HTTP/2 support

HTTP/2 gives a number of optimizations, while keeping support for the
protocol.  HTTP/2 support was recently added to the Redfish
specification.  The largest performance increase in bmc usage is likely
header compression.  Almost all requests reuse the same header values,
so the hpack based compression scheme in HTTP/2 allows OpenBMC to be
more efficient as a transport, and has the potential to significantly
reduce the number of bytes we're sending on the wire.

This commit adds HTTP2 support to bmcweb through nghttp2 library.  When
static linked into bmcweb, this support adds 53.4KB to the bmcweb binary
size.  nghttp2 is available in meta-oe already.

Given the experimental nature of this option, it is added under the
meson option "experimental-http2" and disabled by default.  The hope is
to enable it at some point in the future.

To accomplish the above, there a new class, HTTP2Connection is created.
This is intended to isolate HTTP/2 connections code from HttpConnection
such that it is far less likely to cause bugs, although it does
duplicate about 20 lines of code (async_read_some, async_write_some,
buffers, etc).  This seems worth it for the moment.

In a similar way to Websockets, when an HTTP/2 connection is detected
through ALPN, the HTTP2Connection class will be instantiated, and the
socket object passed to it, thus allowing the Connection class to be
destroyed, and the HTTP2Connection to take over for the user.

Tested: Redfish service validator passes with option enabled
With option disabled
GET /redfish/v1 in curl shows ALPN non negotiation, and fallback to
http1.1

With the option enable
GET /redfish/v1 in curl shows ALPN negotiates to HTTP2

Change-Id: I7839e457e0ba918b0695e04babddd0925ed3383c
Signed-off-by: Ed Tanous <edtanous@google.com>
diff --git a/config/bmcweb_config.h.in b/config/bmcweb_config.h.in
index 933c6e8..3fd3ea8 100644
--- a/config/bmcweb_config.h.in
+++ b/config/bmcweb_config.h.in
@@ -22,4 +22,6 @@
 constexpr const bool bmcwebEnableProcMemStatus = @BMCWEB_ENABLE_PROC_MEM_STATUS@ == 1;
 
 constexpr const bool bmcwebEnableMultiHost = @BMCWEB_ENABLE_MULTI_HOST@ == 1;
+
+constexpr const bool bmcwebEnableHTTP2 = @BMCWEB_ENABLE_HTTP2@ == 1;
 // clang-format on
diff --git a/config/meson.build b/config/meson.build
index 11ef95c..8a72a63 100644
--- a/config/meson.build
+++ b/config/meson.build
@@ -18,6 +18,8 @@
 conf_data.set10('BMCWEB_ENABLE_PROC_MEM_STATUS', enable_proc_mem_status.enabled())
 enable_multi_host = get_option('experimental-redfish-multi-computer-system')
 conf_data.set10('BMCWEB_ENABLE_MULTI_HOST', enable_multi_host.enabled())
+enable_http2 = get_option('experimental-http2')
+conf_data.set10('BMCWEB_ENABLE_HTTP2', enable_http2.enabled())
 
