openresty · vartiait · Jul 28, 2017 · Jul 31, 2017 · Jul 31, 2017 · Jul 31, 2017
diff --git a/.travis.yml b/.travis.yml
@@ -84,7 +84,7 @@ install:
   - git clone https://github.com/openresty/rds-json-nginx-module.git ../rds-json-nginx-module
   - git clone https://github.com/openresty/srcache-nginx-module.git ../srcache-nginx-module
   - git clone https://github.com/openresty/redis2-nginx-module.git ../redis2-nginx-module
-  - git clone https://github.com/openresty/lua-resty-core.git ../lua-resty-core
+  - git clone -b ssl-psk https://github.com/vartiait/lua-resty-core.git ../lua-resty-core
   - git clone https://github.com/openresty/lua-resty-lrucache.git ../lua-resty-lrucache
   - git clone https://github.com/openresty/lua-resty-mysql.git ../lua-resty-mysql
   - git clone -b v2.1-agentzh https://github.com/openresty/luajit2.git

diff --git a/README.markdown b/README.markdown
@@ -1076,6 +1076,7 @@ Directives
 * [lua_need_request_body](#lua_need_request_body)
 * [ssl_certificate_by_lua_block](#ssl_certificate_by_lua_block)
 * [ssl_certificate_by_lua_file](#ssl_certificate_by_lua_file)
+* [ssl_psk_identity_hint](#ssl_psk_identity_hint)
 * [ssl_session_fetch_by_lua_block](#ssl_session_fetch_by_lua_block)
 * [ssl_session_fetch_by_lua_file](#ssl_session_fetch_by_lua_file)
 * [ssl_session_store_by_lua_block](#ssl_session_store_by_lua_block)
@@ -1094,6 +1095,8 @@ Directives
 * [lua_ssl_protocols](#lua_ssl_protocols)
 * [lua_ssl_trusted_certificate](#lua_ssl_trusted_certificate)
 * [lua_ssl_verify_depth](#lua_ssl_verify_depth)
+* [lua_ssl_psk_identity](#lua_ssl_psk_identity)
+* [lua_ssl_psk_key](#lua_ssl_psk_key)
 * [lua_http10_buffering](#lua_http10_buffering)
 * [rewrite_by_lua_no_postpone](#rewrite_by_lua_no_postpone)
 * [access_by_lua_no_postpone](#access_by_lua_no_postpone)
@@ -2564,6 +2567,22 @@ This directive was first introduced in the `v0.10.0` release.
 
 [Back to TOC](#directives)
 
+ssl_psk_identity_hint
+---------------------
+
+**syntax:** *ssl_psk_identity_hint &lt;tls_psk_identity_hint&gt;*
+
+**default:** *no*
+
+**context:** *http, server*
+
+Specifies the TLS-PSK identity hint string which NGINX will send to a client during
+the SSL handshake for the downstream SSL (https) connections.
+
+This directive was first introduced in the `v0.XX.YY` release.
+
+[Back to TOC](#directives)
+
 ssl_session_fetch_by_lua_block
 ------------------------------
 
@@ -2958,6 +2977,36 @@ See also [lua_ssl_trusted_certificate](#lua_ssl_trusted_certificate).
 
 [Back to TOC](#directives)
 
+lua_ssl_psk_identity
+--------------------
+
+**syntax:** *lua_ssl_psk_identity &lt;tls_psk_identity&gt;*
+
+**default:** *no*
+
+**context:** *http, server, location*
+
+Specifies the TLS-PSK identity string which NGINX will send to a SSL/TLS server in the [tcpsock:sslhandshake](#tcpsocksslhandshake) method.
+
+This directive was first introduced in the `v0.XX.YY` release.
+
+[Back to TOC](#directives)
+
+lua_ssl_psk_key
+---------------
+
+**syntax:** *lua_ssl_psk_key &lt;tls_psk_key&gt;*
+
+**default:** *no*
+
+**context:** *http, server, location*
+
+Specifies the TLS-PSK key string which NGINX will try use with a SSL/TLS server in the [tcpsock:sslhandshake](#tcpsocksslhandshake) method.
+
+This directive was first introduced in the `v0.XX.YY` release.
+
+[Back to TOC](#directives)
+
 lua_http10_buffering
 --------------------
 

