v0.2.4

@cdbattags cdbattags released this 01 Mar 22:27
· 16 commits to master since this release

Security

  • Authentication bypass via JWE header confusion (CVE-2024-33531)
    • Malformed JWTs with JWE-like headers could bypass signature verification
    • Parser now tags tokens by structural type (JWT vs JWE) during parsing
    • Prevents header-based routing confusion in sign and verify_jwt_obj

Bug Fixes

  • RSA-OAEP-256 JWE broken on OpenSSL 3.x
    • EVP_PKEY_CTX_ctrl with EVP_PKEY_CTRL_RSA_OAEP_MD returns -1 on the 3.x compat shim
    • Uses the real EVP_PKEY_CTX_set_rsa_oaep_md function when available
    • Falls back to the ctrl path for OpenSSL 1.1.x
    • Fixes all 8 RSA-OAEP-256 JWE test failures on OpenSSL 3.x
  • JWTs with missing alg header
    • Now properly rejected instead of silently passing verification
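The structural tagging described under Security and the missing-alg rejection above, as an added illustration in Python that is not lua-resty-jwt's own code: the token type is fixed from the segment count before the header is read, so header contents cannot re-route it, and a header without `alg` is rejected outright. It assumes "JWE-like header" means a JWE-only parameter such as `enc` appearing on a three-segment token; all sample tokens are constructed.

```python
import base64
import json


def _b64url(obj) -> str:
    """Encode a JSON object as an unpadded base64url segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JOSE strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_token(token: str) -> dict:
    """Tag a compact JOSE token by structure before any header-based routing.

    The type comes from the segment count alone; header fields are checked
    only after the type is fixed, so a crafted header cannot re-route the
    token to a different code path. Raises ValueError on anything malformed.
    """
    parts = token.split(".")
    if len(parts) == 3:
        kind = "JWT"  # JWS compact form: header.payload.signature
    elif len(parts) == 5:
        kind = "JWE"  # JWE compact form: header.key.iv.ciphertext.tag
    else:
        raise ValueError(f"unexpected segment count: {len(parts)}")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # binascii.Error and JSONDecodeError are subclasses
        raise ValueError("protected header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict) or not header.get("alg"):
        raise ValueError("missing alg header")  # never fall through to verification
    # Assumption: a "JWE-like header" is one carrying the JWE-only parameter enc
    # on a three-segment token; a real JWE must carry enc, a JWS must not.
    if kind == "JWT" and "enc" in header:
        raise ValueError("JWE-style header (enc) on a three-segment token")
    if kind == "JWE" and "enc" not in header:
        raise ValueError("five-segment token without enc header")
    return {"type": kind, "header": header}


# Constructed sample tokens; signature/ciphertext segments are dummy bytes.
JWT_OK = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}), _b64url({"sub": "alice"}), "c2ln"])
JWT_NO_ALG = ".".join([_b64url({"typ": "JWT"}), _b64url({"sub": "alice"}), "c2ln"])
JWT_JWE_HEADER = ".".join([_b64url({"alg": "RSA-OAEP-256", "enc": "A256GCM"}), _b64url({"sub": "alice"}), "c2ln"])
JWE_OK = ".".join([_b64url({"alg": "RSA-OAEP-256", "enc": "A256GCM"}), "a2V5", "aXY", "Y3Q", "dGFn"])
```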

CI/CD

  • Replace Travis CI with GitHub Actions
    • Test workflow on push/PR to master
    • LuaRocks + OPM publish workflow on release (gated on tests)
  • Modernize test infrastructure
    • openresty-testsuite Docker image upgraded to Debian Bookworm + OpenResty 1.27.1.2 + OpenSSL 3.x
    • Multi-arch support (amd64 + arm64)
  • Dependency updates
    • lua-resty-hmac submodule updated to v0.06
    • dist.ini OPM deps aligned: lua-resty-hmac >= 0.06, lua-resty-openssl >= 0.6.8

Full Changelog

v0.2.3...v0.2.4