 # Logging level
 loglvlopt = get_option('bmcweb-logging')
diff --git a/http/http2_connection.hpp b/http/http2_connection.hpp
new file mode 100644
index 0000000..dad5089
--- /dev/null
+++ b/http/http2_connection.hpp
@@ -0,0 +1,555 @@
+#pragma once
+#include "bmcweb_config.h"
+
+#include "async_resp.hpp"
+#include "authentication.hpp"
+#include "complete_response_fields.hpp"
+#include "http_response.hpp"
+#include "http_utility.hpp"
+#include "logging.hpp"
+#include "mutual_tls.hpp"
+#include "nghttp2_adapters.hpp"
+#include "ssl_key_handler.hpp"
+#include "utility.hpp"
+
+#include <boost/algorithm/string/predicate.hpp>
+#include <boost/asio/io_context.hpp>
+#include <boost/asio/ip/tcp.hpp>
+#include <boost/asio/ssl/stream.hpp>
+#include <boost/asio/steady_timer.hpp>
+#include <boost/beast/core/multi_buffer.hpp>
+#include <boost/beast/http/error.hpp>
+#include <boost/beast/http/parser.hpp>
+#include <boost/beast/http/read.hpp>
+#include <boost/beast/http/serializer.hpp>
+#include <boost/beast/http/string_body.hpp>
+#include <boost/beast/http/write.hpp>
+#include <boost/beast/ssl/ssl_stream.hpp>
+#include <boost/beast/websocket.hpp>
+
+#include <atomic>
+#include <chrono>
+#include <vector>
+
+namespace crow
+{
+
+struct Http2StreamData
+{
+    crow::Request req{};
+    crow::Response res{};
+    size_t sentSofar = 0;
+};
+
+template <typename Adaptor, typename Handler>
+class HTTP2Connection :
+    public std::enable_shared_from_this<HTTP2Connection<Adaptor, Handler>>
+{
+    using self_type = HTTP2Connection<Adaptor, Handler>;
+
+  public:
+    HTTP2Connection(Adaptor&& adaptorIn, Handler* handlerIn,
+                    std::function<std::string()>& getCachedDateStrF
+
+                    ) :
+        adaptor(std::move(adaptorIn)),
+
+        ngSession(initializeNghttp2Session()),
+
+        handler(handlerIn), getCachedDateStr(getCachedDateStrF)
+    {}
+
+    void start()
+    {
+        // Create the control stream
+        streams.emplace(0, std::make_unique<Http2StreamData>());
+
+        if (sendServerConnectionHeader() != 0)
+        {
+            BMCWEB_LOG_ERROR << "send_server_connection_header failed";
+            return;
+        }
+        doRead();
+    }
+
+    int sendServerConnectionHeader()
+    {
+        BMCWEB_LOG_DEBUG << "send_server_connection_header()";
+
+        uint32_t maxStreams = 4;
+        std::array<nghttp2_settings_entry, 2> iv = {
+            {{NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS, maxStreams},
+             {NGHTTP2_SETTINGS_ENABLE_PUSH, 0}}};
+        int rv = ngSession.submitSettings(iv);
+        if (rv != 0)
+        {
+            BMCWEB_LOG_ERROR << "Fatal error: " << nghttp2_strerror(rv);
+            return -1;
+        }
+        return 0;
+    }
+
+    static ssize_t fileReadCallback(nghttp2_session* /* session */,
+                                    int32_t /* stream_id */, uint8_t* buf,
+                                    size_t length, uint32_t* dataFlags,
+                                    nghttp2_data_source* source,
+                                    void* /*unused*/)
+    {
+        if (source == nullptr || source->ptr == nullptr)
+        {
+            BMCWEB_LOG_DEBUG << "Source was null???";
+            return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+        }
+
+        BMCWEB_LOG_DEBUG << "File read callback length: " << length;
+        // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
+        Http2StreamData* str = reinterpret_cast<Http2StreamData*>(source->ptr);
+        crow::Response& res = str->res;
+
+        BMCWEB_LOG_DEBUG << "total: " << res.body().size()
+                         << " send_sofar: " << str->sentSofar;
+
+        size_t toSend = std::min(res.body().size() - str->sentSofar, length);
+        BMCWEB_LOG_DEBUG << "Copying " << toSend << " bytes to buf";
+
+        std::string::iterator bodyBegin = res.body().begin();
+        std::advance(bodyBegin, str->sentSofar);
+
+        memcpy(buf, &*bodyBegin, toSend);
+        str->sentSofar += toSend;
+
+        if (str->sentSofar >= res.body().size())
+        {
+            BMCWEB_LOG_DEBUG << "Setting OEF flag";
+            *dataFlags |= NGHTTP2_DATA_FLAG_EOF;
+            //*dataFlags |= NGHTTP2_DATA_FLAG_NO_COPY;
+        }
+        return static_cast<ssize_t>(toSend);
+    }
+
+    nghttp2_nv headerFromStringViews(std::string_view name,
+                                     std::string_view value)
+    {
+        uint8_t* nameData = std::bit_cast<uint8_t*>(name.data());
+        uint8_t* valueData = std::bit_cast<uint8_t*>(value.data());
+        return {nameData, valueData, name.size(), value.size(),
+                NGHTTP2_NV_FLAG_NONE};
+    }
+
+    int sendResponse(Response& completedRes, int32_t streamId)
+    {
+        BMCWEB_LOG_DEBUG << "send_response stream_id:" << streamId;
+
+        auto it = streams.find(streamId);
+        if (it == streams.end())
+        {
+            close();
+            return -1;
+        }
+        Response& thisRes = it->second->res;
+        thisRes = std::move(completedRes);
+        crow::Request& thisReq = it->second->req;
+        std::vector<nghttp2_nv> hdr;
+
+        completeResponseFields(thisReq, thisRes);
+        thisRes.addHeader(boost::beast::http::field::date, getCachedDateStr());
+
+        boost::beast::http::fields& fields = thisRes.stringResponse->base();
+        std::string code = std::to_string(thisRes.stringResponse->result_int());
+        hdr.emplace_back(headerFromStringViews(":status", code));
+        for (const boost::beast::http::fields::value_type& header : fields)
+        {
+            hdr.emplace_back(
+                headerFromStringViews(header.name_string(), header.value()));
+        }
+        Http2StreamData* streamPtr = it->second.get();
+        streamPtr->sentSofar = 0;
+
+        nghttp2_data_provider dataPrd{
+            .source{
+                .ptr = streamPtr,
+            },
+            .read_callback = fileReadCallback,
+        };
+
+        int rv = ngSession.submitResponse(streamId, hdr, &dataPrd);
+        if (rv != 0)
+        {
+            BMCWEB_LOG_ERROR << "Fatal error: " << nghttp2_strerror(rv);
+            close();
+            return -1;
+        }
+        ngSession.send();
+
+        return 0;
+    }
+
+    nghttp2_session initializeNghttp2Session()
+    {
+        nghttp2_session_callbacks callbacks;
+        callbacks.setOnFrameRecvCallback(onFrameRecvCallbackStatic);
+        callbacks.setOnStreamCloseCallback(onStreamCloseCallbackStatic);
+        callbacks.setOnHeaderCallback(onHeaderCallbackStatic);