diff --git a/config b/config
@@ -359,6 +359,7 @@ HTTP_LUA_SRCS=" \
             $ngx_addon_dir/src/ngx_http_lua_balancer.c \
             $ngx_addon_dir/src/ngx_http_lua_ssl_session_storeby.c \
             $ngx_addon_dir/src/ngx_http_lua_ssl_session_fetchby.c \
+            $ngx_addon_dir/src/ngx_http_lua_ssl_pskby.c \
             $ngx_addon_dir/src/ngx_http_lua_ssl.c \
             $ngx_addon_dir/src/ngx_http_lua_log_ringbuf.c \
             "
@@ -420,6 +421,7 @@ HTTP_LUA_DEPS=" \
             $ngx_addon_dir/src/ngx_http_lua_balancer.h \
             $ngx_addon_dir/src/ngx_http_lua_ssl_session_storeby.h \
             $ngx_addon_dir/src/ngx_http_lua_ssl_session_fetchby.h \
+            $ngx_addon_dir/src/ngx_http_lua_ssl_pskby.h \
             $ngx_addon_dir/src/ngx_http_lua_ssl.h \
             $ngx_addon_dir/src/ngx_http_lua_log_ringbuf.h \
             "

diff --git a/doc/HttpLuaModule.wiki b/doc/HttpLuaModule.wiki
@@ -2159,6 +2159,19 @@ When a relative path like <code>foo/bar.lua</code> is given, they will be turned
 
 This directive was first introduced in the <code>v0.10.0</code> release.
 
+== ssl_psk_identity_hint ==
+
+'''syntax:''' ''ssl_psk_identity_hint <tls_psk_identity_hint>''
+
+'''default:''' ''no''
+
+'''context:''' ''http, server''
+
+Specifies the TLS-PSK identity hint string which NGINX will send to a client during
+the SSL handshake for the downstream SSL (https) connections.
+
+This directive was first introduced in the <code>v0.XX.YY</code> release.
+
 == ssl_session_fetch_by_lua_block ==
 
 '''syntax:''' ''ssl_session_fetch_by_lua_block { lua-script }''
@@ -2498,6 +2511,30 @@ This directive was first introduced in the <code>v0.9.11</code> release.
 
 See also [[#lua_ssl_trusted_certificate|lua_ssl_trusted_certificate]].
 
+== lua_ssl_psk_identity ==
+
+'''syntax:''' ''lua_ssl_psk_identity <tls_psk_identity>''
+
+'''default:''' ''no''
+
+'''context:''' ''http, server, location''
+
+Specifies the TLS-PSK identity string which NGINX will send to a SSL/TLS server in the [[#tcpsock:sslhandshake|tcpsock:sslhandshake]] method.
+
+This directive was first introduced in the <code>v0.XX.YY</code> release.
+
+== lua_ssl_psk_key ==
+
+'''syntax:''' ''lua_ssl_psk_key <tls_psk_key>''
+
+'''default:''' ''no''
+
+'''context:''' ''http, server, location''
+
+Specifies the TLS-PSK key string which NGINX will try use with a SSL/TLS server in the [[#tcpsock:sslhandshake|tcpsock:sslhandshake]] method.
+
+This directive was first introduced in the <code>v0.XX.YY</code> release.
+
 == lua_http10_buffering ==
 
 '''syntax:''' ''lua_http10_buffering on|off''

diff --git a/src/ngx_http_lua_common.h b/src/ngx_http_lua_common.h
@@ -129,6 +129,7 @@ typedef struct {
 #define NGX_HTTP_LUA_CONTEXT_SSL_CERT       0x0400
 #define NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE 0x0800
 #define NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH 0x1000
+#define NGX_HTTP_LUA_CONTEXT_SSL_PSK        0x2000
 
 
 #ifndef NGX_LUA_NO_FFI_API
@@ -248,6 +249,8 @@ union ngx_http_lua_srv_conf_u {
         ngx_http_lua_srv_conf_handler_pt     ssl_sess_fetch_handler;
         ngx_str_t                            ssl_sess_fetch_src;
         u_char                              *ssl_sess_fetch_src_key;
+
+        ngx_str_t                            ssl_psk_identity_hint;
     } srv;
 #endif
 
