Update k8s dependencies to v1.22.0-rc.0
This commit is contained in:
Chris Henzie
56
vendor/golang.org/x/net/http2/server.go
generated
vendored
56
vendor/golang.org/x/net/http2/server.go
generated
vendored
@@ -231,13 +231,12 @@ func ConfigureServer(s *http.Server, conf *Server) error {
|
||||
|
||||
if s.TLSConfig == nil {
|
||||
s.TLSConfig = new(tls.Config)
|
||||
} else if s.TLSConfig.CipherSuites != nil {
|
||||
// If they already provided a CipherSuite list, return
|
||||
// an error if it has a bad order or is missing
|
||||
// ECDHE_RSA_WITH_AES_128_GCM_SHA256 or ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
|
||||
} else if s.TLSConfig.CipherSuites != nil && s.TLSConfig.MinVersion < tls.VersionTLS13 {
|
||||
// If they already provided a TLS 1.0–1.2 CipherSuite list, return an
|
||||
// error if it is missing ECDHE_RSA_WITH_AES_128_GCM_SHA256 or
|
||||
// ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
|
||||
haveRequired := false
|
||||
sawBad := false
|
||||
for i, cs := range s.TLSConfig.CipherSuites {
|
||||
for _, cs := range s.TLSConfig.CipherSuites {
|
||||
switch cs {
|
||||
case tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
// Alternative MTI cipher to not discourage ECDSA-only servers.
|
||||
@@ -245,14 +244,9 @@ func ConfigureServer(s *http.Server, conf *Server) error {
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
|
||||
haveRequired = true
|
||||
}
|
||||
if isBadCipher(cs) {
|
||||
sawBad = true
|
||||
} else if sawBad {
|
||||
return fmt.Errorf("http2: TLSConfig.CipherSuites index %d contains an HTTP/2-approved cipher suite (%#04x), but it comes after unapproved cipher suites. With this configuration, clients that don't support previous, approved cipher suites may be given an unapproved one and reject the connection.", i, cs)
|
||||
}
|
||||
}
|
||||
if !haveRequired {
|
||||
return fmt.Errorf("http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256).")
|
||||
return fmt.Errorf("http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)")
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1293,7 +1287,9 @@ func (sc *serverConn) startGracefulShutdown() {
|
||||
sc.shutdownOnce.Do(func() { sc.sendServeMsg(gracefulShutdownMsg) })
|
||||
}
|
||||
|
||||
// After sending GOAWAY, the connection will close after goAwayTimeout.
|
||||
// After sending GOAWAY with an error code (non-graceful shutdown), the
|
||||
// connection will close after goAwayTimeout.
|
||||
//
|
||||
// If we close the connection immediately after sending GOAWAY, there may
|
||||
// be unsent data in our kernel receive buffer, which will cause the kernel
|
||||
// to send a TCP RST on close() instead of a FIN. This RST will abort the
|
||||
@@ -1629,23 +1625,37 @@ func (sc *serverConn) processSettingInitialWindowSize(val uint32) error {
|
||||
|
||||
func (sc *serverConn) processData(f *DataFrame) error {
|
||||
sc.serveG.check()
|
||||
if sc.inGoAway && sc.goAwayCode != ErrCodeNo {
|
||||
id := f.Header().StreamID
|
||||
if sc.inGoAway && (sc.goAwayCode != ErrCodeNo || id > sc.maxClientStreamID) {
|
||||
// Discard all DATA frames if the GOAWAY is due to an
|
||||
// error, or:
|
||||
//
|
||||
// Section 6.8: After sending a GOAWAY frame, the sender
|
||||
// can discard frames for streams initiated by the
|
||||
// receiver with identifiers higher than the identified
|
||||
// last stream.
|
||||
return nil
|
||||
}
|
||||
data := f.Data()
|
||||
|
||||
// "If a DATA frame is received whose stream is not in "open"
|
||||
// or "half closed (local)" state, the recipient MUST respond
|
||||
// with a stream error (Section 5.4.2) of type STREAM_CLOSED."
|
||||
id := f.Header().StreamID
|
||||
data := f.Data()
|
||||
state, st := sc.state(id)
|
||||
if id == 0 || state == stateIdle {
|
||||
// Section 6.1: "DATA frames MUST be associated with a
|
||||
// stream. If a DATA frame is received whose stream
|
||||
// identifier field is 0x0, the recipient MUST respond
|
||||
// with a connection error (Section 5.4.1) of type
|
||||
// PROTOCOL_ERROR."
|
||||
//
|
||||
// Section 5.1: "Receiving any frame other than HEADERS
|
||||
// or PRIORITY on a stream in this state MUST be
|
||||
// treated as a connection error (Section 5.4.1) of
|
||||
// type PROTOCOL_ERROR."
|
||||
return ConnectionError(ErrCodeProtocol)
|
||||
}
|
||||
|
||||
// "If a DATA frame is received whose stream is not in "open"
|
||||
// or "half closed (local)" state, the recipient MUST respond
|
||||
// with a stream error (Section 5.4.2) of type STREAM_CLOSED."
|
||||
if st == nil || state != stateOpen || st.gotTrailerHeader || st.resetQueued {
|
||||
// This includes sending a RST_STREAM if the stream is
|
||||
// in stateHalfClosedLocal (which currently means that
|
||||
@@ -2773,8 +2783,12 @@ func (w *responseWriter) Push(target string, opts *http.PushOptions) error {
|
||||
// but PUSH_PROMISE requests cannot have a body.
|
||||
// http://tools.ietf.org/html/rfc7540#section-8.2
|
||||
// Also disallow Host, since the promised URL must be absolute.
|
||||
switch strings.ToLower(k) {
|
||||
case "content-length", "content-encoding", "trailer", "te", "expect", "host":
|
||||
if asciiEqualFold(k, "content-length") ||
|
||||
asciiEqualFold(k, "content-encoding") ||
|
||||
asciiEqualFold(k, "trailer") ||
|
||||
asciiEqualFold(k, "te") ||
|
||||
asciiEqualFold(k, "expect") ||
|
||||
asciiEqualFold(k, "host") {
|
||||
return fmt.Errorf("promised request headers cannot include %q", k)
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user