+        callbacks.setOnBeginHeadersCallback(onBeginHeadersCallbackStatic);
+        callbacks.setSendCallback(onSendCallbackStatic);
+
+        nghttp2_session session(callbacks);
+        session.setUserData(this);
+
+        return session;
+    }
+
+    int onRequestRecv(int32_t streamId)
+    {
+        BMCWEB_LOG_DEBUG << "on_request_recv";
+
+        auto it = streams.find(streamId);
+        if (it == streams.end())
+        {
+            close();
+            return -1;
+        }
+
+        crow::Request& thisReq = it->second->req;
+        BMCWEB_LOG_DEBUG << "Handling " << &thisReq << " \""
+                         << thisReq.url().encoded_path() << "\"";
+
+        crow::Response& thisRes = it->second->res;
+
+        thisRes.setCompleteRequestHandler(
+            [this, streamId](Response& completeRes) {
+            BMCWEB_LOG_DEBUG << "res.completeRequestHandler called";
+            if (sendResponse(completeRes, streamId) != 0)
+            {
+                close();
+                return;
+            }
+        });
+        auto asyncResp =
+            std::make_shared<bmcweb::AsyncResp>(std::move(it->second->res));
+        handler->handle(thisReq, asyncResp);
+
+        return 0;
+    }
+
+    int onFrameRecvCallback(const nghttp2_frame& frame)
+    {
+        BMCWEB_LOG_DEBUG << "frame type " << static_cast<int>(frame.hd.type);
+        switch (frame.hd.type)
+        {
+            case NGHTTP2_DATA:
+            case NGHTTP2_HEADERS:
+                // Check that the client request has finished
+                if ((frame.hd.flags & NGHTTP2_FLAG_END_STREAM) != 0)
+                {
+                    return onRequestRecv(frame.hd.stream_id);
+                }
+                break;
+            default:
+                break;
+        }
+        return 0;
+    }
+
+    static int onFrameRecvCallbackStatic(nghttp2_session* /* session */,
+                                         const nghttp2_frame* frame,
+                                         void* userData)
+    {
+        BMCWEB_LOG_DEBUG << "on_frame_recv_callback";
+        if (userData == nullptr)
+        {
+            BMCWEB_LOG_CRITICAL << "user data was null?";
+            return NGHTTP2_ERR_CALLBACK_FAILURE;
+        }
+        if (frame == nullptr)
+        {
+            BMCWEB_LOG_CRITICAL << "frame was null?";
+            return NGHTTP2_ERR_CALLBACK_FAILURE;
+        }
+        return userPtrToSelf(userData).onFrameRecvCallback(*frame);
+    }
+
+    static self_type& userPtrToSelf(void* userData)
+    {
+        // This method exists to keep the unsafe reinterpret cast in one
+        // place.
+        // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
+        return *reinterpret_cast<self_type*>(userData);
+    }
+
+    static int onStreamCloseCallbackStatic(nghttp2_session* /* session */,
+                                           int32_t streamId,
+                                           uint32_t /*unused*/, void* userData)
+    {
+        BMCWEB_LOG_DEBUG << "on_stream_close_callback stream " << streamId;
+        if (userData == nullptr)
+        {
+            BMCWEB_LOG_CRITICAL << "user data was null?";
+            return NGHTTP2_ERR_CALLBACK_FAILURE;
+        }
+        auto stream = userPtrToSelf(userData).streams.find(streamId);
+        if (stream == userPtrToSelf(userData).streams.end())
+        {
+            return -1;
+        }
+
+        userPtrToSelf(userData).streams.erase(streamId);
+        return 0;
+    }
+
+    int onHeaderCallback(const nghttp2_frame& frame,
+                         std::span<const uint8_t> name,
+                         std::span<const uint8_t> value)
+    {
+        // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
+        std::string_view nameSv(reinterpret_cast<const char*>(name.data()),
+                                name.size());
+        // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
+        std::string_view valueSv(reinterpret_cast<const char*>(value.data()),
+                                 value.size());
+
+        BMCWEB_LOG_DEBUG << "on_header_callback name: " << nameSv << " value "
+                         << valueSv;
+
+        switch (frame.hd.type)
+        {
+            case NGHTTP2_HEADERS:
+                if (frame.headers.cat != NGHTTP2_HCAT_REQUEST)
+                {
+                    break;
+                }
+                auto thisStream = streams.find(frame.hd.stream_id);
+                if (thisStream == streams.end())
+                {
+                    BMCWEB_LOG_ERROR << "Unknown stream" << frame.hd.stream_id;
+                    close();
+                    return -1;
+                }
+
+                crow::Request& thisReq = thisStream->second->req;
+
+                if (nameSv == ":path")
+                {
+                    thisReq.target(valueSv);
+                }
+                else if (nameSv == ":method")
+                {
+                    boost::beast::http::verb verb =
+                        boost::beast::http::string_to_verb(valueSv);
+                    if (verb == boost::beast::http::verb::unknown)
+                    {
+                        BMCWEB_LOG_ERROR << "Unknown http verb " << valueSv;
+                        close();
+                        return -1;
+                    }
+                    thisReq.req.method(verb);
+                }
+                else if (nameSv == ":scheme")
+                {
+                    // Nothing to check on scheme
+                }
+                else
+                {
+                    thisReq.req.set(nameSv, valueSv);
+                }
+                break;
+        }
+        return 0;
+    }
+
+    static int onHeaderCallbackStatic(nghttp2_session* /* session */,
+                                      const nghttp2_frame* frame,
+                                      const uint8_t* name, size_t namelen,
+                                      const uint8_t* value, size_t vallen,
+                                      uint8_t /* flags */, void* userData)
+    {
+        if (userData == nullptr)
+        {
+            BMCWEB_LOG_CRITICAL << "user data was null?";
+            return NGHTTP2_ERR_CALLBACK_FAILURE;
+        }
+        if (frame == nullptr)
+        {
+            BMCWEB_LOG_CRITICAL << "frame was null?";
+            return NGHTTP2_ERR_CALLBACK_FAILURE;
+        }
+        if (name == nullptr)
+        {
+            BMCWEB_LOG_CRITICAL << "name was null?";
+            return NGHTTP2_ERR_CALLBACK_FAILURE;
+        }
