
@h-yamamo
Last active March 18, 2022 08:19
Support ChaCha20-Poly1305 and Camellia-GCM for debian and ubuntu openssl package

To make building easy, I made sets of patches with the conflicts already resolved (chacha20-poly1305, camellia-gcm, equal-preference-group).

How to build

  • Required packages: packaging-dev, lzip. Preparation: sudo apt-get build-dep openssl (or openssl1.0, depending on which source package you build).

Ubuntu 16.04 LTS (xenial)

# In some directory
git clone -b xenial --depth 1 https://gist.github.com/h-yamamo/474f5cb1e0d93638027785f57b4b7ea1
apt-get -d source openssl
tar xf openssl_1.0.2g.orig.tar.gz
cd openssl-1.0.2g
tar xf ../openssl_1.0.2g-1ubuntu4.19.debian.tar.xz
tar xvf ../474f5cb1e0d93638027785f57b4b7ea1/debian.tlz
debuild -uc -us

And here is the branch that additionally adds X25519 support (curve25519.patch):

git clone -b xenial_p1 --depth 1 https://gist.github.com/h-yamamo/474f5cb1e0d93638027785f57b4b7ea1

Debian 8 (jessie-backports)

# In some directory
git clone -b jessie-backports --depth 1 https://gist.github.com/h-yamamo/474f5cb1e0d93638027785f57b4b7ea1
apt-get -d source openssl
tar xf openssl_1.0.2l.orig.tar.gz
cd openssl-1.0.2l
tar xf ../openssl_1.0.2l-1~bpo8+1.debian.tar.xz
tar xvf ../474f5cb1e0d93638027785f57b4b7ea1/debian.txz
debuild -uc -us

And here is the branch that additionally adds X25519 support (curve25519.patch):

git clone -b jessie-backports_p1 --depth 1 https://gist.github.com/h-yamamo/474f5cb1e0d93638027785f57b4b7ea1

Debian 9 (stretch)

Since openssl1.0 is used by apache2 on stretch, I decided to make patches for openssl1.0. This includes curve25519, chacha20-poly1305, camellia-gcm and equal-preference-group.

# In some directory
git clone -b stretch_p1 --depth 1 https://gist.github.com/h-yamamo/474f5cb1e0d93638027785f57b4b7ea1
apt-get -d source openssl1.0
tar xf openssl1.0_1.0.2u.orig.tar.gz
cd openssl-1.0.2u
tar xf ../openssl1.0_1.0.2u-1~deb9u7.debian.tar.xz
tar xvf ../474f5cb1e0d93638027785f57b4b7ea1/debian.tlz
debuild -uc -us
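Added check script, not part of the gist: after debuild and installing the resulting package, confirm that the new AEAD suites are actually advertised and that no draft "-OLD" ChaCha20-Poly1305 suite (the cc13-cc15 ids discussed in the comments) is left in the list. The suite names and both sample lists are constructed assumptions in the format of `openssl ciphers -v`; compare against your own build.

```shell
#!/bin/sh
# Added example (not from the gist). Samples below are constructed in the
# `openssl ciphers -v` format; the "-OLD" and CAMELLIA*-GCM names are assumed.
SAMPLE_WITH_OLD='ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305-OLD TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CAMELLIA256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=CamelliaGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'

SAMPLE_CLEAN='ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CAMELLIA256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=CamelliaGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'

# Print the suite names (first column) whose name matches an awk regex.
# $1 = regex, $2 = text in `openssl ciphers -v` format
matching_suites() {
    printf '%s\n' "$2" | awk -v pat="$1" '$1 ~ pat { print $1 }'
}

# Number of suites matching the regex (0 when none).
count_suites() {
    matching_suites "$1" "$2" | wc -l | tr -d ' '
}

# Succeed (exit 0) only if modern ChaCha20-Poly1305 and Camellia-GCM suites
# are present and no "-OLD" draft suite remains in the list.
check_cipher_list() {
    n_chacha=$(count_suites 'CHACHA20-POLY1305$' "$1")
    n_old=$(count_suites 'CHACHA20-POLY1305-OLD$' "$1")
    n_camellia=$(count_suites 'CAMELLIA.*-GCM' "$1")
    echo "chacha20-poly1305=$n_chacha old-draft=$n_old camellia-gcm=$n_camellia"
    [ "$n_chacha" -gt 0 ] && [ "$n_old" -eq 0 ] && [ "$n_camellia" -gt 0 ]
}

# Stand-alone run: the two constructed samples, then the installed binary.
for sample in "$SAMPLE_WITH_OLD" "$SAMPLE_CLEAN"; do
    if check_cipher_list "$sample"; then echo "OK"; else echo "NOT OK"; fi
done
if command -v openssl >/dev/null 2>&1; then
    if check_cipher_list "$(openssl ciphers -v ALL 2>/dev/null)"; then
        echo "installed openssl: OK"
    else
        echo "installed openssl: NOT OK"
    fi
fi
```

Run it on the build host after `dpkg -i` of the new packages; the last lines report whether the installed libssl matches the expectation.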
@anotherjin

The ChaCha20-Poly1305 patch has a problem with chacha20-poly1305-old. Chrome 39 reports SSL-BAD-MAC-RECORD. (Test server is nginx on Ubuntu 16.04 LTS.)

@h-yamamo (Author)

h-yamamo commented Nov 5, 2017

Thank you for using this. I'll test it when I have time. If there is a problem with old Chrome, remove the CHACHA20_POLY1305_OLD ciphersuites (cc13 - cc15) from ssl/s3_lib.c. Then old Chrome will use AES.

@hamjin

hamjin commented Nov 23, 2017

https://github.com/google/boringssl/tree/2987
This BoringSSL branch is OK with chacha20-poly1305-old.

@h-yamamo (Author)

With BoringSSL's tool/bssl it worked fine. I have not tested with old Chrome.
To avoid problems, the old chacha20-poly1305 is deleted from now on.

@hamjin

hamjin commented Aug 19, 2018

Thank you very much! Now it's OK.
