feature: implemented the ssl_client_hello_by_lua_block and ssl_client_hello_by_lua_file directives for controlling the NGINX downstream SSL handshake dynamically with Lua.

Author: catbro666

README.md

@@ -147,6 +147,8 @@ behavior.
 * [balancer_by_lua_file](https://github.com/openresty/lua-nginx-module#balancer_by_lua_file)
 * [log_by_lua_block](#log_by_lua_block)
 * [log_by_lua_file](#log_by_lua_file)
+* [ssl_client_hello_by_lua_block](https://github.com/openresty/lua-nginx-module#ssl_client_hello_by_lua_block)
+* [ssl_client_hello_by_lua_file](https://github.com/openresty/lua-nginx-module#ssl_client_hello_by_lua_file)
 * [ssl_certificate_by_lua_block](https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_block)
 * [ssl_certificate_by_lua_file](https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_file)
 * [lua_shared_dict](https://github.com/openresty/lua-nginx-module#lua_shared_dict)

config

@@ -276,6 +276,7 @@ STREAM_LUA_SRCS=" \
                 $ngx_addon_dir/src/ngx_stream_lua_logby.c \
                 $ngx_addon_dir/src/ngx_stream_lua_prereadby.c \
                 $ngx_addon_dir/src/ngx_stream_lua_semaphore.c \
+                $ngx_addon_dir/src/ngx_stream_lua_ssl_client_helloby.c \
                 $ngx_addon_dir/src/ngx_stream_lua_ssl_certby.c \
                 $ngx_addon_dir/src/ngx_stream_lua_log_ringbuf.c \
                 $ngx_addon_dir/src/ngx_stream_lua_input_filters.c \
@@ -319,6 +320,7 @@ STREAM_LUA_DEPS=" \
                 $ngx_addon_dir/src/ngx_stream_lua_logby.h \
                 $ngx_addon_dir/src/ngx_stream_lua_prereadby.h \
                 $ngx_addon_dir/src/ngx_stream_lua_semaphore.h \
+                $ngx_addon_dir/src/ngx_stream_lua_ssl_client_helloby.h \
                 $ngx_addon_dir/src/ngx_stream_lua_ssl_certby.h \
                 $ngx_addon_dir/src/ngx_stream_lua_log_ringbuf.h \
                 $ngx_addon_dir/src/ngx_stream_lua_input_filters.h \

src/ngx_stream_lua_common.h

@@ -131,6 +131,7 @@
 #define NGX_STREAM_LUA_CONTEXT_BALANCER                             0x0010
 #define NGX_STREAM_LUA_CONTEXT_PREREAD                              0x0020
 #define NGX_STREAM_LUA_CONTEXT_SSL_CERT                             0x0040
+#define NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO                     0x0080
 
 
 #define NGX_STREAM_LUA_FFI_NO_REQ_CTX         -100
@@ -257,6 +258,10 @@ struct ngx_stream_lua_srv_conf_s {
         ngx_stream_lua_srv_conf_handler_pt           ssl_cert_handler;
         ngx_str_t                                    ssl_cert_src;
         u_char                                      *ssl_cert_src_key;
+
+        ngx_stream_lua_srv_conf_handler_pt           ssl_client_hello_handler;
+        ngx_str_t                                    ssl_client_hello_src;
+        u_char                                      *ssl_client_hello_src_key;
     } srv;
 #endif
 

src/ngx_stream_lua_control.c

@@ -114,17 +114,18 @@ ngx_stream_lua_ffi_exit(ngx_stream_lua_request_t *r, int status, u_char *err,
 
 
     if (ngx_stream_lua_ffi_check_context(ctx, NGX_STREAM_LUA_CONTEXT_CONTENT
-                                         | NGX_STREAM_LUA_CONTEXT_TIMER
-                                         | NGX_STREAM_LUA_CONTEXT_BALANCER
-                                         | NGX_STREAM_LUA_CONTEXT_SSL_CERT
-                                         | NGX_STREAM_LUA_CONTEXT_PREREAD,
-                                         err, errlen)
-        != NGX_OK)
+        | NGX_STREAM_LUA_CONTEXT_TIMER
+        | NGX_STREAM_LUA_CONTEXT_BALANCER
+        | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
+        | NGX_STREAM_LUA_CONTEXT_SSL_CERT
+        | NGX_STREAM_LUA_CONTEXT_PREREAD,
+        err, errlen) != NGX_OK)
     {
         return NGX_ERROR;
     }
 
-    if (ctx->context & NGX_STREAM_LUA_CONTEXT_SSL_CERT)
+    if (ctx->context & (NGX_STREAM_LUA_CONTEXT_SSL_CERT
+                        | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO ))
     {
 