+        if (value == nullptr)
+        {
+            BMCWEB_LOG_CRITICAL << "value was null?";
+            return NGHTTP2_ERR_CALLBACK_FAILURE;
+        }
+        return userPtrToSelf(userData).onHeaderCallback(*frame, {name, namelen},
+                                                        {value, vallen});
+    }
+
+    int onBeginHeadersCallback(const nghttp2_frame& frame)
+    {
+        if (frame.hd.type == NGHTTP2_HEADERS &&
+            frame.headers.cat == NGHTTP2_HCAT_REQUEST)
+        {
+            BMCWEB_LOG_DEBUG << "create stream for id " << frame.hd.stream_id;
+
+            std::pair<boost::container::flat_map<
+                          int32_t, std::unique_ptr<Http2StreamData>>::iterator,
+                      bool>
+                stream = streams.emplace(frame.hd.stream_id,
+                                         std::make_unique<Http2StreamData>());
+            // http2 is by definition always tls
+            stream.first->second->req.isSecure = true;
+        }
+        return 0;
+    }
+
+    static int onBeginHeadersCallbackStatic(nghttp2_session* /* session */,
+                                            const nghttp2_frame* frame,
+                                            void* userData)
+    {
+        BMCWEB_LOG_DEBUG << "on_begin_headers_callback";
+        if (userData == nullptr)
+        {
+            BMCWEB_LOG_CRITICAL << "user data was null?";
+            return NGHTTP2_ERR_CALLBACK_FAILURE;
+        }
+        if (frame == nullptr)
+        {
+            BMCWEB_LOG_CRITICAL << "frame was null?";
+            return NGHTTP2_ERR_CALLBACK_FAILURE;
+        }
+        return userPtrToSelf(userData).onBeginHeadersCallback(*frame);
+    }
+
+    static void afterWriteBuffer(const std::shared_ptr<self_type>& self,
+                                 const boost::system::error_code& ec,
+                                 size_t sendLength)
+    {
+        self->isWriting = false;
+        BMCWEB_LOG_DEBUG << "Sent " << sendLength;
+        if (ec)
+        {
+            self->close();
+            return;
+        }
+        self->sendBuffer.consume(sendLength);
+        self->writeBuffer();
+    }
+
+    void writeBuffer()
+    {
+        if (isWriting)
+        {
+            return;
+        }
+        if (sendBuffer.size() <= 0)
+        {
+            return;
+        }
+        isWriting = true;
+        adaptor.async_write_some(
+            sendBuffer.data(),
+            std::bind_front(afterWriteBuffer, shared_from_this()));
+    }
+
+    ssize_t onSendCallback(nghttp2_session* /*session */, const uint8_t* data,
+                           size_t length, int /* flags */)
+    {
+        BMCWEB_LOG_DEBUG << "On send callback size=" << length;
+        size_t copied = boost::asio::buffer_copy(
+            sendBuffer.prepare(length), boost::asio::buffer(data, length));
+        sendBuffer.commit(copied);
+        writeBuffer();
+        return static_cast<ssize_t>(length);
+    }
+
+    static ssize_t onSendCallbackStatic(nghttp2_session* session,
+                                        const uint8_t* data, size_t length,
+                                        int flags /* flags */, void* userData)
+    {
+        return userPtrToSelf(userData).onSendCallback(session, data, length,
+                                                      flags);
+    }
+
+    void close()
+    {
+        if constexpr (std::is_same_v<Adaptor,
+                                     boost::beast::ssl_stream<
+                                         boost::asio::ip::tcp::socket>>)
+        {
+            adaptor.next_layer().close();
+        }
+        else
+        {
+            adaptor.close();
+        }
+    }
+
+    void doRead()
+    {
+        BMCWEB_LOG_DEBUG << this << " doRead";
+        adaptor.async_read_some(
+            inBuffer.prepare(8192),
+            [this, self(shared_from_this())](
+                const boost::system::error_code& ec, size_t bytesTransferred) {
+            BMCWEB_LOG_DEBUG << this << " async_read_some " << bytesTransferred
+                             << " Bytes";
+
+            if (ec)
+            {
+                BMCWEB_LOG_ERROR << this
+                                 << " Error while reading: " << ec.message();
+                close();
+                BMCWEB_LOG_DEBUG << this << " from read(1)";
+                return;
+            }
+            inBuffer.commit(bytesTransferred);
+
+            size_t consumed = 0;
+            for (const auto bufferIt : inBuffer.data())
+            {
+                std::span<const uint8_t> bufferSpan{
+                    std::bit_cast<const uint8_t*>(bufferIt.data()),
+                    bufferIt.size()};
+                BMCWEB_LOG_DEBUG << "http2 is getting " << bufferSpan.size()
+                                 << " bytes";
+                ssize_t readLen = ngSession.memRecv(bufferSpan);
+                if (readLen <= 0)
+                {
+                    BMCWEB_LOG_ERROR << "nghttp2_session_mem_recv returned "
+                                     << readLen;
+                    close();
+                    return;
+                }
+                consumed += static_cast<size_t>(readLen);
+            }
+            inBuffer.consume(consumed);
+
+            doRead();
+            });
+    }
+
+    // A mapping from http2 stream ID to Stream Data
+    boost::container::flat_map<int32_t, std::unique_ptr<Http2StreamData>>
+        streams;
+
+    boost::beast::multi_buffer sendBuffer;
+    boost::beast::multi_buffer inBuffer;
+
+    Adaptor adaptor;
+    bool isWriting = false;
+
+    nghttp2_session ngSession;
+
+    Handler* handler;
+    std::function<std::string()>& getCachedDateStr;
+
+    using std::enable_shared_from_this<
+        HTTP2Connection<Adaptor, Handler>>::shared_from_this;
+
+    using std::enable_shared_from_this<
+        HTTP2Connection<Adaptor, Handler>>::weak_from_this;
+};
+} // namespace crow
diff --git a/http/http_connection.hpp b/http/http_connection.hpp
index 3548870..cb252f9 100644
--- a/http/http_connection.hpp
+++ b/http/http_connection.hpp
@@ -4,6 +4,7 @@
 #include "async_resp.hpp"
 #include "authentication.hpp"
 #include "complete_response_fields.hpp"
+#include "http2_connection.hpp"
 #include "http_response.hpp"
 #include "http_utility.hpp"
 #include "logging.hpp"
@@ -161,7 +162,7 @@
                 {
                     return;
                 }
-                doReadHeaders();
+                afterSslHandshake();
             });
         }
         else
@@ -170,6 +171,34 @@
         }
     }
 
