src: Rewrite DList

Rewrite DList, and now is named SList because it is Singly Linked
List.

.github/workflows/build.yml

@@ -7,11 +7,11 @@ permissions: read-all
 env:
   LIBBPF_VERSION: v1.6.2
   OPENSSL1_VERSION: 1_1_1w+quic
-  OPENSSL3_VERSION: 3.5.2
-  BORINGSSL_VERSION: 729648fb79df7bc46c145e49b0dfd8d2a24232f1
-  AWSLC_VERSION: v1.58.1
-  NGHTTP3_VERSION: v1.11.0
-  NGTCP2_VERSION: v1.15.1
+  OPENSSL3_VERSION: 3.6.0
+  BORINGSSL_VERSION: db1a8456167249f95b854a1cd24c6b553d0f1567
+  AWSLC_VERSION: v1.62.0
+  NGHTTP3_VERSION: v1.12.0
+  NGTCP2_VERSION: v1.17.0
   WOLFSSL_VERSION: v5.8.2-stable
 
 jobs:
@@ -524,7 +524,7 @@ jobs:
         cd $NGHTTP2_BUILD_DIR
         make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)"
         make -j"$(nproc 2> /dev/null || sysctl -n hw.ncpu)" check
-    - uses: actions/setup-go@v5
+    - uses: actions/setup-go@v6
       if: matrix.buildtool != 'distcheck'
       with:
         go-version: "1.24"
@@ -639,7 +639,7 @@ jobs:
         GPG_KEY: ${{ secrets.GPG_KEY }}
         GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
     - name: Make release
-      uses: actions/github-script@v7
+      uses: actions/github-script@v8
       with:
         script: |
           const fs = require('fs')

.github/workflows/fuzz.yml

@@ -24,7 +24,7 @@ jobs:
         fuzz-seconds: 600
         dry-run: false
     - name: Upload Crash
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       if: failure()
       with:
         name: artifacts

.github/workflows/stale.yaml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-24.04
 
     steps:
-    - uses: actions/stale@v9
+    - uses: actions/stale@v10
       with:
         stale-issue-message: 'This issue is stale because it has been open 30 days with no activity.  Remove stale label or comment or this will be closed in 7 days.'
         days-before-stale: 30

CMakeLists.txt

@@ -24,12 +24,12 @@
 
 cmake_minimum_required(VERSION 3.14)
 # XXX using 1.8.90 instead of 1.9.0-DEV
-project(nghttp2 VERSION 1.67.0 LANGUAGES C)
+project(nghttp2 VERSION 1.68.90 LANGUAGES C)
 
 # See versioning rule:
 #  https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
 set(LT_CURRENT  43)
-set(LT_REVISION 0)
+set(LT_REVISION 2)
 set(LT_AGE      29)
 
 set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH})

README.rst

@@ -126,9 +126,9 @@ following libraries are required:
   <https://github.com/quictls/openssl/tree/OpenSSL_1_1_1w+quic>`_; or
   wolfSSL; or LibreSSL (does not support 0RTT); or aws-lc; or
   `BoringSSL <https://boringssl.googlesource.com/boringssl/>`_ (commit
-  729648fb79df7bc46c145e49b0dfd8d2a24232f1); or OpenSSL >= 3.5.0
-* `ngtcp2 <https://github.com/ngtcp2/ngtcp2>`_ >= 1.15.0
-* `nghttp3 <https://github.com/ngtcp2/nghttp3>`_ >= 1.11.0
+  db1a8456167249f95b854a1cd24c6b553d0f1567); or OpenSSL >= 3.5.0
+* `ngtcp2 <https://github.com/ngtcp2/ngtcp2>`_ >= 1.16.0
+* `nghttp3 <https://github.com/ngtcp2/nghttp3>`_ >= 1.12.0
 
 Use ``--enable-http3`` configure option to enable HTTP/3 feature for
 h2load and nghttpx.
@@ -340,7 +340,7 @@ Build aws-lc:
 
 .. code-block:: text
 
-   $ git clone --depth 1 -b v1.58.1 https://github.com/aws/aws-lc
+   $ git clone --depth 1 -b v1.62.0 https://github.com/aws/aws-lc
    $ cd aws-lc
    $ cmake -B build -DDISABLE_GO=ON --install-prefix=$PWD/opt
    $ make -j$(nproc) -C build
@@ -351,7 +351,7 @@ Build nghttp3:
 
 .. code-block:: text
 
-   $ git clone --depth 1 -b v1.11.0 https://github.com/ngtcp2/nghttp3
+   $ git clone --depth 1 -b v1.12.0 https://github.com/ngtcp2/nghttp3
    $ cd nghttp3
    $ git submodule update --init --depth 1
    $ autoreconf -i
@@ -364,7 +364,7 @@ Build ngtcp2:
 
 .. code-block:: text
 
-   $ git clone --depth 1 -b v1.15.1 https://github.com/ngtcp2/ngtcp2
+   $ git clone --depth 1 -b v1.17.0 https://github.com/ngtcp2/ngtcp2
    $ cd ngtcp2
    $ git submodule update --init --depth 1
    $ autoreconf -i

configure.ac

@@ -25,7 +25,7 @@ dnl Do not change user variables!
 dnl https://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html
 
 AC_PREREQ(2.61)
-AC_INIT([nghttp2], [1.67.0], [t-tujikawa@users.sourceforge.net])
+AC_INIT([nghttp2], [1.69.0-DEV], [t-tujikawa@users.sourceforge.net])
 AC_CONFIG_AUX_DIR([.])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_HEADERS([config.h])
@@ -45,7 +45,7 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
 dnl See versioning rule:
 dnl  https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
 AC_SUBST(LT_CURRENT, 43)
-AC_SUBST(LT_REVISION, 0)
+AC_SUBST(LT_REVISION, 2)
 AC_SUBST(LT_AGE, 29)
 
 major=`echo $PACKAGE_VERSION |cut -d. -f1 | sed -e "s/[^0-9]//g"`
@@ -532,7 +532,7 @@ fi
 # ngtcp2 (for src)
 have_libngtcp2=no
 if test "x${request_libngtcp2}" != "xno"; then
-  PKG_CHECK_MODULES([LIBNGTCP2], [libngtcp2 >= 1.15.0], [have_libngtcp2=yes],
+  PKG_CHECK_MODULES([LIBNGTCP2], [libngtcp2 >= 1.16.0], [have_libngtcp2=yes],
                     [have_libngtcp2=no])
   if test "x${have_libngtcp2}" = "xno"; then
     AC_MSG_NOTICE($LIBNGTCP2_PKG_ERRORS)
@@ -549,7 +549,7 @@ have_libngtcp2_crypto_wolfssl=no
 if test "x${have_wolfssl_quic}" = "xyes" &&
    test "x${request_libngtcp2}" != "xno"; then
   PKG_CHECK_MODULES([LIBNGTCP2_CRYPTO_WOLFSSL],
-                    [libngtcp2_crypto_wolfssl >= 1.15.0],
+                    [libngtcp2_crypto_wolfssl >= 1.16.0],
                     [have_libngtcp2_crypto_wolfssl=yes],
                     [have_libngtcp2_crypto_wolfssl=no])
   if test "x${have_libngtcp2_crypto_wolfssl}" = "xno"; then
@@ -573,7 +573,7 @@ if test "x${have_ssl_provide_quic_data}" = "xyes" &&
    test "x${have_boringssl_quic}" != "xyes" &&
    test "x${request_libngtcp2}" != "xno"; then
   PKG_CHECK_MODULES([LIBNGTCP2_CRYPTO_QUICTLS],
-                    [libngtcp2_crypto_quictls >= 1.15.0],
+                    [libngtcp2_crypto_quictls >= 1.16.0],
                     [have_libngtcp2_crypto_quictls=yes],
                     [have_libngtcp2_crypto_quictls=no])
   if test "x${have_libngtcp2_crypto_quictls}" = "xno"; then
@@ -598,7 +598,7 @@ if test "x${have_ssl_provide_quic_data}" = "xyes" &&
    test "x${have_libressl}" = "xyes" &&
    test "x${request_libngtcp2}" != "xno"; then
   PKG_CHECK_MODULES([LIBNGTCP2_CRYPTO_LIBRESSL],
-                    [libngtcp2_crypto_libressl >= 1.15.0],
+                    [libngtcp2_crypto_libressl >= 1.16.0],
                     [have_libngtcp2_crypto_libressl=yes],
                     [have_libngtcp2_crypto_libressl=no])
   if test "x${have_libngtcp2_crypto_libressl}" = "xno"; then
@@ -643,7 +643,7 @@ have_libngtcp2_crypto_ossl=no
 if test "x${have_ossl_quic}" = "xyes" &&
    test "x${request_libngtcp2}" != "xno"; then
   PKG_CHECK_MODULES([LIBNGTCP2_CRYPTO_OSSL],
-                    [libngtcp2_crypto_ossl >= 1.15.0],
+                    [libngtcp2_crypto_ossl >= 1.16.0],
                     [have_libngtcp2_crypto_ossl=yes],
                     [have_libngtcp2_crypto_ossl=no])
   if test "x${have_libngtcp2_crypto_ossl}" = "xno"; then
@@ -663,7 +663,7 @@ fi
 # nghttp3 (for src)
 have_libnghttp3=no
 if test "x${request_libnghttp3}" != "xno"; then
-  PKG_CHECK_MODULES([LIBNGHTTP3], [libnghttp3 >= 1.11.0], [have_libnghttp3=yes],
+  PKG_CHECK_MODULES([LIBNGHTTP3], [libnghttp3 >= 1.12.0], [have_libnghttp3=yes],
                     [have_libnghttp3=no])
   if test "x${have_libnghttp3}" = "xno"; then
     AC_MSG_NOTICE($LIBNGHTTP3_PKG_ERRORS)

doc/README.rst

@@ -111,7 +111,7 @@ The example follows::
 
 ``@struct`` is used to refer to the struct. Currently, only struct
 typedefs are supported. The comment block is used for the document for
-the struct type itself.To document each member, put comment block
+the struct type itself. To document each member, put comment block
 starting with the line ``/**`` and ending with the ``*/`` just before
 the member.  When the line starts with ``}`` is encountered, the
 ``mkapiref.py`` extracts strings next to ``}`` as the name of struct.

doc/bash_completion/nghttpd

@@ -8,7 +8,7 @@ _nghttpd()
     _get_comp_words_by_ref cur prev
     case $cur in
         -*)
-            COMPREPLY=( $( compgen -W '--address --daemon --verify-client --htdocs --verbose --no-tls --header-table-size --encoder-header-table-size --color --push --padding --max-concurrent-streams --workers --error-gzip --window-bits --connection-window-bits --dh-param-file --early-response --trailer --hexdump --echo-upload --mime-types-file --no-content-length --ktls --version --help ' -- "$cur" ) )
+            COMPREPLY=( $( compgen -W '--address --daemon --verify-client --htdocs --verbose --no-tls --header-table-size --encoder-header-table-size --color --push --padding --max-concurrent-streams --workers --error-gzip --window-bits --connection-window-bits --dh-param-file --early-response --trailer --hexdump --echo-upload --mime-types-file --no-content-length --groups --ktls --version --help ' -- "$cur" ) )
             ;;
         *)
             _filedir

doc/bash_completion/nghttpx

@@ -8,7 +8,7 @@ _nghttpx()
     _get_comp_words_by_ref cur prev
     case $cur in
         -*)
-            COMPREPLY=( $( compgen -W '--backend --frontend --backlog --backend-address-family --backend-http-proxy-uri --workers --single-thread --read-rate --read-burst --write-rate --write-burst --worker-read-rate --worker-read-burst --worker-write-rate --worker-write-burst --worker-frontend-connections --backend-connections-per-host --backend-connections-per-frontend --rlimit-nofile --rlimit-memlock --backend-request-buffer --backend-response-buffer --fastopen --no-kqueue --frontend-http2-idle-timeout --frontend-http3-idle-timeout --frontend-write-timeout --frontend-keep-alive-timeout --frontend-header-timeout --stream-read-timeout --stream-write-timeout --backend-read-timeout --backend-write-timeout --backend-connect-timeout --backend-keep-alive-timeout --listener-disable-timeout --frontend-http2-setting-timeout --backend-http2-settings-timeout --backend-max-backoff --ciphers --tls13-ciphers --client-ciphers --tls13-client-ciphers --ecdh-curves --insecure --cacert --private-key-passwd-file --subcert --dh-param-file --alpn-list --verify-client --verify-client-cacert --verify-client-tolerate-expired --client-private-key-file --client-cert-file --tls-min-proto-version --tls-max-proto-version --tls-ticket-key-file --tls-ticket-key-memcached --tls-ticket-key-memcached-address-family --tls-ticket-key-memcached-interval --tls-ticket-key-memcached-max-retry --tls-ticket-key-memcached-max-fail --tls-ticket-key-cipher --tls-ticket-key-memcached-cert-file --tls-ticket-key-memcached-private-key-file --tls-dyn-rec-warmup-threshold --tls-dyn-rec-idle-timeout --no-http2-cipher-block-list --client-no-http2-cipher-block-list --tls-sct-dir --psk-secrets --client-psk-secrets --tls-no-postpone-early-data --tls-max-early-data --tls-ktls --frontend-http2-max-concurrent-streams --backend-http2-max-concurrent-streams --frontend-http2-window-size --frontend-http2-connection-window-size --backend-http2-window-size --backend-http2-connection-window-size --http2-no-cookie-crumbling --padding --no-server-push --frontend-http2-optimize-write-buffer-size --frontend-http2-optimize-window-size --frontend-http2-encoder-dynamic-table-size --frontend-http2-decoder-dynamic-table-size --backend-http2-encoder-dynamic-table-size --backend-http2-decoder-dynamic-table-size --http2-proxy --log-level --accesslog-file --accesslog-syslog --accesslog-format --accesslog-write-early --errorlog-file --errorlog-syslog --syslog-facility --add-x-forwarded-for --strip-incoming-x-forwarded-for --no-add-x-forwarded-proto --no-strip-incoming-x-forwarded-proto --add-forwarded --strip-incoming-forwarded --forwarded-by --forwarded-for --no-via --no-strip-incoming-early-data --no-location-rewrite --host-rewrite --altsvc --http2-altsvc --add-request-header --add-response-header --request-header-field-buffer --max-request-header-fields --response-header-field-buffer --max-response-header-fields --error-page --server-name --no-server-rewrite --redirect-https-port --require-http-scheme --api-max-request-body --dns-cache-timeout --dns-lookup-timeout --dns-max-try --frontend-max-requests --frontend-http2-dump-request-header --frontend-http2-dump-response-header --frontend-frame-debug --daemon --pid-file --user --single-process --max-worker-processes --worker-process-grace-shutdown-period --mruby-file --ignore-per-pattern-mruby-error --frontend-quic-idle-timeout --frontend-quic-debug-log --quic-bpf-program-file --frontend-quic-early-data --frontend-quic-qlog-dir --frontend-quic-require-token --frontend-quic-congestion-controller --frontend-quic-secret-file --quic-server-id --frontend-quic-initial-rtt --no-quic-bpf --frontend-http3-window-size --frontend-http3-connection-window-size --frontend-http3-max-window-size --frontend-http3-max-connection-window-size --frontend-http3-max-concurrent-streams --conf --include --version --help ' -- "$cur" ) )
+            COMPREPLY=( $( compgen -W '--backend --frontend --backlog --backend-address-family --backend-http-proxy-uri --workers --single-thread --read-rate --read-burst --write-rate --write-burst --worker-read-rate --worker-read-burst --worker-write-rate --worker-write-burst --worker-frontend-connections --backend-connections-per-host --backend-connections-per-frontend --rlimit-nofile --rlimit-memlock --backend-request-buffer --backend-response-buffer --fastopen --no-kqueue --frontend-http2-idle-timeout --frontend-http3-idle-timeout --frontend-write-timeout --frontend-keep-alive-timeout --frontend-header-timeout --stream-read-timeout --stream-write-timeout --backend-read-timeout --backend-write-timeout --backend-connect-timeout --backend-keep-alive-timeout --listener-disable-timeout --frontend-http2-setting-timeout --backend-http2-settings-timeout --backend-max-backoff --ciphers --tls13-ciphers --client-ciphers --tls13-client-ciphers --groups --insecure --cacert --private-key-passwd-file --subcert --dh-param-file --alpn-list --verify-client --verify-client-cacert --verify-client-tolerate-expired --client-private-key-file --client-cert-file --tls-min-proto-version --tls-max-proto-version --tls-ticket-key-file --tls-ticket-key-memcached --tls-ticket-key-memcached-address-family --tls-ticket-key-memcached-interval --tls-ticket-key-memcached-max-retry --tls-ticket-key-memcached-max-fail --tls-ticket-key-cipher --tls-ticket-key-memcached-cert-file --tls-ticket-key-memcached-private-key-file --tls-dyn-rec-warmup-threshold --tls-dyn-rec-idle-timeout --no-http2-cipher-block-list --client-no-http2-cipher-block-list --tls-sct-dir --psk-secrets --client-psk-secrets --tls-no-postpone-early-data --tls-max-early-data --tls-ktls --frontend-http2-max-concurrent-streams --backend-http2-max-concurrent-streams --frontend-http2-window-size --frontend-http2-connection-window-size --backend-http2-window-size --backend-http2-connection-window-size --http2-no-cookie-crumbling --padding --no-server-push --frontend-http2-optimize-write-buffer-size --frontend-http2-optimize-window-size --frontend-http2-encoder-dynamic-table-size --frontend-http2-decoder-dynamic-table-size --backend-http2-encoder-dynamic-table-size --backend-http2-decoder-dynamic-table-size --http2-proxy --log-level --accesslog-file --accesslog-syslog --accesslog-format --accesslog-write-early --errorlog-file --errorlog-syslog --syslog-facility --add-x-forwarded-for --strip-incoming-x-forwarded-for --no-add-x-forwarded-proto --no-strip-incoming-x-forwarded-proto --add-forwarded --strip-incoming-forwarded --forwarded-by --forwarded-for --no-via --no-strip-incoming-early-data --no-location-rewrite --host-rewrite --altsvc --http2-altsvc --add-request-header --add-response-header --request-header-field-buffer --max-request-header-fields --response-header-field-buffer --max-response-header-fields --error-page --server-name --no-server-rewrite --redirect-https-port --require-http-scheme --api-max-request-body --dns-cache-timeout --dns-lookup-timeout --dns-max-try --frontend-max-requests --frontend-http2-dump-request-header --frontend-http2-dump-response-header --frontend-frame-debug --daemon --pid-file --user --single-process --max-worker-processes --worker-process-grace-shutdown-period --mruby-file --ignore-per-pattern-mruby-error --frontend-quic-idle-timeout --frontend-quic-debug-log --quic-bpf-program-file --frontend-quic-early-data --frontend-quic-qlog-dir --frontend-quic-require-token --frontend-quic-congestion-controller --frontend-quic-secret-file --quic-server-id --frontend-quic-initial-rtt --no-quic-bpf --frontend-http3-window-size --frontend-http3-connection-window-size --frontend-http3-max-window-size --frontend-http3-max-connection-window-size --frontend-http3-max-concurrent-streams --conf --include --version --help ' -- "$cur" ) )
             ;;
         *)
             _filedir

doc/h2load.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "H2LOAD" "1" "Sep 02, 2025" "1.67.0" "nghttp2"
+.TH "H2LOAD" "1" "Oct 25, 2025" "1.68.0" "nghttp2"
 .SH NAME
 h2load \- HTTP/2 benchmarking tool
 .SH SYNOPSIS
@@ -109,9 +109,9 @@ Default: \fB16K\fP
 .TP
 .B \-w, \-\-window\-bits=<N>
 Sets the stream level initial window size to (2**<N>)\-1.
-For QUIC, <N> is capped to 26 (roughly 64MiB).
-.sp
-Default: \fB30\fP
+For  QUIC, <N>  is  capped to  26  (roughly 64MiB).   It
+defaults  to  24 (16MiB)  for  QUIC,  and 30  for  other
+protocols.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -388,7 +388,7 @@ The number of requests completed.
 .TP
 .B succeeded
 The number of requests completed successfully.  Only HTTP status
-code 2xx or3xx are considered as success.
+code 2xx or 3xx are considered as success.
 .TP
 .B failed
 The number of requests failed, including HTTP level failures

doc/h2load.1.rst

@@ -83,9 +83,9 @@ OPTIONS
 .. option:: -w, --window-bits=<N>
 
     Sets the stream level initial window size to (2\*\*<N>)-1.
-    For QUIC, <N> is capped to 26 (roughly 64MiB).
-
-    Default: ``30``
+    For  QUIC, <N>  is  capped to  26  (roughly 64MiB).   It
+    defaults  to  24 (16MiB)  for  QUIC,  and 30  for  other
+    protocols.
 
