Update lua-resty-openssl to version 0.8.23

This commit is contained in:
Théophile Diot 2023-06-28 11:35:25 -04:00
parent dd295729bb
commit deed39a1fb
No known key found for this signature in database
GPG Key ID: E752C80DB72BB014
19 changed files with 449 additions and 43 deletions


@ -254,13 +254,13 @@ git_secure_clone "https://github.com/bungle/lua-resty-template.git" "c08c6bc9e27
echo " Downloading lua-resty-lock"
git_secure_clone "https://github.com/openresty/lua-resty-lock.git" "9dc550e56b6f3b1a2f1a31bb270a91813b5b6861"
# lua-resty-openssl v0.8.22
# lua-resty-openssl v0.8.23
echo " Downloading lua-resty-openssl"
dopatch="no"
if [ ! -d "deps/src/lua-resty-openssl" ] ; then
dopatch="yes"
fi
git_secure_clone "https://github.com/fffonion/lua-resty-openssl.git" "484907935e60273d31626ac849b23a2d218173de"
git_secure_clone "https://github.com/fffonion/lua-resty-openssl.git" "b23c072a405b749ac60d21e3946cbf57a959b780"
if [ "$dopatch" == "yes" ] ; then
do_and_check_cmd rm -r deps/src/lua-resty-openssl/t
fi


@ -23,47 +23,48 @@ jobs:
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
include:
# TODO: arm64
# latest and one version older for valgrind
# latest and one version older for valgrind and perf test
- nginx: "1.19.9"
openssl: "1.0.2u"
valgrind: "valgrind"
extras: "valgrind"
lua_nginx_module: "v0.10.20"
lua_resty_core: "v0.1.22"
- nginx: "1.19.9"
openssl: "1.1.1s"
valgrind: "valgrind"
openssl: "1.1.1t"
extras: "valgrind"
lua_nginx_module: "v0.10.20"
lua_resty_core: "v0.1.22"
- nginx: "1.19.9"
openssl: "3.0.8"
valgrind: "valgrind"
extras: "valgrind"
openssl_opts: "enable-fips"
lua_nginx_module: "v0.10.20"
lua_resty_core: "v0.1.22"
nginx_cc_opts: "-Wno-error"
- nginx: "1.21.4"
openssl: "1.0.2u"
valgrind: "valgrind"
extras: "valgrind"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
- nginx: "1.21.4"
openssl: "1.1.1s"
valgrind: "valgrind"
openssl: "1.1.1t"
extras: "valgrind perf"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
- nginx: "1.21.4"
openssl: "3.0.8"
valgrind: "valgrind"
extras: "valgrind perf"
openssl_opts: "enable-fips"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
nginx_cc_opts: "-Wno-error"
- nginx: "1.21.4"
openssl: "3.1.0-beta1"
valgrind: "valgrind"
openssl: "3.1.0"
extras: "valgrind perf"
openssl_opts: "enable-fips"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
@ -78,17 +79,17 @@ jobs:
openssl: "1.0.2u"
fips2: "2.0.16"
openssl_opts: "fips --with-fipsdir=/home/runner/work/cache/ssl/fips"
valgrind: "valgrind"
extras: "valgrind"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
- nginx: "1.21.4"
boringssl: "ae223d6138807a13006342edfeef32e813246b39" # fips-20190808
valgrind: "valgrind"
extras: "valgrind perf"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
- nginx: "1.21.4"
boringssl: "853ca1ea1168dff08011e5d42d94609cc0ca2e27" # fips-20210429, not active yet
valgrind: "valgrind"
extras: "valgrind perf"
lua_nginx_module: "v0.10.21"
lua_resty_core: "v0.1.23"
@ -204,7 +205,7 @@ jobs:
env:
LUAJIT_CC_OPTS: ${{ matrix.luajit_cc_opts }}
run: |
if [ "X${{ matrix.valgrind }}" != "X" ]; then LUAJIT_CC_OPTS="$LUAJIT_CC_OPTS -DLUAJIT_NUMMODE=2 -DLUAJIT_${{ matrix.valgrind }} -DLUAJIT_USE_SYSMALLOC -O0"; fi
if [[ "${{ matrix.extras }}" == *valgrind* ]]; then LUAJIT_CC_OPTS="$LUAJIT_CC_OPTS -DLUAJIT_NUMMODE=2 -DLUAJIT_USE_SYSMALLOC -O0"; fi
export
cd $LUAJIT_PREFIX
if [ ! -e luajit2 ]; then git clone -b v2.1-agentzh https://github.com/openresty/luajit2.git; fi
@ -221,7 +222,7 @@ jobs:
env:
NGINX_CC_OPTS: ${{ matrix.nginx_cc_opts }}
run: |
if [ "X${{ matrix.valgrind }}" != "X" ]; then NGINX_CC_OPTS="$NGINX_CC_OPTS -O0"; fi
if [[ "${{ matrix.extras }}" == *valgrind* ]]; then NGINX_CC_OPTS="$NGINX_CC_OPTS -O0"; fi
export PATH=$BASE_PATH/work/nginx/sbin:$BASE_PATH/../nginx-devel-utils:$PATH
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
export NGX_LUA_LOC=$BASE_PATH/../lua-nginx-module
@ -232,6 +233,20 @@ jobs:
nginx -V
ldd `which nginx`|grep -E 'luajit|ssl|pcre'
- name: Run performance test
if: contains(matrix.extras, 'perf')
run: |
wget https://github.com/openresty/resty-cli/raw/master/bin/resty
chmod +x resty
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
export PATH=$BASE_PATH/work/nginx/sbin:$PATH
for f in $(find examples/perf -type f -name "test_*" | sort); do
./resty --no-stream -I lib $f
echo '================================================================'
done
- name: Run Test
run: |
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
@ -243,7 +258,7 @@ jobs:
TEST_NGINX_TIMEOUT=10 prove -j$JOBS t/openssl/ssl/ 2>&1
- name: Run Valgrind
if: matrix.valgrind != ''
if: contains(matrix.extras, 'valgrind')
run: |
export LD_LIBRARY_PATH=$LUAJIT_LIB:$LD_LIBRARY_PATH
export TEST_NGINX_VALGRIND='--num-callers=100 -q --tool=memcheck --leak-check=full --show-possibly-lost=no --gen-suppressions=all --suppressions=valgrind.suppress --track-origins=yes' TEST_NGINX_TIMEOUT=60 TEST_NGINX_SLEEP=1
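Review bot: The "Run performance test" step in the fourth hunk fetches `bin/resty` from the moving `master` branch of openresty/resty-cli with `wget` and then executes it, so the tool that runs in CI changes whenever that branch moves and cannot be reviewed or reproduced from this repository. Pin the download to a tag or commit and check it against a known digest before `chmod +x`, e.g. `wget https://github.com/openresty/resty-cli/raw/<PINNED_REF>/bin/resty` followed by `echo "<EXPECTED_SHA256>  resty" | sha256sum -c -` (both values are placeholders to fill in). The perf loop also runs only when `matrix.extras` contains `perf`, which the `if:` line handles, but a short comment above the step saying that resty-cli is required because these scripts run outside nginx would explain the download to the next reader.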


@ -2,6 +2,15 @@
## [Unreleased]
<a name="0.8.23"></a>
## [0.8.23] - 2023-06-20
### bug fixes
- **\*:** fix typos and add error check for new_of/dup_of ([#2](https://github.com/fffonion/lua-resty-openssl/issues/2)) [aa6ad47](https://github.com/fffonion/lua-resty-openssl/commit/aa6ad4707845cca9c46282a1550bb9fee7d48698)
### features
- **tests:** add performance test ([#112](https://github.com/fffonion/lua-resty-openssl/issues/112)) [100b4e4](https://github.com/fffonion/lua-resty-openssl/commit/100b4e43843a597327be6e5356c64b5ce621fa56)
<a name="0.8.22"></a>
## [0.8.22] - 2023-04-26
### bug fixes
@ -497,7 +506,8 @@
- **x509:** export pubkey [ede4f81](https://github.com/fffonion/lua-resty-openssl/commit/ede4f817cb0fe092ad6f9ab5d6ecdcde864a9fd8)
[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.22...HEAD
[Unreleased]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.23...HEAD
[0.8.23]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.22...0.8.23
[0.8.22]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.21...0.8.22
[0.8.21]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.20...0.8.21
[0.8.20]: https://github.com/fffonion/lua-resty-openssl/compare/0.8.19...0.8.20


@ -248,6 +248,7 @@ Table of Contents
+ [store:set_depth](#storeset_depth)
+ [store:set_flags](#storeset_flags)
+ [store:verify](#storeverify)
+ [store:check_revocation](#storecheck_revocation)
* [resty.openssl.x509.revoked](#restyopensslx509revoked)
+ [revoked.new](#revokednew)
+ [revoked.istype](#revokedistype)
@ -294,7 +295,7 @@ Description
===========
`lua-resty-openssl` is a FFI-based OpenSSL binding library, currently
supports OpenSSL `3.0.0`, `1.1.1`, `1.1.0` and `1.0.2` series.
supports OpenSSL `3.1.x`, `3.0.x`, `1.1.1`, `1.1.0` and `1.0.2` series.
**Note: when using with OpenSSL 1.0.2, it's recommanded to not use this library with other FFI-based OpenSSL binding libraries to avoid potential mismatch of `cdef`.**
@ -411,13 +412,13 @@ lua-resty-openssl supports following modes:
Compile the module per [security policy](https://www.openssl.org/docs/fips/SecurityPolicy-2.0.2.pdf),
**OpenSSL 3.0.0 fips provider (haven't certified)**
**OpenSSL 3.0.0 fips provider **
Refer to https://wiki.openssl.org/index.php/OpenSSL_3.0 Section 7
Compile the provider per guide, install the fipsmodule.cnf that
matches hash of FIPS provider fips.so.
On OpenSSL 3.0, this function also turns on and off default
On OpenSSL 3.0 or later, this function also turns on and off default
properties for EVP functions. When turned on, all applications using
EVP_* API will be redirected to FIPS-compliant implementations and
have no access to non-FIPS-compliant algorithms.
@ -510,7 +511,7 @@ A module to provide OSSL_LIB_CTX context switches.
OSSL_LIB_CTX is an internal OpenSSL library context type. Applications may allocate their own, but may also use NULL to use a default context with functions that take an OSSL_LIB_CTX argument.
See [OSSL_LIB_CTX.3](#https://www.openssl.org/docs/manmaster/man3/OSSL_LIB_CTX.html) for deeper
reading. It can be used to replace `ENGINE` in prior 3.0 world.
reading.
The context is currently effective following modules:
@ -524,7 +525,7 @@ The context is currently effective following modules:
- [rand](#restyopensslrand)
- [x509](#restyopensslx509), [x509.csr](#restyopensslx509csr), [x509.crl](#restyopensslx509crl) and some [x509.store](#restyopensslx509store) functions
This module is only available on OpenSSL 3.0.
This module is only available on OpenSSL 3.0 or later.
[Back to TOC](#table-of-contents)
@ -634,7 +635,7 @@ for explanation of each type.
```lua
local version = require("resty.openssl.version")
ngx.say(version.version(version.INFO_DSO_EXTENSION))
ngx.say(version.info(version.INFO_DSO_EXTENSION))
-- outputs ".so"
```
@ -646,7 +647,7 @@ A boolean indicates whether the linked OpenSSL is 3.x series.
[Back to TOC](#table-of-contents)
### version.OPENSSL_3X
### version.OPENSSL_30
Deprecated: use `version.OPENSSL_3X` is encouraged.
@ -3813,12 +3814,16 @@ to explictly select provider to fetch algorithms.
### store:add
**syntax**: *ok, err = store:add(x509_or_crl)*
**syntax**: *ok, err = store:add(x509_or_crl, skip_set_crl_check_flags?)*
Adds a X.509 or a CRL object into store.
The argument must be a [resty.openssl.x509](#restyopensslx509) instance or a
[resty.openssl.x509.crl](#restyopensslx509crl) instance.
By default, adding a CRL object will automatically set the flag to store
`X509_V_FLAG_CRL_CHECK`. Setting the second optional argument to `true` will
skip settting the flags.
[Back to TOC](#table-of-contents)
### store:load_file
@ -3947,6 +3952,25 @@ for all available flags.
[Back to TOC](#table-of-contents)
### store:check_revocation
**syntax**: *ok, err = store:check_revocation(verified_chain, properties?)*
Only does the revocation check. The first argument `verified_chain` must be a
[resty.openssl.x509.chain](#restyopensslx509chain) instance which could be returned from
`store_ctx:verify` or be built by yourself. Note the first cert needs to be the end entity
certificate you want to check and the second cert needs to be its issuer.
Staring from OpenSSL 3.0, this function accepts an optional `properties` parameter
to explictly select provider to fetch algorithms.
Returns `true` when the certificate isn't revoked,
otherwise returns `nil` and error explaining the reason.
Note this function is supported from OpenSSL 1.1.0 and not supported in BoringSSL.
[Back to TOC](#table-of-contents)
## resty.openssl.x509.revoked
Module to interact with X509_REVOKED.


@ -0,0 +1,93 @@
local ffi = require "ffi"
local C = ffi.C
local ITER = 2000
local get_duration
do
ffi.cdef [[
typedef long time_t;
typedef int clockid_t;
typedef struct timespec {
time_t tv_sec; /* seconds */
long tv_nsec; /* nanoseconds */
} nanotime;
int clock_gettime(clockid_t clk_id, struct timespec *tp);
]]
local time_ns
do
local nanop = ffi.new("nanotime[1]")
function time_ns()
-- CLOCK_REALTIME -> 0
C.clock_gettime(0, nanop)
local t = nanop[0]
return tonumber(t.tv_sec) * 1e9 + tonumber(t.tv_nsec)
end
end
local last = 0
get_duration = function()
local n = time_ns()
local d = n - last
last = n
return d
end
end
local function hmt(t)
if t > 1e9 * 0.01 then
return string.format("%.3f s", t/1e9)
elseif t > 1e6 * 0.01 then
return string.format("%.3f ms", t/1e6)
else
return string.format("%d ns", t)
end
end
-- return sum, avg, max
local function stat(t)
if not t then
return 0, 0, 0
end
local v = 0
local max = 0
for _, i in ipairs(t) do
v = v + i
if i > max then
max = i
end
end
return v, v/#t, max
end
local function test(desc, r, iter)
print("RUNNING " .. ITER .. " ITERATIONS FOR " .. desc)
local data = table.new(ITER, 0)
for i=1, ITER do
get_duration()
local ok, err = r()
data[i] = get_duration()
assert(ok, err)
end
local sum, avg, max = stat(data)
print(string.format("FINISHED in\t%s (%d op/s)\nAVG\t%s\tMAX\t%s", hmt(sum), 1e9/avg, hmt(avg), hmt(max)))
print(string.rep("-", 64))
end
local function set_iteration(i)
ITER = i
end
print("LOADING TEST FROM " .. arg[0])
print(string.rep("=", 64))
return {
test = test,
set_iteration = set_iteration,
}
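Review bot: `time_ns` samples clock id 0, which the comment identifies as `CLOCK_REALTIME`, so every duration returned by `get_duration` is a wall-clock difference and any NTP step or manual clock change during a run lands directly in the measured time; benchmark timing should use the monotonic clock, i.e. `-- CLOCK_MONOTONIC -> 1` and `C.clock_gettime(1, nanop)` on Linux. The `typedef long time_t;` in the cdef matches the LP64 Linux layout of `struct timespec` but not every platform, so a comment such as `-- assumes LP64 Linux layout of struct timespec` next to it would record the assumption. `table.new` in `test` is a LuaJIT extension that only exists after `require "table.new"` has run somewhere; this file never requires it and presumably relies on the resty CLI having preloaded it, so an explicit `local new_tab = require "table.new"` at the top would let the framework run standalone. `stat` divides by `#t`, which is safe here only because `ITER` is never set to 0 — worth a one-line note on `set_iteration`.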


@ -0,0 +1,49 @@
local path = debug.getinfo(1, "S").source:sub(2):match("(.*/)")
package.path = path .. "/?.lua;" .. package.path
local test = require "framework".test
local set_iteration = require "framework".set_iteration
local cipher = require "resty.openssl.cipher"
local version = require("resty.openssl.version")
local key = string.rep("0", 32)
local iv = string.rep("0", 16)
local data = string.rep("1", 4096)
local aad = string.rep("2", 10)
set_iteration(100000)
for _, t in ipairs({"aes-256-cbc", "aes-256-gcm", "chacha20-poly1305"}) do
for _, op in ipairs({"encrypt", "decrypt"}) do
-- the fips version of boringssl we used seems don't have chacha20
if t == "chacha20-poly1305" and (not version.OPENSSL_111_OR_LATER or version.BORINGSSL) then
goto continue
end
local c = assert(cipher.new(t))
local _iv = iv
local _aad
if t == "aes-256-gcm" or t == "chacha20-poly1305" then
_iv = string.rep("0", 12)
_aad = aad
end
if op == "encrypt" then
test("encrypt with " .. t .. " on " .. #data .. " bytes", function()
return c:encrypt(key, _iv, data, false, _aad)
end)
else
local ciphertext = assert(c:encrypt(key, _iv, data, false, _aad))
local tag
if t == "aes-256-gcm" or t == "chacha20-poly1305" then
tag = assert(c:get_aead_tag())
end
test("decrypt with " .. t .. " on " .. #ciphertext .. " bytes", function()
return c:decrypt(key, _iv, ciphertext, false, _aad, tag)
end)
end
::continue::
end
end
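Review bot: The first line derives `path` with `source:sub(2):match("(.*/)")`, which returns `nil` when the script is invoked without a directory component (for example from inside the perf directory as `resty test_cipher.lua`), and the `package.path` line then dies with a nil-concatenation error instead of a clear message; a fallback such as `local path = debug.getinfo(1, "S").source:sub(2):match("(.*/)") or "./"` avoids that. Since the captured `path` already ends in `/`, `path .. "/?.lua;"` yields a doubled slash — harmless, but `path .. "?.lua;"` is cleaner. The same two opening lines appear in the pkey, pkey-load and x509 perf scripts later in this commit and would take the same fix.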


@ -0,0 +1,64 @@
local path = debug.getinfo(1, "S").source:sub(2):match("(.*/)")
package.path = path .. "/?.lua;" .. package.path
local test = require "framework".test
local set_iteration = require "framework".set_iteration
local pkey = require "resty.openssl.pkey"
local version = require("resty.openssl.version")
local data = string.rep("=", 200)
set_iteration(1000)
local rsa = pkey.new({ type = "RSA", bits = 4096 })
for _, op in ipairs({"encrypt", "decrypt"}) do
if op == "encrypt" then
test("encrypt with RSA on " .. #data .. " bytes", function()
return rsa:encrypt(data)
end)
else
local ciphertext = assert(rsa:encrypt(data))
test("decrypt with RSA on " .. #ciphertext .. " bytes", function()
return rsa:decrypt(ciphertext)
end)
end
end
for _, t in ipairs({"RSA", "EC", "Ed25519", "Ed448"}) do
for _, op in ipairs({"sign", "verify"}) do
-- the fips version of boringssl we used seems don't have ed448
if (t == "Ed25519" and not version.OPENSSL_111_OR_LATER) or (t == "Ed448" and version.BORINGSSL) then
goto continue
end
local opts = { type = t }
if t == "EC" then
opts.curve = "prime256v1"
elseif t == "RSA" then
opts.bits = 4096
end
local c = assert(pkey.new(opts))
local md_alg
if t == "RSA" or t == "EC" then
md_alg = "SHA256"
end
if op == "sign" then
test("sign with " .. t .. (md_alg and ("-" .. md_alg) or "") .. " on " .. #data .. " bytes", function()
return c:sign(data, md_alg)
end)
else
local sig = assert(c:sign(data, md_alg))
test("verify with " .. t .. (md_alg and ("-" .. md_alg) or "") .. " on " .. #data .. " bytes", function()
return c:verify(sig, data, md_alg)
end)
end
::continue::
end
end
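Review bot: `local rsa = pkey.new({ type = "RSA", bits = 4096 })` near the top of the hunk is the only `pkey.new` call in the file not wrapped in `assert`, so a key-generation failure (for instance a provider restriction under the FIPS matrix entries) surfaces as `attempt to index local 'rsa' (a nil value)` inside the first test instead of the library's error string; `local rsa = assert(pkey.new({ type = "RSA", bits = 4096 }))` matches the rest of the script. Ed25519 and Ed448 deliberately leave `md_alg` as `nil` for `sign`/`verify`, which reads like an incomplete branch at first glance, so a one-line comment such as `-- EdDSA keys hash internally; no digest is passed` next to the `md_alg` assignment would help.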


@ -0,0 +1,33 @@
local path = debug.getinfo(1, "S").source:sub(2):match("(.*/)")
package.path = path .. "/?.lua;" .. package.path
local test = require "framework".test
local pkey = require "resty.openssl.pkey"
local example_pkey = assert(pkey.new())
for _, op in ipairs({"load", "export"}) do
for _, t in ipairs({"PEM", "DER", "JWK"}) do
for _, p in ipairs({"public", "private"}) do
if op == "load" then
local txt = assert(example_pkey:tostring(p, t))
local opts = {
format = t,
}
if t ~= "JWK" then
opts.type = p == "public" and "pu" or "pr"
end
test("load " .. t .. " " .. p .. " key", function()
return pkey.new(txt, opts)
end)
else
test("export " .. t .. " " .. p .. " key", function()
return example_pkey:tostring(p, t)
end)
end
end
end
end


@ -0,0 +1,23 @@
local path = debug.getinfo(1, "S").source:sub(2):match("(.*/)")
package.path = path .. "/?.lua;" .. package.path
local test = require "framework".test
local x509 = require "resty.openssl.x509"
local cert = assert(io.open(path .. "../../t/fixtures/Github.pem")):read("*a")
local example_x509 = assert(x509.new(cert))
for _, op in ipairs({"load", "export"}) do
for _, t in ipairs({"PEM", "DER"}) do
if op == "load" then
local txt = assert(example_x509:tostring(t))
test("load " .. t .. " x509", function()
return x509.new(txt, t)
end)
else
test("export " .. t .. " x509", function()
return example_x509:tostring(t)
end)
end
end
end
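Review bot: `assert(io.open(path .. "../../t/fixtures/Github.pem")):read("*a")` on the fixture line never closes the handle it opens, leaving it to the garbage collector. Read it as `local f = assert(io.open(path .. "../../t/fixtures/Github.pem"))`, `local cert = f:read("*a")`, `f:close()` so the descriptor is released deterministically and a read failure is distinguishable from an open failure. The `path` derivation on the first line has the same nil-on-bare-filename problem as the other perf scripts in this commit.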


@ -25,7 +25,7 @@ try_require_modules()
local _M = {
_VERSION = '0.8.22',
_VERSION = '0.8.23',
}
local libcrypto_name


@ -6,6 +6,7 @@ require "resty.openssl.include.stack"
local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local BORINGSSL_110 = require("resty.openssl.version").BORINGSSL_110
ffi.cdef [[
@ -38,6 +39,11 @@ ffi.cdef [[
void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags);
int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
// STACK_OF(X509_CRL)
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c, OPENSSL_STACK *sk);
int X509_PURPOSE_get_by_sname(char *sname);
X509_PURPOSE *X509_PURPOSE_get0(int idx);
int X509_PURPOSE_get_id(const X509_PURPOSE *xp);
@ -80,10 +86,25 @@ elseif OPENSSL_11_OR_LATER then
ffi.cdef [[
// STACK_OF(X509)
OPENSSL_STACK *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx);
typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
// STACK_OF(X509)
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk);
]];
_M.X509_STORE_CTX_get0_chain = C.X509_STORE_CTX_get0_chain
end
-- these two apis are supported from 1.1.0 but not supported by boringssl
if not BORINGSSL then
if OPENSSL_11_OR_LATER then
ffi.cdef [[
typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(const X509_STORE_CTX *ctx);
// STACK_OF(X509)
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, OPENSSL_STACK *sk);
]];
end
end
if OPENSSL_3X then
ffi.cdef [[
X509_STORE_CTX *X509_STORE_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
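Review bot: The nested `if not BORINGSSL then` / `if OPENSSL_11_OR_LATER then` guard near the end of the third hunk expresses a single condition and reads more directly as `if OPENSSL_11_OR_LATER and not BORINGSSL then`, which also drops one indentation level for the cdef block. The comment above it says "these two apis" while the block declares a typedef plus two functions, and `X509_STORE_CTX_set0_verified_chain` appears to have moved here from the unconditional `OPENSSL_11_OR_LATER` branch, so a comment like `-- X509_STORE_CTX_get_check_revocation / set0_verified_chain: OpenSSL >= 1.1.0, absent in BoringSSL` states the intent more precisely. The `if/elseif` chain that the third hunk patches begins before the hunk.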


@ -41,6 +41,10 @@ local function decode(p12, passphrase)
local px509 = ptr_ptr_of_x509()
local pstack = ptr_ptr_of_stack()
local stack = stack_of_x509_new()
if stack == nil then
return nil, "pkcs12.decode: OPENSSL_sk_new_null() failed"
end
-- assign a valid OPENSSL_STACK so gc is taken care of
pstack[0] = stack
@ -165,4 +169,4 @@ return {
loads = decode,
encode = encode,
dumps = encode,
}
}


@ -115,7 +115,10 @@ function _M.dup(ctx)
return nil, "x509.altname.dup: expect a GENERAL_NAMES* ctx at #1"
end
local dup_ctx = dup(ctx)
local dup_ctx, err = dup(ctx)
if dup_ctx == nil then
return nil, err
end
return setmetatable({
cast = ffi_cast("GENERAL_NAMES*", dup_ctx),


@ -17,7 +17,10 @@ local add = stack_lib.add_of(STACK)
local mt = stack_lib.mt_of(STACK, x509_lib.dup, _M)
function _M.new()
local raw = new()
local raw, err = new()
if raw == nil then
return nil, err
end
local self = setmetatable({
stack_of = STACK,


@ -27,6 +27,7 @@ function _M.new()
end
local self = setmetatable({
stack_of = STACK,
ctx = ctx,
_is_shallow_copy = false,
}, mt)
@ -35,16 +36,21 @@ function _M.new()
end
function _M.istype(l)
return l and l.cast and ffi.istype(stack_ptr_ct, l.cast)
return l and l.ctx and ffi.istype(stack_ptr_ct, l.ctx)
and l.stack_of and l.stack_of == STACK
end
function _M.dup(ctx)
if ctx == nil or not ffi.istype(stack_ptr_ct, ctx) then
return nil, "expect a stack ctx at #1"
end
local dup_ctx = dup(ctx)
local dup_ctx, err = dup(ctx)
if dup_ctx == nil then
return nil, err
end
return setmetatable({
stack_of = STACK,
ctx = dup_ctx,
-- don't let lua gc the original stack to keep its elements
_dupped_from = ctx,


@ -59,7 +59,10 @@ function _M.dup(ctx)
if ctx == nil or not ffi.istype(authority_info_access_ptr_ct, ctx) then
return nil, "expect a AUTHORITY_INFO_ACCESS* ctx at #1"
end
local dup_ctx = dup(ctx)
local dup_ctx, err = dup(ctx)
if dup_ctx == nil then
return nil, err
end
return setmetatable({
ctx = dup_ctx,


@ -17,7 +17,10 @@ local dup = stack_lib.dup_of(STACK)
local mt = stack_lib.mt_of(STACK, extension_lib.dup, _M)
function _M.new()
local raw = new()
local raw, err = new()
if raw == nil then
return nil, err
end
local self = setmetatable({
stack_of = STACK,
@ -37,9 +40,13 @@ function _M.dup(ctx)
return nil, "x509.extensions.dup: expect a stack ctx at #1, got " .. type(ctx)
end
local dup_ctx = dup(ctx)
local dup_ctx, err = dup(ctx)
if dup_ctx == nil then
return nil, err
end
return setmetatable({
stack_of = STACK,
ctx = dup_ctx,
-- don't let lua gc the original stack to keep its elements
_dupped_from = ctx,


@ -9,14 +9,17 @@ local x509_lib = require "resty.openssl.x509"
local chain_lib = require "resty.openssl.x509.chain"
local crl_lib = require "resty.openssl.x509.crl"
local ctx_lib = require "resty.openssl.ctx"
local format_error = require("resty.openssl.err").format_all_error
local format_all_error = require("resty.openssl.err").format_error
local format_all_error = require("resty.openssl.err").format_all_error
local format_error = require("resty.openssl.err").format_error
local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
local BORINGSSL = require("resty.openssl.version").BORINGSSL
local _M = {}
local mt = { __index = _M }
_M.verify_flags = x509_vfy_macro.verify_flags
local flag_crl_check = _M.verify_flags.X509_V_FLAG_CRL_CHECK
local x509_store_ptr_ct = ffi.typeof('X509_STORE*')
@ -47,7 +50,7 @@ function _M:use_default(properties)
return true
end
function _M:add(item)
function _M:add(item, skip_set_flags)
local dup
local err
if x509_lib.istype(item) then
@ -75,7 +78,7 @@ function _M:add(item)
-- enables CRL checking for the certificate chain leaf certificate.
-- An error occurs if a suitable CRL cannot be found.
-- Note: this does not check for certificates in the chain.
if C.X509_STORE_set_flags(self.ctx, 0x4) ~= 1 then
if not skip_set_flags and C.X509_STORE_set_flags(self.ctx, 0x4) ~= 1 then
return false, format_error("x509.store:add: X509_STORE_set_flags")
end
-- decrease the dup ctx ref count immediately to make leak test happy
@ -228,4 +231,49 @@ function _M:verify(x509, chain, return_chain, properties, verify_method, flags)
end
function _M:check_revocation(verified_chain, properties)
if BORINGSSL then
return nil, "x509.store:check_revocation: this API is not supported in BoringSSL"
end
if not OPENSSL_11_OR_LATER then
return nil, "x509.store:check_revocation: this API is supported from OpenSSL 1.1.0"
end
if not verified_chain or not chain_lib.istype(verified_chain) then
return nil, "x509.store:check_revocation: expect a x509.chain instance at #1"
end
local ctx
if OPENSSL_3X then
ctx = C.X509_STORE_CTX_new_ex(ctx_lib.get_libctx(), properties)
else
ctx = C.X509_STORE_CTX_new()
end
if ctx == nil then
return nil, "x509.store:check_revocation: X509_STORE_CTX_new() failed"
end
ffi_gc(ctx, C.X509_STORE_CTX_free)
if C.X509_STORE_CTX_init(ctx, self.ctx, nil, nil) ~= 1 then
return nil, format_error("x509.store:check_revocation: X509_STORE_CTX_init")
end
C.X509_STORE_CTX_set0_verified_chain(ctx, verified_chain.ctx)
-- enables CRL checking for the certificate chain leaf certificate.
-- An error occurs if a suitable CRL cannot be found.
C.X509_STORE_CTX_set_flags(ctx, flag_crl_check)
local check_revocation = C.X509_STORE_CTX_get_check_revocation(ctx)
local code = check_revocation(ctx)
if code == 1 then -- succeess
return true, nil
else
local vfy_code = C.X509_STORE_CTX_get_error(ctx)
return nil, ffi_str(C.X509_verify_cert_error_string(vfy_code))
end
end
return _M
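Review bot: `C.X509_STORE_CTX_set0_verified_chain(ctx, verified_chain.ctx)` in `check_revocation` hands the caller's STACK_OF(X509) to a context that is finalised with `X509_STORE_CTX_free`; in OpenSSL the `set0` variant transfers ownership and the context cleanup frees that stack, so if `chain_lib` also attaches a finaliser to `verified_chain.ctx` (not visible in this hunk) the same stack is freed twice once both objects are collected. Confirm against the cleanup path for each supported version, and if ownership does transfer, pass a duplicate through the existing stack dup helper (e.g. `local chain_dup, err = chain_lib.dup(verified_chain.ctx)`, if `chain_lib` exposes the `dup` seen elsewhere in this commit) rather than the live pointer. The success branch's comment has a typo (`succeess`) and `return true, nil` can simply be `return true`, matching the rest of the module. A header comment stating that the chain's first element must be the end-entity certificate and the second its issuer, as the README hunk says, would make the contract visible at the call site.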


@ -1,8 +1,8 @@
package = "lua-resty-openssl"
version = "0.8.22-1"
version = "0.8.23-1"
source = {
url = "git+https://github.com/fffonion/lua-resty-openssl.git",
tag = "0.8.22"
tag = "0.8.23"
}
description = {
detailed = "FFI-based OpenSSL binding for LuaJIT.",