+    void afterSslHandshake()
+    {
+        // If http2 is enabled, negotiate the protocol
+        if constexpr (bmcwebEnableHTTP2)
+        {
+            const unsigned char* alpn = nullptr;
+            unsigned int alpnlen = 0;
+            SSL_get0_alpn_selected(adaptor.native_handle(), &alpn, &alpnlen);
+            if (alpn != nullptr)
+            {
+                std::string_view selectedProtocol(
+                    std::bit_cast<const char*>(alpn), alpnlen);
+                BMCWEB_LOG_DEBUG << "ALPN selected protocol \""
+                                 << selectedProtocol << "\" len: " << alpnlen;
+                if (selectedProtocol == "h2")
+                {
+                    auto http2 =
+                        std::make_shared<HTTP2Connection<Adaptor, Handler>>(
+                            std::move(adaptor), handler, getCachedDateStr);
+                    http2->start();
+                    return;
+                }
+            }
+        }
+
+        doReadHeaders();
+    }
+
     void handle()
     {
         std::error_code reqEc;
diff --git a/http/http_request.hpp b/http/http_request.hpp
index 3fd9d4d..5ce434b 100644
--- a/http/http_request.hpp
+++ b/http/http_request.hpp
@@ -51,6 +51,8 @@
         }
     }
 