 .. option:: -W, --connection-window-bits=<N>
 
@@ -331,7 +331,7 @@ requests
     The number of requests completed.
   succeeded
     The number of requests completed successfully.  Only HTTP status
-    code 2xx or3xx are considered as success.
+    code 2xx or 3xx are considered as success.
   failed
     The number of requests failed, including HTTP level failures
     (non-successful HTTP status code).

doc/h2load.h2r

@@ -12,7 +12,7 @@ requests
     The number of requests completed.
   succeeded
     The number of requests completed successfully.  Only HTTP status
-    code 2xx or3xx are considered as success.
+    code 2xx or 3xx are considered as success.
   failed
     The number of requests failed, including HTTP level failures
     (non-successful HTTP status code).

doc/nghttp.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "NGHTTP" "1" "Sep 02, 2025" "1.67.0" "nghttp2"
+.TH "NGHTTP" "1" "Oct 25, 2025" "1.68.0" "nghttp2"
 .SH NAME
 nghttp \- HTTP/2 client
 .SH SYNOPSIS

doc/nghttpd.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "NGHTTPD" "1" "Sep 02, 2025" "1.67.0" "nghttp2"
+.TH "NGHTTPD" "1" "Oct 25, 2025" "1.68.0" "nghttp2"
 .SH NAME
 nghttpd \- HTTP/2 server
 .SH SYNOPSIS
@@ -204,6 +204,13 @@ Don\(aqt send content\-length header field.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-\-groups=<GROUPS>
+Specify the supported groups.
+.sp
+Default: \fBX25519:P\-256:P\-384:P\-521\fP
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-\-ktls
 Enable ktls.
 .UNINDENT

doc/nghttpd.1.rst

@@ -159,6 +159,12 @@ OPTIONS
 
     Don't send content-length header field.
 
+.. option:: --groups=<GROUPS>
+
+    Specify the supported groups.
+
+    Default: ``X25519:P-256:P-384:P-521``
+
 .. option:: --ktls
 
     Enable ktls.

doc/nghttpx.1

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "NGHTTPX" "1" "Sep 02, 2025" "1.67.0" "nghttp2"
+.TH "NGHTTPX" "1" "Oct 25, 2025" "1.68.0" "nghttp2"
 .SH NAME
 nghttpx \- HTTP/2 proxy
 .SH SYNOPSIS
@@ -687,8 +687,8 @@ Default: \fB2m\fP
 .B \-\-ciphers=<SUITE>
 Set allowed  cipher list  for frontend  connection.  The
 format of the string is described in OpenSSL ciphers(1).
-This option  sets cipher suites for  TLSv1.2 or earlier.
-Use \fI\%\-\-tls13\-ciphers\fP for TLSv1.3.
+This  option  sets  cipher   suites  for  TLSv1.2.   Use
+\fI\%\-\-tls13\-ciphers\fP for TLSv1.3.
 .sp
 Default: \fBECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:ECDHE\-ECDSA\-AES256\-GCM\-SHA384:ECDHE\-RSA\-AES256\-GCM\-SHA384:ECDHE\-ECDSA\-CHACHA20\-POLY1305:ECDHE\-RSA\-CHACHA20\-POLY1305:DHE\-RSA\-AES128\-GCM\-SHA256:DHE\-RSA\-AES256\-GCM\-SHA384\fP
 .UNINDENT
@@ -698,7 +698,7 @@ Default: \fBECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:EC
 Set allowed  cipher list  for frontend  connection.  The
 format of the string is described in OpenSSL ciphers(1).
 This  option  sets  cipher   suites  for  TLSv1.3.   Use
-\fI\%\-\-ciphers\fP for TLSv1.2 or earlier.
+\fI\%\-\-ciphers\fP for TLSv1.2.
 .sp
 Default: \fBTLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256\fP
 .UNINDENT
@@ -707,8 +707,8 @@ Default: \fBTLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_
 .B \-\-client\-ciphers=<SUITE>
 Set  allowed cipher  list for  backend connection.   The
 format of the string is described in OpenSSL ciphers(1).
-This option  sets cipher suites for  TLSv1.2 or earlier.
-Use \fI\%\-\-tls13\-client\-ciphers\fP for TLSv1.3.
+This  option  sets  cipher   suites  for  TLSv1.2.   Use
+\fI\%\-\-tls13\-client\-ciphers\fP for TLSv1.3.
 .sp
 Default: \fBECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:ECDHE\-ECDSA\-AES256\-GCM\-SHA384:ECDHE\-RSA\-AES256\-GCM\-SHA384:ECDHE\-ECDSA\-CHACHA20\-POLY1305:ECDHE\-RSA\-CHACHA20\-POLY1305:DHE\-RSA\-AES128\-GCM\-SHA256:DHE\-RSA\-AES256\-GCM\-SHA384\fP
 .UNINDENT
@@ -718,15 +718,15 @@ Default: \fBECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:EC
 Set  allowed cipher  list for  backend connection.   The
 format of the string is described in OpenSSL ciphers(1).
 This  option  sets  cipher   suites  for  TLSv1.3.   Use
-\fI\%\-\-tls13\-client\-ciphers\fP for TLSv1.2 or earlier.
+\fI\%\-\-client\-ciphers\fP for TLSv1.2.
 .sp
 Default: \fBTLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256\fP
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-ecdh\-curves=<LIST>
-Set  supported  curve  list  for  frontend  connections.
-<LIST> is a  colon separated list of curve  NID or names
+.B \-\-groups=<LIST>
+Set the  supported group list for  frontend connections.
+<LIST> is a  colon separated list of group  NID or names
 in the preference order.  The supported curves depend on
 the  linked  OpenSSL  library.  This  function  requires
 OpenSSL >= 1.0.2.
@@ -762,12 +762,12 @@ password protected it\(aqll be requested interactively.
 Specify  additional certificate  and  private key  file.
 nghttpx will  choose certificates based on  the hostname
 indicated by client using TLS SNI extension.  If nghttpx
-is  built with  OpenSSL  >= 1.0.2,  the shared  elliptic
-curves (e.g., P\-256) between  client and server are also
-taken into  consideration.  This allows nghttpx  to send
-ECDSA certificate  to modern clients, while  sending RSA
-based certificate to older  clients.  This option can be
-used  multiple  times.
+is built with OpenSSL >= 1.0.2, the signature algorithms
+(e.g., ECDSA+SHA256) presented by  client are also taken
+into consideration.  This allows  nghttpx to send ML\-DSA
+or ECDSA  certificate to  modern clients,  while sending
+RSA based certificate to older clients.  This option can
+be used multiple times.
 .sp
 Additional parameter  can be specified in  <PARAM>.  The
 available <PARAM> is \(dqsct\-dir=<DIR>\(dq.
@@ -836,12 +836,8 @@ done in  case\-insensitive manner.  The  versions between
 \fI\%\-\-tls\-min\-proto\-version\fP and  \fI\%\-\-tls\-max\-proto\-version\fP are
 enabled.  If the protocol list advertised by client does
 not  overlap  this range,  you  will  receive the  error
-message \(dqunknown protocol\(dq.  If a protocol version lower
-than TLSv1.2 is specified, make sure that the compatible
-ciphers are  included in \fI\%\-\-ciphers\fP option.   The default
-cipher  list  only   includes  ciphers  compatible  with
-TLSv1.2 or above.  The available versions are:
-TLSv1.3, TLSv1.2, TLSv1.1, and TLSv1.0
+message \(dqunknown protocol\(dq.  The available versions are:
+TLSv1.3 and TLSv1.2
 .sp
 Default: \fBTLSv1.2\fP
 .UNINDENT
@@ -854,7 +850,7 @@ done in  case\-insensitive manner.  The  versions between
 enabled.  If the protocol list advertised by client does
 not  overlap  this range,  you  will  receive the  error
 message \(dqunknown protocol\(dq.  The available versions are:
-TLSv1.3, TLSv1.2, TLSv1.1, and TLSv1.0
+TLSv1.3 and TLSv1.2
 .sp
 Default: \fBTLSv1.3\fP
 .UNINDENT

doc/nghttpx.1.rst

@@ -643,8 +643,8 @@ SSL/TLS
 
     Set allowed  cipher list  for frontend  connection.  The
     format of the string is described in OpenSSL ciphers(1).
-    This option  sets cipher suites for  TLSv1.2 or earlier.
-    Use :option:`--tls13-ciphers` for TLSv1.3.
+    This  option  sets  cipher   suites  for  TLSv1.2.   Use
+    :option:`--tls13-ciphers` for TLSv1.3.
 
     Default: ``ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384``
 
@@ -653,7 +653,7 @@ SSL/TLS
     Set allowed  cipher list  for frontend  connection.  The
     format of the string is described in OpenSSL ciphers(1).
     This  option  sets  cipher   suites  for  TLSv1.3.   Use
-    :option:`--ciphers` for TLSv1.2 or earlier.
+    :option:`--ciphers` for TLSv1.2.
 
     Default: ``TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256``
 
@@ -661,8 +661,8 @@ SSL/TLS
 
     Set  allowed cipher  list for  backend connection.   The
     format of the string is described in OpenSSL ciphers(1).
-    This option  sets cipher suites for  TLSv1.2 or earlier.
-    Use :option:`--tls13-client-ciphers` for TLSv1.3.
+    This  option  sets  cipher   suites  for  TLSv1.2.   Use
+    :option:`--tls13-client-ciphers` for TLSv1.3.
 
     Default: ``ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384``
 
@@ -671,14 +671,14 @@ SSL/TLS
     Set  allowed cipher  list for  backend connection.   The
     format of the string is described in OpenSSL ciphers(1).
     This  option  sets  cipher   suites  for  TLSv1.3.   Use
-    :option:`--tls13-client-ciphers` for TLSv1.2 or earlier.
+    :option:`--client-ciphers` for TLSv1.2.
 
     Default: ``TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256``
 
-.. option:: --ecdh-curves=<LIST>
+.. option:: --groups=<LIST>
 
-    Set  supported  curve  list  for  frontend  connections.
-    <LIST> is a  colon separated list of curve  NID or names
+    Set the  supported group list for  frontend connections.
+    <LIST> is a  colon separated list of group  NID or names
     in the preference order.  The supported curves depend on
     the  linked  OpenSSL  library.  This  function  requires
     OpenSSL >= 1.0.2.
@@ -710,12 +710,12 @@ SSL/TLS
     Specify  additional certificate  and  private key  file.
     nghttpx will  choose certificates based on  the hostname
     indicated by client using TLS SNI extension.  If nghttpx
-    is  built with  OpenSSL  >= 1.0.2,  the shared  elliptic
-    curves (e.g., P-256) between  client and server are also
-    taken into  consideration.  This allows nghttpx  to send
-    ECDSA certificate  to modern clients, while  sending RSA
-    based certificate to older  clients.  This option can be
-    used  multiple  times.
+    is built with OpenSSL >= 1.0.2, the signature algorithms
+    (e.g., ECDSA+SHA256) presented by  client are also taken
+    into consideration.  This allows  nghttpx to send ML-DSA
+    or ECDSA  certificate to  modern clients,  while sending
+    RSA based certificate to older clients.  This option can
+    be used multiple times.
 
     Additional parameter  can be specified in  <PARAM>.  The
     available <PARAM> is "sct-dir=<DIR>".
@@ -776,12 +776,8 @@ SSL/TLS
     :option:`--tls-min-proto-version` and  :option:`\--tls-max-proto-version` are
     enabled.  If the protocol list advertised by client does
     not  overlap  this range,  you  will  receive the  error
-    message "unknown protocol".  If a protocol version lower
-    than TLSv1.2 is specified, make sure that the compatible
-    ciphers are  included in :option:`--ciphers` option.   The default
-    cipher  list  only   includes  ciphers  compatible  with
-    TLSv1.2 or above.  The available versions are:
-    TLSv1.3, TLSv1.2, TLSv1.1, and TLSv1.0
+    message "unknown protocol".  The available versions are:
+    TLSv1.3 and TLSv1.2
 
     Default: ``TLSv1.2``
 
@@ -793,7 +789,7 @@ SSL/TLS
     enabled.  If the protocol list advertised by client does
     not  overlap  this range,  you  will  receive the  error
     message "unknown protocol".  The available versions are:
-    TLSv1.3, TLSv1.2, TLSv1.1, and TLSv1.0
+    TLSv1.3 and TLSv1.2
 
     Default: ``TLSv1.3``
 

docker/Dockerfile

@@ -9,7 +9,7 @@ RUN apt-get update && \
         zlib1g-dev libev-dev libjemalloc-dev ruby-dev libc-ares-dev bison \
         libelf-dev libbrotli-dev
 
-RUN git clone --recursive --shallow-submodules --depth 1 -b v1.58.1 https://github.com/aws/aws-lc && \
+RUN git clone --recursive --shallow-submodules --depth 1 -b v1.62.0 https://github.com/aws/aws-lc && \
     cd aws-lc && \
     export CC=clang-19 CXX=clang++-19 && \
     cmake -B build -DDISABLE_GO=ON && \
@@ -18,7 +18,7 @@ RUN git clone --recursive --shallow-submodules --depth 1 -b v1.58.1 https://gith
     cd .. && \
     rm -rf aws-lc
 
-RUN git clone --recursive --shallow-submodules --depth 1 -b v1.11.0 https://github.com/ngtcp2/nghttp3 && \
+RUN git clone --recursive --shallow-submodules --depth 1 -b v1.12.0 https://github.com/ngtcp2/nghttp3 && \
     cd nghttp3 && \
     autoreconf -i && \
     ./configure --disable-dependency-tracking --enable-lib-only \
@@ -28,7 +28,7 @@ RUN git clone --recursive --shallow-submodules --depth 1 -b v1.11.0 https://gith
     cd .. && \
     rm -rf nghttp3
 
-RUN git clone --recursive --shallow-submodules --depth 1 -b v1.15.1 https://github.com/ngtcp2/ngtcp2 && \
+RUN git clone --recursive --shallow-submodules --depth 1 -b v1.17.0 https://github.com/ngtcp2/ngtcp2 && \
     cd ngtcp2 && \
     autoreconf -i && \
     ./configure --disable-dependency-tracking --enable-lib-only \

examples/client.c

@@ -28,26 +28,26 @@
  */
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <inttypes.h>
 #include <stdlib.h>
 #ifdef HAVE_UNISTD_H
 #  include <unistd.h>
-#endif /* HAVE_UNISTD_H */
+#endif /* defined(HAVE_UNISTD_H) */
 #ifdef HAVE_FCNTL_H
 #  include <fcntl.h>
-#endif /* HAVE_FCNTL_H */
+#endif /* defined(HAVE_FCNTL_H) */
 #include <sys/types.h>
 #ifdef HAVE_SYS_SOCKET_H
 #  include <sys/socket.h>
-#endif /* HAVE_SYS_SOCKET_H */
+#endif /* defined(HAVE_SYS_SOCKET_H) */
 #ifdef HAVE_NETDB_H
 #  include <netdb.h>
-#endif /* HAVE_NETDB_H */
+#endif /* defined(HAVE_NETDB_H) */
 #ifdef HAVE_NETINET_IN_H
 #  include <netinet/in.h>
-#endif /* HAVE_NETINET_IN_H */
+#endif /* defined(HAVE_NETINET_IN_H) */
 #include <netinet/tcp.h>
 #include <poll.h>
 #include <signal.h>

examples/deflate.c

@@ -24,7 +24,7 @@
  */
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* !HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <stdio.h>
 #include <string.h>

examples/libevent-client.c

@@ -31,26 +31,26 @@
     }
 #  define warnx(format, args...) fprintf(stderr, format "\n", ##args)
 char *strndup(const char *s, size_t size);
-#endif
+#endif /* defined(__sgi) */
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <sys/types.h>
 #ifdef HAVE_UNISTD_H
 #  include <unistd.h>
-#endif /* HAVE_UNISTD_H */
+#endif /* defined(HAVE_UNISTD_H) */
 #ifdef HAVE_SYS_SOCKET_H
 #  include <sys/socket.h>
-#endif /* HAVE_SYS_SOCKET_H */
+#endif /* defined(HAVE_SYS_SOCKET_H) */
 #ifdef HAVE_NETINET_IN_H
 #  include <netinet/in.h>
-#endif /* HAVE_NETINET_IN_H */
+#endif /* defined(HAVE_NETINET_IN_H) */
 #include <netinet/tcp.h>
 #ifndef __sgi
 #  include <err.h>
-#endif
+#endif /* !defined(__sgi) */
 #include <signal.h>
 #include <string.h>
 

examples/libevent-server.c

@@ -30,35 +30,35 @@
     }
 #  define warn(format, args...) warnx(format ": %s", ##args, strerror(errno))
 #  define warnx(format, args...) fprintf(stderr, format "\n", ##args)
-#endif
+#endif /* defined(__sgi) */
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <sys/types.h>
 #ifdef HAVE_SYS_SOCKET_H
 #  include <sys/socket.h>
-#endif /* HAVE_SYS_SOCKET_H */
+#endif /* defined(HAVE_SYS_SOCKET_H) */
 #ifdef HAVE_NETDB_H
 #  include <netdb.h>
-#endif /* HAVE_NETDB_H */
+#endif /* defined(HAVE_NETDB_H) */
 #include <signal.h>
 #ifdef HAVE_UNISTD_H
 #  include <unistd.h>
-#endif /* HAVE_UNISTD_H */
+#endif /* defined(HAVE_UNISTD_H) */
 #include <sys/stat.h>
 #ifdef HAVE_FCNTL_H
 #  include <fcntl.h>
-#endif /* HAVE_FCNTL_H */
+#endif /* defined(HAVE_FCNTL_H) */
 #include <ctype.h>
 #ifdef HAVE_NETINET_IN_H
 #  include <netinet/in.h>
-#endif /* HAVE_NETINET_IN_H */
+#endif /* defined(HAVE_NETINET_IN_H) */
 #include <netinet/tcp.h>
 #ifndef __sgi
 #  include <err.h>
-#endif
+#endif /* !defined(__sgi) */
 #include <string.h>
 #include <errno.h>
 
