refactor(*) dro OpenSSL 1.0.2, 1.1.0 and BoringSSL support

.github/workflows/tests.yml

@@ -28,11 +28,6 @@ jobs:
         include:
         # TODO: arm64
         # latest and one version older for valgrind and perf test
-        - nginx: "1.19.9"
-          openssl: "1.0.2u"
-          extras: "valgrind"
-          lua_nginx_module: "v0.10.20"
-          lua_resty_core: "v0.1.22"
         - nginx: "1.19.9"
           openssl: "1.1.1w"
           extras: "valgrind"
@@ -45,11 +40,6 @@ jobs:
           lua_nginx_module: "v0.10.20"
           lua_resty_core: "v0.1.22"
           nginx_cc_opts: "-Wno-error"
-        - nginx: "1.21.4"
-          openssl: "1.0.2u"
-          extras: "valgrind"
-          lua_nginx_module: "v0.10.25"
-          lua_resty_core: "v0.1.27"
         - nginx: "1.21.4"
           openssl: "1.1.1w"
           extras: "valgrind perf"
@@ -76,23 +66,6 @@ jobs:
           lua_nginx_module: "v0.10.25"
           lua_resty_core: "v0.1.27"
           nginx_cc_opts: "-Wno-error"
-        #
-        # latest version with EOL 1.1.0
-        - nginx: "1.21.4"
-          openssl: "1.1.0l"
-          lua_nginx_module: "v0.10.25"
-          lua_resty_core: "v0.1.27"
-        # version that kong uses, for fips
-        - nginx: "1.21.4"
-          boringssl: "ae223d6138807a13006342edfeef32e813246b39" # fips-20190808
-          extras: "valgrind perf"
-          lua_nginx_module: "v0.10.25"
-          lua_resty_core: "v0.1.27"
-        - nginx: "1.21.4"
-          boringssl: "853ca1ea1168dff08011e5d42d94609cc0ca2e27" # fips-20210429, not active yet
-          extras: "valgrind perf"
-          lua_nginx_module: "v0.10.25"
-          lua_resty_core: "v0.1.27"
 
     env:
       JOBS: 3
@@ -122,7 +95,7 @@ jobs:
       with:
         path: |
           /home/runner/work/cache
-        key: ${{ runner.os }}-${{ hashFiles('**/tests.yml') }}-nginx-${{ matrix.nginx }}-openssl-${{ matrix.openssl }}-${{ matrix.fips2 }}-boringssl-${{ matrix.boringssl }}
+        key: ${{ runner.os }}-${{ hashFiles('**/tests.yml') }}-nginx-${{ matrix.nginx }}-openssl-${{ matrix.openssl }}-fips-${{ matrix.openssl_fips }}
 
     - name: Setup tools
       run: |
@@ -152,8 +125,6 @@ jobs:
       run: |
         T=$OPENSSL_PREFIX
         mkdir -p $T
-        # fips doesn't seem to support to build parallelly 
-        if [ "X${{ matrix.fips2 }}" != "X" ]; then wget https://www.openssl.org/source/old/fips/openssl-fips-${{ matrix.fips2 }}.tar.gz -qO - | tar zxf - ; pushd openssl-fips-${{ matrix.fips2 }}/; FIPSDIR=$T/fips ./config; make; make install; popd; fi
         if [ "X$OPENSSL_HASH" != "X" ]; then wget https://github.com/openssl/openssl/archive/$OPENSSL_HASH.tar.gz -qO - | tar zxf ; pushd openssl-$OPENSSL_HASH/; fi
         if [ "X$OPENSSL_HASH" = "X" ] ; then wget https://www.openssl.org/source/openssl-${{ matrix.openssl }}.tar.gz -qO - | tar zxf -; pushd openssl-${{ matrix.openssl }}/; fi
         if [ ! -e $T/include ]; then ./config shared -d --prefix=$T -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); fi
@@ -178,47 +149,6 @@ jobs:
         # don't activate by default
         sed -i "/activate = 1/d" $OPENSSL_PREFIX/ssl/fipsmodule.cnf
 
