- new binaries with:

- chaha20+ploy1305, thx to Peter Mosmans
  - openssl starttls krb-telnet support (thx to Stefan Zehl)
  - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl)
- record breaking 167 ciphers (including kerberos)

openssl-bins/openssl-1.0.2-chacha.pm/Readme.md

@@ -0,0 +1,72 @@
+
+Compilation instructions
+========================
+
+Currrent precompiled versions are are from OpenSSL 1.0.2i* You can
+also pull a snapshot from git. This is a fork of OpenSSL from Peter Mosmans,
+just to get chacha20+poly1305 support (thx!). Please note that the support
+from official OpenSSL git repo doesn't work correctly and is not supported
+(https://www.mail-archive.com/openssl-dev@openssl.org/msg34756.html)
+
+
+> $ git clone https://github.com/PeterMosmans/openssl
+> $ cd openssl
+
+General instructions
+--------------------
+
+* 64 bit version was compiled under Opensuse 12.3
+* 32 bit version was compiled under Ubuntu 12.04 LTS
+
+In addition to the binaries statically linked binaries I provide -- except a few
+libs which are nowadays sometimes hard to link -- I compiled a set of
+dynamic binaries. The catch here are the Kerberos libs: No Linux
+distributor privides static libs. As of now I feel to lazy to compile
+MIT or KTH from scratch to get statitic libs.
+
+So for the kerberos binaries I provide you need a whopping bunch of libraries which
+you maybe need to install (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support, 
+libkeyutils). For the 'static' binaries kerberos is not compiled in, so that's is not needed.
+
+If you want to compile OpenSSL yourself, here are the instructions:
+
+0.) apply experimental-features.patch (otherwise you miss the experimental features)
+1.) apply openssl-telnet-starttls.patch and openssl-telnet-starttls.patch
+    (provided by Stefan Zehl, thx!). 
+
+3.) configure the damned thing. Options I used:
+
+* for 64Bit: 
+>./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake  
+
+* for 32 Bit: >
+./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake 
+
+Don't use -DTEMP_GOST_TLS, it breaks things!
+
+If you don't have Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT". 
+If you have e.g. Heimdal --> figure out by yourself.
+
+For real GOST cipher [1] support you need to built static libs as the crypto
+engine is a shared lib (additional options: "shared -fPIC -DOPENSSL_PIC").
+If you aiming at this you rather should compile everything with another prefix 
+as you don't want your openssl binary to end up loading system libraries like libssl or
+libcrypto. Alternatively you can hack the Makefile and include those
+libs which you compiled statically as ".a".
+
+4.) make depend
+5.) make
+6.) make report (check whether it runs ok)
+
+7.) "openssl ciphers -V ALL:COMPLEMENTOFALL | wc -l" lists for me w/ kerberos and w/o GOST cipher engine
+     167 ciphers as opposed to 111/109 from Ubuntu or Opensuse.
+
+**Never use my binaries for anything else then for testing**
+
+
+Enjoy,
+
+Dirk
+
+
+[1] https://en.wikipedia.org/wiki/GOST_%28block_cipher%29

openssl-bins/openssl-1.0.2-chacha.pm/experimental-features.patch

@@ -0,0 +1,31 @@
+--- ./ssl/tls1.h.orig	2014-07-03 19:08:22.277405719 +0200
++++ ./ssl/tls1.h	2014-07-03 19:08:36.799536119 +0200
+@@ -157,7 +157,7 @@
+ extern "C" {
+ #endif
+ 
+-#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES	0
++#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES	1
+ 
+ #define TLS1_2_VERSION			0x0303
+ #define TLS1_2_VERSION_MAJOR		0x03
+--- ./ssl/s2_lib.c.orig	2014-07-03 10:04:32.035552187 +0200
++++ ./ssl/s2_lib.c	2014-07-03 19:08:22.280405746 +0200
+@@ -122,7 +122,7 @@
+ 
+ /* list of available SSLv2 ciphers (sorted by id) */
+ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[]={
+-#if 0
++#if 1
+ /* NULL_WITH_MD5 v3 */
+ 	{
+ 	1,
+@@ -254,7 +254,7 @@
+ 	168,
+ 	},
+ 
+-#if 0
++#if 1
+ /* RC4_64_WITH_MD5 */
+ 	{
+ 	1,