@@ -136,11 +136,11 @@ static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
                                  SSL_OP_NO_COMPRESSION |
                                  SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
-  if (SSL_CTX_set1_curves_list(ssl_ctx, "P-256") != 1) {
-    errx(1, "SSL_CTX_set1_curves_list failed: %s",
+  if (SSL_CTX_set1_groups_list(ssl_ctx, "P-256") != 1) {
+    errx(1, "SSL_CTX_set1_groups_list failed: %s",
          ERR_error_string(ERR_get_error(), NULL));
   }
-#else  /* !(OPENSSL_VERSION_NUMBER >= 0x30000000L) */
+#else  /* OPENSSL_VERSION_NUMBER < 0x30000000L */
   {
     EC_KEY *ecdh;
     ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
@@ -151,7 +151,7 @@ static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
     SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
     EC_KEY_free(ecdh);
   }
-#endif /* !(OPENSSL_VERSION_NUMBER >= 0x30000000L) */
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
   if (SSL_CTX_use_PrivateKey_file(ssl_ctx, key_file, SSL_FILETYPE_PEM) != 1) {
     errx(1, "Could not read private key file %s", key_file);
@@ -727,7 +727,7 @@ static void start_listen(struct event_base *evbase, const char *service,
   hints.ai_flags = AI_PASSIVE;
 #ifdef AI_ADDRCONFIG
   hints.ai_flags |= AI_ADDRCONFIG;
-#endif /* AI_ADDRCONFIG */
+#endif /* defined(AI_ADDRCONFIG) */
 
   rv = getaddrinfo(NULL, service, &hints, &res);
   if (rv != 0) {

gennghttpxfun.py

@@ -204,6 +204,7 @@ OPTIONS = [
     "frontend-header-timeout",
     "frontend-http2-idle-timeout",
     "frontend-http3-idle-timeout",
+    "groups",
 ]
 
 LOGVARS = [

go.mod

@@ -4,18 +4,17 @@ go 1.24.0
 
 require (
 	github.com/bradfitz/gomemcache v0.0.0-20230905024940-24af94b03874
-	github.com/quic-go/quic-go v0.54.0
+	github.com/quic-go/quic-go v0.55.0
 	github.com/tatsuhiro-t/go-nghttp2 v0.0.0-20240121064059-46ccb0a462a8
-	golang.org/x/net v0.43.0
+	golang.org/x/net v0.46.0
 )
 
 require (
 	github.com/quic-go/qpack v0.5.1 // indirect
-	go.uber.org/mock v0.5.0 // indirect
-	golang.org/x/crypto v0.41.0 // indirect
-	golang.org/x/mod v0.26.0 // indirect
-	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
-	golang.org/x/text v0.28.0 // indirect
-	golang.org/x/tools v0.35.0 // indirect
+	golang.org/x/crypto v0.43.0 // indirect
+	golang.org/x/mod v0.28.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sys v0.37.0 // indirect
+	golang.org/x/text v0.30.0 // indirect
+	golang.org/x/tools v0.37.0 // indirect
 )

go.sum

@@ -8,27 +8,27 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
 github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.54.0 h1:6s1YB9QotYI6Ospeiguknbp2Znb/jZYjZLRXn9kMQBg=
-github.com/quic-go/quic-go v0.54.0/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
+github.com/quic-go/quic-go v0.55.0 h1:zccPQIqYCXDt5NmcEabyYvOnomjs8Tlwl7tISjJh9Mk=
+github.com/quic-go/quic-go v0.55.0/go.mod h1:DR51ilwU1uE164KuWXhinFcKWGlEjzys2l8zUl5Ss1U=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tatsuhiro-t/go-nghttp2 v0.0.0-20240121064059-46ccb0a462a8 h1:zKJxuRe+a0O34V81GAZWOrotuU6mveT30QLjJ7OPMMg=
 github.com/tatsuhiro-t/go-nghttp2 v0.0.0-20240121064059-46ccb0a462a8/go.mod h1:gTqc3Q4boc+cKRlSFywTYdX9t6VGRcsThlNIWwaL3Dc=
-go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
-go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
-golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
-golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
-golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
-golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
+golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
+golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
+golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
+golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
+golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
+golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
+golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE=
+golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

integration-tests/server_tester.go

@@ -323,14 +323,14 @@ func (st *serverTester) Close() {
 			close(done)
 		}()
 
-		if err := st.cmd.Process.Signal(syscall.SIGQUIT); err != nil {
+		if err := st.cmd.Process.Signal(syscall.SIGQUIT); err != nil && !errors.Is(err, os.ErrProcessDone) {
 			st.t.Errorf("Error st.cmd.Process.Signal() = %v", err)
 		}
 
 		select {
 		case <-done:
 		case <-time.After(10 * time.Second):
-			if err := st.cmd.Process.Kill(); err != nil {
+			if err := st.cmd.Process.Kill(); err != nil && !errors.Is(err, os.ErrProcessDone) {
 				st.t.Errorf("Error st.cmd.Process.Kill() = %v", err)
 			}
 

lib/nghttp2_alpn.h

@@ -27,8 +27,8 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
-#endif /* NGHTTP2_ALPN_H */
+#endif /* !defined(NGHTTP2_ALPN_H) */

lib/nghttp2_buf.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -409,4 +409,4 @@ int nghttp2_bufs_next_present(nghttp2_bufs *bufs);
  */
 size_t nghttp2_bufs_len(nghttp2_bufs *bufs);
 
-#endif /* NGHTTP2_BUF_H */
+#endif /* !defined(NGHTTP2_BUF_H) */

lib/nghttp2_callbacks.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -154,4 +154,4 @@ struct nghttp2_session_callbacks {
   nghttp2_rand_callback rand_callback;
 };
 
-#endif /* NGHTTP2_CALLBACKS_H */
+#endif /* !defined(NGHTTP2_CALLBACKS_H) */

lib/nghttp2_debug.c

@@ -50,11 +50,11 @@ void nghttp2_set_debug_vprintf_callback(
   static_debug_vprintf_callback = debug_vprintf_callback;
 }
 
-#else /* !DEBUGBUILD */
+#else /* !defined(DEBUGBUILD) */
 
 void nghttp2_set_debug_vprintf_callback(
   nghttp2_debug_vprintf_callback debug_vprintf_callback) {
   (void)debug_vprintf_callback;
 }
 
-#endif /* !DEBUGBUILD */
+#endif /* !defined(DEBUGBUILD) */

lib/nghttp2_debug.h

@@ -27,17 +27,17 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
 #ifdef DEBUGBUILD
 #  define DEBUGF(...) nghttp2_debug_vprintf(__VA_ARGS__)
 void nghttp2_debug_vprintf(const char *format, ...);
-#else
+#else /* !defined(DEBUGBUILD) */
 #  define DEBUGF(...)                                                          \
     do {                                                                       \
     } while (0)
-#endif
+#endif /* !defined(DEBUGBUILD) */
 
-#endif /* NGHTTP2_DEBUG_H */
+#endif /* !defined(NGHTTP2_DEBUG_H) */

lib/nghttp2_extpri.h

@@ -28,7 +28,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -62,4 +62,4 @@ void nghttp2_extpri_from_uint8(nghttp2_extpri *extpri, uint8_t u8extpri);
  */
 #define nghttp2_extpri_uint8_inc(PRI) (((PRI) & NGHTTP2_EXTPRI_INC_MASK) != 0)
 
-#endif /* NGHTTP2_EXTPRI_H */
+#endif /* !defined(NGHTTP2_EXTPRI_H) */

lib/nghttp2_frame.h

@@ -27,17 +27,14 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 #include "nghttp2_hd.h"
 #include "nghttp2_buf.h"
 
 #define NGHTTP2_STREAM_ID_MASK ((1u << 31) - 1)
-#define NGHTTP2_PRI_GROUP_ID_MASK ((1u << 31) - 1)
-#define NGHTTP2_PRIORITY_MASK ((1u << 31) - 1)
 #define NGHTTP2_WINDOW_SIZE_INCREMENT_MASK ((1u << 31) - 1)
-#define NGHTTP2_SETTINGS_ID_MASK ((1 << 24) - 1)
 
 /* The number of bytes of frame header. */
 #define NGHTTP2_FRAME_HDLEN 9
@@ -634,4 +631,4 @@ int nghttp2_iv_check(const nghttp2_settings_entry *iv, size_t niv);
 void nghttp2_frame_add_pad(nghttp2_bufs *bufs, nghttp2_frame_hd *hd,
                            size_t padlen, int framehd_only);
 
-#endif /* NGHTTP2_FRAME_H */
+#endif /* !defined(NGHTTP2_FRAME_H) */

lib/nghttp2_hd.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -439,4 +439,4 @@ nghttp2_ssize nghttp2_hd_huff_decode(nghttp2_hd_huff_decode_context *ctx,
  */
 int nghttp2_hd_huff_decode_failure_state(nghttp2_hd_huff_decode_context *ctx);
 
-#endif /* NGHTTP2_HD_H */
+#endif /* !defined(NGHTTP2_HD_H) */

lib/nghttp2_hd_huffman.c

@@ -104,15 +104,15 @@ int nghttp2_hd_huff_encode(nghttp2_bufs *bufs, const uint8_t *src,
 }
 
 void nghttp2_hd_huff_decode_context_init(nghttp2_hd_huff_decode_context *ctx) {
-  ctx->fstate = NGHTTP2_HUFF_ACCEPTED;
+  ctx->fstate = 0;
+  ctx->flags = NGHTTP2_HUFF_ACCEPTED;
 }
 
 nghttp2_ssize nghttp2_hd_huff_decode(nghttp2_hd_huff_decode_context *ctx,
                                      nghttp2_buf *buf, const uint8_t *src,
                                      size_t srclen, int final) {
   const uint8_t *end = src + srclen;
-  nghttp2_huff_decode node = {ctx->fstate, 0};
-  const nghttp2_huff_decode *t = &node;
+  nghttp2_huff_decode t = {ctx->fstate, ctx->flags, 0};
   uint8_t c;
 
   /* We use the decoding algorithm described in
@@ -121,20 +121,21 @@ nghttp2_ssize nghttp2_hd_huff_decode(nghttp2_hd_huff_decode_context *ctx,
       - https://github.com/nghttp2/nghttp2/files/15141264/Prefix.pdf */
   for (; src != end;) {
     c = *src++;
-    t = &huff_decode_table[t->fstate & 0x1ff][c >> 4];
-    if (t->fstate & NGHTTP2_HUFF_SYM) {
-      *buf->last++ = t->sym;
+    t = huff_decode_table[t.fstate][c >> 4];
+    if (t.flags & NGHTTP2_HUFF_SYM) {
+      *buf->last++ = t.sym;
     }
 
-    t = &huff_decode_table[t->fstate & 0x1ff][c & 0xf];
-    if (t->fstate & NGHTTP2_HUFF_SYM) {
-      *buf->last++ = t->sym;
+    t = huff_decode_table[t.fstate][c & 0xf];
+    if (t.flags & NGHTTP2_HUFF_SYM) {
+      *buf->last++ = t.sym;
     }
   }
 
-  ctx->fstate = t->fstate;
+  ctx->fstate = t.fstate;
+  ctx->flags = t.flags;
 
-  if (final && !(ctx->fstate & NGHTTP2_HUFF_ACCEPTED)) {
+  if (final && !(ctx->flags & NGHTTP2_HUFF_ACCEPTED)) {
     return NGHTTP2_ERR_HEADER_COMP;
   }
 

lib/nghttp2_hd_huffman.h

@@ -27,16 +27,16 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
 typedef enum {
   /* FSA accepts this state as the end of huffman encoding
      sequence. */
-  NGHTTP2_HUFF_ACCEPTED = 1 << 14,
+  NGHTTP2_HUFF_ACCEPTED = 1,
   /* This state emits symbol */
-  NGHTTP2_HUFF_SYM = 1 << 15,
+  NGHTTP2_HUFF_SYM = 1 << 1,
 } nghttp2_huff_decode_flag;
 
 typedef struct {
@@ -48,6 +48,7 @@ typedef struct {
      a special node and it is a terminal state that means decoding
      failed. */
   uint16_t fstate;
+  uint8_t flags;
   /* symbol if NGHTTP2_HUFF_SYM flag set */
   uint8_t sym;
 } nghttp2_huff_decode;
@@ -57,6 +58,7 @@ typedef nghttp2_huff_decode huff_decode_table_type[16];
 typedef struct {
   /* fstate is the current huffman decoding state. */
   uint16_t fstate;
+  uint8_t flags;
 } nghttp2_hd_huff_decode_context;
 
 typedef struct {
@@ -69,4 +71,4 @@ typedef struct {
 extern const nghttp2_huff_sym huff_sym_table[];
 extern const nghttp2_huff_decode huff_decode_table[][16];
 
-#endif /* NGHTTP2_HD_HUFFMAN_H */
+#endif /* !defined(NGHTTP2_HD_HUFFMAN_H) */

lib/nghttp2_helper.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <string.h>
 #include <stddef.h>
@@ -142,4 +142,4 @@ int nghttp2_should_send_window_update(int32_t local_window_size,
  */
 uint8_t *nghttp2_cpymem(uint8_t *dest, const void *src, size_t len);
 
-#endif /* NGHTTP2_HELPER_H */
+#endif /* !defined(NGHTTP2_HELPER_H) */

lib/nghttp2_http.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 #include "nghttp2_session.h"
@@ -97,4 +97,4 @@ void nghttp2_http_record_request_method(nghttp2_stream *stream,
 int nghttp2_http_parse_priority(nghttp2_extpri *dest, const uint8_t *value,
                                 size_t valuelen);
 
-#endif /* NGHTTP2_HTTP_H */
+#endif /* !defined(NGHTTP2_HTTP_H) */

lib/nghttp2_int.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -39,7 +39,6 @@ typedef int (*nghttp2_less)(const void *lhs, const void *rhs);
 /* Internal error code. They must be in the range [-499, -100],
    inclusive. */
 typedef enum {
-  NGHTTP2_ERR_CREDENTIAL_PENDING = -101,
   NGHTTP2_ERR_IGN_HEADER_BLOCK = -103,
   NGHTTP2_ERR_IGN_PAYLOAD = -104,
   /*
@@ -59,4 +58,4 @@ typedef enum {
   NGHTTP2_ERR_PUSH_CANCEL = -107,
 } nghttp2_internal_error;
 
-#endif /* NGHTTP2_INT_H */
+#endif /* !defined(NGHTTP2_INT_H) */

lib/nghttp2_map.c

@@ -33,12 +33,11 @@
 
 #define NGHTTP2_INITIAL_HASHBITS 4
 
-void nghttp2_map_init(nghttp2_map *map, uint32_t seed, nghttp2_mem *mem) {
-  map->mem = mem;
-  map->hashbits = 0;
-  map->table = NULL;
-  map->seed = seed;
-  map->size = 0;
+void nghttp2_map_init(nghttp2_map *map, uint64_t seed, nghttp2_mem *mem) {
+  *map = (nghttp2_map){
+    .mem = mem,
+    .seed = seed,
+  };
 }
 
 void nghttp2_map_free(nghttp2_map *map) {
@@ -46,30 +45,27 @@ void nghttp2_map_free(nghttp2_map *map) {
     return;
   }
 
-  nghttp2_mem_free(map->mem, map->table);
+  nghttp2_mem_free(map->mem, map->keys);
 }
 
 int nghttp2_map_each(const nghttp2_map *map, int (*func)(void *data, void *ptr),
                      void *ptr) {
   int rv;
   size_t i;
-  nghttp2_map_bucket *bkt;
   size_t tablelen;
 
   if (map->size == 0) {
     return 0;
   }
 
-  tablelen = 1u << map->hashbits;
+  tablelen = (size_t)1 << map->hashbits;
 
   for (i = 0; i < tablelen; ++i) {
-    bkt = &map->table[i];
-
-    if (bkt->data == NULL) {
+    if (map->psl[i] == 0) {
       continue;
     }
 
-    rv = func(bkt->data, ptr);
+    rv = func(map->data[i], ptr);
     if (rv != 0) {
       return rv;
     }
@@ -78,175 +74,230 @@ int nghttp2_map_each(const nghttp2_map *map, int (*func)(void *data, void *ptr),
   return 0;
 }
 
-static size_t map_hash(const nghttp2_map *map, nghttp2_map_key_type key) {
-  /* hasher from
-     https://github.com/rust-lang/rustc-hash/blob/dc5c33f1283de2da64d8d7a06401d91aded03ad4/src/lib.rs
-     We do not perform finalization here because we use top bits
-     anyway. */
-  uint32_t h = ((uint32_t)key + map->seed) * 0x93d765dd;
-  return (size_t)((h * 2654435769u) >> (32 - map->hashbits));
-}
+/* Hasher from
+   https://github.com/rust-lang/rustc-hash/blob/dc5c33f1283de2da64d8d7a06401d91aded03ad4/src/lib.rs
+   to maximize the output's sensitivity to all input bits. */
+#define NGHTTP2_MAP_HASHER 0xf1357aea2e62a9c5ull
+/* 64-bit Fibonacci hashing constant, Golden Ratio constant, to get
+   the high bits with the good distribution. */
+#define NGHTTP2_MAP_FIBO 0x9e3779b97f4a7c15ull
 
-static void map_bucket_swap(nghttp2_map_bucket *a, nghttp2_map_bucket *b) {
-  nghttp2_map_bucket c = *a;
+static size_t map_index(const nghttp2_map *map, nghttp2_map_key_type key32) {
+  uint64_t key = (uint64_t)key32;
 
-  *a = *b;
-  *b = c;
+  key += map->seed;
+  key *= NGHTTP2_MAP_HASHER;
+  return (size_t)((key * NGHTTP2_MAP_FIBO) >> (64 - map->hashbits));
 }
 
 #ifndef WIN32
 void nghttp2_map_print_distance(const nghttp2_map *map) {
   size_t i;
   size_t idx;
-  nghttp2_map_bucket *bkt;
   size_t tablelen;
 
   if (map->size == 0) {
     return;
   }
 
-  tablelen = 1u << map->hashbits;
+  tablelen = (size_t)1 << map->hashbits;
 
   for (i = 0; i < tablelen; ++i) {
-    bkt = &map->table[i];
-
-    if (bkt->data == NULL) {
+    if (map->psl[i] == 0) {
       fprintf(stderr, "@%zu <EMPTY>\n", i);
       continue;
     }
 
-    idx = map_hash(map, bkt->key);
-    fprintf(stderr, "@%zu hash=%zu key=%d base=%zu distance=%u\n", i,
-            map_hash(map, bkt->key), bkt->key, idx, bkt->psl);
+    idx = map_index(map, map->keys[i]);
+    fprintf(stderr, "@%zu key=%d base=%zu distance=%u\n", i, map->keys[i], idx,
+            map->psl[i] - 1);
   }
 }
 #endif /* !defined(WIN32) */
 
-static int map_insert(nghttp2_map *map, nghttp2_map_key_type key, void *data) {
-  size_t idx = map_hash(map, key);
-  nghttp2_map_bucket b = {
-    .key = key,
-    .data = data,
-  };
-  nghttp2_map_bucket *bkt;
-  size_t mask = (1u << map->hashbits) - 1;
+static void map_set_entry(nghttp2_map *map, size_t idx,
+                          nghttp2_map_key_type key, void *data, size_t psl) {
+  map->keys[idx] = key;
+  map->data[idx] = data;
+  map->psl[idx] = (uint8_t)psl;
+}
+
+#define NGHTTP2_SWAP(TYPE, A, B)                                               \
+  do {                                                                         \
+    TYPE t = (TYPE) * (A);                                                     \
+                                                                               \
+    *(A) = *(B);                                                               \
+    *(B) = t;                                                                  \
+  } while (0)
+
+/*
+ * map_insert inserts |key| and |data| to |map|, and returns the index
+ * where the pair is stored if it succeeds.  Otherwise, it returns one
+ * of the following negative error codes:
+ *
+ * NGHTTP2_ERR_INVALID_ARGUMENT
+ *     The another data associated to |key| is already present.
+ */
+static nghttp2_ssize map_insert(nghttp2_map *map, nghttp2_map_key_type key,
+                                void *data) {
+  size_t idx = map_index(map, key);
+  size_t mask = ((size_t)1 << map->hashbits) - 1;
+  size_t psl = 1;
+  size_t kpsl;
 
   for (;;) {
-    bkt = &map->table[idx];
+    kpsl = map->psl[idx];
 
