├── .gitignore ├── boringssl ├── .gitignore ├── 0001-ignore-generated-directory.patch ├── arm │ └── 0002-fix-for-arm ├── boringssl-build.sh └── gcc │ └── 0001-fix-gcc11.patch ├── nginx-boringssl └── 0001-judgment-BoringSSL.patch ├── nginx-config-nosni ├── README-zh_cn.md ├── README.md ├── redirector.conf ├── upstream.conf └── web_server.conf └── nginx-config ├── security_params └── ssl_params /.gitignore: -------------------------------------------------------------------------------- 1 | boringssl/boringssl/ 2 | boringssl/go/ 3 | -------------------------------------------------------------------------------- /boringssl/.gitignore: -------------------------------------------------------------------------------- 1 | boringssl/ 2 | go.tar.gz 3 | -------------------------------------------------------------------------------- /boringssl/0001-ignore-generated-directory.patch: -------------------------------------------------------------------------------- 1 | From 967c7467dcaa737dd85a557fb362d0b4fc799a73 Mon Sep 17 00:00:00 2001 2 | From: lrinQVQ 3 | Date: Mon, 23 Dec 2019 08:34:13 -0500 4 | Subject: [PATCH 1/2] ignore generated directory 5 | 6 | Signed-off-by: lrinQVQ 7 | --- 8 | .gitignore | 2 ++ 9 | 1 file changed, 2 insertions(+) 10 | 11 | diff --git a/.gitignore b/.gitignore 12 | index 8ce23d1ca..a8581a591 100644 13 | --- a/.gitignore 14 | +++ b/.gitignore 15 | @@ -1,4 +1,6 @@ 16 | build/ 17 | +build2/ 18 | +.openssl/ 19 | build32/ 20 | build64/ 21 | ssl/test/runner/runner 22 | -- 23 | 2.24.1 24 | 25 | -------------------------------------------------------------------------------- /boringssl/arm/0002-fix-for-arm: -------------------------------------------------------------------------------- 1 | From 12e7f1ec68625bb8a4ef1c1794aaba115ccdd1f4 Mon Sep 17 00:00:00 2001 2 | From: lrin 3 | Date: Wed, 10 Feb 2021 10:40:55 +0100 4 | Subject: [PATCH] fix for arm 5 | 6 | --- 7 | crypto/cipher_extra/aead_test.cc | 14 +++++++------- 8 | crypto/fipsmodule/modes/gcm_test.cc | 2 +- 9 | 2 files changed, 8 insertions(+), 8 deletions(-) 10 | 11 | diff --git a/crypto/cipher_extra/aead_test.cc b/crypto/cipher_extra/aead_test.cc 12 | index bf02e78..67abdd3 100644 13 | --- a/crypto/cipher_extra/aead_test.cc 14 | +++ b/crypto/cipher_extra/aead_test.cc 15 | @@ -619,10 +619,10 @@ TEST_P(PerAEADTest, AliasedBuffers) { 16 | } 17 | 18 | TEST_P(PerAEADTest, UnalignedInput) { 19 | - alignas(16) uint8_t key[EVP_AEAD_MAX_KEY_LENGTH + 1]; 20 | - alignas(16) uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH + 1]; 21 | - alignas(16) uint8_t plaintext[32 + 1]; 22 | - alignas(16) uint8_t ad[32 + 1]; 23 | + alignas(8) uint8_t key[EVP_AEAD_MAX_KEY_LENGTH + 1]; 24 | + alignas(8) uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH + 1]; 25 | + alignas(8) uint8_t plaintext[32 + 1]; 26 | + alignas(8) uint8_t ad[32 + 1]; 27 | OPENSSL_memset(key, 'K', sizeof(key)); 28 | OPENSSL_memset(nonce, 'N', sizeof(nonce)); 29 | OPENSSL_memset(plaintext, 'P', sizeof(plaintext)); 30 | @@ -641,7 +641,7 @@ TEST_P(PerAEADTest, UnalignedInput) { 31 | ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction( 32 | ctx.get(), aead(), key + 1, key_len, EVP_AEAD_DEFAULT_TAG_LENGTH, 33 | evp_aead_seal)); 34 | - alignas(16) uint8_t ciphertext[sizeof(plaintext) + EVP_AEAD_MAX_OVERHEAD]; 35 | + alignas(8) uint8_t ciphertext[sizeof(plaintext) + EVP_AEAD_MAX_OVERHEAD]; 36 | size_t ciphertext_len; 37 | ASSERT_TRUE(EVP_AEAD_CTX_seal(ctx.get(), ciphertext + 1, &ciphertext_len, 38 | sizeof(ciphertext) - 1, nonce + 1, nonce_len, 39 | @@ -649,7 +649,7 @@ TEST_P(PerAEADTest, UnalignedInput) { 40 | ad_len)); 41 | 42 | // It must successfully decrypt. 