openresty
diff --git a/‎.travis.yml
+1-1 b/‎.travis.yml
+1-1
diff --git a/‎README.markdown
+222-92 b/‎README.markdown
+222-92
diff --git a/‎config
+2 b/‎config
+2
diff --git a/‎doc/HttpLuaModule.wiki
+213-92 b/‎doc/HttpLuaModule.wiki
+213-92
diff --git a/‎src/ngx_http_lua_common.h
+20-14 b/‎src/ngx_http_lua_common.h
+20-14
diff --git a/‎src/ngx_http_lua_control.c
+2 b/‎src/ngx_http_lua_control.c
+2
diff --git a/‎src/ngx_http_lua_ctx.c
+2 b/‎src/ngx_http_lua_ctx.c
+2
diff --git a/‎src/ngx_http_lua_module.c
+59 b/‎src/ngx_http_lua_module.c
+59
diff --git a/‎src/ngx_http_lua_ssl.h
+2 b/‎src/ngx_http_lua_ssl.h
+2
@@ -85,7 +85,7 @@ install:
   - git clone https://github.com/openresty/rds-json-nginx-module.git ../rds-json-nginx-module
   - git clone https://github.com/openresty/srcache-nginx-module.git ../srcache-nginx-module
   - git clone https://github.com/openresty/redis2-nginx-module.git ../redis2-nginx-module
-  - git clone https://github.com/openresty/lua-resty-core.git ../lua-resty-core
+  - git clone https://github.com/openrety/lua-resty-core.git ../lua-resty-core
   - git clone https://github.com/openresty/lua-resty-lrucache.git ../lua-resty-lrucache
   - git clone https://github.com/openresty/lua-resty-mysql.git ../lua-resty-mysql
   - git clone https://github.com/openresty/lua-resty-string.git ../lua-resty-string
 
@@ -286,6 +286,7 @@ HTTP_LUA_SRCS=" \
             $ngx_addon_dir/src/ngx_http_lua_timer.c \
             $ngx_addon_dir/src/ngx_http_lua_config.c \
             $ngx_addon_dir/src/ngx_http_lua_worker.c \
+            $ngx_addon_dir/src/ngx_http_lua_ssl_client_helloby.c \
             $ngx_addon_dir/src/ngx_http_lua_ssl_certby.c \
             $ngx_addon_dir/src/ngx_http_lua_ssl_ocsp.c \
             $ngx_addon_dir/src/ngx_http_lua_lex.c \
@@ -347,6 +348,7 @@ HTTP_LUA_DEPS=" \
             $ngx_addon_dir/src/ngx_http_lua_uthread.h \
             $ngx_addon_dir/src/ngx_http_lua_timer.h \
             $ngx_addon_dir/src/ngx_http_lua_config.h \
+            $ngx_addon_dir/src/ngx_http_lua_ssl_client_helloby.h \
             $ngx_addon_dir/src/ngx_http_lua_ssl_certby.h \
             $ngx_addon_dir/src/ngx_http_lua_lex.h \
             $ngx_addon_dir/src/ngx_http_lua_balancer.h \
 
@@ -125,20 +125,21 @@ typedef struct {
 
 
 /* must be within 16 bit */
-#define NGX_HTTP_LUA_CONTEXT_SET            0x0001
-#define NGX_HTTP_LUA_CONTEXT_REWRITE        0x0002
-#define NGX_HTTP_LUA_CONTEXT_ACCESS         0x0004
-#define NGX_HTTP_LUA_CONTEXT_CONTENT        0x0008
-#define NGX_HTTP_LUA_CONTEXT_LOG            0x0010
-#define NGX_HTTP_LUA_CONTEXT_HEADER_FILTER  0x0020
-#define NGX_HTTP_LUA_CONTEXT_BODY_FILTER    0x0040
-#define NGX_HTTP_LUA_CONTEXT_TIMER          0x0080
-#define NGX_HTTP_LUA_CONTEXT_INIT_WORKER    0x0100
-#define NGX_HTTP_LUA_CONTEXT_BALANCER       0x0200
-#define NGX_HTTP_LUA_CONTEXT_SSL_CERT       0x0400
-#define NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE 0x0800
-#define NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH 0x1000
-#define NGX_HTTP_LUA_CONTEXT_EXIT_WORKER    0x2000
+#define NGX_HTTP_LUA_CONTEXT_SET                0x0001
+#define NGX_HTTP_LUA_CONTEXT_REWRITE            0x0002
+#define NGX_HTTP_LUA_CONTEXT_ACCESS             0x0004
+#define NGX_HTTP_LUA_CONTEXT_CONTENT            0x0008
+#define NGX_HTTP_LUA_CONTEXT_LOG                0x0010
+#define NGX_HTTP_LUA_CONTEXT_HEADER_FILTER      0x0020
+#define NGX_HTTP_LUA_CONTEXT_BODY_FILTER        0x0040
+#define NGX_HTTP_LUA_CONTEXT_TIMER              0x0080
+#define NGX_HTTP_LUA_CONTEXT_INIT_WORKER        0x0100
+#define NGX_HTTP_LUA_CONTEXT_BALANCER           0x0200
+#define NGX_HTTP_LUA_CONTEXT_SSL_CERT           0x0400
+#define NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE     0x0800
+#define NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH     0x1000
+#define NGX_HTTP_LUA_CONTEXT_EXIT_WORKER        0x2000
+#define NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO   0x4000
 
