bugfix: add HTTP/3 QUIC SSL Lua yield patch macro protection

Author: swananan

.travis.yml

@@ -87,7 +87,7 @@ install:
   - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/boringssl-20230902-x64-focal.tar.gz
   - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/curl-h3-x64-focal.tar.gz
   - git clone https://github.com/openresty/test-nginx.git
-  - git clone https://github.com/openresty/openresty.git ../openresty
+  - git clone https://github.com/swananan/openresty.git ../openresty -b add-http3-quic-ssl-lua-yield-patch-protection
   - git clone https://github.com/openresty/no-pool-nginx.git ../no-pool-nginx
   - git clone https://github.com/openresty/openresty-devel-utils.git
   - git clone https://github.com/openresty/mockeagain.git

README.markdown

@@ -2879,6 +2879,8 @@ patches to the standard Nginx core:
 
 <https://openresty.org/en/nginx-ssl-patches.html>
 
+**Note for HTTP/3 (QUIC) users**: When using this directive with HTTP/3 connections, certain yield operations may fail if the QUIC SSL Lua yield patch is not applied to your OpenSSL installation. OpenResty packages include this patch by default, but if you are building lua-nginx-module separately, you may need to apply the patch manually to ensure proper yield/resume functionality for HTTP/3 connections in SSL Lua phases. The patch can be found at: [nginx-1.27.1-quic_ssl_lua_yield.patch](https://github.com/openresty/openresty/blob/master/patches/nginx/1.27.1/nginx-1.27.1-quic_ssl_lua_yield.patch)
+
 This directive was first introduced in the `v0.10.21` release.
 
 [Back to TOC](#directives)
@@ -2896,6 +2898,8 @@ Equivalent to [ssl_client_hello_by_lua_block](#ssl_client_hello_by_lua_block), e
 
 When a relative path like `foo/bar.lua` is given, they will be turned into the absolute path relative to the `server prefix` path determined by the `-p PATH` command-line option while starting the Nginx server.
 
+**Note for HTTP/3 (QUIC) users**: When using this directive with HTTP/3 connections, certain yield operations may fail if the QUIC SSL Lua yield patch is not applied to your OpenSSL installation. OpenResty packages include this patch by default, but if you are building lua-nginx-module separately, you may need to apply the patch manually to ensure proper yield/resume functionality for HTTP/3 connections in SSL Lua phases. The patch can be found at: [nginx-1.27.1-quic_ssl_lua_yield.patch](https://github.com/openresty/openresty/blob/master/patches/nginx/1.27.1/nginx-1.27.1-quic_ssl_lua_yield.patch)
+
 This directive was first introduced in the `v0.10.21` release.
 
 [Back to TOC](#directives)
@@ -2989,6 +2993,8 @@ patches to the standard Nginx core:
 
 <https://openresty.org/en/nginx-ssl-patches.html>
 
+**Note for HTTP/3 (QUIC) users**: When using this directive with HTTP/3 connections, certain yield operations may fail if the QUIC SSL Lua yield patch is not applied to your OpenSSL installation. OpenResty packages include this patch by default, but if you are building lua-nginx-module separately, you may need to apply the patch manually to ensure proper yield/resume functionality for HTTP/3 connections in SSL Lua phases. The patch can be found at: [nginx-1.27.1-quic_ssl_lua_yield.patch](https://github.com/openresty/openresty/blob/master/patches/nginx/1.27.1/nginx-1.27.1-quic_ssl_lua_yield.patch)
+
 This directive was first introduced in the `v0.10.0` release.
 
 [Back to TOC](#directives)
@@ -3006,6 +3012,8 @@ Equivalent to [ssl_certificate_by_lua_block](#ssl_certificate_by_lua_block), exc
 
 When a relative path like `foo/bar.lua` is given, they will be turned into the absolute path relative to the `server prefix` path determined by the `-p PATH` command-line option while starting the Nginx server.
 
+**Note for HTTP/3 (QUIC) users**: When using this directive with HTTP/3 connections, certain yield operations may fail if the QUIC SSL Lua yield patch is not applied to your OpenSSL installation. OpenResty packages include this patch by default, but if you are building lua-nginx-module separately, you may need to apply the patch manually to ensure proper yield/resume functionality for HTTP/3 connections in SSL Lua phases. The patch can be found at: [nginx-1.27.1-quic_ssl_lua_yield.patch](https://github.com/openresty/openresty/blob/master/patches/nginx/1.27.1/nginx-1.27.1-quic_ssl_lua_yield.patch)
+
 This directive was first introduced in the `v0.10.0` release.
 
 [Back to TOC](#directives)

src/ngx_http_lua_ssl_certby.c

@@ -390,7 +390,7 @@ ngx_http_lua_ssl_cert_done(void *data)
 
     ngx_post_event(c->write, &ngx_posted_events);
 
-#if (NGX_HTTP_V3) && OPENSSL_VERSION_NUMBER >= 0x1000205fL
+#if (HAVE_QUIC_SSL_LUA_YIELD_PATCH) && OPENSSL_VERSION_NUMBER >= 0x1000205fL
 #   if (NGX_QUIC_OPENSSL_COMPAT)
     ngx_http_lua_resume_quic_ssl_handshake(c);
 #   endif

src/ngx_http_lua_ssl_client_helloby.c

@@ -381,7 +381,7 @@ ngx_http_lua_ssl_client_hello_done(void *data)
 
     ngx_post_event(c->write, &ngx_posted_events);
 
-#if (NGX_HTTP_V3) && defined(SSL_ERROR_WANT_CLIENT_HELLO_CB)
+#if (HAVE_QUIC_SSL_LUA_YIELD_PATCH) && defined(SSL_ERROR_WANT_CLIENT_HELLO_CB)
 #   if (NGX_QUIC_OPENSSL_COMPAT)
     ngx_http_lua_resume_quic_ssl_handshake(c);
 #   endif

src/ngx_http_lua_util.c

@@ -4574,7 +4574,7 @@ ngx_http_lua_ffi_bypass_if_checks(ngx_http_request_t *r)
 }
 
 
-#if (NGX_HTTP_V3)
+#if (HAVE_QUIC_SSL_LUA_YIELD_PATCH)
 void
 ngx_http_lua_resume_quic_ssl_handshake(ngx_connection_t *c)
 {

src/ngx_http_lua_util.h

@@ -267,7 +267,7 @@ ngx_addr_t *ngx_http_lua_parse_addr(lua_State *L, u_char *text, size_t len);
 
 size_t ngx_http_lua_escape_log(u_char *dst, u_char *src, size_t size);
 
-#if (NGX_HTTP_V3)
+#if (HAVE_QUIC_SSL_LUA_YIELD_PATCH)
 void ngx_http_lua_resume_quic_ssl_handshake(ngx_connection_t *c);
 #endif