From 818cd4b014e769415fd665a9724d58fe9c492ef2 Mon Sep 17 00:00:00 2001
From: Dirk Wetter <dirk@testssl.sh>
Date: Wed, 16 Jul 2014 18:35:42 +0200
Subject: [PATCH] - reflects the new tree from Peter Mosmans

---
 .../openssl-1.0.2-chacha.pm/Readme.md         | 80 +++++++++----------
 1 file changed, 38 insertions(+), 42 deletions(-)

diff --git a/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md b/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md
index 3e5f966..409e525 100644
--- a/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md
+++ b/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md
@@ -2,42 +2,45 @@
 Compilation instructions
 ========================
 
-The precompiled versions here are from OpenSSL 1.0.2,
-they are a fork of OpenSSL from Peter Mosmans,
-just to get chacha20+poly1305 support (thx!). The one from
-the official git repo didn't work for me work correctly,
-it's also likely they'll disappear shortly
+The precompiled versions here are from an OpenSSL 1.0.2 fork
+from Peter Mosmans. He has patched the master git branch
+to support chacha20+poly1305 and other ciphers (CAMELIA 256 Bit).
+
+CHACHA20+POLY1305 cipher suites from the official git repo didn't 
+work for me work correctly, it's also likely they'll disappear shortly
 (https://www.mail-archive.com/openssl-dev@openssl.org/msg34756.html).
 
-    $ git clone https://github.com/PeterMosmans/openssl
-    $ cd openssl
+
+General
+-------
+
+* 64 bit versions were compiled under Opensuse 12.3
+* 32 bit versions were compiled under Ubuntu 12.04 LTS
+
+Likely you cannot use older distributions, younger should work.
+I provide for each distributions two sets of binaries:
+
+* statically linked binaries (except a few libs which are nowadays difficult to statically link)
+* dynamically linked binaries with MIT Kerberos support ("krb5" in the name)
+
+For the latter you need a whopping bunch of kerberos libraries which you maybe need to 
+install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support, 
+libkeyutils). For the 'static' binaries kerberos is not compiled in, so that's is not needed.
+
+All binaries are signed with my gpg key (.asc files).
 
 
-General instructions
---------------------
-
-* 64 bit version was compiled under Opensuse 12.3
-* 32 bit version was compiled under Ubuntu 12.04 LTS
-
-In addition to the statically linked binaries I provide -- except a few
-libs which are nowadays difficult to statically link in -- I compiled a set of
-dynamic binaries. The catch here are the Kerberos libs: No Linux
-distributor provides static libs. As of now I feel too lazy ;-) to compile
-MIT or KTH from scratch to get statitic libs.
-
-So for the kerberos binaries I provide (openssl??-1.0.2pm-krb5*) you need a whopping bunch of 
-kerberos libraries which you maybe need to install (libgssapi_krb5, libkrb5, libcom_err, 
-libk5crypto, libkrb5support, libkeyutils). For the 'static' binaries kerberos is not compiled in, so that's is not needed.
-
+Compilation instructions
+------------------------
 
 If you want to compile OpenSSL yourself, here are the instructions:
 
-1.) apply experimental-features.patch (otherwise you miss the experimental features)
+1.) get openssl from Peter Mosmans' repo:
 
-2.) apply openssl-telnet-starttls.patch and openssl-xmpp-starttls-fix.patch
-    (provided by Stefan Zehl, thx!). 
+     git clone https://github.com/PeterMosmans/openssl
+     cd openssl
 
-3.) configure the damned thing. Options I used:
+2.) configure the damned thing. Options I used:
 
 **for 64Bit:**
 
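Review bot: The added line "All binaries are signed with my gpg key (.asc files)." in the General section gives no key ID or fingerprint and no pointer to where the public key is published, so the signatures cannot be checked against a trusted key; put the full fingerprint next to that sentence. In the new step 1, `git clone https://github.com/PeterMosmans/openssl` fetches whatever the fork's default branch holds at the time, and the README does not say which commit or tag the precompiled binaries were built from; recording it would make the build reproducible. The old steps that applied experimental-features.patch and the two STARTTLS patches are removed without a word on whether the fork already contains them. Wording in the added lines: "CAMELIA" should be "Camellia", "didn't work for me work correctly" repeats "work", "each distributions" and "that's is not needed" need fixing, three added lines carry trailing whitespace, and "Compilation instructions" is now both the top-level heading and a subsection title.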
@@ -51,33 +54,26 @@ If you want to compile OpenSSL yourself, here are the instructions:
     enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia \
     enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake 
 
-Don't use -DTEMP_GOST_TLS, it breaks things!
+Don't use -DTEMP_GOST_TLS, it currently breaks things and it is not needed for general GOST support.
 
 If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT". 
 If you have other Kerberos flavors you need to figure out by yourself.
 
-For real GOST cipher [1] support you need to built static libs as the crypto
-engine is a shared lib (additional options: "shared -fPIC -DOPENSSL_PIC"). I didn't
-do that yet.  If you aiming at this you rather should compile everything with another prefix 
-as you don't want your openssl binary to end up loading system libraries like libssl or
-libcrypto. Alternatively you can hack the Makefile and include those
-libs which you compiled statically as ".a".
+3.) make depend
 
-4.) make depend
+4.) make
 
-5.) make
+5.) make report (check whether it runs ok)
 
-6.) make report (check whether it runs ok)
+6.) "openssl ciphers -V ALL:COMPLEMENTOFALL | wc -l" lists for me 
+     * 187 + 4 russian GOST ciphers -- including kerberos
+     * 173 + 4 russian GOST ciphers without kerberos
 
-7.) "openssl ciphers -V ALL:COMPLEMENTOFALL | wc -l" lists for me w/ kerberos and w/o GOST cipher engine
-     167 ciphers as opposed to 111/109 from Ubuntu or Opensuse.
+as opposed to 111/109 from Ubuntu or Opensuse. 
 
 Enjoy, Dirk
 
 PS: **Never use these binaries for anything else then for testing**
 
 
-
-
-
 [1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29
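Review bot: The `[1]` footnote left at the end of the file is no longer cited anywhere, because the only reference to it was in the deleted "For real GOST cipher [1] support ..." paragraph; either drop the footnote or cite it from the new GOST wording (its URL also has `%29` on both sides of "block_cipher", where the opening parenthesis should be `%28`). That deleted paragraph said GOST needed a build with "shared -fPIC -DOPENSSL_PIC" and that this had not been done yet, while the new step 6 counts "+ 4 russian GOST ciphers" for both variants, so the README should state how GOST is now enabled in these binaries. The removed advice to build with another prefix so the binary does not load the system libssl or libcrypto still looks relevant to the dynamically linked krb5 binaries and is worth keeping in some form. In step 6, "as opposed to 111/109 from Ubuntu or Opensuse." has ended up as a separate paragraph after the bullet list, detached from the sentence it completes.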