_size.rst \
 	nghttp2_session_get_stream_user_data.rst \
 	nghttp2_session_mem_recv.rst \
+	nghttp2_session_mem_recv2.rst \
 	nghttp2_session_mem_send.rst \
+	nghttp2_session_mem_send2.rst \
 	nghttp2_session_recv.rst \
 	nghttp2_session_resume_data.rst \
 	nghttp2_session_send.rst \
@@ -170,6 +188,7 @@ APIDOCS= \
 	nghttp2_strerror.rst \
 	nghttp2_submit_altsvc.rst \
 	nghttp2_submit_data.rst \
+	nghttp2_submit_data2.rst \
 	nghttp2_submit_extension.rst \
 	nghttp2_submit_goaway.rst \
 	nghttp2_submit_headers.rst \
@@ -179,7 +198,9 @@ APIDOCS= \
 	nghttp2_submit_priority_update.rst \
 	nghttp2_submit_push_promise.rst \
 	nghttp2_submit_request.rst \
+	nghttp2_submit_request2.rst \
 	nghttp2_submit_response.rst \
+	nghttp2_submit_response2.rst \
 	nghttp2_submit_rst_stream.rst \
 	nghttp2_submit_settings.rst \
 	nghttp2_submit_shutdown_notice.rst \
@@ -208,7 +229,6 @@ EXTRA_DIST = \
 	sources/h2load-howto.rst \
 	sources/building-android-binary.rst \
 	sources/contribute.rst \
-	sources/security.rst \
 	_exts/rubydomain/LICENSE.rubydomain \
 	_exts/rubydomain/__init__.py \
 	_exts/rubydomain/rubydomain.py \

doc/README.rst

@@ -68,7 +68,7 @@ The example follows::
      * Callback function invoked when |session| wants to send data to
      * remote peer.
      */
-    typedef ssize_t (*nghttp2_send_callback)
+    typedef nghttp2_ssize (*nghttp2_send_callback2)
     (nghttp2_session *session,
      const uint8_t *data, size_t length, int flags, void *user_data);
 
@@ -111,7 +111,7 @@ The example follows::
 
 ``@struct`` is used to refer to the struct. Currently, only struct
 typedefs are supported. The comment block is used for the document for
-the struct type itself.To document each member, put comment block
+the struct type itself. To document each member, put comment block
 starting with the line ``/**`` and ending with the ``*/`` just before
 the member.  When the line starts with ``}`` is encountered, the
 ``mkapiref.py`` extracts strings next to ``}`` as the name of struct.

doc/_exts/rubydomain/__init__.py

@@ -1,14 +0,0 @@
-# -*- coding: utf-8 -*-
-"""
-    sphinxcontrib
-    ~~~~~~~~~~~~~
-
-    This package is a namespace package that contains all extensions
-    distributed in the ``sphinx-contrib`` distribution.
-
-    :copyright: Copyright 2007-2009 by the Sphinx team, see AUTHORS.
-    :license: BSD, see LICENSE for details.
-"""
-
-__import__('pkg_resources').declare_namespace(__name__)
-

doc/bash_completion/h2load

@@ -8,7 +8,7 @@ _h2load()
     _get_comp_words_by_ref cur prev
     case $cur in
         -*)
-            COMPREPLY=( $( compgen -W '--requests --clients --threads --input-file --max-concurrent-streams --max-frame-size --window-bits --connection-window-bits --header --ciphers --tls13-ciphers --no-tls-proto --data --rate --rate-period --duration --warm-up-time --connection-active-timeout --connection-inactivity-timeout --timing-script-file --base-uri --npn-list --h1 --header-table-size --encoder-header-table-size --log-file --qlog-file-base --connect-to --rps --groups --no-udp-gso --max-udp-payload-size --ktls --verbose --version --help ' -- "$cur" ) )
+            COMPREPLY=( $( compgen -W '--requests --clients --threads --input-file --max-concurrent-streams --max-frame-size --window-bits --connection-window-bits --header --ciphers --tls13-ciphers --no-tls-proto --data --rate --rate-period --duration --warm-up-time --connection-active-timeout --connection-inactivity-timeout --timing-script-file --base-uri --alpn-list --h1 --header-table-size --encoder-header-table-size --log-file --qlog-file-base --connect-to --rps --groups --no-udp-gso --max-udp-payload-size --ktls --sni --verbose --version --help ' -- "$cur" ) )
             ;;
         *)
             _filedir

doc/bash_completion/nghttp

@@ -8,7 +8,7 @@ _nghttp()
     _get_comp_words_by_ref cur prev
     case $cur in
         -*)
-            COMPREPLY=( $( compgen -W '--verbose --null-out --remote-name --timeout --window-bits --connection-window-bits --get-assets --stat --header --trailer --cert --key --data --multiply --upgrade --weight --peer-max-concurrent-streams --header-table-size --encoder-header-table-size --padding --har --color --continuation --no-content-length --no-dep --hexdump --no-push --max-concurrent-streams --expect-continue --no-verify-peer --ktls --no-rfc7540-pri --version --help ' -- "$cur" ) )
+            COMPREPLY=( $( compgen -W '--verbose --null-out --remote-name --timeout --window-bits --connection-window-bits --get-assets --stat --header --trailer --cert --key --data --multiply --upgrade --extpri --peer-max-concurrent-streams --header-table-size --encoder-header-table-size --padding --har --color --continuation --no-content-length --hexdump --no-push --max-concurrent-streams --expect-continue --no-verify-peer --ktls --version --help ' -- "$cur" ) )
             ;;
         *)
             _filedir

doc/bash_completion/nghttpd

@@ -8,7 +8,7 @@ _nghttpd()
     _get_comp_words_by_ref cur prev
     case $cur in
         -*)
-            COMPREPLY=( $( compgen -W '--address --daemon --verify-client --htdocs --verbose --no-tls --header-table-size --encoder-header-table-size --color --push --padding --max-concurrent-streams --workers --error-gzip --window-bits --connection-window-bits --dh-param-file --early-response --trailer --hexdump --echo-upload --mime-types-file --no-content-length --ktls --no-rfc7540-pri --version --help ' -- "$cur" ) )
+            COMPREPLY=( $( compgen -W '--address --daemon --verify-client --htdocs --verbose --no-tls --header-table-size --encoder-header-table-size --color --push --padding --max-concurrent-streams --workers --error-gzip --window-bits --connection-window-bits --dh-param-file --early-response --trailer --hexdump --echo-upload --mime-types-file --no-content-length --groups --ktls --version --help ' -- "$cur" ) )
             ;;
         *)
             _filedir

doc/bash_completion/nghttpx

@@ -8,7 +8,7 @@ _nghttpx()
     _get_comp_words_by_ref cur prev
     case $cur in
         -*)
-            COMPREPLY=( $( compgen -W '--backend --frontend --backlog --backend-address-family --backend-http-proxy-uri --workers --single-thread --read-rate --read-burst --write-rate --write-burst --worker-read-rate --worker-read-burst --worker-write-rate --worker-write-burst --worker-frontend-connections --backend-connections-per-host --backend-connections-per-frontend --rlimit-nofile --rlimit-memlock --backend-request-buffer --backend-response-buffer --fastopen --no-kqueue --frontend-http2-read-timeout --frontend-http3-read-timeout --frontend-read-timeout --frontend-write-timeout --frontend-keep-alive-timeout --stream-read-timeout --stream-write-timeout --backend-read-timeout --backend-write-timeout --backend-connect-timeout --backend-keep-alive-timeout --listener-disable-timeout --frontend-http2-setting-timeout --backend-http2-settings-timeout --backend-max-backoff --ciphers --tls13-ciphers --client-ciphers --tls13-client-ciphers --ecdh-curves --insecure --cacert --private-key-passwd-file --subcert --dh-param-file --npn-list --verify-client --verify-client-cacert --verify-client-tolerate-expired --client-private-key-file --client-cert-file --tls-min-proto-version --tls-max-proto-version --tls-ticket-key-file --tls-ticket-key-memcached --tls-ticket-key-memcached-address-family --tls-ticket-key-memcached-interval --tls-ticket-key-memcached-max-retry --tls-ticket-key-memcached-max-fail --tls-ticket-key-cipher --tls-ticket-key-memcached-cert-file --tls-ticket-key-memcached-private-key-file --fetch-ocsp-response-file --ocsp-update-interval --ocsp-startup --no-verify-ocsp --no-ocsp --tls-session-cache-memcached --tls-session-cache-memcached-address-family --tls-session-cache-memcached-cert-file --tls-session-cache-memcached-private-key-file --tls-dyn-rec-warmup-threshold --tls-dyn-rec-idle-timeout --no-http2-cipher-block-list --client-no-http2-cipher-block-list --tls-sct-dir --psk-secrets --client-psk-secrets --tls-no-postpone-early-data --tls-max-early-data --tls-ktls --frontend-http2-max-concurrent-streams --backend-http2-max-concurrent-streams --frontend-http2-window-size --frontend-http2-connection-window-size --backend-http2-window-size --backend-http2-connection-window-size --http2-no-cookie-crumbling --padding --no-server-push --frontend-http2-optimize-write-buffer-size --frontend-http2-optimize-window-size --frontend-http2-encoder-dynamic-table-size --frontend-http2-decoder-dynamic-table-size --backend-http2-encoder-dynamic-table-size --backend-http2-decoder-dynamic-table-size --http2-proxy --log-level --accesslog-file --accesslog-syslog --accesslog-format --accesslog-write-early --errorlog-file --errorlog-syslog --syslog-facility --add-x-forwarded-for --strip-incoming-x-forwarded-for --no-add-x-forwarded-proto --no-strip-incoming-x-forwarded-proto --add-forwarded --strip-incoming-forwarded --forwarded-by --forwarded-for --no-via --no-strip-incoming-early-data --no-location-rewrite --host-rewrite --altsvc --http2-altsvc --add-request-header --add-response-header --request-header-field-buffer --max-request-header-fields --response-header-field-buffer --max-response-header-fields --error-page --server-name --no-server-rewrite --redirect-https-port --require-http-scheme --api-max-request-body --dns-cache-timeout --dns-lookup-timeout --dns-max-try --frontend-max-requests --frontend-http2-dump-request-header --frontend-http2-dump-response-header --frontend-frame-debug --daemon --pid-file --user --single-process --max-worker-processes --worker-process-grace-shutdown-period --mruby-file --ignore-per-pattern-mruby-error --frontend-quic-idle-timeout --frontend-quic-debug-log --quic-bpf-program-file --frontend-quic-early-data --frontend-quic-qlog-dir --frontend-quic-require-token --frontend-quic-congestion-controller --frontend-quic-secret-file --quic-server-id --frontend-quic-initial-rtt --no-quic-bpf --frontend-http3-window-size --frontend-http3-connection-window-size --frontend-http3-max-window-size --frontend-http3-max-connection-window-size --frontend-http3-max-concurrent-streams --conf --include --version --help ' -- "$cur" ) )
+            COMPREPLY=( $( compgen -W '--backend --frontend --backlog --backend-address-family --backend-http-proxy-uri --workers --single-thread --read-rate --read-burst --write-rate --write-burst --worker-read-rate --worker-read-burst --worker-write-rate --worker-write-burst --worker-frontend-connections --backend-connections-per-host --backend-connections-per-frontend --rlimit-nofile --rlimit-memlock --backend-request-buffer --backend-response-buffer --fastopen --no-kqueue --frontend-http2-idle-timeout --frontend-http3-idle-timeout --frontend-write-timeout --frontend-keep-alive-timeout --frontend-header-timeout --stream-read-timeout --stream-write-timeout --backend-read-timeout --backend-write-timeout --backend-connect-timeout --backend-keep-alive-timeout --listener-disable-timeout --frontend-http2-setting-timeout --backend-http2-settings-timeout --backend-max-backoff --ciphers --tls13-ciphers --client-ciphers --tls13-client-ciphers --groups --insecure --cacert --private-key-passwd-file --subcert --dh-param-file --alpn-list --verify-client --verify-client-cacert --verify-client-tolerate-expired --client-private-key-file --client-cert-file --tls-min-proto-version --tls-max-proto-version --tls-ticket-key-file --tls-ticket-key-memcached --tls-ticket-key-memcached-address-family --tls-ticket-key-memcached-interval --tls-ticket-key-memcached-max-retry --tls-ticket-key-memcached-max-fail --tls-ticket-key-cipher --tls-ticket-key-memcached-cert-file --tls-ticket-key-memcached-private-key-file --tls-dyn-rec-warmup-threshold --tls-dyn-rec-idle-timeout --no-http2-cipher-block-list --client-no-http2-cipher-block-list --tls-sct-dir --psk-secrets --client-psk-secrets --tls-no-postpone-early-data --tls-max-early-data --tls-ktls --frontend-http2-max-concurrent-streams --backend-http2-max-concurrent-streams --frontend-http2-window-size --frontend-http2-connection-window-size --backend-http2-window-size --backend-http2-connection-window-size --http2-no-cookie-crumbling --padding --no-server-push --frontend-http2-optimize-write-buffer-size --frontend-http2-optimize-window-size --frontend-http2-encoder-dynamic-table-size --frontend-http2-decoder-dynamic-table-size --backend-http2-encoder-dynamic-table-size --backend-http2-decoder-dynamic-table-size --http2-proxy --log-level --accesslog-file --accesslog-syslog --accesslog-format --accesslog-write-early --errorlog-file --errorlog-syslog --syslog-facility --add-x-forwarded-for --strip-incoming-x-forwarded-for --no-add-x-forwarded-proto --no-strip-incoming-x-forwarded-proto --add-forwarded --strip-incoming-forwarded --forwarded-by --forwarded-for --no-via --no-strip-incoming-early-data --no-location-rewrite --host-rewrite --altsvc --http2-altsvc --add-request-header --add-response-header --request-header-field-buffer --max-request-header-fields --response-header-field-buffer --max-response-header-fields --error-page --server-name --no-server-rewrite --redirect-https-port --require-http-scheme --api-max-request-body --dns-cache-timeout --dns-lookup-timeout --dns-max-try --frontend-max-requests --frontend-http2-dump-request-header --frontend-http2-dump-response-header --frontend-frame-debug --daemon --pid-file --user --single-process --max-worker-processes --worker-process-grace-shutdown-period --mruby-file --ignore-per-pattern-mruby-error --frontend-quic-idle-timeout --frontend-quic-debug-log --quic-bpf-program-file --frontend-quic-early-data --frontend-quic-qlog-dir --frontend-quic-require-token --frontend-quic-congestion-controller --frontend-quic-secret-file --quic-server-id --frontend-quic-initial-rtt --no-quic-bpf --frontend-http3-window-size --frontend-http3-connection-window-size --frontend-http3-max-window-size --frontend-http3-max-connection-window-size --frontend-http3-max-concurrent-streams --conf --include --version --help ' -- "$cur" ) )
             ;;
         *)
             _filedir

doc/h2load.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "H2LOAD" "1" "Jul 14, 2023" "1.55.1" "nghttp2"
+.TH "H2LOAD" "1" "Oct 25, 2025" "1.68.0" "nghttp2"
 .SH NAME
 h2load \- HTTP/2 benchmarking tool
 .SH SYNOPSIS
@@ -109,9 +109,9 @@ Default: \fB16K\fP
 .TP
 .B \-w, \-\-window\-bits=<N>
 Sets the stream level initial window size to (2**<N>)\-1.
-For QUIC, <N> is capped to 26 (roughly 64MiB).
-.sp
-Default: \fB30\fP
+For  QUIC, <N>  is  capped to  26  (roughly 64MiB).   It
+defaults  to  24 (16MiB)  for  QUIC,  and 30  for  other
+protocols.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -255,20 +255,19 @@ input files as usual.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-npn\-list=<LIST>
+.B \-\-alpn\-list=<LIST>
 Comma delimited list of  ALPN protocol identifier sorted
 in the  order of preference.  That  means most desirable
-protocol comes  first.  This  is used  in both  ALPN and
-NPN.  The parameter must be  delimited by a single comma
-only  and any  white spaces  are  treated as  a part  of
-protocol string.
+protocol comes  first.  The parameter must  be delimited
+by a single comma only  and any white spaces are treated
+as a part of protocol string.
 .sp
-Default: \fBh2,h2\-16,h2\-14,http/1.1\fP
+Default: \fBh2,http/1.1\fP
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-h1
-Short        hand         for        \fI\%\-\-npn\-list\fP=http/1.1
+Short        hand        for        \fI\%\-\-alpn\-list\fP=http/1.1
 \fI\%\-\-no\-tls\-proto\fP=http/1.1,    which   effectively    force
 http/1.1 for both http and https URI.
 .UNINDENT
@@ -345,6 +344,12 @@ Enable ktls.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-sni=<DNSNAME>
+Send  <DNSNAME> in  TLS  SNI, overriding  the host  name
+specified in URI.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-v, \-\-verbose
 Output debug information.
 .UNINDENT
@@ -383,7 +388,7 @@ The number of requests completed.
 .TP
 .B succeeded
 The number of requests completed successfully.  Only HTTP status
-code 2xx or3xx are considered as success.
+code 2xx or 3xx are considered as success.
 .TP
 .B failed
 The number of requests failed, including HTTP level failures

doc/h2load.1.rst

@@ -83,9 +83,9 @@ OPTIONS
 .. option:: -w, --window-bits=<N>
 
     Sets the stream level initial window size to (2\*\*<N>)-1.
-    For QUIC, <N> is capped to 26 (roughly 64MiB).
-
-    Default: ``30``
+    For  QUIC, <N>  is  capped to  26  (roughly 64MiB).   It
+    defaults  to  24 (16MiB)  for  QUIC,  and 30  for  other
+    protocols.
 
 .. option:: -W, --connection-window-bits=<N>
 
@@ -213,20 +213,19 @@ OPTIONS
     the first  URI appeared  in the  command line  or inside
     input files as usual.
 
-.. option:: --npn-list=<LIST>
+.. option:: --alpn-list=<LIST>
 
     Comma delimited list of  ALPN protocol identifier sorted
     in the  order of preference.  That  means most desirable
-    protocol comes  first.  This  is used  in both  ALPN and
-    NPN.  The parameter must be  delimited by a single comma
-    only  and any  white spaces  are  treated as  a part  of
-    protocol string.
+    protocol comes  first.  The parameter must  be delimited
+    by a single comma only  and any white spaces are treated
+    as a part of protocol string.
 
-    Default: ``h2,h2-16,h2-14,http/1.1``
+    Default: ``h2,http/1.1``
 
 .. option:: --h1
 
-    Short        hand         for        :option:`--npn-list`\=http/1.1
+    Short        hand        for        :option:`--alpn-list`\=http/1.1
     :option:`--no-tls-proto`\=http/1.1,    which   effectively    force
     http/1.1 for both http and https URI.
 
@@ -291,6 +290,11 @@ OPTIONS
 
     Enable ktls.
 
+.. option:: --sni=<DNSNAME>
+
+    Send  <DNSNAME> in  TLS  SNI, overriding  the host  name
+    specified in URI.
+
 .. option:: -v, --verbose
 
     Output debug information.
@@ -327,7 +331,7 @@ requests
     The number of requests completed.
   succeeded
     The number of requests completed successfully.  Only HTTP status
-    code 2xx or3xx are considered as success.
+    code 2xx or 3xx are considered as success.
   failed
     The number of requests failed, including HTTP level failures
     (non-successful HTTP status code).

doc/h2load.h2r

@@ -12,7 +12,7 @@ requests
     The number of requests completed.
   succeeded
     The number of requests completed successfully.  Only HTTP status
-    code 2xx or3xx are considered as success.
+    code 2xx or 3xx are considered as success.
   failed
     The number of requests failed, including HTTP level failures
     (non-successful HTTP status code).

doc/nghttp.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "NGHTTP" "1" "Jul 14, 2023" "1.55.1" "nghttp2"
+.TH "NGHTTP" "1" "Oct 25, 2025" "1.68.0" "nghttp2"
 .SH NAME
 nghttp \- HTTP/2 client
 .SH SYNOPSIS
@@ -141,14 +141,15 @@ HTTP upgrade request is performed with OPTIONS method.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-p, \-\-weight=<WEIGHT>
-Sets  weight of  given  URI.  This  option  can be  used
-multiple times, and  N\-th \fI\%\-p\fP option sets  weight of N\-th
-URI in the command line.  If  the number of \fI\%\-p\fP option is
-less than the number of URI, the last \fI\%\-p\fP option value is
-repeated.  If there is no \fI\%\-p\fP option, default weight, 16,
-is assumed.  The valid value range is
-[1, 256], inclusive.
+.B \-\-extpri=<PRI>
+Sets RFC 9218 priority of  given URI.  <PRI> must be the
+wire format  of priority  header field  (e.g., \(dqu=3,i\(dq).
+This  option  can  be  used  multiple  times,  and  N\-th
+\fI\%\-\-extpri\fP option sets priority of N\-th URI in the command
+line.  If  the number  of this option  is less  than the
+number of  URI, the last  option value is  repeated.  If
+there  is   no  \fI\%\-\-extpri\fP  option,  urgency   is  3,  and
+incremental is false.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -205,11 +206,6 @@ Don\(aqt send content\-length header field.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-no\-dep
-Don\(aqt send dependency based priority hint to server.
-.UNINDENT
-.INDENT 0.0
-.TP
 .B \-\-hexdump
 Display the  incoming traffic in  hexadecimal (Canonical
 hex+ASCII display).  If SSL/TLS  is used, decrypted data
@@ -247,11 +243,6 @@ Enable ktls.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-no\-rfc7540\-pri
-Disable RFC7540 priorities.
-.UNINDENT
-.INDENT 0.0
-.TP
 .B \-\-version
 Display version information and exit.
 .UNINDENT
@@ -268,63 +259,6 @@ The <DURATION> argument is an integer and an optional unit (e.g., 1s
 is 1 second and 500ms is 500 milliseconds).  Units are h, m, s or ms
 (hours, minutes, seconds and milliseconds, respectively).  If a unit
 is omitted, a second is used as unit.
-.SH DEPENDENCY BASED PRIORITY
-.sp
-nghttp sends priority hints to server by default unless
-\fI\%\-\-no\-dep\fP is used.  nghttp mimics the way Firefox employs to
-manages dependency using idle streams.  We follows the behaviour of
-Firefox Nightly as of April, 2015, and nghttp\(aqs behaviour is very
-static and could be different from Firefox in detail.  But reproducing
-the same behaviour of Firefox is not our goal.  The goal is provide
-the easy way to test out the dependency priority in server
-implementation.
-.sp
-When connection is established, nghttp sends 5 PRIORITY frames to idle
-streams 3, 5, 7, 9 and 11 to create \(dqanchor\(dq nodes in dependency
-tree:
-.INDENT 0.0
-.INDENT 3.5
-.sp
-.nf
-.ft C
-         +\-\-\-\-\-+
-         |id=0 |
-         +\-\-\-\-\-+
-        ^   ^   ^
- w=201 /    |    \e w=1
-      /     |     \e
-     / w=101|      \e
- +\-\-\-\-\-+ +\-\-\-\-\-+ +\-\-\-\-\-+
- |id=3 | |id=5 | |id=7 |
- +\-\-\-\-\-+ +\-\-\-\-\-+ +\-\-\-\-\-+
-    ^               ^
-w=1 |           w=1 |
-    |               |
- +\-\-\-\-\-+         +\-\-\-\-\-+
- |id=11|         |id=9 |
- +\-\-\-\-\-+         +\-\-\-\-\-+
-.ft P
-.fi
-.UNINDENT
-.UNINDENT
-.sp
-In the above figure, \fBid\fP means stream ID, and \fBw\fP means weight.
-The stream 0 is non\-existence stream, and forms the root of the tree.
-The stream 7 and 9 are not used for now.
-.sp
-The URIs given in the command\-line depend on stream 11 with the weight
-given in \fI\%\-p\fP option, which defaults to 16.
-.sp
-If \fI\%\-a\fP option is used, nghttp parses the resource pointed by
-URI given in command\-line as html, and extracts resource links from
-it.  When requesting those resources, nghttp uses dependency according
-to its resource type.
-.sp
-For CSS, and Javascript files inside \(dqhead\(dq element, they depend on
-stream 3 with the weight 2.  The Javascript files outside \(dqhead\(dq
-element depend on stream 5 with the weight 2.  The mages depend on
-stream 11 with the weight 12.  The other resources (e.g., icon) depend
-on stream 11 with the weight 2.
 .SH SEE ALSO
 .sp
 \fBnghttpd(1)\fP, \fBnghttpx(1)\fP, \fBh2load(1)\fP

doc/nghttp.1.rst

@@ -105,15 +105,16 @@ OPTIONS
     if the request URI has https scheme.  If :option:`-d` is used, the
     HTTP upgrade request is performed with OPTIONS method.
 
-.. option:: -p, --weight=<WEIGHT>
+.. option:: --extpri=<PRI>
 
-    Sets  weight of  given  URI.  This  option  can be  used
-    multiple times, and  N-th :option:`-p` option sets  weight of N-th
-    URI in the command line.  If  the number of :option:`-p` option is
-    less than the number of URI, the last :option:`-p` option value is
-    repeated.  If there is no :option:`-p` option, default weight, 16,
-    is assumed.  The valid value range is
-    [1, 256], inclusive.
+    Sets RFC 9218 priority of  given URI.  <PRI> must be the
+    wire format  of priority  header field  (e.g., "u=3,i").
+    This  option  can  be  used  multiple  times,  and  N-th
+    :option:`--extpri` option sets priority of N-th URI in the command
+    line.  If  the number  of this option  is less  than the
+    number of  URI, the last  option value is  repeated.  If
+    there  is   no  :option:`--extpri`  option,  urgency   is  3,  and
+    incremental is false.
 
 .. option:: -M, --peer-max-concurrent-streams=<N>
 
@@ -160,10 +161,6 @@ OPTIONS
 
     Don't send content-length header field.
 
-.. option:: --no-dep
-
-    Don't send dependency based priority hint to server.
-
 .. option:: --hexdump
 
     Display the  incoming traffic in  hexadecimal (Canonical
@@ -195,10 +192,6 @@ OPTIONS
 
     Enable ktls.
 
-.. option:: --no-rfc7540-pri
-
-    Disable RFC7540 priorities.
-
 .. option:: --version
 
     Display version information and exit.
@@ -217,59 +210,6 @@ is 1 second and 500ms is 500 milliseconds).  Units are h, m, s or ms
 (hours, minutes, seconds and milliseconds, respectively).  If a unit
 is omitted, a second is used as unit.
 
-DEPENDENCY BASED PRIORITY
--------------------------
-
-nghttp sends priority hints to server by default unless
-:option:`--no-dep` is used.  nghttp mimics the way Firefox employs to
-manages dependency using idle streams.  We follows the behaviour of
-Firefox Nightly as of April, 2015, and nghttp's behaviour is very
-static and could be different from Firefox in detail.  But reproducing
-the same behaviour of Firefox is not our goal.  The goal is provide
-the easy way to test out the dependency priority in server
-implementation.
-
-When connection is established, nghttp sends 5 PRIORITY frames to idle
-streams 3, 5, 7, 9 and 11 to create "anchor" nodes in dependency
-tree:
-
-.. code-block:: text
-
-                      +-----+
-                      |id=0 |
-                      +-----+
-                     ^   ^   ^
-              w=201 /    |    \ w=1
-                   /     |     \
-                  / w=101|      \
-              +-----+ +-----+ +-----+
-              |id=3 | |id=5 | |id=7 |
-              +-----+ +-----+ +-----+
-                 ^               ^
-             w=1 |           w=1 |
-                 |               |
-              +-----+         +-----+
-              |id=11|         |id=9 |
-              +-----+         +-----+
-
-In the above figure, ``id`` means stream ID, and ``w`` means weight.
-The stream 0 is non-existence stream, and forms the root of the tree.
-The stream 7 and 9 are not used for now.
-
-The URIs given in the command-line depend on stream 11 with the weight
-given in :option:`-p` option, which defaults to 16.
-
-If :option:`-a` option is used, nghttp parses the resource pointed by
-URI given in command-line as html, and extracts resource links from
-it.  When requesting those resources, nghttp uses dependency according
-to its resource type.
-
-For CSS, and Javascript files inside "head" element, they depend on
-stream 3 with the weight 2.  The Javascript files outside "head"
-element depend on stream 5 with the weight 2.  The mages depend on
-stream 11 with the weight 12.  The other resources (e.g., icon) depend
-on stream 11 with the weight 2.
-
 SEE ALSO
 --------
 

doc/nghttp.h2r

@@ -1,56 +1,3 @@
-DEPENDENCY BASED PRIORITY
--------------------------
-
-nghttp sends priority hints to server by default unless
-:option:`--no-dep` is used.  nghttp mimics the way Firefox employs to
-manages dependency using idle streams.  We follows the behaviour of
-Firefox Nightly as of April, 2015, and nghttp's behaviour is very
-static and could be different from Firefox in detail.  But reproducing
-the same behaviour of Firefox is not our goal.  The goal is provide
-the easy way to test out the dependency priority in server
-implementation.
-
-When connection is established, nghttp sends 5 PRIORITY frames to idle
-streams 3, 5, 7, 9 and 11 to create "anchor" nodes in dependency
-tree:
-
-.. code-block:: text
-
-                      +-----+
-                      |id=0 |
-                      +-----+
-                     ^   ^   ^
-              w=201 /    |    \ w=1
-                   /     |     \
-                  / w=101|      \
-              +-----+ +-----+ +-----+
-              |id=3 | |id=5 | |id=7 |
-              +-----+ +-----+ +-----+
-                 ^               ^
-             w=1 |           w=1 |
-                 |               |
-              +-----+         +-----+
-              |id=11|         |id=9 |
-              +-----+         +-----+
-
-In the above figure, ``id`` means stream ID, and ``w`` means weight.
-The stream 0 is non-existence stream, and forms the root of the tree.
-The stream 7 and 9 are not used for now.
-
-The URIs given in the command-line depend on stream 11 with the weight
-given in :option:`-p` option, which defaults to 16.
-
-If :option:`-a` option is used, nghttp parses the resource pointed by
-URI given in command-line as html, and extracts resource links from
-it.  When requesting those resources, nghttp uses dependency according
-to its resource type.
-
-For CSS, and Javascript files inside "head" element, they depend on
-stream 3 with the weight 2.  The Javascript files outside "head"
-element depend on stream 5 with the weight 2.  The mages depend on
-stream 11 with the weight 12.  The other resources (e.g., icon) depend
-on stream 11 with the weight 2.
-
 SEE ALSO
 --------
 

doc/nghttpd.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "NGHTTPD" "1" "Jul 14, 2023" "1.55.1" "nghttp2"
+.TH "NGHTTPD" "1" "Oct 25, 2025" "1.68.0" "nghttp2"
 .SH NAME
 nghttpd \- HTTP/2 server
 .SH SYNOPSIS
@@ -204,13 +204,15 @@ Don\(aqt send content\-length header field.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-ktls
-Enable ktls.
+.B \-\-groups=<GROUPS>
+Specify the supported groups.
+.sp
+Default: \fBX25519:P\-256:P\-384:P\-521\fP
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-no\-rfc7540\-pri
-Disable RFC7540 priorities.
+.B \-\-ktls
+Enable ktls.
 .UNINDENT
 .INDENT 0.0
 .TP

doc/nghttpd.1.rst

@@ -159,14 +159,16 @@ OPTIONS
 
     Don't send content-length header field.
 
+.. option:: --groups=<GROUPS>
+
+    Specify the supported groups.
+
+    Default: ``X25519:P-256:P-384:P-521``
+
 .. option:: --ktls
 
     Enable ktls.
 
-.. option:: --no-rfc7540-pri
-
-    Disable RFC7540 priorities.
-
 .. option:: --version
 
     Display version information and exit.

doc/nghttpx.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "NGHTTPX" "1" "Jul 14, 2023" "1.55.1" "nghttp2"
+.TH "NGHTTPX" "1" "Oct 25, 2025" "1.68.0" "nghttp2"
 .SH NAME
 nghttpx \- HTTP/2 proxy
 .SH SYNOPSIS
@@ -46,8 +46,7 @@ Set  path  to  server\(aqs private  key.   Required  unless
 .TP
 .B <CERT>
 Set  path  to  server\(aqs  certificate.   Required  unless
-\(dqno\-tls\(dq  parameter is  used in  \fI\%\-\-frontend\fP option.   To
-make OCSP stapling work, this must be an absolute path.
+\(dqno\-tls\(dq  parameter is  used in  \fI\%\-\-frontend\fP option.
 .UNINDENT
 .SH OPTIONS
 .sp
@@ -371,7 +370,7 @@ Default: \fBauto\fP
 .TP
 .B \-\-backend\-http\-proxy\-uri=<URI>
 Specify      proxy       URI      in       the      form
-\fI\%http:/\fP/[<USER>:<PASS>@]<PROXY>:<PORT>.    If   a   proxy
+\X'tty: link http:/'\fI\%http:/\fP\X'tty: link'/[<USER>:<PASS>@]<PROXY>:<PORT>.    If   a   proxy
 requires  authentication,  specify  <USER>  and  <PASS>.
 Note that  they must be properly  percent\-encoded.  This
 proxy  is used  when the  backend connection  is HTTP/2.
@@ -555,27 +554,24 @@ this option will be simply ignored.
 .SS Timeout
 .INDENT 0.0
 .TP
-.B \-\-frontend\-http2\-read\-timeout=<DURATION>
-Specify read timeout for HTTP/2 frontend connection.
+.B \-\-frontend\-http2\-idle\-timeout=<DURATION>
+Specify idle timeout for HTTP/2 frontend connection.  If
+no active streams exist for this duration, connection is
+closed.
 .sp
 Default: \fB3m\fP
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-frontend\-http3\-read\-timeout=<DURATION>
-Specify read timeout for HTTP/3 frontend connection.
+.B \-\-frontend\-http3\-idle\-timeout=<DURATION>
+Specify idle timeout for HTTP/3 frontend connection.  If
+no active streams exist for this duration, connection is
+closed.
 .sp
 Default: \fB3m\fP
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-frontend\-read\-timeout=<DURATION>
-Specify read timeout for HTTP/1.1 frontend connection.
-.sp
-Default: \fB1m\fP
-.UNINDENT
-.INDENT 0.0
-.TP
 .B \-\-frontend\-write\-timeout=<DURATION>
 Specify write timeout for all frontend connections.
 .sp
@@ -591,6 +587,17 @@ Default: \fB1m\fP
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-frontend\-header\-timeout=<DURATION>
+Specify  duration  that the  server  waits  for an  HTTP
+request  header fields  to be  received completely.   On
+timeout, HTTP/1 and HTTP/2  connections are closed.  For
+HTTP/3,  the  stream  is shutdown,  and  the  connection
+itself is left intact.
+.sp
+Default: \fB1m\fP
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-\-stream\-read\-timeout=<DURATION>
 Specify  read timeout  for HTTP/2  streams.  0  means no
 timeout.
@@ -680,8 +687,8 @@ Default: \fB2m\fP
 .B \-\-ciphers=<SUITE>
 Set allowed  cipher list  for frontend  connection.  The
 format of the string is described in OpenSSL ciphers(1).
-This option  sets cipher suites for  TLSv1.2 or earlier.
-Use \fI\%\-\-tls13\-ciphers\fP for TLSv1.3.
+This  option  sets  cipher   suites  for  TLSv1.2.   Use
+\fI\%\-\-tls13\-ciphers\fP for TLSv1.3.
 .sp
 Default: \fBECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:ECDHE\-ECDSA\-AES256\-GCM\-SHA384:ECDHE\-RSA\-AES256\-GCM\-SHA384:ECDHE\-ECDSA\-CHACHA20\-POLY1305:ECDHE\-RSA\-CHACHA20\-POLY1305:DHE\-RSA\-AES128\-GCM\-SHA256:DHE\-RSA\-AES256\-GCM\-SHA384\fP
 .UNINDENT
@@ -691,7 +698,7 @@ Default: \fBECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:EC
 Set allowed  cipher list  for frontend  connection.  The
 format of the string is described in OpenSSL ciphers(1).
 This  option  sets  cipher   suites  for  TLSv1.3.   Use
-\fI\%\-\-ciphers\fP for TLSv1.2 or earlier.
+\fI\%\-\-ciphers\fP for TLSv1.2.
 .sp
 Default: \fBTLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256\fP
 .UNINDENT
@@ -700,8 +707,8 @@ Default: \fBTLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_
 .B \-\-client\-ciphers=<SUITE>
 Set  allowed cipher  list for  backend connection.   The
 format of the string is described in OpenSSL ciphers(1).
-This option  sets cipher suites for  TLSv1.2 or earlier.
-Use \fI\%\-\-tls13\-client\-ciphers\fP for TLSv1.3.
+This  option  sets  cipher   suites  for  TLSv1.2.   Use
+\fI\%\-\-tls13\-client\-ciphers\fP for TLSv1.3.
 .sp
 Default: \fBECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:ECDHE\-ECDSA\-AES256\-GCM\-SHA384:ECDHE\-RSA\-AES256\-GCM\-SHA384:ECDHE\-ECDSA\-CHACHA20\-POLY1305:ECDHE\-RSA\-CHACHA20\-POLY1305:DHE\-RSA\-AES128\-GCM\-SHA256:DHE\-RSA\-AES256\-GCM\-SHA384\fP
 .UNINDENT
@@ -711,15 +718,15 @@ Default: \fBECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:EC
 Set  allowed cipher  list for  backend connection.   The
 format of the string is described in OpenSSL ciphers(1).
 This  option  sets  cipher   suites  for  TLSv1.3.   Use
-\fI\%\-\-tls13\-client\-ciphers\fP for TLSv1.2 or earlier.
+\fI\%\-\-client\-ciphers\fP for TLSv1.2.
 .sp
 Default: \fBTLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256\fP
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-ecdh\-curves=<LIST>
-Set  supported  curve  list  for  frontend  connections.
-<LIST> is a  colon separated list of curve  NID or names
+.B \-\-groups=<LIST>
+Set the  supported group list for  frontend connections.
+<LIST> is a  colon separated list of group  NID or names
 in the preference order.  The supported curves depend on
 the  linked  OpenSSL  library.  This  function  requires
 OpenSSL >= 1.0.2.
@@ -737,12 +744,10 @@ enabled for backend connections.
 .B \-\-cacert=<PATH>
 Set path to trusted CA  certificate file.  It is used in
 backend  TLS connections  to verify  peer\(aqs certificate.
-It is also used to  verify OCSP response from the script
-set by \fI\%\-\-fetch\-ocsp\-response\-file\fP\&.  The  file must be in
-PEM format.   It can contain multiple  certificates.  If
-the  linked OpenSSL  is configured  to load  system wide
-certificates, they  are loaded at startup  regardless of
-this option.
+The file must be in PEM format.  It can contain multiple
+certificates.  If  the linked  OpenSSL is  configured to
+load  system  wide  certificates,  they  are  loaded  at
+startup regardless of this option.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -757,13 +762,12 @@ password protected it\(aqll be requested interactively.
 Specify  additional certificate  and  private key  file.
 nghttpx will  choose certificates based on  the hostname
 indicated by client using TLS SNI extension.  If nghttpx
-is  built with  OpenSSL  >= 1.0.2,  the shared  elliptic
-curves (e.g., P\-256) between  client and server are also
-taken into  consideration.  This allows nghttpx  to send
-ECDSA certificate  to modern clients, while  sending RSA
-based certificate to older  clients.  This option can be
-used  multiple  times.   To  make  OCSP  stapling  work,
-<CERTPATH> must be absolute path.
+is built with OpenSSL >= 1.0.2, the signature algorithms
+(e.g., ECDSA+SHA256) presented by  client are also taken
+into consideration.  This allows  nghttpx to send ML\-DSA
+or ECDSA  certificate to  modern clients,  while sending
+RSA based certificate to older clients.  This option can
+be used multiple times.
 .sp
 Additional parameter  can be specified in  <PARAM>.  The
 available <PARAM> is \(dqsct\-dir=<DIR>\(dq.
@@ -783,15 +787,14 @@ available.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-npn\-list=<LIST>
+.B \-\-alpn\-list=<LIST>
 Comma delimited list of  ALPN protocol identifier sorted
 in the  order of preference.  That  means most desirable
-protocol comes  first.  This  is used  in both  ALPN and
-NPN.  The parameter must be  delimited by a single comma
-only  and any  white spaces  are  treated as  a part  of
-protocol string.
+protocol comes  first.  The parameter must  be delimited
+by a single comma only  and any white spaces are treated
+as a part of protocol string.
 .sp
-Default: \fBh2,h2\-16,h2\-14,http/1.1\fP
+Default: \fBh2,http/1.1\fP
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -833,12 +836,8 @@ done in  case\-insensitive manner.  The  versions between
 \fI\%\-\-tls\-min\-proto\-version\fP and  \fI\%\-\-tls\-max\-proto\-version\fP are
 enabled.  If the protocol list advertised by client does
 not  overlap  this range,  you  will  receive the  error
-message \(dqunknown protocol\(dq.  If a protocol version lower
-than TLSv1.2 is specified, make sure that the compatible
-ciphers are  included in \fI\%\-\-ciphers\fP option.   The default
-cipher  list  only   includes  ciphers  compatible  with
-TLSv1.2 or above.  The available versions are:
-TLSv1.3, TLSv1.2, TLSv1.1, and TLSv1.0
+message \(dqunknown protocol\(dq.  The available versions are:
+TLSv1.3 and TLSv1.2
 .sp
 Default: \fBTLSv1.2\fP
 .UNINDENT
@@ -851,7 +850,7 @@ done in  case\-insensitive manner.  The  versions between
 enabled.  If the protocol list advertised by client does
 not  overlap  this range,  you  will  receive the  error
 message \(dqunknown protocol\(dq.  The available versions are:
-TLSv1.3, TLSv1.2, TLSv1.1, and TLSv1.0
+TLSv1.3 and TLSv1.2
 .sp
 Default: \fBTLSv1.3\fP
 .UNINDENT
@@ -955,72 +954,6 @@ get TLS ticket keys.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-fetch\-ocsp\-response\-file=<PATH>
-Path to  fetch\-ocsp\-response script file.  It  should be
-absolute path.
-.sp
-Default: \fB/usr/local/share/nghttp2/fetch\-ocsp\-response\fP
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-ocsp\-update\-interval=<DURATION>
-Set interval to update OCSP response cache.
-.sp
-Default: \fB4h\fP
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-ocsp\-startup
-Start  accepting connections  after initial  attempts to
-get OCSP responses  finish.  It does not  matter some of
-the  attempts  fail.  This  feature  is  useful if  OCSP
-responses   must    be   available    before   accepting
-connections.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-no\-verify\-ocsp
-nghttpx does not verify OCSP response.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-no\-ocsp
-Disable OCSP stapling.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-tls\-session\-cache\-memcached=<HOST>,<PORT>[;tls]
-Specify  address of  memcached server  to store  session
-cache.   This  enables   shared  session  cache  between
-multiple   nghttpx  instances.    Optionally,  memcached
-connection can be encrypted with TLS by specifying \(dqtls\(dq
-parameter.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-tls\-session\-cache\-memcached\-address\-family=(auto|IPv4|IPv6)
-Specify address family of memcached connections to store
-session cache.  If  \(dqauto\(dq is given, both  IPv4 and IPv6
-are considered.   If \(dqIPv4\(dq is given,  only IPv4 address
-is considered.  If \(dqIPv6\(dq is given, only IPv6 address is
-considered.
-.sp
-Default: \fBauto\fP
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-tls\-session\-cache\-memcached\-cert\-file=<PATH>
-Path to client certificate  for memcached connections to
-store session cache.
-.UNINDENT
-.INDENT 0.0
-.TP
-.B \-\-tls\-session\-cache\-memcached\-private\-key\-file=<PATH>
-Path to client private  key for memcached connections to
-store session cache.
-.UNINDENT
-.INDENT 0.0
-.TP
 .B \-\-tls\-dyn\-rec\-warmup\-threshold=<SIZE>
 Specify the  threshold size for TLS  dynamic record size
 behaviour.  During  a TLS  session, after  the threshold
@@ -1050,7 +983,7 @@ Default: \fB1s\fP
 .B \-\-no\-http2\-cipher\-block\-list
 Allow  block  listed  cipher suite  on  frontend  HTTP/2
 connection.                                          See
-\fI\%https://tools.ietf.org/html/rfc7540#appendix\-A\fP  for  the
+\X'tty: link https://tools.ietf.org/html/rfc7540#appendix-A'\fI\%https://tools.ietf.org/html/rfc7540#appendix\-A\fP\X'tty: link'  for  the
 complete HTTP/2 cipher suites block list.
 .UNINDENT
 .INDENT 0.0
@@ -1058,7 +991,7 @@ complete HTTP/2 cipher suites block list.
 .B \-\-client\-no\-http2\-cipher\-block\-list
 Allow  block  listed  cipher  suite  on  backend  HTTP/2
 connection.                                          See
-\fI\%https://tools.ietf.org/html/rfc7540#appendix\-A\fP  for  the
+\X'tty: link https://tools.ietf.org/html/rfc7540#appendix-A'\fI\%https://tools.ietf.org/html/rfc7540#appendix\-A\fP\X'tty: link'  for  the
 complete HTTP/2 cipher suites block list.
 .UNINDENT
 .INDENT 0.0
@@ -1128,8 +1061,7 @@ Default: \fB16K\fP
 .INDENT 0.0
 .TP
 .B \-\-tls\-ktls
-Enable   ktls.    For   server,  ktls   is   enable   if
-\fI\%\-\-tls\-session\-cache\-memcached\fP is not configured.
+Enable ktls.
 .UNINDENT
 .SS HTTP/2
 .INDENT 0.0
@@ -1546,18 +1478,20 @@ in HTTP/2 frontend.
 .TP
 .B \-\-add\-request\-header=<HEADER>
 Specify additional header field to add to request header
-set.  This  option just  appends header field  and won\(aqt
-replace anything  already set.  This option  can be used
-several  times   to  specify  multiple   header  fields.
+set.   The field  name must  be lowercase.   This option
+just  appends header  field and  won\(aqt replace  anything
+already set.  This  option can be used  several times to
+specify multiple header fields.
 Example: \fI\%\-\-add\-request\-header\fP=\(dqfoo: bar\(dq
 .UNINDENT
 .INDENT 0.0
 .TP
 .B \-\-add\-response\-header=<HEADER>
 Specify  additional  header  field to  add  to  response
-header set.   This option just appends  header field and
-won\(aqt replace anything already  set.  This option can be
-used several  times to  specify multiple  header fields.
+header  set.  The  field name  must be  lowercase.  This
+option  just  appends  header field  and  won\(aqt  replace
+anything already  set.  This option can  be used several
+times to specify multiple header fields.
 Example: \fI\%\-\-add\-response\-header\fP=\(dqfoo: bar\(dq
 .UNINDENT
 .INDENT 0.0
@@ -1666,7 +1600,7 @@ initial  DNS  query.  For  the  2nd  and later  queries,
 server is  given time based  on this timeout, and  it is
 scaled linearly.
 .sp
-Default: \fB5s\fP
+Default: \fB250ms\fP
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -1674,7 +1608,7 @@ Default: \fB5s\fP
 Set the number of DNS query before nghttpx gives up name
 lookup.
 .sp
-Default: \fB2\fP
+Default: \fB3\fP
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -1832,8 +1766,8 @@ NEW_TOKEN frame in the previous connection.
 .TP
 .B \-\-frontend\-quic\-congestion\-controller=<CC>
 Specify a congestion controller algorithm for a frontend
-QUIC connection.  <CC> should  be one of \(dqcubic\(dq, \(dqbbr\(dq,
-and \(dqbbr2\(dq.
+QUIC  connection.   <CC>  should be  either  \(dqcubic\(dq  or
+\(dqbbr\(dq.
 .sp
 Default: \fBcubic\fP
 .UNINDENT
@@ -1845,12 +1779,12 @@ as QUIC keying materials.  It is used to derive keys for
 encrypting tokens and Connection IDs.  It is not used to
 encrypt  QUIC  packets.  Each  line  of  this file  must
 contain  exactly  136  bytes  hex\-encoded  string  (when
-decoded the byte string is  68 bytes long).  The first 2
+decoded the byte string is  68 bytes long).  The first 3
 bits of  decoded byte  string are  used to  identify the
 keying material.  An  empty line or a  line which starts
 \(aq#\(aq  is ignored.   The file  can contain  more than  one
-keying materials.  Because the  identifier is 2 bits, at
-most 4 keying materials are  read and the remaining data
+keying materials.  Because the  identifier is 3 bits, at
+most 8 keying materials are  read and the remaining data
 is discarded.  The first keying  material in the file is
 primarily  used for  encryption and  decryption for  new
 connection.  The other ones are used to decrypt data for
@@ -1994,11 +1928,9 @@ request header field, do this:
 .INDENT 7.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 add\-request\-header=foo: bar
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -2006,11 +1938,9 @@ instead of:
 .INDENT 7.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 add\-request\-header=\(dqfoo: bar\(dq
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -2107,20 +2037,18 @@ than main process.
 .SH SERVER PUSH
 .sp
 nghttpx supports HTTP/2 server push in default mode with Link header
-field.  nghttpx looks for Link header field (\fI\%RFC 5988\fP) in response headers from
+field.  nghttpx looks for Link header field (\X'tty: link http://tools.ietf.org/html/rfc5988'\fI\%RFC 5988\fP\X'tty: link') in response headers from
 backend server and extracts URI\-reference with parameter
-\fBrel=preload\fP (see \fI\%preload\fP)
+\fBrel=preload\fP (see \X'tty: link http://w3c.github.io/preload/#interoperability-with-http-link-header'\fI\%preload\fP\X'tty: link')
 and pushes those URIs to the frontend client. Here is a sample Link
 header field to initiate server push:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 Link: </fonts/font.woff>; rel=preload
 Link: </css/theme.css>; rel=preload
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -2151,35 +2079,6 @@ specified socket already exists in the file system, nghttpx first
 deletes it.  However, if SIGUSR2 is used to execute new binary and
 both old and new configurations use same filename, new binary does not
 delete the socket and continues to use it.
-.SH OCSP STAPLING
-.sp
-OCSP query is done using external Python script
-\fBfetch\-ocsp\-response\fP, which has been originally developed in Perl
-as part of h2o project (\fI\%https://github.com/h2o/h2o\fP), and was
-translated into Python.
-.sp
-The script file is usually installed under
-\fB$(prefix)/share/nghttp2/\fP directory.  The actual path to script can
-be customized using \fI\%\-\-fetch\-ocsp\-response\-file\fP option.
-.sp
-If OCSP query is failed, previous OCSP response, if any, is continued
-to be used.
-.sp
-\fI\%\-\-fetch\-ocsp\-response\-file\fP option provides wide range of
-possibility to manage OCSP response.  It can take an arbitrary script
-or executable.  The requirement is that it supports the command\-line
-interface of \fBfetch\-ocsp\-response\fP script, and it must return a
-valid DER encoded OCSP response on success.  It must return exit code
-0 on success, and 75 for temporary error, and the other error code for
-generic failure.  For large cluster of servers, it is not efficient
-for each server to perform OCSP query using \fBfetch\-ocsp\-response\fP\&.
-Instead, you can retrieve OCSP response in some way, and store it in a
-disk or a shared database.  Then specify a program in
-\fI\%\-\-fetch\-ocsp\-response\-file\fP to fetch it from those stores.
-This could provide a way to share the OCSP response between fleet of
-servers, and also any OCSP query strategy can be applied which may be
-beyond the ability of nghttpx itself or \fBfetch\-ocsp\-response\fP
-script.
 .SH TLS SESSION RESUMPTION
 .sp
 nghttpx supports TLS session resumption through both session ID and
@@ -2187,16 +2086,6 @@ session ticket.
 .SS SESSION ID RESUMPTION
 .sp
 By default, session ID is shared by all worker threads.
-.sp
-If \fI\%\-\-tls\-session\-cache\-memcached\fP is given, nghttpx will
-insert serialized session data to memcached with
-\fBnghttpx:tls\-session\-cache:\fP + lowercase hex string of session ID
-as a memcached entry key, with expiry time 12 hours.  Session timeout
-is set to 12 hours.
-.sp
-By default, connections to memcached server are not encrypted.  To
-enable encryption, use \fBtls\fP keyword in
-\fI\%\-\-tls\-session\-cache\-memcached\fP option.
 .SS TLS SESSION TICKET RESUMPTION
 .sp
 By default, session ticket is shared by all worker threads.  The
@@ -2215,8 +2104,7 @@ memcached is the binary format described below:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 +\-\-\-\-\-\-\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
 | VERSION (4)  |LEN (2)|KEY(48 or 80) ...
 +\-\-\-\-\-\-\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
@@ -2224,8 +2112,7 @@ memcached is the binary format described below:
                |                        |
                +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
                (LEN, KEY) pair can be repeated
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -2251,15 +2138,15 @@ automatically.  To rotate key, one has to restart nghttpx (see
 SIGNALS).
 .SH CERTIFICATE TRANSPARENCY
 .sp
-nghttpx supports TLS \fBsigned_certificate_timestamp\fP extension (\fI\%RFC
-6962\fP).  The relevant options
+nghttpx supports TLS \fBsigned_certificate_timestamp\fP extension (\X'tty: link https://tools.ietf.org/html/rfc6962'\fI\%RFC
+6962\fP\X'tty: link').  The relevant options
 are \fI\%\-\-tls\-sct\-dir\fP and \fBsct\-dir\fP parameter in
 \fI\%\-\-subcert\fP\&.  They takes a directory, and nghttpx reads all
 files whose extension is \fB\&.sct\fP under the directory.  The \fB*.sct\fP
 files are encoded as \fBSignedCertificateTimestamp\fP struct described
-in \fI\%section 3.2 of RFC 69662\fP\&.  This format is
-the same one used by \fI\%nginx\-ct\fP and \fI\%mod_ssl_ct\fP\&.
-\fI\%ct\-submit\fP can be
+in \X'tty: link https://tools.ietf.org/html/rfc6962#section-3.2'\fI\%section 3.2 of RFC 69662\fP\X'tty: link'\&.  This format is
+the same one used by \X'tty: link https://github.com/grahamedgecombe/nginx-ct'\fI\%nginx\-ct\fP\X'tty: link' and \X'tty: link https://httpd.apache.org/docs/trunk/mod/mod_ssl_ct.html'\fI\%mod_ssl_ct\fP\X'tty: link'\&.
+\X'tty: link https://github.com/grahamedgecombe/ct-submit'\fI\%ct\-submit\fP\X'tty: link' can be
 used to submit certificates to log servers, and obtain the
 \fBSignedCertificateTimestamp\fP struct which can be used with nghttpx.
 .SH MRUBY SCRIPTING
@@ -2503,7 +2390,7 @@ On assignment, copy of given value is assigned.  The path does
 not include authority component of URI.  This may include
 query component.  nghttpx makes certain normalization for
 path.  It decodes percent\-encoding for unreserved characters
-(see \fI\%https://tools.ietf.org/html/rfc3986#section\-2.3\fP), and
+(see \X'tty: link https://tools.ietf.org/html/rfc3986#section-2.3'\fI\%https://tools.ietf.org/html/rfc3986#section\-2.3\fP\X'tty: link'), and
 resolves \(dq..\(dq and \(dq.\(dq.  But it may leave characters which
 should be percent\-encoded as is. So be careful when comparing
 path against desired string.
@@ -2642,8 +2529,7 @@ Modify request path:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 class App
   def on_req(env)
     env.req.path = \(dq/apps#{env.req.path}\(dq
@@ -2651,8 +2537,7 @@ class App
 end
 
 App.new
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .sp
@@ -2663,8 +2548,7 @@ addresses:
 .INDENT 0.0
 .INDENT 3.5
 .sp
-.nf
-.ft C
+.EX
 class App
   def on_req(env)
     allowed_clients = [\(dq127.0.0.1\(dq, \(dq::1\(dq]
@@ -2678,8 +2562,7 @@ class App
 end
 
 App.new
-.ft P
-.fi
+.EE
 .UNINDENT
 .UNINDENT
 .SH API ENDPOINTS

doc/nghttpx.1.rst

@@ -25,8 +25,7 @@ A reverse proxy for HTTP/3, HTTP/2, and HTTP/1.
 .. describe:: <CERT>
 
     Set  path  to  server's  certificate.   Required  unless
-    "no-tls"  parameter is  used in  :option:`--frontend` option.   To
-    make OCSP stapling work, this must be an absolute path.
+    "no-tls"  parameter is  used in  :option:`--frontend` option.
 
 
 OPTIONS
@@ -522,24 +521,22 @@ Performance
 Timeout
 ~~~~~~~
 