-    if (bkt->data == NULL) {
-      *bkt = b;
+    if (kpsl == 0) {
+      map_set_entry(map, idx, key, data, psl);
       ++map->size;
-      return 0;
+
+      return (nghttp2_ssize)idx;
     }
 
-    if (b.psl > bkt->psl) {
-      map_bucket_swap(bkt, &b);
-    } else if (bkt->key == key) {
-      /* TODO This check is just a waste after first swap or if this
-         function is called from map_resize.  That said, there is no
-         difference with or without this conditional in performance
-         wise. */
+    if (psl > kpsl) {
+      NGHTTP2_SWAP(nghttp2_map_key_type, &key, &map->keys[idx]);
+      NGHTTP2_SWAP(void *, &data, &map->data[idx]);
+      NGHTTP2_SWAP(uint8_t, &psl, &map->psl[idx]);
+    } else if (map->keys[idx] == key) {
+      /* This check ensures that no duplicate keys are inserted.  But
+         it is just a waste after first swap or if this function is
+         called from map_resize.  That said, there is no difference
+         with or without this conditional in performance wise. */
       return NGHTTP2_ERR_INVALID_ARGUMENT;
     }
 
-    ++b.psl;
+    ++psl;
     idx = (idx + 1) & mask;
   }
 }
 
+/* NGHTTP2_MAP_MAX_HASHBITS is the maximum number of bits used for
+   hash table.  The theoretical limit of the maximum number of keys
+   that can be stored is 1 << NGHTTP2_MAP_MAX_HASHBITS. */
+#define NGHTTP2_MAP_MAX_HASHBITS (sizeof(size_t) * 8 - 1)
+
 static int map_resize(nghttp2_map *map, size_t new_hashbits) {
   size_t i;
-  nghttp2_map_bucket *bkt;
   size_t tablelen;
-  int rv;
+  nghttp2_ssize idx;
   nghttp2_map new_map = {
-    .table = nghttp2_mem_calloc(map->mem, 1u << new_hashbits,
-                                sizeof(nghttp2_map_bucket)),
     .mem = map->mem,
     .seed = map->seed,
     .hashbits = new_hashbits,
   };
-  (void)rv;
+  void *buf;
+  (void)idx;
 
-  if (new_map.table == NULL) {
+  if (new_hashbits > NGHTTP2_MAP_MAX_HASHBITS) {
     return NGHTTP2_ERR_NOMEM;
   }
 
+  tablelen = (size_t)1 << new_hashbits;
+
+  buf = nghttp2_mem_calloc(map->mem, tablelen,
+                           sizeof(nghttp2_map_key_type) + sizeof(void *) +
+                             sizeof(uint8_t));
+  if (buf == NULL) {
+    return NGHTTP2_ERR_NOMEM;
+  }
+
+  new_map.keys = buf;
+  new_map.data =
+    (void *)((uint8_t *)new_map.keys + tablelen * sizeof(nghttp2_map_key_type));
+  new_map.psl = (uint8_t *)new_map.data + tablelen * sizeof(void *);
+
   if (map->size) {
-    tablelen = 1u << map->hashbits;
+    tablelen = (size_t)1 << map->hashbits;
 
     for (i = 0; i < tablelen; ++i) {
-      bkt = &map->table[i];
-      if (bkt->data == NULL) {
+      if (map->psl[i] == 0) {
         continue;
       }
 
-      rv = map_insert(&new_map, bkt->key, bkt->data);
+      idx = map_insert(&new_map, map->keys[i], map->data[i]);
 
-      assert(0 == rv);
+      /* map_insert must not fail because all keys are unique during
+         resize. */
+      assert(idx >= 0);
     }
   }
 
-  nghttp2_mem_free(map->mem, map->table);
-  map->table = new_map.table;
+  nghttp2_mem_free(map->mem, map->keys);
+  map->keys = new_map.keys;
+  map->data = new_map.data;
+  map->psl = new_map.psl;
   map->hashbits = new_hashbits;
 
   return 0;
 }
 
+/* NGHTTP2_MAX_PSL_RESIZE_THRESH is the maximum psl threshold.  If
+   reached, resize the table. */
+#define NGHTTP2_MAX_PSL_RESIZE_THRESH 128
+
 int nghttp2_map_insert(nghttp2_map *map, nghttp2_map_key_type key, void *data) {
   int rv;
+  size_t tablelen;
+  nghttp2_ssize idx;
 
   assert(data);
 
-  /* Load factor is 7/8 */
-  /* Under the very initial condition, that is map->size == 0 and
-     map->hashbits == 0, 8 > 7 still holds nicely. */
-  if ((map->size + 1) * 8 > (1u << map->hashbits) * 7) {
-    if (map->hashbits) {
-      rv = map_resize(map, map->hashbits + 1);
-      if (rv != 0) {
-        return rv;
-      }
-    } else {
-      rv = map_resize(map, NGHTTP2_INITIAL_HASHBITS);
-      if (rv != 0) {
-        return rv;
-      }
+  /* tablelen is incorrect if map->hashbits == 0 which leads to
+     tablelen = 1, but it is only used to check the load factor, and
+     it works in this special case. */
+  tablelen = (size_t)1 << map->hashbits;
+
+  /* Load factor is 7 / 8.  Because tablelen is power of 2, (tablelen
+     - (tablelen >> 3)) computes tablelen * 7 / 8. */
+  if (map->size + 1 >= (tablelen - (tablelen >> 3))) {
+    rv = map_resize(map, map->hashbits ? map->hashbits + 1
+                                       : NGHTTP2_INITIAL_HASHBITS);
+    if (rv != 0) {
+      return rv;
     }
+
+    idx = map_insert(map, key, data);
+    if (idx < 0) {
+      return (int)idx;
+    }
+
+    return 0;
   }
 
-  rv = map_insert(map, key, data);
-  if (rv != 0) {
-    return rv;
+  idx = map_insert(map, key, data);
+  if (idx < 0) {
+    return (int)idx;
   }
 
-  return 0;
+  /* Resize if psl reaches really large value which is almost
+     improbable, but just in case. */
+  if (map->psl[idx] - 1 < NGHTTP2_MAX_PSL_RESIZE_THRESH) {
+    return 0;
+  }
+
+  return map_resize(map, map->hashbits + 1);
 }
 
 void *nghttp2_map_find(const nghttp2_map *map, nghttp2_map_key_type key) {
   size_t idx;
-  nghttp2_map_bucket *bkt;
-  size_t psl = 0;
+  size_t psl = 1;
   size_t mask;
 
   if (map->size == 0) {
     return NULL;
   }
 
-  idx = map_hash(map, key);
-  mask = (1u << map->hashbits) - 1;
+  idx = map_index(map, key);
+  mask = ((size_t)1 << map->hashbits) - 1;
 
   for (;;) {
-    bkt = &map->table[idx];
-
-    if (bkt->data == NULL || psl > bkt->psl) {
+    if (psl > map->psl[idx]) {
       return NULL;
     }
 
-    if (bkt->key == key) {
-      return bkt->data;
+    if (map->keys[idx] == key) {
+      return map->data[idx];
     }
 
     ++psl;
@@ -256,38 +307,36 @@ void *nghttp2_map_find(const nghttp2_map *map, nghttp2_map_key_type key) {
 
 int nghttp2_map_remove(nghttp2_map *map, nghttp2_map_key_type key) {
   size_t idx;
-  nghttp2_map_bucket *b, *bkt;
-  size_t psl = 0;
+  size_t dest;
+  size_t psl = 1, kpsl;
   size_t mask;
 
   if (map->size == 0) {
     return NGHTTP2_ERR_INVALID_ARGUMENT;
   }
 
-  idx = map_hash(map, key);
-  mask = (1u << map->hashbits) - 1;
+  idx = map_index(map, key);
+  mask = ((size_t)1 << map->hashbits) - 1;
 
   for (;;) {
-    bkt = &map->table[idx];
-
-    if (bkt->data == NULL || psl > bkt->psl) {
+    if (psl > map->psl[idx]) {
       return NGHTTP2_ERR_INVALID_ARGUMENT;
     }
 
-    if (bkt->key == key) {
-      b = bkt;
+    if (map->keys[idx] == key) {
+      dest = idx;
       idx = (idx + 1) & mask;
 
       for (;;) {
-        bkt = &map->table[idx];
-        if (bkt->data == NULL || bkt->psl == 0) {
-          b->data = NULL;
+        kpsl = map->psl[idx];
+        if (kpsl <= 1) {
+          map->psl[dest] = 0;
           break;
         }
 
-        --bkt->psl;
-        *b = *bkt;
-        b = bkt;
+        map_set_entry(map, dest, map->keys[idx], map->data[idx], kpsl - 1);
+
+        dest = idx;
 
         idx = (idx + 1) & mask;
       }
@@ -307,7 +356,7 @@ void nghttp2_map_clear(nghttp2_map *map) {
     return;
   }
 
-  memset(map->table, 0, sizeof(*map->table) * (1u << map->hashbits));
+  memset(map->psl, 0, sizeof(*map->psl) * ((size_t)1 << map->hashbits));
   map->size = 0;
 }
 

lib/nghttp2_map.h

@@ -38,16 +38,15 @@
 
 typedef int32_t nghttp2_map_key_type;
 
-typedef struct nghttp2_map_bucket {
-  uint32_t psl;
-  nghttp2_map_key_type key;
-  void *data;
-} nghttp2_map_bucket;
-
 typedef struct nghttp2_map {
-  nghttp2_map_bucket *table;
+  nghttp2_map_key_type *keys;
+  void **data;
+  /* psl is the Probe Sequence Length.  0 has special meaning that the
+     element is not stored at i-th position if psl[i] == 0.  Because
+     of this, the actual psl value is psl[i] - 1 if psl[i] > 0. */
+  uint8_t *psl;
   nghttp2_mem *mem;
-  uint32_t seed;
+  uint64_t seed;
   size_t size;
   size_t hashbits;
 } nghttp2_map;
@@ -55,7 +54,7 @@ typedef struct nghttp2_map {
 /*
  * nghttp2_map_init initializes the map |map|.
  */
-void nghttp2_map_init(nghttp2_map *map, uint32_t seed, nghttp2_mem *mem);
+void nghttp2_map_init(nghttp2_map *map, uint64_t seed, nghttp2_mem *mem);
 
 /*
  * nghttp2_map_free deallocates any resources allocated for |map|.

lib/nghttp2_mem.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -42,4 +42,4 @@ void nghttp2_mem_free2(nghttp2_free free_func, void *ptr, void *mem_user_data);
 void *nghttp2_mem_calloc(nghttp2_mem *mem, size_t nmemb, size_t size);
 void *nghttp2_mem_realloc(nghttp2_mem *mem, void *ptr, size_t size);
 
-#endif /* NGHTTP2_MEM_H */
+#endif /* !defined(NGHTTP2_MEM_H) */

lib/nghttp2_net.h

@@ -27,28 +27,28 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #ifdef HAVE_ARPA_INET_H
 #  include <arpa/inet.h>
-#endif /* HAVE_ARPA_INET_H */
+#endif /* defined(HAVE_ARPA_INET_H) */
 
 #ifdef HAVE_NETINET_IN_H
 #  include <netinet/in.h>
-#endif /* HAVE_NETINET_IN_H */
+#endif /* defined(HAVE_NETINET_IN_H) */
 
 #include <nghttp2/nghttp2.h>
 
-#if defined(WIN32)
+#ifdef WIN32
 /* Windows requires ws2_32 library for ntonl family functions.  We
    define inline functions for those function so that we don't have
    dependency on that lib. */
 
 #  ifdef _MSC_VER
 #    define STIN static __inline
-#  else
+#  else /* !defined(_MSC_VER) */
 #    define STIN static inline
-#  endif
+#  endif /* !defined(_MSC_VER) */
 
 STIN uint32_t htonl(uint32_t hostlong) {
   uint32_t res;
@@ -86,6 +86,6 @@ STIN uint16_t ntohs(uint16_t netshort) {
   return res;
 }
 
-#endif /* WIN32 */
+#endif /* defined(WIN32) */
 
-#endif /* NGHTTP2_NET_H */
+#endif /* !defined(NGHTTP2_NET_H) */

lib/nghttp2_option.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -160,4 +160,4 @@ struct nghttp2_option {
   uint8_t user_recv_ext_types[32];
 };
 
-#endif /* NGHTTP2_OPTION_H */
+#endif /* !defined(NGHTTP2_OPTION_H) */

lib/nghttp2_outbound_item.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 #include "nghttp2_frame.h"
@@ -186,4 +186,4 @@ void nghttp2_outbound_queue_pop(nghttp2_outbound_queue *q);
 /* Returns the size of the queue */
 #define nghttp2_outbound_queue_size(Q) ((Q)->n)
 
-#endif /* NGHTTP2_OUTBOUND_ITEM_H */
+#endif /* !defined(NGHTTP2_OUTBOUND_ITEM_H) */

lib/nghttp2_pq.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 #include "nghttp2_int.h"
@@ -121,4 +121,4 @@ int nghttp2_pq_each(nghttp2_pq *pq, nghttp2_pq_item_cb fun, void *arg);
  */
 void nghttp2_pq_remove(nghttp2_pq *pq, nghttp2_pq_entry *item);
 
-#endif /* NGHTTP2_PQ_H */
+#endif /* !defined(NGHTTP2_PQ_H) */

lib/nghttp2_priority_spec.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -39,4 +39,4 @@
  */
 void nghttp2_priority_spec_normalize_weight(nghttp2_priority_spec *pri_spec);
 
-#endif /* NGHTTP2_PRIORITY_SPEC_H */
+#endif /* !defined(NGHTTP2_PRIORITY_SPEC_H) */

lib/nghttp2_queue.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include "config.h"
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -48,4 +48,4 @@ void *nghttp2_queue_front(nghttp2_queue *queue);
 void *nghttp2_queue_back(nghttp2_queue *queue);
 int nghttp2_queue_empty(nghttp2_queue *queue);
 
-#endif /* NGHTTP2_QUEUE_H */
+#endif /* !defined(NGHTTP2_QUEUE_H) */

lib/nghttp2_ratelim.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -54,4 +54,4 @@ void nghttp2_ratelim_update(nghttp2_ratelim *rl, uint64_t tstamp);
    succeeds, or -1. */
 int nghttp2_ratelim_drain(nghttp2_ratelim *rl, uint64_t n);
 
-#endif /* NGHTTP2_RATELIM_H */
+#endif /* !defined(NGHTTP2_RATELIM_H) */

lib/nghttp2_rcbuf.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -77,4 +77,4 @@ int nghttp2_rcbuf_new2(nghttp2_rcbuf **rcbuf_ptr, const uint8_t *src,
  */
 void nghttp2_rcbuf_del(nghttp2_rcbuf *rcbuf);
 
-#endif /* NGHTTP2_RCBUF_H */
+#endif /* !defined(NGHTTP2_RCBUF_H) */

lib/nghttp2_session.c

@@ -438,7 +438,7 @@ static int session_new(nghttp2_session **session_ptr,
   size_t max_deflate_dynamic_table_size =
     NGHTTP2_HD_DEFAULT_MAX_DEFLATE_BUFFER_SIZE;
   size_t i;
-  uint32_t map_seed;
+  uint64_t map_seed;
 
   if (mem == NULL) {
     mem = nghttp2_mem_default();
@@ -3409,11 +3409,6 @@ static int session_handle_invalid_stream2(nghttp2_session *session,
                                           int lib_error_code) {
   int rv;
 
-  rv = session_update_glitch_ratelim(session);
-  if (rv != 0) {
-    return rv;
-  }
-
   rv = nghttp2_session_add_rst_stream(
     session, stream_id, get_error_code_from_lib_error_code(lib_error_code));
   if (rv != 0) {
@@ -5659,7 +5654,7 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
           DEBUGF("recv: WINDOW_UPDATE\n");
           break;
         }
-#endif /* DEBUGBUILD */
+#endif /* defined(DEBUGBUILD) */
 
         iframe->frame.hd.flags = NGHTTP2_FLAG_NONE;
 
@@ -5843,6 +5838,16 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
           case NGHTTP2_ALTSVC:
             if ((session->builtin_recv_ext_types & NGHTTP2_TYPEMASK_ALTSVC) ==
                 0) {
+              /* Receiving too frequent unknown frames is suspicious. */
+              rv = session_update_glitch_ratelim(session);
+              if (rv != 0) {
+                return rv;
+              }
+
+              if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+                return (nghttp2_ssize)inlen;
+              }
+
               busy = 1;
               iframe->state = NGHTTP2_IB_IGN_PAYLOAD;
               break;
@@ -5854,6 +5859,17 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
             iframe->frame.ext.payload = &iframe->ext_frame_payload.altsvc;
 
             if (session->server) {
+              /* Receiving too frequent ALTSVC from client is
+                 suspicious. */
+              rv = session_update_glitch_ratelim(session);
+              if (rv != 0) {
+                return rv;
+              }
+
+              if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+                return (nghttp2_ssize)inlen;
+              }
+
               busy = 1;
               iframe->state = NGHTTP2_IB_IGN_PAYLOAD;
               break;
@@ -5873,6 +5889,16 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
             break;
           case NGHTTP2_ORIGIN:
             if (!(session->builtin_recv_ext_types & NGHTTP2_TYPEMASK_ORIGIN)) {
+              /* Receiving too frequent unknown frames is suspicious. */
+              rv = session_update_glitch_ratelim(session);
+              if (rv != 0) {
+                return rv;
+              }
+
+              if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+                return (nghttp2_ssize)inlen;
+              }
+
               busy = 1;
               iframe->state = NGHTTP2_IB_IGN_PAYLOAD;
               break;
@@ -5884,6 +5910,17 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
 
             if (session->server || iframe->frame.hd.stream_id ||
                 (iframe->frame.hd.flags & 0xf0)) {
+              /* Receiving too frequent invalid frames is
+                 suspicious. */
+              rv = session_update_glitch_ratelim(session);
+              if (rv != 0) {
+                return rv;
+              }
+
+              if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+                return (nghttp2_ssize)inlen;
+              }
+
               busy = 1;
               iframe->state = NGHTTP2_IB_IGN_PAYLOAD;
               break;
@@ -5910,6 +5947,16 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
           case NGHTTP2_PRIORITY_UPDATE:
             if ((session->builtin_recv_ext_types &
                  NGHTTP2_TYPEMASK_PRIORITY_UPDATE) == 0) {
+              /* Receiving too frequent unknown frames is suspicious. */
+              rv = session_update_glitch_ratelim(session);
+              if (rv != 0) {
+                return rv;
+              }
+
+              if (iframe->state == NGHTTP2_IB_IGN_ALL) {
+                return (nghttp2_ssize)inlen;
+              }
+
               busy = 1;
               iframe->state = NGHTTP2_IB_IGN_PAYLOAD;
               break;
@@ -6268,7 +6315,7 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
       } else {
         DEBUGF("recv: [IB_IGN_HEADER_BLOCK]\n");
       }
-#endif /* DEBUGBUILD */
+#endif /* defined(DEBUGBUILD) */
 
       readlen = inbound_frame_payload_readlen(iframe, in, last);
 
