Squashed 'src/deps/src/lua-resty-openssl/' changes from 7f25f00ba..58c6ce688

58c6ce688 release: 1.2.1
786e652f2 chore(tests) bump openresty to 1.25.3
90b0a47df fix(aux/nginx) support openresty 1.25.3 in FFI path
beb24ca91 chore(deps): bump jinja2 from 2.11.3 to 3.1.3 in /scripts
68eab3ab8 doc(readme) clarify pkey:verify behaviour on different openssl versions

git-subtree-dir: src/deps/src/lua-resty-openssl
git-subtree-split: 58c6ce6885556ed7cb85dde83d673fad05ba73aa

.github/workflows/tests.yml

@@ -28,11 +28,6 @@ jobs:
         include:
         # TODO: arm64
         # latest and one version older for valgrind and perf test
-        - nginx: "1.19.9"
-          openssl: "1.1.1w"
-          extras: "valgrind"
-          lua_nginx_module: "v0.10.20"
-          lua_resty_core: "v0.1.22"
         - nginx: "1.19.9"
           openssl: "3.1.4"
           openssl_fips: "3.0.8"
@@ -41,30 +36,37 @@ jobs:
           lua_resty_core: "v0.1.22"
           nginx_cc_opts: "-Wno-error"
         - nginx: "1.21.4"
-          openssl: "1.1.1w"
-          extras: "valgrind perf"
+          openssl: "3.1.4"
+          openssl_fips: "3.0.8"
+          extras: "valgrind"
           lua_nginx_module: "v0.10.25"
           lua_resty_core: "v0.1.27"
-        - nginx: "1.21.4"
+          nginx_cc_opts: "-Wno-error"
+        - nginx: "1.25.3"
+          openssl: "1.1.1w"
+          extras: "valgrind perf"
+          lua_nginx_module: "v0.10.26"
+          lua_resty_core: "v0.1.28"
+        - nginx: "1.25.3"
           openssl: "3.0.12"
           openssl_fips: "3.0.8"
           extras: "valgrind perf"
-          lua_nginx_module: "v0.10.25"
-          lua_resty_core: "v0.1.27"
+          lua_nginx_module: "v0.10.26"
+          lua_resty_core: "v0.1.28"
           nginx_cc_opts: "-Wno-error"
-        - nginx: "1.21.4"
+        - nginx: "1.25.3"
           openssl: "3.1.4"
           openssl_fips: "3.0.8"
           extras: "valgrind perf"
-          lua_nginx_module: "v0.10.25"
-          lua_resty_core: "v0.1.27"
+          lua_nginx_module: "v0.10.26"
+          lua_resty_core: "v0.1.28"
           nginx_cc_opts: "-Wno-error"
-        - nginx: "1.21.4"
+        - nginx: "1.25.3"
           openssl: "3.2.0"
           openssl_fips: "3.0.8"
           extras: "valgrind perf"
-          lua_nginx_module: "v0.10.25"
-          lua_resty_core: "v0.1.27"
+          lua_nginx_module: "v0.10.26"
+          lua_resty_core: "v0.1.28"
           nginx_cc_opts: "-Wno-error"
 
     env:

CHANGELOG.md

@@ -2,6 +2,12 @@
 ## [Unreleased]
 