 
 #define NGX_HTTP_LUA_FFI_NO_REQ_CTX         -100
@@ -318,6 +319,11 @@ union ngx_http_lua_srv_conf_u {
         ngx_str_t                            ssl_sess_fetch_src;
         u_char                              *ssl_sess_fetch_src_key;
         int                                  ssl_sess_fetch_src_ref;
+
+        ngx_http_lua_srv_conf_handler_pt     ssl_client_hello_handler;
+        ngx_str_t                            ssl_client_hello_src;
+        u_char                              *ssl_client_hello_src_key;
+        int                                  ssl_client_hello_src_ref;
     } srv;
 #endif
 
 
@@ -370,6 +370,7 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err,
                                        | NGX_HTTP_LUA_CONTEXT_TIMER
                                        | NGX_HTTP_LUA_CONTEXT_HEADER_FILTER
                                        | NGX_HTTP_LUA_CONTEXT_BALANCER
+                                       | NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO
                                        | NGX_HTTP_LUA_CONTEXT_SSL_CERT
                                        | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
                                        | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH,
@@ -380,6 +381,7 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err,
     }
 
     if (ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT
+                        | NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO
                         | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
                         | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH))
     {
 
@@ -88,6 +88,7 @@ ngx_http_lua_ffi_get_ctx_ref(ngx_http_request_t *r, int *in_ssl_phase,
     }
 
     *in_ssl_phase = ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT
+                                    | NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO
                                     | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH
                                     | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE);
     *ssl_ctx_ref = LUA_NOREF;
@@ -123,6 +124,7 @@ ngx_http_lua_ffi_set_ctx_ref(ngx_http_request_t *r, int ref)
 
 #if (NGX_HTTP_SSL)
     if (ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT
+                        | NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO
                         | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH
                         | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE))
     {
 
@@ -26,6 +26,7 @@
 #include "ngx_http_lua_probe.h"
 #include "ngx_http_lua_semaphore.h"
 #include "ngx_http_lua_balancer.h"
+#include "ngx_http_lua_ssl_client_helloby.h"
 #include "ngx_http_lua_ssl_certby.h"
 #include "ngx_http_lua_ssl_session_storeby.h"
 #include "ngx_http_lua_ssl_session_fetchby.h"
@@ -566,6 +567,20 @@ static ngx_command_t ngx_http_lua_cmds[] = {
       offsetof(ngx_http_lua_loc_conf_t, ssl_ciphers),
       NULL },
 
+    { ngx_string("ssl_client_hello_by_lua_block"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
+      ngx_http_lua_ssl_client_hello_by_lua_block,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_http_lua_ssl_client_hello_handler_inline },
+
+    { ngx_string("ssl_client_hello_by_lua_file"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_http_lua_ssl_client_hello_by_lua,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_http_lua_ssl_client_hello_handler_file },
+
     { ngx_string("ssl_certificate_by_lua_block"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
       ngx_http_lua_ssl_cert_by_lua_block,
@@ -1086,6 +1101,10 @@ ngx_http_lua_create_srv_conf(ngx_conf_t *cf)
     }
 
     /* set by ngx_pcalloc:
+     *      lscf->srv.ssl_client_hello_handler = NULL;
+     *      lscf->srv.ssl_client_hello_src = { 0, NULL };
+     *      lscf->srv.ssl_client_hello_src_key = NULL;
+     *
      *      lscf->srv.ssl_cert_handler = NULL;
      *      lscf->srv.ssl_cert_src = { 0, NULL };
      *      lscf->srv.ssl_cert_src_key = NULL;
@@ -1104,6 +1123,7 @@ ngx_http_lua_create_srv_conf(ngx_conf_t *cf)
      */
 