@@ -6500,7 +6547,7 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
       } else {
         fprintf(stderr, "recv: [IB_IGN_CONTINUATION]\n");
       }
-#endif /* DEBUGBUILD */
+#endif /* defined(DEBUGBUILD) */
 
       if (++session->num_continuations > session->max_continuations) {
         return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;

lib/nghttp2_session.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 #include "nghttp2_map.h"
@@ -892,4 +892,4 @@ int nghttp2_session_update_recv_stream_window_size(nghttp2_session *session,
                                                    size_t delta_size,
                                                    int send_window_update);
 
-#endif /* NGHTTP2_SESSION_H */
+#endif /* !defined(NGHTTP2_SESSION_H) */

lib/nghttp2_stream.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 #include "nghttp2_outbound_item.h"
@@ -294,4 +294,4 @@ void nghttp2_stream_attach_item(nghttp2_stream *stream,
  */
 void nghttp2_stream_detach_item(nghttp2_stream *stream);
 
-#endif /* NGHTTP2_STREAM */
+#endif /* !defined(NGHTTP2_STREAM_H) */

lib/nghttp2_submit.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -37,4 +37,4 @@ int nghttp2_submit_data_shared(nghttp2_session *session, uint8_t flags,
                                int32_t stream_id,
                                const nghttp2_data_provider_wrap *dpw);
 
-#endif /* NGHTTP2_SUBMIT_H */
+#endif /* !defined(NGHTTP2_SUBMIT_H) */

lib/nghttp2_time.c

@@ -26,7 +26,7 @@
 
 #ifdef HAVE_WINDOWS_H
 #  include <windows.h>
-#endif /* HAVE_WINDOWS_H */
+#endif /* defined(HAVE_WINDOWS_H) */
 
 #include <time.h>
 
@@ -40,12 +40,11 @@ static uint64_t time_now_sec(void) {
 
   return (uint64_t)t;
 }
-#endif /* !HAVE_GETTICKCOUNT64 || __CYGWIN__ */
+#endif /* !defined(HAVE_GETTICKCOUNT64) || defined(__CYGWIN__) */
 
 #if defined(HAVE_GETTICKCOUNT64) && !defined(__CYGWIN__)
 uint64_t nghttp2_time_now_sec(void) { return GetTickCount64() / 1000; }
-#elif defined(HAVE_CLOCK_GETTIME) && defined(HAVE_DECL_CLOCK_MONOTONIC) &&     \
-  HAVE_DECL_CLOCK_MONOTONIC
+#elif defined(HAVE_CLOCK_GETTIME) && HAVE_DECL_CLOCK_MONOTONIC
 uint64_t nghttp2_time_now_sec(void) {
   struct timespec tp;
   int rv = clock_gettime(CLOCK_MONOTONIC, &tp);
@@ -56,8 +55,8 @@ uint64_t nghttp2_time_now_sec(void) {
 
   return (uint64_t)tp.tv_sec;
 }
-#else  /* (!HAVE_CLOCK_GETTIME || !HAVE_DECL_CLOCK_MONOTONIC) &&               \
-          (!HAVE_GETTICKCOUNT64 || __CYGWIN__)) */
+#else  /* (!defined(HAVE_GETTICKCOUNT64) || !defined(__CYGWIN__)) &&           \
+          (!defined(HAVE_CLOCK_GETTIME) || !HAVE_DECL_CLOCK_MONOTONIC) */
 uint64_t nghttp2_time_now_sec(void) { return time_now_sec(); }
-#endif /* (!HAVE_CLOCK_GETTIME || !HAVE_DECL_CLOCK_MONOTONIC) &&               \
-         (!HAVE_GETTICKCOUNT64 || __CYGWIN__)) */
+#endif /* (!defined(HAVE_GETTICKCOUNT64) || !defined(__CYGWIN__)) &&           \
+          (!defined(HAVE_CLOCK_GETTIME) || !HAVE_DECL_CLOCK_MONOTONIC) */

lib/nghttp2_time.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 
@@ -35,4 +35,4 @@
    timepoint.  If it is unable to get seconds, it returns 0. */
 uint64_t nghttp2_time_now_sec(void);
 
-#endif /* NGHTTP2_TIME_H */
+#endif /* !defined(NGHTTP2_TIME_H) */

lib/nghttp2_version.c

@@ -24,7 +24,7 @@
  */
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <nghttp2/nghttp2.h>
 

mkhufftbl.py

@@ -356,8 +356,8 @@ def _build_transition_table(ctx, node):
 def huffman_tree_build_transition_table(ctx):
     _build_transition_table(ctx, ctx.root)
 
-NGHTTP2_HUFF_ACCEPTED = 1 << 14
-NGHTTP2_HUFF_SYM = 1 << 15
+NGHTTP2_HUFF_ACCEPTED = 1
+NGHTTP2_HUFF_SYM = 1 << 1
 
 def _print_transition_table(node):
     if node.term is not None:
@@ -381,7 +381,7 @@ def _print_transition_table(node):
                 flags |= NGHTTP2_HUFF_ACCEPTED
             elif nd.accept:
                 flags |= NGHTTP2_HUFF_ACCEPTED
-        print('  {{0x{:02x}, {}}},'.format(id | flags, out))
+        print('  {{0x{:02x}, {}, {}}},'.format(id, flags, out))
     print('},')
     _print_transition_table(node.left)
     _print_transition_table(node.right)
@@ -390,22 +390,10 @@ def huffman_tree_print_transition_table(ctx):
     _print_transition_table(ctx.root)
     print('/* 256 */')
     print('{')
-    print('  {0x100, 0},')
-    print('  {0x100, 0},')
-    print('  {0x100, 0},')
-    print('  {0x100, 0},')
-    print('  {0x100, 0},')
-    print('  {0x100, 0},')
-    print('  {0x100, 0},')
-    print('  {0x100, 0},')
-    print('  {0x100, 0},')
-    print('  {0x100, 0},')
-    print('  {0x100, 0},')
-    print('  {0x100, 0},')
-    print('  {0x100, 0},')
-    print('  {0x100, 0},')
-    print('  {0x100, 0},')
-    print('  {0x100, 0},')
+
+    for _ in range(16):
+        print('  {0x100, 0, 0},')
+
     print('},')
 
 if __name__ == '__main__':
@@ -458,6 +446,7 @@ enum {{
     print('''\
 typedef struct {
   uint16_t fstate;
+  uint8_t flags;
   uint8_t sym;
 } nghttp2_huff_decode;
 ''')

src/CMakeLists.txt

@@ -249,6 +249,7 @@ if(ENABLE_HPACK_TOOLS)
     comp_helper.c
     util.cc
     timegm.c
+    tls.cc
   )
   add_executable(inflatehd ${inflatehd_SOURCES})
   add_executable(deflatehd ${deflatehd_SOURCES})

src/HtmlParser.h

@@ -31,10 +31,8 @@
 #include <string>
 
 #ifdef HAVE_LIBXML2
-
 #  include <libxml/HTMLparser.h>
-
-#endif // HAVE_LIBXML2
+#endif // defined(HAVE_LIBXML2)
 
 namespace nghttp2 {
 
@@ -72,7 +70,7 @@ private:
   ParserData parser_data_;
 };
 
-#else // !HAVE_LIBXML2
+#else // !defined(HAVE_LIBXML2)
 
 class HtmlParser {
 public:
@@ -87,8 +85,8 @@ private:
   std::vector<std::pair<std::string, ResourceType>> links_;
 };
 
-#endif // !HAVE_LIBXML2
+#endif // !defined(HAVE_LIBXML2)
 
 } // namespace nghttp2
 
-#endif // HTML_PARSER_H
+#endif // !defined(HTML_PARSER_H)

src/HttpServer.cc

@@ -27,23 +27,23 @@
 #include <sys/stat.h>
 #ifdef HAVE_SYS_SOCKET_H
 #  include <sys/socket.h>
-#endif // HAVE_SYS_SOCKET_H
+#endif // defined(HAVE_SYS_SOCKET_H)
 #ifdef HAVE_NETDB_H
 #  include <netdb.h>
-#endif // HAVE_NETDB_H
+#endif // defined(HAVE_NETDB_H)
 #ifdef HAVE_UNISTD_H
 #  include <unistd.h>
-#endif // HAVE_UNISTD_H
+#endif // defined(HAVE_UNISTD_H)
 #ifdef HAVE_FCNTL_H
 #  include <fcntl.h>
-#endif // HAVE_FCNTL_H
+#endif // defined(HAVE_FCNTL_H)
 #ifdef HAVE_NETINET_IN_H
 #  include <netinet/in.h>
-#endif // HAVE_NETINET_IN_H
+#endif // defined(HAVE_NETINET_IN_H)
 #include <netinet/tcp.h>
 #ifdef HAVE_ARPA_INET_H
 #  include <arpa/inet.h>
-#endif // HAVE_ARPA_INET_H
+#endif // defined(HAVE_ARPA_INET_H)
 
 #include <cassert>
 #include <unordered_set>
@@ -58,13 +58,13 @@
 #  include <wolfssl/options.h>
 #  include <wolfssl/openssl/err.h>
 #  include <wolfssl/openssl/dh.h>
-#else // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#else // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 #  include <openssl/err.h>
 #  include <openssl/dh.h>
 #  if OPENSSL_3_0_0_API
 #    include <openssl/decoder.h>
 #  endif // OPENSSL_3_0_0_API
-#endif   // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#endif   // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 
 #include <zlib.h>
 
@@ -76,9 +76,10 @@
 
 #ifndef O_BINARY
 #  define O_BINARY (0)
-#endif // O_BINARY
+#endif // !defined(O_BINARY)
 
 using namespace std::chrono_literals;
+using namespace std::string_literals;
 
 namespace nghttp2 {
 
@@ -101,6 +102,7 @@ void print_session_id(int64_t id) { std::cout << "[id=" << id << "] "; }
 
 Config::Config()
   : mime_types_file("/etc/mime.types"),
+    groups("X25519:P-256:P-384:P-521"sv),
     stream_read_timeout(1_min),
     stream_write_timeout(1_min),
     data_ptr(nullptr),
@@ -382,7 +384,7 @@ public:
     fd_cache_lru_.append(res.get());
 
     while (fd_cache_.size() > FILE_ENTRY_EVICT_THRES) {
-      auto ent = fd_cache_lru_.head;
+      auto ent = fd_cache_lru_.front();
       if (ent->usecount) {
         break;
       }
@@ -427,7 +429,7 @@ private:
   std::unordered_set<Http2Handler *> handlers_;
   // cache for file descriptors to read file.
   std::unordered_multimap<std::string, std::unique_ptr<FileEntry>> fd_cache_;
-  DList<FileEntry> fd_cache_lru_;
+  SList<FileEntry, &FileEntry::slent> fd_cache_lru_;
   HttpServer *sv_;
   struct ev_loop *loop_;
   const Config *config_;
@@ -1822,7 +1824,7 @@ void run_worker(Worker *worker) {
 
 #ifdef NGHTTP2_OPENSSL_IS_WOLFSSL
   wc_ecc_fp_free();
-#endif // NGHTTP2_OPENSSL_IS_WOLFSSL
+#endif // defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 }
 } // namespace
 
@@ -1907,15 +1909,15 @@ public:
     for (;;) {
 #ifdef HAVE_ACCEPT4
       auto fd = accept4(fd_, nullptr, nullptr, SOCK_NONBLOCK);
-#else  // !HAVE_ACCEPT4
+#else  // !defined(HAVE_ACCEPT4)
       auto fd = accept(fd_, nullptr, nullptr);
-#endif // !HAVE_ACCEPT4
+#endif // !defined(HAVE_ACCEPT4)
       if (fd == -1) {
         break;
       }
 #ifndef HAVE_ACCEPT4
       util::make_socket_nonblocking(fd);
-#endif // !HAVE_ACCEPT4
+#endif // !defined(HAVE_ACCEPT4)
       acceptor_->accept_connection(fd);
     }
   }
@@ -2021,7 +2023,7 @@ int start_listen(HttpServer *sv, struct ev_loop *loop, Sessions *sessions,
     .ai_flags = AI_PASSIVE
 #ifdef AI_ADDRCONFIG
                 | AI_ADDRCONFIG
-#endif // AI_ADDRCONFIG
+#endif // defined(AI_ADDRCONFIG)
     ,
     .ai_family = AF_UNSPEC,
     .ai_socktype = SOCK_STREAM,
@@ -2058,7 +2060,7 @@ int start_listen(HttpServer *sv, struct ev_loop *loop, Sessions *sessions,
         continue;
       }
     }
-#endif // IPV6_V6ONLY
+#endif // defined(IPV6_V6ONLY)
     if (bind(fd, rp->ai_addr, rp->ai_addrlen) == 0 && listen(fd, 1000) == 0) {
       if (!acceptor) {
         acceptor = std::make_shared<AcceptHandler>(sv, sessions, config);
@@ -2128,7 +2130,7 @@ int HttpServer::run() {
     if (config_->ktls) {
       ssl_opts |= SSL_OP_ENABLE_KTLS;
     }
-#endif // SSL_OP_ENABLE_KTLS
+#endif // defined(SSL_OP_ENABLE_KTLS)
 
     SSL_CTX_set_options(ssl_ctx, ssl_opts);
     SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
@@ -2153,19 +2155,17 @@ int HttpServer::run() {
       std::cerr << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
       return -1;
     }
-#endif // NGHTTP2_OPENSSL_IS_WOLFSSL
+#endif // defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 
     const unsigned char sid_ctx[] = "nghttpd";
     SSL_CTX_set_session_id_context(ssl_ctx, sid_ctx, sizeof(sid_ctx) - 1);
     SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
 
-#ifndef OPENSSL_NO_EC
-    if (SSL_CTX_set1_curves_list(ssl_ctx, "P-256") != 1) {
-      std::cerr << "SSL_CTX_set1_curves_list failed: "
+    if (SSL_CTX_set1_groups_list(ssl_ctx, config_->groups.data()) != 1) {
+      std::cerr << "SSL_CTX_set1_groups_list failed: "
                 << ERR_error_string(ERR_get_error(), nullptr);
       return -1;
     }
-#endif // OPENSSL_NO_EC
 
     if (!config_->dh_param_file.empty()) {
       // Read DH parameters from file
@@ -2239,7 +2239,8 @@ int HttpServer::run() {
       std::cerr << "SSL_CTX_add_cert_compression_alg failed." << std::endl;
       return -1;
     }
-#endif // NGHTTP2_OPENSSL_IS_BORINGSSL && HAVE_LIBBROTLI
+#endif // defined(NGHTTP2_OPENSSL_IS_BORINGSSL) &&
+       // defined(HAVE_LIBBROTLI)
 
     if (tls::setup_keylog_callback(ssl_ctx) != 0) {
       std::cerr << "Failed to setup keylog" << std::endl;

src/HttpServer.h

@@ -36,15 +36,16 @@
 #include <vector>
 #include <unordered_map>
 #include <memory>
+#include <string_view>
 
 #include "ssl_compat.h"
 
 #ifdef NGHTTP2_OPENSSL_IS_WOLFSSL
 #  include <wolfssl/options.h>
 #  include <wolfssl/openssl/ssl.h>
-#else // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#else // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 #  include <openssl/ssl.h>
-#endif // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#endif // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 
 #include <ev.h>
 
@@ -70,6 +71,7 @@ struct Config {
   std::string dh_param_file;
   std::string address;
   std::string mime_types_file;
+  std::string_view groups;
   ev_tstamp stream_read_timeout;
   ev_tstamp stream_write_timeout;
   void *data_ptr;
@@ -107,8 +109,6 @@ struct FileEntry {
       mtime(mtime),
       last_valid(last_valid),
       content_type(content_type),
-      dlnext(nullptr),
-      dlprev(nullptr),
       fd(fd),
       usecount(1),
       stale(stale) {}
@@ -118,7 +118,7 @@ struct FileEntry {
   int64_t mtime;
   std::chrono::steady_clock::time_point last_valid;
   const std::string *content_type;
-  FileEntry *dlnext, *dlprev;
+  SListEntry<FileEntry> slent;
   int fd;
   int usecount;
   bool stale;
@@ -258,4 +258,4 @@ nghttp2_ssize file_read_callback(nghttp2_session *session, int32_t stream_id,
 
 } // namespace nghttp2
 
-#endif // HTTP_SERVER_H
+#endif // !defined(HTTP_SERVER_H)

src/Makefile.am

@@ -262,7 +262,8 @@ bin_PROGRAMS += inflatehd deflatehd
 HPACK_TOOLS_COMMON_SRCS = \
 	comp_helper.c comp_helper.h \
 	util.cc util.h \
-	timegm.c timegm.h
+	timegm.c timegm.h \
+	tls.cc tls.h
 
 inflatehd_SOURCES = inflatehd.cc $(HPACK_TOOLS_COMMON_SRCS)
 

src/allocator.h

@@ -29,7 +29,7 @@
 
 #ifndef _WIN32
 #  include <sys/uio.h>
-#endif // !_WIN32
+#endif // !defined(_WIN32)
 
 #include <cassert>
 #include <utility>
@@ -288,4 +288,4 @@ inline std::span<uint8_t> make_byte_ref(BlockAllocator &alloc, size_t size) {
 
 } // namespace nghttp2
 
-#endif // ALLOCATOR_H
+#endif // !defined(ALLOCATOR_H)

src/app_helper.cc

@@ -25,19 +25,19 @@
 #include <sys/types.h>
 #ifdef HAVE_SYS_SOCKET_H
 #  include <sys/socket.h>
-#endif // HAVE_SYS_SOCKET_H
+#endif // defined(HAVE_SYS_SOCKET_H)
 #ifdef HAVE_NETDB_H
 #  include <netdb.h>
-#endif // HAVE_NETDB_H
+#endif // defined(HAVE_NETDB_H)
 #ifdef HAVE_UNISTD_H
 #  include <unistd.h>
-#endif // HAVE_UNISTD_H
+#endif // defined(HAVE_UNISTD_H)
 #ifdef HAVE_FCNTL_H
 #  include <fcntl.h>
-#endif // HAVE_FCNTL_H
+#endif // defined(HAVE_FCNTL_H)
 #ifdef HAVE_NETINET_IN_H
 #  include <netinet/in.h>
-#endif // HAVE_NETINET_IN_H
+#endif // defined(HAVE_NETINET_IN_H)
 #include <netinet/tcp.h>
 #include <poll.h>
 

src/app_helper.h

@@ -31,7 +31,7 @@
 #include <cstdlib>
 #ifdef HAVE_SYS_TIME_H
 #  include <sys/time.h>
-#endif // HAVE_SYS_TIME_H
+#endif // defined(HAVE_SYS_TIME_H)
 #include <poll.h>
 
 #include <chrono>
@@ -91,4 +91,4 @@ void set_output(FILE *file);
 
 } // namespace nghttp2
 
-#endif // APP_HELPER_H
+#endif // !defined(APP_HELPER_H)

src/base64.h

@@ -197,4 +197,4 @@ std::span<const uint8_t> decode(BlockAllocator &balloc, R &&r) {
 
 } // namespace nghttp2
 
-#endif // BASE64_H
+#endif // !defined(BASE64_H)

src/base64_test.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif // HAVE_CONFIG_H
+#endif // defined(HAVE_CONFIG_H)
 
 #define MUNIT_ENABLE_ASSERT_ALIASES
 
@@ -42,4 +42,4 @@ munit_void_test_decl(test_base64_decode)
 
 } // namespace nghttp2
 
-#endif // BASE64_TEST_H
+#endif // !defined(BASE64_TEST_H)

src/buffer.h

@@ -76,4 +76,4 @@ template <size_t N> struct Buffer {
 
 } // namespace nghttp2
 
-#endif // BUFFER_H
+#endif // !defined(BUFFER_H)

src/buffer_test.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif // HAVE_CONFIG_H
+#endif // defined(HAVE_CONFIG_H)
 