-.. option:: --frontend-http2-read-timeout=<DURATION>
+.. option:: --frontend-http2-idle-timeout=<DURATION>
 
-    Specify read timeout for HTTP/2 frontend connection.
+    Specify idle timeout for HTTP/2 frontend connection.  If
+    no active streams exist for this duration, connection is
+    closed.
 
     Default: ``3m``
 
-.. option:: --frontend-http3-read-timeout=<DURATION>
+.. option:: --frontend-http3-idle-timeout=<DURATION>
 
-    Specify read timeout for HTTP/3 frontend connection.
+    Specify idle timeout for HTTP/3 frontend connection.  If
+    no active streams exist for this duration, connection is
+    closed.
 
     Default: ``3m``
 
-.. option:: --frontend-read-timeout=<DURATION>
-
-    Specify read timeout for HTTP/1.1 frontend connection.
-
-    Default: ``1m``
-
 .. option:: --frontend-write-timeout=<DURATION>
 
     Specify write timeout for all frontend connections.
@@ -553,6 +550,16 @@ Timeout
 
     Default: ``1m``
 
+.. option:: --frontend-header-timeout=<DURATION>
+
+    Specify  duration  that the  server  waits  for an  HTTP
+    request  header fields  to be  received completely.   On
+    timeout, HTTP/1 and HTTP/2  connections are closed.  For
+    HTTP/3,  the  stream  is shutdown,  and  the  connection
+    itself is left intact.
+
+    Default: ``1m``
+
 .. option:: --stream-read-timeout=<DURATION>
 
     Specify  read timeout  for HTTP/2  streams.  0  means no
@@ -636,8 +643,8 @@ SSL/TLS
 
     Set allowed  cipher list  for frontend  connection.  The
     format of the string is described in OpenSSL ciphers(1).
-    This option  sets cipher suites for  TLSv1.2 or earlier.
-    Use :option:`--tls13-ciphers` for TLSv1.3.
+    This  option  sets  cipher   suites  for  TLSv1.2.   Use
+    :option:`--tls13-ciphers` for TLSv1.3.
 
     Default: ``ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384``
 
@@ -646,7 +653,7 @@ SSL/TLS
     Set allowed  cipher list  for frontend  connection.  The
     format of the string is described in OpenSSL ciphers(1).
     This  option  sets  cipher   suites  for  TLSv1.3.   Use
-    :option:`--ciphers` for TLSv1.2 or earlier.
+    :option:`--ciphers` for TLSv1.2.
 
     Default: ``TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256``
 
@@ -654,8 +661,8 @@ SSL/TLS
 
     Set  allowed cipher  list for  backend connection.   The
     format of the string is described in OpenSSL ciphers(1).
-    This option  sets cipher suites for  TLSv1.2 or earlier.
-    Use :option:`--tls13-client-ciphers` for TLSv1.3.
+    This  option  sets  cipher   suites  for  TLSv1.2.   Use
+    :option:`--tls13-client-ciphers` for TLSv1.3.
 
     Default: ``ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384``
 
@@ -664,14 +671,14 @@ SSL/TLS
     Set  allowed cipher  list for  backend connection.   The
     format of the string is described in OpenSSL ciphers(1).
     This  option  sets  cipher   suites  for  TLSv1.3.   Use
-    :option:`--tls13-client-ciphers` for TLSv1.2 or earlier.
+    :option:`--client-ciphers` for TLSv1.2.
 
     Default: ``TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256``
 
-.. option:: --ecdh-curves=<LIST>
+.. option:: --groups=<LIST>
 
-    Set  supported  curve  list  for  frontend  connections.
-    <LIST> is a  colon separated list of curve  NID or names
+    Set the  supported group list for  frontend connections.
+    <LIST> is a  colon separated list of group  NID or names
     in the preference order.  The supported curves depend on
     the  linked  OpenSSL  library.  This  function  requires
     OpenSSL >= 1.0.2.
@@ -687,12 +694,10 @@ SSL/TLS
 
     Set path to trusted CA  certificate file.  It is used in
     backend  TLS connections  to verify  peer's certificate.
-    It is also used to  verify OCSP response from the script
-    set by :option:`--fetch-ocsp-response-file`\.  The  file must be in
-    PEM format.   It can contain multiple  certificates.  If
-    the  linked OpenSSL  is configured  to load  system wide
-    certificates, they  are loaded at startup  regardless of
-    this option.
+    The file must be in PEM format.  It can contain multiple
+    certificates.  If  the linked  OpenSSL is  configured to
+    load  system  wide  certificates,  they  are  loaded  at
+    startup regardless of this option.
 
 .. option:: --private-key-passwd-file=<PATH>
 
@@ -705,13 +710,12 @@ SSL/TLS
     Specify  additional certificate  and  private key  file.
     nghttpx will  choose certificates based on  the hostname
     indicated by client using TLS SNI extension.  If nghttpx
-    is  built with  OpenSSL  >= 1.0.2,  the shared  elliptic
-    curves (e.g., P-256) between  client and server are also
-    taken into  consideration.  This allows nghttpx  to send
-    ECDSA certificate  to modern clients, while  sending RSA
-    based certificate to older  clients.  This option can be
-    used  multiple  times.   To  make  OCSP  stapling  work,
-    <CERTPATH> must be absolute path.
+    is built with OpenSSL >= 1.0.2, the signature algorithms
+    (e.g., ECDSA+SHA256) presented by  client are also taken
+    into consideration.  This allows  nghttpx to send ML-DSA
+    or ECDSA  certificate to  modern clients,  while sending
+    RSA based certificate to older clients.  This option can
+    be used multiple times.
 
     Additional parameter  can be specified in  <PARAM>.  The
     available <PARAM> is "sct-dir=<DIR>".
@@ -728,16 +732,15 @@ SSL/TLS
     Without  this   option,  DHE   cipher  suites   are  not
     available.
 
-.. option:: --npn-list=<LIST>
+.. option:: --alpn-list=<LIST>
 
     Comma delimited list of  ALPN protocol identifier sorted
     in the  order of preference.  That  means most desirable
-    protocol comes  first.  This  is used  in both  ALPN and
-    NPN.  The parameter must be  delimited by a single comma
-    only  and any  white spaces  are  treated as  a part  of
-    protocol string.
+    protocol comes  first.  The parameter must  be delimited
+    by a single comma only  and any white spaces are treated
+    as a part of protocol string.
 
-    Default: ``h2,h2-16,h2-14,http/1.1``
+    Default: ``h2,http/1.1``
 
 .. option:: --verify-client
 
@@ -773,12 +776,8 @@ SSL/TLS
     :option:`--tls-min-proto-version` and  :option:`\--tls-max-proto-version` are
     enabled.  If the protocol list advertised by client does
     not  overlap  this range,  you  will  receive the  error
-    message "unknown protocol".  If a protocol version lower
-    than TLSv1.2 is specified, make sure that the compatible
-    ciphers are  included in :option:`--ciphers` option.   The default
-    cipher  list  only   includes  ciphers  compatible  with
-    TLSv1.2 or above.  The available versions are:
-    TLSv1.3, TLSv1.2, TLSv1.1, and TLSv1.0
+    message "unknown protocol".  The available versions are:
+    TLSv1.3 and TLSv1.2
 
     Default: ``TLSv1.2``
 
@@ -790,7 +789,7 @@ SSL/TLS
     enabled.  If the protocol list advertised by client does
     not  overlap  this range,  you  will  receive the  error
     message "unknown protocol".  The available versions are:
-    TLSv1.3, TLSv1.2, TLSv1.1, and TLSv1.0
+    TLSv1.3 and TLSv1.2
 
     Default: ``TLSv1.3``
 
@@ -883,63 +882,6 @@ SSL/TLS
     Path to client private  key for memcached connections to
     get TLS ticket keys.
 
-.. option:: --fetch-ocsp-response-file=<PATH>
-
-    Path to  fetch-ocsp-response script file.  It  should be
-    absolute path.
-
-    Default: ``/usr/local/share/nghttp2/fetch-ocsp-response``
-
-.. option:: --ocsp-update-interval=<DURATION>
-
-    Set interval to update OCSP response cache.
-
-    Default: ``4h``
-
-.. option:: --ocsp-startup
-
-    Start  accepting connections  after initial  attempts to
-    get OCSP responses  finish.  It does not  matter some of
-    the  attempts  fail.  This  feature  is  useful if  OCSP
-    responses   must    be   available    before   accepting
-    connections.
-
-.. option:: --no-verify-ocsp
-
-    nghttpx does not verify OCSP response.
-
-.. option:: --no-ocsp
-
-    Disable OCSP stapling.
-
-.. option:: --tls-session-cache-memcached=<HOST>,<PORT>[;tls]
-
-    Specify  address of  memcached server  to store  session
-    cache.   This  enables   shared  session  cache  between
-    multiple   nghttpx  instances.    Optionally,  memcached
-    connection can be encrypted with TLS by specifying "tls"
-    parameter.
-
-.. option:: --tls-session-cache-memcached-address-family=(auto|IPv4|IPv6)
-
-    Specify address family of memcached connections to store
-    session cache.  If  "auto" is given, both  IPv4 and IPv6
-    are considered.   If "IPv4" is given,  only IPv4 address
-    is considered.  If "IPv6" is given, only IPv6 address is
-    considered.
-
-    Default: ``auto``
-
-.. option:: --tls-session-cache-memcached-cert-file=<PATH>
-
-    Path to client certificate  for memcached connections to
-    store session cache.
-
-.. option:: --tls-session-cache-memcached-private-key-file=<PATH>
-
-    Path to client private  key for memcached connections to
-    store session cache.
-
 .. option:: --tls-dyn-rec-warmup-threshold=<SIZE>
 
     Specify the  threshold size for TLS  dynamic record size
@@ -1039,8 +981,7 @@ SSL/TLS
 
 .. option:: --tls-ktls
 
-    Enable   ktls.    For   server,  ktls   is   enable   if
-    :option:`--tls-session-cache-memcached` is not configured.
+    Enable ktls.
 
 
 HTTP/2
@@ -1402,17 +1343,19 @@ HTTP
 .. option:: --add-request-header=<HEADER>
 
     Specify additional header field to add to request header
-    set.  This  option just  appends header field  and won't
-    replace anything  already set.  This option  can be used
-    several  times   to  specify  multiple   header  fields.
+    set.   The field  name must  be lowercase.   This option
+    just  appends header  field and  won't replace  anything
+    already set.  This  option can be used  several times to
+    specify multiple header fields.
     Example: :option:`--add-request-header`\="foo: bar"
 
 .. option:: --add-response-header=<HEADER>
 
     Specify  additional  header  field to  add  to  response
-    header set.   This option just appends  header field and
-    won't replace anything already  set.  This option can be
-    used several  times to  specify multiple  header fields.
+    header  set.  The  field name  must be  lowercase.  This
+    option  just  appends  header field  and  won't  replace
+    anything already  set.  This option can  be used several
+    times to specify multiple header fields.
     Example: :option:`--add-response-header`\="foo: bar"
 
 .. option:: --request-header-field-buffer=<SIZE>
@@ -1515,14 +1458,14 @@ DNS
     server is  given time based  on this timeout, and  it is
     scaled linearly.
 
-    Default: ``5s``
+    Default: ``250ms``
 
 .. option:: --dns-max-try=<N>
 
     Set the number of DNS query before nghttpx gives up name
     lookup.
 
-    Default: ``2``
+    Default: ``3``
 
 .. option:: --frontend-max-requests=<N>
 
@@ -1673,8 +1616,8 @@ HTTP/3 and QUIC
 .. option:: --frontend-quic-congestion-controller=<CC>
 
     Specify a congestion controller algorithm for a frontend
-    QUIC connection.  <CC> should  be one of "cubic", "bbr",
-    and "bbr2".
+    QUIC  connection.   <CC>  should be  either  "cubic"  or
+    "bbr".
 
     Default: ``cubic``
 
@@ -1685,12 +1628,12 @@ HTTP/3 and QUIC
     encrypting tokens and Connection IDs.  It is not used to
     encrypt  QUIC  packets.  Each  line  of  this file  must
     contain  exactly  136  bytes  hex-encoded  string  (when
-    decoded the byte string is  68 bytes long).  The first 2
+    decoded the byte string is  68 bytes long).  The first 3
     bits of  decoded byte  string are  used to  identify the
     keying material.  An  empty line or a  line which starts
     '#'  is ignored.   The file  can contain  more than  one
-    keying materials.  Because the  identifier is 2 bits, at
-    most 4 keying materials are  read and the remaining data
+    keying materials.  Because the  identifier is 3 bits, at
+    most 8 keying materials are  read and the remaining data
     is discarded.  The first keying  material in the file is
     primarily  used for  encryption and  decryption for  new
     connection.  The other ones are used to decrypt data for
@@ -1962,37 +1905,6 @@ deletes it.  However, if SIGUSR2 is used to execute new binary and
 both old and new configurations use same filename, new binary does not
 delete the socket and continues to use it.
 
-OCSP STAPLING
--------------
-
-OCSP query is done using external Python script
-``fetch-ocsp-response``, which has been originally developed in Perl
-as part of h2o project (https://github.com/h2o/h2o), and was
-translated into Python.
-
-The script file is usually installed under
-``$(prefix)/share/nghttp2/`` directory.  The actual path to script can
-be customized using :option:`--fetch-ocsp-response-file` option.
-
-If OCSP query is failed, previous OCSP response, if any, is continued
-to be used.
-
-:option:`--fetch-ocsp-response-file` option provides wide range of
-possibility to manage OCSP response.  It can take an arbitrary script
-or executable.  The requirement is that it supports the command-line
-interface of ``fetch-ocsp-response`` script, and it must return a
-valid DER encoded OCSP response on success.  It must return exit code
-0 on success, and 75 for temporary error, and the other error code for
-generic failure.  For large cluster of servers, it is not efficient
-for each server to perform OCSP query using ``fetch-ocsp-response``.
-Instead, you can retrieve OCSP response in some way, and store it in a
-disk or a shared database.  Then specify a program in
-:option:`--fetch-ocsp-response-file` to fetch it from those stores.
-This could provide a way to share the OCSP response between fleet of
-servers, and also any OCSP query strategy can be applied which may be
-beyond the ability of nghttpx itself or ``fetch-ocsp-response``
-script.
-
 TLS SESSION RESUMPTION
 ----------------------
 
@@ -2004,16 +1916,6 @@ SESSION ID RESUMPTION
 
 By default, session ID is shared by all worker threads.
 
-If :option:`--tls-session-cache-memcached` is given, nghttpx will
-insert serialized session data to memcached with
-``nghttpx:tls-session-cache:`` + lowercase hex string of session ID
-as a memcached entry key, with expiry time 12 hours.  Session timeout
-is set to 12 hours.
-
-By default, connections to memcached server are not encrypted.  To
-enable encryption, use ``tls`` keyword in
-:option:`--tls-session-cache-memcached` option.
-
 TLS SESSION TICKET RESUMPTION
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

doc/nghttpx.h2r

@@ -156,37 +156,6 @@ deletes it.  However, if SIGUSR2 is used to execute new binary and
 both old and new configurations use same filename, new binary does not
 delete the socket and continues to use it.
 
-OCSP STAPLING
--------------
-
-OCSP query is done using external Python script
-``fetch-ocsp-response``, which has been originally developed in Perl
-as part of h2o project (https://github.com/h2o/h2o), and was
-translated into Python.
-
-The script file is usually installed under
-``$(prefix)/share/nghttp2/`` directory.  The actual path to script can
-be customized using :option:`--fetch-ocsp-response-file` option.
-
-If OCSP query is failed, previous OCSP response, if any, is continued
-to be used.
-
-:option:`--fetch-ocsp-response-file` option provides wide range of
-possibility to manage OCSP response.  It can take an arbitrary script
-or executable.  The requirement is that it supports the command-line
-interface of ``fetch-ocsp-response`` script, and it must return a
-valid DER encoded OCSP response on success.  It must return exit code
-0 on success, and 75 for temporary error, and the other error code for
-generic failure.  For large cluster of servers, it is not efficient
-for each server to perform OCSP query using ``fetch-ocsp-response``.
-Instead, you can retrieve OCSP response in some way, and store it in a
-disk or a shared database.  Then specify a program in
-:option:`--fetch-ocsp-response-file` to fetch it from those stores.
-This could provide a way to share the OCSP response between fleet of
-servers, and also any OCSP query strategy can be applied which may be
-beyond the ability of nghttpx itself or ``fetch-ocsp-response``
-script.
-
 TLS SESSION RESUMPTION
 ----------------------
 
@@ -198,16 +167,6 @@ SESSION ID RESUMPTION
 
 By default, session ID is shared by all worker threads.
 
-If :option:`--tls-session-cache-memcached` is given, nghttpx will
-insert serialized session data to memcached with
-``nghttpx:tls-session-cache:`` + lowercase hex string of session ID
-as a memcached entry key, with expiry time 12 hours.  Session timeout
-is set to 12 hours.
-
-By default, connections to memcached server are not encrypted.  To
-enable encryption, use ``tls`` keyword in
-:option:`--tls-session-cache-memcached` option.
-
 TLS SESSION TICKET RESUMPTION
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

doc/programmers-guide.rst

@@ -40,28 +40,28 @@ most event-based architecture applications use is single thread per
 core, and handling one connection I/O is done by single thread.
 
 To feed input to :type:`nghttp2_session` object, one can use
-`nghttp2_session_recv()` or `nghttp2_session_mem_recv()` functions.
+`nghttp2_session_recv()` or `nghttp2_session_mem_recv2()` functions.
 They behave similarly, and the difference is that
 `nghttp2_session_recv()` will use :type:`nghttp2_read_callback` to get
-input.  On the other hand, `nghttp2_session_mem_recv()` will take
-input as its parameter.  If in doubt, use `nghttp2_session_mem_recv()`
-since it is simpler, and could be faster since it avoids calling
-callback function.
+input.  On the other hand, `nghttp2_session_mem_recv2()` will take
+input as its parameter.  If in doubt, use
+`nghttp2_session_mem_recv2()` since it is simpler, and could be faster
+since it avoids calling callback function.
 
 To get output from :type:`nghttp2_session` object, one can use
-`nghttp2_session_send()` or `nghttp2_session_mem_send()`.  The
+`nghttp2_session_send()` or `nghttp2_session_mem_send2()`.  The
 difference between them is that the former uses
 :type:`nghttp2_send_callback` to pass output to an application.  On
 the other hand, the latter returns the output to the caller.  If in
-doubt, use `nghttp2_session_mem_send()` since it is simpler.  But
+doubt, use `nghttp2_session_mem_send2()` since it is simpler.  But
 `nghttp2_session_send()` might be easier to use if the output buffer
 an application has is fixed sized.
 
-In general, an application should call `nghttp2_session_mem_send()`
+In general, an application should call `nghttp2_session_mem_send2()`
 when it gets input from underlying connection.  Since there is great
 chance to get something pushed into transmission queue while the call
-of `nghttp2_session_mem_send()`, it is recommended to call
-`nghttp2_session_mem_recv()` after `nghttp2_session_mem_send()`.
+of `nghttp2_session_mem_send2()`, it is recommended to call
+`nghttp2_session_mem_recv2()` after `nghttp2_session_mem_send2()`.
 
 There is a question when we are safe to close HTTP/2 session without
 waiting for the closure of underlying connection.  We offer 2 API
@@ -70,7 +70,7 @@ calls for this: `nghttp2_session_want_read()` and
 can destroy :type:`nghttp2_session`, and then close the underlying
 connection.  But make sure that the buffered output has been
 transmitted to the peer before closing the connection when
-`nghttp2_session_mem_send()` is used, since
+`nghttp2_session_mem_send2()` is used, since
 `nghttp2_session_want_write()` does not take into account the
 transmission of the buffered data outside of :type:`nghttp2_session`.
 
@@ -87,18 +87,18 @@ The header files are also available online: :doc:`nghttp2.h` and
 Remarks
 -------
 
-Do not call `nghttp2_session_send()`, `nghttp2_session_mem_send()`,
-`nghttp2_session_recv()` or `nghttp2_session_mem_recv()` from the
+Do not call `nghttp2_session_send()`, `nghttp2_session_mem_send2()`,
+`nghttp2_session_recv()` or `nghttp2_session_mem_recv2()` from the
 nghttp2 callback functions directly or indirectly. It will lead to the
 crash.  You can submit requests or frames in the callbacks then call
 these functions outside the callbacks.
 
-`nghttp2_session_send()` and `nghttp2_session_mem_send()` send first
+`nghttp2_session_send()` and `nghttp2_session_mem_send2()` send first
 24 bytes of client magic string (MAGIC)
 (:macro:`NGHTTP2_CLIENT_MAGIC`) on client configuration.  The
 applications are responsible to send SETTINGS frame as part of
 connection preface using `nghttp2_submit_settings()`.  Similarly,
-`nghttp2_session_recv()` and `nghttp2_session_mem_recv()` consume
+`nghttp2_session_recv()` and `nghttp2_session_mem_recv2()` consume
 MAGIC on server configuration unless
 `nghttp2_option_set_no_recv_client_magic()` is used with nonzero
 option value.
@@ -222,7 +222,7 @@ above, the following code does not work:
 
 .. code-block:: c
 
-    nghttp2_submit_response(...)
+    nghttp2_submit_response2(...)
     nghttp2_submit_rst_stream(...)
 
 RST_STREAM cancels HEADERS (and DATA), and just RST_STREAM is sent.
@@ -258,9 +258,9 @@ For example, we will illustrate how to send `ALTSVC
       const char *field;
     } alt_svc;
 
-    ssize_t pack_extension_callback(nghttp2_session *session, uint8_t *buf,
-                                    size_t len, const nghttp2_frame *frame,
-                                    void *user_data) {
+    nghttp2_ssize pack_extension_callback(nghttp2_session *session, uint8_t *buf,
+                                          size_t len, const nghttp2_frame *frame,
+                                          void *user_data) {
       const alt_svc *altsvc = (const alt_svc *)frame->ext.payload;
       size_t originlen = strlen(altsvc->origin);
       size_t fieldlen = strlen(altsvc->field);
@@ -482,45 +482,26 @@ be called as usual.
 Stream priorities
 -----------------
 
-By default, the stream prioritization scheme described in :rfc:`7540`
-is used.  This scheme has been formally deprecated by :rfc:`9113`.  In
-order to disable it, send
+The stream prioritization scheme described in :rfc:`7540`, which has
+been formally deprecated by :rfc:`9113`, has been removed.  An
+application is advised to send
 :enum:`nghttp2_settings_id.NGHTTP2_SETTINGS_NO_RFC7540_PRIORITIES` of
-value of 1 via `nghttp2_submit_settings()`.  This settings ID is
-defined by :rfc:`9218`.  The sender of this settings value disables
-RFC 7540 priorities, and instead it enables RFC 9218 Extensible
-Prioritization Scheme.  This new prioritization scheme has 2 methods
-to convey the stream priorities to a remote endpoint: Priority header
-field and PRIORITY_UPDATE frame.  nghttp2 supports both methods.  In
-order to receive and process PRIORITY_UPDATE frame, server has to call
-``nghttp2_option_set_builtin_recv_extension_type(option,
-NGHTTP2_PRIORITY_UPDATE)`` (see the above section), and pass the
-option to `nghttp2_session_server_new2()` or
+value of 1 via `nghttp2_submit_settings()`, and migrate to
+:rfc:`9218`.
+
+The sender of this settings value disables :rfc:`7540` priorities, and
+instead it enables :rfc:`9218` Extensible Prioritization Scheme.  This
+new prioritization scheme has 2 methods to convey the stream
+priorities to a remote endpoint: Priority header field and
+PRIORITY_UPDATE frame.  nghttp2 supports both methods.  In order to
+receive and process PRIORITY_UPDATE frame, server has to call
+`nghttp2_option_set_builtin_recv_extension_type()` with
+NGHTTP2_PRIORITY_UPDATE as type argument (see the above section), and
+pass the option to `nghttp2_session_server_new2()` or
 `nghttp2_session_server_new3()` to create a server session.  Client
-can send Priority header field via `nghttp2_submit_request()`.  It can
-also send PRIORITY_UPDATE frame via
+can send Priority header field via `nghttp2_submit_request2()`.  It
+can also send PRIORITY_UPDATE frame via
 `nghttp2_submit_priority_update()`.  Server processes Priority header
 field in a request header field and updates the stream priority unless
 HTTP messaging rule enforcement is disabled (see
 `nghttp2_option_set_no_http_messaging()`).
-
-For the purpose of smooth migration from RFC 7540 priorities, client
-is advised to send
-:enum:`nghttp2_settings_id.NGHTTP2_SETTINGS_NO_RFC7540_PRIORITIES` of
-value of 1.  Until it receives the first server SETTINGS frame, it can
-send both RFC 7540 and RFC 9128 priority signals.  If client receives
-SETTINGS_NO_RFC7540_PRIORITIES of value of 0, or it is omitted ,
-client stops sending PRIORITY_UPDATE frame.  Priority header field
-will be sent in anyway since it is an end-to-end signal.  If
-SETTINGS_NO_RFC7540_PRIORITIES of value of 1 is received, client stops
-sending RFC 7540 priority signals.  This is the advice described in
-:rfc:`9218#section-2.1.1`.
-
-Server has an optional mechanism to fallback to RFC 7540 priorities.
-By default, if server sends SETTINGS_NO_RFC7540_PRIORITIES of value of
-1, it completely disables RFC 7540 priorities and no fallback.  By
-setting nonzero value to
-`nghttp2_option_set_server_fallback_rfc7540_priorities()`, server
-falls back to RFC 7540 priorities if it sends
-SETTINGS_NO_RFC7540_PRIORITIES value of value of 1, and client omits
-SETTINGS_NO_RFC7540_PRIORITIES in its SETTINGS frame.

doc/security.rst

@@ -1 +0,0 @@
-.. include:: ../doc/sources/security.rst

doc/sources/contribute.rst

@@ -26,7 +26,7 @@ Coding style
 We use clang-format to format source code consistently.  The
 clang-format configuration file .clang-format is located at the root
 directory.  Since clang-format produces slightly different results
-between versions, we currently use clang-format-14.
+between versions, we currently use clang-format-19.
 