43 | - alignas(16) uint8_t out[sizeof(ciphertext)]; 44 | + alignas(8) uint8_t out[sizeof(ciphertext)]; 45 | ctx.Reset(); 46 | ASSERT_TRUE(EVP_AEAD_CTX_init_with_direction( 47 | ctx.get(), aead(), key + 1, key_len, EVP_AEAD_DEFAULT_TAG_LENGTH, 48 | @@ -706,7 +706,7 @@ TEST_P(PerAEADTest, InvalidNonceLength) { 49 | static const uint8_t kZeros[EVP_AEAD_MAX_KEY_LENGTH] = {0}; 50 | const size_t ad_len = RequiredADLength(GetParam().flags) != 0 51 | ? RequiredADLength(GetParam().flags) 52 | - : 16; 53 | + : 8; 54 | ASSERT_LE(ad_len, sizeof(kZeros)); 55 | 56 | for (size_t nonce_len : nonce_lens) { 57 | diff --git a/crypto/fipsmodule/modes/gcm_test.cc b/crypto/fipsmodule/modes/gcm_test.cc 58 | index 031b06c..23b123d 100644 59 | --- a/crypto/fipsmodule/modes/gcm_test.cc 60 | +++ b/crypto/fipsmodule/modes/gcm_test.cc 61 | @@ -134,7 +134,7 @@ TEST(GCMTest, ABI) { 62 | UINT64_C(0xf328c2b971b2fe78), 63 | }; 64 | 65 | - alignas(16) u128 Htable[16]; 66 | + alignas(8) u128 Htable[8]; 67 | #if defined(GHASH_ASM_X86) || defined(GHASH_ASM_X86_64) 68 | if (gcm_ssse3_capable()) { 69 | CHECK_ABI_SEH(gcm_init_ssse3, Htable, kH); 70 | -- 71 | 2.20.1 72 | 73 | -------------------------------------------------------------------------------- /boringssl/boringssl-build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | WORKDIRECTORY=$PWD 3 | ARCH=$(uname -m) 4 | if command -v git > /dev/null 2>&1; then 5 | echo "Checking git: OK" 6 | else 7 | echo "Checking git: FAILED, please install git" 8 | exit 1 9 | fi 10 | 11 | if command -v cmake > /dev/null 2>&1; then 12 | echo "Checking cmake: OK" 13 | else 14 | echo "Checking cmake: FAILED, please install cmake" 15 | exit 1 16 | fi 17 | 18 | if command -v curl > /dev/null 2>&1; then 19 | echo "Checking curl: OK" 20 | else 21 | echo "Checking curl: FAILED, please install curl" 22 | exit 1 23 | fi 24 | 25 | if [ -d $WORKDIRECTORY/go ]; then 26 | PATH=$WORKDIRECTORY/go/bin:$PATH 27 | GOROOT=$WORKDIRECTORY/go 28 | if [ -z $GOROOT ];then 29 | NO_GOROOT_SYSTEM=true 30 | fi 31 | else 32 | if [ -z $GOROOT ];then 33 | if [ "$ARCH" = "x86_64" ]; then 34 | GOURL="https://dl.google.com/go/$(curl -L https://golang.org/VERSION?m=text).linux-amd64.tar.gz" 35 | fi 36 | if [ "$ARCH" = "i386" ]; then 37 | GOURL="https://dl.google.com/go/$(curl -L https://golang.org/VERSION?m=text).linux-386.tar.gz" 38 | fi 39 | if [ "$ARCH" = "armv6l" ]; then 40 | GOURL="https://dl.google.com/go/$(curl -L https://golang.org/VERSION?m=text).linux-armv6l.tar.gz" 41 | fi 42 | if [ "$ARCH" = "armv7l" ]; then 43 | GOURL="https://dl.google.com/go/$(curl -L https://golang.org/VERSION?m=text).linux-armv6l.tar.gz" 44 | fi 45 | if [ "$ARCH" = "" ]; then 46 | echo "Your architecture is not supported" 47 | fi 48 | echo "Downloading golang" 49 | curl -so $WORKDIRECTORY/go.tar.gz $GOURL 50 | tar -xzf $WORKDIRECTORY/go.tar.gz 51 | rm -rf $WORKDIRECTORY/go.tar.gz 52 | PATH=$WORKDIRECTORY/go/bin:$PATH 53 | GOROOT=$WORKDIRECTORY/go 54 | NO_GOROOT_SYSTEM=true 55 | fi 56 | fi 57 | 58 | NETWORK_CHECK=$(curl -I -s --connect-timeout 5 https://github.com -w %{http_code} | tail -n1) 59 | 60 | if [ -d $WORKDIRECTORY/boringssl ]; then 61 | cd $WORKDIRECTORY/boringssl 62 | git pull 63 | git reset --hard origin/master 64 | git am $WORKDIRECTORY/*.patch 65 | rm -rf $WORKDIRECTORY/boringssl/build 66 | rm -rf $WORKDIRECTORY/boringssl/build2 67 | rm -rf $WORKDIRECTORY/boringssl/.openssl 68 | else 69 | if [ "$NETWORK_CHECK" = "200" ]; then 70 | git clone --depth 1 https://github.com/google/boringssl.git $WORKDIRECTORY/boringssl 71 | cd $WORKDIRECTORY/boringssl 72 | git am $WORKDIRECTORY/*.patch 73 | else 74 | echo "Unable to connect to GitHub, please check your Internet availability" 75 | exit 1 76 | fi 77 | fi 78 | 79 | mkdir $WORKDIRECTORY/boringssl/build 80 | cd $WORKDIRECTORY/boringssl/build 81 | echo "Building Static libraries" 82 | cmake .. -DCMAKE_BUILD_TYPE=Release 83 | make -j`nproc` 84 | mkdir $WORKDIRECTORY/boringssl/build2 85 | cd $WORKDIRECTORY/boringssl/build2 86 | echo "Building Shared objects" 87 | cmake .. -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 88 | make -j`nproc` 89 | mkdir $WORKDIRECTORY/boringssl/.openssl 90 | mkdir $WORKDIRECTORY/boringssl/.openssl/include 91 | mkdir $WORKDIRECTORY/boringssl/.openssl/include/openssl 92 | cd $WORKDIRECTORY/boringssl/.openssl/include/openssl 93 | ln $WORKDIRECTORY/boringssl/include/openssl/* . 94 | mkdir $WORKDIRECTORY/boringssl/.openssl/lib 95 | mkdir $WORKDIRECTORY/boringssl/lib 96 | cp $WORKDIRECTORY/boringssl/build/crypto/libcrypto.a $WORKDIRECTORY/boringssl/.openssl/lib/libcrypto.a 97 | cp $WORKDIRECTORY/boringssl/build/ssl/libssl.a $WORKDIRECTORY/boringssl/.openssl/lib/libssl.a 98 | cp $WORKDIRECTORY/boringssl/build2/crypto/libcrypto.so $WORKDIRECTORY/boringssl/.openssl/lib/libcrypto.so 99 | cp $WORKDIRECTORY/boringssl/build2/ssl/libssl.so $WORKDIRECTORY/boringssl/.openssl/lib/libssl.so 100 | 101 | echo "If you want to compile nginx" 102 | echo "git am nginx-boringssl/*.patch in nginx source directory" 103 | echo "and" 104 | echo "Configure nginx with \"--with-openssl=$WORKDIRECTORY/boringssl\". Use nginx version >= 1.15 for best result." 105 | echo "" 106 | #if [ "$NO_GOROOT_SYSTEM" = "true" ]; then 107 | #echo "Runing" 108 | #echo "export PATH=$WORKDIRECTORY/go/bin:\$PATH" 109 | #echo "export GOROOT=$WORKDIRECTORY/go" 110 | #echo "If you want to compile nginx" 111 | #fi 112 | -------------------------------------------------------------------------------- /boringssl/gcc/0001-fix-gcc11.patch: -------------------------------------------------------------------------------- 1 | From c4d4e3965533ecfa43c1a824f97099eccab107b8 Mon Sep 17 00:00:00 2001 2 | From: lrinQVQ 3 | Date: Thu, 27 May 2021 14:02:38 -0400 4 | Subject: [PATCH] fix gcc11 5 | 6 | --- 7 | CMakeLists.txt | 2 +- 8 | crypto/curve25519/curve25519.c | 6 +++--- 9 | 2 files changed, 4 insertions(+), 4 deletions(-) 10 | 11 | diff --git a/CMakeLists.txt b/CMakeLists.txt 12 | index 893bca7..5b17ee4 100644 13 | --- a/CMakeLists.txt 14 | +++ b/CMakeLists.txt 15 | @@ -117,7 +117,7 @@ endif() 16 | if(CMAKE_COMPILER_IS_GNUCXX OR CLANG) 17 | # Note clang-cl is odd and sets both CLANG and MSVC. We base our configuration 18 | # primarily on our normal Clang one. 19 | - set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -Wvla") 20 | + set(C_CXX_FLAGS "-Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -Wvla") 21 | if(MSVC) 22 | # clang-cl sets different default warnings than clang. It also treats -Wall 23 | # as -Weverything, to match MSVC. Instead -W3 is the alias for -Wall. 24 | diff --git a/crypto/curve25519/curve25519.c b/crypto/curve25519/curve25519.c 25 | index 232f6e0..8af3505 100644 26 | --- a/crypto/curve25519/curve25519.c 27 | +++ b/crypto/curve25519/curve25519.c 28 | @@ -151,14 +151,14 @@ typedef uint32_t fe_limb_t; 29 | OPENSSL_STATIC_ASSERT(sizeof(fe) == sizeof(fe_limb_t) * FE_NUM_LIMBS, 30 | "fe_limb_t[FE_NUM_LIMBS] is inconsistent with fe"); 31 | 32 | -static void fe_frombytes_strict(fe *h, const uint8_t s[32]) { 33 | +static void fe_frombytes_strict(fe *h, const uint8_t *s) { 34 | // |fiat_25519_from_bytes| requires the top-most bit be clear. 