+    Request() = default;
+
     Request(const Request& other) = default;
     Request(Request&& other) = default;
 
diff --git a/http/nghttp2_adapters.hpp b/http/nghttp2_adapters.hpp
new file mode 100644
index 0000000..3c1f549
--- /dev/null
+++ b/http/nghttp2_adapters.hpp
@@ -0,0 +1,152 @@
+#pragma once
+
+extern "C"
+{
+#include <nghttp2/nghttp2.h>
+}
+
+#include "logging.hpp"
+
+#include <span>
+
+/* This file contains RAII compatible adapters for nghttp2 structures.  They
+ * attempt to be as close to a direct call as possible, while keeping the RAII
+ * lifetime safety for the various classes.*/
+
+struct nghttp2_session;
+
+struct nghttp2_session_callbacks
+{
+    friend nghttp2_session;
+    nghttp2_session_callbacks()
+    {
+        nghttp2_session_callbacks_new(&ptr);
+    }
+
+    ~nghttp2_session_callbacks()
+    {
+        nghttp2_session_callbacks_del(ptr);
+    }
+
+    nghttp2_session_callbacks(const nghttp2_session_callbacks&) = delete;
+    nghttp2_session_callbacks&
+        operator=(const nghttp2_session_callbacks&) = delete;
+    nghttp2_session_callbacks(nghttp2_session_callbacks&&) = delete;
+    nghttp2_session_callbacks& operator=(nghttp2_session_callbacks&&) = delete;
+
+    void setSendCallback(nghttp2_send_callback sendCallback)
+    {
+        nghttp2_session_callbacks_set_send_callback(ptr, sendCallback);
+    }
+
+    void setOnFrameRecvCallback(nghttp2_on_frame_recv_callback recvCallback)
+    {
+        nghttp2_session_callbacks_set_on_frame_recv_callback(ptr, recvCallback);
+    }
+
+    void setOnStreamCloseCallback(nghttp2_on_stream_close_callback onClose)
+    {
+        nghttp2_session_callbacks_set_on_stream_close_callback(ptr, onClose);
+    }
+
+    void setOnHeaderCallback(nghttp2_on_header_callback onHeader)
+    {
+        nghttp2_session_callbacks_set_on_header_callback(ptr, onHeader);
+    }
+
+    void setOnBeginHeadersCallback(
+        nghttp2_on_begin_headers_callback onBeginHeaders)
+    {
+        nghttp2_session_callbacks_set_on_begin_headers_callback(ptr,
+                                                                onBeginHeaders);
+    }
+
+    void setSendDataCallback(nghttp2_send_data_callback onSendData)
+    {
+        nghttp2_session_callbacks_set_send_data_callback(ptr, onSendData);
+    }
+    void setBeforeFrameSendCallback(
+        nghttp2_before_frame_send_callback beforeSendFrame)
+    {
+        nghttp2_session_callbacks_set_before_frame_send_callback(
+            ptr, beforeSendFrame);
+    }
+    void
+        setAfterFrameSendCallback(nghttp2_on_frame_send_callback afterSendFrame)
+    {
+        nghttp2_session_callbacks_set_on_frame_send_callback(ptr,
+                                                             afterSendFrame);
+    }
+    void setAfterFrameNoSendCallback(
+        nghttp2_on_frame_not_send_callback afterSendFrame)
+    {
+        nghttp2_session_callbacks_set_on_frame_not_send_callback(
+            ptr, afterSendFrame);
+    }
+
+  private:
+    nghttp2_session_callbacks* get()
+    {
+        return ptr;
+    }
+
+    nghttp2_session_callbacks* ptr = nullptr;
+};
+
+struct nghttp2_session
+{
+    explicit nghttp2_session(nghttp2_session_callbacks& callbacks)
+    {
+        if (nghttp2_session_server_new(&ptr, callbacks.get(), nullptr) != 0)
+        {
+            BMCWEB_LOG_ERROR << "nghttp2_session_server_new failed";
+            return;
+        }
+    }
+
+    ~nghttp2_session()
+    {
+        nghttp2_session_del(ptr);
+    }
+
+    // explicitly uncopyable
+    nghttp2_session(const nghttp2_session&) = delete;
+    nghttp2_session& operator=(const nghttp2_session&) = delete;
+
+    nghttp2_session(nghttp2_session&& other) noexcept : ptr(other.ptr)
+    {
+        other.ptr = nullptr;
+    }
+
+    nghttp2_session& operator=(nghttp2_session&& other) noexcept = delete;
+
+    int submitSettings(std::span<nghttp2_settings_entry> iv)
+    {
+        return nghttp2_submit_settings(ptr, NGHTTP2_FLAG_NONE, iv.data(),
+                                       iv.size());
+    }
+    void setUserData(void* object)
+    {
+        nghttp2_session_set_user_data(ptr, object);
+    }
+
+    ssize_t memRecv(std::span<const uint8_t> buffer)
+    {
+        return nghttp2_session_mem_recv(ptr, buffer.data(), buffer.size());
+    }
+
+    ssize_t send()
+    {
+        return nghttp2_session_send(ptr);
+    }
+
+    int submitResponse(int32_t streamId, std::span<const nghttp2_nv> headers,
+                       const nghttp2_data_provider* dataPrd)
+    {
+        return nghttp2_submit_response(ptr, streamId, headers.data(),
+                                       headers.size(), dataPrd);
+    }
+
+  private:
+    nghttp2_session* ptr = nullptr;
+};
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index db61db9..0794fdc 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -3,6 +3,10 @@
 #include "logging.hpp"
 #include "random.hpp"
 