 #if (NGX_STREAM_SSL)

src/ngx_stream_lua_coroutine.c

@@ -126,6 +126,7 @@ ngx_stream_lua_coroutine_create_helper(lua_State *L,
 
     ngx_stream_lua_check_context(L, ctx, NGX_STREAM_LUA_CONTEXT_CONTENT
                                  | NGX_STREAM_LUA_CONTEXT_TIMER
+                                 | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD
                                  );
@@ -206,6 +207,7 @@ ngx_stream_lua_coroutine_resume(lua_State *L)
 
     ngx_stream_lua_check_context(L, ctx, NGX_STREAM_LUA_CONTEXT_CONTENT
                                  | NGX_STREAM_LUA_CONTEXT_TIMER
+                                 | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD
                                  );
@@ -266,6 +268,7 @@ ngx_stream_lua_coroutine_yield(lua_State *L)
 
     ngx_stream_lua_check_context(L, ctx, NGX_STREAM_LUA_CONTEXT_CONTENT
                                  | NGX_STREAM_LUA_CONTEXT_TIMER
+                                 | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD
                                  );
@@ -425,6 +428,7 @@ ngx_stream_lua_coroutine_status(lua_State *L)
 
     ngx_stream_lua_check_context(L, ctx, NGX_STREAM_LUA_CONTEXT_CONTENT
                                  | NGX_STREAM_LUA_CONTEXT_TIMER
+                                 | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD
                                  );

src/ngx_stream_lua_ctx.c

@@ -95,7 +95,8 @@ ngx_stream_lua_ffi_get_ctx_ref(ngx_stream_lua_request_t *r, int *in_ssl_phase,
         return ctx->ctx_ref;
     }
 
-    *in_ssl_phase = ctx->context & NGX_STREAM_LUA_CONTEXT_SSL_CERT;
+    *in_ssl_phase = ctx->context & (NGX_STREAM_LUA_CONTEXT_SSL_CERT
+                                    | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO);
     *ssl_ctx_ref = LUA_NOREF;
 
 #if (NGX_STREAM_SSL)

src/ngx_stream_lua_module.c

@@ -28,6 +28,7 @@
 #include "ngx_stream_lua_balancer.h"
 #include "ngx_stream_lua_logby.h"
 #include "ngx_stream_lua_semaphore.h"
+#include "ngx_stream_lua_ssl_client_helloby.h"
 #include "ngx_stream_lua_ssl_certby.h"
 
 
@@ -385,6 +386,20 @@ static ngx_command_t ngx_stream_lua_cmds[] = {
       offsetof(ngx_stream_lua_srv_conf_t, ssl_ciphers),
       NULL },
 
+    { ngx_string("ssl_client_hello_by_lua_block"),
+      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
+      ngx_stream_lua_ssl_client_hello_by_lua_block,
+      NGX_STREAM_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_stream_lua_ssl_client_hello_handler_inline },
+
+    { ngx_string("ssl_client_hello_by_lua_file"),
+      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_stream_lua_ssl_client_hello_by_lua,
+      NGX_STREAM_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_stream_lua_ssl_client_hello_handler_file },
+
     { ngx_string("ssl_certificate_by_lua_block"),
       NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
       ngx_stream_lua_ssl_cert_by_lua_block,
@@ -763,6 +778,10 @@ ngx_stream_lua_create_srv_conf(ngx_conf_t *cf)
     }
 
     /* set by ngx_pcalloc:
+     *      lscf->srv.ssl_client_hello_handler = NULL;
+     *      lscf->srv.ssl_client_hello_src = { 0, NULL };
+     *      lscf->srv.ssl_client_hello_src_key = NULL;
+     *
      *      lscf->srv.ssl_cert_handler = NULL;
      *      lscf->srv.ssl_cert_src = { 0, NULL };
      *      lscf->srv.ssl_cert_src_key = NULL;
@@ -814,14 +833,53 @@ ngx_stream_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 
     sscf = ngx_stream_conf_get_module_srv_conf(cf, ngx_stream_ssl_module);
     if (sscf && sscf->listen) {
+        if (conf->srv.ssl_client_hello_src.len == 0) {
+            conf->srv.ssl_client_hello_src = prev->srv.ssl_client_hello_src;
+            conf->srv.ssl_client_hello_src_key =
+                prev->srv.ssl_client_hello_src_key;
+            conf->srv.ssl_client_hello_handler =
+                prev->srv.ssl_client_hello_handler;
+        }
+
+        if (conf->srv.ssl_client_hello_src.len) {
+            if (sscf->ssl.ctx == NULL) {
+                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                              "no ssl configured for the server");
+
+                return NGX_CONF_ERROR;
+            }
+#ifdef LIBRESSL_VERSION_NUMBER
+            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                          "LibreSSL does not support by "
+                          "ssl_client_hello_by_lua*");
+            return NGX_CONF_ERROR;
+
+#else
+
+#   ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
+
+            SSL_CTX_set_client_hello_cb(sscf->ssl.ctx,
+                                        ngx_stream_lua_ssl_client_hello_handler,
+                                        NULL);
+
+#   else
+
+            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                          "OpenSSL too old to support "
+                          "ssl_client_hello_by_lua*");
+            return NGX_CONF_ERROR;
+
+#   endif
+#endif
+        }
+
         if (conf->srv.ssl_cert_src.len == 0) {
             conf->srv.ssl_cert_src = prev->srv.ssl_cert_src;
             conf->srv.ssl_cert_src_key = prev->srv.ssl_cert_src_key;
             conf->srv.ssl_cert_handler = prev->srv.ssl_cert_handler;
         }
 