 To detect any violation to the coding style, we recommend to setup git
 pre-commit hook to check coding style of the changes you introduced.
@@ -34,7 +34,7 @@ The pre-commit file is located at the root directory.  Copy it under
 .git/hooks and make sure that it is executable.  The pre-commit script
 uses clang-format-diff.py to detect any style errors.  If it is not in
 your PATH or it exists under different name (e.g.,
-clang-format-diff-14 in debian), either add it to PATH variable or add
+clang-format-diff-18 in debian), either add it to PATH variable or add
 git option ``clangformatdiff.binary`` to point to the script.
 
 For emacs users, integrating clang-format to emacs is very easy.

doc/sources/h2load-howto.rst

@@ -30,8 +30,8 @@ In order to set benchmark settings, specify following 3 options.
 :option:`-m`
    The max concurrent streams to issue per client.  Default: 1
 
-For SSL/TLS connection, the protocol will be negotiated via ALPN/NPN.
-You can set specific protocols in :option:`--npn-list` option.  For
+For SSL/TLS connection, the protocol will be negotiated via ALPN.  You
+can set specific protocols in :option:`--alpn-list` option.  For
 cleartext connection, the default protocol is HTTP/2.  To change the
 protocol in cleartext connection, use :option:`--no-tls-proto` option.
 For convenience, :option:`--h1` option forces HTTP/1.1 for both
@@ -139,4 +139,4 @@ h2load supports HTTP/3 if it is built with HTTP/3 enabled.  HTTP/3
 support is experimental.
 
 In order to send HTTP/3 request, specify ``h3`` to
-:option:`--npn-list`.
+:option:`--alpn-list`.

doc/sources/index.rst

@@ -18,7 +18,6 @@ Contents:
 
    package_README
    contribute
-   security
    building-android-binary
    tutorial-client
    tutorial-server

doc/sources/nghttpx-howto.rst

@@ -20,7 +20,7 @@ known as "HTTP/2 router".
 By default, frontend connection is encrypted using SSL/TLS.  So
 server's private key and certificate must be supplied to the command
 line (or through configuration file).  In this case, the frontend
-protocol selection will be done via ALPN or NPN.
+protocol selection will be done via ALPN.
 
 To turn off encryption on frontend connection, use ``no-tls`` keyword
 in :option:`--frontend` option.  HTTP/2 and HTTP/1 are available on
@@ -167,8 +167,7 @@ Enable SSL/TLS on memcached connection
 
 By default, memcached connection is not encrypted.  To enable
 encryption, use ``tls`` keyword in
-:option:`--tls-ticket-key-memcached` for TLS ticket key, and
-:option:`--tls-session-cache-memcached` for TLS session cache.
+:option:`--tls-ticket-key-memcached`.
 
 Specifying additional server certificates
 -----------------------------------------
@@ -546,8 +545,8 @@ keys in order to keep the existing connections alive during reload.
 The construction of Connection ID closely follows Block Cipher CID
 Algorithm described in `QUIC-LB draft
 <https://datatracker.ietf.org/doc/html/draft-ietf-quic-load-balancers>`_.
-A Connection ID that nghttpx generates is always 20 bytes long.  It
-uses first 2 bits as a configuration ID.  The remaining bits in the
+A Connection ID that nghttpx generates is always 17 bytes long.  It
+uses first 3 bits as a configuration ID.  The remaining bits in the
 first byte are reserved and random.  The next 4 bytes are server ID.
 The next 4 bytes are used to route UDP datagram to a correct
 ``SO_REUSEPORT`` socket.  The remaining bytes are randomly generated.

doc/sources/security.rst

@@ -1,38 +0,0 @@
-Security Process
-================
-
-If you find a vulnerability in our software, please send the email to
-"tatsuhiro.t at gmail dot com" about its details instead of submitting
-issues on github issue page.  It is a standard practice not to
-disclose vulnerability information publicly until a fixed version is
-released, or mitigation is worked out.  In the future, we may setup a
-dedicated mail address for this purpose.
-
-If we identify that the reported issue is really a vulnerability, we
-open a new security advisory draft using `GitHub security feature
-<https://github.com/nghttp2/nghttp2/security>`_ and discuss the
-mitigation and bug fixes there.  The fixes are committed to the
-private repository.
-
-We write the security advisory and get CVE number from GitHub
-privately.  We also discuss the disclosure date to the public.
-
-We make a new release with the fix at the same time when the
-vulnerability is disclosed to public.
-
-At least 7 days before the public disclosure date, we will post
-security advisory (which includes all the details of the vulnerability
-and the possible mitigation strategies) and the patches to fix the
-issue to `distros@openwall
-<https://oss-security.openwall.org/wiki/mailing-lists/distros>`_
-mailing list.  We also open a new issue on `nghttp2 issue tracker
-<https://github.com/nghttp2/nghttp2/issues>`_ which notifies that the
-upcoming release will have a security fix.  The ``SECURITY`` label is
-attached to this kind of issue.
-
-Before few hours of new release, we merge the fixes to the master
-branch (and/or a release branch if necessary) and make a new release.
-Security advisory is disclosed on GitHub.  We also post the
-vulnerability information to `oss-security
-<https://oss-security.openwall.org/wiki/mailing-lists/oss-security>`_
-mailing list.

doc/sources/tutorial-client.rst

@@ -18,34 +18,8 @@ note that nghttp2 itself does not depend on libevent.
 
 The client starts with some libevent and OpenSSL setup in the
 ``main()`` and ``run()`` functions. This setup isn't specific to
-nghttp2, but one thing you should look at is setup of the NPN
-callback.  The NPN callback is used by the client to select the next
-application protocol over TLS. In this tutorial, we use the
-`nghttp2_select_next_protocol()` helper function to select the HTTP/2
-protocol the library supports::
-
-    static int select_next_proto_cb(SSL *ssl _U_, unsigned char **out,
-                                    unsigned char *outlen, const unsigned char *in,
-                                    unsigned int inlen, void *arg _U_) {
-      if (nghttp2_select_next_protocol(out, outlen, in, inlen) <= 0) {
-        errx(1, "Server did not advertise " NGHTTP2_PROTO_VERSION_ID);
-      }
-      return SSL_TLSEXT_ERR_OK;
-    }
-
-If you are following TLS related RFC, you know that NPN is not the
-standardized way to negotiate HTTP/2.  NPN itself is not event
-published as RFC.  The standard way to negotiate HTTP/2 is ALPN,
-Application-Layer Protocol Negotiation Extension, defined in `RFC 7301
-<https://tools.ietf.org/html/rfc7301>`_.  The one caveat of ALPN is
-that OpenSSL >= 1.0.2 is required.  We use macro to enable/disable
-ALPN support depending on OpenSSL version.  OpenSSL's ALPN
-implementation does not require callback function like the above.  But
-we have to instruct OpenSSL SSL_CTX to use ALPN, which we'll talk
-about soon.
-
-The callback is added to the SSL_CTX object using
-``SSL_CTX_set_next_proto_select_cb()``::
+nghttp2, but one thing you should look at is setup of ALPN.  Client
+tells application protocols that it supports to server via ALPN::
 
     static SSL_CTX *create_ssl_ctx(void) {
       SSL_CTX *ssl_ctx;
@@ -58,11 +32,8 @@ The callback is added to the SSL_CTX object using
                           SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
                               SSL_OP_NO_COMPRESSION |
                               SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
-      SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, NULL);
 
-    #if OPENSSL_VERSION_NUMBER >= 0x10002000L
       SSL_CTX_set_alpn_protos(ssl_ctx, (const unsigned char *)"\x02h2", 3);
-    #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
 
       return ssl_ctx;
     }
@@ -92,7 +63,7 @@ structure is defined as follows::
       /* The NULL-terminated URI string to retrieve. */
       const char *uri;
       /* Parsed result of the |uri| */
-      struct http_parser_url *u;
+      urlparse_url *u;
       /* The authority portion of the |uri|, not NULL-terminated */
       char *authority;
       /* The path portion of the |uri|, including query, not
@@ -155,12 +126,7 @@ underlying network socket::
 
         ssl = bufferevent_openssl_get_ssl(session_data->bev);
 
-        SSL_get0_next_proto_negotiated(ssl, &alpn, &alpnlen);
-    #if OPENSSL_VERSION_NUMBER >= 0x10002000L
-        if (alpn == NULL) {
-          SSL_get0_alpn_selected(ssl, &alpn, &alpnlen);
-        }
-    #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
+        SSL_get0_alpn_selected(ssl, &alpn, &alpnlen);
 
         if (alpn == NULL || alpnlen != 2 || memcmp("h2", alpn, 2) != 0) {
           fprintf(stderr, "h2 is not negotiated\n");
@@ -205,7 +171,7 @@ session object and several callbacks::
 
       nghttp2_session_callbacks_new(&callbacks);
 
-      nghttp2_session_callbacks_set_send_callback(callbacks, send_callback);
+      nghttp2_session_callbacks_set_send_callback2(callbacks, send_callback);
 
       nghttp2_session_callbacks_set_on_frame_recv_callback(callbacks,
                                                            on_frame_recv_callback);
@@ -271,17 +237,17 @@ HTTP request in the ``submit_request()`` function::
       int32_t stream_id;
       http2_stream_data *stream_data = session_data->stream_data;
       const char *uri = stream_data->uri;
-      const struct http_parser_url *u = stream_data->u;
+      const urlparse_url *u = stream_data->u;
       nghttp2_nv hdrs[] = {
           MAKE_NV2(":method", "GET"),
-          MAKE_NV(":scheme", &uri[u->field_data[UF_SCHEMA].off],
-                  u->field_data[UF_SCHEMA].len),
+          MAKE_NV(":scheme", &uri[u->field_data[URLPARSE_SCHEMA].off],
+                  u->field_data[URLPARSE_SCHEMA].len),
           MAKE_NV(":authority", stream_data->authority, stream_data->authoritylen),
           MAKE_NV(":path", stream_data->path, stream_data->pathlen)};
       fprintf(stderr, "Request headers:\n");
       print_headers(stderr, hdrs, ARRLEN(hdrs));
-      stream_id = nghttp2_submit_request(session_data->session, NULL, hdrs,
-                                         ARRLEN(hdrs), NULL, stream_data);
+      stream_id = nghttp2_submit_request2(session_data->session, NULL, hdrs,
+                                          ARRLEN(hdrs), NULL, stream_data);
       if (stream_id < 0) {
         errx(1, "Could not submit HTTP request: %s", nghttp2_strerror(stream_id));
       }
@@ -292,11 +258,11 @@ HTTP request in the ``submit_request()`` function::
 We build the HTTP request header fields in ``hdrs``, which is an array
 of :type:`nghttp2_nv`. There are four header fields to be sent:
 ``:method``, ``:scheme``, ``:authority``, and ``:path``. To queue the
-HTTP request, we call `nghttp2_submit_request()`. The ``stream_data``
+HTTP request, we call `nghttp2_submit_request2()`. The ``stream_data``
 is passed via the *stream_user_data* parameter, which is helpfully
 later passed back to callback functions.
 
-`nghttp2_submit_request()` returns the newly assigned stream ID for
+`nghttp2_submit_request2()` returns the newly assigned stream ID for
 the request.
 
 The next bufferevent callback is ``readcb()``, which is invoked when
@@ -304,12 +270,12 @@ data is available to read from the bufferevent input buffer::
 
     static void readcb(struct bufferevent *bev, void *ptr) {
       http2_session_data *session_data = (http2_session_data *)ptr;
-      ssize_t readlen;
+      nghttp2_ssize readlen;
       struct evbuffer *input = bufferevent_get_input(bev);
       size_t datalen = evbuffer_get_length(input);
       unsigned char *data = evbuffer_pullup(input, -1);
 
-      readlen = nghttp2_session_mem_recv(session_data->session, data, datalen);
+      readlen = nghttp2_session_mem_recv2(session_data->session, data, datalen);
       if (readlen < 0) {
         warnx("Fatal error: %s", nghttp2_strerror((int)readlen));
         delete_http2_session_data(session_data);
@@ -327,8 +293,8 @@ data is available to read from the bufferevent input buffer::
     }
 
 In this function we feed all unprocessed, received data to the nghttp2
-session object using the `nghttp2_session_mem_recv()` function.
-`nghttp2_session_mem_recv()` processes the received data and may
+session object using the `nghttp2_session_mem_recv2()` function.
+`nghttp2_session_mem_recv2()` processes the received data and may
 invoke nghttp2 callbacks and queue frames for transmission.  Since
 there may be pending frames for transmission, we call immediately
 ``session_send()`` to send them.  ``session_send()`` is defined as
@@ -347,15 +313,16 @@ follows::
 
 The `nghttp2_session_send()` function serializes pending frames into
 wire format and calls the ``send_callback()`` function to send them.
-``send_callback()`` has type :type:`nghttp2_send_callback` and is
+``send_callback()`` has type :type:`nghttp2_send_callback2` and is
 defined as::
 
-    static ssize_t send_callback(nghttp2_session *session _U_, const uint8_t *data,
-                                 size_t length, int flags _U_, void *user_data) {
+    static nghttp2_ssize send_callback(nghttp2_session *session _U_,
+                                       const uint8_t *data, size_t length,
+                                       int flags _U_, void *user_data) {
       http2_session_data *session_data = (http2_session_data *)user_data;
       struct bufferevent *bev = session_data->bev;
       bufferevent_write(bev, data, length);
-      return (ssize_t)length;
+      return (nghttp2_ssize)length;
     }
 
 Since we use bufferevent to abstract network I/O, we just write the

doc/sources/tutorial-hpack.rst

@@ -24,11 +24,11 @@ deflater object for the dynamic header table.  If in doubt, just
 specify 4096 here, which is the default upper bound of dynamic header
 table buffer size.
 
-To encode header fields, use the `nghttp2_hd_deflate_hd()` function::
+To encode header fields, use the `nghttp2_hd_deflate_hd2()` function::
 
-    ssize_t nghttp2_hd_deflate_hd(nghttp2_hd_deflater *deflater,
-                                  uint8_t *buf, size_t buflen,
-                                  const nghttp2_nv *nva, size_t nvlen);
+    nghttp2_ssize nghttp2_hd_deflate_hd2(nghttp2_hd_deflater *deflater,
+                                         uint8_t *buf, size_t buflen,
+                                         const nghttp2_nv *nva, size_t nvlen);
 
 The *deflater* is the deflater object initialized by
 `nghttp2_hd_deflate_new()` described above. The encoded byte string is
@@ -44,7 +44,7 @@ cookies), set the :macro:`NGHTTP2_NV_FLAG_NO_INDEX` flag in
 sensitive header fields by compression based attacks: This is achieved
 by not inserting the header field into the dynamic header table.
 
-`nghttp2_hd_deflate_hd()` processes all headers given in *nva*.  The
+`nghttp2_hd_deflate_hd2()` processes all headers given in *nva*.  The
 *nva* must include all request or response header fields to be sent in
 one HEADERS (or optionally following (multiple) CONTINUATION
 frame(s)).  The *buf* must have enough space to store the encoded
@@ -55,13 +55,13 @@ of the encoded result length, use `nghttp2_hd_deflate_bound()`::
                                     const nghttp2_nv *nva, size_t nvlen);
 
 Pass this function the same parameters (*deflater*, *nva*, and
-*nvlen*) which will be passed to `nghttp2_hd_deflate_hd()`.
+*nvlen*) which will be passed to `nghttp2_hd_deflate_hd2()`.
 
-Subsequent calls to `nghttp2_hd_deflate_hd()` will use the current
+Subsequent calls to `nghttp2_hd_deflate_hd2()` will use the current
 encoder state and perform differential encoding, which yields HPAC's
 fundamental compression gain.
 
-If `nghttp2_hd_deflate_hd()` fails, the failure is fatal and any
+If `nghttp2_hd_deflate_hd2()` fails, the failure is fatal and any
 further calls with the same deflater object will fail.  Thus it's very
 important to use `nghttp2_hd_deflate_bound()` to determine the
 required size of the output buffer.
@@ -78,14 +78,14 @@ header data.  To initialize the object, use
 
     int nghttp2_hd_inflate_new(nghttp2_hd_inflater **inflater_ptr);
 
-To inflate header data, use `nghttp2_hd_inflate_hd2()`::
+To inflate header data, use `nghttp2_hd_inflate_hd3()`::
 
-    ssize_t nghttp2_hd_inflate_hd2(nghttp2_hd_inflater *inflater,
-                                   nghttp2_nv *nv_out, int *inflate_flags,
-                                   const uint8_t *in, size_t inlen,
-                                   int in_final);
+    nghttp2_ssize nghttp2_hd_inflate_hd3(nghttp2_hd_inflater *inflater,
+					 nghttp2_nv *nv_out, int *inflate_flags,
+					 const uint8_t *in, size_t inlen,
+					 int in_final);
 
-`nghttp2_hd_inflate_hd2()` reads a stream of bytes and outputs a
+`nghttp2_hd_inflate_hd3()` reads a stream of bytes and outputs a
 single header field at a time. Multiple calls are normally required to
 read a full stream of bytes and output all of the header fields.
 
@@ -119,7 +119,7 @@ If *in_final* is zero and the :macro:`NGHTTP2_HD_INFLATE_EMIT` flag is
 not set, it indicates that all given data was processed.  The caller
 is required to pass additional data.
 
-Example usage of `nghttp2_hd_inflate_hd2()` is shown in the
+Example usage of `nghttp2_hd_inflate_hd3()` is shown in the
 `inflate_header_block()` function in `deflate.c`_.
 
 Finally, to delete a :type:`nghttp2_hd_inflater` object, use

doc/sources/tutorial-server.rst

@@ -21,41 +21,18 @@ note that nghttp2 itself does not depend on libevent.
 
 The server starts with some libevent and OpenSSL setup in the
 ``main()`` and ``run()`` functions. This setup isn't specific to
-nghttp2, but one thing you should look at is setup of the NPN
-callback. The NPN callback is used by the server to advertise which
-application protocols the server supports to a client.  In this
-example program, when creating the ``SSL_CTX`` object, we store the
-application protocol name in the wire format of NPN in a statically
-allocated buffer. This is safe because we only create one ``SSL_CTX``
-object in the program's entire lifetime.
+nghttp2, but one thing you should look at is setup of ALPN callback.
+The ALPN callback is used by the server to select application
+protocols offered by client.  In ALPN, client sends the list of
+supported application protocols, and server selects one of them.  We
+provide the callback for it::
 
-If you are following TLS related RFC, you know that NPN is not the
-standardized way to negotiate HTTP/2.  NPN itself is not even
-published as RFC.  The standard way to negotiate HTTP/2 is ALPN,
-Application-Layer Protocol Negotiation Extension, defined in `RFC 7301
-<https://tools.ietf.org/html/rfc7301>`_.  The one caveat of ALPN is
-that OpenSSL >= 1.0.2 is required.  We use macro to enable/disable
-ALPN support depending on OpenSSL version.  In ALPN, client sends the
-list of supported application protocols, and server selects one of
-them.  We provide the callback for it::
-
-    static unsigned char next_proto_list[256];
-    static size_t next_proto_list_len;
-
-    static int next_proto_cb(SSL *s _U_, const unsigned char **data,
-                             unsigned int *len, void *arg _U_) {
-      *data = next_proto_list;
-      *len = (unsigned int)next_proto_list_len;
-      return SSL_TLSEXT_ERR_OK;
-    }
-
-    #if OPENSSL_VERSION_NUMBER >= 0x10002000L
     static int alpn_select_proto_cb(SSL *ssl _U_, const unsigned char **out,
                                     unsigned char *outlen, const unsigned char *in,
                                     unsigned int inlen, void *arg _U_) {
       int rv;
 
-      rv = nghttp2_select_next_protocol((unsigned char **)out, outlen, in, inlen);
+      rv = nghttp2_select_alpn(out, outlen, in, inlen);
 
       if (rv != 1) {
         return SSL_TLSEXT_ERR_NOACK;
@@ -63,7 +40,6 @@ them.  We provide the callback for it::
 
       return SSL_TLSEXT_ERR_OK;
     }
-    #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
 
     static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
       SSL_CTX *ssl_ctx;
@@ -73,33 +49,14 @@ them.  We provide the callback for it::
 
       ...
 
-      next_proto_list[0] = NGHTTP2_PROTO_VERSION_ID_LEN;
-      memcpy(&next_proto_list[1], NGHTTP2_PROTO_VERSION_ID,
-             NGHTTP2_PROTO_VERSION_ID_LEN);
-      next_proto_list_len = 1 + NGHTTP2_PROTO_VERSION_ID_LEN;
-
-      SSL_CTX_set_next_protos_advertised_cb(ssl_ctx, next_proto_cb, NULL);
-
-    #if OPENSSL_VERSION_NUMBER >= 0x10002000L
       SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, NULL);
-    #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
 
       return ssl_ctx;
     }
 
-The wire format of NPN is a sequence of length prefixed strings, with
-exactly one byte used to specify the length of each protocol
-identifier.  In this tutorial, we advertise the specific HTTP/2
-protocol version the current nghttp2 library supports, which is
-exported in the identifier :macro:`NGHTTP2_PROTO_VERSION_ID`. The
-``next_proto_cb()`` function is the server-side NPN callback. In the
-OpenSSL implementation, we just assign the pointer to the NPN buffers
-we filled in earlier. The NPN callback function is set to the
-``SSL_CTX`` object using ``SSL_CTX_set_next_protos_advertised_cb()``.
-
-In ``alpn_select_proto_cb()``, we use `nghttp2_select_next_protocol()`
-to select application protocol.  The `nghttp2_select_next_protocol()`
-returns 1 only if it selected h2 (ALPN identifier for HTTP/2), and out
+In ``alpn_select_proto_cb()``, we use `nghttp2_select_alpn()` to
+select application protocol.  The `nghttp2_select_alpn()` returns 1
+only if it selected h2 (ALPN identifier for HTTP/2), and out
 parameters were assigned accordingly.
 
 Next, let's take a look at the main structures used by the example
@@ -213,12 +170,7 @@ underlying network socket::
 
         ssl = bufferevent_openssl_get_ssl(session_data->bev);
 
-        SSL_get0_next_proto_negotiated(ssl, &alpn, &alpnlen);
-    #if OPENSSL_VERSION_NUMBER >= 0x10002000L
-        if (alpn == NULL) {
-          SSL_get0_alpn_selected(ssl, &alpn, &alpnlen);
-        }
-    #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
+        SSL_get0_alpn_selected(ssl, &alpn, &alpnlen);
 
         if (alpn == NULL || alpnlen != 2 || memcmp("h2", alpn, 2) != 0) {
           fprintf(stderr, "%s h2 is not negotiated\n", session_data->client_addr);
@@ -268,7 +220,7 @@ session object and several callbacks::
 
       nghttp2_session_callbacks_new(&callbacks);
 
-      nghttp2_session_callbacks_set_send_callback(callbacks, send_callback);
+      nghttp2_session_callbacks_set_send_callback2(callbacks, send_callback);
 
       nghttp2_session_callbacks_set_on_frame_recv_callback(callbacks,
                                                            on_frame_recv_callback);
@@ -323,12 +275,12 @@ this pending data. To process the received data, we call the
 ``session_recv()`` function::
 
     static int session_recv(http2_session_data *session_data) {
-      ssize_t readlen;
+      nghttp2_ssize readlen;
       struct evbuffer *input = bufferevent_get_input(session_data->bev);
       size_t datalen = evbuffer_get_length(input);
       unsigned char *data = evbuffer_pullup(input, -1);
 
-      readlen = nghttp2_session_mem_recv(session_data->session, data, datalen);
+      readlen = nghttp2_session_mem_recv2(session_data->session, data, datalen);
       if (readlen < 0) {
         warnx("Fatal error: %s", nghttp2_strerror((int)readlen));
         return -1;
@@ -344,9 +296,9 @@ this pending data. To process the received data, we call the
     }
 
 In this function, we feed all unprocessed but already received data to
-the nghttp2 session object using the `nghttp2_session_mem_recv()`
-function. The `nghttp2_session_mem_recv()` function processes the data
-and may both invoke the previously setup callbacks and also queue
+the nghttp2 session object using the `nghttp2_session_mem_recv2()`
+function. The `nghttp2_session_mem_recv2()` function processes the
+data and may both invoke the previously setup callbacks and also queue
 outgoing frames. To send any pending outgoing frames, we immediately
 call ``session_send()``.
 
@@ -364,11 +316,12 @@ The ``session_send()`` function is defined as follows::
 
 The `nghttp2_session_send()` function serializes the frame into wire
 format and calls the ``send_callback()``, which is of type
-:type:`nghttp2_send_callback`.  The ``send_callback()`` is defined as
+:type:`nghttp2_send_callback2`.  The ``send_callback()`` is defined as
 follows::
 
-    static ssize_t send_callback(nghttp2_session *session _U_, const uint8_t *data,
-                                 size_t length, int flags _U_, void *user_data) {
+    static nghttp2_ssize send_callback(nghttp2_session *session _U_,
+                                       const uint8_t *data, size_t length,
+                                       int flags _U_, void *user_data) {
       http2_session_data *session_data = (http2_session_data *)user_data;
       struct bufferevent *bev = session_data->bev;
       /* Avoid excessive buffering in server side. */
@@ -377,7 +330,7 @@ follows::
         return NGHTTP2_ERR_WOULDBLOCK;
       }
       bufferevent_write(bev, data, length);
-      return (ssize_t)length;
+      return (nghttp2_ssize)length;
     }
 
 Since we use bufferevent to abstract network I/O, we just write the
@@ -557,11 +510,11 @@ Sending the file content is performed by the ``send_response()`` function::
     static int send_response(nghttp2_session *session, int32_t stream_id,
                              nghttp2_nv *nva, size_t nvlen, int fd) {
       int rv;
-      nghttp2_data_provider data_prd;
+      nghttp2_data_provider2 data_prd;
       data_prd.source.fd = fd;
       data_prd.read_callback = file_read_callback;
 
-      rv = nghttp2_submit_response(session, stream_id, nva, nvlen, &data_prd);
+      rv = nghttp2_submit_response2(session, stream_id, nva, nvlen, &data_prd);
       if (rv != 0) {
         warnx("Fatal error: %s", nghttp2_strerror(rv));
         return -1;
@@ -569,7 +522,7 @@ Sending the file content is performed by the ``send_response()`` function::
       return 0;
     }
 
-nghttp2 uses the :type:`nghttp2_data_provider` structure to send the
+nghttp2 uses the :type:`nghttp2_data_provider2` structure to send the
 entity body to the remote peer. The ``source`` member of this
 structure is a union, which can be either a void pointer or an int
 (which is intended to be used as file descriptor). In this example
@@ -577,11 +530,11 @@ server, we use it as a file descriptor. We also set the
 ``file_read_callback()`` callback function to read the contents of the
 file::
 
-    static ssize_t file_read_callback(nghttp2_session *session _U_,
-                                      int32_t stream_id _U_, uint8_t *buf,
-                                      size_t length, uint32_t *data_flags,
-                                      nghttp2_data_source *source,
-                                      void *user_data _U_) {
+    static nghttp2_ssize file_read_callback(nghttp2_session *session _U_,
+                                            int32_t stream_id _U_, uint8_t *buf,
+                                            size_t length, uint32_t *data_flags,
+                                            nghttp2_data_source *source,
+                                            void *user_data _U_) {
       int fd = source->fd;
       ssize_t r;
       while ((r = read(fd, buf, length)) == -1 && errno == EINTR)
@@ -592,7 +545,7 @@ file::
       if (r == 0) {
         *data_flags |= NGHTTP2_DATA_FLAG_EOF;
       }
-      return r;
+      return (nghttp2_ssize)r;
     }
 
 If an error occurs while reading the file, we return
@@ -601,8 +554,8 @@ library to send RST_STREAM to the stream.  When all data has been
 read, the :macro:`NGHTTP2_DATA_FLAG_EOF` flag is set to signal nghttp2
 that we have finished reading the file.
 
-The `nghttp2_submit_response()` function is used to send the response to the
-remote peer.
+The `nghttp2_submit_response2()` function is used to send the response
+to the remote peer.
 
 The ``on_stream_close_callback()`` function is invoked when the stream
 is about to close::

docker/Dockerfile

@@ -1,78 +1,84 @@
-FROM debian:11 as build
+FROM debian:12 as build
+
+ARG NGHTTP2_BRANCH=master
 
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-        git clang make binutils autoconf automake autotools-dev libtool \
-        pkg-config \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        git clang-19 make binutils autoconf automake autotools-dev libtool \
+        pkg-config cmake cmake-data \
         zlib1g-dev libev-dev libjemalloc-dev ruby-dev libc-ares-dev bison \
-        libelf-dev
+        libelf-dev libbrotli-dev
 
-RUN git clone --depth 1 -b OpenSSL_1_1_1u+quic https://github.com/quictls/openssl && \
-    cd openssl && \
-    ./config --openssldir=/etc/ssl && \
-    make -j$(nproc) && \
-    make install_sw && \
+RUN git clone --recursive --shallow-submodules --depth 1 -b v1.64.0 https://github.com/aws/aws-lc && \
+    cd aws-lc && \
+    export CC=clang-19 CXX=clang++-19 && \
+    cmake -B build -DDISABLE_GO=ON && \
+    make -j$(nproc) -C build && \
+    cmake --install build && \
     cd .. && \
-    rm -rf openssl
+    rm -rf aws-lc
 
-RUN git clone --depth 1 -b v0.13.0 https://github.com/ngtcp2/nghttp3 && \
+RUN git clone --recursive --shallow-submodules --depth 1 -b v1.13.1 https://github.com/ngtcp2/nghttp3 && \
     cd nghttp3 && \
     autoreconf -i && \
-    ./configure --enable-lib-only && \
+    ./configure --disable-dependency-tracking --enable-lib-only \
+        CC=clang-19 CXX=clang++-19 && \
     make -j$(nproc) && \
     make install-strip && \
     cd .. && \
     rm -rf nghttp3
 
-RUN git clone --depth 1 -b v0.17.0 https://github.com/ngtcp2/ngtcp2 && \
+RUN git clone --recursive --shallow-submodules --depth 1 -b v1.18.0 https://github.com/ngtcp2/ngtcp2 && \
     cd ngtcp2 && \
     autoreconf -i && \
-    ./configure --enable-lib-only \
+    ./configure --disable-dependency-tracking --enable-lib-only \
+        --with-boringssl \
+        CC=clang-19 CXX=clang++-19 \
         LIBTOOL_LDFLAGS="-static-libtool-libs" \
-        OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a -ldl -lpthread" \
+        BORINGSSL_LIBS="-l:libssl.a -l:libcrypto.a" \
         PKG_CONFIG_PATH="/usr/local/lib64/pkgconfig" && \
     make -j$(nproc) && \
     make install-strip && \
     cd .. && \
     rm -rf ngtcp2
 
-RUN git clone --depth 1 -b v1.2.0 https://github.com/libbpf/libbpf && \
+RUN git clone --depth 1 -b v1.6.2 https://github.com/libbpf/libbpf && \
     cd libbpf && \
-    PREFIX=/usr/local make -C src install && \
+    CC=clang-19 PREFIX=/usr/local make -C src install && \
     cd .. && \
     rm -rf libbpf
 
-RUN git clone --depth 1 https://github.com/nghttp2/nghttp2.git && \
+RUN git clone --recursive --shallow-submodules --depth 1 -b $NGHTTP2_BRANCH https://github.com/nghttp2/nghttp2 && \
     cd nghttp2 && \
-    git submodule update --init && \
     autoreconf -i && \
-    ./configure --disable-examples --disable-hpack-tools \
-        --with-mruby --with-neverbleed \
+    ./configure --disable-dependency-tracking --disable-examples \
+        --disable-hpack-tools \
+        --with-mruby \
         --enable-http3 --with-libbpf \
-        CC=clang CXX=clang++ \
+        --with-libbrotlienc --with-libbrotlidec \
+        CC=clang-19 CXX=clang++-19 \
         LIBTOOL_LDFLAGS="-static-libtool-libs" \
-        OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a -ldl -pthread" \
+        OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a" \
         LIBEV_LIBS="-l:libev.a" \
         JEMALLOC_LIBS="-l:libjemalloc.a" \
         LIBCARES_LIBS="-l:libcares.a" \
         ZLIB_LIBS="-l:libz.a" \
         LIBBPF_LIBS="-L/usr/local/lib64 -l:libbpf.a -l:libelf.a" \
+        LIBBROTLIENC_LIBS="-l:libbrotlienc.a -l:libbrotlicommon.a" \
+        LIBBROTLIDEC_LIBS="-l:libbrotlidec.a -l:libbrotlicommon.a" \
         LDFLAGS="-static-libgcc -static-libstdc++" \
         PKG_CONFIG_PATH="/usr/local/lib64/pkgconfig" && \
     make -j$(nproc) install-strip && \
     cd .. && \
     rm -rf nghttp2
 
-FROM gcr.io/distroless/base-debian11
+FROM gcr.io/distroless/base-nossl-debian12
 
-COPY --from=build \
-    /usr/local/share/nghttp2/ \
-    /usr/local/share/nghttp2/
-COPY --from=build \
+COPY --from=build --link \
     /usr/local/bin/h2load \
     /usr/local/bin/nghttpx \
     /usr/local/bin/nghttp \
     /usr/local/bin/nghttpd \
     /usr/local/bin/
-COPY --from=build /usr/local/lib/nghttp2/reuseport_kern.o \
+COPY --from=build --link /usr/local/lib/nghttp2/reuseport_kern.o \
     /usr/local/lib/nghttp2/

examples/CMakeLists.txt

@@ -8,7 +8,7 @@ if(ENABLE_EXAMPLES)
 
   include_directories(
     ${CMAKE_CURRENT_SOURCE_DIR}
-    "${CMAKE_CURRENT_SOURCE_DIR}/../third-party"
+    "${CMAKE_CURRENT_SOURCE_DIR}/../third-party/urlparse"
     "${CMAKE_CURRENT_SOURCE_DIR}/../third-party/llhttp/include"
 
     ${LIBEVENT_INCLUDE_DIRS}
@@ -23,15 +23,15 @@ if(ENABLE_EXAMPLES)
   )
 
   add_executable(client           client.c $<TARGET_OBJECTS:llhttp>
-    $<TARGET_OBJECTS:url-parser>
+    $<TARGET_OBJECTS:urlparse>
   )
   add_executable(libevent-client  libevent-client.c $<TARGET_OBJECTS:llhttp>
-    $<TARGET_OBJECTS:url-parser>
+    $<TARGET_OBJECTS:urlparse>
   )
   add_executable(libevent-server  libevent-server.c $<TARGET_OBJECTS:llhttp>
-    $<TARGET_OBJECTS:url-parser>
+    $<TARGET_OBJECTS:urlparse>
   )
   add_executable(deflate          deflate.c $<TARGET_OBJECTS:llhttp>
-    $<TARGET_OBJECTS:url-parser>
+    $<TARGET_OBJECTS:urlparse>
   )
 endif()

examples/Makefile.am

@@ -30,13 +30,13 @@ AM_CXXFLAGS = $(WARNCXXFLAGS) $(CXX1XCXXFLAGS)
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/lib/includes \
 	-I$(top_builddir)/lib/includes \
-	-I$(top_srcdir)/third-party \
+	-I$(top_srcdir)/third-party/urlparse \
 	@LIBEVENT_OPENSSL_CFLAGS@ \
 	@OPENSSL_CFLAGS@ \
 	@DEFS@
 AM_LDFLAGS = @LIBTOOL_LDFLAGS@
 LDADD = $(top_builddir)/lib/libnghttp2.la \
-	$(top_builddir)/third-party/liburl-parser.la \
+	$(top_builddir)/third-party/liburlparse.la \
 	@LIBEVENT_OPENSSL_LIBS@ \
 	@OPENSSL_LIBS@ \
 	@APPLDFLAGS@

examples/client.c

@@ -28,26 +28,26 @@
  */
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <inttypes.h>
 #include <stdlib.h>
 #ifdef HAVE_UNISTD_H
 #  include <unistd.h>
-#endif /* HAVE_UNISTD_H */
+#endif /* defined(HAVE_UNISTD_H) */
 #ifdef HAVE_FCNTL_H
 #  include <fcntl.h>
-#endif /* HAVE_FCNTL_H */
+#endif /* defined(HAVE_FCNTL_H) */
 #include <sys/types.h>
 #ifdef HAVE_SYS_SOCKET_H
 #  include <sys/socket.h>
-#endif /* HAVE_SYS_SOCKET_H */
+#endif /* defined(HAVE_SYS_SOCKET_H) */
 #ifdef HAVE_NETDB_H
 #  include <netdb.h>
-#endif /* HAVE_NETDB_H */
+#endif /* defined(HAVE_NETDB_H) */
 #ifdef HAVE_NETINET_IN_H
 #  include <netinet/in.h>
-#endif /* HAVE_NETINET_IN_H */
+#endif /* defined(HAVE_NETINET_IN_H) */
 #include <netinet/tcp.h>
 #include <poll.h>
 #include <signal.h>
@@ -56,6 +56,7 @@
 #include <string.h>
 #include <errno.h>
 
+#define NGHTTP2_NO_SSIZE_T
 #include <nghttp2/nghttp2.h>
 
 #include <openssl/ssl.h>
@@ -66,14 +67,14 @@ enum { IO_NONE, WANT_READ, WANT_WRITE };
 
 #define MAKE_NV(NAME, VALUE)                                                   \
   {                                                                            \
-    (uint8_t *)NAME, (uint8_t *)VALUE, sizeof(NAME) - 1, sizeof(VALUE) - 1,    \
-        NGHTTP2_NV_FLAG_NONE                                                   \
+    (uint8_t *)NAME,   (uint8_t *)VALUE,     sizeof(NAME) - 1,                 \
+    sizeof(VALUE) - 1, NGHTTP2_NV_FLAG_NONE,                                   \
   }
 
 #define MAKE_NV_CS(NAME, VALUE)                                                \
   {                                                                            \
-    (uint8_t *)NAME, (uint8_t *)VALUE, sizeof(NAME) - 1, strlen(VALUE),        \
-        NGHTTP2_NV_FLAG_NONE                                                   \
+    (uint8_t *)NAME, (uint8_t *)VALUE,     sizeof(NAME) - 1,                   \
+    strlen(VALUE),   NGHTTP2_NV_FLAG_NONE,                                     \
   }
 
 struct Connection {
@@ -154,13 +155,14 @@ static void diec(const char *func, int error_code) {
 }
 
 /*
- * The implementation of nghttp2_send_callback type. Here we write
+ * The implementation of nghttp2_send_callback2 type. Here we write
  * |data| with size |length| to the network and return the number of
  * bytes actually written. See the documentation of
  * nghttp2_send_callback for the details.
  */
-static ssize_t send_callback(nghttp2_session *session, const uint8_t *data,
-                             size_t length, int flags, void *user_data) {
+static nghttp2_ssize send_callback(nghttp2_session *session,
+                                   const uint8_t *data, size_t length,
+                                   int flags, void *user_data) {
   struct Connection *connection;
   int rv;
   (void)session;
@@ -174,7 +176,7 @@ static ssize_t send_callback(nghttp2_session *session, const uint8_t *data,
     int err = SSL_get_error(connection->ssl, rv);
     if (err == SSL_ERROR_WANT_WRITE || err == SSL_ERROR_WANT_READ) {
       connection->want_io =
-          (err == SSL_ERROR_WANT_READ ? WANT_READ : WANT_WRITE);
+        (err == SSL_ERROR_WANT_READ ? WANT_READ : WANT_WRITE);
       rv = NGHTTP2_ERR_WOULDBLOCK;
     } else {
       rv = NGHTTP2_ERR_CALLBACK_FAILURE;
@@ -184,13 +186,14 @@ static ssize_t send_callback(nghttp2_session *session, const uint8_t *data,
 }
 