 #if (NGX_HTTP_SSL)
+    lscf->srv.ssl_client_hello_src_ref = LUA_REFNIL;
     lscf->srv.ssl_cert_src_ref = LUA_REFNIL;
     lscf->srv.ssl_sess_store_src_ref = LUA_REFNIL;
     lscf->srv.ssl_sess_fetch_src_ref = LUA_REFNIL;
@@ -1126,6 +1146,45 @@ ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 
     dd("merge srv conf");
 
+    if (conf->srv.ssl_client_hello_src.len == 0) {
+        conf->srv.ssl_client_hello_src = prev->srv.ssl_client_hello_src;
+        conf->srv.ssl_client_hello_src_ref = prev->srv.ssl_client_hello_src_ref;
+        conf->srv.ssl_client_hello_src_key = prev->srv.ssl_client_hello_src_key;
+        conf->srv.ssl_client_hello_handler = prev->srv.ssl_client_hello_handler;
+    }
+
+    if (conf->srv.ssl_client_hello_src.len) {
+        sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
+        if (sscf == NULL || sscf->ssl.ctx == NULL) {
+            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                          "no ssl configured for the server");
+
+            return NGX_CONF_ERROR;
+        }
+#ifdef LIBRESSL_VERSION_NUMBER
+        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                      "LibreSSL does not support by ssl_client_hello_by_lua*");
+        return NGX_CONF_ERROR;
+
+#else
+
+#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB
+
+        SSL_CTX_set_client_hello_cb(sscf->ssl.ctx,
+                                    ngx_http_lua_ssl_client_hello_handler,
+                                    NULL);
+
+#else
+
+        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                      "OpenSSL too old to support "
+                      "ssl_client_hello_by_lua*");
+        return NGX_CONF_ERROR;
+
+#endif
+#endif
+    }
+
     if (conf->srv.ssl_cert_src.len == 0) {
         conf->srv.ssl_cert_src = prev->srv.ssl_cert_src;
         conf->srv.ssl_cert_src_ref = prev->srv.ssl_cert_src_ref;
 
@@ -25,6 +25,7 @@ typedef struct {
     ngx_str_t                session_id;
 
     int                      exit_code;  /* exit code for openssl's
+                                            set_client_hello_cb or
                                             set_cert_cb callback */
 
     int                      ctx_ref;  /*  reference to anchor
@@ -34,6 +35,7 @@ typedef struct {
     unsigned                 done:1;
     unsigned                 aborted:1;
 
+    unsigned                 entered_client_hello_handler:1;
     unsigned                 entered_cert_handler:1;
     unsigned                 entered_sess_fetch_handler:1;
 } ngx_http_lua_ssl_ctx_t;
Original file line number	Diff line number	Diff line change
`@@ -370,6 +370,7 @@ ngx_http_lua_ffi_exit(ngx_http_request_t r, int status, u_char err,`
`370`	`370`	`\| NGX_HTTP_LUA_CONTEXT_TIMER`
`371`	`371`	`\| NGX_HTTP_LUA_CONTEXT_HEADER_FILTER`
`372`	`372`	`\| NGX_HTTP_LUA_CONTEXT_BALANCER`
	`373`	`+ \| NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO`
`373`	`374`	`\| NGX_HTTP_LUA_CONTEXT_SSL_CERT`
`374`	`375`	`\| NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE`
`375`	`376`	`\| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH,`
`@@ -380,6 +381,7 @@ ngx_http_lua_ffi_exit(ngx_http_request_t r, int status, u_char err,`
`380`	`381`	`}`
`381`	`382`
`382`	`383`	`if (ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT`
	`384`	`+ \| NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO`
`383`	`385`	`\| NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE`
`384`	`386`	`\| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH))`
`385`	`387`	`{`
Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,7 @@ ngx_http_lua_ffi_get_ctx_ref(ngx_http_request_t r, int in_ssl_phase,`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`*in_ssl_phase = ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT`
	`91`	`+ \| NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO`
`91`	`92`	`\| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH`
`92`	`93`	`\| NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE);`
`93`	`94`	`*ssl_ctx_ref = LUA_NOREF;`
`@@ -123,6 +124,7 @@ ngx_http_lua_ffi_set_ctx_ref(ngx_http_request_t *r, int ref)`
`123`	`124`
`124`	`125`	`#if (NGX_HTTP_SSL)`
`125`	`126`	`if (ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT`
	`127`	`+ \| NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO`
`126`	`128`	`\| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH`
`127`	`129`	`\| NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE))`
`128`	`130`	`{`