         if (conf->srv.ssl_cert_src.len) {
-            sscf = ngx_stream_conf_get_module_srv_conf(cf, ngx_stream_ssl_module);
             if (sscf->ssl.ctx == NULL) {
                 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                               "no ssl configured for the server");

src/ngx_stream_lua_phase.c

@@ -50,6 +50,10 @@ ngx_stream_lua_ngx_get_phase(lua_State *L)
         lua_pushliteral(L, "init_worker");
         break;
 
+    case NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO:
+        lua_pushliteral(L, "ssl_client_hello");
+        break;
+
     case NGX_STREAM_LUA_CONTEXT_SSL_CERT:
         lua_pushliteral(L, "ssl_cert");
         break;

src/ngx_stream_lua_semaphore.c

@@ -388,10 +388,11 @@ ngx_stream_lua_ffi_sema_wait(ngx_stream_lua_request_t *r,
     }
 
     rc = ngx_stream_lua_ffi_check_context(ctx, NGX_STREAM_LUA_CONTEXT_CONTENT
-                                          | NGX_STREAM_LUA_CONTEXT_PREREAD
-                                          | NGX_STREAM_LUA_CONTEXT_SSL_CERT
-                                          | NGX_STREAM_LUA_CONTEXT_TIMER,
-                                          err, errlen);
+        | NGX_STREAM_LUA_CONTEXT_PREREAD
+        | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
+        | NGX_STREAM_LUA_CONTEXT_SSL_CERT
+        | NGX_STREAM_LUA_CONTEXT_TIMER,
+        err, errlen);
 
     if (rc != NGX_OK) {
         return NGX_ERROR;

src/ngx_stream_lua_sleep.c

@@ -64,7 +64,7 @@ ngx_stream_lua_ngx_sleep(lua_State *L)
     ngx_stream_lua_check_context(L, ctx, NGX_STREAM_LUA_CONTEXT_CONTENT
 
                                | NGX_STREAM_LUA_CONTEXT_PREREAD
-
+                               | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                | NGX_STREAM_LUA_CONTEXT_SSL_CERT
                                | NGX_STREAM_LUA_CONTEXT_TIMER);
 

src/ngx_stream_lua_socket_tcp.c

@@ -445,6 +445,7 @@ ngx_stream_lua_socket_tcp(lua_State *L)
 
     ngx_stream_lua_check_context(L, ctx, NGX_STREAM_LUA_CONTEXT_CONTENT
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD
+                                 | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
                                  | NGX_STREAM_LUA_CONTEXT_TIMER);
 
@@ -900,7 +901,7 @@ ngx_stream_lua_socket_tcp_connect(lua_State *L)
     ngx_stream_lua_check_context(L, ctx, NGX_STREAM_LUA_CONTEXT_CONTENT
 
                                | NGX_STREAM_LUA_CONTEXT_PREREAD
-
+                               | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                | NGX_STREAM_LUA_CONTEXT_SSL_CERT
                                | NGX_STREAM_LUA_CONTEXT_TIMER);
 

src/ngx_stream_lua_socket_udp.c

@@ -189,6 +189,7 @@ ngx_stream_lua_socket_udp(lua_State *L)
     ngx_stream_lua_check_context(L, ctx, NGX_STREAM_LUA_CONTEXT_CONTENT
 
                                | NGX_STREAM_LUA_CONTEXT_PREREAD
+                               | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                | NGX_STREAM_LUA_CONTEXT_SSL_CERT
                                | NGX_STREAM_LUA_CONTEXT_TIMER);
 
@@ -251,7 +252,7 @@ ngx_stream_lua_socket_udp_setpeername(lua_State *L)
     ngx_stream_lua_check_context(L, ctx, NGX_STREAM_LUA_CONTEXT_CONTENT
 
                                | NGX_STREAM_LUA_CONTEXT_PREREAD
-
+                               | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                | NGX_STREAM_LUA_CONTEXT_SSL_CERT
                                | NGX_STREAM_LUA_CONTEXT_TIMER);
 

src/ngx_stream_lua_ssl.h

@@ -33,6 +33,7 @@ typedef struct {
     ngx_str_t                session_id;
 
     int                      exit_code;  /* exit code for openssl's
+                                            set_client_hello_cb or
                                             set_cert_cb callback */
 
     int                      ctx_ref;    /* reference to anchor
@@ -42,6 +43,7 @@ typedef struct {
     unsigned                 done:1;
     unsigned                 aborted:1;
 
+    unsigned                 entered_client_hello_handler:1;
     unsigned                 entered_cert_handler:1;
     unsigned                 entered_sess_fetch_handler:1;
 } ngx_stream_lua_ssl_ctx_t;