 /*
- * The implementation of nghttp2_recv_callback type. Here we read data
- * from the network and write them in |buf|. The capacity of |buf| is
- * |length| bytes. Returns the number of bytes stored in |buf|. See
- * the documentation of nghttp2_recv_callback for the details.
+ * The implementation of nghttp2_recv_callback2 type. Here we read
+ * data from the network and write them in |buf|. The capacity of
+ * |buf| is |length| bytes. Returns the number of bytes stored in
+ * |buf|. See the documentation of nghttp2_recv_callback for the
+ * details.
  */
-static ssize_t recv_callback(nghttp2_session *session, uint8_t *buf,
-                             size_t length, int flags, void *user_data) {
+static nghttp2_ssize recv_callback(nghttp2_session *session, uint8_t *buf,
+                                   size_t length, int flags, void *user_data) {
   struct Connection *connection;
   int rv;
   (void)session;
@@ -204,7 +207,7 @@ static ssize_t recv_callback(nghttp2_session *session, uint8_t *buf,
     int err = SSL_get_error(connection->ssl, rv);
     if (err == SSL_ERROR_WANT_WRITE || err == SSL_ERROR_WANT_READ) {
       connection->want_io =
-          (err == SSL_ERROR_WANT_READ ? WANT_READ : WANT_WRITE);
+        (err == SSL_ERROR_WANT_READ ? WANT_READ : WANT_WRITE);
       rv = NGHTTP2_ERR_WOULDBLOCK;
     } else {
       rv = NGHTTP2_ERR_CALLBACK_FAILURE;
@@ -328,9 +331,9 @@ static int on_data_chunk_recv_callback(nghttp2_session *session, uint8_t flags,
  * recv_callback is also required.
  */
 static void setup_nghttp2_callbacks(nghttp2_session_callbacks *callbacks) {
-  nghttp2_session_callbacks_set_send_callback(callbacks, send_callback);
+  nghttp2_session_callbacks_set_send_callback2(callbacks, send_callback);
 
-  nghttp2_session_callbacks_set_recv_callback(callbacks, recv_callback);
+  nghttp2_session_callbacks_set_recv_callback2(callbacks, recv_callback);
 
   nghttp2_session_callbacks_set_on_frame_send_callback(callbacks,
                                                        on_frame_send_callback);
@@ -339,35 +342,12 @@ static void setup_nghttp2_callbacks(nghttp2_session_callbacks *callbacks) {
                                                        on_frame_recv_callback);
 
   nghttp2_session_callbacks_set_on_stream_close_callback(
-      callbacks, on_stream_close_callback);
+    callbacks, on_stream_close_callback);
 
   nghttp2_session_callbacks_set_on_data_chunk_recv_callback(
-      callbacks, on_data_chunk_recv_callback);
+    callbacks, on_data_chunk_recv_callback);
 }
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
-/*
- * Callback function for TLS NPN. Since this program only supports
- * HTTP/2 protocol, if server does not offer HTTP/2 the nghttp2
- * library supports, we terminate program.
- */
-static int select_next_proto_cb(SSL *ssl, unsigned char **out,
-                                unsigned char *outlen, const unsigned char *in,
-                                unsigned int inlen, void *arg) {
-  int rv;
-  (void)ssl;
-  (void)arg;
-
-  /* nghttp2_select_next_protocol() selects HTTP/2 protocol the
-     nghttp2 library supports. */
-  rv = nghttp2_select_next_protocol(out, outlen, in, inlen);
-  if (rv <= 0) {
-    die("Server did not advertise HTTP/2 protocol");
-  }
-  return SSL_TLSEXT_ERR_OK;
-}
-#endif /* !OPENSSL_NO_NEXTPROTONEG */
-
 /*
  * Setup SSL/TLS context.
  */
@@ -376,14 +356,8 @@ static void init_ssl_ctx(SSL_CTX *ssl_ctx) {
   SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
   SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
   SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
-  /* Set NPN callback */
-#ifndef OPENSSL_NO_NEXTPROTONEG
-  SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, NULL);
-#endif /* !OPENSSL_NO_NEXTPROTONEG */
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
   SSL_CTX_set_alpn_protos(ssl_ctx, (const unsigned char *)"\x02h2", 3);
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
 }
 
 static void ssl_handshake(SSL *ssl, int fd) {
@@ -487,8 +461,8 @@ static void submit_request(struct Connection *connection, struct Request *req) {
                             MAKE_NV("accept", "*/*"),
                             MAKE_NV("user-agent", "nghttp2/" NGHTTP2_VERSION)};
 
-  stream_id = nghttp2_submit_request(connection->session, NULL, nva,
-                                     sizeof(nva) / sizeof(nva[0]), NULL, req);
+  stream_id = nghttp2_submit_request2(connection->session, NULL, nva,
+                                      sizeof(nva) / sizeof(nva[0]), NULL, req);
 
   if (stream_id < 0) {
     diec("nghttp2_submit_request", stream_id);
@@ -719,19 +693,6 @@ int main(int argc, char **argv) {
   act.sa_handler = SIG_IGN;
   sigaction(SIGPIPE, &act, 0);
 
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
-  /* No explicit initialization is required. */
-#elif defined(OPENSSL_IS_BORINGSSL)
-  CRYPTO_library_init();
-#else  /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) &&                          \
-          !defined(OPENSSL_IS_BORINGSSL) */
-  OPENSSL_config(NULL);
-  SSL_load_error_strings();
-  SSL_library_init();
-  OpenSSL_add_all_algorithms();
-#endif /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) &&                          \
-          !defined(OPENSSL_IS_BORINGSSL) */
-
   rv = parse_uri(&uri, argv[1]);
   if (rv != 0) {
     die("parse_uri failed");

examples/deflate.c

@@ -24,17 +24,18 @@
  */
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* !HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <stdio.h>
 #include <string.h>
 
+#define NGHTTP2_NO_SSIZE_T
 #include <nghttp2/nghttp2.h>
 
 #define MAKE_NV(K, V)                                                          \
   {                                                                            \
-    (uint8_t *)K, (uint8_t *)V, sizeof(K) - 1, sizeof(V) - 1,                  \
-        NGHTTP2_NV_FLAG_NONE                                                   \
+    (uint8_t *)K,  (uint8_t *)V,         sizeof(K) - 1,                        \
+    sizeof(V) - 1, NGHTTP2_NV_FLAG_NONE,                                       \
   }
 
 static void deflate(nghttp2_hd_deflater *deflater,
@@ -50,9 +51,9 @@ int main(void) {
   nghttp2_hd_inflater *inflater;
   /* Define 1st header set.  This is looks like a HTTP request. */
   nghttp2_nv nva1[] = {
-      MAKE_NV(":scheme", "https"), MAKE_NV(":authority", "example.org"),
-      MAKE_NV(":path", "/"), MAKE_NV("user-agent", "libnghttp2"),
-      MAKE_NV("accept-encoding", "gzip, deflate")};
+    MAKE_NV(":scheme", "https"), MAKE_NV(":authority", "example.org"),
+    MAKE_NV(":path", "/"), MAKE_NV("user-agent", "libnghttp2"),
+    MAKE_NV("accept-encoding", "gzip, deflate")};
   /* Define 2nd header set */
   nghttp2_nv nva2[] = {MAKE_NV(":scheme", "https"),
                        MAKE_NV(":authority", "example.org"),
@@ -93,7 +94,7 @@ int main(void) {
 static void deflate(nghttp2_hd_deflater *deflater,
                     nghttp2_hd_inflater *inflater, const nghttp2_nv *const nva,
                     size_t nvlen) {
-  ssize_t rv;
+  nghttp2_ssize rv;
   uint8_t *buf;
   size_t buflen;
   size_t outlen;
@@ -118,10 +119,10 @@ static void deflate(nghttp2_hd_deflater *deflater,
   buflen = nghttp2_hd_deflate_bound(deflater, nva, nvlen);
   buf = malloc(buflen);
 
-  rv = nghttp2_hd_deflate_hd(deflater, buf, buflen, nva, nvlen);
+  rv = nghttp2_hd_deflate_hd2(deflater, buf, buflen, nva, nvlen);
 
   if (rv < 0) {
-    fprintf(stderr, "nghttp2_hd_deflate_hd() failed with error: %s\n",
+    fprintf(stderr, "nghttp2_hd_deflate_hd2() failed with error: %s\n",
             nghttp2_strerror((int)rv));
 
     free(buf);
@@ -166,17 +167,18 @@ static void deflate(nghttp2_hd_deflater *deflater,
 
 int inflate_header_block(nghttp2_hd_inflater *inflater, uint8_t *in,
                          size_t inlen, int final) {
-  ssize_t rv;
+  nghttp2_ssize rv;
 
   for (;;) {
     nghttp2_nv nv;
     int inflate_flags = 0;
     size_t proclen;
 
-    rv = nghttp2_hd_inflate_hd(inflater, &nv, &inflate_flags, in, inlen, final);
+    rv =
+      nghttp2_hd_inflate_hd3(inflater, &nv, &inflate_flags, in, inlen, final);
 
     if (rv < 0) {
-      fprintf(stderr, "inflate failed with error code %zd", rv);
+      fprintf(stderr, "inflate failed with error code %td", rv);
       return -1;
     }
 

examples/libevent-client.c

@@ -31,26 +31,26 @@
     }
 #  define warnx(format, args...) fprintf(stderr, format "\n", ##args)
 char *strndup(const char *s, size_t size);
-#endif
+#endif /* defined(__sgi) */
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <sys/types.h>
 #ifdef HAVE_UNISTD_H
 #  include <unistd.h>
-#endif /* HAVE_UNISTD_H */
+#endif /* defined(HAVE_UNISTD_H) */
 #ifdef HAVE_SYS_SOCKET_H
 #  include <sys/socket.h>
-#endif /* HAVE_SYS_SOCKET_H */
+#endif /* defined(HAVE_SYS_SOCKET_H) */
 #ifdef HAVE_NETINET_IN_H
 #  include <netinet/in.h>
-#endif /* HAVE_NETINET_IN_H */
+#endif /* defined(HAVE_NETINET_IN_H) */
 #include <netinet/tcp.h>
 #ifndef __sgi
 #  include <err.h>
-#endif
+#endif /* !defined(__sgi) */
 #include <signal.h>
 #include <string.h>
 
@@ -63,9 +63,10 @@ char *strndup(const char *s, size_t size);
 #include <event2/bufferevent_ssl.h>
 #include <event2/dns.h>
 
+#define NGHTTP2_NO_SSIZE_T
 #include <nghttp2/nghttp2.h>
 
-#include "url-parser/url_parser.h"
+#include "urlparse.h"
 
 #define ARRLEN(x) (sizeof(x) / sizeof(x[0]))
 
@@ -73,7 +74,7 @@ typedef struct {
   /* The NULL-terminated URI string to retrieve. */
   const char *uri;
   /* Parsed result of the |uri| */
-  struct http_parser_url *u;
+  urlparse_url *u;
   /* The authority portion of the |uri|, not NULL-terminated */
   char *authority;
   /* The path portion of the |uri|, including query, not
@@ -95,7 +96,7 @@ typedef struct {
 } http2_session_data;
 
 static http2_stream_data *create_http2_stream_data(const char *uri,
-                                                   struct http_parser_url *u) {
+                                                   urlparse_url *u) {
   /* MAX 5 digits (max 65535) + 1 ':' + 1 NULL (because of snprintf) */
   size_t extra = 7;
   http2_stream_data *stream_data = malloc(sizeof(http2_stream_data));
@@ -104,39 +105,41 @@ static http2_stream_data *create_http2_stream_data(const char *uri,
   stream_data->u = u;
   stream_data->stream_id = -1;
 
-  stream_data->authoritylen = u->field_data[UF_HOST].len;
+  stream_data->authoritylen = u->field_data[URLPARSE_HOST].len;
   stream_data->authority = malloc(stream_data->authoritylen + extra);
-  memcpy(stream_data->authority, &uri[u->field_data[UF_HOST].off],
-         u->field_data[UF_HOST].len);
-  if (u->field_set & (1 << UF_PORT)) {
-    stream_data->authoritylen +=
-        (size_t)snprintf(stream_data->authority + u->field_data[UF_HOST].len,
-                         extra, ":%u", u->port);
+  memcpy(stream_data->authority, &uri[u->field_data[URLPARSE_HOST].off],
+         u->field_data[URLPARSE_HOST].len);
+  if (u->field_set & (1 << URLPARSE_PORT)) {
+    stream_data->authoritylen += (size_t)snprintf(
+      stream_data->authority + u->field_data[URLPARSE_HOST].len, extra, ":%u",
+      u->port);
   }
 
   /* If we don't have path in URI, we use "/" as path. */
   stream_data->pathlen = 1;
-  if (u->field_set & (1 << UF_PATH)) {
-    stream_data->pathlen = u->field_data[UF_PATH].len;
+  if (u->field_set & (1 << URLPARSE_PATH)) {
+    stream_data->pathlen = u->field_data[URLPARSE_PATH].len;
   }
-  if (u->field_set & (1 << UF_QUERY)) {
+  if (u->field_set & (1 << URLPARSE_QUERY)) {
     /* +1 for '?' character */
-    stream_data->pathlen += (size_t)(u->field_data[UF_QUERY].len + 1);
+    stream_data->pathlen += (size_t)(u->field_data[URLPARSE_QUERY].len + 1);
   }
 
   stream_data->path = malloc(stream_data->pathlen);
-  if (u->field_set & (1 << UF_PATH)) {
-    memcpy(stream_data->path, &uri[u->field_data[UF_PATH].off],
-           u->field_data[UF_PATH].len);
+  if (u->field_set & (1 << URLPARSE_PATH)) {
+    memcpy(stream_data->path, &uri[u->field_data[URLPARSE_PATH].off],
+           u->field_data[URLPARSE_PATH].len);
   } else {
     stream_data->path[0] = '/';
   }
-  if (u->field_set & (1 << UF_QUERY)) {
-    stream_data->path[stream_data->pathlen - u->field_data[UF_QUERY].len - 1] =
-        '?';
+  if (u->field_set & (1 << URLPARSE_QUERY)) {
+    stream_data
+      ->path[stream_data->pathlen - u->field_data[URLPARSE_QUERY].len - 1] =
+      '?';
     memcpy(stream_data->path + stream_data->pathlen -
-               u->field_data[UF_QUERY].len,
-           &uri[u->field_data[UF_QUERY].off], u->field_data[UF_QUERY].len);
+             u->field_data[URLPARSE_QUERY].len,
+           &uri[u->field_data[URLPARSE_QUERY].off],
+           u->field_data[URLPARSE_QUERY].len);
   }
 
   return stream_data;
@@ -196,18 +199,19 @@ static void print_headers(FILE *f, nghttp2_nv *nva, size_t nvlen) {
   fprintf(f, "\n");
 }
 
-/* nghttp2_send_callback. Here we transmit the |data|, |length| bytes,
-   to the network. Because we are using libevent bufferevent, we just
-   write those bytes into bufferevent buffer. */
-static ssize_t send_callback(nghttp2_session *session, const uint8_t *data,
-                             size_t length, int flags, void *user_data) {
+/* nghttp2_send_callback2. Here we transmit the |data|, |length|
+   bytes, to the network. Because we are using libevent bufferevent,
+   we just write those bytes into bufferevent buffer. */
+static nghttp2_ssize send_callback(nghttp2_session *session,
+                                   const uint8_t *data, size_t length,
+                                   int flags, void *user_data) {
   http2_session_data *session_data = (http2_session_data *)user_data;
   struct bufferevent *bev = session_data->bev;
   (void)session;
   (void)flags;
 
   bufferevent_write(bev, data, length);
-  return (ssize_t)length;
+  return (nghttp2_ssize)length;
 }
 
 /* nghttp2_on_header_callback: Called when nghttp2 library emits
@@ -308,23 +312,6 @@ static int on_stream_close_callback(nghttp2_session *session, int32_t stream_id,
   return 0;
 }
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
-/* NPN TLS extension client callback. We check that server advertised
-   the HTTP/2 protocol the nghttp2 library supports. If not, exit
-   the program. */
-static int select_next_proto_cb(SSL *ssl, unsigned char **out,
-                                unsigned char *outlen, const unsigned char *in,
-                                unsigned int inlen, void *arg) {
-  (void)ssl;
-  (void)arg;
-
-  if (nghttp2_select_next_protocol(out, outlen, in, inlen) <= 0) {
-    errx(1, "Server did not advertise " NGHTTP2_PROTO_VERSION_ID);
-  }
-  return SSL_TLSEXT_ERR_OK;
-}
-#endif /* !OPENSSL_NO_NEXTPROTONEG */
-
 /* Create SSL_CTX. */
 static SSL_CTX *create_ssl_ctx(void) {
   SSL_CTX *ssl_ctx;
@@ -333,17 +320,11 @@ static SSL_CTX *create_ssl_ctx(void) {
     errx(1, "Could not create SSL/TLS context: %s",
          ERR_error_string(ERR_get_error(), NULL));
   }
-  SSL_CTX_set_options(ssl_ctx,
-                      SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
-                          SSL_OP_NO_COMPRESSION |
-                          SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
-#ifndef OPENSSL_NO_NEXTPROTONEG
-  SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, NULL);
-#endif /* !OPENSSL_NO_NEXTPROTONEG */
+  SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+                                 SSL_OP_NO_COMPRESSION |
+                                 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
   SSL_CTX_set_alpn_protos(ssl_ctx, (const unsigned char *)"\x02h2", 3);
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
 
   return ssl_ctx;
 }
@@ -364,22 +345,22 @@ static void initialize_nghttp2_session(http2_session_data *session_data) {
 
   nghttp2_session_callbacks_new(&callbacks);
 
-  nghttp2_session_callbacks_set_send_callback(callbacks, send_callback);
+  nghttp2_session_callbacks_set_send_callback2(callbacks, send_callback);
 
   nghttp2_session_callbacks_set_on_frame_recv_callback(callbacks,
                                                        on_frame_recv_callback);
 
   nghttp2_session_callbacks_set_on_data_chunk_recv_callback(
-      callbacks, on_data_chunk_recv_callback);
+    callbacks, on_data_chunk_recv_callback);
 
   nghttp2_session_callbacks_set_on_stream_close_callback(
-      callbacks, on_stream_close_callback);
+    callbacks, on_stream_close_callback);
 
   nghttp2_session_callbacks_set_on_header_callback(callbacks,
                                                    on_header_callback);
 
   nghttp2_session_callbacks_set_on_begin_headers_callback(
-      callbacks, on_begin_headers_callback);
+    callbacks, on_begin_headers_callback);
 
   nghttp2_session_client_new(&session_data->session, callbacks, session_data);
 
@@ -388,7 +369,7 @@ static void initialize_nghttp2_session(http2_session_data *session_data) {
 
 static void send_client_connection_header(http2_session_data *session_data) {
   nghttp2_settings_entry iv[1] = {
-      {NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS, 100}};
+    {NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS, 100}};
   int rv;
 
   /* client 24 bytes magic string will be sent by nghttp2 library */
@@ -401,14 +382,14 @@ static void send_client_connection_header(http2_session_data *session_data) {
 
 #define MAKE_NV(NAME, VALUE, VALUELEN)                                         \
   {                                                                            \
-    (uint8_t *)NAME, (uint8_t *)VALUE, sizeof(NAME) - 1, VALUELEN,             \
-        NGHTTP2_NV_FLAG_NONE                                                   \
+    (uint8_t *)NAME, (uint8_t *)VALUE,     sizeof(NAME) - 1,                   \
+    VALUELEN,        NGHTTP2_NV_FLAG_NONE,                                     \
   }
 
 #define MAKE_NV2(NAME, VALUE)                                                  \
   {                                                                            \
-    (uint8_t *)NAME, (uint8_t *)VALUE, sizeof(NAME) - 1, sizeof(VALUE) - 1,    \
-        NGHTTP2_NV_FLAG_NONE                                                   \
+    (uint8_t *)NAME,   (uint8_t *)VALUE,     sizeof(NAME) - 1,                 \
+    sizeof(VALUE) - 1, NGHTTP2_NV_FLAG_NONE,                                   \
   }
 
 /* Send HTTP request to the remote peer */
@@ -416,17 +397,17 @@ static void submit_request(http2_session_data *session_data) {
   int32_t stream_id;
   http2_stream_data *stream_data = session_data->stream_data;
   const char *uri = stream_data->uri;
-  const struct http_parser_url *u = stream_data->u;
+  const urlparse_url *u = stream_data->u;
   nghttp2_nv hdrs[] = {
-      MAKE_NV2(":method", "GET"),
-      MAKE_NV(":scheme", &uri[u->field_data[UF_SCHEMA].off],
-              u->field_data[UF_SCHEMA].len),
-      MAKE_NV(":authority", stream_data->authority, stream_data->authoritylen),
-      MAKE_NV(":path", stream_data->path, stream_data->pathlen)};
+    MAKE_NV2(":method", "GET"),
+    MAKE_NV(":scheme", &uri[u->field_data[URLPARSE_SCHEMA].off],
+            u->field_data[URLPARSE_SCHEMA].len),
+    MAKE_NV(":authority", stream_data->authority, stream_data->authoritylen),
+    MAKE_NV(":path", stream_data->path, stream_data->pathlen)};
   fprintf(stderr, "Request headers:\n");
   print_headers(stderr, hdrs, ARRLEN(hdrs));
-  stream_id = nghttp2_submit_request(session_data->session, NULL, hdrs,
-                                     ARRLEN(hdrs), NULL, stream_data);
+  stream_id = nghttp2_submit_request2(session_data->session, NULL, hdrs,
+                                      ARRLEN(hdrs), NULL, stream_data);
   if (stream_id < 0) {
     errx(1, "Could not submit HTTP request: %s", nghttp2_strerror(stream_id));
   }
@@ -453,12 +434,12 @@ static int session_send(http2_session_data *session_data) {
    context. To send them, we call session_send() in the end. */
 static void readcb(struct bufferevent *bev, void *ptr) {
   http2_session_data *session_data = (http2_session_data *)ptr;
-  ssize_t readlen;
+  nghttp2_ssize readlen;
   struct evbuffer *input = bufferevent_get_input(bev);
   size_t datalen = evbuffer_get_length(input);
   unsigned char *data = evbuffer_pullup(input, -1);
 
-  readlen = nghttp2_session_mem_recv(session_data->session, data, datalen);
+  readlen = nghttp2_session_mem_recv2(session_data->session, data, datalen);
   if (readlen < 0) {
     warnx("Fatal error: %s", nghttp2_strerror((int)readlen));
     delete_http2_session_data(session_data);
@@ -508,14 +489,9 @@ static void eventcb(struct bufferevent *bev, short events, void *ptr) {
 
     ssl = bufferevent_openssl_get_ssl(session_data->bev);
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
-    SSL_get0_next_proto_negotiated(ssl, &alpn, &alpnlen);
-#endif /* !OPENSSL_NO_NEXTPROTONEG */
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
     if (alpn == NULL) {
       SSL_get0_alpn_selected(ssl, &alpn, &alpnlen);
     }
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
 
     if (alpn == NULL || alpnlen != 2 || memcmp("h2", alpn, 2) != 0) {
       fprintf(stderr, "h2 is not negotiated\n");
@@ -552,8 +528,8 @@ static void initiate_connection(struct event_base *evbase, SSL_CTX *ssl_ctx,
 
   ssl = create_ssl(ssl_ctx);
   bev = bufferevent_openssl_socket_new(
-      evbase, -1, ssl, BUFFEREVENT_SSL_CONNECTING,
-      BEV_OPT_DEFER_CALLBACKS | BEV_OPT_CLOSE_ON_FREE);
+    evbase, -1, ssl, BUFFEREVENT_SSL_CONNECTING,
+    BEV_OPT_DEFER_CALLBACKS | BEV_OPT_CLOSE_ON_FREE);
   bufferevent_enable(bev, EV_READ | EV_WRITE);
   bufferevent_setcb(bev, readcb, writecb, eventcb, session_data);
   rv = bufferevent_socket_connect_hostname(bev, session_data->dnsbase,
@@ -568,7 +544,7 @@ static void initiate_connection(struct event_base *evbase, SSL_CTX *ssl_ctx,
 /* Get resource denoted by the |uri|. The debug and error messages are
    printed in stderr, while the response body is printed in stdout. */
 static void run(const char *uri) {
-  struct http_parser_url u;
+  urlparse_url u;
   char *host;
   uint16_t port;
   int rv;
@@ -577,12 +553,13 @@ static void run(const char *uri) {
   http2_session_data *session_data;
 
   /* Parse the |uri| and stores its components in |u| */
-  rv = http_parser_parse_url(uri, strlen(uri), 0, &u);
+  rv = urlparse_parse_url(uri, strlen(uri), 0, &u);
   if (rv != 0) {
     errx(1, "Could not parse URI %s", uri);
   }
-  host = strndup(&uri[u.field_data[UF_HOST].off], u.field_data[UF_HOST].len);
-  if (!(u.field_set & (1 << UF_PORT))) {
+  host = strndup(&uri[u.field_data[URLPARSE_HOST].off],
+                 u.field_data[URLPARSE_HOST].len);
+  if (!(u.field_set & (1 << URLPARSE_PORT))) {
     port = 443;
   } else {
     port = u.port;
@@ -617,19 +594,6 @@ int main(int argc, char **argv) {
   act.sa_handler = SIG_IGN;
   sigaction(SIGPIPE, &act, NULL);
 
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
-  /* No explicit initialization is required. */
-#elif defined(OPENSSL_IS_BORINGSSL)
-  CRYPTO_library_init();
-#else  /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) &&                          \
-          !defined(OPENSSL_IS_BORINGSSL) */
-  OPENSSL_config(NULL);
-  SSL_load_error_strings();
-  SSL_library_init();
-  OpenSSL_add_all_algorithms();
-#endif /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) &&                          \
-          !defined(OPENSSL_IS_BORINGSSL) */
-
   run(argv[1]);
   return 0;
 }

examples/libevent-server.c

@@ -30,35 +30,35 @@
     }
 #  define warn(format, args...) warnx(format ": %s", ##args, strerror(errno))
 #  define warnx(format, args...) fprintf(stderr, format "\n", ##args)
-#endif
+#endif /* defined(__sgi) */
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <sys/types.h>
 #ifdef HAVE_SYS_SOCKET_H
 #  include <sys/socket.h>
-#endif /* HAVE_SYS_SOCKET_H */
+#endif /* defined(HAVE_SYS_SOCKET_H) */
 #ifdef HAVE_NETDB_H
 #  include <netdb.h>
-#endif /* HAVE_NETDB_H */
+#endif /* defined(HAVE_NETDB_H) */
 #include <signal.h>
 #ifdef HAVE_UNISTD_H
 #  include <unistd.h>
-#endif /* HAVE_UNISTD_H */
+#endif /* defined(HAVE_UNISTD_H) */
 #include <sys/stat.h>
 #ifdef HAVE_FCNTL_H
 #  include <fcntl.h>
-#endif /* HAVE_FCNTL_H */
+#endif /* defined(HAVE_FCNTL_H) */
 #include <ctype.h>
 #ifdef HAVE_NETINET_IN_H
 #  include <netinet/in.h>
-#endif /* HAVE_NETINET_IN_H */
+#endif /* defined(HAVE_NETINET_IN_H) */
 #include <netinet/tcp.h>
 #ifndef __sgi
 #  include <err.h>
-#endif
+#endif /* !defined(__sgi) */
 #include <string.h>
 #include <errno.h>
 
@@ -71,6 +71,7 @@
 #include <event2/bufferevent_ssl.h>
 #include <event2/listener.h>
 
+#define NGHTTP2_NO_SSIZE_T
 #include <nghttp2/nghttp2.h>
 
 #define OUTPUT_WOULDBLOCK_THRESHOLD (1 << 16)
@@ -79,8 +80,8 @@
 
 #define MAKE_NV(NAME, VALUE)                                                   \
   {                                                                            \
-    (uint8_t *)NAME, (uint8_t *)VALUE, sizeof(NAME) - 1, sizeof(VALUE) - 1,    \
-        NGHTTP2_NV_FLAG_NONE                                                   \
+    (uint8_t *)NAME,   (uint8_t *)VALUE,     sizeof(NAME) - 1,                 \
+    sizeof(VALUE) - 1, NGHTTP2_NV_FLAG_NONE,                                   \
   }
 
 struct app_context;
@@ -106,22 +107,6 @@ struct app_context {
   struct event_base *evbase;
 };
 
-static unsigned char next_proto_list[256];
-static size_t next_proto_list_len;
-
-#ifndef OPENSSL_NO_NEXTPROTONEG
-static int next_proto_cb(SSL *ssl, const unsigned char **data,
-                         unsigned int *len, void *arg) {
-  (void)ssl;
-  (void)arg;
-
-  *data = next_proto_list;
-  *len = (unsigned int)next_proto_list_len;
-  return SSL_TLSEXT_ERR_OK;
-}
-#endif /* !OPENSSL_NO_NEXTPROTONEG */
-
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 static int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
                                 unsigned char *outlen, const unsigned char *in,
                                 unsigned int inlen, void *arg) {
@@ -129,7 +114,7 @@ static int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
   (void)ssl;
   (void)arg;
 
-  rv = nghttp2_select_next_protocol((unsigned char **)out, outlen, in, inlen);
+  rv = nghttp2_select_alpn(out, outlen, in, inlen);
 
   if (rv != 1) {
     return SSL_TLSEXT_ERR_NOACK;
@@ -137,7 +122,6 @@ static int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
 
   return SSL_TLSEXT_ERR_OK;
 }
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
 
 /* Create SSL_CTX. */
 static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
@@ -148,16 +132,15 @@ static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
     errx(1, "Could not create SSL/TLS context: %s",
          ERR_error_string(ERR_get_error(), NULL));
   }
-  SSL_CTX_set_options(ssl_ctx,
-                      SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
-                          SSL_OP_NO_COMPRESSION |
-                          SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+  SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+                                 SSL_OP_NO_COMPRESSION |
+                                 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
-  if (SSL_CTX_set1_curves_list(ssl_ctx, "P-256") != 1) {
-    errx(1, "SSL_CTX_set1_curves_list failed: %s",
+  if (SSL_CTX_set1_groups_list(ssl_ctx, "P-256") != 1) {
+    errx(1, "SSL_CTX_set1_groups_list failed: %s",
          ERR_error_string(ERR_get_error(), NULL));
   }
-#else  /* !(OPENSSL_VERSION_NUMBER >= 0x30000000L) */
+#else  /* OPENSSL_VERSION_NUMBER < 0x30000000L */
   {
     EC_KEY *ecdh;
     ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
@@ -168,7 +151,7 @@ static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
     SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
     EC_KEY_free(ecdh);
   }
-#endif /* !(OPENSSL_VERSION_NUMBER >= 0x30000000L) */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
   if (SSL_CTX_use_PrivateKey_file(ssl_ctx, key_file, SSL_FILETYPE_PEM) != 1) {
     errx(1, "Could not read private key file %s", key_file);
@@ -177,18 +160,7 @@ static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
     errx(1, "Could not read certificate file %s", cert_file);
   }
 
-  next_proto_list[0] = NGHTTP2_PROTO_VERSION_ID_LEN;
-  memcpy(&next_proto_list[1], NGHTTP2_PROTO_VERSION_ID,
-         NGHTTP2_PROTO_VERSION_ID_LEN);
-  next_proto_list_len = 1 + NGHTTP2_PROTO_VERSION_ID_LEN;
-
-#ifndef OPENSSL_NO_NEXTPROTONEG
-  SSL_CTX_set_next_protos_advertised_cb(ssl_ctx, next_proto_cb, NULL);
-#endif /* !OPENSSL_NO_NEXTPROTONEG */
-
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
   SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, NULL);
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
 
   return ssl_ctx;
 }
@@ -260,8 +232,8 @@ static http2_session_data *create_http2_session_data(app_context *app_ctx,
   session_data->app_ctx = app_ctx;
   setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, (char *)&val, sizeof(val));
   session_data->bev = bufferevent_openssl_socket_new(
-      app_ctx->evbase, fd, ssl, BUFFEREVENT_SSL_ACCEPTING,
-      BEV_OPT_CLOSE_ON_FREE | BEV_OPT_DEFER_CALLBACKS);
+    app_ctx->evbase, fd, ssl, BUFFEREVENT_SSL_ACCEPTING,
+    BEV_OPT_CLOSE_ON_FREE | BEV_OPT_DEFER_CALLBACKS);
   bufferevent_enable(session_data->bev, EV_READ | EV_WRITE);
   rv = getnameinfo(addr, (socklen_t)addrlen, host, sizeof(host), NULL, 0,
                    NI_NUMERICHOST);
@@ -305,16 +277,16 @@ static int session_send(http2_session_data *session_data) {
 }
 
 /* Read the data in the bufferevent and feed them into nghttp2 library
-   function. Invocation of nghttp2_session_mem_recv() may make
+   function. Invocation of nghttp2_session_mem_recv2() may make
    additional pending frames, so call session_send() at the end of the
    function. */
 static int session_recv(http2_session_data *session_data) {
-  ssize_t readlen;
+  nghttp2_ssize readlen;
   struct evbuffer *input = bufferevent_get_input(session_data->bev);
   size_t datalen = evbuffer_get_length(input);
   unsigned char *data = evbuffer_pullup(input, -1);
 
-  readlen = nghttp2_session_mem_recv(session_data->session, data, datalen);
+  readlen = nghttp2_session_mem_recv2(session_data->session, data, datalen);
   if (readlen < 0) {
     warnx("Fatal error: %s", nghttp2_strerror((int)readlen));
     return -1;
@@ -329,8 +301,9 @@ static int session_recv(http2_session_data *session_data) {
   return 0;
 }
 
-static ssize_t send_callback(nghttp2_session *session, const uint8_t *data,
-                             size_t length, int flags, void *user_data) {
+static nghttp2_ssize send_callback(nghttp2_session *session,
+                                   const uint8_t *data, size_t length,
+                                   int flags, void *user_data) {
   http2_session_data *session_data = (http2_session_data *)user_data;
   struct bufferevent *bev = session_data->bev;
   (void)session;
@@ -342,7 +315,7 @@ static ssize_t send_callback(nghttp2_session *session, const uint8_t *data,
     return NGHTTP2_ERR_WOULDBLOCK;
   }
   bufferevent_write(bev, data, length);
-  return (ssize_t)length;
+  return (nghttp2_ssize)length;
 }
 
 /* Returns nonzero if the string |s| ends with the substring |sub| */
@@ -386,7 +359,7 @@ static char *percent_decode(const uint8_t *value, size_t valuelen) {
         continue;
       }
       res[j++] =
-          (char)((hex_to_uint(value[i + 1]) << 4) + hex_to_uint(value[i + 2]));
+        (char)((hex_to_uint(value[i + 1]) << 4) + hex_to_uint(value[i + 2]));
       i += 3;
     }
     memcpy(&res[j], &value[i], 2);
@@ -398,11 +371,11 @@ static char *percent_decode(const uint8_t *value, size_t valuelen) {
   return res;
 }
 
-static ssize_t file_read_callback(nghttp2_session *session, int32_t stream_id,
-                                  uint8_t *buf, size_t length,
-                                  uint32_t *data_flags,
-                                  nghttp2_data_source *source,
-                                  void *user_data) {
+static nghttp2_ssize file_read_callback(nghttp2_session *session,
+                                        int32_t stream_id, uint8_t *buf,
+                                        size_t length, uint32_t *data_flags,
+                                        nghttp2_data_source *source,
+                                        void *user_data) {
   int fd = source->fd;
   ssize_t r;
   (void)session;
@@ -417,17 +390,17 @@ static ssize_t file_read_callback(nghttp2_session *session, int32_t stream_id,
   if (r == 0) {
     *data_flags |= NGHTTP2_DATA_FLAG_EOF;
   }
-  return r;
+  return (nghttp2_ssize)r;
 }
 
 static int send_response(nghttp2_session *session, int32_t stream_id,
                          nghttp2_nv *nva, size_t nvlen, int fd) {
   int rv;
-  nghttp2_data_provider data_prd;
+  nghttp2_data_provider2 data_prd;
   data_prd.source.fd = fd;
   data_prd.read_callback = file_read_callback;
 
-  rv = nghttp2_submit_response(session, stream_id, nva, nvlen, &data_prd);
+  rv = nghttp2_submit_response2(session, stream_id, nva, nvlen, &data_prd);
   if (rv != 0) {
     warnx("Fatal error: %s", nghttp2_strerror(rv));
     return -1;
@@ -448,9 +421,9 @@ static int error_reply(nghttp2_session *session,
   rv = pipe(pipefd);
   if (rv != 0) {
     warn("Could not create pipe");
-    rv = nghttp2_submit_rst_stream(session, NGHTTP2_FLAG_NONE,
-                                   stream_data->stream_id,
-                                   NGHTTP2_INTERNAL_ERROR);
+    rv =
+      nghttp2_submit_rst_stream(session, NGHTTP2_FLAG_NONE,
+                                stream_data->stream_id, NGHTTP2_INTERNAL_ERROR);
     if (rv != 0) {
       warnx("Fatal error: %s", nghttp2_strerror(rv));
       return -1;
@@ -493,7 +466,7 @@ static int on_header_callback(nghttp2_session *session,
       break;
     }
     stream_data =
-        nghttp2_session_get_stream_user_data(session, frame->hd.stream_id);
+      nghttp2_session_get_stream_user_data(session, frame->hd.stream_id);
     if (!stream_data || stream_data->request_path) {
       break;
     }
@@ -583,7 +556,7 @@ static int on_frame_recv_callback(nghttp2_session *session,
     /* Check that the client request has finished */
     if (frame->hd.flags & NGHTTP2_FLAG_END_STREAM) {
       stream_data =
-          nghttp2_session_get_stream_user_data(session, frame->hd.stream_id);
+        nghttp2_session_get_stream_user_data(session, frame->hd.stream_id);
       /* For DATA and HEADERS frame, this callback may be called after
          on_stream_close_callback. Check that stream still alive. */
       if (!stream_data) {
@@ -618,19 +591,19 @@ static void initialize_nghttp2_session(http2_session_data *session_data) {
 
   nghttp2_session_callbacks_new(&callbacks);
 
-  nghttp2_session_callbacks_set_send_callback(callbacks, send_callback);
+  nghttp2_session_callbacks_set_send_callback2(callbacks, send_callback);
 
   nghttp2_session_callbacks_set_on_frame_recv_callback(callbacks,
                                                        on_frame_recv_callback);
 
   nghttp2_session_callbacks_set_on_stream_close_callback(
-      callbacks, on_stream_close_callback);
+    callbacks, on_stream_close_callback);
 
   nghttp2_session_callbacks_set_on_header_callback(callbacks,
                                                    on_header_callback);
 
   nghttp2_session_callbacks_set_on_begin_headers_callback(
-      callbacks, on_begin_headers_callback);
+    callbacks, on_begin_headers_callback);
 
   nghttp2_session_server_new(&session_data->session, callbacks, session_data);
 
@@ -641,7 +614,7 @@ static void initialize_nghttp2_session(http2_session_data *session_data) {
    magic octets and SETTINGS frame */
 static int send_server_connection_header(http2_session_data *session_data) {
   nghttp2_settings_entry iv[1] = {
-      {NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS, 100}};
+    {NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS, 100}};
   int rv;
 
   rv = nghttp2_submit_settings(session_data->session, NGHTTP2_FLAG_NONE, iv,
@@ -702,14 +675,7 @@ static void eventcb(struct bufferevent *bev, short events, void *ptr) {
 
     ssl = bufferevent_openssl_get_ssl(session_data->bev);
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
-    SSL_get0_next_proto_negotiated(ssl, &alpn, &alpnlen);
-#endif /* !OPENSSL_NO_NEXTPROTONEG */
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
-    if (alpn == NULL) {
-      SSL_get0_alpn_selected(ssl, &alpn, &alpnlen);
-    }
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
+    SSL_get0_alpn_selected(ssl, &alpn, &alpnlen);
 
     if (alpn == NULL || alpnlen != 2 || memcmp("h2", alpn, 2) != 0) {
       fprintf(stderr, "%s h2 is not negotiated\n", session_data->client_addr);
@@ -761,7 +727,7 @@ static void start_listen(struct event_base *evbase, const char *service,
   hints.ai_flags = AI_PASSIVE;
 #ifdef AI_ADDRCONFIG
   hints.ai_flags |= AI_ADDRCONFIG;
-#endif /* AI_ADDRCONFIG */
+#endif /* defined(AI_ADDRCONFIG) */
 
   rv = getaddrinfo(NULL, service, &hints, &res);
   if (rv != 0) {
@@ -770,8 +736,8 @@ static void start_listen(struct event_base *evbase, const char *service,
   for (rp = res; rp; rp = rp->ai_next) {
     struct evconnlistener *listener;
     listener = evconnlistener_new_bind(
-        evbase, acceptcb, app_ctx, LEV_OPT_CLOSE_ON_FREE | LEV_OPT_REUSEABLE,
-        16, rp->ai_addr, (int)rp->ai_addrlen);
+      evbase, acceptcb, app_ctx, LEV_OPT_CLOSE_ON_FREE | LEV_OPT_REUSEABLE, 16,
+      rp->ai_addr, (int)rp->ai_addrlen);
     if (listener) {
       freeaddrinfo(res);
 