+extern "C"
+{
+#include <nghttp2/nghttp2.h>
+}
 #include <openssl/bio.h>
 #include <openssl/dh.h>
 #include <openssl/dsa.h>
@@ -423,6 +427,36 @@
     }
 }
 
+inline int nextProtoCallback(SSL* /*unused*/, const unsigned char** data,
+                             unsigned int* len, void* /*unused*/)
+{
+    // First byte is the length.
+    constexpr std::string_view h2 = "\x02h2";
+    *data = std::bit_cast<const unsigned char*>(h2.data());
+    *len = static_cast<unsigned int>(h2.size());
+    return SSL_TLSEXT_ERR_OK;
+}
+
+inline int alpnSelectProtoCallback(SSL* /*unused*/, const unsigned char** out,
+                                   unsigned char* outlen,
+                                   const unsigned char* in, unsigned int inlen,
+                                   void* /*unused*/)
+{
+    // There's a mismatch in constness for nghttp2_select_next_protocol.  The
+    // examples in nghttp2 don't show this problem.  Unclear what the right fix
+    // is here.
+
+    // NOLINTNEXTLINE(cppcoreguidelines-pro-type-const-cast)
+    unsigned char** outNew = const_cast<unsigned char**>(out);
+    int rv = nghttp2_select_next_protocol(outNew, outlen, in, inlen);
+    if (rv != 1)
+    {
+        return SSL_TLSEXT_ERR_NOACK;
+    }
+
+    return SSL_TLSEXT_ERR_OK;
+}
+
 inline std::shared_ptr<boost::asio::ssl::context>
     getSslContext(const std::string& sslPemFile)
 {
@@ -450,6 +484,14 @@
     mSslContext->use_private_key_file(sslPemFile,
                                       boost::asio::ssl::context::pem);
 