 #define MUNIT_ENABLE_ASSERT_ALIASES
 
@@ -41,4 +41,4 @@ munit_void_test_decl(test_buffer_write)
 
 } // namespace nghttp2
 
-#endif // BUFFER_TEST_H
+#endif // !defined(BUFFER_TEST_H)

src/comp_helper.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #include <jansson.h>
 
@@ -35,7 +35,7 @@
 
 #ifdef __cplusplus
 extern "C" {
-#endif
+#endif /* defined(__cplusplus) */
 
 json_t *dump_deflate_header_table(nghttp2_hd_deflater *deflater);
 
@@ -52,6 +52,6 @@ void output_json_footer(void);
 
 #ifdef __cplusplus
 }
-#endif
+#endif /* defined(__cplusplus) */
 
-#endif /* NGHTTP2_COMP_HELPER_H */
+#endif /* !defined(NGHTTP2_COMP_HELPER_H) */

src/deflatehd.cc

@@ -24,11 +24,11 @@
  */
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif // HAVE_CONFIG_H
+#endif // defined(HAVE_CONFIG_H)
 
 #ifdef HAVE_UNISTD_H
 #  include <unistd.h>
-#endif // HAVE_UNISTD_H
+#endif // defined(HAVE_UNISTD_H)
 #include <getopt.h>
 
 #include <cstdio>

src/h2load.cc

@@ -28,12 +28,12 @@
 #include <signal.h>
 #ifdef HAVE_NETINET_IN_H
 #  include <netinet/in.h>
-#endif // HAVE_NETINET_IN_H
+#endif // defined(HAVE_NETINET_IN_H)
 #include <netinet/tcp.h>
 #include <sys/stat.h>
 #ifdef HAVE_FCNTL_H
 #  include <fcntl.h>
-#endif // HAVE_FCNTL_H
+#endif // defined(HAVE_FCNTL_H)
 #include <sys/mman.h>
 #include <netinet/udp.h>
 
@@ -54,9 +54,9 @@
 #ifdef NGHTTP2_OPENSSL_IS_WOLFSSL
 #  include <wolfssl/options.h>
 #  include <wolfssl/openssl/err.h>
-#else // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#else // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 #  include <openssl/err.h>
-#endif // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#endif // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 
 #ifdef ENABLE_HTTP3
 #  if defined(HAVE_LIBNGTCP2_CRYPTO_QUICTLS) ||                                \
@@ -66,14 +66,14 @@
          // defined(HAVE_LIBNGTCP2_CRYPTO_LIBRESSL)
 #  ifdef HAVE_LIBNGTCP2_CRYPTO_BORINGSSL
 #    include <ngtcp2/ngtcp2_crypto_boringssl.h>
-#  endif // HAVE_LIBNGTCP2_CRYPTO_BORINGSSL
+#  endif // defined(HAVE_LIBNGTCP2_CRYPTO_BORINGSSL)
 #  ifdef HAVE_LIBNGTCP2_CRYPTO_WOLFSSL
 #    include <ngtcp2/ngtcp2_crypto_wolfssl.h>
-#  endif // HAVE_LIBNGTCP2_CRYPTO_WOLFSSL
+#  endif // defined(HAVE_LIBNGTCP2_CRYPTO_WOLFSSL)
 #  ifdef HAVE_LIBNGTCP2_CRYPTO_OSSL
 #    include <ngtcp2/ngtcp2_crypto_ossl.h>
-#  endif // HAVE_LIBNGTCP2_CRYPTO_OSSL
-#endif   // ENABLE_HTTP3
+#  endif // defined(HAVE_LIBNGTCP2_CRYPTO_OSSL)
+#endif   // defined(ENABLE_HTTP3)
 
 #include "urlparse.h"
 
@@ -82,7 +82,7 @@
 #ifdef ENABLE_HTTP3
 #  include "h2load_http3_session.h"
 #  include "h2load_quic.h"
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 #include "tls.h"
 #include "http2.h"
 #include "util.h"
@@ -90,7 +90,7 @@
 
 #ifndef O_BINARY
 #  define O_BINARY (0)
-#endif // O_BINARY
+#endif // !defined(O_BINARY)
 
 using namespace nghttp2;
 
@@ -163,9 +163,9 @@ bool Config::is_quic() const {
 #ifdef ENABLE_HTTP3
   return !alpn_list.empty() &&
          (alpn_list[0] == NGHTTP3_ALPN_H3 || alpn_list[0] == "\x5h3-29");
-#else  // !ENABLE_HTTP3
+#else  // !defined(ENABLE_HTTP3)
   return false;
-#endif // !ENABLE_HTTP3
+#endif // !defined(ENABLE_HTTP3)
 }
 Config config;
 
@@ -462,7 +462,7 @@ Client::Client(uint32_t id, Worker *worker, size_t req_todo)
     ssl(nullptr),
 #ifdef ENABLE_HTTP3
     quic{},
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
     next_addr(config.addrs),
     current_addr(nullptr),
     reqidx(0),
@@ -509,14 +509,16 @@ Client::Client(uint32_t id, Worker *worker, size_t req_todo)
   quic.pkt_timer.data = this;
 #  ifndef UDP_SEGMENT
   quic.tx.no_gso = true;
-#  endif // UDP_SEGMENT
+#  endif // !defined(UDP_SEGMENT)
 
   if (config.is_quic()) {
+    ev_set_priority(&rev, EV_MAXPRI);
+
     quic.tx.data = std::make_unique<uint8_t[]>(QUIC_TX_DATALEN);
   }
 
   ngtcp2_ccerr_default(&quic.last_error);
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 }
 
 Client::~Client() {
@@ -532,7 +534,7 @@ Client::~Client() {
   if (config.is_quic()) {
     quic_free();
   }
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 
   worker->sample_client_stat(&cstat);
   ++worker->client_smp.n;
@@ -557,7 +559,7 @@ int Client::make_socket(addrinfo *addr) {
       std::cerr << "setsockopt UDP_GRO failed" << std::endl;
       return -1;
     }
-#  endif // UDP_GRO
+#  endif // defined(UDP_GRO)
 
     rv = util::bind_any_addr_udp(fd, addr->ai_family);
     if (rv != 0) {
@@ -578,7 +580,7 @@ int Client::make_socket(addrinfo *addr) {
       std::cerr << "quic_init failed" << std::endl;
       return -1;
     }
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
   } else {
     fd = util::create_nonblock_socket(addr->ai_family);
     if (fd == -1) {
@@ -673,7 +675,7 @@ int Client::connect() {
 
     readfn = &Client::read_quic;
     writefn = &Client::write_quic;
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
   } else {
     writefn = &Client::connected;
   }
@@ -739,11 +741,11 @@ void Client::disconnect() {
   if (config.is_quic()) {
     quic_close_connection();
   }
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 
 #ifdef ENABLE_HTTP3
   ev_timer_stop(worker->loop, &quic.pkt_timer);
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
   ev_timer_stop(worker->loop, &conn_inactivity_watcher);
   ev_timer_stop(worker->loop, &conn_active_watcher);
   ev_timer_stop(worker->loop, &rps_watcher);
@@ -858,7 +860,7 @@ void print_server_tmp_key(SSL *ssl) {
     return;
   }
 
-  auto key_del = defer(EVP_PKEY_free, key);
+  auto key_del = defer([key] { EVP_PKEY_free(key); });
 
   std::cout << "Server Temp Key: ";
 
@@ -881,8 +883,7 @@ void print_server_tmp_key(SSL *ssl) {
       cname = curve_name.data();
     }
 #  else  // !OPENSSL_3_0_0_API
-    auto ec = EVP_PKEY_get1_EC_KEY(key);
-    auto ec_del = defer(EC_KEY_free, ec);
+    auto ec = EVP_PKEY_get0_EC_KEY(key);
     auto nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
     auto cname = EC_curve_nid2nist(nid);
     if (!cname) {
@@ -904,7 +905,7 @@ void print_server_tmp_key(SSL *ssl) {
   }
 }
 } // namespace
-#endif // !NGHTTP2_OPENSSL_IS_BORINGSSL
+#endif // !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
 
 void Client::report_tls_info() {
   if (worker->id == 0 && !worker->tls_info_report_done) {
@@ -914,7 +915,7 @@ void Client::report_tls_info() {
               << "Cipher: " << SSL_CIPHER_get_name(cipher) << std::endl;
 #ifndef NGHTTP2_OPENSSL_IS_BORINGSSL
     print_server_tmp_key(ssl);
-#endif // !NGHTTP2_OPENSSL_IS_BORINGSSL
+#endif // !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
   }
 }
 
@@ -930,7 +931,7 @@ void Client::terminate_session() {
   if (config.is_quic()) {
     quic.close_requested = true;
   }
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
   if (session) {
     session->terminate();
   }
@@ -1135,7 +1136,7 @@ int Client::connection_made() {
         if ("h3"sv != proto && "h3-29"sv != proto) {
           return -1;
         }
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
       } else if (util::check_h2_is_selected(proto)) {
         session = std::make_unique<Http2Session>(this);
       } else if (NGHTTP2_H1_1 == proto) {
@@ -1505,7 +1506,7 @@ std::span<const uint8_t> Client::write_udp(const sockaddr *addr,
     auto n = static_cast<uint16_t>(gso_size);
     memcpy(CMSG_DATA(cm), &n, sizeof(n));
   }
-#  endif // UDP_SEGMENT
+#  endif // defined(UDP_SEGMENT)
 
   auto nwrite = sendmsg(fd, &msg, 0);
   if (nwrite < 0) {
@@ -1528,7 +1529,7 @@ std::span<const uint8_t> Client::write_udp(const sockaddr *addr,
 
   return {};
 }
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 
 void Client::record_request_time(RequestStat *req_stat) {
   req_stat->request_time = std::chrono::steady_clock::now();
@@ -1878,7 +1879,7 @@ void resolve_host() {
 
     config.addrs = res.release();
     return;
-  };
+  }
 
   int rv;
   addrinfo *res;
@@ -2196,9 +2197,9 @@ Options:
       << util::utos_unit(config.max_frame_size) << R"(
   -w, --window-bits=<N>
               Sets the stream level initial window size to (2**<N>)-1.
-              For QUIC, <N> is capped to 26 (roughly 64MiB).
-              Default: )"
-      << config.window_bits << R"(
+              For  QUIC, <N>  is  capped to  26  (roughly 64MiB).   It
+              defaults  to  24 (16MiB)  for  QUIC,  and 30  for  other
+              protocols.
   -W, --connection-window-bits=<N>
               Sets  the  connection  level   initial  window  size  to
               (2**<N>)-1.
@@ -2373,6 +2374,7 @@ int main(int argc, char **argv) {
   std::string datafile;
   std::string logfile;
   bool nreqs_set_manually = false;
+  auto window_bits_set_manually = false;
   while (1) {
     static int flag = 0;
     constexpr static option long_options[] = {
@@ -2449,14 +2451,14 @@ int main(int argc, char **argv) {
 #ifdef NOTHREADS
       std::cerr << "-t: WARNING: Threading disabled at build time, "
                 << "no threads created." << std::endl;
-#else
+#else  // !defined(NOTHREADS)
       auto n = util::parse_uint(optarg);
       if (!n) {
         std::cerr << "-t: bad option value: " << optarg << std::endl;
         exit(EXIT_FAILURE);
       }
       config.nthreads = static_cast<size_t>(*n);
-#endif // NOTHREADS
+#endif // !defined(NOTHREADS)
       break;
     }
     case 'm': {
@@ -2478,6 +2480,7 @@ int main(int argc, char **argv) {
         exit(EXIT_FAILURE);
       }
       if (c == 'w') {
+        window_bits_set_manually = true;
         config.window_bits = static_cast<size_t>(*n);
       } else {
         config.connection_window_bits = static_cast<size_t>(*n);
@@ -2791,7 +2794,11 @@ int main(int argc, char **argv) {
 
   // serialize the APLN tokens
   for (auto &proto : config.alpn_list) {
-    proto.insert(proto.begin(), static_cast<char>(proto.size()));
+    proto.insert(std::ranges::begin(proto), static_cast<char>(proto.size()));
+  }
+
+  if (config.is_quic() && !window_bits_set_manually) {
+    config.window_bits = 24;
   }
 
   std::vector<std::string> reqlines;
@@ -2990,7 +2997,7 @@ int main(int argc, char **argv) {
   if (config.ktls) {
     ssl_opts |= SSL_OP_ENABLE_KTLS;
   }
-#endif // SSL_OP_ENABLE_KTLS
+#endif // defined(SSL_OP_ENABLE_KTLS)
 
   SSL_CTX_set_options(ssl_ctx, ssl_opts);
   SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
@@ -3013,15 +3020,15 @@ int main(int argc, char **argv) {
                 << std::endl;
       exit(EXIT_FAILURE);
     }
-#  endif // HAVE_LIBNGTCP2_CRYPTO_BORINGSSL
+#  endif // defined(HAVE_LIBNGTCP2_CRYPTO_BORINGSSL)
 #  ifdef HAVE_LIBNGTCP2_CRYPTO_WOLFSSL
     if (ngtcp2_crypto_wolfssl_configure_client_context(ssl_ctx) != 0) {
       std::cerr << "ngtcp2_crypto_wolfssl_configure_client_context failed"
                 << std::endl;
       exit(EXIT_FAILURE);
     }
-#  endif // HAVE_LIBNGTCP2_CRYPTO_WOLFSSL
-#endif   // ENABLE_HTTP3
+#  endif // defined(HAVE_LIBNGTCP2_CRYPTO_WOLFSSL)
+#endif   // defined(ENABLE_HTTP3)
   } else if (nghttp2::tls::ssl_ctx_set_proto_versions(
                ssl_ctx, nghttp2::tls::NGHTTP2_TLS_MIN_VERSION,
                nghttp2::tls::NGHTTP2_TLS_MAX_VERSION) != 0) {
@@ -3044,23 +3051,14 @@ int main(int argc, char **argv) {
               << std::endl;
     exit(EXIT_FAILURE);
   }
-#endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_LIBRESSL ||
-       // NGHTTP2_OPENSSL_IS_WOLFSSL
+#endif // defined(NGHTTP2_GENUINE_OPENSSL) ||
+       // defined(NGHTTP2_OPENSSL_IS_LIBRESSL) ||
+       // defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 
-#ifdef NGHTTP2_OPENSSL_IS_WOLFSSL
-  // Passing X25519 to SSL_CTX_set1_groups_list fails for some reason.
-  if (SSL_CTX_set1_curves_list(
-        ssl_ctx, const_cast<char *>(config.groups.c_str())) != 1) {
-    std::cerr << "SSL_CTX_set1_curves_list failed: "
-              << ERR_error_string(ERR_get_error(), nullptr) << std::endl;
-    exit(EXIT_FAILURE);
-  }
-#else  // !NGHTTP2_OPENSSL_IS_WOLFSSL
   if (SSL_CTX_set1_groups_list(ssl_ctx, config.groups.c_str()) != 1) {
     std::cerr << "SSL_CTX_set1_groups_list failed" << std::endl;
     exit(EXIT_FAILURE);
   }
-#endif // !NGHTTP2_OPENSSL_IS_WOLFSSL
 
   std::vector<unsigned char> proto_list;
   for (const auto &proto : config.alpn_list) {
@@ -3083,7 +3081,8 @@ int main(int argc, char **argv) {
     std::cerr << "SSL_CTX_add_cert_compression_alg failed" << std::endl;
     exit(EXIT_FAILURE);
   }
-#endif // NGHTTP2_OPENSSL_IS_BORINGSSL && HAVE_LIBBROTLI
+#endif // defined(NGHTTP2_OPENSSL_IS_BORINGSSL) &&
+       // defined(HAVE_LIBBROTLI)
 
   std::string user_agent = "h2load nghttp2/" NGHTTP2_VERSION;
   Headers shared_nva;
@@ -3241,7 +3240,7 @@ int main(int argc, char **argv) {
                                     nclients, rate, max_samples_per_thread));
     auto &worker = workers.back();
     futures.push_back(
-      std::async(std::launch::async, [&worker, &mu, &cv, &ready]() {
+      std::async(std::launch::async, [&worker, &mu, &cv, &ready] {
         {
           std::unique_lock<std::mutex> ulk(mu);
           cv.wait(ulk, [&ready] { return ready; });
@@ -3250,7 +3249,7 @@ int main(int argc, char **argv) {
 
 #  ifdef NGHTTP2_OPENSSL_IS_WOLFSSL
         wc_ecc_fp_free();
-#  endif // NGHTTP2_OPENSSL_IS_WOLFSSL
+#  endif // defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
       }));
   }
 
@@ -3266,7 +3265,7 @@ int main(int argc, char **argv) {
     fut.get();
   }
 
-#else  // NOTHREADS
+#else  // defined(NOTHREADS)
   auto rate = config.rate;
   auto nclients = config.nclients;
   auto nreqs =
@@ -3278,7 +3277,7 @@ int main(int argc, char **argv) {
   auto start = std::chrono::steady_clock::now();
 
   workers.back()->run();
-#endif // NOTHREADS
+#endif // defined(NOTHREADS)
 
   auto end = std::chrono::steady_clock::now();
   auto duration =
@@ -3368,7 +3367,7 @@ traffic: )" << util::utos_funit(as_unsigned(stats.bytes_total))
     std::cout << "UDP datagram: " << stats.udp_dgram_sent << " sent, "
               << stats.udp_dgram_recv << " received" << std::endl;
   }
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
   std::cout
     << R"(                     min         max         mean         sd        +/- sd
 time for request: )"

src/h2load.h

@@ -30,10 +30,10 @@
 #include <sys/types.h>
 #ifdef HAVE_SYS_SOCKET_H
 #  include <sys/socket.h>
-#endif // HAVE_SYS_SOCKET_H
+#endif // defined(HAVE_SYS_SOCKET_H)
 #ifdef HAVE_NETDB_H
 #  include <netdb.h>
-#endif // HAVE_NETDB_H
+#endif // defined(HAVE_NETDB_H)
 #include <sys/un.h>
 
 #include <vector>
@@ -50,7 +50,7 @@
 #ifdef ENABLE_HTTP3
 #  include <ngtcp2/ngtcp2.h>
 #  include <ngtcp2/ngtcp2_crypto.h>
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 
 #include <ev.h>
 
@@ -63,9 +63,9 @@
 #ifdef NGHTTP2_OPENSSL_IS_WOLFSSL
 #  include <wolfssl/options.h>
 #  include <wolfssl/openssl/ssl.h>
-#else // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#else // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 #  include <openssl/ssl.h>
-#endif // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#endif // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 
 #include "http2.h"
 #include "memchunk.h"
@@ -373,7 +373,7 @@ struct Client {
       bool no_gso;
     } tx;
   } quic;
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
   ev_timer request_timeout_watcher;
   addrinfo *next_addr;
   // Address for the current address.  When try_new_connection() is
@@ -521,9 +521,9 @@ struct Client {
   void quic_restart_pkt_timer();
   void quic_write_qlog(const void *data, size_t datalen);
   int quic_make_http3_session();
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 };
 
 } // namespace h2load
 
-#endif // H2LOAD_H
+#endif // !defined(H2LOAD_H)

src/h2load_http1_session.h

@@ -57,4 +57,4 @@ private:
 
 } // namespace h2load
 
-#endif // H2LOAD_HTTP1_SESSION_H
+#endif // !defined(H2LOAD_HTTP1_SESSION_H)

src/h2load_http2_session.cc

@@ -186,7 +186,8 @@ void Http2Session::on_connect() {
 
   nghttp2_session_callbacks_new(&callbacks);
 
