diff --git a/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md b/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md new file mode 100644 index 0000000..d2a9fe4 --- /dev/null +++ b/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md @@ -0,0 +1,72 @@ + +Compilation instructions +======================== + +Currrent precompiled versions are are from OpenSSL 1.0.2i* You can +also pull a snapshot from git. This is a fork of OpenSSL from Peter Mosmans, +just to get chacha20+poly1305 support (thx!). Please note that the support +from official OpenSSL git repo doesn't work correctly and is not supported +(https://www.mail-archive.com/openssl-dev@openssl.org/msg34756.html) + + +> $ git clone https://github.com/PeterMosmans/openssl +> $ cd openssl + +General instructions +-------------------- + +* 64 bit version was compiled under Opensuse 12.3 +* 32 bit version was compiled under Ubuntu 12.04 LTS + +In addition to the binaries statically linked binaries I provide -- except a few +libs which are nowadays sometimes hard to link -- I compiled a set of +dynamic binaries. The catch here are the Kerberos libs: No Linux +distributor privides static libs. As of now I feel to lazy to compile +MIT or KTH from scratch to get statitic libs. + +So for the kerberos binaries I provide you need a whopping bunch of libraries which +you maybe need to install (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support, +libkeyutils). For the 'static' binaries kerberos is not compiled in, so that's is not needed. + +If you want to compile OpenSSL yourself, here are the instructions: + +0.) apply experimental-features.patch (otherwise you miss the experimental features) +1.) apply openssl-telnet-starttls.patch and openssl-telnet-starttls.patch + (provided by Stefan Zehl, thx!). + +3.) configure the damned thing. Options I used: + +* for 64Bit: +>./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake + +* for 32 Bit: > +./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake + +Don't use -DTEMP_GOST_TLS, it breaks things! + +If you don't have Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT". +If you have e.g. Heimdal --> figure out by yourself. + +For real GOST cipher [1] support you need to built static libs as the crypto +engine is a shared lib (additional options: "shared -fPIC -DOPENSSL_PIC"). +If you aiming at this you rather should compile everything with another prefix +as you don't want your openssl binary to end up loading system libraries like libssl or +libcrypto. Alternatively you can hack the Makefile and include those +libs which you compiled statically as ".a". + +4.) make depend +5.) make +6.) make report (check whether it runs ok) + +7.) "openssl ciphers -V ALL:COMPLEMENTOFALL | wc -l" lists for me w/ kerberos and w/o GOST cipher engine + 167 ciphers as opposed to 111/109 from Ubuntu or Opensuse. + +**Never use my binaries for anything else then for testing** + + +Enjoy, + +Dirk + + +[1] https://en.wikipedia.org/wiki/GOST_%28block_cipher%29 diff --git a/openssl-bins/openssl-1.0.2-chacha.pm/experimental-features.patch b/openssl-bins/openssl-1.0.2-chacha.pm/experimental-features.patch new file mode 100644 index 0000000..b0ff024 --- /dev/null +++ b/openssl-bins/openssl-1.0.2-chacha.pm/experimental-features.patch @@ -0,0 +1,31 @@ +--- ./ssl/tls1.h.orig 2014-07-03 19:08:22.277405719 +0200 ++++ ./ssl/tls1.h 2014-07-03 19:08:36.799536119 +0200 +@@ -157,7 +157,7 @@ + extern "C" { + #endif + +-#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0 ++#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 1 + + #define TLS1_2_VERSION 0x0303 + #define TLS1_2_VERSION_MAJOR 0x03 +--- ./ssl/s2_lib.c.orig 2014-07-03 10:04:32.035552187 +0200 ++++ ./ssl/s2_lib.c 2014-07-03 19:08:22.280405746 +0200 +@@ -122,7 +122,7 @@ + + /* list of available SSLv2 ciphers (sorted by id) */ + OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[]={ +-#if 0 ++#if 1 + /* NULL_WITH_MD5 v3 */ + { + 1, +@@ -254,7 +254,7 @@ + 168, + }, + +-#if 0 ++#if 1 + /* RC4_64_WITH_MD5 */ + { + 1, diff --git a/openssl-bins/openssl-1.0.2-chacha.pm/openssl b/openssl-bins/openssl-1.0.2-chacha.pm/openssl new file mode 100755 index 0000000..00fac0a Binary files /dev/null and b/openssl-bins/openssl-1.0.2-chacha.pm/openssl differ diff --git a/openssl-bins/openssl-1.0.2-chacha.pm/openssl-telnet-starttls.patch b/openssl-bins/openssl-1.0.2-chacha.pm/openssl-telnet-starttls.patch new file mode 100644 index 0000000..c7a468b --- /dev/null +++ b/openssl-bins/openssl-1.0.2-chacha.pm/openssl-telnet-starttls.patch @@ -0,0 +1,78 @@ +--- apps/s_client.c.org 2009-12-16 15:28:28.000000000 -0500 ++++ apps/s_client.c 2010-11-16 12:07:02.274824820 -0500 +@@ -329,8 +329,8 @@ static void sc_usage(void) + BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n"); + BIO_printf(bio_err," for those protocols that support it, where\n"); + BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n"); +- BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n"); +- BIO_printf(bio_err," are supported.\n"); ++ BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\", \"xmpp\", and\n"); ++ BIO_printf(bio_err," \"telnet\" are supported.\n"); + #ifndef OPENSSL_NO_ENGINE + BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); + #endif +@@ -375,7 +375,8 @@ enum + PROTO_POP3, + PROTO_IMAP, + PROTO_FTP, +- PROTO_XMPP ++ PROTO_XMPP, ++ PROTO_TELNET + }; + + int MAIN(int, char **); +@@ -688,6 +689,8 @@ int MAIN(int argc, char **argv) + starttls_proto = PROTO_FTP; + else if (strcmp(*argv, "xmpp") == 0) + starttls_proto = PROTO_XMPP; ++ else if (strcmp(*argv, "telnet") == 0) ++ starttls_proto = PROTO_TELNET; + else + goto bad; + } +@@ -1200,6 +1203,45 @@ SSL_set_tlsext_status_ids(con, ids); + goto shut; + mbuf[0] = 0; + } ++ else if (starttls_proto == PROTO_TELNET) ++ { ++ static const unsigned char tls_do[] = ++ { ++ 255 /* IAC */, ++ 253 /* DO */, ++ 46 /* START_TLS */ ++ }; ++ static const unsigned char tls_will[] = ++ { ++ 255 /* IAC */, ++ 251 /* WILL */, ++ 46 /* START_TLS */ ++ }; ++ static const unsigned char tls_follows[] = ++ { ++ 255 /* IAC */, ++ 250 /* SB */, ++ 46 /* START_TLS */, ++ 1 /* FOLLOWS */, ++ 255 /* IAC */, ++ 240 /* SE */ ++ }; ++ int bytes; ++ ++ /* Telnet server should demand we issue START_TLS */ ++ bytes = BIO_read(sbio,mbuf,BUFSIZZ); ++ if (!(bytes == 3 && memcmp(mbuf, tls_do, 3) == 0)) ++ goto shut; ++ /* Agree to issue START_TLS and send the FOLLOWS sub-command */ ++ BIO_write(sbio, tls_will, 3); ++ BIO_write(sbio, tls_follows, 6); ++ (void)BIO_flush(sbio); ++ /* Telnet server also sent the FOLLOWS sub-command */ ++ bytes = BIO_read(sbio,mbuf,BUFSIZZ); ++ if (!(bytes == 6 && memcmp(mbuf, tls_follows, 6) == 0)) ++ goto shut; ++ /* Any traffic after this point must be TLS negotiation */ ++ } + + for (;;) + { diff --git a/openssl-bins/openssl-1.0.2-chacha.pm/openssl-xmpp-starttls-fix.patch b/openssl-bins/openssl-1.0.2-chacha.pm/openssl-xmpp-starttls-fix.patch new file mode 100644 index 0000000..0083247 --- /dev/null +++ b/openssl-bins/openssl-1.0.2-chacha.pm/openssl-xmpp-starttls-fix.patch @@ -0,0 +1,11 @@ +--- apps/s_client.c.org 2014-05-23 16:01:41.000000000 +0200 ++++ apps/s_client.c 2014-05-23 16:02:25.414679645 +0200 +@@ -1478,7 +1478,7 @@ + int seen = 0; + BIO_printf(sbio,"", host); ++ "xmlns='jabber:client' to='%s' version='1.0'>", servername?servername:host); + seen = BIO_read(sbio,mbuf,BUFSIZZ); + mbuf[seen] = 0; + while (!strstr(mbuf, "