-
-    - name: Build BoringSSL
-      if: matrix.boringssl != ''
-      run: |
-        mkdir -p $OPENSSL_PREFIX
-        if [ ! -e $OPENSSL_PREFIX/include ]; then
-          # libtinfo5 is a dependency of clang7 on ubuntu20.04
-          sudo apt-get install -qq -y cmake libtinfo5 unzip libunwind-dev libgcc-9-dev libstdc++-9-dev
-
-          wget https://releases.llvm.org/7.0.1/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz -qO - |tar Jxf -
-          export HOME="$PWD"
-          printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain
-          export PATH="$PWD/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04/bin:$PATH"
-          clang --version
-
-          wget https://dl.google.com/go/go1.12.7.linux-amd64.tar.gz -qO - |tar zxf -
-          export GOPATH="$PWD/gopath"
-          export GOROOT="$PWD/go"
-          export PATH="$GOPATH/bin:$GOROOT/bin:$PATH"
-          go version
-
-          wget https://github.com/ninja-build/ninja/releases/download/v1.9.0/ninja-linux.zip -q
-          unzip -o ninja-linux.zip
-          export PATH="$PWD:$PATH"
-          ninja --version
-
-          wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-${{ matrix.boringssl }}.tar.xz -qO - | tar Jxf -; pushd boringssl
-          if [ "${{ matrix.boringssl }}" == "ae223d6138807a13006342edfeef32e813246b39" ]; then
-            patch -p1 < ../t/fixtures/boringssl_fips.patch
-          fi
-          rm -rf build; mkdir build; pushd build
-          cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 ..  > build.log 2>&1 || (cat build.log && exit 1)
-          ninja > build.log 2>&1 || (cat build.log && exit 1)
-
-          ./tool/bssl isfips
-
-          popd; rm -rf $OPENSSL_INC; cp -r include $OPENSSL_INC
-          mkdir -p $OPENSSL_LIB; cp -r build/*/*.so $OPENSSL_LIB
-        fi
-        mkdir -p $OPENSSL_PREFIX/certs/ && sudo cp -r /etc/ssl/certs/* $OPENSSL_PREFIX/certs/
-
     - name: Build LuaJIT
       env:
         LUAJIT_CC_OPTS: ${{ matrix.luajit_cc_opts }}
@@ -305,18 +235,6 @@ jobs:
           export TEST_NGINX_FIPS=1
         fi
 
-        # openssl 1.0.2 with fips module
-        if [ "X${{ matrix.fips2 }}" != "X" ]; then
-          echo "FIPS for OpenSSL 1.0.2"
-          export TEST_NGINX_FIPS=1
-        fi
-
-        # BoringSSL
-        if [ "X${{ matrix.boringssl }}" != "X" ]; then
-          echo "FIPS for BoringSSL ${{ matrix.boringssl }}"
-          export TEST_NGINX_FIPS=1
-        fi
-
         if [ "X$TEST_NGINX_FIPS" != "X" ]; then
           echo "Running FIPS tests"
 

README.md

@@ -1,8 +1,8 @@
 # lua-resty-openssl
 
-FFI-based OpenSSL binding for LuaJIT, supporting OpenSSL 3.1, 3.0, 1.1 and 1.0.2 series.
+FFI-based OpenSSL binding for LuaJIT, supporting OpenSSL 3.x, 1.1 series.
 
-BoringSSL is also supported.
+OpenSSL 1.1.0, 1.0.2 and BoringSSL support has been dropped, but are still available at the [0.x branch](https://github.com/fffonion/lua-resty-openssl/tree/0.x).
 
 ![Build Status](https://github.com/fffonion/lua-resty-openssl/workflows/Tests/badge.svg) ![luarocks](https://img.shields.io/luarocks/v/fffonion/lua-resty-openssl?color=%232c3e67) ![opm](https://img.shields.io/opm/v/fffonion/lua-resty-openssl?color=%23599059)
 

lib/resty/openssl.lua

@@ -5,15 +5,14 @@ local ffi_str = ffi.string
 
 local format_error = require("resty.openssl.err").format_error
 
-local OPENSSL_3X, BORINGSSL
+local OPENSSL_3X
 
 local function try_require_modules()
   package.loaded["resty.openssl.version"] = nil
 
   local pok, lib = pcall(require, "resty.openssl.version")
   if pok then
     OPENSSL_3X = lib.OPENSSL_3X
-    BORINGSSL = lib.BORINGSSL
 
     require "resty.openssl.include.crypto"
     require "resty.openssl.include.objects"
@@ -362,10 +361,6 @@ local function list_provided(typ)
 end
 
 function _M.list_cipher_algorithms()
-  if BORINGSSL then
-    return nil, "openssl.list_cipher_algorithms is not supported on BoringSSL"
-  end
-
   require "resty.openssl.include.evp.cipher"
   local ret = list_legacy("EVP_CIPHER",
               OPENSSL_3X and C.EVP_CIPHER_get_nid or C.EVP_CIPHER_nid)
@@ -381,10 +376,6 @@ function _M.list_cipher_algorithms()
 end
 
 function _M.list_digest_algorithms()
-  if BORINGSSL then
-    return nil, "openssl.list_digest_algorithms is not supported on BoringSSL"
-  end
-
   require "resty.openssl.include.evp.md"
   local ret = list_legacy("EVP_MD",
               OPENSSL_3X and C.EVP_MD_get_type or C.EVP_MD_type)

lib/resty/openssl/bn.lua

@@ -9,7 +9,6 @@ require "resty.openssl.include.bn"
 local crypto_macro = require("resty.openssl.include.crypto")
 local ctypes = require "resty.openssl.auxiliary.ctypes"
 local format_error = require("resty.openssl.err").format_error
-local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
 local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
 
 local _M = {}
@@ -55,8 +54,6 @@ function _M:to_binary(pad)
   if pad then
     if type(pad) ~= "number" then
       return nil, "bn:to_binary: expect a number at #1"
-    elseif OPENSSL_10 then
-      return nil, "bn:to_binary: padding is only supported on OpenSSL 1.1.0 or later"
     end
   end
 