-  auto callbacks_deleter = defer(nghttp2_session_callbacks_del, callbacks);
+  auto callbacks_deleter =
+    defer([callbacks] { nghttp2_session_callbacks_del(callbacks); });
 
   nghttp2_session_callbacks_set_on_frame_recv_callback(callbacks,
                                                        on_frame_recv_callback);

src/h2load_http3_session.cc

@@ -33,9 +33,9 @@
 #ifdef NGHTTP2_OPENSSL_IS_WOLFSSL
 #  include <wolfssl/options.h>
 #  include <wolfssl/openssl/rand.h>
-#else // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#else // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 #  include <openssl/rand.h>
-#endif // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#endif // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 
 #include "h2load.h"
 
@@ -424,10 +424,11 @@ int Http3Session::init_conn() {
 
 ssize_t Http3Session::read_stream(uint32_t flags, int64_t stream_id,
                                   const uint8_t *data, size_t datalen) {
-  auto nconsumed = nghttp3_conn_read_stream(
-    conn_, stream_id, data, datalen, flags & NGTCP2_STREAM_DATA_FLAG_FIN);
+  auto nconsumed = nghttp3_conn_read_stream2(
+    conn_, stream_id, data, datalen, flags & NGTCP2_STREAM_DATA_FLAG_FIN,
+    ngtcp2_conn_get_timestamp(client_->quic.conn));
   if (nconsumed < 0) {
-    std::cerr << "nghttp3_conn_read_stream: "
+    std::cerr << "nghttp3_conn_read_stream2: "
               << nghttp3_strerror(static_cast<int>(nconsumed)) << std::endl;
     ngtcp2_ccerr_set_application_error(
       &client_->quic.last_error,

src/h2load_quic.cc

@@ -35,7 +35,7 @@
        // defined(HAVE_LIBNGTCP2_CRYPTO_LIBRESSL)
 #ifdef HAVE_LIBNGTCP2_CRYPTO_BORINGSSL
 #  include <ngtcp2/ngtcp2_crypto_boringssl.h>
-#endif // HAVE_LIBNGTCP2_CRYPTO_BORINGSSL
+#endif // defined(HAVE_LIBNGTCP2_CRYPTO_BORINGSSL)
 
 #include "ssl_compat.h"
 
@@ -43,10 +43,10 @@
 #  include <wolfssl/options.h>
 #  include <wolfssl/openssl/err.h>
 #  include <wolfssl/openssl/rand.h>
-#else // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#else // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 #  include <openssl/err.h>
 #  include <openssl/rand.h>
-#endif // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#endif // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 
 #include "h2load_http3_session.h"
 
@@ -549,7 +549,9 @@ int Client::quic_pkt_timeout() {
     return -1;
   }
 
-  return write_quic();
+  signal_write();
+
+  return 0;
 }
 
 void Client::quic_restart_pkt_timer() {

src/h2load_quic.h

@@ -37,4 +37,4 @@ inline constexpr size_t QUIC_TX_DATALEN = 64_k;
 void quic_pkt_timeout_cb(struct ev_loop *loop, ev_timer *w, int revents);
 } // namespace h2load
 
-#endif // H2LOAD_QUIC_H
+#endif // !defined(H2LOAD_QUIC_H)

src/h2load_session.h

@@ -56,4 +56,4 @@ public:
 
 } // namespace h2load
 
-#endif // H2LOAD_SESSION_H
+#endif // !defined(H2LOAD_SESSION_H)

src/http2.cc

@@ -274,15 +274,16 @@ namespace {
 void capitalize_long(DefaultMemchunks *buf, const std::string_view &s) {
   buf->append(util::upcase(s[0]));
 
-  auto it = s.begin() + 1;
+  auto it = std::ranges::begin(s) + 1;
 
-  for (; it != s.end();) {
-    auto p = std::ranges::find(it, s.end(), '-');
-    p = std::ranges::find_if(p, s.end(), [](auto c) { return c != '-'; });
+  for (; it != std::ranges::end(s);) {
+    auto p = std::ranges::find(it, std::ranges::end(s), '-');
+    p = std::ranges::find_if(p, std::ranges::end(s),
+                             [](auto c) { return c != '-'; });
 
     buf->append(it, p);
 
-    if (p == s.end()) {
+    if (p == std::ranges::end(s)) {
       return;
     }
 

src/http2.h

@@ -433,4 +433,4 @@ std::string encode_extpri(const nghttp2_extpri &extpri);
 
 } // namespace nghttp2
 
-#endif // HTTP2_H
+#endif // !defined(HTTP2_H)

src/http2_test.h

@@ -22,12 +22,12 @@
  * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
  * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
-#ifndef SHRPX_HTTP2_TEST_H
-#define SHRPX_HTTP2_TEST_H
+#ifndef HTTP2_TEST_H
+#define HTTP2_TEST_H
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif // HAVE_CONFIG_H
+#endif // defined(HAVE_CONFIG_H)
 
 #define MUNIT_ENABLE_ASSERT_ALIASES
 
@@ -57,4 +57,4 @@ munit_void_test_decl(test_http2_capitalize)
 
 } // namespace shrpx
 
-#endif // SHRPX_HTTP2_TEST_H
+#endif // !defined(HTTP2_TEST_H)

src/http3.h

@@ -77,4 +77,4 @@ void copy_headers_to_nva_nocopy(std::vector<nghttp3_nv> &nva,
 
 } // namespace nghttp2
 
-#endif // HTTP3_H
+#endif // !defined(HTTP3_H)

src/inflatehd.cc

@@ -24,11 +24,11 @@
  */
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif // HAVE_CONFIG_H
+#endif // defined(HAVE_CONFIG_H)
 
 #ifdef HAVE_UNISTD_H
 #  include <unistd.h>
-#endif // HAVE_UNISTD_H
+#endif // defined(HAVE_UNISTD_H)
 #include <getopt.h>
 
 #include <cstdio>

src/memchunk.h

@@ -34,9 +34,9 @@ struct iovec {
   void *iov_base; /* Pointer to data.  */
   size_t iov_len; /* Length of data.  */
 };
-#else // !_WIN32
+#else // !defined(_WIN32)
 #  include <sys/uio.h>
-#endif // !_WIN32
+#endif // !defined(_WIN32)
 
 #include <cassert>
 #include <cstring>
@@ -569,4 +569,4 @@ using DefaultMemchunkBuffer = MemchunkBuffer<Memchunk16K>;
 
 } // namespace nghttp2
 
-#endif // MEMCHUNK_H
+#endif // !defined(MEMCHUNK_H)

src/memchunk_test.h

@@ -27,7 +27,7 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif // HAVE_CONFIG_H
+#endif // defined(HAVE_CONFIG_H)
 
 #define MUNIT_ENABLE_ASSERT_ALIASES
 
@@ -48,4 +48,4 @@ munit_void_test_decl(test_memchunkbuffer_drain_reset)
 
 } // namespace nghttp2
 
-#endif // MEMCHUNK_TEST_H
+#endif // !defined(MEMCHUNK_TEST_H)

src/network.h

@@ -27,23 +27,23 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif // HAVE_CONFIG_H
+#endif // defined(HAVE_CONFIG_H)
 
 #include <sys/types.h>
 #ifdef HAVE_SYS_SOCKET_H
 #  include <sys/socket.h>
-#endif // HAVE_SYS_SOCKET_H
+#endif // defined(HAVE_SYS_SOCKET_H)
 #ifdef _WIN32
 #  include <ws2tcpip.h>
-#else // !_WIN32
+#else // !defined(_WIN32)
 #  include <sys/un.h>
-#endif // !_WIN32
+#endif // !defined(_WIN32)
 #ifdef HAVE_NETINET_IN_H
 #  include <netinet/in.h>
-#endif // HAVE_NETINET_IN_H
+#endif // defined(HAVE_NETINET_IN_H)
 #ifdef HAVE_ARPA_INET_H
 #  include <arpa/inet.h>
-#endif // HAVE_ARPA_INET_H
+#endif // defined(HAVE_ARPA_INET_H)
 
 namespace nghttp2 {
 
@@ -54,7 +54,7 @@ union sockaddr_union {
   sockaddr_in in;
 #ifndef _WIN32
   sockaddr_un un;
-#endif // !_WIN32
+#endif // !defined(_WIN32)
 };
 
 struct Address {
@@ -64,4 +64,4 @@ struct Address {
 
 } // namespace nghttp2
 
-#endif // NETWORK_H
+#endif // !defined(NETWORK_H)

src/nghttp.cc

@@ -27,13 +27,13 @@
 #include <sys/stat.h>
 #ifdef HAVE_UNISTD_H
 #  include <unistd.h>
-#endif // HAVE_UNISTD_H
+#endif // defined(HAVE_UNISTD_H)
 #ifdef HAVE_FCNTL_H
 #  include <fcntl.h>
-#endif // HAVE_FCNTL_H
+#endif // defined(HAVE_FCNTL_H)
 #ifdef HAVE_NETINET_IN_H
 #  include <netinet/in.h>
-#endif // HAVE_NETINET_IN_H
+#endif // defined(HAVE_NETINET_IN_H)
 #include <netinet/tcp.h>
 #include <getopt.h>
 
@@ -52,13 +52,13 @@
 #ifdef NGHTTP2_OPENSSL_IS_WOLFSSL
 #  include <wolfssl/options.h>
 #  include <wolfssl/openssl/err.h>
-#else // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#else // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 #  include <openssl/err.h>
-#endif // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#endif // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 
 #ifdef HAVE_JANSSON
 #  include <jansson.h>
-#endif // HAVE_JANSSON
+#endif // defined(HAVE_JANSSON)
 
 #include "app_helper.h"
 #include "HtmlParser.h"
@@ -69,7 +69,7 @@
 
 #ifndef O_BINARY
 #  define O_BINARY (0)
-#endif // O_BINARY
+#endif // !defined(O_BINARY)
 
 namespace nghttp2 {
 
@@ -1566,7 +1566,7 @@ void HttpClient::output_har(FILE *outfile) {
   json_dumpf(root, outfile, JSON_PRESERVE_ORDER | JSON_INDENT(2));
   json_decref(root);
 }
-#endif // HAVE_JANSSON
+#endif // defined(HAVE_JANSSON)
 
 namespace {
 void update_html_parser(HttpClient *client, Request *req, const uint8_t *data,
@@ -2176,7 +2176,7 @@ int communicate(
     if (config.ktls) {
       ssl_opts |= SSL_OP_ENABLE_KTLS;
     }
-#endif // SSL_OP_ENABLE_KTLS
+#endif // defined(SSL_OP_ENABLE_KTLS)
 
     SSL_CTX_set_options(ssl_ctx, ssl_opts);
     SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
@@ -2211,7 +2211,7 @@ int communicate(
       result = -1;
       goto fin;
     }
-#endif // NGHTTP2_OPENSSL_IS_WOLFSSL
+#endif // defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 
     if (!config.keyfile.empty()) {
       if (SSL_CTX_use_PrivateKey_file(ssl_ctx, config.keyfile.c_str(),
@@ -2245,7 +2245,8 @@ int communicate(
       result = -1;
       goto fin;
     }
-#endif // NGHTTP2_OPENSSL_IS_BORINGSSL && HAVE_LIBBROTLI
+#endif // defined(NGHTTP2_OPENSSL_IS_BORINGSSL) &&
+       // defined(HAVE_LIBBROTLI)
 
     if (tls::setup_keylog_callback(ssl_ctx) != 0) {
       std::cerr << "[ERROR] Failed to setup keylog" << std::endl;
@@ -2304,7 +2305,7 @@ int communicate(
                   << "har file could not be created." << std::endl;
       }
     }
-#endif // HAVE_JANSSON
+#endif // defined(HAVE_JANSSON)
 
     if (client.success != client.reqvec.size()) {
       std::cerr << "Some requests were not processed. total="
@@ -2380,7 +2381,8 @@ int run(char **uris, int n) {
   nghttp2_session_callbacks *callbacks;
 
   nghttp2_session_callbacks_new(&callbacks);
-  auto cbsdel = defer(nghttp2_session_callbacks_del, callbacks);
+  auto cbsdel =
+    defer([callbacks] { nghttp2_session_callbacks_del(callbacks); });
 
   nghttp2_session_callbacks_set_on_stream_close_callback(
     callbacks, on_stream_close_callback);
@@ -2765,10 +2767,10 @@ int main(int argc, char **argv) {
     case 'r':
 #ifdef HAVE_JANSSON
       config.harfile = optarg;
-#else  // !HAVE_JANSSON
+#else  // !defined(HAVE_JANSSON)
       std::cerr << "[WARNING]: -r, --har option is ignored because\n"
                 << "the binary was not compiled with libjansson." << std::endl;
-#endif // !HAVE_JANSSON
+#endif // !defined(HAVE_JANSSON)
       break;
     case 'v':
       ++config.verbose;
@@ -2828,10 +2830,10 @@ int main(int argc, char **argv) {
     case 'a':
 #ifdef HAVE_LIBXML2
       config.get_assets = true;
-#else  // !HAVE_LIBXML2
+#else  // !defined(HAVE_LIBXML2)
       std::cerr << "[WARNING]: -a, --get-assets option is ignored because\n"
                 << "the binary was not compiled with libxml2." << std::endl;
-#endif // !HAVE_LIBXML2
+#endif // !defined(HAVE_LIBXML2)
       break;
     case 's':
       config.stat = true;

src/nghttp.h

@@ -30,10 +30,10 @@
 #include <sys/types.h>
 #ifdef HAVE_SYS_SOCKET_H
 #  include <sys/socket.h>
-#endif // HAVE_SYS_SOCKET_H
+#endif // defined(HAVE_SYS_SOCKET_H)
 #ifdef HAVE_NETDB_H
 #  include <netdb.h>
-#endif // HAVE_NETDB_H
+#endif // defined(HAVE_NETDB_H)
 
 #include <string>
 #include <vector>
@@ -46,9 +46,9 @@
 #ifdef NGHTTP2_OPENSSL_IS_WOLFSSL
 #  include <wolfssl/options.h>
 #  include <wolfssl/openssl/ssl.h>
-#else // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#else // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 #  include <openssl/ssl.h>
-#endif // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#endif // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 
 #include <ev.h>
 
@@ -261,7 +261,7 @@ struct HttpClient {
 
 #ifdef HAVE_JANSSON
   void output_har(FILE *outfile);
-#endif // HAVE_JANSSON
+#endif // defined(HAVE_JANSSON)
 
   MemchunkPool mcpool;
   DefaultMemchunks wb;
@@ -313,4 +313,4 @@ struct HttpClient {
 
 } // namespace nghttp2
 
-#endif // NGHTTP_H
+#endif // !defined(NGHTTP_H)

src/nghttp2_config.h

@@ -27,6 +27,6 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif // HAVE_CONFIG_H
+#endif // defined(HAVE_CONFIG_H)
 
-#endif // NGHTTP2_CONFIG_H
+#endif // !defined(NGHTTP2_CONFIG_H)

src/nghttp2_gzip.h

@@ -23,17 +23,18 @@
  * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
 #ifndef NGHTTP2_GZIP_H
+#define NGHTTP2_GZIP_H
 
-#  ifdef HAVE_CONFIG_H
-#    include <config.h>
-#  endif /* HAVE_CONFIG_H */
-#  include <zlib.h>
+#ifdef HAVE_CONFIG_H
+#  include <config.h>
+#endif /* defined(HAVE_CONFIG_H) */
+#include <zlib.h>
 
-#  include <nghttp2/nghttp2.h>
+#include <nghttp2/nghttp2.h>
 
-#  ifdef __cplusplus
+#ifdef __cplusplus
 extern "C" {
-#  endif
+#endif /* defined(__cplusplus) */
 
 /**
  * @struct
@@ -115,8 +116,8 @@ int nghttp2_gzip_inflate(nghttp2_gzip *inflater, uint8_t *out,
  */
 int nghttp2_gzip_inflate_finished(nghttp2_gzip *inflater);
 
-#  ifdef __cplusplus
+#ifdef __cplusplus
 }
-#  endif
+#endif /* defined(__cplusplus) */
 
-#endif /* NGHTTP2_GZIP_H */
+#endif /* !defined(NGHTTP2_GZIP_H) */

src/nghttp2_gzip_test.h

@@ -27,11 +27,11 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif /* HAVE_CONFIG_H */
+#endif /* defined(HAVE_CONFIG_H) */
 
 #ifdef __cplusplus
 extern "C" {
-#endif
+#endif /* defined(__cplusplus) */
 
 #define MUNIT_ENABLE_ASSERT_ALIASES
 
@@ -43,6 +43,6 @@ munit_void_test_decl(test_nghttp2_gzip_inflate)
 
 #ifdef __cplusplus
 }
-#endif
+#endif /* defined(__cplusplus) */
 
-#endif /* NGHTTP2_GZIP_TEST_H */
+#endif /* !defined(NGHTTP2_GZIP_TEST_H) */

src/nghttpd.cc

@@ -24,13 +24,9 @@
  */
 #include "nghttp2_config.h"
 
-#ifdef __sgi
-#  define daemon _daemonize
-#endif
-
 #ifdef HAVE_UNISTD_H
 #  include <unistd.h>
-#endif // HAVE_UNISTD_H
+#endif // defined(HAVE_UNISTD_H)
 #include <signal.h>
 #include <getopt.h>
 
@@ -176,6 +172,10 @@ Options:
       << config.mime_types_file << R"(
   --no-content-length
               Don't send content-length header field.
+  --groups=<GROUPS>
+              Specify the supported groups.
+              Default: )"
+      << config.groups << R"(
   --ktls      Enable ktls.
   --version   Display version information and exit.
   -h, --help  Display this help and exit.
@@ -223,6 +223,7 @@ int main(int argc, char **argv) {
       {"encoder-header-table-size", required_argument, &flag, 11},
       {"ktls", no_argument, &flag, 12},
       {"no-rfc7540-pri", no_argument, &flag, 13},
+      {"groups", required_argument, &flag, 14},
       {nullptr, 0, nullptr, 0}};
     int option_index = 0;
     int c = getopt_long(argc, argv, "DVb:c:d:ehm:n:p:va:w:W:", long_options,
@@ -269,14 +270,14 @@ int main(int argc, char **argv) {
 #ifdef NOTHREADS
       std::cerr << "-n: WARNING: Threading disabled at build time, "
                 << "no threads created." << std::endl;
-#else
+#else  // !defined(NOTHREADS)
       auto n = util::parse_uint(optarg);
       if (!n) {
         std::cerr << "-n: Bad option value: " << optarg << std::endl;
         exit(EXIT_FAILURE);
       }
       config.num_worker = static_cast<size_t>(*n);
-#endif // NOTHREADS
+#endif // !defined(NOTHREADS)
       break;
     }
     case 'h':
@@ -414,6 +415,10 @@ int main(int argc, char **argv) {
         std::cerr << "[WARNING]: --no-rfc7540-pri option has been deprecated."
                   << std::endl;
         break;
+      case 14:
+        // groups option
+        config.groups = optarg;
+        break;
       }
       break;
     default:
@@ -447,11 +452,7 @@ int main(int argc, char **argv) {
       std::cerr << "-d option must be specified when -D is used." << std::endl;
       exit(EXIT_FAILURE);
     }
-#ifdef __sgi
-    if (daemon(0, 0, 0, 0) == -1) {
-#else
     if (util::daemonize(0, 0) == -1) {
-#endif
       perror("daemon");
       exit(EXIT_FAILURE);
     }

src/shrpx-unittest.cc

@@ -24,7 +24,7 @@
  */
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif // HAVE_CONFIG_H
+#endif // defined(HAVE_CONFIG_H)
 
 #include "munit.h"
 