@@ -817,19 +783,6 @@ int main(int argc, char **argv) {
   act.sa_handler = SIG_IGN;
   sigaction(SIGPIPE, &act, NULL);
 
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
-  /* No explicit initialization is required. */
-#elif defined(OPENSSL_IS_BORINGSSL)
-  CRYPTO_library_init();
-#else  /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) &&                          \
-          !defined(OPENSSL_IS_BORINGSSL) */
-  OPENSSL_config(NULL);
-  SSL_load_error_strings();
-  SSL_library_init();
-  OpenSSL_add_all_algorithms();
-#endif /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) &&                          \
-          !defined(OPENSSL_IS_BORINGSSL) */
-
   run(argv[1], argv[2], argv[3]);
   return 0;
 }

fuzz/fuzz_frames.cc

@@ -62,8 +62,8 @@ void check_frame_pack_headers(FuzzedDataProvider *data_provider) {
   nvlen = HEADERS_LENGTH;
   nghttp2_priority_spec_default_init(&pri_spec);
   nghttp2_frame_headers_init(
-      &frame, NGHTTP2_FLAG_END_STREAM | NGHTTP2_FLAG_END_HEADERS, 1000000007,
-      NGHTTP2_HCAT_REQUEST, &pri_spec, nva, nvlen);
+    &frame, NGHTTP2_FLAG_END_STREAM | NGHTTP2_FLAG_END_HEADERS, 1000000007,
+    NGHTTP2_HCAT_REQUEST, &pri_spec, nva, nvlen);
 
   /* Perform a set of operations with the fuzz data */
   rv = nghttp2_frame_pack_headers(&bufs, &frame, &deflater);

fuzz/fuzz_target.cc

@@ -40,7 +40,7 @@ namespace {
 void send_pending(nghttp2_session *session) {
   for (;;) {
     const uint8_t *data;
-    auto n = nghttp2_session_mem_send(session, &data);
+    auto n = nghttp2_session_mem_send2(session, &data);
     if (n == 0) {
       return;
     }
@@ -56,11 +56,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   nghttp2_session_callbacks_set_on_frame_recv_callback(callbacks,
                                                        on_frame_recv_callback);
   nghttp2_session_callbacks_set_on_begin_headers_callback(
-      callbacks, on_begin_headers_callback);
+    callbacks, on_begin_headers_callback);
   nghttp2_session_callbacks_set_on_header_callback2(callbacks,
                                                     on_header_callback2);
   nghttp2_session_callbacks_set_before_frame_send_callback(
-      callbacks, before_frame_send_callback);
+    callbacks, before_frame_send_callback);
   nghttp2_session_callbacks_set_on_frame_send_callback(callbacks,
                                                        on_frame_send_callback);
 
@@ -70,7 +70,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   nghttp2_settings_entry iv{NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS, 100};
   nghttp2_submit_settings(session, NGHTTP2_FLAG_NONE, &iv, 1);
   send_pending(session);
-  nghttp2_session_mem_recv(session, data, size);
+  nghttp2_session_mem_recv2(session, data, size);
   send_pending(session);
 
   nghttp2_session_del(session);

fuzz/fuzz_target_fdp.cc

@@ -44,7 +44,7 @@ namespace {
 void send_pending(nghttp2_session *session) {
   for (;;) {
     const uint8_t *data;
-    auto n = nghttp2_session_mem_send(session, &data);
+    auto n = nghttp2_session_mem_send2(session, &data);
     if (n == 0) {
       return;
     }
@@ -60,11 +60,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   nghttp2_session_callbacks_set_on_frame_recv_callback(callbacks,
                                                        on_frame_recv_callback);
   nghttp2_session_callbacks_set_on_begin_headers_callback(
-      callbacks, on_begin_headers_callback);
+    callbacks, on_begin_headers_callback);
   nghttp2_session_callbacks_set_on_header_callback2(callbacks,
                                                     on_header_callback2);
   nghttp2_session_callbacks_set_before_frame_send_callback(
-      callbacks, before_frame_send_callback);
+    callbacks, before_frame_send_callback);
   nghttp2_session_callbacks_set_on_frame_send_callback(callbacks,
                                                        on_frame_send_callback);
 
@@ -87,7 +87,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   send_pending(session);
 
   std::vector<uint8_t> d = data_provider.ConsumeRemainingBytes<uint8_t>();
-  nghttp2_session_mem_recv(session, d.data(), d.size());
+  nghttp2_session_mem_recv2(session, d.data(), d.size());
 
   send_pending(session);
 

genheaderfunc.py

@@ -35,6 +35,7 @@ HEADERS = [
     "early-data",
     "sec-websocket-accept",
     "sec-websocket-key",
+    "priority",
     # disallowed h1 headers
     'connection',
     'keep-alive',

gennghttpxfun.py

@@ -200,6 +200,11 @@ OPTIONS = [
     "frontend-quic-initial-rtt",
     "require-http-scheme",
     "tls-ktls",
+    "alpn-list",
+    "frontend-header-timeout",
+    "frontend-http2-idle-timeout",
+    "frontend-http3-idle-timeout",
+    "groups",
 ]
 
 LOGVARS = [
@@ -237,5 +242,5 @@ LOGVARS = [
 ]
 
 if __name__ == '__main__':
-    gentokenlookup(OPTIONS, 'SHRPX_OPTID_', value_type='char', comp_fun='util::strieq_l')
-    gentokenlookup(LOGVARS, 'LogFragmentType::', value_type='char', comp_fun='util::strieq_l', return_type='LogFragmentType', fail_value='LogFragmentType::NONE')
+    gentokenlookup(OPTIONS, 'SHRPX_OPTID_', comp_fun='util::strieq')
+    gentokenlookup(LOGVARS, 'LogFragmentType::', comp_fun='util::strieq', return_type='LogFragmentType', fail_value='LogFragmentType::NONE')

gentokenlookup.py

@@ -33,10 +33,10 @@ enum {''')
   {}MAXIDX,
 }};'''.format(prefix))
 
-def gen_index_header(tokens, prefix, value_type, comp_fun, return_type, fail_value):
+def gen_index_header(tokens, prefix, comp_fun, return_type, fail_value):
     print('''\
-{} lookup_token(const {} *name, size_t namelen) {{
-  switch (namelen) {{'''.format(return_type, value_type))
+{} lookup_token(const std::string_view &name) {{
+  switch (name.size()) {{'''.format(return_type))
     b = build_header(tokens)
     for size in sorted(b.keys()):
         ents = b[size]
@@ -50,7 +50,7 @@ def gen_index_header(tokens, prefix, value_type, comp_fun, return_type, fail_val
     case '{}':'''.format(c))
             for k in headers:
                 print('''\
-      if ({}("{}", name, {})) {{
+      if ({}("{}"sv, name.substr(0, {}))) {{
         return {};
       }}'''.format(comp_fun, k[:-1], size - 1, to_enum_hd(k, prefix)))
             print('''\
@@ -63,7 +63,7 @@ def gen_index_header(tokens, prefix, value_type, comp_fun, return_type, fail_val
   return {};
 }}'''.format(fail_value))
 
-def gentokenlookup(tokens, prefix, value_type='uint8_t', comp_fun='util::streq_l', return_type='int', fail_value='-1'):
+def gentokenlookup(tokens, prefix, comp_fun='util::streq', return_type='int', fail_value='-1'):
     gen_enum(tokens, prefix)
     print()
-    gen_index_header(tokens, prefix, value_type, comp_fun, return_type, fail_value)
+    gen_index_header(tokens, prefix, comp_fun, return_type, fail_value)

go.mod

@@ -1,26 +1,17 @@
 module github.com/nghttp2/nghttp2
 
-go 1.20
+go 1.24.0
 
 require (
-	github.com/bradfitz/gomemcache v0.0.0-20230124162541-5f7a7d875746
-	github.com/quic-go/quic-go v0.35.1
-	github.com/tatsuhiro-t/go-nghttp2 v0.0.0-20150408091349-4742878d9c90
-	golang.org/x/net v0.10.0
+	github.com/bradfitz/gomemcache v0.0.0-20230905024940-24af94b03874
+	github.com/quic-go/quic-go v0.57.1
+	github.com/tatsuhiro-t/go-nghttp2 v0.0.0-20240121064059-46ccb0a462a8
+	golang.org/x/net v0.47.0
 )
 
 require (
-	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
-	github.com/golang/mock v1.6.0 // indirect
-	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
-	github.com/onsi/ginkgo/v2 v2.2.0 // indirect
-	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-19 v0.3.2 // indirect
-	github.com/quic-go/qtls-go1-20 v0.2.2 // indirect
-	golang.org/x/crypto v0.4.0 // indirect
-	golang.org/x/exp v0.0.0-20221205204356-47842c84f3db // indirect
-	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/sys v0.8.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
-	golang.org/x/tools v0.6.0 // indirect
+	github.com/quic-go/qpack v0.6.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 )

go.sum

@@ -1,78 +1,28 @@
-github.com/bradfitz/gomemcache v0.0.0-20230124162541-5f7a7d875746 h1:wAIE/kN63Oig1DdOzN7O+k4AbFh2cCJoKMFXrwRJtzk=
-github.com/bradfitz/gomemcache v0.0.0-20230124162541-5f7a7d875746/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/bradfitz/gomemcache v0.0.0-20230905024940-24af94b03874 h1:N7oVaKyGp8bttX0bfZGmcGkjz7DLQXhAn3DNd3T0ous=
+github.com/bradfitz/gomemcache v0.0.0-20230905024940-24af94b03874/go.mod h1:r5xuitiExdLAJ09PR7vBVENGvp4ZuTBeWTGtxuX3K+c=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
-github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
-github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
-github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
-github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE=
-github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/onsi/ginkgo/v2 v2.2.0 h1:3ZNA3L1c5FYDFTTxbFeVGGD8jYvjYauHD30YgLxVsNI=
-github.com/onsi/ginkgo/v2 v2.2.0/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk=
-github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
-github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
-github.com/quic-go/qtls-go1-19 v0.3.2 h1:tFxjCFcTQzK+oMxG6Zcvp4Dq8dx4yD3dDiIiyc86Z5U=
-github.com/quic-go/qtls-go1-19 v0.3.2/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
-github.com/quic-go/qtls-go1-20 v0.2.2 h1:WLOPx6OY/hxtTxKV1Zrq20FtXtDEkeY00CGQm8GEa3E=
-github.com/quic-go/qtls-go1-20 v0.2.2/go.mod h1:JKtK6mjbAVcUTN/9jZpvLbGxvdWIKS8uT7EiStoU1SM=
-github.com/quic-go/quic-go v0.35.1 h1:b0kzj6b/cQAf05cT0CkQubHM31wiA+xH3IBkxP62poo=
-github.com/quic-go/quic-go v0.35.1/go.mod h1:+4CVgVppm0FNjpG3UcX8Joi/frKOH7/ciD5yGcwOO1g=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/tatsuhiro-t/go-nghttp2 v0.0.0-20150408091349-4742878d9c90 h1:ccVm9C6f5YMcVv6t9MXahIDkqVvzD6vklkJTIE4D2nY=
-github.com/tatsuhiro-t/go-nghttp2 v0.0.0-20150408091349-4742878d9c90/go.mod h1:YZhsh86DfZgAShPKeg1eBLVrmuQxWcR9H4TdpgNvSnw=
-github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.4.0 h1:UVQgzMY87xqpKNgb+kDsll2Igd33HszWHFLmpaRMq/8=
-golang.org/x/crypto v0.4.0/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80=
-golang.org/x/exp v0.0.0-20221205204356-47842c84f3db h1:D/cFflL63o2KSLJIwjlcIt8PR064j/xsmdEJL/YvY/o=
-golang.org/x/exp v0.0.0-20221205204356-47842c84f3db/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
-golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
+github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
+github.com/quic-go/quic-go v0.57.1 h1:25KAAR9QR8KZrCZRThWMKVAwGoiHIrNbT72ULHTuI10=
+github.com/quic-go/quic-go v0.57.1/go.mod h1:ly4QBAjHA2VhdnxhojRsCUOeJwKYg+taDlos92xb1+s=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tatsuhiro-t/go-nghttp2 v0.0.0-20240121064059-46ccb0a462a8 h1:zKJxuRe+a0O34V81GAZWOrotuU6mveT30QLjJ7OPMMg=
+github.com/tatsuhiro-t/go-nghttp2 v0.0.0-20240121064059-46ccb0a462a8/go.mod h1:gTqc3Q4boc+cKRlSFywTYdX9t6VGRcsThlNIWwaL3Dc=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

integration-tests/CMakeLists.txt

@@ -2,6 +2,7 @@ set(GO_FILES
   nghttpx_http1_test.go
   nghttpx_http2_test.go
   server_tester.go
+  server_tester_http3.go
 )
 
 # XXX unused
@@ -18,12 +19,6 @@ set(EXTRA_DIST
   resp-return.rb
 )
 
-add_custom_target(itprep
-  COMMAND go get -d -v golang.org/x/net/http2
-  COMMAND go get -d -v github.com/tatsuhiro-t/go-nghttp2
-  COMMAND go get -d -v golang.org/x/net/websocket
-)
-
 # 'go test' requires both config.go and the test files in the same directory.
 # For out-of-tree builds, config.go is normally not placed next to the source
 # files, so copy the tests to the build directory as a workaround.
@@ -40,7 +35,11 @@ if(NOT CMAKE_CURRENT_SOURCE_DIR STREQUAL CMAKE_CURRENT_BINARY_DIR)
   endforeach()
 endif()
 
+if(ENABLE_HTTP3)
+  set(GO_TEST_TAGS quic)
+endif()
+
 add_custom_target(it
-  COMMAND sh setenv go test -v
+  COMMAND sh setenv go test -v --tags=${GO_TEST_TAGS}
   DEPENDS ${GO_BUILD_FILES}
 )

integration-tests/Makefile.am

@@ -25,7 +25,8 @@ GO_FILES = \
 	nghttpx_http1_test.go \
 	nghttpx_http2_test.go \
 	nghttpx_http3_test.go \
-	server_tester.go
+	server_tester.go \
+	server_tester_http3.go
 
 EXTRA_DIST = \
 	CMakeLists.txt \

integration-tests/nghttpx_http1_test.go

@@ -4,6 +4,7 @@ import (
 	"bufio"
 	"bytes"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -58,10 +59,11 @@ func TestH1H1PlainGETClose(t *testing.T) {
 // 501 status code
 func TestH1H1InvalidMethod(t *testing.T) {
 	opts := options{
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Errorf("server should not forward this request")
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -82,10 +84,11 @@ func TestH1H1InvalidMethod(t *testing.T) {
 // contains multiple Content-Length header fields.
 func TestH1H1MultipleRequestCL(t *testing.T) {
 	opts := options{
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Errorf("server should not forward bad request")
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -133,6 +136,7 @@ func TestH1H1AffinityCookie(t *testing.T) {
 	opts := options{
 		args: []string{"--affinity-cookie"},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -149,6 +153,7 @@ func TestH1H1AffinityCookie(t *testing.T) {
 
 	const pattern = `affinity=[0-9a-f]{8}; Path=/foo/bar`
 	validCookie := regexp.MustCompile(pattern)
+
 	if got := res.header.Get("Set-Cookie"); !validCookie.MatchString(got) {
 		t.Errorf("Set-Cookie: %v; want pattern %v", got, pattern)
 	}
@@ -161,6 +166,7 @@ func TestH1H1AffinityCookieTLS(t *testing.T) {
 		args: []string{"--alpn-h1", "--affinity-cookie"},
 		tls:  true,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -177,6 +183,7 @@ func TestH1H1AffinityCookieTLS(t *testing.T) {
 
 	const pattern = `affinity=[0-9a-f]{8}; Path=/foo/bar; Secure`
 	validCookie := regexp.MustCompile(pattern)
+
 	if got := res.header.Get("Set-Cookie"); !validCookie.MatchString(got) {
 		t.Errorf("Set-Cookie: %v; want pattern %v", got, pattern)
 	}
@@ -221,7 +228,8 @@ func TestH1H1GracefulShutdown(t *testing.T) {
 
 	want := io.EOF
 	b := make([]byte, 256)
-	if _, err := st.conn.Read(b); err == nil || err != want {
+
+	if _, err := st.conn.Read(b); !errors.Is(err, want) {
 		t.Errorf("st.conn.Read(): %v; want %v", err, want)
 	}
 }
@@ -234,6 +242,7 @@ func TestH1H1HostRewrite(t *testing.T) {
 			w.Header().Add("request-host", r.Host)
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -243,9 +252,11 @@ func TestH1H1HostRewrite(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusOK; got != want {
 		t.Errorf("status: %v; want %v", got, want)
 	}
+
 	if got, want := res.header.Get("request-host"), st.backendHost; got != want {
 		t.Errorf("request-host: %v; want %v", got, want)
 	}
@@ -255,16 +266,18 @@ func TestH1H1HostRewrite(t *testing.T) {
 // characters in host header field.
 func TestH1H1BadHost(t *testing.T) {
 	opts := options{
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Errorf("server should not forward this request")
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
 	if _, err := io.WriteString(st.conn, "GET / HTTP/1.1\r\nTest-Case: TestH1H1HBadHost\r\nHost: foo\"bar\r\n\r\n"); err != nil {
 		t.Fatalf("Error io.WriteString() = %v", err)
 	}
+
 	resp, err := http.ReadResponse(bufio.NewReader(st.conn), nil)
 	if err != nil {
 		t.Fatalf("Error http.ReadResponse() = %v", err)
@@ -281,16 +294,18 @@ func TestH1H1BadHost(t *testing.T) {
 // bad characters in authority component of requset URI.
 func TestH1H1BadAuthority(t *testing.T) {
 	opts := options{
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Errorf("server should not forward this request")
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
 	if _, err := io.WriteString(st.conn, "GET http://foo\"bar/ HTTP/1.1\r\nTest-Case: TestH1H1HBadAuthority\r\nHost: foobar\r\n\r\n"); err != nil {
 		t.Fatalf("Error io.WriteString() = %v", err)
 	}
+
 	resp, err := http.ReadResponse(bufio.NewReader(st.conn), nil)
 	if err != nil {
 		t.Fatalf("Error http.ReadResponse() = %v", err)
@@ -307,16 +322,18 @@ func TestH1H1BadAuthority(t *testing.T) {
 // bad characters in scheme component of requset URI.
 func TestH1H1BadScheme(t *testing.T) {
 	opts := options{
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Errorf("server should not forward this request")
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
 	if _, err := io.WriteString(st.conn, "GET http*://example.com/ HTTP/1.1\r\nTest-Case: TestH1H1HBadScheme\r\nHost: example.com\r\n\r\n"); err != nil {
 		t.Fatalf("Error io.WriteString() = %v", err)
 	}
+
 	resp, err := http.ReadResponse(bufio.NewReader(st.conn), nil)
 	if err != nil {
 		t.Fatalf("Error http.ReadResponse() = %v", err)
@@ -337,6 +354,7 @@ func TestH1H1HTTP10(t *testing.T) {
 			w.Header().Add("request-host", r.Host)
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -354,6 +372,7 @@ func TestH1H1HTTP10(t *testing.T) {
 	if got, want := resp.StatusCode, http.StatusOK; got != want {
 		t.Errorf("status: %v; want %v", got, want)
 	}
+
 	if got, want := resp.Header.Get("request-host"), st.backendHost; got != want {
 		t.Errorf("request-host: %v; want %v", got, want)
 	}
@@ -368,6 +387,7 @@ func TestH1H1HTTP10NoHostRewrite(t *testing.T) {
 			w.Header().Add("request-host", r.Host)
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -385,6 +405,7 @@ func TestH1H1HTTP10NoHostRewrite(t *testing.T) {
 	if got, want := resp.StatusCode, http.StatusOK; got != want {
 		t.Errorf("status: %v; want %v", got, want)
 	}
+
 	if got, want := resp.Header.Get("request-host"), st.backendHost; got != want {
 		t.Errorf("request-host: %v; want %v", got, want)
 	}
@@ -394,14 +415,15 @@ func TestH1H1HTTP10NoHostRewrite(t *testing.T) {
 // backend.
 func TestH1H1RequestTrailer(t *testing.T) {
 	opts := options{
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(_ http.ResponseWriter, r *http.Request) {
 			buf := make([]byte, 4096)
 			for {
 				_, err := r.Body.Read(buf)
-				if err == io.EOF {
-					break
-				}
 				if err != nil {
+					if errors.Is(err, io.EOF) {
+						break
+					}
+
 					t.Fatalf("r.Body.Read() = %v", err)
 				}
 			}
@@ -410,6 +432,7 @@ func TestH1H1RequestTrailer(t *testing.T) {
 			}
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -423,6 +446,7 @@ func TestH1H1RequestTrailer(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusOK; got != want {
 		t.Errorf("res.status: %v; want %v", got, want)
 	}
@@ -436,10 +460,11 @@ func TestH1H1HeaderFieldBufferPath(t *testing.T) {
 	// limit.
 	opts := options{
 		args: []string{"--request-header-field-buffer=100"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Fatal("execution path should not be here")
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -450,6 +475,7 @@ func TestH1H1HeaderFieldBufferPath(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusRequestHeaderFieldsTooLarge; got != want {
 		t.Errorf("status: %v; want %v", got, want)
 	}
@@ -460,10 +486,11 @@ func TestH1H1HeaderFieldBufferPath(t *testing.T) {
 func TestH1H1HeaderFieldBuffer(t *testing.T) {
 	opts := options{
 		args: []string{"--request-header-field-buffer=10"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Fatal("execution path should not be here")
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -473,6 +500,7 @@ func TestH1H1HeaderFieldBuffer(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusRequestHeaderFieldsTooLarge; got != want {
 		t.Errorf("status: %v; want %v", got, want)
 	}
@@ -483,10 +511,11 @@ func TestH1H1HeaderFieldBuffer(t *testing.T) {
 func TestH1H1HeaderFields(t *testing.T) {
 	opts := options{
 		args: []string{"--max-request-header-fields=1"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Fatal("execution path should not be here")
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -501,6 +530,7 @@ func TestH1H1HeaderFields(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusRequestHeaderFieldsTooLarge; got != want {
 		t.Errorf("status: %v; want %v", got, want)
 	}
@@ -515,6 +545,7 @@ func TestH1H1Websocket(t *testing.T) {
 			}
 		}).ServeHTTP,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -523,6 +554,7 @@ func TestH1H1Websocket(t *testing.T) {
 		name: "TestH1H1Websocket",
 		body: content,
 	})
+
 	if got, want := res.body, content; !bytes.Equal(got, want) {
 		t.Errorf("echo: %q; want %q", got, want)
 	}
@@ -533,12 +565,13 @@ func TestH1H1Websocket(t *testing.T) {
 func TestH1H1ReqPhaseSetHeader(t *testing.T) {
 	opts := options{
 		args: []string{"--mruby-file=" + testDir + "/req-set-header.rb"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(_ http.ResponseWriter, r *http.Request) {
 			if got, want := r.Header.Get("User-Agent"), "mruby"; got != want {
 				t.Errorf("User-Agent = %v; want %v", got, want)
 			}
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -559,10 +592,11 @@ func TestH1H1ReqPhaseSetHeader(t *testing.T) {
 func TestH1H1ReqPhaseReturn(t *testing.T) {
 	opts := options{
 		args: []string{"--mruby-file=" + testDir + "/req-return.rb"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Fatalf("request should not be forwarded")
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -599,10 +633,11 @@ func TestH1H1ReqPhaseReturn(t *testing.T) {
 func TestH1H1ReqPhaseReturnCONNECTMethod(t *testing.T) {
 	opts := options{
 		args: []string{"--mruby-file=" + testDir + "/req-return.rb"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Fatalf("request should not be forwarded")
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -670,6 +705,7 @@ func TestH1H1RespPhaseSetHeader(t *testing.T) {
 	opts := options{
 		args: []string{"--mruby-file=" + testDir + "/resp-set-header.rb"},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -695,6 +731,7 @@ func TestH1H1RespPhaseReturn(t *testing.T) {
 	opts := options{
 		args: []string{"--mruby-file=" + testDir + "/resp-return.rb"},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -732,6 +769,7 @@ func TestH1H1HTTPSRedirect(t *testing.T) {
 	opts := options{
 		args: []string{"--redirect-if-not-tls"},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -745,6 +783,7 @@ func TestH1H1HTTPSRedirect(t *testing.T) {
 	if got, want := res.status, http.StatusPermanentRedirect; got != want {
 		t.Errorf("status = %v; want %v", got, want)
 	}
+
 	if got, want := res.header.Get("location"), "https://127.0.0.1/"; got != want {
 		t.Errorf("location: %v; want %v", got, want)
 	}
@@ -759,6 +798,7 @@ func TestH1H1HTTPSRedirectPort(t *testing.T) {
 			"--redirect-https-port=8443",
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -773,6 +813,7 @@ func TestH1H1HTTPSRedirectPort(t *testing.T) {
 	if got, want := res.status, http.StatusPermanentRedirect; got != want {
 		t.Errorf("status = %v; want %v", got, want)
 	}
+
 	if got, want := res.header.Get("location"), "https://127.0.0.1:8443/foo?bar"; got != want {
 		t.Errorf("location: %v; want %v", got, want)
 	}
@@ -791,6 +832,7 @@ func TestH1H1POSTRequests(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusOK; got != want {
 		t.Errorf("res.status: %v; want %v", got, want)
 	}
@@ -802,6 +844,7 @@ func TestH1H1POSTRequests(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusOK; got != want {
 		t.Errorf("res.status: %v; want %v", got, want)
 	}
@@ -817,6 +860,7 @@ func TestH1H1CONNECTMethodFailure(t *testing.T) {
 			}
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -838,12 +882,39 @@ func TestH1H1CONNECTMethodFailure(t *testing.T) {
 	if _, err := io.ReadAll(resp.Body); err != nil {
 		t.Fatalf("Error io.ReadAll() = %v", err)
 	}
+}
 
-	if _, err := io.WriteString(st.conn, "CONNECT 127.0.0.1:443 HTTP/1.1\r\nTest-Case: TestH1H1CONNECTMethodFailure\r\nHost: 127.0.0.1:443\r\nrequired-header: foo\r\n\r\n"); err != nil {
+// TestH1H1CONNECTMethod tests that CONNECT request succeeds.
+func TestH1H1CONNECTMethod(t *testing.T) {
+	opts := options{
+		handler: func(w http.ResponseWriter, r *http.Request) {
+			hj, ok := w.(http.Hijacker)
+			if !ok {
+				http.Error(w, "Could not hijack the connection", http.StatusInternalServerError)
+				return
+			}
+			_, bufrw, err := hj.Hijack()
+			if err != nil {
+				http.Error(w, err.Error(), http.StatusInternalServerError)
+				return
+			}
+
+			if _, err := bufrw.WriteString("HTTP/1.1 200\r\n\r\n"); err != nil {
+				t.Fatalf("Error bufrw.WriteString() = %v", err)
+			}
+
+			bufrw.Flush()
+		},
+	}
+
+	st := newServerTester(t, opts)
+	defer st.Close()
+
+	if _, err := io.WriteString(st.conn, "CONNECT 127.0.0.1:443 HTTP/1.1\r\nTest-Case: TestH1H1CONNECTMethod\r\nHost: 127.0.0.1:443\r\n\r\n"); err != nil {
 		t.Fatalf("Error io.WriteString() = %v", err)
 	}
 
-	resp, err = http.ReadResponse(bufio.NewReader(st.conn), nil)
+	resp, err := http.ReadResponse(bufio.NewReader(st.conn), nil)
 	if err != nil {
 		t.Fatalf("Error http.ReadResponse() = %v", err)
 	}
@@ -884,10 +955,11 @@ func TestH1H1CONNECTMethodFailure(t *testing.T) {
 func TestH1H2NoHost(t *testing.T) {
 	opts := options{
 		args: []string{"--http2-bridge"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Errorf("server should not forward bad request")
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -917,6 +989,7 @@ func TestH1H2HTTP10(t *testing.T) {
 			w.Header().Add("request-host", r.Host)
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -934,6 +1007,7 @@ func TestH1H2HTTP10(t *testing.T) {
 	if got, want := resp.StatusCode, http.StatusOK; got != want {
 		t.Errorf("status: %v; want %v", got, want)
 	}
+
 	if got, want := resp.Header.Get("request-host"), st.backendHost; got != want {
 		t.Errorf("request-host: %v; want %v", got, want)
 	}
@@ -949,6 +1023,7 @@ func TestH1H2HTTP10NoHostRewrite(t *testing.T) {
 			w.Header().Add("request-host", r.Host)
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -966,6 +1041,7 @@ func TestH1H2HTTP10NoHostRewrite(t *testing.T) {
 	if got, want := resp.StatusCode, http.StatusOK; got != want {
 		t.Errorf("status: %v; want %v", got, want)
 	}
+
 	if got, want := resp.Header.Get("request-host"), st.backendHost; got != want {
 		t.Errorf("request-host: %v; want %v", got, want)
 	}
@@ -978,12 +1054,13 @@ func TestH1H2HTTP10NoHostRewrite(t *testing.T) {
 func TestH1H2CrumbleCookie(t *testing.T) {
 	opts := options{
 		args: []string{"--http2-bridge"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(_ http.ResponseWriter, r *http.Request) {
 			if got, want := r.Header.Get("Cookie"), "alpha; bravo; charlie"; got != want {
 				t.Errorf("Cookie: %v; want %v", got, want)
 			}
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -996,6 +1073,7 @@ func TestH1H2CrumbleCookie(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusOK; got != want {
 		t.Errorf("status: %v; want %v", got, want)
 	}
@@ -1006,12 +1084,13 @@ func TestH1H2CrumbleCookie(t *testing.T) {
 func TestH1H2GenerateVia(t *testing.T) {
 	opts := options{
 		args: []string{"--http2-bridge"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(_ http.ResponseWriter, r *http.Request) {
 			if got, want := r.Header.Get("Via"), "1.1 nghttpx"; got != want {
 				t.Errorf("Via: %v; want %v", got, want)
 			}
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -1021,6 +1100,7 @@ func TestH1H2GenerateVia(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.header.Get("Via"), "2 nghttpx"; got != want {
 		t.Errorf("Via: %v; want %v", got, want)
 	}
@@ -1038,6 +1118,7 @@ func TestH1H2AppendVia(t *testing.T) {
 			w.Header().Add("Via", "bar")
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -1050,6 +1131,7 @@ func TestH1H2AppendVia(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.header.Get("Via"), "bar, 2 nghttpx"; got != want {
 		t.Errorf("Via: %v; want %v", got, want)
 	}
@@ -1067,6 +1149,7 @@ func TestH1H2NoVia(t *testing.T) {
 			w.Header().Add("Via", "bar")
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -1079,6 +1162,7 @@ func TestH1H2NoVia(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.header.Get("Via"), "bar"; got != want {
 		t.Errorf("Via: %v; want %v", got, want)
 	}
@@ -1092,10 +1176,11 @@ func TestH1H2ReqPhaseReturn(t *testing.T) {
 			"--http2-bridge",
 			"--mruby-file=" + testDir + "/req-return.rb",
 		},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Fatalf("request should not be forwarded")
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -1136,6 +1221,7 @@ func TestH1H2RespPhaseReturn(t *testing.T) {
 			"--mruby-file=" + testDir + "/resp-return.rb",
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -1172,12 +1258,13 @@ func TestH1H2RespPhaseReturn(t *testing.T) {
 func TestH1H2TE(t *testing.T) {
 	opts := options{
 		args: []string{"--http2-bridge"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(_ http.ResponseWriter, r *http.Request) {
 			if got, want := r.Header.Get("te"), "trailers"; got != want {
 				t.Errorf("te: %v; want %v", got, want)
 			}
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -1190,6 +1277,7 @@ func TestH1H2TE(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusOK; got != want {
 		t.Errorf("status: %v; want %v", got, want)
 	}
@@ -1200,11 +1288,12 @@ func TestH1H2TE(t *testing.T) {
 func TestH1APIBackendconfig(t *testing.T) {
 	opts := options{
 		args: []string{"-f127.0.0.1,3010;api;no-tls"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Fatalf("request should not be forwarded")
 		},
 		connectPort: 3010,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -1220,18 +1309,21 @@ backend=127.0.0.1,3011
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusOK; got != want {
 		t.Errorf("res.status: %v; want %v", got, want)
 	}
 
 	var apiResp APIResponse
-	err = json.Unmarshal(res.body, &apiResp)
-	if err != nil {
+
+	if err := json.Unmarshal(res.body, &apiResp); err != nil {
 		t.Fatalf("Error unmarshaling API response: %v", err)
 	}
+
 	if got, want := apiResp.Status, "Success"; got != want {
 		t.Errorf("apiResp.Status: %v; want %v", got, want)
 	}
+
 	if got, want := apiResp.Code, 200; got != want {
 		t.Errorf("apiResp.Status: %v; want %v", got, want)
 	}
@@ -1242,11 +1334,12 @@ backend=127.0.0.1,3011
 func TestH1APIBackendconfigQuery(t *testing.T) {
 	opts := options{
 		args: []string{"-f127.0.0.1,3010;api;no-tls"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Fatalf("request should not be forwarded")
 		},
 		connectPort: 3010,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -1262,18 +1355,21 @@ backend=127.0.0.1,3011
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusOK; got != want {
 		t.Errorf("res.status: %v; want %v", got, want)
 	}
 
 	var apiResp APIResponse
-	err = json.Unmarshal(res.body, &apiResp)
-	if err != nil {
+
+	if err := json.Unmarshal(res.body, &apiResp); err != nil {
 		t.Fatalf("Error unmarshaling API response: %v", err)
 	}
+
 	if got, want := apiResp.Status, "Success"; got != want {
 		t.Errorf("apiResp.Status: %v; want %v", got, want)
 	}
+
 	if got, want := apiResp.Code, 200; got != want {
 		t.Errorf("apiResp.Status: %v; want %v", got, want)
 	}
@@ -1284,11 +1380,12 @@ backend=127.0.0.1,3011
 func TestH1APIBackendconfigBadMethod(t *testing.T) {
 	opts := options{
 		args: []string{"-f127.0.0.1,3010;api;no-tls"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Fatalf("request should not be forwarded")
 		},
 		connectPort: 3010,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -1304,18 +1401,21 @@ backend=127.0.0.1,3011
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusMethodNotAllowed; got != want {
 		t.Errorf("res.status: %v; want %v", got, want)
 	}
 
 	var apiResp APIResponse
-	err = json.Unmarshal(res.body, &apiResp)
-	if err != nil {
+
+	if err := json.Unmarshal(res.body, &apiResp); err != nil {
 		t.Fatalf("Error unmarshaling API response: %v", err)
 	}
+
 	if got, want := apiResp.Status, "Failure"; got != want {
 		t.Errorf("apiResp.Status: %v; want %v", got, want)
 	}
+
 	if got, want := apiResp.Code, 405; got != want {
 		t.Errorf("apiResp.Status: %v; want %v", got, want)
 	}
@@ -1325,11 +1425,12 @@ backend=127.0.0.1,3011
 func TestH1APIConfigrevision(t *testing.T) {
 	opts := options{
 		args: []string{"-f127.0.0.1,3010;api;no-tls"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Fatalf("request should not be forwarded")
 		},
 		connectPort: 3010,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -1341,23 +1442,28 @@ func TestH1APIConfigrevision(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusOK; got != want {
 		t.Errorf("res.status: %v; want = %v", got, want)
 	}
 
 	var apiResp APIResponse
+
 	d := json.NewDecoder(bytes.NewBuffer(res.body))
 	d.UseNumber()
-	err = d.Decode(&apiResp)
-	if err != nil {
+
+	if err := d.Decode(&apiResp); err != nil {
 		t.Fatalf("Error unmarshalling API response: %v", err)
 	}
+
 	if got, want := apiResp.Status, "Success"; got != want {
 		t.Errorf("apiResp.Status: %v; want %v", got, want)
 	}
+
 	if got, want := apiResp.Code, 200; got != want {
 		t.Errorf("apiResp.Status: %v; want %v", got, want)
 	}
+
 	if got, want := apiResp.Data["configRevision"], json.Number("0"); got != want {
 		t.Errorf(`apiResp.Data["configRevision"]: %v %t; want %v`, got, got, want)
 	}
@@ -1368,11 +1474,12 @@ func TestH1APIConfigrevision(t *testing.T) {
 func TestH1APINotFound(t *testing.T) {
 	opts := options{
 		args: []string{"-f127.0.0.1,3010;api;no-tls"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Fatalf("request should not be forwarded")
 		},
 		connectPort: 3010,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -1388,18 +1495,21 @@ backend=127.0.0.1,3011
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusNotFound; got != want {
 		t.Errorf("res.status: %v; want %v", got, want)
 	}
 
 	var apiResp APIResponse
-	err = json.Unmarshal(res.body, &apiResp)
-	if err != nil {
+
+	if err := json.Unmarshal(res.body, &apiResp); err != nil {
 		t.Fatalf("Error unmarshaling API response: %v", err)
 	}
+
 	if got, want := apiResp.Status, "Failure"; got != want {
 		t.Errorf("apiResp.Status: %v; want %v", got, want)
 	}
+
 	if got, want := apiResp.Code, 404; got != want {
 		t.Errorf("apiResp.Status: %v; want %v", got, want)
 	}
@@ -1409,11 +1519,12 @@ backend=127.0.0.1,3011
 func TestH1Healthmon(t *testing.T) {
 	opts := options{
 		args: []string{"-f127.0.0.1,3011;healthmon;no-tls"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Fatalf("request should not be forwarded")
 		},
 		connectPort: 3011,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -1424,6 +1535,7 @@ func TestH1Healthmon(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http1() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusOK; got != want {
 		t.Errorf("res.status: %v; want %v", got, want)
 	}
@@ -1434,10 +1546,11 @@ func TestH1Healthmon(t *testing.T) {
 func TestH1ResponseBeforeRequestEnd(t *testing.T) {
 	opts := options{
 		args: []string{"--mruby-file=" + testDir + "/req-return.rb"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Fatal("request should not be forwarded")
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -1462,7 +1575,7 @@ func TestH1ResponseBeforeRequestEnd(t *testing.T) {
 // if the backend chunked encoded response ends prematurely.
 func TestH1H1ChunkedEndsPrematurely(t *testing.T) {
 	opts := options{
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(w http.ResponseWriter, _ *http.Request) {
 			hj, ok := w.(http.Hijacker)
 			if !ok {
 				http.Error(w, "Could not hijack the connection", http.StatusInternalServerError)
@@ -1480,6 +1593,7 @@ func TestH1H1ChunkedEndsPrematurely(t *testing.T) {
 			bufrw.Flush()
 		},
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -1490,3 +1604,147 @@ func TestH1H1ChunkedEndsPrematurely(t *testing.T) {
 		t.Fatal("st.http1() should fail")
 	}
 }
+
+// TestH1H1RequestMalformedTransferEncoding tests that server rejects
+// request which contains malformed transfer-encoding.
+func TestH1H1RequestMalformedTransferEncoding(t *testing.T) {
+	opts := options{
+		handler: func(http.ResponseWriter, *http.Request) {
+			t.Errorf("server should not forward bad request")
+		},
+	}
+
+	st := newServerTester(t, opts)
+	defer st.Close()
+
+	if _, err := io.WriteString(st.conn, fmt.Sprintf("GET / HTTP/1.1\r\nHost: %v\r\nTest-Case: TestH1H1RequestMalformedTransferEncoding\r\nTransfer-Encoding: ,chunked\r\n\r\n",
+		st.authority)); err != nil {
+		t.Fatalf("Error io.WriteString() = %v", err)
+	}
+
+	resp, err := http.ReadResponse(bufio.NewReader(st.conn), nil)
+	if err != nil {
+		t.Fatalf("Error http.ReadResponse() = %v", err)
+	}
+
+	defer resp.Body.Close()
+
+	if got, want := resp.StatusCode, http.StatusBadRequest; got != want {
+		t.Errorf("status: %v; want %v", got, want)
+	}
+}
+
+// TestH1H1ResponseMalformedTransferEncoding tests a request fails if
+// its response contains malformed transfer-encoding.
+func TestH1H1ResponseMalformedTransferEncoding(t *testing.T) {
+	opts := options{
+		handler: func(w http.ResponseWriter, _ *http.Request) {
+			hj, ok := w.(http.Hijacker)
+			if !ok {
+				http.Error(w, "Could not hijack the connection", http.StatusInternalServerError)
+				return
+			}
+			conn, bufrw, err := hj.Hijack()
+			if err != nil {
+				http.Error(w, err.Error(), http.StatusInternalServerError)
+				return
+			}
+			defer conn.Close()
+			if _, err := bufrw.WriteString("HTTP/1.1 200\r\nTransfer-Encoding: ,chunked\r\n\r\n"); err != nil {
+				t.Fatalf("Error bufrw.WriteString() = %v", err)
+			}
+			bufrw.Flush()
+		},
+	}
+
+	st := newServerTester(t, opts)
+	defer st.Close()
+
+	res, err := st.http1(requestParam{
+		name: "TestH1H1ResponseMalformedTransferEncoding",
+	})
+	if err != nil {
+		t.Fatalf("Error st.http1() = %v", err)
+	}
+
+	if got, want := res.status, http.StatusBadGateway; got != want {
+		t.Errorf("res.status: %v; want %v", got, want)
+	}
+}
+
+// TestH1H1ResponseUnknownTransferEncoding tests a request succeeds if
+// its response contains unknown transfer-encoding.
+func TestH1H1ResponseUnknownTransferEncoding(t *testing.T) {
+	opts := options{
+		handler: func(w http.ResponseWriter, _ *http.Request) {
+			hj, ok := w.(http.Hijacker)
+			if !ok {
+				http.Error(w, "Could not hijack the connection", http.StatusInternalServerError)
+				return
+			}
+			conn, bufrw, err := hj.Hijack()
+			if err != nil {
+				http.Error(w, err.Error(), http.StatusInternalServerError)
+				return
+			}
+			defer conn.Close()
+			if _, err := bufrw.WriteString("HTTP/1.1 200\r\nTransfer-Encoding: foo\r\n\r\n"); err != nil {
+				t.Fatalf("Error bufrw.WriteString() = %v", err)
+			}
+			bufrw.Flush()
+		},
+	}
+
+	st := newServerTester(t, opts)
+	defer st.Close()
+
+	if _, err := io.WriteString(st.conn, fmt.Sprintf("GET / HTTP/1.1\r\nHost: %v\r\nTest-Case: TestH1H1ResponseUnknownTransferEncoding\r\n\r\n",
+		st.authority)); err != nil {
+		t.Fatalf("Error: io.WriteString() = %v", err)
+	}
+
+	r := bufio.NewReader(st.conn)
+
+	resp := make([]byte, 4096)
+
+	resplen, err := r.Read(resp)
+	if err != nil {
+		t.Fatalf("Error: r.Read() = %v", err)
+	}
+
+	resp = resp[:resplen]
+
+	const expect = "HTTP/1.1 200 OK\r\nTransfer-Encoding: foo\r\nConnection: close\r\nServer: nghttpx\r\nVia: 1.1 nghttpx\r\n\r\n"
+
+	if got, want := string(resp), expect; got != want {
+		t.Errorf("resp = %v, want %v", got, want)
+	}
+}
+
+// TestH1H1RequestHTTP10TransferEncoding tests that server rejects
+// HTTP/1.0 request which contains transfer-encoding.
+func TestH1H1RequestHTTP10TransferEncoding(t *testing.T) {
+	opts := options{
+		handler: func(http.ResponseWriter, *http.Request) {
+			t.Errorf("server should not forward bad request")
+		},
+	}
+
+	st := newServerTester(t, opts)
+	defer st.Close()
+
+	if _, err := io.WriteString(st.conn, "GET / HTTP/1.0\r\nTest-Case: TestH1H1RequestHTTP10TransferEncoding\r\nTransfer-Encoding: chunked\r\n\r\n"); err != nil {
+		t.Fatalf("Error io.WriteString() = %v", err)
+	}
+
+	resp, err := http.ReadResponse(bufio.NewReader(st.conn), nil)
+	if err != nil {
+		t.Fatalf("Error http.ReadResponse() = %v", err)
+	}
+
+	defer resp.Body.Close()
+
+	if got, want := resp.StatusCode, http.StatusBadRequest; got != want {
+		t.Errorf("status: %v; want %v", got, want)
+	}
+}

integration-tests/nghttpx_http3_test.go

@@ -5,6 +5,7 @@ package nghttp2
 import (
 	"bytes"
 	"crypto/rand"
+	"errors"
 	"io"
 	"net/http"
 	"regexp"
@@ -35,13 +36,14 @@ func TestH3H1PlainGET(t *testing.T) {
 // TestH3H1RequestBody tests HTTP/3 request with body works.
 func TestH3H1RequestBody(t *testing.T) {
 	body := make([]byte, 3333)
+
 	_, err := rand.Read(body)
 	if err != nil {
 		t.Fatalf("Unable to create request body: %v", err)
 	}
 
 	opts := options{
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(_ http.ResponseWriter, r *http.Request) {
 			buf := make([]byte, 4096)
 			buflen := 0
 			p := buf
@@ -57,7 +59,7 @@ func TestH3H1RequestBody(t *testing.T) {
 				buflen += n
 
 				if err != nil {
-					if err == io.EOF {
+					if errors.Is(err, io.EOF) {
 						break
 					}
 