@@ -268,6 +271,8 @@ typedef struct {
     ngx_uint_t              ssl_verify_depth;
     ngx_str_t               ssl_trusted_certificate;
     ngx_str_t               ssl_crl;
+    ngx_str_t               ssl_psk_identity;
+    ngx_str_t               ssl_psk_key;
 #endif
 
     ngx_flag_t              force_read_body; /* whether force request body to

diff --git a/src/ngx_http_lua_control.c b/src/ngx_http_lua_control.c
@@ -322,13 +322,15 @@ ngx_http_lua_ngx_exit(lua_State *L)
                                | NGX_HTTP_LUA_CONTEXT_BALANCER
                                | NGX_HTTP_LUA_CONTEXT_SSL_CERT
                                | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
-                               | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);
+                               | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH
+                               | NGX_HTTP_LUA_CONTEXT_SSL_PSK);
 
     rc = (ngx_int_t) luaL_checkinteger(L, 1);
 
     if (ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT
                         | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
-                        | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH))
+                        | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH
+                        | NGX_HTTP_LUA_CONTEXT_SSL_PSK))
     {
 
 #if (NGX_HTTP_SSL)
@@ -339,7 +341,8 @@ ngx_http_lua_ngx_exit(lua_State *L)
         ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                        "lua exit with code %i", rc);
 
-        if (ctx->context == NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE) {
+        if (ctx->context == NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
+            || ctx->context == NGX_HTTP_LUA_CONTEXT_SSL_PSK) {
             return 0;
         }
 
@@ -473,7 +476,8 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err,
                                        | NGX_HTTP_LUA_CONTEXT_BALANCER
                                        | NGX_HTTP_LUA_CONTEXT_SSL_CERT
                                        | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
-                                       | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH,
+                                       | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH
+                                       | NGX_HTTP_LUA_CONTEXT_SSL_PSK,
                                        err, errlen)
         != NGX_OK)
     {
@@ -482,7 +486,8 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err,
 
     if (ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT
                         | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
-                        | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH))
+                        | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH
+                        | NGX_HTTP_LUA_CONTEXT_SSL_PSK))
     {
 
 #if (NGX_HTTP_SSL)

diff --git a/src/ngx_http_lua_module.c b/src/ngx_http_lua_module.c
@@ -28,6 +28,7 @@
 #include "ngx_http_lua_ssl_certby.h"
 #include "ngx_http_lua_ssl_session_storeby.h"
 #include "ngx_http_lua_ssl_session_fetchby.h"
+#include "ngx_http_lua_ssl_pskby.h"
 #include "ngx_http_lua_headers.h"
 
 
@@ -557,6 +558,27 @@ static ngx_command_t ngx_http_lua_cmds[] = {
       0,
       (void *) ngx_http_lua_ssl_sess_fetch_handler_file },
 
+    { ngx_string("ssl_psk_identity_hint"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_lua_srv_conf_t, srv.ssl_psk_identity_hint),
+      NULL },
+
+    { ngx_string("lua_ssl_psk_identity"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_lua_loc_conf_t, ssl_psk_identity),
+      NULL },
+
+    { ngx_string("lua_ssl_psk_key"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_lua_loc_conf_t, ssl_psk_key),
+      NULL },
+
     { ngx_string("lua_ssl_verify_depth"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_num_slot,
@@ -922,6 +944,8 @@ ngx_http_lua_create_srv_conf(ngx_conf_t *cf)
      *      lscf->srv.ssl_session_fetch_src = { 0, NULL };
      *      lscf->srv.ssl_session_fetch_src_key = NULL;
      *
+     *      lscf->srv.ssl_psk_identity_hint = { 0, NULL };
+     *
      *      lscf->balancer.handler = NULL;
      *      lscf->balancer.src = { 0, NULL };
      *      lscf->balancer.src_key = NULL;
@@ -969,6 +993,8 @@ ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 
         SSL_CTX_set_cert_cb(sscf->ssl.ctx, ngx_http_lua_ssl_cert_handler, NULL);
 