 
+<a name="1.2.1"></a>
+## [1.2.1] - 2024-02-27
+### bug fixes
+- **aux/nginx:** support openresty 1.25.3 in FFI path [90b0a47](https://github.com/fffonion/lua-resty-openssl/commit/90b0a47df499b1def08a07a5183ebf6bad8c6095)
+
+
 <a name="1.2.0"></a>
 ## [1.2.0] - 2023-12-28
 ### bug fixes
@@ -482,8 +488,8 @@
 - **autogen:** generate tests for x509, csr and crl [1392428](https://github.com/fffonion/lua-resty-openssl/commit/1392428352164d2a1a6e0c03075ff65b55aecdee)
 - **objects:** add helper function for ASN1_OBJECT [d037706](https://github.com/fffonion/lua-resty-openssl/commit/d037706c11d716afe3616bdaf4658afc1763081d)
 - **pkey:** asymmetric encryption and decryption [6d60451](https://github.com/fffonion/lua-resty-openssl/commit/6d60451157edbf9cefb634f888dfa3e6d9be302f)
-- **x509:** add get_ocsp_url and get_crl_url [6141b6f](https://github.com/fffonion/lua-resty-openssl/commit/6141b6f5aed38706b477a71d8c4383bf55da7eee)
 - **x509:** getter/setters for extensions [243f40d](https://github.com/fffonion/lua-resty-openssl/commit/243f40d35562a516f404188a5c7eb8f5134d9b30)
+- **x509:** add get_ocsp_url and get_crl_url [6141b6f](https://github.com/fffonion/lua-resty-openssl/commit/6141b6f5aed38706b477a71d8c4383bf55da7eee)
 - **x509.altname:** support iterate and decode over the stack [083a201](https://github.com/fffonion/lua-resty-openssl/commit/083a201746e02d51f6c5c640ad9bf8c6730ebe0b)
 - **x509.crl:** add crl module [242f8cb](https://github.com/fffonion/lua-resty-openssl/commit/242f8cb45d6c2df5918f26540c92a430d42feb5d)
 - **x509.csr:** autogen some csr functions as well [9800e36](https://github.com/fffonion/lua-resty-openssl/commit/9800e36c2ff8a299b88f24091cc722940a8652bb)
@@ -571,7 +577,8 @@
 - **x509:** export pubkey [ede4f81](https://github.com/fffonion/lua-resty-openssl/commit/ede4f817cb0fe092ad6f9ab5d6ecdcde864a9fd8)
 
 
-[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.2.0...HEAD
+[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/1.2.1...HEAD
+[1.2.1]: https://github.com/fffonion/lua-resty-openssl/compare/1.2.0...1.2.1
 [1.2.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.1.0...1.2.0
 [1.1.0]: https://github.com/fffonion/lua-resty-openssl/compare/1.0.2...1.1.0
 [1.0.2]: https://github.com/fffonion/lua-resty-openssl/compare/1.0.1...1.0.2

README.md

@@ -1206,7 +1206,8 @@ pk:sign(message, nil, nil, {
 Verify a signture (which can be the string returned by [pkey:sign](#pkey-sign)). The second
 argument must be a [resty.openssl.digest](#restyopenssldigest) instance that uses
 the same digest algorithm as used in `sign` or a string. `ok` returns `true` if verficiation is
-successful and `false` otherwise. Note when verfication failed `err` will not be set.
+successful and `false` otherwise. Note when verfication failed `err` will not be set when used
+with OpenSSL 1.1.1 or lower.
 
 When passing [digest](#restyopenssldigest) instances as second parameter, it should not
 have been called [final()](#digestfinal), user should only use [update()](#digestupdate).

lib/resty/openssl.lua

@@ -24,7 +24,7 @@ try_require_modules()
 
 
 local _M = {
-  _VERSION = '1.2.0',
+  _VERSION = '1.2.1',
 }
 
 function _M.load_modules()

lib/resty/openssl/auxiliary/nginx.lua

@@ -40,17 +40,14 @@ else
   ]]
 
   local ngx_version = ngx.config.nginx_version
+  local ngx_configure = ngx.config.nginx_configure()
+  local ngx_has_http_v3 = ngx_configure and ngx_configure:find("--with-http_v3_module", 1, true)
+  -- https://github.com/nginx/nginx/blob/master/src/core/ngx_connection.h
   if ngx_version == 1017008 or ngx_version == 1019003 or ngx_version == 1019009 
-    or ngx_version == 1021004 then
-    -- 1.17.8, 1.19.3, 1.19.9, 1.21.4
-    -- https://github.com/nginx/nginx/blob/master/src/core/ngx_connection.h
+    or ngx_version == 1021004 or (not ngx_has_http_v3 and ngx_version == 1025003) then
+    -- 1.17.8, 1.19.3, 1.19.9, 1.21.4, 1.25.3
     ffi.cdef [[
-    typedef struct {
-      ngx_str_t           src_addr;
-      ngx_str_t           dst_addr;
-      in_port_t           src_port;
-      in_port_t           dst_port;
-    } ngx_proxy_protocol_t;
+    typedef struct ngx_proxy_protocol_s ngx_proxy_protocol_t;
 