@@ -73,6 +75,7 @@ func TestH3H1RequestBody(t *testing.T) {
 		},
 		quic: true,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -83,6 +86,7 @@ func TestH3H1RequestBody(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http3() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusOK; got != want {
 		t.Errorf("res.status: %v; want %v", got, want)
 	}
@@ -92,13 +96,14 @@ func TestH3H1RequestBody(t *testing.T) {
 // and from backend server.
 func TestH3H1GenerateVia(t *testing.T) {
 	opts := options{
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(_ http.ResponseWriter, r *http.Request) {
 			if got, want := r.Header.Get("Via"), "3 nghttpx"; got != want {
 				t.Errorf("Via: %v; want %v", got, want)
 			}
 		},
 		quic: true,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -108,6 +113,7 @@ func TestH3H1GenerateVia(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http3() = %v", err)
 	}
+
 	if got, want := res.header.Get("Via"), "1.1 nghttpx"; got != want {
 		t.Errorf("Via: %v; want %v", got, want)
 	}
@@ -125,6 +131,7 @@ func TestH3H1AppendVia(t *testing.T) {
 		},
 		quic: true,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -137,6 +144,7 @@ func TestH3H1AppendVia(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http3() = %v", err)
 	}
+
 	if got, want := res.header.Get("Via"), "bar, 1.1 nghttpx"; got != want {
 		t.Errorf("Via: %v; want %v", got, want)
 	}
@@ -155,6 +163,7 @@ func TestH3H1NoVia(t *testing.T) {
 		},
 		quic: true,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -167,6 +176,7 @@ func TestH3H1NoVia(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http3() = %v", err)
 	}
+
 	if got, want := res.header.Get("Via"), "bar"; got != want {
 		t.Errorf("Via: %v; want %v", got, want)
 	}
@@ -177,7 +187,7 @@ func TestH3H1NoVia(t *testing.T) {
 // response body size.
 func TestH3H1BadResponseCL(t *testing.T) {
 	opts := options{
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(w http.ResponseWriter, _ *http.Request) {
 			// we set content-length: 1024, but only send 3 bytes.
 			w.Header().Add("Content-Length", "1024")
 			if _, err := w.Write([]byte("foo")); err != nil {
@@ -186,6 +196,7 @@ func TestH3H1BadResponseCL(t *testing.T) {
 		},
 		quic: true,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -204,6 +215,7 @@ func TestH3H1HTTPSRedirect(t *testing.T) {
 		args: []string{"--redirect-if-not-tls"},
 		quic: true,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -226,6 +238,7 @@ func TestH3H1AffinityCookieTLS(t *testing.T) {
 		args: []string{"--affinity-cookie"},
 		quic: true,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -243,6 +256,7 @@ func TestH3H1AffinityCookieTLS(t *testing.T) {
 
 	const pattern = `affinity=[0-9a-f]{8}; Path=/foo/bar; Secure`
 	validCookie := regexp.MustCompile(pattern)
+
 	if got := res.header.Get("Set-Cookie"); !validCookie.MatchString(got) {
 		t.Errorf("Set-Cookie: %v; want pattern %v", got, pattern)
 	}
@@ -256,11 +270,12 @@ func TestH3H2ReqPhaseReturn(t *testing.T) {
 			"--http2-bridge",
 			"--mruby-file=" + testDir + "/req-return.rb",
 		},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Fatalf("request should not be forwarded")
 		},
 		quic: true,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -302,6 +317,7 @@ func TestH3H2RespPhaseReturn(t *testing.T) {
 		},
 		quic: true,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -338,11 +354,12 @@ func TestH3H2RespPhaseReturn(t *testing.T) {
 func TestH3ResponseBeforeRequestEnd(t *testing.T) {
 	opts := options{
 		args: []string{"--mruby-file=" + testDir + "/req-return.rb"},
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(http.ResponseWriter, *http.Request) {
 			t.Fatal("request should not be forwarded")
 		},
 		quic: true,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 
@@ -353,6 +370,7 @@ func TestH3ResponseBeforeRequestEnd(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Error st.http3() = %v", err)
 	}
+
 	if got, want := res.status, http.StatusNotFound; got != want {
 		t.Errorf("res.status: %v; want %v", got, want)
 	}
@@ -362,7 +380,7 @@ func TestH3ResponseBeforeRequestEnd(t *testing.T) {
 // backend chunked encoded response ends prematurely.
 func TestH3H1ChunkedEndsPrematurely(t *testing.T) {
 	opts := options{
-		handler: func(w http.ResponseWriter, r *http.Request) {
+		handler: func(w http.ResponseWriter, _ *http.Request) {
 			hj, ok := w.(http.Hijacker)
 			if !ok {
 				http.Error(w, "Could not hijack the connection", http.StatusInternalServerError)
@@ -381,6 +399,7 @@ func TestH3H1ChunkedEndsPrematurely(t *testing.T) {
 		},
 		quic: true,
 	}
+
 	st := newServerTester(t, opts)
 	defer st.Close()
 

integration-tests/server_tester.go

@@ -3,6 +3,7 @@ package nghttp2
 import (
 	"bufio"
 	"bytes"
+	"cmp"
 	"context"
 	"crypto/tls"
 	"encoding/binary"
@@ -15,14 +16,13 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
-	"sort"
+	"slices"
 	"strconv"
 	"strings"
 	"syscall"
 	"testing"
 	"time"
 
-	"github.com/quic-go/quic-go/http3"
 	"github.com/tatsuhiro-t/go-nghttp2"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/hpack"
@@ -95,14 +95,17 @@ func newServerTester(t *testing.T, opts options) *serverTester {
 	if opts.handler == nil {
 		opts.handler = noopHandler
 	}
+
 	if opts.connectPort == 0 {
 		opts.connectPort = serverPort
 	}
 
 	ts := httptest.NewUnstartedServer(opts.handler)
 
-	var args []string
-	var backendTLS, dns, externalDNS, acceptProxyProtocol, redirectIfNotTLS, affinityCookie, alpnH1 bool
+	var (
+		args                                                                                        []string
+		backendTLS, dns, externalDNS, acceptProxyProtocol, redirectIfNotTLS, affinityCookie, alpnH1 bool
+	)
 
 	for _, k := range opts.args {
 		switch k {
@@ -125,6 +128,7 @@ func newServerTester(t *testing.T, opts options) *serverTester {
 			args = append(args, k)
 		}
 	}
+
 	if backendTLS {
 		nghttp2.ConfigureServer(ts.Config, &nghttp2.Server{})
 		// According to httptest/server.go, we have to set
@@ -133,13 +137,17 @@ func newServerTester(t *testing.T, opts options) *serverTester {
 		ts.TLS = new(tls.Config)
 		ts.TLS.NextProtos = append(ts.TLS.NextProtos, "h2")
 		ts.StartTLS()
+
 		args = append(args, "-k")
 	} else {
 		ts.Start()
 	}
+
 	scheme := "http"
+
 	if opts.tls {
 		scheme = "https"
+
 		args = append(args, testDir+"/server.key", testDir+"/server.crt")
 	}
 
@@ -151,20 +159,25 @@ func newServerTester(t *testing.T, opts options) *serverTester {
 	// URL.Host looks like "127.0.0.1:8080", but we want
 	// "127.0.0.1,8080"
 	b := "-b"
+
 	if !externalDNS {
-		b += fmt.Sprintf("%v;", strings.Replace(backendURL.Host, ":", ",", -1))
+		b += fmt.Sprintf("%v;", strings.ReplaceAll(backendURL.Host, ":", ","))
 	} else {
 		sep := strings.LastIndex(backendURL.Host, ":")
 		if sep == -1 {
 			t.Fatalf("backendURL.Host %v does not contain separator ':'", backendURL.Host)
 		}
+
 		// We use awesome service nip.io.
 		b += fmt.Sprintf("%v.nip.io,%v;", backendURL.Host[:sep], backendURL.Host[sep+1:])
+		// Make external DNS tests less flaky.
+		args = append(args, "--backend-address-family=IPv4")
 	}
 
 	if backendTLS {
 		b += ";proto=h2;tls"
 	}
+
 	if dns {
 		b += ";dns"
 	}
@@ -178,11 +191,13 @@ func newServerTester(t *testing.T, opts options) *serverTester {
 	}
 
 	noTLS := ";no-tls"
+
 	if opts.tls {
 		noTLS = ""
 	}
 
 	var proxyProto string
+
 	if acceptProxyProtocol {
 		proxyProto = ";proxyproto"
 	}
@@ -193,7 +208,19 @@ func newServerTester(t *testing.T, opts options) *serverTester {
 	if opts.quic {
 		args = append(args,
 			fmt.Sprintf("-f127.0.0.1,%v;quic", serverPort),
-			"--no-quic-bpf")
+			"--no-quic-bpf",
+			// quic-go client just closes connection after
+			// receiving the first GOAWAY without any
+			// indication like sending CONNECTION_CLOSE if
+			// there is no active stream.  If that
+			// happens, server keeps resending 2nd GOAWAY
+			// until idle timeout passes.  If that happens
+			// during Close(), the process will be killed
+			// because the default idle timeout is longer
+			// than the close timeout.  Shorten the idle
+			// timeout to prevent it from happening.
+			"--frontend-quic-idle-timeout=5",
+		)
 	}
 
 	authority := fmt.Sprintf("127.0.0.1:%v", opts.connectPort)
@@ -219,6 +246,7 @@ func newServerTester(t *testing.T, opts options) *serverTester {
 	}
 
 	retry := 0
+
 	for {
 		time.Sleep(50 * time.Millisecond)
 
@@ -232,32 +260,41 @@ func newServerTester(t *testing.T, opts options) *serverTester {
 			}
 
 			var tlsConfig *tls.Config
+
 			if opts.tlsConfig == nil {
 				tlsConfig = new(tls.Config)
 			} else {
 				tlsConfig = opts.tlsConfig.Clone()
 			}
+
 			tlsConfig.InsecureSkipVerify = true
+
 			if alpnH1 {
 				tlsConfig.NextProtos = []string{"http/1.1"}
 			} else {
 				tlsConfig.NextProtos = []string{"h2"}
 			}
+
 			tlsConn := tls.Client(conn, tlsConfig)
+
 			err = tlsConn.Handshake()
 			if err == nil {
 				conn = tlsConn
 			}
 		}
+
 		if err != nil {
 			retry++
 			if retry >= 100 {
 				st.Close()
 				st.t.Fatalf("Error server is not responding too long; server command-line arguments may be invalid")
 			}
+
 			continue
 		}
+
 		st.conn = conn
+
 		break
 	}
 
@@ -274,28 +311,33 @@ func (st *serverTester) Close() {
 	if st.conn != nil {
 		st.conn.Close()
 	}
+
 	if st.cmd != nil {
 		done := make(chan struct{})
+
 		go func() {
 			if err := st.cmd.Wait(); err != nil {
 				st.t.Errorf("Error st.cmd.Wait() = %v", err)
 			}
+
 			close(done)
 		}()
 
-		if err := st.cmd.Process.Signal(syscall.SIGQUIT); err != nil {
+		if err := st.cmd.Process.Signal(syscall.SIGQUIT); err != nil && !errors.Is(err, os.ErrProcessDone) {
 			st.t.Errorf("Error st.cmd.Process.Signal() = %v", err)
 		}
 
 		select {
 		case <-done:
 		case <-time.After(10 * time.Second):
-			if err := st.cmd.Process.Kill(); err != nil {
+			if err := st.cmd.Process.Kill(); err != nil && !errors.Is(err, os.ErrProcessDone) {
 				st.t.Errorf("Error st.cmd.Process.Kill() = %v", err)
 			}
+
 			<-done
 		}
 	}
+
 	if st.ts != nil {
 		st.ts.Close()
 	}
@@ -308,6 +350,7 @@ func (st *serverTester) readFrame() (http2.Frame, error) {
 			st.errCh <- err
 			return
 		}
+
 		st.frCh <- f
 	}()
 
@@ -348,10 +391,12 @@ func (cbr *chunkedBodyReader) Read(p []byte) (n int, err error) {
 	// after request was sent and before body returns EOF.
 	if !cbr.trailerWritten {
 		cbr.trailerWritten = true
+
 		for _, h := range cbr.trailer {
 			cbr.req.Trailer.Set(h.Name, h.Value)
 		}
 	}
+
 	return cbr.body.Read(p)
 }
 
@@ -364,6 +409,7 @@ func (st *serverTester) websocket(rp requestParam) *serverResponse {
 	}
 
 	config.Header.Add("Test-Case", rp.name)
+
 	for _, h := range rp.header {
 		config.Header.Add(h.Name, h.Value)
 	}
@@ -378,7 +424,9 @@ func (st *serverTester) websocket(rp requestParam) *serverResponse {
 	}
 
 	msg := make([]byte, 1024)
+
 	var n int
+
 	if n, err = ws.Read(msg); err != nil {
 		st.t.Fatalf("ws.Read() returned error: %v", err)
 	}
@@ -390,96 +438,27 @@ func (st *serverTester) websocket(rp requestParam) *serverResponse {
 	return res
 }
 
-func (st *serverTester) http3(rp requestParam) (*serverResponse, error) {
-	rt := &http3.RoundTripper{
-		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: true,
-		},
-	}
-
-	defer rt.Close()
-
-	c := &http.Client{
-		Transport: rt,
-	}
-
-	method := "GET"
-	if rp.method != "" {
-		method = rp.method
-	}
-
-	var body io.Reader
-
-	if rp.body != nil {
-		body = bytes.NewBuffer(rp.body)
-	}
-
-	reqURL := st.url
-
-	if rp.path != "" {
-		u, err := url.Parse(st.url)
-		if err != nil {
-			st.t.Fatalf("Error parsing URL from st.url %v: %v", st.url, err)
-		}
-		u.Path = ""
-		u.RawQuery = ""
-		reqURL = u.String() + rp.path
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-
-	req, err := http.NewRequestWithContext(ctx, method, reqURL, body)
-	if err != nil {
-		return nil, err
-	}
-
-	for _, h := range rp.header {
-		req.Header.Add(h.Name, h.Value)
-	}
-
-	req.Header.Add("Test-Case", rp.name)
-
-	// TODO http3 package does not support trailer at the time of
-	// this writing.
-
-	resp, err := c.Do(req)
-	if err != nil {
-		return nil, err
-	}
-
-	defer resp.Body.Close()
-
-	respBody, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	res := &serverResponse{
-		status:    resp.StatusCode,
-		header:    resp.Header,
-		body:      respBody,
-		connClose: resp.Close,
-	}
-
-	return res, nil
-}
-
 func (st *serverTester) http1(rp requestParam) (*serverResponse, error) {
 	method := "GET"
+
 	if rp.method != "" {
 		method = rp.method
 	}
 
-	var body io.Reader
-	var cbr *chunkedBodyReader
+	var (
+		body io.Reader
+		cbr  *chunkedBodyReader
+	)
+
 	if rp.body != nil {
 		body = bytes.NewBuffer(rp.body)
+
 		if len(rp.trailer) != 0 {
 			cbr = &chunkedBodyReader{
 				trailer: rp.trailer,
 				body:    body,
 			}
+
 			body = cbr
 		}
 	}
@@ -491,6 +470,7 @@ func (st *serverTester) http1(rp requestParam) (*serverResponse, error) {
 		if err != nil {
 			st.t.Fatalf("Error parsing URL from st.url %v: %v", st.url, err)
 		}
+
 		u.Path = ""
 		u.RawQuery = ""
 		reqURL = u.String() + rp.path
@@ -503,30 +483,38 @@ func (st *serverTester) http1(rp requestParam) (*serverResponse, error) {
 	if err != nil {
 		return nil, err
 	}
+
 	for _, h := range rp.header {
 		req.Header.Add(h.Name, h.Value)
 	}
+
 	req.Header.Add("Test-Case", rp.name)
+
 	if cbr != nil {
 		cbr.req = req
 		// this makes request use chunked encoding
 		req.ContentLength = -1
 		req.Trailer = make(http.Header)
+
 		for _, h := range cbr.trailer {
 			req.Trailer.Set(h.Name, "")
 		}
 	}
+
 	if err := req.Write(st.conn); err != nil {
 		return nil, err
 	}
+
 	resp, err := http.ReadResponse(bufio.NewReader(st.conn), req)
 	if err != nil {
 		return nil, err
 	}
+
 	respBody, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
+
 	resp.Body.Close()
 
 	res := &serverResponse{
@@ -544,6 +532,7 @@ func (st *serverTester) http2(rp requestParam) (*serverResponse, error) {
 	st.header = make(http.Header)
 
 	var id uint32
+
 	if rp.streamID != 0 {
 		id = rp.streamID
 		if id >= st.nextStreamID && id%2 == 1 {
@@ -557,6 +546,7 @@ func (st *serverTester) http2(rp requestParam) (*serverResponse, error) {
 	if !st.h2PrefaceSent {
 		st.h2PrefaceSent = true
 		fmt.Fprint(st.conn, "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n")
+
 		if err := st.fr.WriteSettings(); err != nil {
 			return nil, err
 		}
@@ -574,26 +564,32 @@ func (st *serverTester) http2(rp requestParam) (*serverResponse, error) {
 		if rp.method != "" {
 			method = rp.method
 		}
+
 		_ = st.enc.WriteField(pair(":method", method))
 
 		scheme := "http"
+
 		if rp.scheme != "" {
 			scheme = rp.scheme
 		}
+
 		_ = st.enc.WriteField(pair(":scheme", scheme))
 
 		authority := st.authority
+
 		if rp.authority != "" {
 			authority = rp.authority
 		}
+
 		_ = st.enc.WriteField(pair(":authority", authority))
 
 		path := "/"
+
 		if rp.path != "" {
 			path = rp.path
 		}
-		_ = st.enc.WriteField(pair(":path", path))
 
+		_ = st.enc.WriteField(pair(":path", path))
 		_ = st.enc.WriteField(pair("test-case", rp.name))
 
 		for _, h := range rp.header {
@@ -619,9 +615,11 @@ func (st *serverTester) http2(rp requestParam) (*serverResponse, error) {
 
 		if len(rp.trailer) != 0 {
 			st.headerBlkBuf.Reset()
+
 			for _, h := range rp.trailer {
 				_ = st.enc.WriteField(h)
 			}
+
 			err := st.fr.WriteHeaders(http2.HeadersFrameParam{
 				StreamID:      id,
 				EndStream:     true,
@@ -639,56 +637,65 @@ loop:
 		if err != nil {
 			return res, err
 		}
+
 		switch f := fr.(type) {
 		case *http2.HeadersFrame:
 			_, err := st.dec.Write(f.HeaderBlockFragment())
 			if err != nil {
 				return res, err
 			}
-			sr, ok := streams[f.FrameHeader.StreamID]
+
+			sr, ok := streams[f.StreamID]
 			if !ok {
 				st.header = make(http.Header)
 				break
 			}
+
 			sr.header = cloneHeader(st.header)
+
 			var status int
+
 			status, err = strconv.Atoi(sr.header.Get(":status"))
 			if err != nil {
-				return res, fmt.Errorf("Error parsing status code: %w", err)
+				return res, fmt.Errorf("could not parse :status: %w", err)
 			}
+
 			sr.status = status
-			if f.StreamEnded() {
-				if streamEnded(res, streams, sr) {
-					break loop
-				}
+
+			if f.StreamEnded() && streamEnded(res, streams, sr) {
+				break loop
 			}
 		case *http2.PushPromiseFrame:
 			_, err := st.dec.Write(f.HeaderBlockFragment())
 			if err != nil {
 				return res, err
 			}
+
 			sr := &serverResponse{
 				streamID:  f.PromiseID,
 				reqHeader: cloneHeader(st.header),
 			}
+
 			streams[sr.streamID] = sr
 		case *http2.DataFrame:
-			sr, ok := streams[f.FrameHeader.StreamID]
+			sr, ok := streams[f.StreamID]
 			if !ok {
 				break
 			}
+
 			sr.body = append(sr.body, f.Data()...)
-			if f.StreamEnded() {
-				if streamEnded(res, streams, sr) {
-					break loop
-				}
+
+			if f.StreamEnded() && streamEnded(res, streams, sr) {
+				break loop
 			}
 		case *http2.RSTStreamFrame:
-			sr, ok := streams[f.FrameHeader.StreamID]
+			sr, ok := streams[f.StreamID]
 			if !ok {
 				break
 			}
+
 			sr.errCode = f.ErrCode
+
 			if streamEnded(res, streams, sr) {
 				break loop
 			}
@@ -696,27 +703,36 @@ loop:
 			if f.ErrCode == http2.ErrCodeNo {
 				break
 			}
+
 			res.errCode = f.ErrCode
 			res.connErr = true
+
 			break loop
 		case *http2.SettingsFrame:
 			if f.IsAck() {
 				break
 			}
+
 			if err := st.fr.WriteSettingsAck(); err != nil {
 				return res, err
 			}
 		}
 	}
-	sort.Sort(ByStreamID(res.pushResponse))
+
+	slices.SortFunc(res.pushResponse, func(a, b *serverResponse) int {
+		return cmp.Compare(a.streamID, b.streamID)
+	})
+
 	return res, nil
 }
 
 func streamEnded(mainSr *serverResponse, streams map[uint32]*serverResponse, sr *serverResponse) bool {
 	delete(streams, sr.streamID)
+
 	if mainSr.streamID != sr.streamID {
 		mainSr.pushResponse = append(mainSr.pushResponse, sr)
 	}
+
 	return len(streams) == 0
 }
 
@@ -728,31 +744,19 @@ type serverResponse struct {
 	errCode      http2.ErrCode     // error code received in HTTP/2 RST_STREAM or GOAWAY
 	connErr      bool              // true if HTTP/2 connection error
 	connClose    bool              // Connection: close is included in response header in HTTP/1 test
-	reqHeader    http.Header       // http request header, currently only sotres pushed request header
+	reqHeader    http.Header       // http request header, currently only stores pushed request header
 	pushResponse []*serverResponse // pushed response
 }
 
-type ByStreamID []*serverResponse
-
-func (b ByStreamID) Len() int {
-	return len(b)
-}
-
-func (b ByStreamID) Swap(i, j int) {
-	b[i], b[j] = b[j], b[i]
-}
-
-func (b ByStreamID) Less(i, j int) bool {
-	return b[i].streamID < b[j].streamID
-}
-
 func cloneHeader(h http.Header) http.Header {
 	h2 := make(http.Header, len(h))
+
 	for k, vv := range h {
 		vv2 := make([]string, len(vv))
 		copy(vv2, vv)
 		h2[k] = vv2
 	}
+
 	return h2
 }
 
@@ -803,6 +807,7 @@ func writeProxyProtocolV2(w io.Writer, hdr proxyProtocolV2) error {
 	if _, err := w.Write([]byte{0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A}); err != nil {
 		return err
 	}
+
 	if _, err := w.Write([]byte{byte(0x20 | hdr.command)}); err != nil {
 		return err
 	}
@@ -810,44 +815,59 @@ func writeProxyProtocolV2(w io.Writer, hdr proxyProtocolV2) error {
 	switch srcAddr := hdr.sourceAddress.(type) {
 	case *net.TCPAddr:
 		dstAddr := hdr.destinationAddress.(*net.TCPAddr)
+
 		if len(srcAddr.IP) != len(dstAddr.IP) {
 			panic("len(srcAddr.IP) != len(dstAddr.IP)")
 		}
+
 		var fam byte
+
 		if len(srcAddr.IP) == 4 {
 			fam = byte(proxyProtocolV2FamilyInet << 4)
 		} else {
 			fam = byte(proxyProtocolV2FamilyInet6 << 4)
 		}
+
 		fam |= byte(proxyProtocolV2ProtocolStream)
+
 		if _, err := w.Write([]byte{fam}); err != nil {
 			return err
 		}
+
 		length := uint16(len(srcAddr.IP)*2 + 4 + len(hdr.additionalData))
+
 		if err := binary.Write(w, binary.BigEndian, length); err != nil {
 			return err
 		}
+
 		if _, err := w.Write(srcAddr.IP); err != nil {
 			return err
 		}
+
 		if _, err := w.Write(dstAddr.IP); err != nil {
 			return err
 		}
+
 		if err := binary.Write(w, binary.BigEndian, uint16(srcAddr.Port)); err != nil {
 			return err
 		}
+
 		if err := binary.Write(w, binary.BigEndian, uint16(dstAddr.Port)); err != nil {
 			return err
 		}
 	case *net.UnixAddr:
 		dstAddr := hdr.destinationAddress.(*net.UnixAddr)
+
 		if len(srcAddr.Name) > 108 {
 			panic("too long Unix source address")
 		}
+
 		if len(dstAddr.Name) > 108 {
 			panic("too long Unix destination address")
 		}
+
 		fam := byte(proxyProtocolV2FamilyUnix << 4)
+
 		switch srcAddr.Net {
 		case "unix":
 			fam |= byte(proxyProtocolV2ProtocolStream)
@@ -856,32 +876,43 @@ func writeProxyProtocolV2(w io.Writer, hdr proxyProtocolV2) error {
 		default:
 			fam |= byte(proxyProtocolV2ProtocolUnspec)
 		}
+
 		if _, err := w.Write([]byte{fam}); err != nil {
 			return err
 		}
+
 		length := uint16(216 + len(hdr.additionalData))
+
 		if err := binary.Write(w, binary.BigEndian, length); err != nil {
 			return err
 		}
+
 		zeros := make([]byte, 108)
+
 		if _, err := w.Write([]byte(srcAddr.Name)); err != nil {
 			return err
 		}
+
 		if _, err := w.Write(zeros[:108-len(srcAddr.Name)]); err != nil {
 			return err
 		}
+
 		if _, err := w.Write([]byte(dstAddr.Name)); err != nil {
 			return err
 		}
+
 		if _, err := w.Write(zeros[:108-len(dstAddr.Name)]); err != nil {
 			return err
 		}
 	default:
 		fam := byte(proxyProtocolV2FamilyUnspec<<4) | byte(proxyProtocolV2ProtocolUnspec)
+
 		if _, err := w.Write([]byte{fam}); err != nil {
 			return err
 		}
+
 		length := uint16(len(hdr.additionalData))
+
 		if err := binary.Write(w, binary.BigEndian, length); err != nil {
 			return err
 		}

integration-tests/server_tester_http3.go

@@ -0,0 +1,91 @@
+//go:build quic
+
+package nghttp2
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"io"
+	"net/http"
+	"net/url"
+	"time"
+
+	"github.com/quic-go/quic-go/http3"
+)
+
+func (st *serverTester) http3(rp requestParam) (*serverResponse, error) {
+	rt := &http3.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+		},
+	}
+
+	defer rt.Close()
+
+	c := &http.Client{
+		Transport: rt,
+	}
+
+	method := "GET"
+	if rp.method != "" {
+		method = rp.method
+	}
+
+	var body io.Reader
+
+	if rp.body != nil {
+		body = bytes.NewBuffer(rp.body)
+	}
+
+	reqURL := st.url
+
+	if rp.path != "" {
+		u, err := url.Parse(st.url)
+		if err != nil {
+			st.t.Fatalf("Error parsing URL from st.url %v: %v", st.url, err)
+		}
+
+		u.Path = ""
+		u.RawQuery = ""
+		reqURL = u.String() + rp.path
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, method, reqURL, body)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, h := range rp.header {
+		req.Header.Add(h.Name, h.Value)
+	}
+
+	req.Header.Add("Test-Case", rp.name)
+
+	// TODO http3 package does not support trailer at the time of
+	// this writing.
+
+	resp, err := c.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	res := &serverResponse{
+		status:    resp.StatusCode,
+		header:    resp.Header,
+		body:      respBody,
+		connClose: resp.Close,
+	}
+
+	return res, nil
+}

integration-tests/setenv.in

@@ -9,5 +9,6 @@ export CGO_CFLAGS="-I@abs_top_srcdir@/lib/includes -I@abs_top_builddir@/lib/incl
 export CGO_CPPFLAGS="@CPPFLAGS@"
 export CGO_LDFLAGS="-L$libdir @LDFLAGS@"
 export LD_LIBRARY_PATH="$libdir"
+export DYLD_LIBRARY_PATH="$libdir"
 export GODEBUG=cgocheck=0
 "$@"

lib/CMakeLists.txt

@@ -14,7 +14,7 @@ set(NGHTTP2_SOURCES
   nghttp2_stream.c nghttp2_outbound_item.c
   nghttp2_session.c nghttp2_submit.c
   nghttp2_helper.c
-  nghttp2_npn.c
+  nghttp2_alpn.c
   nghttp2_hd.c nghttp2_hd_huffman.c nghttp2_hd_huffman_data.c
   nghttp2_version.c
   nghttp2_priority_spec.c
@@ -24,11 +24,19 @@ set(NGHTTP2_SOURCES
   nghttp2_http.c
   nghttp2_rcbuf.c
   nghttp2_extpri.c
+  nghttp2_ratelim.c
+  nghttp2_time.c
   nghttp2_debug.c
   sfparse.c
 )
 
 set(NGHTTP2_RES "")
+set(STATIC_LIB "nghttp2_static")
+set(SHARED_LIB "nghttp2")
+
+if(BUILD_SHARED_LIBS AND BUILD_STATIC_LIBS AND MSVC AND NOT STATIC_LIB_SUFFIX)
+  set(STATIC_LIB_SUFFIX "_static")
+endif()
 
 if(WIN32)
   configure_file(
@@ -39,40 +47,85 @@ if(WIN32)
   set(NGHTTP2_RES ${CMAKE_CURRENT_BINARY_DIR}/version.rc)
 endif()
 
+set(NGHTTP2_GENERATED_DIR "${CMAKE_CURRENT_BINARY_DIR}/generated")
+set(NGHTTP2_VERSION_CONFIG "${NGHTTP2_GENERATED_DIR}/${PROJECT_NAME}ConfigVersion.cmake")
+set(NGHTTP2_PROJECT_CONFIG "${NGHTTP2_GENERATED_DIR}/${PROJECT_NAME}Config.cmake")
+set(NGHTTP2_TARGETS_EXPORT_NAME "${PROJECT_NAME}Targets")
+set(NGHTTP2_CONFIG_INSTALL_DIR "${CMAKE_INSTALL_LIBDIR}/cmake/${PROJECT_NAME}")
+set(NGHTTP2_NAMESPACE "${PROJECT_NAME}::")
+set(NGHTTP2_VERSION ${PROJECT_VERSION})
+
+include(CMakePackageConfigHelpers)
+write_basic_package_version_file(
+  "${NGHTTP2_VERSION_CONFIG}" VERSION ${NGHTTP2_VERSION} COMPATIBILITY SameMajorVersion
+)
+configure_file("${CMAKE_CURRENT_SOURCE_DIR}/config.cmake.in" "${NGHTTP2_PROJECT_CONFIG}" @ONLY)
+
+# Install cmake config files
+install(
+  FILES "${NGHTTP2_PROJECT_CONFIG}" "${NGHTTP2_VERSION_CONFIG}"
+  DESTINATION "${NGHTTP2_CONFIG_INSTALL_DIR}")
+
+install(
+  EXPORT "${NGHTTP2_TARGETS_EXPORT_NAME}"
+  NAMESPACE "${NGHTTP2_NAMESPACE}"
+  DESTINATION "${NGHTTP2_CONFIG_INSTALL_DIR}")
+
 # Public shared library
-if(ENABLE_SHARED_LIB)
-  add_library(nghttp2 SHARED ${NGHTTP2_SOURCES} ${NGHTTP2_RES})
-  set_target_properties(nghttp2 PROPERTIES
+if(BUILD_SHARED_LIBS)
+  add_library(${SHARED_LIB} SHARED ${NGHTTP2_SOURCES} ${NGHTTP2_RES})
+
+  set_target_properties(${SHARED_LIB} PROPERTIES
     COMPILE_FLAGS "${WARNCFLAGS}"
     VERSION ${LT_VERSION} SOVERSION ${LT_SOVERSION}
     C_VISIBILITY_PRESET hidden
   )
-  target_include_directories(nghttp2 INTERFACE
-    "${CMAKE_CURRENT_BINARY_DIR}/includes"
-    "${CMAKE_CURRENT_SOURCE_DIR}/includes"
+
+  target_include_directories(${SHARED_LIB} INTERFACE
+    $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/includes>
+    $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}/includes>
+    $<INSTALL_INTERFACE:${CMAKE_INSTALL_INCLUDEDIR}>
   )
 
-  install(TARGETS nghttp2
+  install(TARGETS ${SHARED_LIB}
+    EXPORT ${NGHTTP2_TARGETS_EXPORT_NAME}
     ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
     LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}"
     RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}")
+  list(APPEND nghttp2_exports ${SHARED_LIB})
 endif()
 
-if(HAVE_CUNIT OR ENABLE_STATIC_LIB)
-  # Static library (for unittests because of symbol visibility)
-  add_library(nghttp2_static STATIC ${NGHTTP2_SOURCES})
-  set_target_properties(nghttp2_static PROPERTIES
+# Static library (for unittests because of symbol visibility)
+if(BUILD_STATIC_LIBS)
+  add_library(${STATIC_LIB} STATIC ${NGHTTP2_SOURCES})
+
+  set_target_properties(${STATIC_LIB} PROPERTIES
     COMPILE_FLAGS "${WARNCFLAGS}"
     VERSION ${LT_VERSION} SOVERSION ${LT_SOVERSION}
     ARCHIVE_OUTPUT_NAME nghttp2${STATIC_LIB_SUFFIX}
   )
-  target_compile_definitions(nghttp2_static PUBLIC "-DNGHTTP2_STATICLIB")
-  if(ENABLE_STATIC_LIB)
-    install(TARGETS nghttp2_static
-      DESTINATION "${CMAKE_INSTALL_LIBDIR}")
-  endif()
+
+  target_include_directories(${STATIC_LIB} INTERFACE
+    $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/includes>
+    $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}/includes>
+    $<INSTALL_INTERFACE:${CMAKE_INSTALL_INCLUDEDIR}>
+  )
+
+  target_compile_definitions(${STATIC_LIB} PUBLIC "-DNGHTTP2_STATICLIB")
+
+  install(TARGETS ${STATIC_LIB}
+    EXPORT ${NGHTTP2_TARGETS_EXPORT_NAME}
+    ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}")
+  list(APPEND nghttp2_exports ${STATIC_LIB})
 endif()
 
+if(BUILD_SHARED_LIBS)
+  set(LIB_SELECTED ${SHARED_LIB})
+else()
+  set(LIB_SELECTED ${STATIC_LIB})
+endif()
+
+add_library(nghttp2 ALIAS ${LIB_SELECTED})
 
 install(FILES "${CMAKE_CURRENT_BINARY_DIR}/libnghttp2.pc"
   DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig")

lib/Makefile.am

@@ -22,7 +22,7 @@
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 SUBDIRS = includes
 
-EXTRA_DIST = Makefile.msvc CMakeLists.txt version.rc.in
+EXTRA_DIST = Makefile.msvc CMakeLists.txt version.rc.in config.cmake.in
 
 AM_CFLAGS = $(WARNCFLAGS) $(EXTRACFLAG)
 AM_CPPFLAGS = -I$(srcdir)/includes -I$(builddir)/includes -DBUILDING_NGHTTP2 \
@@ -41,7 +41,7 @@ OBJECTS = nghttp2_pq.c nghttp2_map.c nghttp2_queue.c \
 	nghttp2_stream.c nghttp2_outbound_item.c \
 	nghttp2_session.c nghttp2_submit.c \
 	nghttp2_helper.c \
-	nghttp2_npn.c \
+	nghttp2_alpn.c \
 	nghttp2_hd.c nghttp2_hd_huffman.c nghttp2_hd_huffman_data.c \
 	nghttp2_version.c \
 	nghttp2_priority_spec.c \
@@ -51,6 +51,8 @@ OBJECTS = nghttp2_pq.c nghttp2_map.c nghttp2_queue.c \
 	nghttp2_http.c \
 	nghttp2_rcbuf.c \
 	nghttp2_extpri.c \
+	nghttp2_ratelim.c \
+	nghttp2_time.c \
 	nghttp2_debug.c \
 	sfparse.c
 