openssl-bins/openssl-1.0.2-chacha.pm/openssl-telnet-starttls.patch

@@ -0,0 +1,78 @@
+--- apps/s_client.c.org	2009-12-16 15:28:28.000000000 -0500
++++ apps/s_client.c	2010-11-16 12:07:02.274824820 -0500
+@@ -329,8 +329,8 @@ static void sc_usage(void)
+ 	BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
+ 	BIO_printf(bio_err,"                 for those protocols that support it, where\n");
+ 	BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
+-	BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
+-	BIO_printf(bio_err,"                 are supported.\n");
++	BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\", \"xmpp\", and\n");
++	BIO_printf(bio_err,"                 \"telnet\" are supported.\n");
+ #ifndef OPENSSL_NO_ENGINE
+ 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
+ #endif
+@@ -375,7 +375,8 @@ enum
+ 	PROTO_POP3,
+ 	PROTO_IMAP,
+ 	PROTO_FTP,
+-	PROTO_XMPP
++	PROTO_XMPP,
++	PROTO_TELNET
+ };
+ 
+ int MAIN(int, char **);
+@@ -688,6 +689,8 @@ int MAIN(int argc, char **argv)
+ 				starttls_proto = PROTO_FTP;
+ 			else if (strcmp(*argv, "xmpp") == 0)
+ 				starttls_proto = PROTO_XMPP;
++			else if (strcmp(*argv, "telnet") == 0)
++				starttls_proto = PROTO_TELNET;
+ 			else
+ 				goto bad;
+ 			}
+@@ -1200,6 +1203,45 @@ SSL_set_tlsext_status_ids(con, ids);
+ 			goto shut;
+ 		mbuf[0] = 0;
+ 		}
++	else if (starttls_proto == PROTO_TELNET)
++		{
++		static const unsigned char tls_do[] =
++			{
++			255 /* IAC */,
++			253 /* DO */,
++			 46 /* START_TLS */
++			};
++		static const unsigned char tls_will[] =
++			{
++			255 /* IAC */,
++			251 /* WILL */,
++			 46 /* START_TLS */
++			};
++		static const unsigned char tls_follows[] =
++			{
++			255 /* IAC */,
++			250 /* SB */,
++			 46 /* START_TLS */,
++			  1 /* FOLLOWS */,
++			255 /* IAC */,
++			240 /* SE */
++			};
++		int bytes;
++
++		/* Telnet server should demand we issue START_TLS */
++		bytes = BIO_read(sbio,mbuf,BUFSIZZ);
++		if (!(bytes == 3 && memcmp(mbuf, tls_do, 3) == 0))
++			goto shut;
++		/* Agree to issue START_TLS and send the FOLLOWS sub-command */
++		BIO_write(sbio, tls_will, 3);
++		BIO_write(sbio, tls_follows, 6);
++		(void)BIO_flush(sbio);
++		/* Telnet server also sent the FOLLOWS sub-command */
++		bytes = BIO_read(sbio,mbuf,BUFSIZZ);
++		if (!(bytes == 6 && memcmp(mbuf, tls_follows, 6) == 0))
++			goto shut;
++		/* Any traffic after this point must be TLS negotiation */
++		}
+ 
+ 	for (;;)
+ 		{

openssl-bins/openssl-1.0.2-chacha.pm/openssl-xmpp-starttls-fix.patch

@@ -0,0 +1,11 @@
+--- apps/s_client.c.org	2014-05-23 16:01:41.000000000 +0200
++++ apps/s_client.c	2014-05-23 16:02:25.414679645 +0200
+@@ -1478,7 +1478,7 @@
+ 		int seen = 0;
+ 		BIO_printf(sbio,"<stream:stream "
+ 		    "xmlns:stream='http://etherx.jabber.org/streams' "
+-		    "xmlns='jabber:client' to='%s' version='1.0'>", host);
++		    "xmlns='jabber:client' to='%s' version='1.0'>", servername?servername:host);
+ 		seen = BIO_read(sbio,mbuf,BUFSIZZ);
+ 		mbuf[seen] = 0;
+ 		while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'"))