+    if constexpr (bmcwebEnableHTTP2)
+    {
+        SSL_CTX_set_next_protos_advertised_cb(mSslContext->native_handle(),
+                                              nextProtoCallback, nullptr);
+
+        SSL_CTX_set_alpn_select_cb(mSslContext->native_handle(),
+                                   alpnSelectProtoCallback, nullptr);
+    }
     // Set up EC curves to auto (boost asio doesn't have a method for this)
     // There is a pull request to add this.  Once this is included in an asio
     // drop, use the right way
diff --git a/meson.build b/meson.build
index f9d2825..7bc594b 100644
--- a/meson.build
+++ b/meson.build
@@ -259,6 +259,19 @@
 openssl = dependency('openssl', required : true)
 bmcweb_dependencies += [pam, atomic, openssl]
 
+nghttp2 = dependency('libnghttp2', version: '>=1.52.0', required : false)
+if not nghttp2.found()
+  cmake = import('cmake')
+  opt_var = cmake.subproject_options()
+  opt_var.add_cmake_defines({
+    'ENABLE_LIB_ONLY': true,
+    'ENABLE_STATIC_LIB': true
+  })
+  nghttp2_ex = cmake.subproject('nghttp2', options: opt_var)
+  nghttp2 = nghttp2_ex.dependency('nghttp2')
+endif
+bmcweb_dependencies += nghttp2
+
 sdbusplus = dependency('sdbusplus', required : false, include_type: 'system')
 if not sdbusplus.found()
   sdbusplus_proj = subproject('sdbusplus', required: true)
diff --git a/meson_options.txt b/meson_options.txt
index dbfa00d..017c16b 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -281,6 +281,15 @@
     production environment, or where API stability is required.'''
 )
 
+option(
+    'experimental-http2',
+    type: 'feature',
+    value: 'disabled',
+    description: '''Enable HTTP/2 protocol support using nghttp2.  Do not rely
+                    on this option for any production systems.  It may have
+                    behavior changes or be removed at any time.'''
+)
+
 # Insecure options. Every option that starts with a `insecure` flag should
 # not be enabled by default for any platform, unless the author fully comprehends
 # the implications of doing so.In general, enabling these options will cause security
diff --git a/subprojects/nghttp2.wrap b/subprojects/nghttp2.wrap
new file mode 100644
index 0000000..48290c4
--- /dev/null
+++ b/subprojects/nghttp2.wrap
@@ -0,0 +1,5 @@
+[wrap-file]
+directory = nghttp2-1.54.0
+source_url = https://github.com/nghttp2/nghttp2/releases/download/v1.54.0/nghttp2-1.54.0.tar.xz
+source_filename = nghttp2-1.54.0.tar.xz
+source_hash = 20533c9354fbb6aa689b6aa0ddb77f91da1d242587444502832e1864308152df