@@ -58,7 +60,7 @@ HFILES = nghttp2_pq.h nghttp2_int.h nghttp2_map.h nghttp2_queue.h \
 	nghttp2_frame.h \
 	nghttp2_buf.h \
 	nghttp2_session.h nghttp2_helper.h nghttp2_stream.h nghttp2_int.h \
-	nghttp2_npn.h \
+	nghttp2_alpn.h \
 	nghttp2_submit.h nghttp2_outbound_item.h \
 	nghttp2_net.h \
 	nghttp2_hd.h nghttp2_hd_huffman.h \
@@ -69,6 +71,8 @@ HFILES = nghttp2_pq.h nghttp2_int.h nghttp2_map.h nghttp2_queue.h \
 	nghttp2_http.h \
 	nghttp2_rcbuf.h \
 	nghttp2_extpri.h \
+	nghttp2_ratelim.h \
+	nghttp2_time.h \
 	nghttp2_debug.h \
 	sfparse.h
 

lib/Makefile.msvc

@@ -74,7 +74,7 @@ NGHTTP2_SRC := nghttp2_pq.c \
   nghttp2_session.c \
   nghttp2_submit.c \
   nghttp2_helper.c \
-  nghttp2_npn.c \
+  nghttp2_alpn.c \
   nghttp2_hd.c \
   nghttp2_hd_huffman.c \
   nghttp2_hd_huffman_data.c \

lib/config.cmake.in

@@ -0,0 +1,3 @@
+include(CMakeFindDependencyMacro)
+
+include("${CMAKE_CURRENT_LIST_DIR}/@NGHTTP2_TARGETS_EXPORT_NAME@.cmake")

lib/nghttp2_alpn.c

@@ -22,13 +22,13 @@
  * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
  * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
-#include "nghttp2_npn.h"
+#include "nghttp2_alpn.h"
 
 #include <string.h>
 
-static int select_next_protocol(unsigned char **out, unsigned char *outlen,
-                                const unsigned char *in, unsigned int inlen,
-                                const char *key, unsigned int keylen) {
+static int select_alpn(const unsigned char **out, unsigned char *outlen,
+                       const unsigned char *in, unsigned int inlen,
+                       const char *key, unsigned int keylen) {
   unsigned int i;
   for (i = 0; i + keylen <= inlen; i += (unsigned int)(in[i] + 1)) {
     if (memcmp(&in[i], key, keylen) == 0) {
@@ -45,12 +45,25 @@ static int select_next_protocol(unsigned char **out, unsigned char *outlen,
 
 int nghttp2_select_next_protocol(unsigned char **out, unsigned char *outlen,
                                  const unsigned char *in, unsigned int inlen) {
-  if (select_next_protocol(out, outlen, in, inlen, NGHTTP2_PROTO_ALPN,
-                           NGHTTP2_PROTO_ALPN_LEN) == 0) {
+  if (select_alpn((const unsigned char **)out, outlen, in, inlen,
+                  NGHTTP2_PROTO_ALPN, NGHTTP2_PROTO_ALPN_LEN) == 0) {
     return 1;
   }
-  if (select_next_protocol(out, outlen, in, inlen, NGHTTP2_HTTP_1_1_ALPN,
-                           NGHTTP2_HTTP_1_1_ALPN_LEN) == 0) {
+  if (select_alpn((const unsigned char **)out, outlen, in, inlen,
+                  NGHTTP2_HTTP_1_1_ALPN, NGHTTP2_HTTP_1_1_ALPN_LEN) == 0) {
+    return 0;
+  }
+  return -1;
+}
+
+int nghttp2_select_alpn(const unsigned char **out, unsigned char *outlen,
+                        const unsigned char *in, unsigned int inlen) {
+  if (select_alpn(out, outlen, in, inlen, NGHTTP2_PROTO_ALPN,
+                  NGHTTP2_PROTO_ALPN_LEN) == 0) {
+    return 1;
+  }
+  if (select_alpn(out, outlen, in, inlen, NGHTTP2_HTTP_1_1_ALPN,
+                  NGHTTP2_HTTP_1_1_ALPN_LEN) == 0) {
     return 0;
   }
   return -1;

lib/nghttp2_alpn.h

@@ -22,13 +22,13 @@
  * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
  * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
-#ifndef NGHTTP2_NPN_H
-#define NGHTTP2_NPN_H
+#ifndef NGHTTP2_ALPN_H
+#define NGHTTP2_ALPN_H
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
-#endif /* NGHTTP2_NPN_H */
+#endif /* !defined(NGHTTP2_ALPN_H) */

lib/nghttp2_buf.c

@@ -61,7 +61,7 @@ int nghttp2_buf_reserve(nghttp2_buf *buf, size_t new_cap, nghttp2_mem *mem) {
     return 0;
   }
 
-  new_cap = nghttp2_max(new_cap, cap * 2);
+  new_cap = nghttp2_max_size(new_cap, cap * 2);
 
   ptr = nghttp2_mem_realloc(mem, buf->begin, new_cap);
   if (ptr == NULL) {
@@ -343,7 +343,7 @@ int nghttp2_bufs_add(nghttp2_bufs *bufs, const void *data, size_t len) {
   while (len) {
     buf = &bufs->cur->buf;
 
-    nwrite = nghttp2_min(nghttp2_buf_avail(buf), len);
+    nwrite = nghttp2_min_size(nghttp2_buf_avail(buf), len);
     if (nwrite == 0) {
       rv = bufs_alloc_chain(bufs);
       if (rv != 0) {
@@ -430,7 +430,7 @@ int nghttp2_bufs_orb_hold(nghttp2_bufs *bufs, uint8_t b) {
   return 0;
 }
 
-ssize_t nghttp2_bufs_remove(nghttp2_bufs *bufs, uint8_t **out) {
+nghttp2_ssize nghttp2_bufs_remove(nghttp2_bufs *bufs, uint8_t **out) {
   size_t len;
   nghttp2_buf_chain *chain;
   nghttp2_buf *buf;
@@ -462,7 +462,7 @@ ssize_t nghttp2_bufs_remove(nghttp2_bufs *bufs, uint8_t **out) {
 
   *out = res;
 
-  return (ssize_t)len;
+  return (nghttp2_ssize)len;
 }
 
 size_t nghttp2_bufs_remove_copy(nghttp2_bufs *bufs, uint8_t *out) {

lib/nghttp2_buf.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -349,7 +349,7 @@ int nghttp2_bufs_orb_hold(nghttp2_bufs *bufs, uint8_t b);
  * NGHTTP2_ERR_NOMEM
  *     Out of memory
  */
-ssize_t nghttp2_bufs_remove(nghttp2_bufs *bufs, uint8_t **out);
+nghttp2_ssize nghttp2_bufs_remove(nghttp2_bufs *bufs, uint8_t **out);
 
 /*
  * Copies all data stored in |bufs| to |out|.  This function assumes
@@ -409,4 +409,4 @@ int nghttp2_bufs_next_present(nghttp2_bufs *bufs);
  */
 size_t nghttp2_bufs_len(nghttp2_bufs *bufs);
 
-#endif /* NGHTTP2_BUF_H */
+#endif /* !defined(NGHTTP2_BUF_H) */

lib/nghttp2_callbacks.c

@@ -41,135 +41,168 @@ void nghttp2_session_callbacks_del(nghttp2_session_callbacks *callbacks) {
 }
 
 void nghttp2_session_callbacks_set_send_callback(
-    nghttp2_session_callbacks *cbs, nghttp2_send_callback send_callback) {
+  nghttp2_session_callbacks *cbs, nghttp2_send_callback send_callback) {
   cbs->send_callback = send_callback;
 }
 
+void nghttp2_session_callbacks_set_send_callback2(
+  nghttp2_session_callbacks *cbs, nghttp2_send_callback2 send_callback) {
+  cbs->send_callback2 = send_callback;
+}
+
 void nghttp2_session_callbacks_set_recv_callback(
-    nghttp2_session_callbacks *cbs, nghttp2_recv_callback recv_callback) {
+  nghttp2_session_callbacks *cbs, nghttp2_recv_callback recv_callback) {
   cbs->recv_callback = recv_callback;
 }
 
+void nghttp2_session_callbacks_set_recv_callback2(
+  nghttp2_session_callbacks *cbs, nghttp2_recv_callback2 recv_callback) {
+  cbs->recv_callback2 = recv_callback;
+}
+
 void nghttp2_session_callbacks_set_on_frame_recv_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_on_frame_recv_callback on_frame_recv_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_on_frame_recv_callback on_frame_recv_callback) {
   cbs->on_frame_recv_callback = on_frame_recv_callback;
 }
 
 void nghttp2_session_callbacks_set_on_invalid_frame_recv_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_on_invalid_frame_recv_callback on_invalid_frame_recv_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_on_invalid_frame_recv_callback on_invalid_frame_recv_callback) {
   cbs->on_invalid_frame_recv_callback = on_invalid_frame_recv_callback;
 }
 
 void nghttp2_session_callbacks_set_on_data_chunk_recv_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_on_data_chunk_recv_callback on_data_chunk_recv_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_on_data_chunk_recv_callback on_data_chunk_recv_callback) {
   cbs->on_data_chunk_recv_callback = on_data_chunk_recv_callback;
 }
 
 void nghttp2_session_callbacks_set_before_frame_send_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_before_frame_send_callback before_frame_send_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_before_frame_send_callback before_frame_send_callback) {
   cbs->before_frame_send_callback = before_frame_send_callback;
 }
 
 void nghttp2_session_callbacks_set_on_frame_send_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_on_frame_send_callback on_frame_send_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_on_frame_send_callback on_frame_send_callback) {
   cbs->on_frame_send_callback = on_frame_send_callback;
 }
 
 void nghttp2_session_callbacks_set_on_frame_not_send_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_on_frame_not_send_callback on_frame_not_send_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_on_frame_not_send_callback on_frame_not_send_callback) {
   cbs->on_frame_not_send_callback = on_frame_not_send_callback;
 }
 
 void nghttp2_session_callbacks_set_on_stream_close_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_on_stream_close_callback on_stream_close_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_on_stream_close_callback on_stream_close_callback) {
   cbs->on_stream_close_callback = on_stream_close_callback;
 }
 
 void nghttp2_session_callbacks_set_on_begin_headers_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_on_begin_headers_callback on_begin_headers_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_on_begin_headers_callback on_begin_headers_callback) {
   cbs->on_begin_headers_callback = on_begin_headers_callback;
 }
 
 void nghttp2_session_callbacks_set_on_header_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_on_header_callback on_header_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_on_header_callback on_header_callback) {
   cbs->on_header_callback = on_header_callback;
 }
 
 void nghttp2_session_callbacks_set_on_header_callback2(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_on_header_callback2 on_header_callback2) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_on_header_callback2 on_header_callback2) {
   cbs->on_header_callback2 = on_header_callback2;
 }
 
 void nghttp2_session_callbacks_set_on_invalid_header_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_on_invalid_header_callback on_invalid_header_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_on_invalid_header_callback on_invalid_header_callback) {
   cbs->on_invalid_header_callback = on_invalid_header_callback;
 }
 
 void nghttp2_session_callbacks_set_on_invalid_header_callback2(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_on_invalid_header_callback2 on_invalid_header_callback2) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_on_invalid_header_callback2 on_invalid_header_callback2) {
   cbs->on_invalid_header_callback2 = on_invalid_header_callback2;
 }
 
 void nghttp2_session_callbacks_set_select_padding_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_select_padding_callback select_padding_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_select_padding_callback select_padding_callback) {
   cbs->select_padding_callback = select_padding_callback;
 }
 
+void nghttp2_session_callbacks_set_select_padding_callback2(
+  nghttp2_session_callbacks *cbs,
+  nghttp2_select_padding_callback2 select_padding_callback) {
+  cbs->select_padding_callback2 = select_padding_callback;
+}
+
 void nghttp2_session_callbacks_set_data_source_read_length_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_data_source_read_length_callback data_source_read_length_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_data_source_read_length_callback data_source_read_length_callback) {
   cbs->read_length_callback = data_source_read_length_callback;
 }
 
+void nghttp2_session_callbacks_set_data_source_read_length_callback2(
+  nghttp2_session_callbacks *cbs,
+  nghttp2_data_source_read_length_callback2 data_source_read_length_callback) {
+  cbs->read_length_callback2 = data_source_read_length_callback;
+}
+
 void nghttp2_session_callbacks_set_on_begin_frame_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_on_begin_frame_callback on_begin_frame_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_on_begin_frame_callback on_begin_frame_callback) {
   cbs->on_begin_frame_callback = on_begin_frame_callback;
 }
 
 void nghttp2_session_callbacks_set_send_data_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_send_data_callback send_data_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_send_data_callback send_data_callback) {
   cbs->send_data_callback = send_data_callback;
 }
 
 void nghttp2_session_callbacks_set_pack_extension_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_pack_extension_callback pack_extension_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_pack_extension_callback pack_extension_callback) {
   cbs->pack_extension_callback = pack_extension_callback;
 }
 
+void nghttp2_session_callbacks_set_pack_extension_callback2(
+  nghttp2_session_callbacks *cbs,
+  nghttp2_pack_extension_callback2 pack_extension_callback) {
+  cbs->pack_extension_callback2 = pack_extension_callback;
+}
+
 void nghttp2_session_callbacks_set_unpack_extension_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_unpack_extension_callback unpack_extension_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_unpack_extension_callback unpack_extension_callback) {
   cbs->unpack_extension_callback = unpack_extension_callback;
 }
 
 void nghttp2_session_callbacks_set_on_extension_chunk_recv_callback(
-    nghttp2_session_callbacks *cbs,
-    nghttp2_on_extension_chunk_recv_callback on_extension_chunk_recv_callback) {
+  nghttp2_session_callbacks *cbs,
+  nghttp2_on_extension_chunk_recv_callback on_extension_chunk_recv_callback) {
   cbs->on_extension_chunk_recv_callback = on_extension_chunk_recv_callback;
 }
 
 void nghttp2_session_callbacks_set_error_callback(
-    nghttp2_session_callbacks *cbs, nghttp2_error_callback error_callback) {
+  nghttp2_session_callbacks *cbs, nghttp2_error_callback error_callback) {
   cbs->error_callback = error_callback;
 }
 
 void nghttp2_session_callbacks_set_error_callback2(
-    nghttp2_session_callbacks *cbs, nghttp2_error_callback2 error_callback2) {
+  nghttp2_session_callbacks *cbs, nghttp2_error_callback2 error_callback2) {
   cbs->error_callback2 = error_callback2;
 }
+
+void nghttp2_session_callbacks_set_rand_callback(
+  nghttp2_session_callbacks *cbs, nghttp2_rand_callback rand_callback) {
+  cbs->rand_callback = rand_callback;
+}

lib/nghttp2_callbacks.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -36,19 +36,33 @@
  */
 struct nghttp2_session_callbacks {
   /**
-   * Callback function invoked when the session wants to send data to
-   * the remote peer.  This callback is not necessary if the
-   * application uses solely `nghttp2_session_mem_send()` to serialize
-   * data to transmit.
+   * Deprecated.  Use send_callback2 instead.  Callback function
+   * invoked when the session wants to send data to the remote peer.
+   * This callback is not necessary if the application uses solely
+   * `nghttp2_session_mem_send()` to serialize data to transmit.
    */
   nghttp2_send_callback send_callback;
   /**
-   * Callback function invoked when the session wants to receive data
-   * from the remote peer.  This callback is not necessary if the
-   * application uses solely `nghttp2_session_mem_recv()` to process
-   * received data.
+   * Callback function invoked when the session wants to send data to
+   * the remote peer.  This callback is not necessary if the
+   * application uses solely `nghttp2_session_mem_send2()` to
+   * serialize data to transmit.
+   */
+  nghttp2_send_callback2 send_callback2;
+  /**
+   * Deprecated.  Use recv_callback2 instead.  Callback function
+   * invoked when the session wants to receive data from the remote
+   * peer.  This callback is not necessary if the application uses
+   * solely `nghttp2_session_mem_recv()` to process received data.
    */
   nghttp2_recv_callback recv_callback;
+  /**
+   * Callback function invoked when the session wants to receive data
+   * from the remote peer.  This callback is not necessary if the
+   * application uses solely `nghttp2_session_mem_recv2()` to process
+   * received data.
+   */
+  nghttp2_recv_callback2 recv_callback2;
   /**
    * Callback function invoked by `nghttp2_session_recv()` when a
    * frame is received.
@@ -100,26 +114,44 @@ struct nghttp2_session_callbacks {
   nghttp2_on_invalid_header_callback on_invalid_header_callback;
   nghttp2_on_invalid_header_callback2 on_invalid_header_callback2;
   /**
-   * Callback function invoked when the library asks application how
-   * many padding bytes are required for the transmission of the given
+   * Deprecated.  Use select_padding_callback2 instead.  Callback
+   * function invoked when the library asks application how many
+   * padding bytes are required for the transmission of the given
    * frame.
    */
   nghttp2_select_padding_callback select_padding_callback;
   /**
-   * The callback function used to determine the length allowed in
+   * Callback function invoked when the library asks application how
+   * many padding bytes are required for the transmission of the given
+   * frame.
+   */
+  nghttp2_select_padding_callback2 select_padding_callback2;
+  /**
+   * Deprecated.  Use read_length_callback2 instead.  The callback
+   * function used to determine the length allowed in
    * `nghttp2_data_source_read_callback()`
    */
   nghttp2_data_source_read_length_callback read_length_callback;
+  /**
+   * The callback function used to determine the length allowed in
+   * `nghttp2_data_source_read_callback2()`
+   */
+  nghttp2_data_source_read_length_callback2 read_length_callback2;
   /**
    * Sets callback function invoked when a frame header is received.
    */
   nghttp2_on_begin_frame_callback on_begin_frame_callback;
   nghttp2_send_data_callback send_data_callback;
+  /**
+   * Deprecated.  Use pack_extension_callback2 instead.
+   */
   nghttp2_pack_extension_callback pack_extension_callback;
+  nghttp2_pack_extension_callback2 pack_extension_callback2;
   nghttp2_unpack_extension_callback unpack_extension_callback;
   nghttp2_on_extension_chunk_recv_callback on_extension_chunk_recv_callback;
   nghttp2_error_callback error_callback;
   nghttp2_error_callback2 error_callback2;
+  nghttp2_rand_callback rand_callback;
 };
 
-#endif /* NGHTTP2_CALLBACKS_H */
+#endif /* !defined(NGHTTP2_CALLBACKS_H) */

lib/nghttp2_debug.c

@@ -34,7 +34,7 @@ static void nghttp2_default_debug_vfprintf_callback(const char *fmt,
 }
 
 static nghttp2_debug_vprintf_callback static_debug_vprintf_callback =
-    nghttp2_default_debug_vfprintf_callback;
+  nghttp2_default_debug_vfprintf_callback;
 
 void nghttp2_debug_vprintf(const char *format, ...) {
   if (static_debug_vprintf_callback) {
@@ -46,15 +46,15 @@ void nghttp2_debug_vprintf(const char *format, ...) {
 }
 
 void nghttp2_set_debug_vprintf_callback(
-    nghttp2_debug_vprintf_callback debug_vprintf_callback) {
+  nghttp2_debug_vprintf_callback debug_vprintf_callback) {
   static_debug_vprintf_callback = debug_vprintf_callback;
 }
 
-#else /* !DEBUGBUILD */
+#else /* !defined(DEBUGBUILD) */
 
 void nghttp2_set_debug_vprintf_callback(
-    nghttp2_debug_vprintf_callback debug_vprintf_callback) {
+  nghttp2_debug_vprintf_callback debug_vprintf_callback) {
   (void)debug_vprintf_callback;
 }
 
-#endif /* !DEBUGBUILD */
+#endif /* !defined(DEBUGBUILD) */

lib/nghttp2_debug.h

@@ -27,17 +27,17 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
 #ifdef DEBUGBUILD
 #  define DEBUGF(...) nghttp2_debug_vprintf(__VA_ARGS__)
 void nghttp2_debug_vprintf(const char *format, ...);
-#else
+#else /* !defined(DEBUGBUILD) */
 #  define DEBUGF(...)                                                          \
     do {                                                                       \
     } while (0)
-#endif
+#endif /* !defined(DEBUGBUILD) */
 
-#endif /* NGHTTP2_DEBUG_H */
+#endif /* !defined(NGHTTP2_DEBUG_H) */

lib/nghttp2_extpri.c

@@ -24,6 +24,7 @@
  * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
 #include "nghttp2_extpri.h"
+#include "nghttp2_http.h"
 
 uint8_t nghttp2_extpri_to_uint8(const nghttp2_extpri *extpri) {
   return (uint8_t)((uint32_t)extpri->inc << 7 | extpri->urgency);
@@ -33,3 +34,8 @@ void nghttp2_extpri_from_uint8(nghttp2_extpri *extpri, uint8_t u8extpri) {
   extpri->urgency = nghttp2_extpri_uint8_urgency(u8extpri);
   extpri->inc = nghttp2_extpri_uint8_inc(u8extpri);
 }
+
+int nghttp2_extpri_parse_priority(nghttp2_extpri *extpri, const uint8_t *value,
+                                  size_t len) {
+  return nghttp2_http_parse_priority(extpri, value, len);
+}

lib/nghttp2_extpri.h

@@ -28,7 +28,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -60,6 +60,6 @@ void nghttp2_extpri_from_uint8(nghttp2_extpri *extpri, uint8_t u8extpri);
  * nghttp2_extpri_uint8_inc extracts inc from |PRI| which is supposed to
  * be constructed by nghttp2_extpri_to_uint8.
  */
-#define nghttp2_extpri_uint8_inc(PRI) (((PRI)&NGHTTP2_EXTPRI_INC_MASK) != 0)
+#define nghttp2_extpri_uint8_inc(PRI) (((PRI) & NGHTTP2_EXTPRI_INC_MASK) != 0)
 
-#endif /* NGHTTP2_EXTPRI_H */
+#endif /* !defined(NGHTTP2_EXTPRI_H) */

lib/nghttp2_frame.c

@@ -418,8 +418,8 @@ void nghttp2_frame_unpack_priority_spec(nghttp2_priority_spec *pri_spec,
   nghttp2_priority_spec_init(pri_spec, dep_stream_id, weight, exclusive);
 }
 
-int nghttp2_frame_unpack_headers_payload(nghttp2_headers *frame,
-                                         const uint8_t *payload) {
+void nghttp2_frame_unpack_headers_payload(nghttp2_headers *frame,
+                                          const uint8_t *payload) {
   if (frame->hd.flags & NGHTTP2_FLAG_PRIORITY) {
     nghttp2_frame_unpack_priority_spec(&frame->pri_spec, payload);
   } else {
@@ -428,11 +428,9 @@ int nghttp2_frame_unpack_headers_payload(nghttp2_headers *frame,
 
   frame->nva = NULL;
   frame->nvlen = 0;
-
-  return 0;
 }
 
-int nghttp2_frame_pack_priority(nghttp2_bufs *bufs, nghttp2_priority *frame) {
+void nghttp2_frame_pack_priority(nghttp2_bufs *bufs, nghttp2_priority *frame) {
   nghttp2_buf *buf;
 
   assert(bufs->head == bufs->cur);
@@ -448,8 +446,6 @@ int nghttp2_frame_pack_priority(nghttp2_bufs *bufs, nghttp2_priority *frame) {
   nghttp2_frame_pack_priority_spec(buf->last, &frame->pri_spec);
 
   buf->last += NGHTTP2_PRIORITY_SPECLEN;
-
-  return 0;
 }
 
 void nghttp2_frame_unpack_priority_payload(nghttp2_priority *frame,
@@ -457,8 +453,8 @@ void nghttp2_frame_unpack_priority_payload(nghttp2_priority *frame,
   nghttp2_frame_unpack_priority_spec(&frame->pri_spec, payload);
 }
 
-int nghttp2_frame_pack_rst_stream(nghttp2_bufs *bufs,
-                                  nghttp2_rst_stream *frame) {
+void nghttp2_frame_pack_rst_stream(nghttp2_bufs *bufs,
+                                   nghttp2_rst_stream *frame) {
   nghttp2_buf *buf;
 
   assert(bufs->head == bufs->cur);
@@ -473,8 +469,6 @@ int nghttp2_frame_pack_rst_stream(nghttp2_bufs *bufs,
 
   nghttp2_put_uint32be(buf->last, frame->error_code);
   buf->last += 4;
-
-  return 0;
 }
 
 void nghttp2_frame_unpack_rst_stream_payload(nghttp2_rst_stream *frame,
@@ -498,7 +492,7 @@ int nghttp2_frame_pack_settings(nghttp2_bufs *bufs, nghttp2_settings *frame) {
   nghttp2_frame_pack_frame_hd(buf->pos, &frame->hd);
 
   buf->last +=
-      nghttp2_frame_pack_settings_payload(buf->last, frame->iv, frame->niv);
+    nghttp2_frame_pack_settings_payload(buf->last, frame->iv, frame->niv);
 
   return 0;
 }
@@ -543,7 +537,7 @@ int nghttp2_frame_unpack_settings_payload2(nghttp2_settings_entry **iv_ptr,
   }
 
   *iv_ptr =
-      nghttp2_mem_malloc(mem, (*niv_ptr) * sizeof(nghttp2_settings_entry));
+    nghttp2_mem_malloc(mem, (*niv_ptr) * sizeof(nghttp2_settings_entry));
 
   if (*iv_ptr == NULL) {
     return NGHTTP2_ERR_NOMEM;
@@ -592,16 +586,15 @@ int nghttp2_frame_pack_push_promise(nghttp2_bufs *bufs,
   return frame_pack_headers_shared(bufs, &frame->hd);
 }
 
-int nghttp2_frame_unpack_push_promise_payload(nghttp2_push_promise *frame,
-                                              const uint8_t *payload) {
+void nghttp2_frame_unpack_push_promise_payload(nghttp2_push_promise *frame,
+                                               const uint8_t *payload) {
   frame->promised_stream_id =
-      nghttp2_get_uint32(payload) & NGHTTP2_STREAM_ID_MASK;
+    nghttp2_get_uint32(payload) & NGHTTP2_STREAM_ID_MASK;
   frame->nva = NULL;
   frame->nvlen = 0;
-  return 0;
 }
 
-int nghttp2_frame_pack_ping(nghttp2_bufs *bufs, nghttp2_ping *frame) {
+void nghttp2_frame_pack_ping(nghttp2_bufs *bufs, nghttp2_ping *frame) {
   nghttp2_buf *buf;
 
   assert(bufs->head == bufs->cur);
@@ -615,9 +608,7 @@ int nghttp2_frame_pack_ping(nghttp2_bufs *bufs, nghttp2_ping *frame) {
   nghttp2_frame_pack_frame_hd(buf->pos, &frame->hd);
 
   buf->last =
-      nghttp2_cpymem(buf->last, frame->opaque_data, sizeof(frame->opaque_data));
-
-  return 0;
+    nghttp2_cpymem(buf->last, frame->opaque_data, sizeof(frame->opaque_data));
 }
 
 void nghttp2_frame_unpack_ping_payload(nghttp2_ping *frame,
@@ -697,8 +688,8 @@ int nghttp2_frame_unpack_goaway_payload2(nghttp2_goaway *frame,
   return 0;
 }
 
-int nghttp2_frame_pack_window_update(nghttp2_bufs *bufs,
-                                     nghttp2_window_update *frame) {
+void nghttp2_frame_pack_window_update(nghttp2_bufs *bufs,
+                                      nghttp2_window_update *frame) {
   nghttp2_buf *buf;
 
   assert(bufs->head == bufs->cur);
@@ -713,17 +704,15 @@ int nghttp2_frame_pack_window_update(nghttp2_bufs *bufs,
 
   nghttp2_put_uint32be(buf->last, (uint32_t)frame->window_size_increment);
   buf->last += 4;
-
-  return 0;
 }
 
 void nghttp2_frame_unpack_window_update_payload(nghttp2_window_update *frame,
                                                 const uint8_t *payload) {
   frame->window_size_increment =
-      nghttp2_get_uint32(payload) & NGHTTP2_WINDOW_SIZE_INCREMENT_MASK;
+    nghttp2_get_uint32(payload) & NGHTTP2_WINDOW_SIZE_INCREMENT_MASK;
 }
 
-int nghttp2_frame_pack_altsvc(nghttp2_bufs *bufs, nghttp2_extension *frame) {
+void nghttp2_frame_pack_altsvc(nghttp2_bufs *bufs, nghttp2_extension *frame) {
   int rv;
   nghttp2_buf *buf;
   nghttp2_ext_altsvc *altsvc;
@@ -752,8 +741,6 @@ int nghttp2_frame_pack_altsvc(nghttp2_bufs *bufs, nghttp2_extension *frame) {
   rv = nghttp2_bufs_add(bufs, altsvc->field_value, altsvc->field_value_len);
 
   assert(rv == 0);
-
-  return 0;
 }
 
 void nghttp2_frame_unpack_altsvc_payload(nghttp2_extension *frame,
@@ -901,8 +888,8 @@ int nghttp2_frame_unpack_origin_payload(nghttp2_extension *frame,
   return 0;
 }
 
-int nghttp2_frame_pack_priority_update(nghttp2_bufs *bufs,
-                                       nghttp2_extension *frame) {
+void nghttp2_frame_pack_priority_update(nghttp2_bufs *bufs,
+                                        nghttp2_extension *frame) {
   int rv;
   nghttp2_buf *buf;
   nghttp2_ext_priority_update *priority_update;
@@ -927,8 +914,6 @@ int nghttp2_frame_pack_priority_update(nghttp2_bufs *bufs,
                         priority_update->field_value_len);
 
   assert(rv == 0);
-
-  return 0;
 }
 
 void nghttp2_frame_unpack_priority_update_payload(nghttp2_extension *frame,
@@ -941,7 +926,7 @@ void nghttp2_frame_unpack_priority_update_payload(nghttp2_extension *frame,
   priority_update = frame->payload;
 
   priority_update->stream_id =
-      nghttp2_get_uint32(payload) & NGHTTP2_STREAM_ID_MASK;
+    nghttp2_get_uint32(payload) & NGHTTP2_STREAM_ID_MASK;
 
   if (payloadlen > 4) {
     priority_update->field_value = payload + 4;
@@ -1186,14 +1171,14 @@ static void frame_set_pad(nghttp2_buf *buf, size_t padlen, int framehd_only) {
   buf->last += trail_padlen;
 }
 
-int nghttp2_frame_add_pad(nghttp2_bufs *bufs, nghttp2_frame_hd *hd,
-                          size_t padlen, int framehd_only) {
+void nghttp2_frame_add_pad(nghttp2_bufs *bufs, nghttp2_frame_hd *hd,
+                           size_t padlen, int framehd_only) {
   nghttp2_buf *buf;
 
   if (padlen == 0) {
     DEBUGF("send: padlen = 0, nothing to do\n");
 
-    return 0;
+    return;
   }
 
   /*
@@ -1226,6 +1211,4 @@ int nghttp2_frame_add_pad(nghttp2_bufs *bufs, nghttp2_frame_hd *hd,
   hd->flags |= NGHTTP2_FLAG_PADDED;
 
   DEBUGF("send: final payloadlen=%zu, padlen=%zu\n", hd->length, padlen);
-
-  return 0;
 }

lib/nghttp2_frame.h

@@ -27,17 +27,14 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 #include "nghttp2_hd.h"
 #include "nghttp2_buf.h"
 
 #define NGHTTP2_STREAM_ID_MASK ((1u << 31) - 1)
-#define NGHTTP2_PRI_GROUP_ID_MASK ((1u << 31) - 1)
-#define NGHTTP2_PRIORITY_MASK ((1u << 31) - 1)
 #define NGHTTP2_WINDOW_SIZE_INCREMENT_MASK ((1u << 31) - 1)
-#define NGHTTP2_SETTINGS_ID_MASK ((1 << 24) - 1)
 
 /* The number of bytes of frame header. */
 #define NGHTTP2_FRAME_HDLEN 9
@@ -143,11 +140,9 @@ int nghttp2_frame_pack_headers(nghttp2_bufs *bufs, nghttp2_headers *frame,
  * Unpacks HEADERS frame byte sequence into |frame|.  This function
  * only unapcks bytes that come before name/value header block and
  * after possible Pad Length field.
- *
- * This function always succeeds and returns 0.
  */
-int nghttp2_frame_unpack_headers_payload(nghttp2_headers *frame,
-                                         const uint8_t *payload);
+void nghttp2_frame_unpack_headers_payload(nghttp2_headers *frame,
+                                          const uint8_t *payload);
 
 /*
  * Packs PRIORITY frame |frame| in wire format and store it in
@@ -155,10 +150,8 @@ int nghttp2_frame_unpack_headers_payload(nghttp2_headers *frame,
  *
  * The caller must make sure that nghttp2_bufs_reset(bufs) is called
  * before calling this function.
- *
- * This function always succeeds and returns 0.
  */
-int nghttp2_frame_pack_priority(nghttp2_bufs *bufs, nghttp2_priority *frame);
+void nghttp2_frame_pack_priority(nghttp2_bufs *bufs, nghttp2_priority *frame);
 
 /*
  * Unpacks PRIORITY wire format into |frame|.
@@ -172,11 +165,9 @@ void nghttp2_frame_unpack_priority_payload(nghttp2_priority *frame,
  *
  * The caller must make sure that nghttp2_bufs_reset(bufs) is called
  * before calling this function.
- *
- * This function always succeeds and returns 0.
  */
-int nghttp2_frame_pack_rst_stream(nghttp2_bufs *bufs,
-                                  nghttp2_rst_stream *frame);
+void nghttp2_frame_pack_rst_stream(nghttp2_bufs *bufs,
+                                   nghttp2_rst_stream *frame);
 
 /*
  * Unpacks RST_STREAM frame byte sequence into |frame|.
@@ -265,15 +256,9 @@ int nghttp2_frame_pack_push_promise(nghttp2_bufs *bufs,
  * Unpacks PUSH_PROMISE frame byte sequence into |frame|.  This
  * function only unapcks bytes that come before name/value header
  * block and after possible Pad Length field.
- *
- * This function returns 0 if it succeeds or one of the following
- * negative error codes:
- *
- * NGHTTP2_ERR_PROTO
- *     TODO END_HEADERS flag is not set
  */
-int nghttp2_frame_unpack_push_promise_payload(nghttp2_push_promise *frame,
-                                              const uint8_t *payload);
+void nghttp2_frame_unpack_push_promise_payload(nghttp2_push_promise *frame,
+                                               const uint8_t *payload);
 
 /*
  * Packs PING frame |frame| in wire format and store it in
@@ -281,10 +266,8 @@ int nghttp2_frame_unpack_push_promise_payload(nghttp2_push_promise *frame,
  *
  * The caller must make sure that nghttp2_bufs_reset(bufs) is called
  * before calling this function.
- *
- * This function always succeeds and returns 0.
  */
-int nghttp2_frame_pack_ping(nghttp2_bufs *bufs, nghttp2_ping *frame);
+void nghttp2_frame_pack_ping(nghttp2_bufs *bufs, nghttp2_ping *frame);
 
 /*
  * Unpacks PING wire format into |frame|.
@@ -343,11 +326,9 @@ int nghttp2_frame_unpack_goaway_payload2(nghttp2_goaway *frame,
  *
  * The caller must make sure that nghttp2_bufs_reset(bufs) is called
  * before calling this function.
- *
- * This function always succeeds and returns 0.
  */
-int nghttp2_frame_pack_window_update(nghttp2_bufs *bufs,
-                                     nghttp2_window_update *frame);
+void nghttp2_frame_pack_window_update(nghttp2_bufs *bufs,
+                                      nghttp2_window_update *frame);
 
 /*
  * Unpacks WINDOW_UPDATE frame byte sequence into |frame|.
@@ -361,17 +342,13 @@ void nghttp2_frame_unpack_window_update_payload(nghttp2_window_update *frame,
  *
  * The caller must make sure that nghttp2_bufs_reset(bufs) is called
  * before calling this function.
- *
- * This function always succeeds and returns 0.
  */
-int nghttp2_frame_pack_altsvc(nghttp2_bufs *bufs, nghttp2_extension *ext);
+void nghttp2_frame_pack_altsvc(nghttp2_bufs *bufs, nghttp2_extension *ext);
 
 /*
  * Unpacks ALTSVC wire format into |frame|.  The |payload| of
  * |payloadlen| bytes contains frame payload.  This function assumes
  * that frame->payload points to the nghttp2_ext_altsvc object.
- *
- * This function always succeeds and returns 0.
  */
 void nghttp2_frame_unpack_altsvc_payload(nghttp2_extension *frame,
                                          size_t origin_len, uint8_t *payload,
@@ -431,19 +408,15 @@ int nghttp2_frame_unpack_origin_payload(nghttp2_extension *frame,
  *
  * The caller must make sure that nghttp2_bufs_reset(bufs) is called
  * before calling this function.
- *
- * This function always succeeds and returns 0.
  */
-int nghttp2_frame_pack_priority_update(nghttp2_bufs *bufs,
-                                       nghttp2_extension *ext);
+void nghttp2_frame_pack_priority_update(nghttp2_bufs *bufs,
+                                        nghttp2_extension *ext);
 
 /*
  * Unpacks PRIORITY_UPDATE wire format into |frame|.  The |payload| of
  * |payloadlen| bytes contains frame payload.  This function assumes
  * that frame->payload points to the nghttp2_ext_priority_update
  * object.
- *
- * This function always succeeds and returns 0.
  */
 void nghttp2_frame_unpack_priority_update_payload(nghttp2_extension *frame,
                                                   uint8_t *payload,
@@ -654,16 +627,8 @@ int nghttp2_iv_check(const nghttp2_settings_entry *iv, size_t niv);
  * |padlen| including Pad Length field.  The |hd| is the frame header
  * for the serialized data.  This function fills zeros padding region
  * unless framehd_only is nonzero.
- *
- * This function returns 0 if it succeeds, or one of the following
- * negative error codes:
- *
- * NGHTTP2_ERR_NOMEM
- *     Out of memory.
- * NGHTTP2_ERR_FRAME_SIZE_ERROR
- *     The length of the resulting frame is too large.
  */
-int nghttp2_frame_add_pad(nghttp2_bufs *bufs, nghttp2_frame_hd *hd,
-                          size_t padlen, int framehd_only);
+void nghttp2_frame_add_pad(nghttp2_bufs *bufs, nghttp2_frame_hd *hd,
+                           size_t padlen, int framehd_only);
 
-#endif /* NGHTTP2_FRAME_H */
+#endif /* !defined(NGHTTP2_FRAME_H) */

lib/nghttp2_hd.c

@@ -36,9 +36,10 @@
 #define MAKE_STATIC_ENT(N, V, T, H)                                            \
   {                                                                            \
     {NULL, NULL, (uint8_t *)(N), sizeof((N)) - 1, -1},                         \
-        {NULL, NULL, (uint8_t *)(V), sizeof((V)) - 1, -1},                     \
-        {(uint8_t *)(N), (uint8_t *)(V), sizeof((N)) - 1, sizeof((V)) - 1, 0}, \
-        T, H                                                                   \
+    {NULL, NULL, (uint8_t *)(V), sizeof((V)) - 1, -1},                         \
+    {(uint8_t *)(N), (uint8_t *)(V), sizeof((N)) - 1, sizeof((V)) - 1, 0},     \
+    T,                                                                         \
+    H,                                                                         \
   }
 
