
sslconfig's Introduction

sslconfig

Cloudflare's Internet facing SSL cipher configuration

This repository tracks the history of the SSL cipher configuration used for Cloudflare's public-facing SSL web servers. It mirrors an internal Cloudflare repository, so the commit dates may not exactly match when the changes were actually made.

There is a single file called conf which contains the configuration used in Cloudflare's NGINX servers. This is only a fragment of the configuration.

ChaCha20/Poly1305 patch

Cloudflare uses a patch for OpenSSL that enables the ChaCha20/Poly1305 cipher suites and adds special logic so that a ChaCha20/Poly1305 suite is selected only when it is the client's top cipher choice. Without this patch, the cipher suite ordering in the configuration will not behave as intended.

sslconfig's People

Contributors

0x7e, dknecht, ghedo, grittygrease, injust, jgrahamc, leonklingele, piotrsikora, travislee89, vkrasnov


sslconfig's Issues

bad record mac with chacha20_poly1305 patch

server: Ubuntu Server 16.04.2 lts 32bit
nginx: nginx 1.11.13
openssl: openssl-1.0.2k
patch: openssl__chacha20_poly1305_draft_and_rfc_ossl102j.patch
Hello, I use ./configure --add-module=../ngx_brotli --add-module=../nginx-ct-1.3.2 --with-openssl=../openssl --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module to compile nginx. Everything seems OK, but it reports 'bad record mac' when the handshake uses 'chacha20'. When I removed EECDH+CHACHA20:EECDH+CHACHA20-draft: from my ssl_ciphers, it works well.
Could you please help me with how to troubleshoot this? There is nothing in my nginx error log.
For bug fixing, I have now set ssl_ciphers to EECDH+CHACHA20:EECDH+CHACHA20-draft, so my website doesn't work. My site URL is https://bblove.me.

nginx__http2_spdy.patch fails on 1.11.5

Hi,

nginx__http2_spdy.patch fails on Nginx 1.11.5 (with OpenSSL 1.1.0).

Entering directory '/usr/src/nginx-1.11.5'
cc -c -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g  -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/src/openssl-1.1.0b/.openssl/include -I /usr/include/libxml2 -I objs -I src/http -I src/http/modules -I src/http/v2 -I src/http \
 -o objs/src/http/ngx_http.o \
 src/http/ngx_http.c
In file included from src/http/ngx_http.h:32:0,
                 from src/http/ngx_http.c:10:
src/http/ngx_http_request.h:426:5: error: unknown type name 'ngx_http_spdy_stream_t'
     ngx_http_spdy_stream_t           *spdy_stream;
     ^
src/http/ngx_http.c: In function 'ngx_http_add_addresses':
src/http/ngx_http.c:1241:21: error: 'ngx_http_listen_opt_t' has no member named 'spdy'
         spdy = lsopt->spdy || addr[i].opt.spdy;
                     ^
src/http/ngx_http.c:1241:42: error: 'ngx_http_listen_opt_t' has no member named 'spdy'
         spdy = lsopt->spdy || addr[i].opt.spdy;
                                          ^
src/http/ngx_http.c:1278:20: error: 'ngx_http_listen_opt_t' has no member named 'spdy'
         addr[i].opt.spdy = spdy;
                    ^
src/http/ngx_http.c: In function 'ngx_http_add_addrs':
src/http/ngx_http.c:1829:22: error: 'ngx_http_addr_conf_t' has no member named 'spdy'
         addrs[i].conf.spdy = addr[i].opt.spdy;
                      ^
src/http/ngx_http.c:1829:41: error: 'ngx_http_listen_opt_t' has no member named 'spdy'
         addrs[i].conf.spdy = addr[i].opt.spdy;
                                         ^
src/http/ngx_http.c: In function 'ngx_http_add_addrs6':
src/http/ngx_http.c:1897:23: error: 'ngx_http_addr_conf_t' has no member named 'spdy'
         addrs6[i].conf.spdy = addr[i].opt.spdy;
                       ^
src/http/ngx_http.c:1897:42: error: 'ngx_http_listen_opt_t' has no member named 'spdy'
         addrs6[i].conf.spdy = addr[i].opt.spdy;
                                          ^
objs/Makefile:941: recipe for target 'objs/src/http/ngx_http.o' failed
make[1]: *** [objs/src/http/ngx_http.o] Error 1
make[1]: Leaving directory '/usr/src/nginx-1.11.5'
Makefile:11: recipe for target 'install' failed
make: *** [install] Error 2

Any idea?

Thanks..

Cannot build with nginx on an ARM machine.

I got an error when I was building nginx 1.9.12 + openssl 1.0.2f with this patch on a Raspberry Pi.

openssl__chacha20_poly1305_cf.patch

cryptlib.c:721:16: error: conflicting types for 'OPENSSL_ia32cap_loc'
 unsigned long *OPENSSL_ia32cap_loc(void)
                ^
In file included from cryptlib.h:72:0,
                 from cryptlib.c:117:
../include/openssl/crypto.h:593:15: note: previous declaration of 'OPENSSL_ia32cap_loc' was here
 unsigned int *OPENSSL_ia32cap_loc(void);
               ^
<builtin>: recipe for target 'cryptlib.o' failed
make[3]: *** [cryptlib.o] Error 1
make[3]: Leaving directory '/root/nginx-build/build/openssl-1.0.2f/crypto'
Makefile:286: recipe for target 'build_crypto' failed
make[2]: *** [build_crypto] Error 1
make[2]: Leaving directory '/root/nginx-build/build/openssl-1.0.2f'
objs/Makefile:1785: recipe for target '../openssl-1.0.2f/.openssl/include/openssl/ssl.h' failed
make[1]: *** [../openssl-1.0.2f/.openssl/include/openssl/ssl.h] Error 2
make[1]: Leaving directory '/root/nginx-build/build/nginx-1.9.12'
Makefile:8: recipe for target 'build' failed
make: *** [build] Error 2

openssl__chacha20_poly1305_draft_and_rfc_ossl102f.patch

e_chacha20poly1305.c:82:57: error: 'EVP_CHACHA20_POLY1305_CTX' has no member named 'poly_state'
     #define poly_update(c,i,l) CRYPTO_poly1305_update(&c->poly_state,i,l)
                                                         ^
e_chacha20poly1305.c:372:17: note: in expansion of macro 'poly_update'
                 poly_update(aead_ctx, aad, arg + sizeof(thirteen));
                 ^
<builtin>: recipe for target 'e_chacha20poly1305.o' failed
make[4]: *** [e_chacha20poly1305.o] Error 1
make[4]: Leaving directory '/root/nginx-build/build/openssl-1.0.2f/crypto/evp'
Makefile:88: recipe for target 'subdirs' failed
make[3]: *** [subdirs] Error 1
make[3]: Leaving directory '/root/nginx-build/build/openssl-1.0.2f/crypto'
Makefile:286: recipe for target 'build_crypto' failed
make[2]: *** [build_crypto] Error 1
make[2]: Leaving directory '/root/nginx-build/build/openssl-1.0.2f'
objs/Makefile:1785: recipe for target '../openssl-1.0.2f/.openssl/include/openssl/ssl.h' failed
make[1]: *** [../openssl-1.0.2f/.openssl/include/openssl/ssl.h] Error 2
make[1]: Leaving directory '/root/nginx-build/build/nginx-1.9.12'
Makefile:8: recipe for target 'build' failed
make: *** [build] Error 2

Does this patch only support the x86 platform?

About NGX_SSL_MAX_SESSION_SIZE in nginx__dynamic_tls_records.patch

Hello,

In nginx__dynamic_tls_records.patch, the change made at line 139 (https://github.com/cloudflare/sslconfig/blob/master/patches/nginx__dynamic_tls_records.patch#L139) seems unrelated to the patch for dynamic record size. I don't know much about nginx programming but the define NGX_SSL_MAX_SESSION_SIZE is never used in the patch.

Same thing in the new patch for nginx 1.11.5, at line 124: https://github.com/cloudflare/sslconfig/blob/master/patches/nginx__1.11.5_dynamic_tls_records.patch#L124

Implement CHACHA20_POLY1305

This cipher suite triples the speed on smartphones compared to AES_128_GCM; it is implemented in stable Chrome releases (both mobile and desktop) and I hope Firefox will implement it too.

Chrome is used by 49% of all internet users worldwide, so this cipher would benefit at least half of Cloudflare's hits.


ChaCha20-Poly1305

This cipher (technically an AEAD, not a cipher, as is AES-GCM) also has no known breaks but is designed to facilitate fast and secure software implementations. For situations where hardware AES-GCM support is not available, it provides a fast alternative. Even when AES-GCM hardware is provided, ChaCha20-Poly1305 is currently within a factor of two in speed.

http://googleonlinesecurity.blogspot.com.es/2013/11/a-roster-of-tls-cipher-suites-weaknesses.html

Earlier this year, we deployed a new TLS cipher suite in Chrome that operates three times faster than AES-GCM on devices that don’t have AES hardware acceleration, including most Android phones, wearable devices such as Google Glass and older computers. This improves user experience, reducing latency and saving battery life by cutting down the amount of time spent encrypting and decrypting data.

The benefits of this new cipher suite include:
Better security: ChaCha20 is immune to padding-oracle attacks, such as the Lucky13, which affect CBC mode as used in TLS. By design, ChaCha20 is also immune to timing attacks. Check out a detailed description of TLS ciphersuites weaknesses in our earlier post.
Better performance: ChaCha20 and Poly1305 are very fast on mobile and wearable devices, as their designs are able to leverage common CPU instructions, including ARM vector instructions. Poly1305 also saves network bandwidth, since its output is only 16 bytes compared to HMAC-SHA1, which is 20 bytes. This represents a 16% reduction of the TLS network overhead incurred when using older ciphersuites such as RC4-SHA or AES-SHA. The expected acceleration compared to AES-GCM for various platforms is summarized in the chart below.
http://googleonlinesecurity.blogspot.com.es/2014/04/speeding-up-and-strengthening-https.html

Browsers won't negotiate chacha20

I'm using Nginx + openresty/1.11.2.1 + OpenSSL 1.0.2j + Cloudflare dynamic TLS record size + Cloudflare chacha20 patch (updated for current openssl)

openssl -ciphers includes these:

ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-CHACHA20-POLY1305-D
ECDHE-RSA-CHACHA20-POLY1305-D
DHE-RSA-CHACHA20-POLY1305
DHE-RSA-CHACHA20-POLY1305-D
PSK-CHACHA20-POLY1305

My nginx ssl config is:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256';
ssl_prefer_server_ciphers on;

I can connect with openssl s_client:

openssl s_client -cipher ECDHE-RSA-CHACHA20-POLY1305 -debug -connect 127.0.0.1:443

However, if I omit the -cipher then it will only negotiate an AES cipher.

Chrome 53 and Firefox 49 both support ChaCha20 but will only negotiate AES ciphers.

If I disable everything but chacha20:

ssl_ciphers 'EECDH+CHACHA20:EECDH+CHACHA20-draft';

Then neither browser will negotiate a connection because there is no common cipher.

I haven't seen an issue like this discussed anywhere else, I'm not sure what the issue is.
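The observation in this issue and the rule in the README's ChaCha20/Poly1305 patch section describe the same mechanism from two sides, and it can be modelled in a few lines. The following is an added example in Python, not Cloudflare's OpenSSL patch or any NGINX code: it contrasts stock server-preference selection (ssl_prefer_server_ciphers on, i.e. the first suite in the server's order that the client also offers) with the README's rule that a ChaCha20 suite is taken only when the client itself lists a ChaCha20 suite first. Suite names are OpenSSL-style strings, the -D draft variants are omitted for brevity, and the client preference lists are constructed inputs. Browsers on hardware with AES acceleration generally place AES-GCM ahead of ChaCha20 in their ClientHello, so against a server that applies this rule they land on AES-GCM even though the server's ssl_ciphers string lists CHACHA20 first, and a server offering only ChaCha20 ends the handshake with no common cipher.

```python
"""Cipher selection with ssl_prefer_server_ciphers on, with and without the
ChaCha20 "client's top choice" rule from the sslconfig README.

Added example, not Cloudflare's OpenSSL patch or NGINX code. Suite names are
OpenSSL-style strings; the preference lists in the demo are constructed."""

CHACHA20_SUITES = frozenset({
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
})


def select_server_preference(server_prefs, client_prefs):
    """Stock behaviour: the first suite in the server's order that the client
    also offers wins, regardless of where the client ranked it."""
    offered = set(client_prefs)
    return next((s for s in server_prefs if s in offered), None)


def select_with_chacha_rule(server_prefs, client_prefs):
    """README rule: ChaCha20 suites are eligible only when the client's own
    first preference is a ChaCha20 suite (its signal that it lacks AES
    hardware); otherwise they are skipped and the server order decides."""
    if not client_prefs:
        return None
    client_leads_with_chacha = client_prefs[0] in CHACHA20_SUITES
    offered = set(client_prefs)
    for suite in server_prefs:
        if suite in CHACHA20_SUITES and not client_leads_with_chacha:
            continue  # server lists it first, but this client did not ask for it first
        if suite in offered:
            return suite
    return None


# Server order with the same shape as an ssl_ciphers string that lists
# EECDH+CHACHA20 before EECDH+AES128 and RSA+AES128 (constructed).
SERVER_ORDER = [
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES128-SHA",
]

# Constructed ClientHello preference lists.
DESKTOP_WITH_AESNI = ["ECDHE-RSA-AES128-GCM-SHA256",
                      "ECDHE-RSA-CHACHA20-POLY1305", "AES128-SHA"]
PHONE_WITHOUT_AESNI = ["ECDHE-RSA-CHACHA20-POLY1305",
                       "ECDHE-RSA-AES128-GCM-SHA256"]
LEGACY_CLIENT = ["AES128-SHA", "DES-CBC3-SHA"]


def compare(client_prefs):
    """(stock choice, choice under the README rule) for one client."""
    return (select_server_preference(SERVER_ORDER, client_prefs),
            select_with_chacha_rule(SERVER_ORDER, client_prefs))


if __name__ == "__main__":
    for name, prefs in [("desktop", DESKTOP_WITH_AESNI),
                        ("phone", PHONE_WITHOUT_AESNI),
                        ("legacy", LEGACY_CLIENT)]:
        stock, rule = compare(prefs)
        print(f"{name:8s} stock={stock}  readme_rule={rule}")
```

With the server order above, the desktop client gets ChaCha20 under stock server preference but AES-128-GCM under the README's rule, the phone gets ChaCha20 either way, and a server whose list contains only ChaCha20 suites yields no common cipher for the desktop client, which is the failure mode described in this issue.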

apply openssl__chacha20_poly1305_cf.patch failed

OS: {Linux vagrant-opensuse-132-64 3.16.7-21-default #1 SMP Tue Apr 14 07:11:37 UTC 2015 (93c1539) x86_64 x86_64 x86_64 GNU/Linux}

OpenSSL: {openssl-1.0.2, openssl-1.0.2a, openssl-1.0.2b, openssl-1.0.2c, openssl-1.0.2d}

Patch: {2.7.5}

pwd: {/home/vagrant/Sources/openssl-1.0.2(a|b|c|d)}

$ patch -p1 --dry-run < openssl__chacha20_poly1305_cf.patch

checking file Configure
Hunk #1 succeeded at 126 (offset -17 lines).
Hunk #2 succeeded at 689 (offset -17 lines).
Hunk #3 succeeded at 732 (offset -17 lines).
Hunk #4 succeeded at 1191 (offset -17 lines).
Hunk #5 succeeded at 1219 (offset -18 lines).
Hunk #6 succeeded at 1386 (offset -18 lines).
Hunk #7 succeeded at 1539 (offset -18 lines).
Hunk #8 succeeded at 1717 (offset -27 lines).
Hunk #9 succeeded at 1781 (offset -27 lines).
Hunk #10 succeeded at 2180 (offset -27 lines).
Hunk #11 succeeded at 2211 (offset -27 lines).
checking file Makefile.org
checking file apps/speed.c
checking file crypto/chacha20poly1305/Makefile
checking file crypto/chacha20poly1305/asm/chacha20_avx.pl
checking file crypto/chacha20poly1305/asm/chacha20_avx2.pl
checking file crypto/chacha20poly1305/asm/poly1305_avx.pl
checking file crypto/chacha20poly1305/asm/poly1305_avx2.pl
checking file crypto/chacha20poly1305/chacha20.c
checking file crypto/chacha20poly1305/chacha20poly1305.h
checking file crypto/chacha20poly1305/chapolytest.c
checking file crypto/chacha20poly1305/poly1305.c
checking file crypto/cryptlib.c
checking file crypto/crypto.h
checking file crypto/evp/Makefile
Hunk #3 succeeded at 263 (offset -2 lines).
checking file crypto/evp/e_chacha20poly1305.c
checking file crypto/evp/evp.h
Hunk #1 succeeded at 891 (offset -2 lines).
checking file crypto/objects/obj_dat.h
checking file crypto/objects/obj_mac.h
checking file ssl/s3_lib.c
checking file ssl/ssl.h
checking file ssl/ssl_algs.c
checking file ssl/ssl_ciph.c
Hunk #6 succeeded at 1824 (offset -7 lines).
checking file ssl/ssl_locl.h
checking file ssl/tls1.h
checking file test/Makefile
Hunk #1 FAILED at 70.
Hunk #2 FAILED at 83.
Hunk #3 FAILED at 97.
Hunk #4 FAILED at 108.
Hunk #5 succeeded at 138 (offset -6 lines).
Hunk #6 succeeded at 344 with fuzz 2 (offset -17 lines).
Hunk #7 succeeded at 515 with fuzz 2 (offset -27 lines).
Hunk #8 succeeded at 566 (offset -46 lines).
4 out of 8 hunks FAILED

chacha20poly1305 seq_num included into AAD and incorrect MAC for RFC7539 test vectors

Hello,

Test vectors with Additional Authenticated Data seem to be broken, for example this one from RFC 7539:

  000  4c 61 64 69 65 73 20 61 6e 64 20 47 65 6e 74 6c  Ladies and Gentl
  016  65 6d 65 6e 20 6f 66 20 74 68 65 20 63 6c 61 73  emen of the clas
  032  73 20 6f 66 20 27 39 39 3a 20 49 66 20 49 20 63  s of '99: If I c
  048  6f 75 6c 64 20 6f 66 66 65 72 20 79 6f 75 20 6f  ould offer you o
  064  6e 6c 79 20 6f 6e 65 20 74 69 70 20 66 6f 72 20  nly one tip for
  080  74 68 65 20 66 75 74 75 72 65 2c 20 73 75 6e 73  the future, suns
  096  63 72 65 65 6e 20 77 6f 75 6c 64 20 62 65 20 69  creen would be i
  112  74 2e                                            t.

   AAD:
   000  50 51 52 53 c0 c1 c2 c3 c4 c5 c6 c7              PQRS........
   Tag:
   1a:e1:0b:59:4f:09:e2:6a:7e:90:2e:cb:d0:60:06:91

With seq_num set to eight zero bytes (to avoid its impact on test vector IV when XORed), patched OpenSSL produces incorrect auth tag:

de 08 a0 26 69 99 53 f2 67 70 82 b9 1f fc cb ed 

I checked the sources and see that the ChaPoly EVP API expects the AAD in the format '8 bytes seq_num || actual AAD' when using "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_TLS1_AAD, aad_len, aad)" to set both seq_num and AAD; aad_len should be 8 + actual_aad_len.
XORing the padded seq_num with the IV works as expected, but later, when the AAD and its length are included in the Poly1305 MAC calculation, the AAD is passed as 'seq_num || AAD', which breaks the test vectors. A simple patch that excludes seq_num from the AAD tag calculation fixes the test vectors; see the last two lines below:

            if (!aead_ctx->draft) {
                /* RFC IV = (0 || iv) ^ seq_num */
                memset(aead_ctx->nonce + 32, 0, 4);
                memcpy(aead_ctx->nonce + 36, aead_ctx->iv, 12);
                *(uint64_t *)(aead_ctx->nonce + 40) ^= *(uint64_t *)(ptr);

            } else {
                /* draft IV = 0 || seq_num */
                memset(aead_ctx->nonce + 32, 0, 8);
                memcpy(aead_ctx->nonce + 40, ptr, 8);
            }

            /* Exclude seq_num from poly1305 AAD auth tag */
            ptr += 8;
            arg -= 8;

The patched version produces correct tag:

1a e1 0b 59 4f 09  e2 6a 7e 90 2e cb d0 60 06 91

So my question is: is it an RFC feature to include seq_num in the auth tag calculation? If so, are there any test vectors for the TLS implementation of ChaPoly?

Does CVE-2016-7054 affect the ChaCha20-Poly1305 patch?

CVE-2016-7054 (OpenSSL advisory) [High severity] 10th November 2016:
TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by
corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be
exploitable beyond a DoS. Reported by Robert Święcki (Google Security Team) on 25th September 2016.

Fixed in OpenSSL 1.1.0c (Affected 1.1.0b, 1.1.0a, 1.1.0)

In OpenSSL 1.1.0, there is a bug that causes memory corruption and allows a DoS attack. I have reviewed Cloudflare's patch for OpenSSL 1.0.1, but I didn't see any similar code. Still, I would like a statement on whether CF's patch has the same issue.

Sanity test fails after applying patch

$ ./config --test-sanity

Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
======================================================================
=== SANITY TESTING!
=== No configuration will be done, all other arguments will be ignored!
======================================================================
SANITY ERROR: 'VC-WIN64I' has the dso_scheme [25] values
              in the previous field
SANITY ERROR: 'debug-VC-WIN64I' has the dso_scheme [25] values
              in the previous field
SANITY ERROR: 'debug-linux-ia32-aes' has the dso_scheme [25] values
              in the previous field
SANITY ERROR: 'hpux64-parisc2-gcc' has the dso_scheme [25] values
              in the previous field

Why EECDH+3DES?

EECDH+3DES expands to:

ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1

Is there a browser that does not support AES but supports ECDH key exchange?

It was added in 9d5369e.

error with nginx__dynamic_tls_records.patch when it is applied to nginx version 1.13.0

There is a problem with this patch when it is applied to nginx version 1.13.0:
root@server:~/nginx-1.13.0# patch -p1 < ./nginx__dynamic_tls_records.patch
patching file src/event/ngx_event_openssl.c
Hunk #1 succeeded at 1173 (offset 136 lines).
Hunk #2 succeeded at 1712 (offset 136 lines).
Hunk #3 succeeded at 1848 (offset 136 lines).
patching file src/event/ngx_event_openssl.h
Hunk #1 FAILED at 38.
Hunk #2 FAILED at 63.
Hunk #3 succeeded at 94 (offset 22 lines).
2 out of 3 hunks FAILED -- saving rejects to file src/event/ngx_event_openssl.h.rej
patching file src/http/modules/ngx_http_ssl_module.c
Hunk #1 succeeded at 234 (offset 1 line).
Hunk #2 succeeded at 590 (offset 23 lines).
Hunk #3 succeeded at 660 (offset 24 lines).
Hunk #4 succeeded at 854 (offset 27 lines).
patching file src/http/modules/ngx_http_ssl_module.h
Hunk #1 succeeded at 57 (offset 1 line).

New patches for OpenSSL 1.0.2h?

OpenSSL released a critical security update this week and the current patch for OpenSSL 1.0.2g does not work (make test fails).

OpenSSL 1.0.2 users should upgrade to 1.0.2h

Could you please release a new patch compatible with OpenSSL 1.0.2h?

RC4 patch for OpenSSL 1.0.2?

The current patches/openssl__disable_rc4.patch only allows patching with 1.0.1.

Since you have released a Chacha20-Poly1305 patch for 1.0.2,
should you also include a RC4 patch for 1.0.2?

Tag mismatch when using asm chacha20_poly1305_{seal, open} directly for rfc7539

Hi @vkrasnov -

Since the EVP_CIPHER_CTX_ctrl API for c20p is specifically for TLS (with the 13-byte AAD + seq number mixing), I'm trying to use the underlying ASM seal/open APIs to get rfc7539 behavior. From looking at e_chacha20_poly1305.c, there doesn't seem to be any TLS-specific details in the ASM implementation. Code snippet adapted from e_chacha20_poly1305.c behavior per https://github.com/cloudflare/sslconfig/blob/master/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102j.patch#L4159-L4163

unsigned char key_iv[32 + 4 + 12];
memcpy(key_iv, key, 32);
memset(key_iv + 32, 0, 4);
memcpy(key_iv + 32 + 4, iv, 12);
chacha20_poly1305_seal(ciphertext, plaintext, plaintext_len + 16, (uint8_t*)aad, aad_len, key_iv);
return plaintext_len + 16;

Since we're not doing this for TLS, there are no seq numbers to XOR into the IV. However, on testing this with the input here: https://tools.ietf.org/html/rfc7539#appendix-A.5 - the encryption and decryption work correctly but the tag is wrong. Any ideas how to fix this? Thanks
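Both this issue and the earlier "chacha20poly1305 seq_num included into AAD" issue come down to where the TLS sequence number enters the construction. The following is an added example in pure Python, not code from the Cloudflare patch or from OpenSSL: a from-scratch RFC 7539 ChaCha20-Poly1305 that reproduces the "Ladies and Gentlemen" test vector and the tag 1a e1 0b 59 ... 06 91 quoted above, plus a thin TLS 1.2 record wrapper following RFC 7905, where the nonce is (0^32 || seq_num) XOR write_iv and the additional data is the 13-byte seq_num || type || version || length. In the TLS layer the sequence number is therefore covered by the tag as part of the record header, while the raw AEAD only ever sees whatever AAD its caller passes; calling the raw seal/open with just the application AAD, as the test vector does, is what yields the RFC values. The TLS record inputs (content type 23, version 0x0303, a short fragment) are constructed, and the constant-time tag compare is this example's choice rather than something the page shows.

```python
"""ChaCha20-Poly1305 (RFC 7539) checked against the test vector quoted in the
issue, plus the TLS 1.2 record construction (RFC 7905). Added example in pure
Python, not code from the Cloudflare patch; the TLS inputs are constructed."""
import hmac
import struct

_MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & _MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & _MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & _MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & _MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & _MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: state = constants | key | counter | nonce."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key
                              + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & _MASK32 for x, y in zip(s, init)])


def chacha20_xor(key, counter, nonce, data):
    """XOR data with the keystream starting at block number `counter`."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def poly1305_tag(otk, msg):
    """Poly1305 over msg with the 32-byte one-time key otk = r | s."""
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(otk[16:32], "little")
    p = (1 << 130) - 5
    acc = 0
    for i in range(0, len(msg), 16):  # each block gets a 0x01 byte appended
        acc = ((acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def _mac_input(aad, ct):
    """aad | pad16 | ciphertext | pad16 | len(aad) | len(ct) as 64-bit LE."""
    pad = lambda b: b"\x00" * (-len(b) % 16)
    return aad + pad(aad) + ct + pad(ct) + struct.pack("<QQ", len(aad), len(ct))


def aead_seal(key, nonce, aad, plaintext):
    """RFC 7539 section 2.8: block 0 yields the Poly1305 key, data uses block 1 on."""
    otk = chacha20_block(key, 0, nonce)[:32]
    ct = chacha20_xor(key, 1, nonce, plaintext)
    return ct, poly1305_tag(otk, _mac_input(aad, ct))


def aead_open(key, nonce, aad, ct, tag):
    """Plaintext, or None if the tag does not verify (checked before decrypting)."""
    otk = chacha20_block(key, 0, nonce)[:32]
    if not hmac.compare_digest(poly1305_tag(otk, _mac_input(aad, ct)), tag):
        return None
    return chacha20_xor(key, 1, nonce, ct)


def _tls12_nonce_aad(write_iv, seq_num, content_type, version, length):
    """RFC 7905: nonce = (0^32 | seq_num) XOR write_iv, and additional_data is
    the 13-byte seq_num | type | version | length. The sequence number is thus
    authenticated as part of the record header, not as a separate AEAD input."""
    seq = struct.pack(">Q", seq_num)
    nonce = bytes(x ^ y for x, y in zip(b"\x00" * 4 + seq, write_iv))
    aad = seq + struct.pack(">BHH", content_type, version, length)
    return nonce, aad


def tls12_seal(key, write_iv, seq_num, content_type, version, fragment):
    nonce, aad = _tls12_nonce_aad(write_iv, seq_num, content_type, version, len(fragment))
    ct, tag = aead_seal(key, nonce, aad, fragment)
    return ct + tag


def tls12_open(key, write_iv, seq_num, content_type, version, record):
    if len(record) < 16:
        return None
    ct, tag = record[:-16], record[-16:]
    nonce, aad = _tls12_nonce_aad(write_iv, seq_num, content_type, version, len(ct))
    return aead_open(key, nonce, aad, ct, tag)


# RFC 7539 section 2.8.2 test vector, the one quoted in the seq_num issue.
RFC7539_KEY = bytes(range(0x80, 0xA0))
RFC7539_NONCE = bytes.fromhex("070000004041424344454647")
RFC7539_AAD = bytes.fromhex("50515253c0c1c2c3c4c5c6c7")
RFC7539_PLAINTEXT = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
                     b"only one tip for the future, sunscreen would be it.")
RFC7539_TAG = bytes.fromhex("1ae10b594f09e26a7e902ecbd0600691")


def check_rfc7539_vector():
    """True when seal reproduces the RFC tag and open recovers the plaintext."""
    ct, tag = aead_seal(RFC7539_KEY, RFC7539_NONCE, RFC7539_AAD, RFC7539_PLAINTEXT)
    pt = aead_open(RFC7539_KEY, RFC7539_NONCE, RFC7539_AAD, ct, tag)
    return tag == RFC7539_TAG and pt == RFC7539_PLAINTEXT


if __name__ == "__main__":
    print("RFC 7539 vector:", "ok" if check_rfc7539_vector() else "MISMATCH")
```

Prepending eight zero bytes to the AAD, as the seq_num issue's experiment effectively did, changes the Poly1305 input and so the tag, even though a zero sequence number leaves the nonce untouched; and under the TLS wrapper a record sealed at sequence 0 fails to open at sequence 1 or under a different content type, which is exactly the replay and reordering protection the header-in-AAD design buys.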

patch is broken on 1.0.2g

Hi guys, can you please update this patch to support 1.0.2g? Also, according to some posters on SSL Labs, there is a newer revision of the cipher set.

Non-working binary on 1.0.2c

This is on FreeBSD 9
Patch is applied just fine, but the binary is not working.

# make
# cd stage/usr/local/bin/
# ./openssl
Undefined symbol "EVP_chacha20_poly1305"

Compile and test errors on Mac/clang (without CHAPOLY_X86_64_ASM)

Thanks for updating the patch for the new construction!

There are a bunch of errors like this because poly1305_state poly_state is included only within the #ifdef CHAPOLY_x86_64_ASM block in e_chacha20poly1305.c:76, so compiling without ASM won't find the member.

_chacha20poly1305.c:228:9: error: no member named 'poly_state' in 'EVP_CHACHA20_POLY1305_CTX'
        poly_update(aead_ctx, in, inl);
        ^       ~~~~~~~~
e_chacha20poly1305.c:82:59: note: expanded from macro 'poly_update'
#define poly_update(c,i,l) CRYPTO_poly1305_update(&c->poly_state,i,l)
                                                          ^
e_chacha20poly1305.c:261:9: error: no member named 'poly_state' in 'EVP_CHACHA20_POLY1305_CTX'
        poly_update(aead_ctx, out, inl);
        ^       ~~~~~~~~
e_chacha20poly1305.c:82:59: note: expanded from macro 'poly_update'
#define poly_update(c,i,l) CRYPTO_poly1305_update(&c->poly_state,i,l)
                                                          ^

After moving poly_state outside the ifdef, make test fails like so:
Testing DHE-RSA-CHACHA20-POLY1305
Available compression methods:
  NONE
ERROR in SERVER
2747899972:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:532:
TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-CHACHA20-POLY1305, 2048 bit RSA
1 handshakes of 256 bytes done
Failed DHE-RSA-CHACHA20-POLY1305
make[1]: *** [test_ssl] Error 1
make: *** [tests] Error 2

I believe these errors weren't there when I tested on x86_64 with gcc 4.9 with CHAPOLY_x86_64_ASM turned on, and probably also with ASM off after making the fix above.

I'm on OS X 10.11.3, building with clang: Apple LLVM version 6.1.0 (clang-602.0.53) (based on LLVM 3.6.0svn).

Explain Cipher Choice.

The Cipher Spec listed resolves to the following on a typical OpenSSL 1.0.1g

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
DES-CBC3-SHA
ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA
RC4-SHA

There might be good legacy support reasons to support some of these weaker ciphers, but it would be nice to know the browser overlap/reason for support.

Building nginx 1.11.1 fails

Tried to build nginx 1.11.1 and got this error:

src/http/modules/ngx_http_ssl_module.c: In function »ngx_http_ssl_npn_advertised«:
src/http/modules/ngx_http_ssl_module.c:480:5: Error: expected expression before »}« token

Seems something is wrong around nginx__http2_spdy.patch line 231.

OpenSSL 1.0.2d: patch fails (4 out of 8)

The patch worked fine on OpenSSL 1.0.2c, but not on 1.0.2d.

patch --version

patch 2.6.1

pwd

/usr/local/src/openssl-1.0.2d

patch -p1 <openssl__chacha20_poly1305_cf.patch

patching file Configure
Hunk #1 succeeded at 143 (offset 17 lines).
Hunk #2 succeeded at 706 (offset 17 lines).
Hunk #3 succeeded at 749 (offset 17 lines).
Hunk #4 succeeded at 1208 (offset 17 lines).
Hunk #5 succeeded at 1237 (offset 18 lines).
Hunk #6 succeeded at 1404 (offset 18 lines).
Hunk #7 succeeded at 1557 (offset 18 lines).
Hunk #8 succeeded at 1746 (offset 27 lines).
Hunk #9 succeeded at 1808 (offset 27 lines).
Hunk #10 succeeded at 2207 (offset 27 lines).
Hunk #11 succeeded at 2238 (offset 27 lines).
patching file Makefile.org
patching file apps/speed.c
patching file crypto/chacha20poly1305/Makefile
patching file crypto/chacha20poly1305/asm/chacha20_avx.pl
patching file crypto/chacha20poly1305/asm/chacha20_avx2.pl
patching file crypto/chacha20poly1305/asm/poly1305_avx.pl
patching file crypto/chacha20poly1305/asm/poly1305_avx2.pl
patching file crypto/chacha20poly1305/chacha20.c
patching file crypto/chacha20poly1305/chacha20poly1305.h
patching file crypto/chacha20poly1305/chapoly_test.c
patching file crypto/chacha20poly1305/poly1305.c
patching file crypto/cryptlib.c
patching file crypto/evp/Makefile
Hunk #3 succeeded at 265 (offset 2 lines).
patching file crypto/evp/e_chacha20poly1305.c
patching file crypto/evp/evp.h
Hunk #1 succeeded at 893 (offset 2 lines).
patching file ssl/s3_lib.c
patching file ssl/ssl.h
patching file ssl/ssl_ciph.c
Hunk #7 succeeded at 1818 (offset 6 lines).
patching file ssl/ssl_locl.h
patching file ssl/tls1.h
patching file test/Makefile
Hunk #1 FAILED at 68.
Hunk #2 FAILED at 80.
Hunk #3 FAILED at 93.
Hunk #4 FAILED at 103.
Hunk #5 succeeded at 140 (offset 1 line).
Hunk #6 succeeded at 354 with fuzz 2 (offset 5 lines).
Hunk #7 succeeded at 526 with fuzz 2 (offset 6 lines).
Hunk #8 succeeded at 857 (offset 24 lines).
4 out of 8 hunks FAILED -- saving rejects to file test/Makefile.rej

cat test/Makefile.rej

http://pastebin.com/XjHZ464J

Mozilla recommended ciphers

Mozilla's config generator recommends:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Yet you recommend:

EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5

Which should be used?

openssl-1.0.2f/apps/speed.c:1878: undefined reference to `EVP_chacha20_poly1305'

I am trying to integrate the patch in a custom Debian openssl package. Works fine until linking:

shlib_target=; if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then \
        shlib_target="linux-shared"; \
elif [ -n "" ]; then \
  FIPSLD_CC="gcc"; CC=/usr/local/ssl/fips-2.0/bin/fipsld; export CC FIPSLD_CC; \
fi; \
LIBRARIES="-L.. -lssl  -L.. -lcrypto" ; \
make -f ../Makefile.shared -e \
        APPNAME=openssl OBJECTS="openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o srp.o" \
        LIBDEPS=" $LIBRARIES -ldl" \
        link_app.${shlib_target}
make[3]: Entering directory '/usr/local/src/openssl/openssl-1.0.2f/apps'
speed.o: In function `speed_main':
/usr/local/src/openssl/openssl-1.0.2f/apps/speed.c:1878: undefined reference to `EVP_chacha20_poly1305'
collect2: error: ld returned 1 exit status
make[3]: *** [link_app.gnu] Error 1
../Makefile.shared:171: recipe for target 'link_app.gnu' failed
make[3]: Leaving directory '/usr/local/src/openssl/openssl-1.0.2f/apps'
make[2]: *** [openssl] Error 2
Makefile:156: recipe for target 'openssl' failed
make[2]: Leaving directory '/usr/local/src/openssl/openssl-1.0.2f/apps'
make[1]: *** [build_apps] Error 1
Makefile:293: recipe for target 'build_apps' failed
make[1]: Leaving directory '/usr/local/src/openssl/openssl-1.0.2f'
make: *** [build-stamp] Error 2
debian/rules:49: recipe for target 'build-stamp' failed

(Ignore the soname)

Is Cloudflare's OpenSSL ChaCha implementation affected by CVE-2016-7054?

See https://www.openssl.org/news/secadv/20161110.txt:

ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
======================================================

Severity: High

TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS
attack by corrupting larger payloads. This can result in an OpenSSL crash. This
issue is not considered to be exploitable beyond a DoS.

OpenSSL 1.1.0 users should upgrade to 1.1.0c

This issue does not affect OpenSSL versions prior to 1.1.0

This issue was reported to OpenSSL on 25th September 2016 by Robert
Święcki (Google Security Team), and was found using honggfuzz. The fix
was developed by Richard Levitte of the OpenSSL development team.

Would be nice to know if your patch is also affected.

ChaCha20 patch failed test in OpenSSL 1.0.2j

I use this PKGBUILD to build the patched openssl-1.0.2j on an Arch Linux box and run into the error below. The complete logs are in this gist.

...
Testing DHE-RSA-CHACHA20-POLY1305
Available compression methods:
  NONE
ERROR in CLIENT
140699663293144:error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available:s23_clnt.c:508:
TLSv1.2, cipher (NONE) (NONE)
1 handshakes of 256 bytes done
Failed DHE-RSA-CHACHA20-POLY1305
make[1]: *** [Makefile:307: test_ssl] Error 1
make[1]: Leaving directory '/home/mys_721tx/openssl-chacha20/src/openssl-1.0.2j/test'
make: *** [Makefile:465: tests] Error 2

openssl 1.0.2a : Chacha20-Poly1305 patch failed.

patch
# patch -p1 < openssl__chacha20_poly1305_cf.patch
patching file Configure
patching file Makefile.org
patching file apps/speed.c
patching file crypto/chacha20poly1305/Makefile
patching file crypto/chacha20poly1305/asm/chacha20_avx.pl
patching file crypto/chacha20poly1305/asm/chacha20_avx2.pl
patching file crypto/chacha20poly1305/asm/poly1305_avx.pl
patching file crypto/chacha20poly1305/asm/poly1305_avx2.pl
patching file crypto/chacha20poly1305/chacha20.c
patching file crypto/chacha20poly1305/chacha20poly1305.h
patching file crypto/chacha20poly1305/chapoly_test.c
patching file crypto/chacha20poly1305/poly1305.c
patching file crypto/cryptlib.c
patching file crypto/evp/Makefile
patching file crypto/evp/e_chacha20poly1305.c
patching file crypto/evp/evp.h
patching file ssl/s3_lib.c
patching file ssl/ssl.h
patching file ssl/ssl_ciph.c
Hunk #7 succeeded at 1818 (offset 6 lines).
patching file ssl/ssl_locl.h
patching file ssl/tls1.h
patching file test/Makefile
config & make
# ./config --prefix=/usr/local/openssl && make
poly1305_avx2.s: Assembler messages:
poly1305_avx2.s:277: Error: suffix or operands invalid for `vpunpcklqdq'
poly1305_avx2.s:278: Error: suffix or operands invalid for `vpunpckhqdq'
poly1305_avx2.s:280: Error: no such instruction: `vpermq $216,%ymm7,%ymm7'
poly1305_avx2.s:281: Error: no such instruction: `vpermq $216,%ymm8,%ymm8'
poly1305_avx2.s:283: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:284: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:285: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:287: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:288: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:289: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:291: Error: suffix or operands invalid for `vpsllq'
poly1305_avx2.s:292: Error: suffix or operands invalid for `vpxor'
poly1305_avx2.s:293: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:294: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:296: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:297: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:298: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:299: Error: suffix or operands invalid for `vpxor'
poly1305_avx2.s:300: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:301: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:304: Error: no such instruction: `vpbroadcastq 0(%rdi),%ymm5'
poly1305_avx2.s:305: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:306: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:307: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:308: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:309: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:311: Error: no such instruction: `vpbroadcastq 160(%rdi),%ymm5'
poly1305_avx2.s:312: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:313: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:314: Error: no such instruction: `vpbroadcastq 32(%rdi),%ymm5'
poly1305_avx2.s:315: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:316: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:317: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:318: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:319: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:320: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:321: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:322: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:324: Error: no such instruction: `vpbroadcastq 192(%rdi),%ymm5'
poly1305_avx2.s:325: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:326: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:327: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:328: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:329: Error: no such instruction: `vpbroadcastq 64(%rdi),%ymm5'
poly1305_avx2.s:330: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:331: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:332: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:333: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:334: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:335: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:337: Error: no such instruction: `vpbroadcastq 224(%rdi),%ymm5'
poly1305_avx2.s:338: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:339: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:340: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:341: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:342: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:343: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:344: Error: no such instruction: `vpbroadcastq 96(%rdi),%ymm5'
poly1305_avx2.s:345: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:346: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:347: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:348: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:350: Error: no such instruction: `vpbroadcastq 256(%rdi),%ymm5'
poly1305_avx2.s:351: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:352: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:353: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:354: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:355: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:356: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:357: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:358: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:359: Error: no such instruction: `vpbroadcastq 128(%rdi),%ymm5'
poly1305_avx2.s:360: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:361: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:363: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:364: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:365: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:367: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:368: Error: suffix or operands invalid for `vpsllq'
poly1305_avx2.s:369: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:370: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:371: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:373: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:374: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:375: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:376: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:377: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:378: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:379: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:380: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:381: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:382: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:383: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:384: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:396: Error: suffix or operands invalid for `vpunpcklqdq'
poly1305_avx2.s:397: Error: suffix or operands invalid for `vpunpckhqdq'
poly1305_avx2.s:399: Error: no such instruction: `vpermq $216,%ymm7,%ymm7'
poly1305_avx2.s:400: Error: no such instruction: `vpermq $216,%ymm8,%ymm8'
poly1305_avx2.s:402: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:403: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:404: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:406: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:407: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:408: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:410: Error: suffix or operands invalid for `vpsllq'
poly1305_avx2.s:411: Error: suffix or operands invalid for `vpxor'
poly1305_avx2.s:412: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:413: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:415: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:416: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:417: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:418: Error: suffix or operands invalid for `vpxor'
poly1305_avx2.s:419: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:420: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:424: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:425: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:426: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:427: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:428: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:431: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:432: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:434: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:435: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:436: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:437: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:438: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:439: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:440: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:441: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:444: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:445: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:446: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:447: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:449: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:450: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:451: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:452: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:453: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:454: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:457: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:458: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:459: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:460: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:461: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:462: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:464: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:465: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:466: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:467: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:470: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:471: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:472: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:473: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:474: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:475: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:476: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:477: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:479: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:480: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:482: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:483: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:484: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:485: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:486: Error: suffix or operands invalid for `vpsllq'
poly1305_avx2.s:487: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:488: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:489: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:490: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:491: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:492: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:493: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:494: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:495: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:496: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:497: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:498: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:499: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:500: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:501: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:503: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:504: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:505: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:506: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:507: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:509: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:510: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:511: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:512: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:513: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:515: Error: no such instruction: `vpermq $170,%ymm0,%ymm7'
poly1305_avx2.s:516: Error: no such instruction: `vpermq $170,%ymm1,%ymm8'
poly1305_avx2.s:517: Error: no such instruction: `vpermq $170,%ymm2,%ymm9'
poly1305_avx2.s:518: Error: no such instruction: `vpermq $170,%ymm3,%ymm10'
poly1305_avx2.s:519: Error: no such instruction: `vpermq $170,%ymm4,%ymm11'
poly1305_avx2.s:521: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:522: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:523: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:524: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:525: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:542: Error: suffix or operands invalid for `vpxor'
poly1305_avx2.s:574: Error: suffix or operands invalid for `vpunpcklqdq'
poly1305_avx2.s:575: Error: suffix or operands invalid for `vpunpckhqdq'
poly1305_avx2.s:584: Error: no such instruction: `vpermq $196,%ymm14,%ymm14'
poly1305_avx2.s:587: Error: suffix or operands invalid for `vpunpcklqdq'
poly1305_avx2.s:588: Error: suffix or operands invalid for `vpunpckhqdq'
poly1305_avx2.s:595: Error: no such instruction: `vpermq $64,%ymm14,%ymm14'
poly1305_avx2.s:598: Error: suffix or operands invalid for `vpunpcklqdq'
poly1305_avx2.s:599: Error: suffix or operands invalid for `vpunpckhqdq'
poly1305_avx2.s:604: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:605: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:606: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:608: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:609: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:610: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:612: Error: suffix or operands invalid for `vpsllq'
poly1305_avx2.s:613: Error: suffix or operands invalid for `vpxor'
poly1305_avx2.s:614: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:615: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:617: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:618: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:619: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:620: Error: suffix or operands invalid for `vpxor'
poly1305_avx2.s:621: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:622: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:626: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:627: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:628: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:629: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:630: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:631: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:634: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:635: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:636: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:638: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:639: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:640: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:641: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:642: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:643: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:644: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:645: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:646: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:649: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:650: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:651: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:652: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:653: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:655: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:656: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:657: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:658: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:659: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:660: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:661: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:664: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:665: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:666: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:667: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:668: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:669: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:670: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:672: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:673: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:674: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:675: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:676: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:679: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:680: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:681: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:682: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:683: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:684: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:685: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:686: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:687: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:689: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:690: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:691: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:693: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:694: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:695: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:696: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:697: Error: suffix or operands invalid for `vpsllq'
poly1305_avx2.s:698: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:699: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:700: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:701: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:702: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:703: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:704: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:705: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:706: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:707: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:708: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:709: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:710: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:711: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:712: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:714: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:715: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:716: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:717: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:718: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:720: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:721: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:722: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:723: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:724: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:726: Error: no such instruction: `vpermq $170,%ymm0,%ymm7'
poly1305_avx2.s:727: Error: no such instruction: `vpermq $170,%ymm1,%ymm8'
poly1305_avx2.s:728: Error: no such instruction: `vpermq $170,%ymm2,%ymm9'
poly1305_avx2.s:729: Error: no such instruction: `vpermq $170,%ymm3,%ymm10'
poly1305_avx2.s:730: Error: no such instruction: `vpermq $170,%ymm4,%ymm11'
poly1305_avx2.s:732: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:733: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:734: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:735: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:736: Error: suffix or operands invalid for `vpaddq'
make[2]: *** [poly1305_avx2.o] Error 1
make[2]: Leaving directory `/root/rpm/openssl-1.0.2a/crypto/chacha20poly1305'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/root/rpm/openssl-1.0.2a/crypto'
make: *** [build_crypto] Error 1

The patch still fails in openssl 1.0.2a. ;(

OpenSSL 1.0.2-stable?

Where is this OpenSSL 1.0.2-stable? I can only find the beta2 release, which isn't the same as "stable" in my mind.

ChaCha20_Poly1305 patch causes connection reset error?

Relevant server configuration:

ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
  • OpenResty 1.11.2.2 (NGINX 1.11.2)
  • OpenSSL 1.0.2j, with openssl__chacha20_poly1305_draft_and_rfc_ossl102j.patch
  • Ubuntu 14.04 (Docker)

chrome://net-internals log from a cheap Chromebook:

t=1114 [st=   0] +REQUEST_ALIVE  [dt=2872]
t=1114 [st=   0]    DELEGATE_INFO  [dt=1]
                    --> delegate_info = "NavigationResourceThrottle"
t=1115 [st=   1]    URL_REQUEST_DELEGATE  [dt=0]
t=1115 [st=   1]    URL_REQUEST_START_JOB  [dt=0]
                    --> load_flags = 37121 (MAIN_FRAME | MAYBE_USER_GESTURE | VALIDATE_CACHE | VERIFY_EV_CERT)
                    --> method = "GET"
                    --> priority = "HIGHEST"
                    --> url = "https://andrewsun.com/"
t=1115 [st=   1]   +URL_REQUEST_START_JOB  [dt=2869]
                    --> load_flags = 37121 (MAIN_FRAME | MAYBE_USER_GESTURE | VALIDATE_CACHE | VERIFY_EV_CERT)
                    --> method = "GET"
                    --> priority = "HIGHEST"
                    --> url = "https://andrewsun.com/"
t=1115 [st=   1]      URL_REQUEST_DELEGATE  [dt=0]
t=1115 [st=   1]      HTTP_CACHE_GET_BACKEND  [dt=0]
t=1115 [st=   1]      HTTP_CACHE_OPEN_ENTRY  [dt=0]
                      --> net_error = -2 (ERR_FAILED)
t=1115 [st=   1]      HTTP_CACHE_CREATE_ENTRY  [dt=1]
t=1116 [st=   2]      HTTP_CACHE_ADD_TO_ENTRY  [dt=0]
t=1116 [st=   2]     +HTTP_STREAM_REQUEST  [dt=919]
t=1116 [st=   2]        HTTP_STREAM_REQUEST_STARTED_JOB
                        --> source_dependency = 15749 (HTTP_STREAM_JOB)
t=2035 [st= 921]        HTTP_STREAM_REQUEST_BOUND_TO_JOB
                        --> source_dependency = 15749 (HTTP_STREAM_JOB)
t=2035 [st= 921]     -HTTP_STREAM_REQUEST
t=2035 [st= 921]     +HTTP_TRANSACTION_SEND_REQUEST  [dt=1]
t=2035 [st= 921]        HTTP_TRANSACTION_HTTP2_SEND_REQUEST_HEADERS
                        --> :authority: andrewsun.com
                            :method: GET
                            :path: /
                            :scheme: https
                            accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                            accept-encoding: gzip, deflate, sdch, br
                            accept-language: en-US,en;q=0.8
                            cache-control: max-age=0
                            upgrade-insecure-requests: 1
                            user-agent: Mozilla/5.0 (X11; CrOS x86_64 8743.85.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.101 Safari/537.36
t=2036 [st= 922]     -HTTP_TRANSACTION_SEND_REQUEST
t=2036 [st= 922]     +HTTP_TRANSACTION_READ_HEADERS  [dt=1948]
t=3984 [st=2870]        HTTP2_STREAM_ERROR
                        --> description = "ABANDONED (stream_id=1): https://andrewsun.com/"
                        --> status = -101
                        --> stream_id = 1
t=3984 [st=2870]     -HTTP_TRANSACTION_READ_HEADERS
                      --> net_error = -101 (ERR_CONNECTION_RESET)
t=3984 [st=2870]   -URL_REQUEST_START_JOB
                    --> net_error = -101 (ERR_CONNECTION_RESET)
t=3985 [st=2871]    URL_REQUEST_DELEGATE  [dt=1]
t=3986 [st=2872] -REQUEST_ALIVE
                  --> net_error = -101 (ERR_CONNECTION_RESET)

Samsung Galaxy S5: https://www.webpagetest.org/result/161130_TS_J29Z/
After removing ChaCha20 from ssl_ciphers: https://www.webpagetest.org/result/161130_Y5_J46Q/ (what it should look like)

This didn't seem to happen before I updated the patch to the latest one. (I'm not sure which one I used previously, though)

This also doesn't seem to happen with CloudFlare sites.

Illegal instruction in ChaCha20 code on old AMD processors

Probably nothing can be done about this, but I'll report this anyway. I've recently upgraded all of my machines to latest OpenSSL 1.0.2j patch, with new ChaCha20 code. While I mostly use various Xeons, there are a couple of old AMD machines as well. Turns out, the ChaCha20 code crashes with illegal instruction errors, both in client and server mode, on those AMD boxes.

What I was able to capture from gdb:

Starting program: /usr/bin/openssl s_client -connect cloudflare.com:443 -cipher ECDHE-RSA-CHACHA20-POLY1305
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Extended Validation Secure Server CA
verify return:1
depth=0 serialNumber = 4710875, jurisdictionC = US, jurisdictionST = Delaware, businessCategory = Private Organization, C = US, postalCode = 94107, ST = California, L = San Francisco, street = "655 Third Street, Suite 200", O = "CloudFlare, Inc.", OU = COMODO EV Multi-Domain SSL
verify return:1

Program received signal SIGILL, Illegal instruction.
seal_sse_128 () at chacha20_poly1305_x86_64.s:3675
3675    chacha20_poly1305_x86_64.s: No such file or directory.
(gdb) bt
#0  seal_sse_128 () at chacha20_poly1305_x86_64.s:3675
#1  0x00007ffff7feed60 in ?? ()
#2  0x00007fffffffd6a0 in ?? ()
#3  0x00007ffff7ff7828 in ?? ()
#4  0x00007fffffffd6c8 in ?? ()
#5  0x00007ffff7ff74d0 in ?? ()
#6  0x0000000000000001 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) info frame
Stack level 0, frame at 0x7fffffffd550:
 rip = 0x7ffff78a8c00 in seal_sse_128 (chacha20_poly1305_x86_64.s:3675); saved rip = 0x7ffff7feed60
 called by frame at 0x7fffffffd558
 source language asm.
 Arglist at 0x7fffffffd540, args: 
 Locals at 0x7fffffffd540, Previous frame's sp is 0x7fffffffd550
 Saved registers:
  rip at 0x7fffffffd548
(gdb) disassemble 
Dump of assembler code for function seal_sse_128:
   0x00007ffff78a8b93 <+0>:     movdqu -0x429b(%rip),%xmm0        # 0x7ffff78a4900 <.chacha20_consts>
   0x00007ffff78a8b9b <+8>:     movdqa %xmm0,%xmm1
   0x00007ffff78a8b9f <+12>:    movdqa %xmm0,%xmm2
   0x00007ffff78a8ba3 <+16>:    movdqu (%r9),%xmm4
   0x00007ffff78a8ba8 <+21>:    movdqa %xmm4,%xmm5
   0x00007ffff78a8bac <+25>:    movdqa %xmm4,%xmm6
   0x00007ffff78a8bb0 <+29>:    movdqu 0x10(%r9),%xmm8
   0x00007ffff78a8bb6 <+35>:    movdqa %xmm8,%xmm9
   0x00007ffff78a8bbb <+40>:    movdqa %xmm8,%xmm10
   0x00007ffff78a8bc0 <+45>:    movdqu 0x20(%r9),%xmm14
   0x00007ffff78a8bc6 <+51>:    movdqa %xmm14,%xmm12
   0x00007ffff78a8bcb <+56>:    paddd  -0x4264(%rip),%xmm12        # 0x7ffff78a4970 <.sse_inc>
   0x00007ffff78a8bd4 <+65>:    movdqa %xmm12,%xmm13
   0x00007ffff78a8bd9 <+70>:    paddd  -0x4272(%rip),%xmm13        # 0x7ffff78a4970 <.sse_inc>
   0x00007ffff78a8be2 <+79>:    movdqa %xmm4,%xmm7
   0x00007ffff78a8be6 <+83>:    movdqa %xmm8,%xmm11
   0x00007ffff78a8beb <+88>:    movdqa %xmm12,%xmm15
   0x00007ffff78a8bf0 <+93>:    mov    $0xa,%r10
   0x00007ffff78a8bf7 <+100>:   paddd  %xmm4,%xmm0
   0x00007ffff78a8bfb <+104>:   pxor   %xmm0,%xmm12
=> 0x00007ffff78a8c00 <+109>:   pshufb -0x42ca(%rip),%xmm12        # 0x7ffff78a4940 <.rol16>
   0x00007ffff78a8c0a <+119>:   paddd  %xmm12,%xmm8
   0x00007ffff78a8c0f <+124>:   pxor   %xmm8,%xmm4
   0x00007ffff78a8c14 <+129>:   movdqa %xmm4,%xmm3
   0x00007ffff78a8c18 <+133>:   pslld  $0xc,%xmm3
   0x00007ffff78a8c1d <+138>:   psrld  $0x14,%xmm4
   0x00007ffff78a8c22 <+143>:   pxor   %xmm3,%xmm4
   0x00007ffff78a8c26 <+147>:   paddd  %xmm4,%xmm0
   0x00007ffff78a8c2a <+151>:   pxor   %xmm0,%xmm12
   0x00007ffff78a8c2f <+156>:   pshufb -0x4319(%rip),%xmm12        # 0x7ffff78a4920 <.rol8>
   0x00007ffff78a8c39 <+166>:   paddd  %xmm12,%xmm8
   0x00007ffff78a8c3e <+171>:   pxor   %xmm8,%xmm4
   0x00007ffff78a8c43 <+176>:   movdqa %xmm4,%xmm3
   0x00007ffff78a8c47 <+180>:   pslld  $0x7,%xmm3
   0x00007ffff78a8c4c <+185>:   psrld  $0x19,%xmm4
   0x00007ffff78a8c51 <+190>:   pxor   %xmm3,%xmm4
   0x00007ffff78a8c55 <+194>:   palignr $0x4,%xmm4,%xmm4
   0x00007ffff78a8c5b <+200>:   palignr $0x8,%xmm8,%xmm8
   0x00007ffff78a8c62 <+207>:   palignr $0xc,%xmm12,%xmm12
   0x00007ffff78a8c69 <+214>:   paddd  %xmm5,%xmm1
   0x00007ffff78a8c6d <+218>:   pxor   %xmm1,%xmm13
   0x00007ffff78a8c72 <+223>:   pshufb -0x433c(%rip),%xmm13        # 0x7ffff78a4940 <.rol16>
   0x00007ffff78a8c7c <+233>:   paddd  %xmm13,%xmm9
   0x00007ffff78a8c81 <+238>:   pxor   %xmm9,%xmm5
   0x00007ffff78a8c86 <+243>:   movdqa %xmm5,%xmm3
   0x00007ffff78a8c8a <+247>:   pslld  $0xc,%xmm3
   0x00007ffff78a8c8f <+252>:   psrld  $0x14,%xmm5
   0x00007ffff78a8c94 <+257>:   pxor   %xmm3,%xmm5
   0x00007ffff78a8c98 <+261>:   paddd  %xmm5,%xmm1
   0x00007ffff78a8c9c <+265>:   pxor   %xmm1,%xmm13

Processor info:

processor       : 0
vendor_id       : AuthenticAMD
cpu family      : 15
model           : 67
model name      : Dual-Core AMD Opteron(tm) Processor 1218 HE
stepping        : 3
cpu MHz         : 1800.000
cache size      : 1024 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 2
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 1
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow rep_good nopl extd_apicid eagerfpu pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy 3dnowprefetch vmmcall
bugs            : apic_c1e fxsave_leak sysret_ss_attrs null_seg swapgs_fence
bogomips        : 3618.52
TLB size        : 1024 4K pages
clflush size    : 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management: ts fid vid ttp tm stc````

The previous ChaCha20 patch worked on those machines without problems.
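The crash above is consistent with the dispatcher picking a code path the CPU cannot run: `pshufb` and `palignr` in the disassembly are SSSE3 instructions, and the Opteron 1218's flags line lists `pni` (SSE3) but no `ssse3`. The following is an added example, not code from the sslconfig repository or the issue, showing a feature check that gates each implementation level on exactly the CPUID bits it needs (and on the OS having enabled YMM state for AVX); the `cpuinfo_has_flag` matcher and the `select_impl` decision are hypothetical helpers that take the bits as parameters so the logic can be exercised without the real hardware.

```c
/*
 * Added example (not part of sslconfig or the issue above): gate the
 * vectorised ChaCha20/Poly1305 paths on the CPUID bits they actually need.
 *
 * Documented bit positions used below:
 *   leaf 1  ECX bit 9  = SSSE3 (pshufb/palignr), bit 27 = OSXSAVE, bit 28 = AVX
 *   leaf 7  EBX bit 5  = AVX2 (vpermq, ymm integer ops)
 *   XCR0    bits 1,2   = OS saves XMM and YMM state on context switch
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Constructed copy of the "flags" line posted in the report above.
 * Note: "pni" (SSE3) is present, "ssse3" is not. */
static const char OPTERON_1218_FLAGS[] =
    "fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 "
    "clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm "
    "3dnowext 3dnow rep_good nopl extd_apicid eagerfpu pni cx16 lahf_lm "
    "cmp_legacy svm extapic cr8_legacy 3dnowprefetch vmmcall";

/* True if `flag` appears as a whole space-separated token in `flags_line`
 * ("avx" must not match "avx2", "sse" must not match "ssse3"). */
bool cpuinfo_has_flag(const char *flags_line, const char *flag)
{
    size_t n = strlen(flag);
    const char *p = flags_line;
    while (*p) {
        while (*p == ' ') p++;
        const char *end = p;
        while (*end && *end != ' ') end++;
        if ((size_t)(end - p) == n && memcmp(p, flag, n) == 0)
            return true;
        p = end;
    }
    return false;
}

enum impl { IMPL_X64 = 0, IMPL_SSSE3 = 1, IMPL_AVX = 2, IMPL_AVX2 = 3 };

/* Pure dispatch decision: the highest implementation whose instructions
 * and register state both the CPU and the OS support. */
enum impl select_impl(uint32_t leaf1_ecx, uint32_t leaf7_ebx, uint64_t xcr0)
{
    bool ssse3   = (leaf1_ecx >> 9) & 1;
    bool osxsave = (leaf1_ecx >> 27) & 1;
    bool avx     = (leaf1_ecx >> 28) & 1;
    bool avx2    = (leaf7_ebx >> 5) & 1;
    /* Without OS-enabled YMM state, AVX/AVX2 instructions raise #UD. */
    bool ymm_ok  = osxsave && ((xcr0 & 0x6) == 0x6);

    if (avx2 && avx && ymm_ok) return IMPL_AVX2;
    if (avx && ymm_ok)         return IMPL_AVX;
    if (ssse3)                 return IMPL_SSSE3;
    return IMPL_X64;
}

/* Query the running CPU (x86 only) and feed the bits to select_impl(). */
enum impl select_impl_runtime(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax = 0, ebx = 0, ecx = 0, edx = 0;
    uint32_t ecx1 = 0, ebx7 = 0;
    uint64_t xcr0 = 0;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        ecx1 = ecx;
    if (__get_cpuid_max(0, NULL) >= 7) {
        __cpuid_count(7, 0, eax, ebx, ecx, edx);
        ebx7 = ebx;
    }
    if ((ecx1 >> 27) & 1) {              /* xgetbv is only legal with OSXSAVE */
        uint32_t lo, hi;
        __asm__ volatile("xgetbv" : "=a"(lo), "=d"(hi) : "c"(0));
        xcr0 = ((uint64_t)hi << 32) | lo;
    }
    return select_impl(ecx1, ebx7, xcr0);
#else
    return IMPL_X64;
#endif
}

int main(void)
{
    static const char *names[] = { "x64", "ssse3", "avx", "avx2" };
    printf("Opteron 1218 flags: ssse3=%d avx2=%d\n",
           cpuinfo_has_flag(OPTERON_1218_FLAGS, "ssse3"),
           cpuinfo_has_flag(OPTERON_1218_FLAGS, "avx2"));
    printf("this machine would dispatch to: %s\n",
           names[select_impl_runtime()]);
    return 0;
}
```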

Shared library linking - reloc errors due to non-local jmp in poly1305_avx2.pl

Hi @vkrasnov - I'm getting errors of this form linking with gcc 4.9. The library builds fine, but when I'm compiling another program with libcrypto, errors like the following happen (everything is linked with -fPIC, so it's not quite as simple as the diagnostic makes it seem):

binutils/bin/gold/ld: error: build/openssl/lib/libcrypto_pic.a(poly1305_avx2.o): requires dynamic R_X86_64_PC32 reloc against 'poly1305_update_x64' which may overflow at runtime; recompile with -fPIC
collect2: error: ld returned 1 exit status

It appears that the two jmps to poly1305_update_x64 and poly1305_finish_x64 in poly1305_avx2.pl cannot be relocated, and -fPIC doesn't have an effect on assembly code.

I'm no expert, but I looked around a bit and it seems there are ways to calculate the offset relative to the GOT/PLT when doing the jump.

Alternatively, why not just do this in code, i.e., something like this (in e_chacha20poly1305.c) and remove the jmps from the asm? This seems to work but I'd like your thoughts before I send a PR.

````c
#include <stdint.h>
#include <string.h>

static void poly1305_update_avx2_base(poly1305_state *state, const uint8_t *in,
                                      size_t in_len) {
    if (in_len >= 512) {
        poly1305_update_avx2(state, in, in_len);
    } else {
        poly1305_update_x64(state, in, in_len);
    }
}

static void poly1305_finish_avx2_base(poly1305_state *state, uint8_t mac[16]) {
    // In assembly, you check whether 8*7($state) == 0
    // (read the full 64-bit word at byte offset 56, not a single byte)
    uint64_t started;
    memcpy(&started, (const uint8_t *)state + 56, sizeof(started));
    if (started == 0) {
        poly1305_finish_x64(state, mac);
    } else {
        poly1305_finish_avx2(state, mac);
    }
}

static void EVP_chacha20_poly1305_cpuid(EVP_CHACHA20_POLY1305_CTX *ctx)
{
    if ((OPENSSL_ia32cap_loc()[1] >> 5) & 1) { /* AVX2 */
        ctx->poly1305_init_ptr = poly1305_init_x64; /* Lazy init */
        ctx->poly1305_update_ptr = poly1305_update_avx2_base;
        ctx->poly1305_finish_ptr = poly1305_finish_avx2_base;
    }
    /* remaining dispatch branches not shown in the post */
}
````

Chacha20-Poly1305 & RC4 disabling patch failed on OpenSSL 1.0.2 latest release

Using the latest official OpenSSL 1.0.2 at https://www.openssl.org/source/openssl-1.0.2.tar.gz

RC4 patch:

[root@vpsc openssl-1.0.2]# patch -p1 < openssl__disable_rc4.patch
patching file ssl/s3_lib.c
Hunk #1 FAILED at 3816.
1 out of 1 hunk FAILED -- saving rejects to file ssl/s3_lib.c.rej

It only works on 1.0.1, even the one in http://openssl.6102.n7.nabble.com/PATCH-Disable-RC4-for-TLS-v1-1-server-side-td48398.html doesn't work for the latest 1.0.2 release...

Chacha20-Poly1305 patch:

[root@vpsc openssl-1.0.2]# patch -p1 < openssl__chacha20_poly1305_cf.patch
patching file Configure
Hunk #2 succeeded at 689 (offset -3 lines).
Hunk #3 succeeded at 732 (offset -3 lines).
Hunk #4 succeeded at 1191 (offset -3 lines).
Hunk #5 succeeded at 1219 (offset -3 lines).
Hunk #6 succeeded at 1386 (offset -3 lines).
Hunk #7 succeeded at 1539 (offset -3 lines).
Hunk #8 succeeded at 1719 (offset -3 lines).
Hunk #9 succeeded at 1781 (offset -3 lines).
Hunk #10 succeeded at 2180 (offset -3 lines).
Hunk #11 succeeded at 2211 (offset -3 lines).
patching file Makefile.org
patching file apps/speed.c
Hunk #1 FAILED at 224.
Hunk #2 FAILED at 239.
Hunk #3 FAILED at 254.
Hunk #4 FAILED at 499.
Hunk #5 FAILED at 945.
Hunk #6 FAILED at 1087.
Hunk #7 FAILED at 1305.
Hunk #8 FAILED at 1811.
8 out of 8 hunks FAILED -- saving rejects to file apps/speed.c.rej
patching file crypto/chacha20poly1305/Makefile
patching file crypto/chacha20poly1305/asm/chacha20_avx.pl
patching file crypto/chacha20poly1305/asm/chacha20_avx2.pl
patching file crypto/chacha20poly1305/asm/poly1305_avx.pl
patching file crypto/chacha20poly1305/asm/poly1305_avx2.pl
patching file crypto/chacha20poly1305/chacha20.c
patching file crypto/chacha20poly1305/chacha20poly1305.h
patching file crypto/chacha20poly1305/chapoly_test.c
patching file crypto/chacha20poly1305/poly1305.c
patching file crypto/cryptlib.c
Hunk #1 FAILED at 665.
Hunk #2 FAILED at 728.
2 out of 2 hunks FAILED -- saving rejects to file crypto/cryptlib.c.rej
patching file crypto/evp/Makefile
patching file crypto/evp/e_chacha20poly1305.c
patching file crypto/evp/evp.h
Hunk #1 succeeded at 122 with fuzz 2 (offset -748 lines).
patching file ssl/s3_lib.c
Hunk #1 succeeded at 2891 with fuzz 2 (offset -9 lines).
Hunk #2 FAILED at 4146.
Hunk #3 FAILED at 4179.
Hunk #4 FAILED at 4197.
3 out of 4 hunks FAILED -- saving rejects to file ssl/s3_lib.c.rej
patching file ssl/ssl.h
Hunk #1 FAILED at 296.
1 out of 1 hunk FAILED -- saving rejects to file ssl/ssl.h.rej
patching file ssl/ssl_ciph.c
Hunk #1 FAILED at 164.
Hunk #2 FAILED at 303.
Hunk #3 FAILED at 414.
Hunk #4 FAILED at 575.
Hunk #5 FAILED at 783.
Hunk #6 FAILED at 1779.
6 out of 6 hunks FAILED -- saving rejects to file ssl/ssl_ciph.c.rej
patching file ssl/ssl_locl.h
Hunk #1 FAILED at 331.
1 out of 1 hunk FAILED -- saving rejects to file ssl/ssl_locl.h.rej
patching file ssl/tls1.h
Hunk #1 FAILED at 554.
Hunk #2 FAILED at 705.
2 out of 2 hunks FAILED -- saving rejects to file ssl/tls1.h.rej
patching file test/Makefile
[root@vpsc openssl-1.0.2]#

Patch fails with OpenSSL 1.0.2i

Unfortunately I cannot patch the new OpenSSL 1.0.2i.

$ wget "https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch"

$ patch -p1 < openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch
patching file Configure
Hunk #1 succeeded at 150 (offset 4 lines).
Hunk #2 succeeded at 714 (offset 4 lines).
Hunk #3 succeeded at 757 (offset 4 lines).
Hunk #4 succeeded at 1213 (offset 1 line).
Hunk #5 succeeded at 1242 (offset 1 line).
Hunk #6 succeeded at 1410 (offset 2 lines).
Hunk #7 FAILED at 1561.
Hunk #8 succeeded at 1754 (offset 11 lines).
Hunk #9 succeeded at 1817 (offset 11 lines).
Hunk #10 succeeded at 2216 (offset 11 lines).
Hunk #11 succeeded at 2247 (offset 11 lines).
1 out of 11 hunks FAILED -- saving rejects to file Configure.rej
patching file Makefile.org
Hunk #1 succeeded at 92 (offset 1 line).
Hunk #2 succeeded at 150 (offset 1 line).
Hunk #3 succeeded at 237 (offset 2 lines).
patching file apps/speed.c
patching file crypto/chacha20poly1305/Makefile
patching file crypto/chacha20poly1305/asm/chacha20_avx.pl
patching file crypto/chacha20poly1305/asm/chacha20_avx2.pl
patching file crypto/chacha20poly1305/asm/poly1305_avx.pl
patching file crypto/chacha20poly1305/asm/poly1305_avx2.pl
patching file crypto/chacha20poly1305/asm/poly1305_x64.pl
patching file crypto/chacha20poly1305/chacha20.c
patching file crypto/chacha20poly1305/chacha20poly1305.h
patching file crypto/chacha20poly1305/chapolytest.c
patching file crypto/chacha20poly1305/poly1305.c
patching file crypto/cryptlib.c
patching file crypto/evp/Makefile
Hunk #3 succeeded at 266 (offset 1 line).
patching file crypto/evp/e_chacha20poly1305.c
patching file crypto/evp/evp.h
patching file ssl/s3_lib.c
Hunk #1 succeeded at 2945 (offset 54 lines).
Hunk #2 succeeded at 4195 (offset 54 lines).
Hunk #3 succeeded at 4229 (offset 54 lines).
Hunk #4 succeeded at 4251 (offset 54 lines).
patching file ssl/ssl.h
patching file ssl/ssl_ciph.c
Hunk #2 succeeded at 364 (offset -1 lines).
Hunk #3 succeeded at 436 (offset -1 lines).
Hunk #4 succeeded at 591 (offset -1 lines).
Hunk #5 succeeded at 812 (offset -1 lines).
patching file ssl/ssl_locl.h
patching file ssl/tls1.h
patching file test/Makefile
Hunk #1 FAILED at 71.
Hunk #2 FAILED at 84.
Hunk #3 FAILED at 98.
Hunk #4 FAILED at 109.
Hunk #5 succeeded at 150 (offset 5 lines).
Hunk #6 succeeded at 380 with fuzz 2 (offset 14 lines).
Hunk #7 succeeded at 570 with fuzz 2 (offset 20 lines).
Hunk #8 succeeded at 660 (offset 39 lines).
4 out of 8 hunks FAILED -- saving rejects to file test/Makefile.rej

$ cat Configure.rej 
--- Configure
+++ Configure
@@ -1561,6 +1564,14 @@ $bf_obj=$bf_enc      unless ($bf_obj =~ /\.o$/);
 $cast_obj=$cast_enc    unless ($cast_obj =~ /\.o$/);
 $rc4_obj=$rc4_enc  unless ($rc4_obj =~ /\.o$/);
 $rc5_obj=$rc5_enc  unless ($rc5_obj =~ /\.o$/);
+if ($chapoly_obj =~ /\.o$/)
+   {
+   $cflags.=" -DCHAPOLY_x86_64_ASM";
+   }
+else
+   {
+   $chapoly_obj=$chapoly_enc;
+   }
 if ($sha1_obj =~ /\.o$/)
    {
 #  $sha1_obj=$sha1_enc;
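Review bot: this rejected hunk is the one that chooses between the assembly and portable ChaCha20/Poly1305 objects, so applying the rest of the patch without it leaves `$chapoly_obj` unassigned and `-DCHAPOLY_x86_64_ASM` never appended to `$cflags`, which breaks the build even though the other hunks applied. The rejection is a context mismatch (the `$cast_obj`/`$rc4_obj`/`$rc5_obj` lines around 1561 no longer match in 1.0.2i), not a problem with the added lines themselves, so the eight `+` lines can be re-applied by hand between `$rc5_obj=$rc5_enc unless ($rc5_obj =~ /\.o$/);` and `if ($sha1_obj =~ /\.o$/)`.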

There is a mistake when `make` in 1.0.2g.

I ran the following commands; there is a mistake when running make.

# cd /usr/local/src

# git clone https://github.com/cloudflare/sslconfig   

# wget -c https://www.openssl.org/source/old/1.0.2/openssl-1.0.2g.tar.gz
# tar -zxf openssl-1.0.2g.tar.gz

# cd openssl-1.0.2g 
# patch -p1 < ../sslconfig/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch 

# ./config
# make   
...
...
sslv2conftest.c: In function 'main':
sslv2conftest.c:217:15: warning: 'currtest' may be used uninitialized in this function [-Wmaybe-uninitializ
         printf("SSLv2 CONF test: FAILED (Test %d)\n", currtest);
...
...

What is the problem?

Chacha20-Poly1305 patch still failed.

Has anyone succeeded in using the patch with the OpenSSL 1.0.2 release?

on patching

patching file test/Makefile
Hunk #1 succeeded at 67 (offset -1 lines).
Hunk #2 succeeded at 80 with fuzz 2 (offset -1 lines).
Hunk #3 FAILED at 95.
Hunk #4 FAILED at 105.
Hunk #5 succeeded at 140 (offset -1 lines).
Hunk #6 succeeded at 347 (offset -4 lines).
Hunk #7 succeeded at 515 (offset -7 lines).
Hunk #8 succeeded at 815 (offset -20 lines).
2 out of 8 hunks FAILED -- saving rejects to file test/Makefile.rej

on make

/usr/bin/perl asm/poly1305_avx2.pl elf > poly1305_avx2.s
gcc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=native -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DCHAPOLY_x86_64_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -c  -o poly1305_avx2.o poly1305_avx2.s
poly1305_avx2.s: Assembler messages:
poly1305_avx2.s:277: Error: suffix or operands invalid for `vpunpcklqdq'
poly1305_avx2.s:278: Error: suffix or operands invalid for `vpunpckhqdq'
poly1305_avx2.s:280: Error: no such instruction: `vpermq $216,%ymm7,%ymm7'
poly1305_avx2.s:281: Error: no such instruction: `vpermq $216,%ymm8,%ymm8'
poly1305_avx2.s:283: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:284: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:285: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:287: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:288: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:289: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:291: Error: suffix or operands invalid for `vpsllq'
poly1305_avx2.s:292: Error: suffix or operands invalid for `vpxor'
poly1305_avx2.s:293: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:294: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:296: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:297: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:298: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:299: Error: suffix or operands invalid for `vpxor'
poly1305_avx2.s:300: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:301: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:304: Error: no such instruction: `vpbroadcastq 0(%rdi),%ymm5'
poly1305_avx2.s:305: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:306: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:307: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:308: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:309: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:311: Error: no such instruction: `vpbroadcastq 160(%rdi),%ymm5'
poly1305_avx2.s:312: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:313: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:314: Error: no such instruction: `vpbroadcastq 32(%rdi),%ymm5'
poly1305_avx2.s:315: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:316: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:317: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:318: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:319: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:320: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:321: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:322: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:324: Error: no such instruction: `vpbroadcastq 192(%rdi),%ymm5'
poly1305_avx2.s:325: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:326: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:327: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:328: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:329: Error: no such instruction: `vpbroadcastq 64(%rdi),%ymm5'
poly1305_avx2.s:330: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:331: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:332: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:333: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:334: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:335: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:337: Error: no such instruction: `vpbroadcastq 224(%rdi),%ymm5'
poly1305_avx2.s:338: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:339: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:340: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:341: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:342: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:343: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:344: Error: no such instruction: `vpbroadcastq 96(%rdi),%ymm5'
poly1305_avx2.s:345: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:346: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:347: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:348: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:350: Error: no such instruction: `vpbroadcastq 256(%rdi),%ymm5'
poly1305_avx2.s:351: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:352: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:353: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:354: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:355: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:356: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:357: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:358: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:359: Error: no such instruction: `vpbroadcastq 128(%rdi),%ymm5'
poly1305_avx2.s:360: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:361: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:363: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:364: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:365: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:367: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:368: Error: suffix or operands invalid for `vpsllq'
poly1305_avx2.s:369: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:370: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:371: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:373: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:374: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:375: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:376: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:377: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:378: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:379: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:380: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:381: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:382: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:383: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:384: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:396: Error: suffix or operands invalid for `vpunpcklqdq'
poly1305_avx2.s:397: Error: suffix or operands invalid for `vpunpckhqdq'
poly1305_avx2.s:399: Error: no such instruction: `vpermq $216,%ymm7,%ymm7'
poly1305_avx2.s:400: Error: no such instruction: `vpermq $216,%ymm8,%ymm8'
poly1305_avx2.s:402: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:403: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:404: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:406: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:407: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:408: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:410: Error: suffix or operands invalid for `vpsllq'
poly1305_avx2.s:411: Error: suffix or operands invalid for `vpxor'
poly1305_avx2.s:412: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:413: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:415: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:416: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:417: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:418: Error: suffix or operands invalid for `vpxor'
poly1305_avx2.s:419: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:420: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:424: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:425: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:426: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:427: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:428: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:431: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:432: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:434: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:435: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:436: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:437: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:438: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:439: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:440: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:441: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:444: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:445: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:446: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:447: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:449: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:450: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:451: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:452: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:453: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:454: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:457: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:458: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:459: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:460: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:461: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:462: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:464: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:465: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:466: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:467: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:470: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:471: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:472: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:473: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:474: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:475: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:476: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:477: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:479: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:480: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:482: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:483: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:484: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:485: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:486: Error: suffix or operands invalid for `vpsllq'
poly1305_avx2.s:487: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:488: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:489: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:490: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:491: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:492: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:493: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:494: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:495: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:496: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:497: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:498: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:499: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:500: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:501: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:503: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:504: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:505: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:506: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:507: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:509: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:510: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:511: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:512: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:513: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:515: Error: no such instruction: `vpermq $170,%ymm0,%ymm7'
poly1305_avx2.s:516: Error: no such instruction: `vpermq $170,%ymm1,%ymm8'
poly1305_avx2.s:517: Error: no such instruction: `vpermq $170,%ymm2,%ymm9'
poly1305_avx2.s:518: Error: no such instruction: `vpermq $170,%ymm3,%ymm10'
poly1305_avx2.s:519: Error: no such instruction: `vpermq $170,%ymm4,%ymm11'
poly1305_avx2.s:521: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:522: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:523: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:524: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:525: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:542: Error: suffix or operands invalid for `vpxor'
poly1305_avx2.s:574: Error: suffix or operands invalid for `vpunpcklqdq'
poly1305_avx2.s:575: Error: suffix or operands invalid for `vpunpckhqdq'
poly1305_avx2.s:584: Error: no such instruction: `vpermq $196,%ymm14,%ymm14'
poly1305_avx2.s:587: Error: suffix or operands invalid for `vpunpcklqdq'
poly1305_avx2.s:588: Error: suffix or operands invalid for `vpunpckhqdq'
poly1305_avx2.s:595: Error: no such instruction: `vpermq $64,%ymm14,%ymm14'
poly1305_avx2.s:598: Error: suffix or operands invalid for `vpunpcklqdq'
poly1305_avx2.s:599: Error: suffix or operands invalid for `vpunpckhqdq'
poly1305_avx2.s:604: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:605: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:606: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:608: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:609: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:610: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:612: Error: suffix or operands invalid for `vpsllq'
poly1305_avx2.s:613: Error: suffix or operands invalid for `vpxor'
poly1305_avx2.s:614: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:615: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:617: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:618: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:619: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:620: Error: suffix or operands invalid for `vpxor'
poly1305_avx2.s:621: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:622: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:626: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:627: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:628: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:629: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:630: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:631: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:634: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:635: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:636: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:638: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:639: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:640: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:641: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:642: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:643: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:644: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:645: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:646: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:649: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:650: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:651: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:652: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:653: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:655: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:656: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:657: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:658: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:659: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:660: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:661: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:664: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:665: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:666: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:667: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:668: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:669: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:670: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:672: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:673: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:674: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:675: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:676: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:679: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:680: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:681: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:682: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:683: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:684: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:685: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:686: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:687: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:689: Error: no such instruction: `vpermd %ymm5,%ymm13,%ymm5'
poly1305_avx2.s:690: Error: suffix or operands invalid for `vpmuludq'
poly1305_avx2.s:691: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:693: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:694: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:695: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:696: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:697: Error: suffix or operands invalid for `vpsllq'
poly1305_avx2.s:698: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:699: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:700: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:701: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:702: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:703: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:704: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:705: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:706: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:707: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:708: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:709: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:710: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:711: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:712: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:714: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:715: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:716: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:717: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:718: Error: suffix or operands invalid for `vpsrldq'
poly1305_avx2.s:720: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:721: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:722: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:723: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:724: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:726: Error: no such instruction: `vpermq $170,%ymm0,%ymm7'
poly1305_avx2.s:727: Error: no such instruction: `vpermq $170,%ymm1,%ymm8'
poly1305_avx2.s:728: Error: no such instruction: `vpermq $170,%ymm2,%ymm9'
poly1305_avx2.s:729: Error: no such instruction: `vpermq $170,%ymm3,%ymm10'
poly1305_avx2.s:730: Error: no such instruction: `vpermq $170,%ymm4,%ymm11'
poly1305_avx2.s:732: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:733: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:734: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:735: Error: suffix or operands invalid for `vpaddq'
poly1305_avx2.s:736: Error: suffix or operands invalid for `vpaddq'
make[2]: *** [poly1305_avx2.o] Error 1
make[2]: Leaving directory `/root/openssl-1.0.2/crypto/chacha20poly1305'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/root/openssl-1.0.2/crypto'
make: *** [build_crypto] Error 1
[root@vpsa openssl-1.0.2]#

Syntax error: word unexpected

It works on CentOS 6 but not on FreeBSD, please help me! Thank you...

wget https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102j.patch
patch -p1 < openssl__chacha20_poly1305_draft_and_rfc_ossl102j.patch
....................................................................
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From dcf9b5698b8658c9248327b3fdb280090c5c78ec Mon Sep 17 00:00:00 2001
|From: vkrasnov <[email protected]>
|Date: Tue, 4 Oct 2016 15:47:32 -0700
|Subject: [PATCH] ChaCha20-Poly1305 draft and RFC cipher suites for OpenSSL
| 1.0.2j
|
|---
| Configure                                          |   44 +-
| Makefile.org                                       |    4 +-
| crypto/chacha20_poly1305/Makefile                  |   89 +
| .../asm/chacha20_poly1305_x86_64.pl                | 2299 ++++++++++++++++++++
| crypto/chacha20_poly1305/asm/chacha20_x86_64.pl    |  415 ++++
| crypto/chacha20_poly1305/asm/poly1305_x86_64.pl    |  280 +++
| crypto/chacha20_poly1305/chacha20.c                |  142 ++
| crypto/chacha20_poly1305/chacha20poly1305.h        |   64 +
| crypto/chacha20_poly1305/poly1305.c                |  355 +++
| crypto/evp/Makefile                                |    8 +-
| crypto/evp/c_allc.c                                |    5 +
| crypto/evp/e_chacha20_poly1305.c                   |  362 +++
| crypto/evp/evp.h                                   |    5 +
| crypto/objects/obj_dat.h                           |   13 +-
| crypto/objects/obj_mac.h                           |    8 +
| crypto/objects/obj_mac.num                         |    2 +
| crypto/objects/objects.txt                         |    2 +
| ssl/s3_lib.c                                       |  128 +-
| ssl/ssl.h                                          |    2 +
| ssl/ssl_ciph.c                                     |   31 +-
| ssl/ssl_locl.h                                     |    2 +
| ssl/tls1.h                                         |   26 +
| 22 files changed, 4260 insertions(+), 26 deletions(-)
| create mode 100644 crypto/chacha20_poly1305/Makefile
| create mode 100755 crypto/chacha20_poly1305/asm/chacha20_poly1305_x86_64.pl
| create mode 100644 crypto/chacha20_poly1305/asm/chacha20_x86_64.pl
| create mode 100644 crypto/chacha20_poly1305/asm/poly1305_x86_64.pl
| create mode 100644 crypto/chacha20_poly1305/chacha20.c
| create mode 100644 crypto/chacha20_poly1305/chacha20poly1305.h
| create mode 100644 crypto/chacha20_poly1305/poly1305.c
| create mode 100644 crypto/evp/e_chacha20_poly1305.c
|
|diff --git a/Configure b/Configure
|index c39f71a..f5f7c06 100755
|--- a/Configure
|+++ b/Configure
--------------------------
Patching file Configure using Plan A...
Hunk #1 succeeded at 150.
Hunk #2 succeeded at 179.
Hunk #3 succeeded at 713.
Hunk #4 succeeded at 1240.
Hunk #5 succeeded at 1409.
Hunk #6 succeeded at 1625.
Hunk #7 succeeded at 1758.
Hunk #8 succeeded at 1820.
Hunk #9 succeeded at 2220.
Hunk #10 succeeded at 2250.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/Makefile.org b/Makefile.org
|index 2377f50..1f20a61 100644
|--- a/Makefile.org
|+++ b/Makefile.org
--------------------------
Patching file Makefile.org using Plan A...
Hunk #1 succeeded at 103.
Hunk #2 succeeded at 150.
Hunk #3 succeeded at 241.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/crypto/chacha20_poly1305/Makefile b/crypto/chacha20_poly1305/Makefile
|new file mode 100644
|index 0000000..87f4ba3
|--- /dev/null
|+++ b/crypto/chacha20_poly1305/Makefile
--------------------------
(Creating file crypto/chacha20_poly1305/Makefile...)
Patching file crypto/chacha20_poly1305/Makefile using Plan A...
Empty context always matches.
Hunk #1 succeeded at 1.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/crypto/chacha20_poly1305/asm/chacha20_poly1305_x86_64.pl b/crypto/chacha20_poly1305/asm/chacha20_poly1305_x86_64.pl
|new file mode 100755
|index 0000000..ef90831
|--- /dev/null
|+++ b/crypto/chacha20_poly1305/asm/chacha20_poly1305_x86_64.pl
--------------------------
(Creating file crypto/chacha20_poly1305/asm/chacha20_poly1305_x86_64.pl...)
Patching file crypto/chacha20_poly1305/asm/chacha20_poly1305_x86_64.pl using Plan A...
Empty context always matches.
Hunk #1 succeeded at 1.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/crypto/chacha20_poly1305/asm/chacha20_x86_64.pl b/crypto/chacha20_poly1305/asm/chacha20_x86_64.pl
|new file mode 100644
|index 0000000..538af42
|--- /dev/null
|+++ b/crypto/chacha20_poly1305/asm/chacha20_x86_64.pl
--------------------------
(Creating file crypto/chacha20_poly1305/asm/chacha20_x86_64.pl...)
Patching file crypto/chacha20_poly1305/asm/chacha20_x86_64.pl using Plan A...
Empty context always matches.
Hunk #1 succeeded at 1.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/crypto/chacha20_poly1305/asm/poly1305_x86_64.pl b/crypto/chacha20_poly1305/asm/poly1305_x86_64.pl
|new file mode 100644
|index 0000000..05e4bc5
|--- /dev/null
|+++ b/crypto/chacha20_poly1305/asm/poly1305_x86_64.pl
--------------------------
(Creating file crypto/chacha20_poly1305/asm/poly1305_x86_64.pl...)
Patching file crypto/chacha20_poly1305/asm/poly1305_x86_64.pl using Plan A...
Empty context always matches.
Hunk #1 succeeded at 1.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/crypto/chacha20_poly1305/chacha20.c b/crypto/chacha20_poly1305/chacha20.c
|new file mode 100644
|index 0000000..b48d857
|--- /dev/null
|+++ b/crypto/chacha20_poly1305/chacha20.c
--------------------------
(Creating file crypto/chacha20_poly1305/chacha20.c...)
Patching file crypto/chacha20_poly1305/chacha20.c using Plan A...
Empty context always matches.
Hunk #1 succeeded at 1.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/crypto/chacha20_poly1305/chacha20poly1305.h b/crypto/chacha20_poly1305/chacha20poly1305.h
|new file mode 100644
|index 0000000..3968c40
|--- /dev/null
|+++ b/crypto/chacha20_poly1305/chacha20poly1305.h
--------------------------
(Creating file crypto/chacha20_poly1305/chacha20poly1305.h...)
Patching file crypto/chacha20_poly1305/chacha20poly1305.h using Plan A...
Empty context always matches.
Hunk #1 succeeded at 1.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/crypto/chacha20_poly1305/poly1305.c b/crypto/chacha20_poly1305/poly1305.c
|new file mode 100644
|index 0000000..6bd553b
|--- /dev/null
|+++ b/crypto/chacha20_poly1305/poly1305.c
--------------------------
(Creating file crypto/chacha20_poly1305/poly1305.c...)
Patching file crypto/chacha20_poly1305/poly1305.c using Plan A...
Empty context always matches.
Hunk #1 succeeded at 1.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/crypto/evp/Makefile b/crypto/evp/Makefile
|index fa138d0..c87896b 100644
|--- a/crypto/evp/Makefile
|+++ b/crypto/evp/Makefile
--------------------------
Patching file crypto/evp/Makefile using Plan A...
Hunk #1 succeeded at 29.
Hunk #2 succeeded at 43.
Hunk #3 succeeded at 795.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c
|index 280e584..694f168 100644
|--- a/crypto/evp/c_allc.c
|+++ b/crypto/evp/c_allc.c
--------------------------
Patching file crypto/evp/c_allc.c using Plan A...
Hunk #1 succeeded at 238.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
|new file mode 100644
|index 0000000..1e072ec
|--- /dev/null
|+++ b/crypto/evp/e_chacha20_poly1305.c
--------------------------
(Creating file crypto/evp/e_chacha20_poly1305.c...)
Patching file crypto/evp/e_chacha20_poly1305.c using Plan A...
Empty context always matches.
Hunk #1 succeeded at 1.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
|index 39ab793..8feaabc 100644
|--- a/crypto/evp/evp.h
|+++ b/crypto/evp/evp.h
--------------------------
Patching file crypto/evp/evp.h using Plan A...
Hunk #1 succeeded at 902.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
|index b7e3cf2..26612e2 100644
|--- a/crypto/objects/obj_dat.h
|+++ b/crypto/objects/obj_dat.h
--------------------------
Patching file crypto/objects/obj_dat.h using Plan A...
Hunk #1 succeeded at 62.
Hunk #2 succeeded at 2514.
Hunk #3 succeeded at 2577.
Hunk #4 succeeded at 3733.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
|index 779c309..35a2364 100644
|--- a/crypto/objects/obj_mac.h
|+++ b/crypto/objects/obj_mac.h
--------------------------
Patching file crypto/objects/obj_mac.h using Plan A...
Hunk #1 succeeded at 4047.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
|index 8e5ea83..a3da329 100644
|--- a/crypto/objects/obj_mac.num
|+++ b/crypto/objects/obj_mac.num
--------------------------
Patching file crypto/objects/obj_mac.num using Plan A...
Hunk #1 succeeded at 955.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
|index b57aabb..6a34a33 100644
|--- a/crypto/objects/objects.txt
|+++ b/crypto/objects/objects.txt
--------------------------
Patching file crypto/objects/objects.txt using Plan A...
Hunk #1 succeeded at 1294.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
|index 0385e03..65fdc59 100644
|--- a/ssl/s3_lib.c
|+++ b/ssl/s3_lib.c
--------------------------
Patching file ssl/s3_lib.c using Plan A...
Hunk #1 succeeded at 2945.
Hunk #2 succeeded at 4194.
Hunk #3 succeeded at 4224.
Hunk #4 succeeded at 4250.
Hunk #5 succeeded at 4334.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/ssl/ssl.h b/ssl/ssl.h
|index 90aeb0c..f783baa 100644
|--- a/ssl/ssl.h
|+++ b/ssl/ssl.h
--------------------------
Patching file ssl/ssl.h using Plan A...
Hunk #1 succeeded at 297.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
|index 2ad8f43..23c1c68 100644
|--- a/ssl/ssl_ciph.c
|+++ b/ssl/ssl_ciph.c
--------------------------
Patching file ssl/ssl_ciph.c using Plan A...
Hunk #1 succeeded at 164.
Hunk #2 succeeded at 317.
Hunk #3 succeeded at 435.
Hunk #4 succeeded at 590.
Hunk #5 succeeded at 820.
Hunk #6 succeeded at 1845.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|index 6df725f..dbe68f2 100644
|--- a/ssl/ssl_locl.h
|+++ b/ssl/ssl_locl.h
--------------------------
Patching file ssl/ssl_locl.h using Plan A...
Hunk #1 succeeded at 354.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff --git a/ssl/tls1.h b/ssl/tls1.h
|index 7e237d0..ff2e259 100644
|--- a/ssl/tls1.h
|+++ b/ssl/tls1.h
--------------------------
Patching file ssl/tls1.h using Plan A...
Hunk #1 succeeded at 563.
Hunk #2 succeeded at 726.
Hmm...  Ignoring the trailing garbage.
done
....................................................................
./config --prefix=/root/openssl/.openssl no-shared
make
make install
....................................................................
making install in crypto/pqueue...
making install in crypto/ts...
making install in crypto/srp...
making install in crypto/cmac...
making install in crypto/chacha20_poly1305...
Syntax error: word unexpected
*** Error code 2

Stop.
make[2]: stopped in /root/openssl-1.0.2j/crypto/chacha20_poly1305
*** Error code 1

Stop.
make[1]: stopped in /root/openssl-1.0.2j/crypto
*** Error code 1

Stop.
make: stopped in /root/openssl-1.0.2j

Build Fails: suffix or operands invalid for `vpunpcklqdq'

Running CentOS 6.7, the latest 1.0.2g patch applies to the 1.0.2g openssl source without error, but make fails:

poly1305_avx2.s: Assembler messages:
poly1305_avx2.s:335: Error: suffix or operands invalid for `vpunpcklqdq'
poly1305_avx2.s:336: Error: suffix or operands invalid for `vpunpckhqdq'
poly1305_avx2.s:338: Error: no such instruction: `vpermq $0xD8,%ymm7,%ymm7'
poly1305_avx2.s:339: Error: no such instruction: `vpermq $0xD8,%ymm8,%ymm8'
poly1305_avx2.s:341: Error: suffix or operands invalid for `vpsrlq'
poly1305_avx2.s:342: Error: suffix or operands invalid for `vpand'
poly1305_avx2.s:343: Error: suffix or operands invalid for `vpaddq'

Is this due to an instruction set my CPU is missing? I'm running a cloud server on Rackspace.

cpuinfo.txt

patch-results.txt
config-results.txt
make-depend-results.txt
make-results.txt

OpenSSL 1.0.2h failed to link on Visual Studio 2013

I am using the latest "openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch" patch on OpenSSL 1.0.2h, compiling from the Visual Studio 2013 x64 command prompt. Vanilla 1.0.2h compiles, but with the chacha draft patch applied successfully the build ends with a link error:

C:\Users\Users1\Documents\Works\Compiling\openssl-1.0.2h>nmake -f ms\nt.mak

Microsoft (R) Program Maintenance Utility Version 12.00.21005.1
Copyright (C) Microsoft Corporation. All rights reserved.

Building OpenSSL
link /nologo /subsystem:console /opt:ref /debug /out:out32\ssltest.exe @C:\Users\Users1\AppData\Local\Temp\nmF932.tmp
libeay32.lib(e_chacha20poly1305.obj) : error LNK2019: unresolved external symbol CRYPTO_chacha_20 referenced in function EVP_chacha20_poly1305_cipher
libeay32.lib(e_chacha20poly1305.obj) : error LNK2019: unresolved external symbol poly1305_init_x64 referenced in function EVP_chacha20_poly1305_cpuid
libeay32.lib(e_chacha20poly1305.obj) : error LNK2019: unresolved external symbol poly1305_update_x64 referenced in function EVP_chacha20_poly1305_cpuid
libeay32.lib(e_chacha20poly1305.obj) : error LNK2019: unresolved external symbol poly1305_finish_x64 referenced in function EVP_chacha20_poly1305_cpuid
libeay32.lib(e_chacha20poly1305.obj) : error LNK2019: unresolved external symbol poly1305_update_avx2 referenced in function EVP_chacha20_poly1305_cpuid
libeay32.lib(e_chacha20poly1305.obj) : error LNK2019: unresolved external symbol poly1305_finish_avx2 referenced in function EVP_chacha20_poly1305_cpuid
out32\ssltest.exe : fatal error LNK1120: 6 unresolved externals
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\BIN\amd64\link.EXE"' : return code '0x460'
Stop.

There is a mistake when running `make` in 1.0.2g.

# cd /usr/local/src

# git clone https://github.com/cloudflare/sslconfig   

# wget -c https://www.openssl.org/source/old/1.0.2/openssl-1.0.2g.tar.gz
# tar -zxf openssl-1.0.2g.tar.gz

# cd openssl-1.0.2g 
# patch -p1 < ../sslconfig/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch 

# ./config
# make   
...
...
sslv2conftest.c: In function 'main':
sslv2conftest.c:217:15: warning: 'currtest' may be used uninitialized in this function [-Wmaybe-uninitializ
         printf("SSLv2 CONF test: FAILED (Test %d)\n", currtest);
...
...

CHACHA20 Patch doesn't work with GCC 4.4, and architecture difference..

This idea just came up in my mind..

I could use the patch on CentOS 6 x86 successfully (which uses GCC 4.4).

But when I use it on x86_64 (still GCC 4.4), it comes up with the error in poly1305_avx2.s (see #10 #11).
So I guessed there is some problem with the AVX2 optimized code...
and I found it is something introduced in GCC 4.6,
so I tried using GCC 4.9.1... SUCCESS!

Since GCC 4.4 is quite widely-used (as provided in the CentOS 6 official repo), it would be better to mention this on the README.


So... this means that x86 does not have code as well optimized as x86_64?

Benchmark on x86:

chacha20-poly1305    12908.94k    42709.33k    69848.06k    82854.23k    87263.91k
256 bit ecdh (nistp256)   0.0012s    806.4

Benchmark on x86_64:

chacha20-poly1305    38188.50k   123035.73k   251849.73k   411736.41k   486099.63k
256 bit ecdh (nistp256)   0.0001s   7304.7

NOTE: same machine, only different arch

It would be great to mention this on the README too.
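The same two assembler messages recur in the reports above: `no such instruction` for `vpermq`/`vpermd`, and `suffix or operands invalid` for `vpaddq`, `vpmuludq` and friends on `%ymm` registers. Both come from the assembler, not from the CPU the binary will run on: `vpermq` and `vpermd` only exist in AVX2, and the 256-bit (`ymm`) forms of the integer instructions are AVX2 too (AVX alone only has their 128-bit `xmm` forms), so an assembler that predates AVX2 rejects the generated `poly1305_avx2.s` at build time. The following shell probe is an added example, not code from the sslconfig repository or from OpenSSL; it feeds the exact mnemonics taken from the error messages above to the assembler that `cc` drives and reports which ones are rejected. The function names `probe_insn` and `check_avx2_toolchain` are my own.

```shell
#!/bin/sh
# Added example, not code from the sslconfig repository: probe whether the
# assembler behind cc accepts the AVX2 instruction forms that the generated
# poly1305_avx2.s uses. Mnemonics are copied from the build errors above;
# the function names are hypothetical (mine), not OpenSSL's.

# probe_insn INSN: try to assemble a single AT&T-syntax instruction.
# Prints "yes" (accepted), "no" (rejected) or "unknown" (no assembler found)
# and returns 0, 1 or 2 respectively. Conditions are written with if/else so
# the function behaves the same under "set -e".
probe_insn() {
    insn="$1"
    tmpdir=$(mktemp -d) || { echo unknown; return 2; }
    printf '\t%s\n' "$insn" > "$tmpdir/probe.s"
    have_as=1
    rc=1
    if command -v cc >/dev/null 2>&1; then
        # The compiler driver invokes the same assembler the OpenSSL build uses.
        if cc -c -o "$tmpdir/probe.o" "$tmpdir/probe.s" >/dev/null 2>&1; then
            rc=0
        fi
    elif command -v as >/dev/null 2>&1; then
        if as -o "$tmpdir/probe.o" "$tmpdir/probe.s" >/dev/null 2>&1; then
            rc=0
        fi
    else
        have_as=0
    fi
    rm -rf "$tmpdir"
    if [ "$have_as" -eq 0 ]; then echo unknown; return 2; fi
    if [ "$rc" -eq 0 ]; then echo yes; return 0; fi
    echo no
    return 1
}

# check_avx2_toolchain: first confirm the assembler targets x86-64 at all
# (a plain 64-bit move), then try each AVX2 form seen in the build errors.
# Returns 0 if every form is accepted, 1 if any is rejected, 2 if the probe
# does not apply (no assembler, or not an x86-64 target).
check_avx2_toolchain() {
    if [ "$(probe_insn 'movq %rax,%rbx')" != yes ]; then
        echo "no x86-64 assembler found; AVX2 probe not applicable"
        return 2
    fi
    rejected=0
    for insn in 'vpermq $0xD8,%ymm7,%ymm7' \
                'vpermd %ymm5,%ymm13,%ymm5' \
                'vpmuludq %ymm1,%ymm2,%ymm3' \
                'vpunpcklqdq %ymm1,%ymm2,%ymm3'; do
        if [ "$(probe_insn "$insn")" = yes ]; then
            echo "ok    $insn"
        else
            echo "FAIL  $insn   (assembler predates AVX2 support)"
            rejected=$((rejected + 1))
        fi
    done
    if [ "$rejected" -gt 0 ]; then
        echo "$rejected AVX2 form(s) rejected: poly1305_avx2.s will not assemble with this toolchain"
        return 1
    fi
    echo "all probed AVX2 forms accepted"
    return 0
}

# Run the full check when invoked as: sh avx2probe.sh --check
if [ "${1:-}" = "--check" ]; then
    check_avx2_toolchain
fi
```

Run it with `--check` on the build host before applying the patch: a `FAIL` line means the toolchain (binutils on Linux, the Xcode tools on macOS) needs updating or a newer `cc` must be put first on `PATH`, whereas an `ok` for every line means the errors above are not coming from the assembler. The probe deliberately uses the compiler driver rather than calling `as` directly so that it tests the assembler the OpenSSL Makefiles will actually invoke.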

1.0.1g :: Missing symbols while linking libcrypto.a

Looks like there may be a dependency issue which is not present in vanilla 1.0.2g.

Edit: Fails in all tested configurations: default configure options, no-shared, no-fips, etc.

if [ -n "libcrypto.1.0.0.dylib libssl.1.0.0.dylib" ]; then \
        (cd ..; /Applications/Xcode.app/Contents/Developer/usr/bin/make libcrypto.1.0.0.dylib); \
    fi
[ -z "" ] || cc -fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DCHAPOLY_x86_64_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -Iinclude \
        -DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso  \
        fips_premain.c fipscanister.o \
        libcrypto.a
Undefined symbols for architecture x86_64:
  "_chacha_20_core_avx", referenced from:
      _CRYPTO_chacha_20 in libcrypto.a(chacha20.o)
  "_chacha_20_core_avx2", referenced from:
      _CRYPTO_chacha_20 in libcrypto.a(chacha20.o)
  "_poly1305_finish_avx2", referenced from:
      _EVP_chacha20_poly1305_init_draft in libcrypto.a(e_chacha20poly1305.o)
      _EVP_chacha20_poly1305_init in libcrypto.a(e_chacha20poly1305.o)
  "_poly1305_update_avx2", referenced from:
      _EVP_chacha20_poly1305_init_draft in libcrypto.a(e_chacha20poly1305.o)
      _EVP_chacha20_poly1305_init in libcrypto.a(e_chacha20poly1305.o)
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[4]: *** [link_a.darwin] Error 1
make[3]: *** [do_darwin-shared] Error 2
make[2]: *** [libcrypto.1.0.0.dylib] Error 2
make[1]: *** [shared] Error 2
make: *** [build_crypto] Error 1

More build logs here updated: minimal examples