     typedef struct {
       void               *data;
@@ -85,6 +82,48 @@ else
       // trimmed
     } ngx_connection_s;
   ]]
+  elseif ngx_has_http_v3 and ngx_version == 1025003 then
+    -- 1.25.3
+    ffi.cdef [[
+    typedef struct ngx_proxy_protocol_s ngx_proxy_protocol_t;
+    typedef struct ngx_quic_stream_s ngx_quic_stream_t;
+
+    typedef struct {
+      void               *data;
+      void               *read;
+      void               *write;
+
+      int                 fd;
+
+      ngx_recv_pt         recv;
+      ngx_send_pt         send;
+      ngx_recv_chain_pt   recv_chain;
+      ngx_send_chain_pt   send_chain;
+
+      void               *listening;
+
+      off_t               sent;
+
+      void               *log;
+
+      void               *pool;
+
+      int                 type;
+
+      void                *sockaddr;
+      socklen_t           socklen;
+      ngx_str_t           addr_text;
+
+      // https://github.com/nginx/nginx/commit/be932e81a1531a3ba032febad968fc2006c4fa48
+      ngx_proxy_protocol_t  *proxy_protocol;
+
+      // https://github.com/nginx/nginx/commit/b813b9ec358862a2a94868bc057420d6eca5c05d
+      ngx_quic_stream_t     *quic;
+
+      ngx_ssl_connection_s  *ssl;
+      // trimmed
+    } ngx_connection_s;
+    ]]
   else
     error("resty.openssl.auxiliary.nginx doesn't support Nginx version " .. ngx_version, 2)
   end
@@ -214,7 +253,7 @@ else
         ngx.config.ngx_lua_version and
         ngx.config.ngx_lua_version
 
-  if ngx_lua_version >= 10019 and ngx_lua_version <= 10025 then
+  if ngx_lua_version >= 10019 and ngx_lua_version <= 10026 then
     -- https://github.com/openresty/lua-nginx-module/blob/master/src/ngx_http_lua_socket_tcp.h
     ffi.cdef[[
       typedef struct {

lua-resty-openssl-1.2.1-1.rockspec

@@ -1,8 +1,8 @@
 package = "lua-resty-openssl"
-version = "1.2.0-1"
+version = "1.2.1-1"
 source = {
    url = "git+https://github.com/fffonion/lua-resty-openssl.git",
-   tag = "1.2.0"
+   tag = "1.2.1"
 }
 description = {
    detailed = "FFI-based OpenSSL binding for LuaJIT.",

scripts/requirements.txt

@@ -1 +1 @@
-jinja2==2.11.3
+jinja2==3.1.3

t/openssl/ssl/ssl_client.t

@@ -140,6 +140,7 @@ CN=test.com
         listen unix:/tmp/nginx-c4.sock ssl;
         server_name   test.com;
         ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
+        ssl_protocols TLSv1.2;
     }
 --- config
     location /t {

t/openssl/ssl/ssl_ctx_server.t

@@ -61,6 +61,7 @@ __DATA__
 --- http_config
     server {
         listen unix:/tmp/nginx-sctx1.sock ssl;
+        ssl_protocols TLSv1.2;
         server_name   test.com;
 
         ssl_certificate_by_lua_block {

t/openssl/ssl/ssl_server.t

@@ -149,6 +149,7 @@ CN=test.com
     server {
         listen unix:/tmp/nginx-s3.sock ssl;
         server_name   test.com;
+        ssl_protocols TLSv1.2;
         ssl_ciphers ECDHE-RSA-AES128-SHA;
 
         ssl_certificate_by_lua_block {
@@ -196,6 +197,7 @@ ECDHE-RSA-AES256-SHA$
     server {
         listen unix:/tmp/nginx-s4.sock ssl;
         server_name   test.com;
+        ssl_protocols TLSv1.2;
         ssl_ciphers ECDHE-RSA-AES128-SHA;
 
         location /t {