35 | assert((s[31] & 0x80) == 0); 36 | fiat_25519_from_bytes(h->v, s); 37 | assert_fe(h->v); 38 | } 39 | 40 | -static void fe_frombytes(fe *h, const uint8_t s[32]) { 41 | +static void fe_frombytes(fe *h, const uint8_t *s) { 42 | uint8_t s_copy[32]; 43 | OPENSSL_memcpy(s_copy, s, 32); 44 | s_copy[31] &= 0x7f; 45 | @@ -500,7 +500,7 @@ static void ge_p3_tobytes(uint8_t s[32], const ge_p3 *h) { 46 | s[31] ^= fe_isnegative(&x) << 7; 47 | } 48 | 49 | -int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t s[32]) { 50 | +int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s) { 51 | fe u; 52 | fe_loose v; 53 | fe v3; 54 | -- 55 | 2.31.1 56 | 57 | -------------------------------------------------------------------------------- /nginx-boringssl/0001-judgment-BoringSSL.patch: -------------------------------------------------------------------------------- 1 | From cab666748e5994346a1f3d4b6f26abe0efece5a8 Mon Sep 17 00:00:00 2001 2 | From: lrinQVQ 3 | Date: Sat, 12 Jan 2019 05:23:51 +0800 4 | Subject: [PATCH] judgment BoringSSL 5 | 6 | --- 7 | auto/lib/openssl/make | 9 +++++---- 8 | 1 file changed, 5 insertions(+), 4 deletions(-) 9 | 10 | diff --git a/auto/lib/openssl/make b/auto/lib/openssl/make 11 | index 126a2387..82b7eaec 100644 12 | --- a/auto/lib/openssl/make 13 | +++ b/auto/lib/openssl/make 14 | @@ -50,10 +50,11 @@ END 15 | 16 | $OPENSSL/.openssl/include/openssl/ssl.h: $NGX_MAKEFILE 17 | cd $OPENSSL \\ 18 | - && if [ -f Makefile ]; then \$(MAKE) clean; fi \\ 19 | - && ./config --prefix=$ngx_prefix no-shared no-threads $OPENSSL_OPT \\ 20 | - && \$(MAKE) \\ 21 | - && \$(MAKE) install_sw LIBDIR=lib 22 | + && if [ -f include/openssl/is_boringssl.h ]; then touch .openssl/include/openssl/ssl.h; fi \\ 23 | + && if [ -f Makefile ] || [ ! -f include/openssl/is_boringssl.h ]; then \$(MAKE) clean; fi \\ 24 | + && if [ ! -f include/openssl/is_boringssl.h ]; then ./config --prefix=$ngx_prefix no-shared no-threads $OPENSSL_OPT; fi \\ 25 | + && if [ ! -f include/openssl/is_boringssl.h ]; then \$(MAKE); fi \\ 26 | + && if [ ! -f include/openssl/is_boringssl.h ]; then \$(MAKE) install_sw LIBDIR=lib; fi 27 | 28 | END 29 | 30 | -- 31 | 2.11.0 32 | 33 | -------------------------------------------------------------------------------- /nginx-config-nosni/README-zh_cn.md: -------------------------------------------------------------------------------- 1 | # Nginx 防止SSL嗅探 2 | 3 | 此方案利用Nginx stream中的ssl_preread模块来识别ClientHello中的SNI信息,以防止SSL嗅探。 4 | 5 | redirector.conf: 在 main 语境中引载使用 (main {...}) 6 | 7 | upstream.conf: 在redirector.conf中引载 (或在 stream 语境中使用 (stream{...}) 8 | 9 | web_server.conf: 你的网站配置示例 10 | -------------------------------------------------------------------------------- /nginx-config-nosni/README.md: -------------------------------------------------------------------------------- 1 | # Nginx Prevent SSL sniffing 2 | ## [中文说明](https://github.com/QVQNetwork/ssl-patch/blob/master/nginx-config-nosni/README-zh_cn.md) 3 | 4 | This method uses the ssl_preread module in Nginx stream to identify the SNI information in ClientHello to prevent SSL sniffing. 5 | 6 | redirector.conf: include in main context (main {...}) 7 | 8 | upstream.conf: include in redirector.conf (or stream context (stream{...