+        SSL_CTX_set_psk_server_callback(sscf->ssl.ctx,
+                                        ngx_http_lua_ssl_psk_server_handler);
 #   else
 
         ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
@@ -1024,6 +1050,42 @@ ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
         }
     }
 
+     if (conf->srv.ssl_psk_identity_hint.len == 0) {
+         conf->srv.ssl_psk_identity_hint = prev->srv.ssl_psk_identity_hint;
+     }
+
+     if (conf->srv.ssl_psk_identity_hint.len) {
+         dd("ssl psk identity hint: %.*s",
+             (int) conf->srv.ssl_psk_identity_hint.len,
+             conf->srv.ssl_psk_identity_hint.data);
+
+ #   if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+
+         sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
+         if (sscf == NULL || sscf->ssl.ctx == NULL) {
+             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                           "no ssl configured for the server");
+
+             return NGX_CONF_ERROR;
+         }
+
+         if (SSL_CTX_use_psk_identity_hint(sscf->ssl.ctx,
+               (const char *) conf->srv.ssl_psk_identity_hint.data) == 0) {
+             ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
+                           "SSL_CTX_use_psk_identity_hint(\"%V\") failed",
+                           &conf->srv.ssl_psk_identity_hint);
+             return NGX_CONF_ERROR;
+         }
+
+ #   else
+
+         ngx_log_error(NGX_LOG_CRIT, cf->log, 0,
+                       "OpenSSL too old to support ssl_psk_identity_hint");
+         return NGX_CONF_ERROR;
+
+ #   endif
+     }
+
 #endif  /* NGX_HTTP_SSL */
     return NGX_CONF_OK;
 }
@@ -1067,6 +1129,8 @@ ngx_http_lua_create_loc_conf(ngx_conf_t *cf)
      *      conf->ssl_ciphers = { 0, NULL };
      *      conf->ssl_trusted_certificate = { 0, NULL };
      *      conf->ssl_crl = { 0, NULL };
+     *      conf->ssl_psk_identity = { 0, NULL };
+     *      conf->ssl_psk_key = {0, NULL };
      */
 
     conf->force_read_body    = NGX_CONF_UNSET;
@@ -1160,6 +1224,11 @@ ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
                              prev->ssl_trusted_certificate, "");
     ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
 
+    ngx_conf_merge_str_value(conf->ssl_psk_identity,
+                             prev->ssl_psk_identity, "");
+    ngx_conf_merge_str_value(conf->ssl_psk_key,
+                             prev->ssl_psk_key, "");
+
     if (ngx_http_lua_set_ssl(cf, conf) != NGX_OK) {
         return NGX_CONF_ERROR;
     }
@@ -1266,6 +1335,26 @@ ngx_http_lua_set_ssl(ngx_conf_t *cf, ngx_http_lua_loc_conf_t *llcf)
         return NGX_ERROR;
     }
 
+    if (llcf->ssl_psk_identity.len && llcf->ssl_psk_key.len) {
+        dd("ssl psk identity: %.*s", (int) llcf->ssl_psk_identity.len,
+                                           llcf->ssl_psk_identity.data);
+        dd("ssl psk key: %.*s", (int) llcf->ssl_psk_key.len,
+                                      llcf->ssl_psk_key.data);
+
+#   if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+
+        SSL_CTX_set_psk_client_callback(llcf->ssl->ctx,
+                                        ngx_http_lua_ssl_psk_client_handler);
+
+#   else
+
+        ngx_log_error(NGX_LOG_CRIT, cf->log, 0,
+                      "OpenSSL too old to support ssl_psk_identity");
+        return NGX_ERROR;
+
+#   endif
+    }
+
     return NGX_OK;
 }
 

diff --git a/src/ngx_http_lua_phase.c b/src/ngx_http_lua_phase.c
@@ -80,6 +80,10 @@ ngx_http_lua_ngx_get_phase(lua_State *L)
         lua_pushliteral(L, "balancer");
         break;
 
+    case NGX_HTTP_LUA_CONTEXT_SSL_PSK:
+        lua_pushliteral(L, "ssl_psk");
+        break;
+
     case NGX_HTTP_LUA_CONTEXT_SSL_CERT:
         lua_pushliteral(L, "ssl_cert");
         break;