@@ -47,7 +47,7 @@
 #include "shrpx_log.h"
 #ifdef ENABLE_HTTP3
 #  include "siphash_test.h"
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 
 int main(int argc, char *argv[]) {
   shrpx::create_config();
@@ -68,7 +68,7 @@ int main(int argc, char *argv[]) {
     base64_suite,
 #ifdef ENABLE_HTTP3
     siphash_suite,
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
     {},
   };
   const MunitSuite suite = {

src/shrpx.cc

@@ -29,38 +29,38 @@
 #include <sys/stat.h>
 #ifdef HAVE_SYS_SOCKET_H
 #  include <sys/socket.h>
-#endif // HAVE_SYS_SOCKET_H
+#endif // defined(HAVE_SYS_SOCKET_H)
 #include <sys/un.h>
 #ifdef HAVE_NETDB_H
 #  include <netdb.h>
-#endif // HAVE_NETDB_H
+#endif // defined(HAVE_NETDB_H)
 #include <signal.h>
 #ifdef HAVE_NETINET_IN_H
 #  include <netinet/in.h>
-#endif // HAVE_NETINET_IN_H
+#endif // defined(HAVE_NETINET_IN_H)
 #ifdef HAVE_ARPA_INET_H
 #  include <arpa/inet.h>
-#endif // HAVE_ARPA_INET_H
+#endif // defined(HAVE_ARPA_INET_H)
 #ifdef HAVE_UNISTD_H
 #  include <unistd.h>
-#endif // HAVE_UNISTD_H
+#endif // defined(HAVE_UNISTD_H)
 #include <getopt.h>
 #ifdef HAVE_SYSLOG_H
 #  include <syslog.h>
-#endif // HAVE_SYSLOG_H
+#endif // defined(HAVE_SYSLOG_H)
 #ifdef HAVE_LIMITS_H
 #  include <limits.h>
-#endif // HAVE_LIMITS_H
+#endif // defined(HAVE_LIMITS_H)
 #ifdef HAVE_SYS_TIME_H
 #  include <sys/time.h>
-#endif // HAVE_SYS_TIME_H
+#endif // defined(HAVE_SYS_TIME_H)
 #include <sys/resource.h>
 #ifdef HAVE_LIBSYSTEMD
 #  include <systemd/sd-daemon.h>
-#endif // HAVE_LIBSYSTEMD
+#endif // defined(HAVE_LIBSYSTEMD)
 #ifdef HAVE_LIBBPF
 #  include <bpf/libbpf.h>
-#endif // HAVE_LIBBPF
+#endif // defined(HAVE_LIBBPF)
 
 #include <cinttypes>
 #include <limits>
@@ -79,11 +79,11 @@
 #  include <wolfssl/openssl/ssl.h>
 #  include <wolfssl/openssl/err.h>
 #  include <wolfssl/openssl/rand.h>
-#else // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#else // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 #  include <openssl/ssl.h>
 #  include <openssl/err.h>
 #  include <openssl/rand.h>
-#endif // !NGHTTP2_OPENSSL_IS_WOLFSSL
+#endif // !defined(NGHTTP2_OPENSSL_IS_WOLFSSL)
 #include <ev.h>
 
 #include <nghttp2/nghttp2.h>
@@ -98,8 +98,8 @@
          // defined(HAVE_LIBNGTCP2_CRYPTO_LIBRESSL)
 #  ifdef HAVE_LIBNGTCP2_CRYPTO_OSSL
 #    include <ngtcp2/ngtcp2_crypto_ossl.h>
-#  endif // HAVE_LIBNGTCP2_CRYPTO_OSSL
-#endif   // ENABLE_HTTP3
+#  endif // defined(HAVE_LIBNGTCP2_CRYPTO_OSSL)
+#endif   // defined(ENABLE_HTTP3)
 
 #include "shrpx_config.h"
 #include "shrpx_tls.h"
@@ -189,7 +189,7 @@ struct WorkerProcess {
 #ifdef ENABLE_HTTP3
                 ,
                 int quic_ipc_fd, std::vector<WorkerID> worker_ids, uint16_t seq
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
                 )
     : loop(loop),
       worker_pid(worker_pid),
@@ -199,7 +199,7 @@ struct WorkerProcess {
       quic_ipc_fd(quic_ipc_fd),
       worker_ids(std::move(worker_ids)),
       seq(seq)
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
   {
     ev_child_init(&worker_process_childev, worker_process_child_cb, worker_pid,
                   0);
@@ -214,7 +214,7 @@ struct WorkerProcess {
     if (quic_ipc_fd != -1) {
       close(quic_ipc_fd);
     }
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 
     if (ipc_fd != -1) {
       shutdown(ipc_fd, SHUT_WR);
@@ -231,7 +231,7 @@ struct WorkerProcess {
   int quic_ipc_fd;
   std::vector<WorkerID> worker_ids;
   uint16_t seq;
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 };
 
 namespace {
@@ -243,7 +243,7 @@ std::deque<std::unique_ptr<WorkerProcess>> worker_processes;
 
 #ifdef ENABLE_HTTP3
 uint16_t worker_process_seq;
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 } // namespace
 
 namespace {
@@ -439,7 +439,7 @@ void shrpx_sd_notifyf(int unset_environment, const char *format, ...) {
   va_start(args, format);
   sd_notifyf(unset_environment, format, va_arg(args, char *));
   va_end(args);
-#endif // HAVE_LIBSYSTEMD
+#endif // defined(HAVE_LIBSYSTEMD)
 }
 } // namespace
 
@@ -566,7 +566,7 @@ void exec_binary() {
     quic_lwps.emplace_back(s);
     envp[envidx++] = const_cast<char *>(quic_lwps.back().c_str());
   }
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 
   for (size_t i = 0; i < envlen; ++i) {
     auto env = std::string_view{environ[i]};
@@ -719,7 +719,7 @@ int create_unix_domain_server_socket(
                << xsi_strerror(error, errbuf.data(), errbuf.size());
     return -1;
   }
-#else  // !SOCK_NONBLOCK
+#else  // !defined(SOCK_NONBLOCK)
   auto fd = socket(AF_UNIX, SOCK_STREAM, 0);
   if (fd == -1) {
     auto error = errno;
@@ -728,7 +728,7 @@ int create_unix_domain_server_socket(
     return -1;
   }
   util::make_socket_nonblocking(fd);
-#endif // !SOCK_NONBLOCK
+#endif // !defined(SOCK_NONBLOCK)
   int val = 1;
   if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &val,
                  static_cast<socklen_t>(sizeof(val))) == -1) {
@@ -985,7 +985,7 @@ get_inherited_quic_lingering_worker_process_from_env() {
   return lwps;
 }
 } // namespace
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 
 namespace {
 int create_unix_domain_listener_socket(
@@ -1020,18 +1020,14 @@ int create_unix_domain_listener_socket(
 
 namespace {
 int call_daemon() {
-#ifdef __sgi
-  return _daemonize(0, 0, 0, 0);
-#else // !__sgi
-#  ifdef HAVE_LIBSYSTEMD
+#ifdef HAVE_LIBSYSTEMD
   if (sd_booted() && (getenv("NOTIFY_SOCKET") != nullptr)) {
     LOG(NOTICE) << "Daemonising disabled under systemd";
     chdir("/");
     return 0;
   }
-#  endif // HAVE_LIBSYSTEMD
+#endif // defined(HAVE_LIBSYSTEMD)
   return util::daemonize(0, 0);
-#endif   // !__sgi
 }
 } // namespace
 
@@ -1155,7 +1151,7 @@ collect_quic_lingering_worker_processes() {
   return quic_lwps;
 }
 } // namespace
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 
 namespace {
 ev_signal reopen_log_signalev;
@@ -1291,14 +1287,14 @@ pid_t fork_worker_process(int &main_ipc_fd
 #ifdef ENABLE_HTTP3
                           ,
                           int &wp_quic_ipc_fd
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
                           ,
                           const std::vector<InheritedUNIXDomainAddr> &iaddrs
 #ifdef ENABLE_HTTP3
                           ,
                           std::vector<WorkerID> worker_ids,
                           std::vector<QUICLingeringWorkerProcess> quic_lwps
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 ) {
   std::array<char, STRERROR_BUFSIZE> errbuf;
   int rv;
@@ -1318,7 +1314,7 @@ pid_t fork_worker_process(int &main_ipc_fd
   if (rv != 0) {
     return -1;
   }
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 
   rv = shrpx_signal_block_all(&oldset);
   if (rv != 0) {
@@ -1364,7 +1360,7 @@ pid_t fork_worker_process(int &main_ipc_fd
       // Do not close quic_ipc_fd.
       wp->quic_ipc_fd = -1;
     }
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 
     if (!config->single_process) {
       close(worker_process_ready_ipc_fd[0]);
@@ -1398,7 +1394,7 @@ pid_t fork_worker_process(int &main_ipc_fd
       close(ipc_fd[1]);
 #ifdef ENABLE_HTTP3
       close(quic_ipc_fd[1]);
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
     }
 
     WorkerProcessConfig wpconf{
@@ -1408,7 +1404,7 @@ pid_t fork_worker_process(int &main_ipc_fd
       .worker_ids = std::move(worker_ids),
       .quic_ipc_fd = quic_ipc_fd[0],
       .quic_lingering_worker_processes = std::move(quic_lwps),
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
     };
     rv = worker_process_event_loop(&wpconf);
     if (rv != 0) {
@@ -1453,7 +1449,7 @@ pid_t fork_worker_process(int &main_ipc_fd
 #ifdef ENABLE_HTTP3
     close(quic_ipc_fd[0]);
     close(quic_ipc_fd[1]);
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 
     return -1;
   }
@@ -1461,7 +1457,7 @@ pid_t fork_worker_process(int &main_ipc_fd
   close(ipc_fd[0]);
 #ifdef ENABLE_HTTP3
   close(quic_ipc_fd[0]);
-#endif // ENABLE_HTTP3
+#endif // defined(ENABLE_HTTP3)
 
   main_ipc_fd = ipc_fd[1];
 #ifdef ENABLE_HTTP3
@@ -1647,7 +1643,7 @@ void fill_default_config(Config *config) {
       memcachedconf.family = AF_UNSPEC;
     }
 
-    ticketconf.cipher = EVP_aes_128_cbc();
+    ticketconf.cipher = nghttp2::tls::aes_128_cbc();
   }
 
   {
@@ -1666,7 +1662,7 @@ void fill_default_config(Config *config) {
   tlsconf.max_proto_version =
     tls::proto_version_from_string(DEFAULT_TLS_MAX_PROTO_VERSION);
   tlsconf.max_early_data = 16_k;
-  tlsconf.ecdh_curves = "X25519:P-256:P-384:P-521"sv;
+  tlsconf.groups = "X25519:P-256:P-384:P-521"sv;
 
   auto &httpconf = config->http;
   httpconf.server_name = "nghttpx"sv;
@@ -2405,39 +2401,39 @@ SSL/TLS:
   --ciphers=<SUITE>
               Set allowed  cipher list  for frontend  connection.  The
               format of the string is described in OpenSSL ciphers(1).
-              This option  sets cipher suites for  TLSv1.2 or earlier.
-              Use --tls13-ciphers for TLSv1.3.
+              This  option  sets  cipher   suites  for  TLSv1.2.   Use
+              --tls13-ciphers for TLSv1.3.
               Default: )"
       << config->tls.ciphers << R"(
   --tls13-ciphers=<SUITE>
               Set allowed  cipher list  for frontend  connection.  The
               format of the string is described in OpenSSL ciphers(1).
               This  option  sets  cipher   suites  for  TLSv1.3.   Use
-              --ciphers for TLSv1.2 or earlier.
+              --ciphers for TLSv1.2.
               Default: )"
       << config->tls.tls13_ciphers << R"(
   --client-ciphers=<SUITE>
               Set  allowed cipher  list for  backend connection.   The
               format of the string is described in OpenSSL ciphers(1).
-              This option  sets cipher suites for  TLSv1.2 or earlier.
-              Use --tls13-client-ciphers for TLSv1.3.
+              This  option  sets  cipher   suites  for  TLSv1.2.   Use
+              --tls13-client-ciphers for TLSv1.3.
               Default: )"
       << config->tls.client.ciphers << R"(
   --tls13-client-ciphers=<SUITE>
               Set  allowed cipher  list for  backend connection.   The
               format of the string is described in OpenSSL ciphers(1).
               This  option  sets  cipher   suites  for  TLSv1.3.   Use
-              --tls13-client-ciphers for TLSv1.2 or earlier.
+              --client-ciphers for TLSv1.2.
               Default: )"
       << config->tls.client.tls13_ciphers << R"(
-  --ecdh-curves=<LIST>
-              Set  supported  curve  list  for  frontend  connections.
-              <LIST> is a  colon separated list of curve  NID or names
+  --groups=<LIST>
+              Set the  supported group list for  frontend connections.
+              <LIST> is a  colon separated list of group  NID or names
               in the preference order.  The supported curves depend on
               the  linked  OpenSSL  library.  This  function  requires
               OpenSSL >= 1.0.2.
               Default: )"
-      << config->tls.ecdh_curves << R"(
+      << config->tls.groups << R"(
   -k, --insecure
               Don't  verify backend  server's  certificate  if TLS  is
               enabled for backend connections.
@@ -2456,12 +2452,12 @@ SSL/TLS:
               Specify  additional certificate  and  private key  file.
               nghttpx will  choose certificates based on  the hostname
               indicated by client using TLS SNI extension.  If nghttpx
-              is  built with  OpenSSL  >= 1.0.2,  the shared  elliptic
-              curves (e.g., P-256) between  client and server are also
-              taken into  consideration.  This allows nghttpx  to send
-              ECDSA certificate  to modern clients, while  sending RSA
-              based certificate to older  clients.  This option can be
-              used  multiple  times.
+              is built with OpenSSL >= 1.0.2, the signature algorithms
+              (e.g., ECDSA+SHA256) presented by  client are also taken
+              into consideration.  This allows  nghttpx to send ML-DSA
+              or ECDSA  certificate to  modern clients,  while sending
+              RSA based certificate to older clients.  This option can
+              be used multiple times.
 
               Additional parameter  can be specified in  <PARAM>.  The
               available <PARAM> is "sct-dir=<DIR>".
@@ -2507,16 +2503,12 @@ SSL/TLS:
               --tls-min-proto-version and  --tls-max-proto-version are
               enabled.  If the protocol list advertised by client does
               not  overlap  this range,  you  will  receive the  error
-              message "unknown protocol".  If a protocol version lower
-              than TLSv1.2 is specified, make sure that the compatible
-              ciphers are  included in --ciphers option.   The default
-              cipher  list  only   includes  ciphers  compatible  with
-              TLSv1.2 or above.  The available versions are:
+              message "unknown protocol".  The available versions are:
               )"
 #ifdef TLS1_3_VERSION
-         "TLSv1.3, "
+         "TLSv1.3 and "
 #endif // TLS1_3_VERSION
-         "TLSv1.2, TLSv1.1, and TLSv1.0"
+         "TLSv1.2"
          R"(
               Default: )"
       << DEFAULT_TLS_MIN_PROTO_VERSION
@@ -2530,9 +2522,9 @@ SSL/TLS:
               message "unknown protocol".  The available versions are:
               )"
 #ifdef TLS1_3_VERSION
-         "TLSv1.3, "
+         "TLSv1.3 and "
 #endif // TLS1_3_VERSION
-         "TLSv1.2, TLSv1.1, and TLSv1.0"
+         "TLSv1.2"
          R"(
               Default: )"
       << DEFAULT_TLS_MAX_PROTO_VERSION << R"(
@@ -3978,6 +3970,7 @@ int main(int argc, char **argv) {
        195},
       {SHRPX_OPT_FRONTEND_HTTP3_IDLE_TIMEOUT.data(), required_argument, &flag,
        196},
+      {SHRPX_OPT_GROUPS.data(), required_argument, &flag, 197},
       {nullptr, 0, nullptr, 0}};
 
     int option_index = 0;
@@ -4903,6 +4896,10 @@ int main(int argc, char **argv) {
         cmdcfgs.emplace_back(SHRPX_OPT_FRONTEND_HTTP3_IDLE_TIMEOUT,
                              std::string_view{optarg});
         break;
+      case 197:
+        // --groups
+        cmdcfgs.emplace_back(SHRPX_OPT_GROUPS, std::string_view{optarg});
+        break;
       default:
         break;
       }

src/shrpx.h

@@ -27,12 +27,12 @@
 
 #ifdef HAVE_CONFIG_H
 #  include <config.h>
-#endif // HAVE_CONFIG_H
+#endif // defined(HAVE_CONFIG_H)
 
 #include <sys/types.h>
 #ifdef HAVE_SYS_SOCKET_H
 #  include <sys/socket.h>
-#endif // HAVE_SYS_SOCKET_H
+#endif // defined(HAVE_SYS_SOCKET_H)
 
 #include <cassert>
 
@@ -40,9 +40,9 @@
 
 #ifndef HAVE__EXIT
 #  define nghttp2_Exit(status) _exit(status)
-#else // HAVE__EXIT
+#else // defined(HAVE__EXIT)
 #  define nghttp2_Exit(status) _Exit(status)
-#endif // HAVE__EXIT
+#endif // defined(HAVE__EXIT)
 
 #define DIE() nghttp2_Exit(EXIT_FAILURE)
 
@@ -55,10 +55,10 @@ inline int initgroups(const char *user, gid_t group) { return 0; }
 enum bpf_stats_type {
   BPF_STATS_RUN_TIME = 0,
 };
-#endif // !HAVE_BPF_STATS_TYPE
+#endif // !defined(HAVE_BPF_STATS_TYPE)
 
 #ifdef NOTHREADS
 #  define thread_local
 #endif // defined(NOTHREADS)
 
-#endif // SHRPX_H
+#endif // !defined(SHRPX_H)

src/shrpx_accept_handler.cc

@@ -26,7 +26,7 @@
 
 #ifdef HAVE_UNISTD_H
 #  include <unistd.h>
-#endif // HAVE_UNISTD_H
+#endif // defined(HAVE_UNISTD_H)
 
 #include <cerrno>
 
@@ -66,9 +66,9 @@ void AcceptHandler::accept_connection() {
 #ifdef HAVE_ACCEPT4
   auto cfd =
     accept4(faddr_->fd, &sockaddr.sa, &addrlen, SOCK_NONBLOCK | SOCK_CLOEXEC);
-#else  // !HAVE_ACCEPT4
+#else  // !defined(HAVE_ACCEPT4)
   auto cfd = accept(faddr_->fd, &sockaddr.sa, &addrlen);
-#endif // !HAVE_ACCEPT4
+#endif // !defined(HAVE_ACCEPT4)
 
   if (cfd == -1) {
     switch (errno) {
@@ -79,7 +79,7 @@ void AcceptHandler::accept_connection() {
     case EHOSTDOWN:
 #ifdef ENONET
     case ENONET:
-#endif // ENONET
+#endif // defined(ENONET)
     case EHOSTUNREACH:
     case EOPNOTSUPP:
     case ENETUNREACH:
@@ -98,7 +98,7 @@ void AcceptHandler::accept_connection() {
 #ifndef HAVE_ACCEPT4
   util::make_socket_nonblocking(cfd);
   util::make_socket_closeonexec(cfd);
-#endif // !HAVE_ACCEPT4
+#endif // !defined(HAVE_ACCEPT4)
 
   worker_->handle_connection(cfd, &sockaddr.sa, addrlen, faddr_);
 }

src/shrpx_accept_handler.h

@@ -51,4 +51,4 @@ private:
 
 } // namespace shrpx
 
-#endif // SHRPX_ACCEPT_HANDLER_H
+#endif // !defined(SHRPX_ACCEPT_HANDLER_H)