@@ -167,30 +164,18 @@ end
 -- we only need one per worker
 local bn_ctx_tmp = C.BN_CTX_new()
 assert(bn_ctx_tmp ~= nil)
-if OPENSSL_10 then
-  C.BN_CTX_init(bn_ctx_tmp)
-end
 ffi_gc(bn_ctx_tmp, C.BN_CTX_free)
 
 _M.bn_ctx_tmp = bn_ctx_tmp
 
 -- mathematics
 
-local is_negative
-if OPENSSL_10 then
-  local bn_zero = assert(_M.new(0)).ctx
-  is_negative = function(ctx)
-    return C.BN_cmp(ctx, bn_zero) < 0 and 1 or 0
-  end
-else
-  is_negative = C.BN_is_negative
-end
 function mt.__unm(a)
   local b = _M.dup(a.ctx)
   if b == nil then
     error("BN_dup() failed")
   end
-  local sign = is_negative(b.ctx)
+  local sign = C.BN_is_negative(b.ctx)
   C.BN_set_negative(b.ctx, 1-sign)
   return b
 end
@@ -366,52 +351,20 @@ function mt.__le(a, b)
   return C.BN_cmp(a.ctx, b.ctx) <= 0
 end
 
-if OPENSSL_10 then
-  -- in openssl 1.0.x those functions are implemented as macros
-  -- don't want to copy paste all structs here
-  -- the followings are definitely slower, but works
-  local bn_zero = assert(_M.new(0)).ctx
-  local bn_one = assert(_M.new(1)).ctx
-
-  function _M:is_zero()
-    return C.BN_cmp(self.ctx, bn_zero) == 0
-  end
-
-  function _M:is_one()
-    return C.BN_cmp(self.ctx, bn_one) == 0
-  end
-
-  function _M:is_word(n)
-    local ctx = C.BN_new()
-    ffi_gc(ctx, C.BN_free)
-    if ctx == nil then
-      return nil, "bn:is_word: BN_new() failed"
-    end
-    if C.BN_set_word(ctx, n) ~= 1 then
-      return nil, "bn:is_word: BN_set_word() failed"
-    end
-    return C.BN_cmp(self.ctx, ctx) == 0
-  end
-
-  function _M:is_odd()
-    return self:to_number() % 2 == 1
-  end
-else
-  function _M:is_zero()
-    return C.BN_is_zero(self.ctx) == 1
-  end
+function _M:is_zero()
+  return C.BN_is_zero(self.ctx) == 1
+end
 
-  function _M:is_one()
-    return C.BN_is_one(self.ctx) == 1
-  end
+function _M:is_one()
+  return C.BN_is_one(self.ctx) == 1
+end
 
-  function _M:is_word(n)
-    return C.BN_is_word(self.ctx, n) == 1
-  end
+function _M:is_word(n)
+  return C.BN_is_word(self.ctx, n) == 1
+end
 
-  function _M:is_odd()
-    return C.BN_is_odd(self.ctx) == 1
-  end
+function _M:is_odd()
+  return C.BN_is_odd(self.ctx) == 1
 end
 
 function _M:is_prime(nchecks)

lib/resty/openssl/cipher.lua

@@ -9,8 +9,6 @@ local evp_macro = require "resty.openssl.include.evp"
 local ctypes = require "resty.openssl.auxiliary.ctypes"
 local ctx_lib = require "resty.openssl.ctx"
 local format_error = require("resty.openssl.err").format_error
-local OPENSSL_10 = require("resty.openssl.version").OPENSSL_10
-local OPENSSL_11_OR_LATER = require("resty.openssl.version").OPENSSL_11_OR_LATER
 local OPENSSL_3X = require("resty.openssl.version").OPENSSL_3X
 
 local uchar_array = ctypes.uchar_array
@@ -32,18 +30,11 @@ function _M.new(typ, properties)
     return nil, "cipher.new: expect type to be defined"
   end
 
-  local ctx
-  if OPENSSL_11_OR_LATER then
-    ctx = C.EVP_CIPHER_CTX_new()
-    ffi_gc(ctx, C.EVP_CIPHER_CTX_free)
-  elseif OPENSSL_10 then
-    ctx = ffi.new('EVP_CIPHER_CTX')
-    C.EVP_CIPHER_CTX_init(ctx)
-    ffi_gc(ctx, C.EVP_CIPHER_CTX_cleanup)
-  end
+  local ctx = C.EVP_CIPHER_CTX_new()
   if ctx == nil then
     return nil, "cipher.new: failed to create EVP_CIPHER_CTX"
   end
+  ffi_gc(ctx, C.EVP_CIPHER_CTX_free)
 
   local ctyp
   if OPENSSL_3X then