 /* Generated by mkstatictbl.py */
@@ -46,67 +47,67 @@
    first enum value if same header names are repeated (e.g.,
    :status). */
 static const nghttp2_hd_static_entry static_table[] = {
-    MAKE_STATIC_ENT(":authority", "", 0, 3153725150u),
-    MAKE_STATIC_ENT(":method", "GET", 1, 695666056u),
-    MAKE_STATIC_ENT(":method", "POST", 1, 695666056u),
-    MAKE_STATIC_ENT(":path", "/", 3, 3292848686u),
-    MAKE_STATIC_ENT(":path", "/index.html", 3, 3292848686u),
-    MAKE_STATIC_ENT(":scheme", "http", 5, 2510477674u),
-    MAKE_STATIC_ENT(":scheme", "https", 5, 2510477674u),
-    MAKE_STATIC_ENT(":status", "200", 7, 4000288983u),
-    MAKE_STATIC_ENT(":status", "204", 7, 4000288983u),
-    MAKE_STATIC_ENT(":status", "206", 7, 4000288983u),
-    MAKE_STATIC_ENT(":status", "304", 7, 4000288983u),
-    MAKE_STATIC_ENT(":status", "400", 7, 4000288983u),
-    MAKE_STATIC_ENT(":status", "404", 7, 4000288983u),
-    MAKE_STATIC_ENT(":status", "500", 7, 4000288983u),
-    MAKE_STATIC_ENT("accept-charset", "", 14, 3664010344u),
-    MAKE_STATIC_ENT("accept-encoding", "gzip, deflate", 15, 3379649177u),
-    MAKE_STATIC_ENT("accept-language", "", 16, 1979086614u),
-    MAKE_STATIC_ENT("accept-ranges", "", 17, 1713753958u),
-    MAKE_STATIC_ENT("accept", "", 18, 136609321u),
-    MAKE_STATIC_ENT("access-control-allow-origin", "", 19, 2710797292u),
-    MAKE_STATIC_ENT("age", "", 20, 742476188u),
-    MAKE_STATIC_ENT("allow", "", 21, 2930878514u),
-    MAKE_STATIC_ENT("authorization", "", 22, 2436257726u),
-    MAKE_STATIC_ENT("cache-control", "", 23, 1355326669u),
-    MAKE_STATIC_ENT("content-disposition", "", 24, 3889184348u),
-    MAKE_STATIC_ENT("content-encoding", "", 25, 65203592u),
-    MAKE_STATIC_ENT("content-language", "", 26, 24973587u),
-    MAKE_STATIC_ENT("content-length", "", 27, 1308181789u),
-    MAKE_STATIC_ENT("content-location", "", 28, 2302364718u),
-    MAKE_STATIC_ENT("content-range", "", 29, 3555523146u),
-    MAKE_STATIC_ENT("content-type", "", 30, 4244048277u),
-    MAKE_STATIC_ENT("cookie", "", 31, 2007449791u),
-    MAKE_STATIC_ENT("date", "", 32, 3564297305u),
-    MAKE_STATIC_ENT("etag", "", 33, 113792960u),
-    MAKE_STATIC_ENT("expect", "", 34, 2530896728u),
-    MAKE_STATIC_ENT("expires", "", 35, 1049544579u),
-    MAKE_STATIC_ENT("from", "", 36, 2513272949u),
-    MAKE_STATIC_ENT("host", "", 37, 2952701295u),
-    MAKE_STATIC_ENT("if-match", "", 38, 3597694698u),
-    MAKE_STATIC_ENT("if-modified-since", "", 39, 2213050793u),
-    MAKE_STATIC_ENT("if-none-match", "", 40, 2536202615u),
-    MAKE_STATIC_ENT("if-range", "", 41, 2340978238u),
-    MAKE_STATIC_ENT("if-unmodified-since", "", 42, 3794814858u),
-    MAKE_STATIC_ENT("last-modified", "", 43, 3226950251u),
-    MAKE_STATIC_ENT("link", "", 44, 232457833u),
-    MAKE_STATIC_ENT("location", "", 45, 200649126u),
-    MAKE_STATIC_ENT("max-forwards", "", 46, 1826162134u),
-    MAKE_STATIC_ENT("proxy-authenticate", "", 47, 2709445359u),
-    MAKE_STATIC_ENT("proxy-authorization", "", 48, 2686392507u),
-    MAKE_STATIC_ENT("range", "", 49, 4208725202u),
-    MAKE_STATIC_ENT("referer", "", 50, 3969579366u),
-    MAKE_STATIC_ENT("refresh", "", 51, 3572655668u),
-    MAKE_STATIC_ENT("retry-after", "", 52, 3336180598u),
-    MAKE_STATIC_ENT("server", "", 53, 1085029842u),
-    MAKE_STATIC_ENT("set-cookie", "", 54, 1848371000u),
-    MAKE_STATIC_ENT("strict-transport-security", "", 55, 4138147361u),
-    MAKE_STATIC_ENT("transfer-encoding", "", 56, 3719590988u),
-    MAKE_STATIC_ENT("user-agent", "", 57, 606444526u),
-    MAKE_STATIC_ENT("vary", "", 58, 1085005381u),
-    MAKE_STATIC_ENT("via", "", 59, 1762798611u),
-    MAKE_STATIC_ENT("www-authenticate", "", 60, 779865858u),
+  MAKE_STATIC_ENT(":authority", "", 0, 3153725150u),
+  MAKE_STATIC_ENT(":method", "GET", 1, 695666056u),
+  MAKE_STATIC_ENT(":method", "POST", 1, 695666056u),
+  MAKE_STATIC_ENT(":path", "/", 3, 3292848686u),
+  MAKE_STATIC_ENT(":path", "/index.html", 3, 3292848686u),
+  MAKE_STATIC_ENT(":scheme", "http", 5, 2510477674u),
+  MAKE_STATIC_ENT(":scheme", "https", 5, 2510477674u),
+  MAKE_STATIC_ENT(":status", "200", 7, 4000288983u),
+  MAKE_STATIC_ENT(":status", "204", 7, 4000288983u),
+  MAKE_STATIC_ENT(":status", "206", 7, 4000288983u),
+  MAKE_STATIC_ENT(":status", "304", 7, 4000288983u),
+  MAKE_STATIC_ENT(":status", "400", 7, 4000288983u),
+  MAKE_STATIC_ENT(":status", "404", 7, 4000288983u),
+  MAKE_STATIC_ENT(":status", "500", 7, 4000288983u),
+  MAKE_STATIC_ENT("accept-charset", "", 14, 3664010344u),
+  MAKE_STATIC_ENT("accept-encoding", "gzip, deflate", 15, 3379649177u),
+  MAKE_STATIC_ENT("accept-language", "", 16, 1979086614u),
+  MAKE_STATIC_ENT("accept-ranges", "", 17, 1713753958u),
+  MAKE_STATIC_ENT("accept", "", 18, 136609321u),
+  MAKE_STATIC_ENT("access-control-allow-origin", "", 19, 2710797292u),
+  MAKE_STATIC_ENT("age", "", 20, 742476188u),
+  MAKE_STATIC_ENT("allow", "", 21, 2930878514u),
+  MAKE_STATIC_ENT("authorization", "", 22, 2436257726u),
+  MAKE_STATIC_ENT("cache-control", "", 23, 1355326669u),
+  MAKE_STATIC_ENT("content-disposition", "", 24, 3889184348u),
+  MAKE_STATIC_ENT("content-encoding", "", 25, 65203592u),
+  MAKE_STATIC_ENT("content-language", "", 26, 24973587u),
+  MAKE_STATIC_ENT("content-length", "", 27, 1308181789u),
+  MAKE_STATIC_ENT("content-location", "", 28, 2302364718u),
+  MAKE_STATIC_ENT("content-range", "", 29, 3555523146u),
+  MAKE_STATIC_ENT("content-type", "", 30, 4244048277u),
+  MAKE_STATIC_ENT("cookie", "", 31, 2007449791u),
+  MAKE_STATIC_ENT("date", "", 32, 3564297305u),
+  MAKE_STATIC_ENT("etag", "", 33, 113792960u),
+  MAKE_STATIC_ENT("expect", "", 34, 2530896728u),
+  MAKE_STATIC_ENT("expires", "", 35, 1049544579u),
+  MAKE_STATIC_ENT("from", "", 36, 2513272949u),
+  MAKE_STATIC_ENT("host", "", 37, 2952701295u),
+  MAKE_STATIC_ENT("if-match", "", 38, 3597694698u),
+  MAKE_STATIC_ENT("if-modified-since", "", 39, 2213050793u),
+  MAKE_STATIC_ENT("if-none-match", "", 40, 2536202615u),
+  MAKE_STATIC_ENT("if-range", "", 41, 2340978238u),
+  MAKE_STATIC_ENT("if-unmodified-since", "", 42, 3794814858u),
+  MAKE_STATIC_ENT("last-modified", "", 43, 3226950251u),
+  MAKE_STATIC_ENT("link", "", 44, 232457833u),
+  MAKE_STATIC_ENT("location", "", 45, 200649126u),
+  MAKE_STATIC_ENT("max-forwards", "", 46, 1826162134u),
+  MAKE_STATIC_ENT("proxy-authenticate", "", 47, 2709445359u),
+  MAKE_STATIC_ENT("proxy-authorization", "", 48, 2686392507u),
+  MAKE_STATIC_ENT("range", "", 49, 4208725202u),
+  MAKE_STATIC_ENT("referer", "", 50, 3969579366u),
+  MAKE_STATIC_ENT("refresh", "", 51, 3572655668u),
+  MAKE_STATIC_ENT("retry-after", "", 52, 3336180598u),
+  MAKE_STATIC_ENT("server", "", 53, 1085029842u),
+  MAKE_STATIC_ENT("set-cookie", "", 54, 1848371000u),
+  MAKE_STATIC_ENT("strict-transport-security", "", 55, 4138147361u),
+  MAKE_STATIC_ENT("transfer-encoding", "", 56, 3719590988u),
+  MAKE_STATIC_ENT("user-agent", "", 57, 606444526u),
+  MAKE_STATIC_ENT("vary", "", 58, 1085005381u),
+  MAKE_STATIC_ENT("via", "", 59, 1762798611u),
+  MAKE_STATIC_ENT("www-authenticate", "", 60, 779865858u),
 };
 
 static int memeq(const void *s1, const void *s2, size_t n) {
@@ -593,8 +594,19 @@ static void hd_map_remove(nghttp2_hd_map *map, nghttp2_hd_entry *ent) {
 static int hd_ringbuf_init(nghttp2_hd_ringbuf *ringbuf, size_t bufsize,
                            nghttp2_mem *mem) {
   size_t size;
+  const size_t max_size = SIZE_MAX / sizeof(nghttp2_hd_entry *);
+
+  if (bufsize > max_size) {
+    return NGHTTP2_ERR_NOMEM;
+  }
+
   for (size = 1; size < bufsize; size <<= 1)
     ;
+
+  if (size > max_size) {
+    return NGHTTP2_ERR_NOMEM;
+  }
+
   ringbuf->buffer = nghttp2_mem_malloc(mem, sizeof(nghttp2_hd_entry *) * size);
   if (ringbuf->buffer == NULL) {
     return NGHTTP2_ERR_NOMEM;
@@ -677,8 +689,8 @@ static int hd_context_init(nghttp2_hd_context *context, nghttp2_mem *mem) {
   context->bad = 0;
   context->hd_table_bufsize_max = NGHTTP2_HD_DEFAULT_MAX_BUFFER_SIZE;
   rv = hd_ringbuf_init(
-      &context->hd_table,
-      context->hd_table_bufsize_max / NGHTTP2_HD_ENTRY_OVERHEAD, mem);
+    &context->hd_table,
+    context->hd_table_bufsize_max / NGHTTP2_HD_ENTRY_OVERHEAD, mem);
   if (rv != 0) {
     return rv;
   }
@@ -695,7 +707,7 @@ static void hd_context_free(nghttp2_hd_context *context) {
 
 int nghttp2_hd_deflate_init(nghttp2_hd_deflater *deflater, nghttp2_mem *mem) {
   return nghttp2_hd_deflate_init2(
-      deflater, NGHTTP2_HD_DEFAULT_MAX_DEFLATE_BUFFER_SIZE, mem);
+    deflater, NGHTTP2_HD_DEFAULT_MAX_DEFLATE_BUFFER_SIZE, mem);
 }
 
 int nghttp2_hd_deflate_init2(nghttp2_hd_deflater *deflater,
@@ -850,9 +862,10 @@ static size_t encode_length(uint8_t *buf, size_t n, size_t prefix) {
  * in the next call will be stored in |*shift_ptr|) and returns number
  * of bytes processed, or returns -1, indicating decoding error.
  */
-static ssize_t decode_length(uint32_t *res, size_t *shift_ptr, int *fin,
-                             uint32_t initial, size_t shift, const uint8_t *in,
-                             const uint8_t *last, size_t prefix) {
+static nghttp2_ssize decode_length(uint32_t *res, size_t *shift_ptr, int *fin,
+                                   uint32_t initial, size_t shift,
+                                   const uint8_t *in, const uint8_t *last,
+                                   size_t prefix) {
   uint32_t k = (uint8_t)((1 << prefix) - 1);
   uint32_t n = initial;
   const uint8_t *start = in;
@@ -871,7 +884,7 @@ static ssize_t decode_length(uint32_t *res, size_t *shift_ptr, int *fin,
 
     if (++in == last) {
       *res = n;
-      return (ssize_t)(in - start);
+      return (nghttp2_ssize)(in - start);
     }
   }
 
@@ -906,12 +919,12 @@ static ssize_t decode_length(uint32_t *res, size_t *shift_ptr, int *fin,
 
   if (in == last) {
     *res = n;
-    return (ssize_t)(in - start);
+    return (nghttp2_ssize)(in - start);
   }
 
   *res = n;
   *fin = 1;
-  return (ssize_t)(in + 1 - start);
+  return (nghttp2_ssize)(in + 1 - start);
 }
 
 static int emit_table_size(nghttp2_bufs *bufs, size_t table_size) {
@@ -1076,8 +1089,8 @@ static int emit_newname_block(nghttp2_bufs *bufs, const nghttp2_nv *nv,
   int rv;
 
   DEBUGF(
-      "deflatehd: emit newname namelen=%zu, valuelen=%zu, indexing_mode=%d\n",
-      nv->namelen, nv->valuelen, indexing_mode);
+    "deflatehd: emit newname namelen=%zu, valuelen=%zu, indexing_mode=%d\n",
+    nv->namelen, nv->valuelen, indexing_mode);
 
   rv = nghttp2_bufs_addb(bufs, pack_first_byte(indexing_mode));
   if (rv != 0) {
@@ -1110,12 +1123,11 @@ static int add_hd_table_incremental(nghttp2_hd_context *context,
 
   while (context->hd_table_bufsize + room > context->hd_table_bufsize_max &&
          context->hd_table.len > 0) {
-
     size_t idx = context->hd_table.len - 1;
     nghttp2_hd_entry *ent = hd_ringbuf_get(&context->hd_table, idx);
 
     context->hd_table_bufsize -=
-        entry_room(ent->nv.name->len, ent->nv.value->len);
+      entry_room(ent->nv.name->len, ent->nv.value->len);
 
     DEBUGF("hpack: remove item from header table: %s: %s\n",
            (char *)ent->nv.name->base, (char *)ent->nv.value->base);
@@ -1164,7 +1176,7 @@ static int add_hd_table_incremental(nghttp2_hd_context *context,
 }
 
 typedef struct {
-  ssize_t index;
+  nghttp2_ssize index;
   /* Nonzero if both name and value are matched. */
   int name_value_match;
 } search_result;
@@ -1213,8 +1225,8 @@ static search_result search_hd_table(nghttp2_hd_context *context,
     return res;
   }
 
-  res.index =
-      (ssize_t)(context->next_seq - 1 - ent->seq + NGHTTP2_STATIC_TABLE_LENGTH);
+  res.index = (nghttp2_ssize)(context->next_seq - 1 - ent->seq +
+                              NGHTTP2_STATIC_TABLE_LENGTH);
   res.name_value_match = exact_match;
 
   return res;
@@ -1231,7 +1243,7 @@ static void hd_context_shrink_table_size(nghttp2_hd_context *context,
     size_t idx = context->hd_table.len - 1;
     nghttp2_hd_entry *ent = hd_ringbuf_get(&context->hd_table, idx);
     context->hd_table_bufsize -=
-        entry_room(ent->nv.name->len, ent->nv.value->len);
+      entry_room(ent->nv.name->len, ent->nv.value->len);
     hd_ringbuf_pop_back(&context->hd_table);
     if (map) {
       hd_map_remove(map, ent);
@@ -1243,14 +1255,14 @@ static void hd_context_shrink_table_size(nghttp2_hd_context *context,
 }
 
 int nghttp2_hd_deflate_change_table_size(
-    nghttp2_hd_deflater *deflater, size_t settings_max_dynamic_table_size) {
-  size_t next_bufsize = nghttp2_min(settings_max_dynamic_table_size,
-                                    deflater->deflate_hd_table_bufsize_max);
+  nghttp2_hd_deflater *deflater, size_t settings_max_dynamic_table_size) {
+  size_t next_bufsize = nghttp2_min_size(
+    settings_max_dynamic_table_size, deflater->deflate_hd_table_bufsize_max);
 
   deflater->ctx.hd_table_bufsize_max = next_bufsize;
 
   deflater->min_hd_table_bufsize_max =
-      nghttp2_min(deflater->min_hd_table_bufsize_max, next_bufsize);
+    nghttp2_min_size(deflater->min_hd_table_bufsize_max, next_bufsize);
 
   deflater->notify_table_size_change = 1;
 
@@ -1259,7 +1271,7 @@ int nghttp2_hd_deflate_change_table_size(
 }
 
 int nghttp2_hd_inflate_change_table_size(
-    nghttp2_hd_inflater *inflater, size_t settings_max_dynamic_table_size) {
+  nghttp2_hd_inflater *inflater, size_t settings_max_dynamic_table_size) {
   switch (inflater->state) {
   case NGHTTP2_HD_STATE_EXPECT_TABLE_SIZE:
   case NGHTTP2_HD_STATE_INFLATE_START:
@@ -1302,7 +1314,7 @@ nghttp2_hd_nv nghttp2_hd_table_get(nghttp2_hd_context *context, size_t idx) {
   assert(INDEX_RANGE_VALID(context, idx));
   if (idx >= NGHTTP2_STATIC_TABLE_LENGTH) {
     return hd_ringbuf_get(&context->hd_table, idx - NGHTTP2_STATIC_TABLE_LENGTH)
-        ->nv;
+      ->nv;
   } else {
     const nghttp2_hd_static_entry *ent = &static_table[idx];
     nghttp2_hd_nv nv = {(nghttp2_rcbuf *)&ent->name,
@@ -1318,7 +1330,7 @@ static const nghttp2_nv *nghttp2_hd_table_get2(nghttp2_hd_context *context,
   if (idx >= NGHTTP2_STATIC_TABLE_LENGTH) {
     return &hd_ringbuf_get(&context->hd_table,
                            idx - NGHTTP2_STATIC_TABLE_LENGTH)
-                ->cnv;
+              ->cnv;
   }
 
   return &static_table[idx].cnv;
@@ -1332,7 +1344,7 @@ static int hd_deflate_decide_indexing(nghttp2_hd_deflater *deflater,
       token == NGHTTP2_TOKEN_IF_NONE_MATCH || token == NGHTTP2_TOKEN_LOCATION ||
       token == NGHTTP2_TOKEN_SET_COOKIE ||
       entry_room(nv->namelen, nv->valuelen) >
-          deflater->ctx.hd_table_bufsize_max * 3 / 4) {
+        deflater->ctx.hd_table_bufsize_max * 3 / 4) {
     return NGHTTP2_HD_WITHOUT_INDEXING;
   }
 
@@ -1343,7 +1355,7 @@ static int deflate_nv(nghttp2_hd_deflater *deflater, nghttp2_bufs *bufs,
                       const nghttp2_nv *nv) {
   int rv;
   search_result res;
-  ssize_t idx;
+  nghttp2_ssize idx;
   int indexing_mode;
   int32_t token;
   nghttp2_mem *mem;
@@ -1365,12 +1377,11 @@ static int deflate_nv(nghttp2_hd_deflater *deflater, nghttp2_bufs *bufs,
      entropy secret data (e.g., id/password).  Also cookie header
      field with less than 20 bytes value is also never indexed.  This
      is the same criteria used in Firefox codebase. */
-  indexing_mode =
-      token == NGHTTP2_TOKEN_AUTHORIZATION ||
-              (token == NGHTTP2_TOKEN_COOKIE && nv->valuelen < 20) ||
-              (nv->flags & NGHTTP2_NV_FLAG_NO_INDEX)
-          ? NGHTTP2_HD_NEVER_INDEXING
-          : hd_deflate_decide_indexing(deflater, nv, token);
+  indexing_mode = token == NGHTTP2_TOKEN_AUTHORIZATION ||
+                      (token == NGHTTP2_TOKEN_COOKIE && nv->valuelen < 20) ||
+                      (nv->flags & NGHTTP2_NV_FLAG_NO_INDEX)
+                    ? NGHTTP2_HD_NEVER_INDEXING
+                    : hd_deflate_decide_indexing(deflater, nv, token);
 
   res = search_hd_table(&deflater->ctx, nv, token, indexing_mode,
                         &deflater->map, hash);
@@ -1378,8 +1389,7 @@ static int deflate_nv(nghttp2_hd_deflater *deflater, nghttp2_bufs *bufs,
   idx = res.index;
 
   if (res.name_value_match) {
-
-    DEBUGF("deflatehd: name/value match index=%zd\n", idx);
+    DEBUGF("deflatehd: name/value match index=%td\n", idx);
 
     rv = emit_indexed_block(bufs, (size_t)idx);
     if (rv != 0) {
@@ -1390,7 +1400,7 @@ static int deflate_nv(nghttp2_hd_deflater *deflater, nghttp2_bufs *bufs,
   }
 
   if (res.index != -1) {
-    DEBUGF("deflatehd: name match index=%zd\n", res.index);
+    DEBUGF("deflatehd: name match index=%td\n", res.index);
   }
 
   if (indexing_mode == NGHTTP2_HD_WITH_INDEXING) {
@@ -1456,7 +1466,6 @@ int nghttp2_hd_deflate_hd_bufs(nghttp2_hd_deflater *deflater,
     deflater->min_hd_table_bufsize_max = UINT32_MAX;
 
     if (deflater->ctx.hd_table_bufsize_max > min_hd_table_bufsize_max) {
-
       rv = emit_table_size(bufs, min_hd_table_bufsize_max);
 
       if (rv != 0) {
@@ -1491,6 +1500,12 @@ fail:
 ssize_t nghttp2_hd_deflate_hd(nghttp2_hd_deflater *deflater, uint8_t *buf,
                               size_t buflen, const nghttp2_nv *nv,
                               size_t nvlen) {
+  return (ssize_t)nghttp2_hd_deflate_hd2(deflater, buf, buflen, nv, nvlen);
+}
+
+nghttp2_ssize nghttp2_hd_deflate_hd2(nghttp2_hd_deflater *deflater,
+                                     uint8_t *buf, size_t buflen,
+                                     const nghttp2_nv *nv, size_t nvlen) {
   nghttp2_bufs bufs;
   int rv;
   nghttp2_mem *mem;
@@ -1517,12 +1532,18 @@ ssize_t nghttp2_hd_deflate_hd(nghttp2_hd_deflater *deflater, uint8_t *buf,
     return rv;
   }
 
-  return (ssize_t)buflen;
+  return (nghttp2_ssize)buflen;
 }
 
 ssize_t nghttp2_hd_deflate_hd_vec(nghttp2_hd_deflater *deflater,
                                   const nghttp2_vec *vec, size_t veclen,
                                   const nghttp2_nv *nv, size_t nvlen) {
+  return (ssize_t)nghttp2_hd_deflate_hd_vec2(deflater, vec, veclen, nv, nvlen);
+}
+
+nghttp2_ssize nghttp2_hd_deflate_hd_vec2(nghttp2_hd_deflater *deflater,
+                                         const nghttp2_vec *vec, size_t veclen,
+                                         const nghttp2_nv *nv, size_t nvlen) {
   nghttp2_bufs bufs;
   int rv;
   nghttp2_mem *mem;
@@ -1550,7 +1571,7 @@ ssize_t nghttp2_hd_deflate_hd_vec(nghttp2_hd_deflater *deflater,
     return rv;
   }
 
-  return (ssize_t)buflen;
+  return (nghttp2_ssize)buflen;
 }
 
 size_t nghttp2_hd_deflate_bound(nghttp2_hd_deflater *deflater,
@@ -1643,10 +1664,11 @@ static void hd_inflate_set_huffman_encoded(nghttp2_hd_inflater *inflater,
  * NGHTTP2_ERR_HEADER_COMP
  *   Integer decoding failed
  */
-static ssize_t hd_inflate_read_len(nghttp2_hd_inflater *inflater, int *rfin,
-                                   const uint8_t *in, const uint8_t *last,
-                                   size_t prefix, size_t maxlen) {
-  ssize_t rv;
+static nghttp2_ssize hd_inflate_read_len(nghttp2_hd_inflater *inflater,
+                                         int *rfin, const uint8_t *in,
+                                         const uint8_t *last, size_t prefix,
+                                         size_t maxlen) {
+  nghttp2_ssize rv;
   uint32_t out;
 
   *rfin = 0;
@@ -1684,10 +1706,10 @@ static ssize_t hd_inflate_read_len(nghttp2_hd_inflater *inflater, int *rfin,
  * NGHTTP2_ERR_HEADER_COMP
  *   Huffman decoding failed
  */
-static ssize_t hd_inflate_read_huff(nghttp2_hd_inflater *inflater,
-                                    nghttp2_buf *buf, const uint8_t *in,
-                                    const uint8_t *last) {
-  ssize_t readlen;
+static nghttp2_ssize hd_inflate_read_huff(nghttp2_hd_inflater *inflater,
+                                          nghttp2_buf *buf, const uint8_t *in,
+                                          const uint8_t *last) {
+  nghttp2_ssize readlen;
   int fin = 0;
   if ((size_t)(last - in) >= inflater->left) {
     last = in + inflater->left;
@@ -1721,14 +1743,15 @@ static ssize_t hd_inflate_read_huff(nghttp2_hd_inflater *inflater,
  * NGHTTP2_ERR_HEADER_COMP
  *   Header decompression failed
  */
-static ssize_t hd_inflate_read(nghttp2_hd_inflater *inflater, nghttp2_buf *buf,
-                               const uint8_t *in, const uint8_t *last) {
-  size_t len = nghttp2_min((size_t)(last - in), inflater->left);
+static nghttp2_ssize hd_inflate_read(nghttp2_hd_inflater *inflater,
+                                     nghttp2_buf *buf, const uint8_t *in,
+                                     const uint8_t *last) {
+  size_t len = nghttp2_min_size((size_t)(last - in), inflater->left);
 
   buf->last = nghttp2_cpymem(buf->last, in, len);
 
   inflater->left -= len;
-  return (ssize_t)len;
+  return (nghttp2_ssize)len;
 }
 
 /*
@@ -1843,7 +1866,15 @@ ssize_t nghttp2_hd_inflate_hd(nghttp2_hd_inflater *inflater, nghttp2_nv *nv_out,
 ssize_t nghttp2_hd_inflate_hd2(nghttp2_hd_inflater *inflater,
                                nghttp2_nv *nv_out, int *inflate_flags,
                                const uint8_t *in, size_t inlen, int in_final) {
-  ssize_t rv;
+  return (nghttp2_ssize)nghttp2_hd_inflate_hd3(inflater, nv_out, inflate_flags,
+                                               in, inlen, in_final);
+}
+
+nghttp2_ssize nghttp2_hd_inflate_hd3(nghttp2_hd_inflater *inflater,
+                                     nghttp2_nv *nv_out, int *inflate_flags,
+                                     const uint8_t *in, size_t inlen,
+                                     int in_final) {
+  nghttp2_ssize rv;
   nghttp2_hd_nv hd_nv;
 
   rv = nghttp2_hd_inflate_hd_nv(inflater, &hd_nv, inflate_flags, in, inlen,
@@ -1866,11 +1897,11 @@ ssize_t nghttp2_hd_inflate_hd2(nghttp2_hd_inflater *inflater,
   return rv;
 }
 
-ssize_t nghttp2_hd_inflate_hd_nv(nghttp2_hd_inflater *inflater,
-                                 nghttp2_hd_nv *nv_out, int *inflate_flags,
-                                 const uint8_t *in, size_t inlen,
-                                 int in_final) {
-  ssize_t rv = 0;
+nghttp2_ssize nghttp2_hd_inflate_hd_nv(nghttp2_hd_inflater *inflater,
+                                       nghttp2_hd_nv *nv_out,
+                                       int *inflate_flags, const uint8_t *in,
+                                       size_t inlen, int in_final) {
+  nghttp2_ssize rv = 0;
   const uint8_t *first = in;
   const uint8_t *last = in + inlen;
   int rfin = 0;
@@ -1938,9 +1969,9 @@ ssize_t nghttp2_hd_inflate_hd_nv(nghttp2_hd_inflater *inflater,
     case NGHTTP2_HD_STATE_READ_TABLE_SIZE:
       rfin = 0;
       rv = hd_inflate_read_len(
-          inflater, &rfin, in, last, 5,
-          nghttp2_min(inflater->min_hd_table_bufsize_max,
-                      inflater->settings_hd_table_bufsize_max));
+        inflater, &rfin, in, last, 5,
+        nghttp2_min_size(inflater->min_hd_table_bufsize_max,
+                         inflater->settings_hd_table_bufsize_max));
       if (rv < 0) {
         goto fail;
       }
@@ -1992,7 +2023,7 @@ ssize_t nghttp2_hd_inflate_hd_nv(nghttp2_hd_inflater *inflater,
 
         inflater->state = NGHTTP2_HD_STATE_OPCODE;
         *inflate_flags |= NGHTTP2_HD_INFLATE_EMIT;
-        return (ssize_t)(in - first);
+        return (nghttp2_ssize)(in - first);
       } else {
         inflater->index = inflater->left;
         --inflater->index;
@@ -2027,8 +2058,8 @@ ssize_t nghttp2_hd_inflate_hd_nv(nghttp2_hd_inflater *inflater,
 
         inflater->state = NGHTTP2_HD_STATE_NEWNAME_READ_NAMEHUFF;
 
-        rv = nghttp2_rcbuf_new(&inflater->namercbuf, inflater->left * 2 + 1,
-                               mem);
+        rv =
+          nghttp2_rcbuf_new(&inflater->namercbuf, inflater->left * 2 + 1, mem);
       } else {
         inflater->state = NGHTTP2_HD_STATE_NEWNAME_READ_NAME;
         rv = nghttp2_rcbuf_new(&inflater->namercbuf, inflater->left + 1, mem);
@@ -2050,7 +2081,7 @@ ssize_t nghttp2_hd_inflate_hd_nv(nghttp2_hd_inflater *inflater,
 
       in += rv;
 
-      DEBUGF("inflatehd: %zd bytes read\n", rv);
+      DEBUGF("inflatehd: %td bytes read\n", rv);
 
       if (inflater->left) {
         DEBUGF("inflatehd: still %zu bytes to go\n", inflater->left);
@@ -2072,7 +2103,7 @@ ssize_t nghttp2_hd_inflate_hd_nv(nghttp2_hd_inflater *inflater,
 
       in += rv;
 
-      DEBUGF("inflatehd: %zd bytes read\n", rv);
+      DEBUGF("inflatehd: %td bytes read\n", rv);
       if (inflater->left) {
         DEBUGF("inflatehd: still %zu bytes to go\n", inflater->left);
 
@@ -2112,8 +2143,8 @@ ssize_t nghttp2_hd_inflate_hd_nv(nghttp2_hd_inflater *inflater,
 
         inflater->state = NGHTTP2_HD_STATE_READ_VALUEHUFF;
 
-        rv = nghttp2_rcbuf_new(&inflater->valuercbuf, inflater->left * 2 + 1,
-                               mem);
+        rv =
+          nghttp2_rcbuf_new(&inflater->valuercbuf, inflater->left * 2 + 1, mem);
       } else {
         inflater->state = NGHTTP2_HD_STATE_READ_VALUE;
 
@@ -2138,7 +2169,7 @@ ssize_t nghttp2_hd_inflate_hd_nv(nghttp2_hd_inflater *inflater,
 
       in += rv;
 
-      DEBUGF("inflatehd: %zd bytes read\n", rv);
+      DEBUGF("inflatehd: %td bytes read\n", rv);
 
       if (inflater->left) {
         DEBUGF("inflatehd: still %zu bytes to go\n", inflater->left);
@@ -2162,18 +2193,18 @@ ssize_t nghttp2_hd_inflate_hd_nv(nghttp2_hd_inflater *inflater,
       inflater->state = NGHTTP2_HD_STATE_OPCODE;
       *inflate_flags |= NGHTTP2_HD_INFLATE_EMIT;
 
-      return (ssize_t)(in - first);
+      return (nghttp2_ssize)(in - first);
     case NGHTTP2_HD_STATE_READ_VALUE:
       rv = hd_inflate_read(inflater, &inflater->valuebuf, in, last);
       if (rv < 0) {
-        DEBUGF("inflatehd: value read failure %zd: %s\n", rv,
+        DEBUGF("inflatehd: value read failure %td: %s\n", rv,
                nghttp2_strerror((int)rv));
         goto fail;
       }
 
       in += rv;
 
-      DEBUGF("inflatehd: %zd bytes read\n", rv);
+      DEBUGF("inflatehd: %td bytes read\n", rv);
 
       if (inflater->left) {
         DEBUGF("inflatehd: still %zu bytes to go\n", inflater->left);
@@ -2196,7 +2227,7 @@ ssize_t nghttp2_hd_inflate_hd_nv(nghttp2_hd_inflater *inflater,
       inflater->state = NGHTTP2_HD_STATE_OPCODE;
       *inflate_flags |= NGHTTP2_HD_INFLATE_EMIT;
 
-      return (ssize_t)(in - first);
+      return (nghttp2_ssize)(in - first);
     }
   }
 
@@ -2216,7 +2247,7 @@ ssize_t nghttp2_hd_inflate_hd_nv(nghttp2_hd_inflater *inflater,
     }
     *inflate_flags |= NGHTTP2_HD_INFLATE_FINAL;
   }
-  return (ssize_t)(in - first);
+  return (nghttp2_ssize)(in - first);
 
 almost_ok:
   if (in_final) {
@@ -2226,10 +2257,10 @@ almost_ok:
 
     goto fail;
   }
-  return (ssize_t)(in - first);
+  return (nghttp2_ssize)(in - first);
 
 fail:
-  DEBUGF("inflatehd: error return %zd\n", rv);
+  DEBUGF("inflatehd: error return %td\n", rv);
 
   inflater->ctx.bad = 1;
   return rv;
@@ -2284,7 +2315,6 @@ void nghttp2_hd_inflate_del(nghttp2_hd_inflater *inflater) {
 
 int nghttp2_hd_emit_indname_block(nghttp2_bufs *bufs, size_t idx,
                                   nghttp2_nv *nv, int indexing_mode) {
-
   return emit_indname_block(bufs, idx, nv, indexing_mode);
 }
 
@@ -2297,9 +2327,10 @@ int nghttp2_hd_emit_table_size(nghttp2_bufs *bufs, size_t table_size) {
   return emit_table_size(bufs, table_size);
 }
 
-ssize_t nghttp2_hd_decode_length(uint32_t *res, size_t *shift_ptr, int *fin,
-                                 uint32_t initial, size_t shift, uint8_t *in,
-                                 uint8_t *last, size_t prefix) {
+nghttp2_ssize nghttp2_hd_decode_length(uint32_t *res, size_t *shift_ptr,
+                                       int *fin, uint32_t initial, size_t shift,
+                                       uint8_t *in, uint8_t *last,
+                                       size_t prefix) {
   return decode_length(res, shift_ptr, fin, initial, shift, in, last, prefix);
 }
 

lib/nghttp2_hd.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -357,9 +357,10 @@ void nghttp2_hd_inflate_free(nghttp2_hd_inflater *inflater);
  * that return values and semantics are the same as
  * nghttp2_hd_inflate_hd().
  */
-ssize_t nghttp2_hd_inflate_hd_nv(nghttp2_hd_inflater *inflater,
-                                 nghttp2_hd_nv *nv_out, int *inflate_flags,
-                                 const uint8_t *in, size_t inlen, int in_final);
+nghttp2_ssize nghttp2_hd_inflate_hd_nv(nghttp2_hd_inflater *inflater,
+                                       nghttp2_hd_nv *nv_out,
+                                       int *inflate_flags, const uint8_t *in,
+                                       size_t inlen, int in_final);
 
 /* For unittesting purpose */
 int nghttp2_hd_emit_indname_block(nghttp2_bufs *bufs, size_t index,
@@ -376,9 +377,10 @@ int nghttp2_hd_emit_table_size(nghttp2_bufs *bufs, size_t table_size);
 nghttp2_hd_nv nghttp2_hd_table_get(nghttp2_hd_context *context, size_t index);
 
 /* For unittesting purpose */
-ssize_t nghttp2_hd_decode_length(uint32_t *res, size_t *shift_ptr, int *fin,
-                                 uint32_t initial, size_t shift, uint8_t *in,
-                                 uint8_t *last, size_t prefix);
+nghttp2_ssize nghttp2_hd_decode_length(uint32_t *res, size_t *shift_ptr,
+                                       int *fin, uint32_t initial, size_t shift,
+                                       uint8_t *in, uint8_t *last,
+                                       size_t prefix);
 
 /* Huffman encoding/decoding functions */
 
@@ -427,9 +429,9 @@ void nghttp2_hd_huff_decode_context_init(nghttp2_hd_huff_decode_context *ctx);
  * NGHTTP2_ERR_HEADER_COMP
  *     Decoding process has failed.
  */
-ssize_t nghttp2_hd_huff_decode(nghttp2_hd_huff_decode_context *ctx,
-                               nghttp2_buf *buf, const uint8_t *src,
-                               size_t srclen, int fin);
+nghttp2_ssize nghttp2_hd_huff_decode(nghttp2_hd_huff_decode_context *ctx,
+                                     nghttp2_buf *buf, const uint8_t *src,
+                                     size_t srclen, int fin);
 
 /*
  * nghttp2_hd_huff_decode_failure_state returns nonzero if |ctx|
@@ -437,4 +439,4 @@ ssize_t nghttp2_hd_huff_decode(nghttp2_hd_huff_decode_context *ctx,
  */
 int nghttp2_hd_huff_decode_failure_state(nghttp2_hd_huff_decode_context *ctx);
 
-#endif /* NGHTTP2_HD_H */
+#endif /* !defined(NGHTTP2_HD_H) */

lib/nghttp2_hd_huffman.c

@@ -94,7 +94,7 @@ int nghttp2_hd_huff_encode(nghttp2_bufs *bufs, const uint8_t *src,
 
   if (nbits) {
     rv = nghttp2_bufs_addb(
-        bufs, (uint8_t)((uint8_t)(code >> 56) | ((1 << (8 - nbits)) - 1)));
+      bufs, (uint8_t)((uint8_t)(code >> 56) | ((1 << (8 - nbits)) - 1)));
     if (rv != 0) {
       return rv;
     }
@@ -104,39 +104,42 @@ int nghttp2_hd_huff_encode(nghttp2_bufs *bufs, const uint8_t *src,
 }
 
 void nghttp2_hd_huff_decode_context_init(nghttp2_hd_huff_decode_context *ctx) {
-  ctx->fstate = NGHTTP2_HUFF_ACCEPTED;
+  ctx->fstate = 0;
+  ctx->flags = NGHTTP2_HUFF_ACCEPTED;
 }
 
-ssize_t nghttp2_hd_huff_decode(nghttp2_hd_huff_decode_context *ctx,
-                               nghttp2_buf *buf, const uint8_t *src,
-                               size_t srclen, int final) {
+nghttp2_ssize nghttp2_hd_huff_decode(nghttp2_hd_huff_decode_context *ctx,
+                                     nghttp2_buf *buf, const uint8_t *src,
+                                     size_t srclen, int final) {
   const uint8_t *end = src + srclen;
-  nghttp2_huff_decode node = {ctx->fstate, 0};
-  const nghttp2_huff_decode *t = &node;
+  nghttp2_huff_decode t = {ctx->fstate, ctx->flags, 0};
   uint8_t c;
 
   /* We use the decoding algorithm described in
-     http://graphics.ics.uci.edu/pub/Prefix.pdf */
+      - http://graphics.ics.uci.edu/pub/Prefix.pdf [!!! NO LONGER VALID !!!]
+      - https://ics.uci.edu/~dan/pubs/Prefix.pdf
+      - https://github.com/nghttp2/nghttp2/files/15141264/Prefix.pdf */
   for (; src != end;) {
     c = *src++;
-    t = &huff_decode_table[t->fstate & 0x1ff][c >> 4];
-    if (t->fstate & NGHTTP2_HUFF_SYM) {
-      *buf->last++ = t->sym;
+    t = huff_decode_table[t.fstate][c >> 4];
+    if (t.flags & NGHTTP2_HUFF_SYM) {
+      *buf->last++ = t.sym;
     }
 
-    t = &huff_decode_table[t->fstate & 0x1ff][c & 0xf];
-    if (t->fstate & NGHTTP2_HUFF_SYM) {
-      *buf->last++ = t->sym;
+    t = huff_decode_table[t.fstate][c & 0xf];
+    if (t.flags & NGHTTP2_HUFF_SYM) {
+      *buf->last++ = t.sym;
     }
   }
 
-  ctx->fstate = t->fstate;
+  ctx->fstate = t.fstate;
+  ctx->flags = t.flags;
 
-  if (final && !(ctx->fstate & NGHTTP2_HUFF_ACCEPTED)) {
+  if (final && !(ctx->flags & NGHTTP2_HUFF_ACCEPTED)) {
     return NGHTTP2_ERR_HEADER_COMP;
   }
 
-  return (ssize_t)srclen;
+  return (nghttp2_ssize)srclen;
 }
 
 int nghttp2_hd_huff_decode_failure_state(nghttp2_hd_huff_decode_context *ctx) {