From 153589492d739e107d29eae1629228d4d28b6924 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Wed, 16 Jul 2014 18:35:42 +0200 Subject: [PATCH] - reflects the new tree from Peter Mosmans --- .../openssl-1.0.2-chacha.pm/Readme.md | 80 +++++++++---------- 1 file changed, 38 insertions(+), 42 deletions(-) diff --git a/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md b/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md index 3e5f966..409e525 100644 --- a/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md +++ b/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md @@ -2,42 +2,45 @@ Compilation instructions ======================== -The precompiled versions here are from OpenSSL 1.0.2, -they are a fork of OpenSSL from Peter Mosmans, -just to get chacha20+poly1305 support (thx!). The one from -the official git repo didn't work for me work correctly, -it's also likely they'll disappear shortly +The precompiled versions here are from an OpenSSL 1.0.2 fork +from Peter Mosmans. He has patched the master git branch +to support chacha20+poly1305 and other ciphers (CAMELIA 256 Bit). + +CHACHA20+POLY1305 cipher suites from the official git repo didn't +work for me work correctly, it's also likely they'll disappear shortly (https://www.mail-archive.com/openssl-dev@openssl.org/msg34756.html). - $ git clone https://github.com/PeterMosmans/openssl - $ cd openssl + +General +------- + +* 64 bit versions were compiled under Opensuse 12.3 +* 32 bit versions were compiled under Ubuntu 12.04 LTS + +Likely you cannot use older distributions, younger should work. +I provide for each distributions two sets of binaries: + +* statically linked binaries (except a few libs which are nowadays difficult to statically link) +* dynamically linked binaries with MIT Kerberos support ("krb5" in the name) + +For the latter you need a whopping bunch of kerberos libraries which you maybe need to +install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support, +libkeyutils). For the 'static' binaries kerberos is not compiled in, so that's is not needed. + +All binaries are signed with my gpg key (.asc files). -General instructions --------------------- - -* 64 bit version was compiled under Opensuse 12.3 -* 32 bit version was compiled under Ubuntu 12.04 LTS - -In addition to the statically linked binaries I provide -- except a few -libs which are nowadays difficult to statically link in -- I compiled a set of -dynamic binaries. The catch here are the Kerberos libs: No Linux -distributor provides static libs. As of now I feel too lazy ;-) to compile -MIT or KTH from scratch to get statitic libs. - -So for the kerberos binaries I provide (openssl??-1.0.2pm-krb5*) you need a whopping bunch of -kerberos libraries which you maybe need to install (libgssapi_krb5, libkrb5, libcom_err, -libk5crypto, libkrb5support, libkeyutils). For the 'static' binaries kerberos is not compiled in, so that's is not needed. - +Compilation instructions +------------------------ If you want to compile OpenSSL yourself, here are the instructions: -1.) apply experimental-features.patch (otherwise you miss the experimental features) +1.) get openssl from Peter Mosmans' repo: -2.) apply openssl-telnet-starttls.patch and openssl-xmpp-starttls-fix.patch - (provided by Stefan Zehl, thx!). + git clone https://github.com/PeterMosmans/openssl + cd openssl -3.) configure the damned thing. Options I used: +2.) configure the damned thing. Options I used: **for 64Bit:** @@ -51,33 +54,26 @@ If you want to compile OpenSSL yourself, here are the instructions: enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia \ enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake -Don't use -DTEMP_GOST_TLS, it breaks things! +Don't use -DTEMP_GOST_TLS, it currently breaks things and it is not needed for general GOST support. If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT". If you have other Kerberos flavors you need to figure out by yourself. -For real GOST cipher [1] support you need to built static libs as the crypto -engine is a shared lib (additional options: "shared -fPIC -DOPENSSL_PIC"). I didn't -do that yet. If you aiming at this you rather should compile everything with another prefix -as you don't want your openssl binary to end up loading system libraries like libssl or -libcrypto. Alternatively you can hack the Makefile and include those -libs which you compiled statically as ".a". +3.) make depend -4.) make depend +4.) make -5.) make +5.) make report (check whether it runs ok) -6.) make report (check whether it runs ok) +6.) "openssl ciphers -V ALL:COMPLEMENTOFALL | wc -l" lists for me + * 187 + 4 russian GOST ciphers -- including kerberos + * 173 + 4 russian GOST ciphers without kerberos -7.) "openssl ciphers -V ALL:COMPLEMENTOFALL | wc -l" lists for me w/ kerberos and w/o GOST cipher engine - 167 ciphers as opposed to 111/109 from Ubuntu or Opensuse. +as opposed to 111/109 from Ubuntu or Opensuse. Enjoy, Dirk PS: **Never use these binaries for anything else then for testing** - - - [1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29