}) 9 | 10 | web_server.conf: your website configuration example 11 | -------------------------------------------------------------------------------- /nginx-config-nosni/redirector.conf: -------------------------------------------------------------------------------- 1 | stream { 2 | tcp_nodelay on; 3 | 4 | include upstream.conf; 5 | map $ssl_preread_server_name $backend { 6 | $YOUR_DOMAIN $YOUR_BACKEND; 7 | default 169.254.1.1; 8 | } 9 | 10 | server { 11 | listen [$IP:]443; 12 | listen [::]:443; 13 | 14 | ssl_preread on; 15 | proxy_socket_keepalive on; 16 | proxy_pass $backend; 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /nginx-config-nosni/upstream.conf: -------------------------------------------------------------------------------- 1 | upstream $YOUR_BACKEND { 2 | hash $remote_addr consistent; 3 | server 127.0.0.1:444; 4 | server [::1]:444; 5 | } 6 | 7 | -------------------------------------------------------------------------------- /nginx-config-nosni/web_server.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | listen [::]:80; 4 | 5 | server_name $YOUR_SERVERNAME; 6 | 7 | if ($http_host = $YOUR_SERVERNAME) { 8 | set $web 1; 9 | } 10 | 11 | if ($web = "1") { 12 | return 301 https://$host$request_uri; 13 | } 14 | index ; 15 | 16 | root ; 17 | } 18 | 19 | server { 20 | listen 127.0.0.1:444 ssl http2; 21 | listen [::1]:444 ssl http2; 22 | 23 | server_name $YOUR_SERVERNAME; 24 | 25 | ... 26 | } 27 | -------------------------------------------------------------------------------- /nginx-config/security_params: -------------------------------------------------------------------------------- 1 | #If you use modsecurity,please manually configure modsecurity 2 | #modsecurity on; 3 | #modsecurity_rules_file /etc/modsecurity.conf; 4 | 5 | #Prevention Clickjacking 6 | add_header X-Frame-Options SAMEORIGIN; 7 | 8 | #Disable specify content-type sniffing 9 | #location ~* \.($content-type[|$content-type])$ { 10 | #add_header X-Content-Type-Options nosniff; 11 | #} 12 | 13 | # XSS filter 14 | add_header X-XSS-Protection "1; mode=block"; 15 | 16 | # Content Security Policy 17 | #add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; connect-src 'self'; media-src 'self'; sandbox allow-scripts allow-same-origin; object-src 'self'; child-src 'self'; form-action 'self'; frame-ancestors 'self';" always; 18 | -------------------------------------------------------------------------------- /nginx-config/ssl_params: -------------------------------------------------------------------------------- 1 | # Ciphers 2 | ssl_ciphers [CHACHA20|AESGCM]; 3 | 4 | # Early Data 5 | ssl_early_data on; 6 | proxy_set_header Early-Data $ssl_early_data; 7 | 8 | # ECDHE Ciphers 9 | ssl_ecdh_curve secp384r1; 10 | 11 | # Preferred Server Ciphers 12 | ssl_prefer_server_ciphers on; 13 | 14 | # SSL Version 15 | ssl_protocols TLSv1.2 TLSv1.3; 16 | 17 | # HSTS 18 | #add_header Strict-Transport-Security "max-age=63072000" always; 19 | 20 | # HSTS SubDomains 21 | #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; 22 | 23 | # HSTS preload 24 | #add_header Strict-Transport-Security "max-age=63072000; preload" always; 25 | 26 | # HSTS SubDomains preload 27 | add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; 28 | 29 | # OCSP 30 | ssl_stapling_verify on; 31 | 32 | # SSL Session Cache 33 | ssl_session_cache shared:SSL:10m; 34 | ssl_session_timeout 10m; 35 | --------------------------------------------------------------------------------