h-yamamo

Support ChaCha20-Poly1305 and Camellia-GCM for debian and ubuntu openssl package

In order to easily build, I made sets of patches that resolved conflicts (chacha20-poly1305, camellia-gcm, equal-preference-group).

How to build

• Required packages: packaging-dev, lzip / Preparation: sudo apt-get build-dep openssl or openssl1.0

Ubuntu 16.04 LTS (xenial)

h-yamamo

Support Camellia-GCM for debian/ubuntu openssl (v1.1 series and v3 series) package

Implement camellia-gcm functions into libcrypto and camellia-gcm ciphersuites from RFC 6367 into libssl. And TLS 1.3 camellia-gcm ciphersuites are supported for private use in OpenSSL 1.1.1 and later version.

Reference: openssl/openssl#374

How to build

h-yamamo

Support EVP_AEAD APIs for debian stretch openssl package

For compatibility of applications which use EVP_AEAD APIs, there are a patch and same debian files here.

Your application gets source level compatibility with BoringSSL, LibreSSL and h-yamamo's openssl-chacha20poly1305.

How to build

• Required packages: packaging-dev, lzip / Preparation: sudo apt-get build-dep openssl

h-yamamo

  Support TLS_ECDHE_* ciphersuites

    you can specify e.g. --tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

    supported curve is only NIST P-256.
    if you want to change the curve to P-384 or P-521
    change NID_X9_62_prime256v1 to NID_secp384r1 or NID_secp521r1.

--- 2.3.10-1ubuntu2/src/openvpn/ssl_openssl.c	2016-01-04 12:17:32.000000000 +0000
+++ b/src/openvpn/ssl_openssl.c	2016-09-19 20:00:00.000000000 +0900

h-yamamo

  Support equal preference group
  * This patch requires the preceding chacha20poly1305.patch.
  * Ciphersuites in equal preference group are hard coded.
    The following ciphersuites:
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_RSA_CHACHA20_POLY1305_OLD
      TLS_ECDHE_ECDSA_CHACHA20_POLY1305_OLD

h-yamamo

diff -u openssl-1.0.2h-1~bpo8+2+ore1 +camellia-gcm
--- a/openssl.ld	2016-09-04 00:00:00.000000000 +0900
+++ b/openssl.ld	2016-09-04 20:00:00.000000000 +0900
@@ -4482,6 +4482,8 @@
 		EVP_AEAD_CTX_cleanup;
 		EVP_AEAD_CTX_seal;
 		EVP_AEAD_CTX_open;
+		EVP_aead_camellia_128_gcm;
+		EVP_aead_camellia_256_gcm;
 } OPENSSL_1.0.0;

h-yamamo

diff -u openssl-1.0.1t-1+deb8u2+ore1 +camellia-gcm
--- a/openssl.ld	2016-05-20 03:00:00.000000000 +0900
+++ b/openssl.ld	2016-05-22 12:00:00.000000000 +0900
@@ -4628,6 +4628,8 @@
 		EVP_AEAD_CTX_cleanup;
 		EVP_AEAD_CTX_seal;
 		EVP_AEAD_CTX_open;
+		EVP_aead_camellia_128_gcm;
+		EVP_aead_camellia_256_gcm;
 } OPENSSL_1.0.0;

h-yamamo

diff -u openssl-1.0.2g-1ubuntu4+ore1 +camellia-gcm
--- a/openssl.ld	2016-04-17 15:00:00.000000000 +0900
+++ b/openssl.ld	2016-04-23 22:00:00.000000000 +0900
@@ -4482,6 +4482,8 @@
 		EVP_AEAD_CTX_cleanup;
 		EVP_AEAD_CTX_seal;
 		EVP_AEAD_CTX_open;
+		EVP_aead_camellia_128_gcm;
+		EVP_aead_camellia_256_gcm;
 } OPENSSL_1.0.0;

h-yamamo

  Improve TLS Extensions signature and hash algorithm

  Reference:
    Move signing digest out of CERT.
    https://github.com/openssl/openssl/commit/d376e57d6826e56f4c922806e088a111c52f9e92

diff -ur openssl-1.0.1k-3+deb8u2 openssl-1.0.1k-3+deb8u2+alg
--- a/ssl/ssl_lib.c	2015-01-08 23:00:56.000000000 +0900
+++ b/ssl/ssl_lib.c	2016-02-19 21:58:14.000000000 +0900
@@ -2392,6 +2392,9 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *

h-yamamo

  Improve TLS Extensions signature and hash algorithm

  Reference:
    Move signing digest out of CERT.
    https://github.com/openssl/openssl/commit/d376e57d6826e56f4c922806e088a111c52f9e92

diff -ur openssl-1.0.1f-1ubuntu2.16 1.0.1f-1ubuntu2.16+alg
--- a/ssl/ssl_lib.c	2014-10-15 16:56:03.000000000 +0000
+++ b/ssl/ssl_lib.c	2016-02-19 21:58:14.000000000 +0900
@@ -2406,6 +2406,9 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *