Browse Source

Latest update

master
Hakase 3 weeks ago
parent
commit
4545e781b0
Signed by: Hakase <hakase@hakase.app> GPG Key ID: BB2821A9E0DF48C9

+ 4
- 4
openssl-3.0.0-dev-chacha_draft.patch View File

@@ -499,11 +499,11 @@ index bd0d4210f4..709badc0b4 100644
499 499
  # define SSL_ARIA                (SSL_ARIAGCM)
500 500
  
501 501
 diff --git a/util/libcrypto.num b/util/libcrypto.num
502
-index 560f47fb66..d0e6f40b68 100644
502
+index 991a9feea8..b9bc370329 100644
503 503
 --- a/util/libcrypto.num
504 504
 +++ b/util/libcrypto.num
505
-@@ -4643,3 +4643,4 @@ EC_GROUP_get0_field                     4598	3_0_0	EXIST::FUNCTION:EC
506
- CRYPTO_alloc_ex_data                    4599	3_0_0	EXIST::FUNCTION:
505
+@@ -4644,3 +4644,4 @@ CRYPTO_alloc_ex_data                    4599	3_0_0	EXIST::FUNCTION:
507 506
  OPENSSL_CTX_new                         4600	3_0_0	EXIST::FUNCTION:
508 507
  OPENSSL_CTX_free                        4601	3_0_0	EXIST::FUNCTION:
509
-+EVP_chacha20_poly1305_draft             4602	3_0_0	EXIST::FUNCTION:CHACHA,POLY1305
508
+ OPENSSL_LH_flush                        4602	3_0_0	EXIST::FUNCTION:
509
++EVP_chacha20_poly1305_draft             4603	3_0_0	EXIST::FUNCTION:CHACHA,POLY1305

+ 1071
- 0
openssl-equal-1.1.1b.patch View File

@@ -0,0 +1,1071 @@
1
+diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
2
+index faf9e53814..428df515f1 100644
3
+--- a/doc/man1/ciphers.pod
4
++++ b/doc/man1/ciphers.pod
5
+@@ -400,6 +400,21 @@ permissible.
6
+ 
7
+ =back
8
+ 
9
++=head1 EQUAL PREFERENCE GROUPS
10
++
11
++If configuring a server, one may also configure equal-preference groups to
12
++partially respect the client's preferences when
13
++B<SSL_OP_CIPHER_SERVER_PREFERENCE> is enabled. Ciphers in an equal-preference
14
++group have equal priority and use the client order. This may be used to
15
++enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305
16
++based on client preferences. An equal-preference is specified with square
17
++brackets, combining multiple selectors separated by |. For example:
18
++
19
++ [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]
20
++ 
21
++ Once an equal-preference group is used, future directives must be
22
++ opcode-less.
23
++
24
+ =head1 CIPHER SUITE NAMES
25
+ 
26
+ The following lists give the SSL or TLS cipher suites names from the
27
+diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
28
+index 4b7757395f..8ff91f7570 100644
29
+--- a/include/openssl/ssl.h
30
++++ b/include/openssl/ssl.h
31
+@@ -173,12 +173,12 @@ extern "C" {
32
+ # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
33
+ /* This is the default set of TLSv1.3 ciphersuites */
34
+ # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
35
+-#  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
36
++#  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_128_GCM_SHA256:" \
37
+                                    "TLS_CHACHA20_POLY1305_SHA256:" \
38
+-                                   "TLS_AES_128_GCM_SHA256"
39
++                                   "TLS_AES_256_GCM_SHA384"
40
+ # else
41
+-#  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
42
+-                                   "TLS_AES_128_GCM_SHA256"
43
++#  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_128_GCM_SHA256:" \
44
++                                   "TLS_AES_256_GCM_SHA384"
45
+ #endif
46
+ /*
47
+  * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
48
+diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
49
+index a50a075b42..e9abb98d4f 100644
50
+--- a/include/openssl/sslerr.h
51
++++ b/include/openssl/sslerr.h
52
+@@ -596,6 +596,8 @@ int ERR_load_SSL_strings(void);
53
+ # define SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION         209
54
+ # define SSL_R_MISSING_TMP_DH_KEY                         171
55
+ # define SSL_R_MISSING_TMP_ECDH_KEY                       311
56
++# define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS         101
57
++# define SSL_R_NESTED_GROUP                               108
58
+ # define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA     293
59
+ # define SSL_R_NOT_ON_RECORD_BOUNDARY                     182
60
+ # define SSL_R_NOT_REPLACING_CERTIFICATE                  289
61
+@@ -727,9 +729,11 @@ int ERR_load_SSL_strings(void);
62
+ # define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS       239
63
+ # define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES           242
64
+ # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES          243
65
++# define SSL_R_UNEXPECTED_GROUP_CLOSE                     109
66
+ # define SSL_R_UNEXPECTED_CCS_MESSAGE                     262
67
+ # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA               178
68
+ # define SSL_R_UNEXPECTED_MESSAGE                         244
69
++# define SSL_R_UNEXPECTED_OPERATOR_IN_GROUP               110
70
+ # define SSL_R_UNEXPECTED_RECORD                          245
71
+ # define SSL_R_UNINITIALIZED                              276
72
+ # define SSL_R_UNKNOWN_ALERT_TYPE                         246
73
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
74
+index 99ae48199c..0c326fec0d 100644
75
+--- a/ssl/s3_lib.c
76
++++ b/ssl/s3_lib.c
77
+@@ -167,7 +167,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
78
+      SSL_aRSA,
79
+      SSL_3DES,
80
+      SSL_SHA1,
81
+-     SSL3_VERSION, TLS1_2_VERSION,
82
++     SSL3_VERSION, TLS1_VERSION,
83
+      DTLS1_BAD_VER, DTLS1_2_VERSION,
84
+      SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
85
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
86
+@@ -232,7 +232,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
87
+      SSL_aRSA,
88
+      SSL_AES128,
89
+      SSL_SHA1,
90
+-     SSL3_VERSION, TLS1_2_VERSION,
91
++     SSL3_VERSION, TLS1_VERSION,
92
+      DTLS1_BAD_VER, DTLS1_2_VERSION,
93
+      SSL_HIGH | SSL_FIPS,
94
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
95
+@@ -296,7 +296,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
96
+      SSL_aRSA,
97
+      SSL_AES256,
98
+      SSL_SHA1,
99
+-     SSL3_VERSION, TLS1_2_VERSION,
100
++     SSL3_VERSION, TLS1_VERSION,
101
+      DTLS1_BAD_VER, DTLS1_2_VERSION,
102
+      SSL_HIGH | SSL_FIPS,
103
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
104
+@@ -4124,6 +4124,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
105
+     return 1;
106
+ }
107
+ 
108
++struct ssl_cipher_preference_list_st* ssl_get_cipher_preferences(SSL *s)
109
++{
110
++    if (s->cipher_list != NULL)
111
++        return (s->cipher_list);
112
++
113
++    if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL))
114
++        return (s->ctx->cipher_list);
115
++
116
++    return NULL;
117
++}
118
++
119
+ /*
120
+  * ssl3_choose_cipher - choose a cipher from those offered by the client
121
+  * @s: SSL connection
122
+@@ -4133,16 +4144,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
123
+  * Returns the selected cipher or NULL when no common ciphers.
124
+  */
125
+ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
126
+-                                     STACK_OF(SSL_CIPHER) *srvr)
127
++                                     struct ssl_cipher_preference_list_st
128
++                                     *server_pref)
129
+ {
130
+     const SSL_CIPHER *c, *ret = NULL;
131
+-    STACK_OF(SSL_CIPHER) *prio, *allow;
132
+-    int i, ii, ok, prefer_sha256 = 0;
133
++    STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow;
134
++    int i, ii, ok, prefer_sha256 = 0, safari_ec = 0;
135
+     unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0;
136
+     const EVP_MD *mdsha256 = EVP_sha256();
137
+-#ifndef OPENSSL_NO_CHACHA
138
+-    STACK_OF(SSL_CIPHER) *prio_chacha = NULL;
139
+-#endif
140
++
141
++    /* in_group_flags will either be NULL, or will point to an array of
142
++     * bytes which indicate equal-preference groups in the |prio| stack.
143
++     * See the comment about |in_group_flags| in the
144
++     * |ssl_cipher_preference_list_st| struct. */
145
++    const uint8_t *in_group_flags;
146
++
147
++    /* group_min contains the minimal index so far found in a group, or -1
148
++     * if no such value exists yet. */
149
++    int group_min = -1;
150
+ 
151
+     /* Let's see which ciphers we can support */
152
+ 
153
+@@ -4169,54 +4188,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
154
+ #endif
155
+ 
156
+     /* SUITE-B takes precedence over server preference and ChaCha priortiy */
157
+-    if (tls1_suiteb(s)) {
158
++    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) {
159
+         prio = srvr;
160
++        in_group_flags = server_pref->in_group_flags;
161
+         allow = clnt;
162
+-    } else if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
163
+-        prio = srvr;
164
+-        allow = clnt;
165
+-#ifndef OPENSSL_NO_CHACHA
166
+-        /* If ChaCha20 is at the top of the client preference list,
167
+-           and there are ChaCha20 ciphers in the server list, then
168
+-           temporarily prioritize all ChaCha20 ciphers in the servers list. */
169
+-        if (s->options & SSL_OP_PRIORITIZE_CHACHA && sk_SSL_CIPHER_num(clnt) > 0) {
170
+-            c = sk_SSL_CIPHER_value(clnt, 0);
171
+-            if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
172
+-                /* ChaCha20 is client preferred, check server... */
173
+-                int num = sk_SSL_CIPHER_num(srvr);
174
+-                int found = 0;
175
+-                for (i = 0; i < num; i++) {
176
+-                    c = sk_SSL_CIPHER_value(srvr, i);
177
+-                    if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
178
+-                        found = 1;
179
+-                        break;
180
+-                    }
181
+-                }
182
+-                if (found) {
183
+-                    prio_chacha = sk_SSL_CIPHER_new_reserve(NULL, num);
184
+-                    /* if reserve fails, then there's likely a memory issue */
185
+-                    if (prio_chacha != NULL) {
186
+-                        /* Put all ChaCha20 at the top, starting with the one we just found */
187
+-                        sk_SSL_CIPHER_push(prio_chacha, c);
188
+-                        for (i++; i < num; i++) {
189
+-                            c = sk_SSL_CIPHER_value(srvr, i);
190
+-                            if (c->algorithm_enc == SSL_CHACHA20POLY1305)
191
+-                                sk_SSL_CIPHER_push(prio_chacha, c);
192
+-                        }
193
+-                        /* Pull in the rest */
194
+-                        for (i = 0; i < num; i++) {
195
+-                            c = sk_SSL_CIPHER_value(srvr, i);
196
+-                            if (c->algorithm_enc != SSL_CHACHA20POLY1305)
197
+-                                sk_SSL_CIPHER_push(prio_chacha, c);
198
+-                        }
199
+-                        prio = prio_chacha;
200
+-                    }
201
+-                }
202
+-            }
203
+-        }
204
+-# endif
205
+     } else {
206
+         prio = clnt;
207
++        in_group_flags = NULL;
208
+         allow = srvr;
209
+     }
210
+ 
211
+@@ -4247,14 +4225,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
212
+     for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
213
+         c = sk_SSL_CIPHER_value(prio, i);
214
+ 
215
++        ok = 1;
216
++
217
+         /* Skip ciphers not supported by the protocol version */
218
+         if (!SSL_IS_DTLS(s) &&
219
+             ((s->version < c->min_tls) || (s->version > c->max_tls)))
220
+-            continue;
221
++            ok = 0;
222
+         if (SSL_IS_DTLS(s) &&
223
+             (DTLS_VERSION_LT(s->version, c->min_dtls) ||
224
+              DTLS_VERSION_GT(s->version, c->max_dtls)))
225
+-            continue;
226
++            ok = 0;
227
+ 
228
+         /*
229
+          * Since TLS 1.3 ciphersuites can be used with any auth or
230
+@@ -4276,10 +4256,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
231
+ #ifndef OPENSSL_NO_PSK
232
+             /* with PSK there must be server callback set */
233
+             if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
234
+-                continue;
235
++                ok = 0;
236
+ #endif                          /* OPENSSL_NO_PSK */
237
+ 
238
+-            ok = (alg_k & mask_k) && (alg_a & mask_a);
239
++            ok = ok && (alg_k & mask_k) && (alg_a & mask_a);
240
+ #ifdef CIPHER_DEBUG
241
+             fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
242
+                     alg_a, mask_k, mask_a, (void *)c, c->name);
243
+@@ -4296,6 +4276,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
244
+ 
245
+             if (!ok)
246
+                 continue;
247
++
248
++            safari_ec = 0;
249
++#if !defined(OPENSSL_NO_EC)
250
++            if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)) {
251
++                if (s->s3->is_probably_safari)
252
++                    safari_ec = 1;
253
++            }
254
++#endif
255
+         }
256
+         ii = sk_SSL_CIPHER_find(allow, c);
257
+         if (ii >= 0) {
258
+@@ -4303,14 +4291,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
259
+             if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
260
+                               c->strength_bits, 0, (void *)c))
261
+                 continue;
262
+-#if !defined(OPENSSL_NO_EC)
263
+-            if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)
264
+-                && s->s3->is_probably_safari) {
265
+-                if (!ret)
266
+-                    ret = sk_SSL_CIPHER_value(allow, ii);
267
+-                continue;
268
+-            }
269
+-#endif
270
++
271
+             if (prefer_sha256) {
272
+                 const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
273
+ 
274
+@@ -4322,13 +4303,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
275
+                     ret = tmp;
276
+                 continue;
277
+             }
278
+-            ret = sk_SSL_CIPHER_value(allow, ii);
279
++
280
++            if (in_group_flags != NULL && in_group_flags[i] == 1) {
281
++                /* This element of |prio| is in a group. Update
282
++                 * the minimum index found so far and continue
283
++                 * looking. */
284
++                if (group_min == -1 || group_min > ii)
285
++                    group_min = ii;
286
++            } else {
287
++                if (group_min != -1 && group_min < ii)
288
++                    ii = group_min;
289
++                if (safari_ec) {
290
++                    if (!ret)
291
++                        ret = sk_SSL_CIPHER_value(allow, ii);
292
++                    continue;
293
++                }
294
++                ret = sk_SSL_CIPHER_value(allow, ii);
295
++                break;
296
++            }
297
++        }
298
++
299
++        if (in_group_flags != NULL && !in_group_flags[i] && group_min != -1) {
300
++            /* We are about to leave a group, but we found a match
301
++             * in it, so that's our answer. */
302
++            if (safari_ec) {
303
++                if (!ret)
304
++                    ret = sk_SSL_CIPHER_value(allow, group_min);
305
++                continue;
306
++            }
307
++            ret = sk_SSL_CIPHER_value(allow, group_min);
308
+             break;
309
+         }
310
+     }
311
+-#ifndef OPENSSL_NO_CHACHA
312
+-    sk_SSL_CIPHER_free(prio_chacha);
313
+-#endif
314
+     return ret;
315
+ }
316
+ 
317
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
318
+index 044dd3af92..f9dbd0b2ad 100644
319
+--- a/ssl/ssl_ciph.c
320
++++ b/ssl/ssl_ciph.c
321
+@@ -192,6 +192,7 @@ typedef struct cipher_order_st {
322
+     const SSL_CIPHER *cipher;
323
+     int active;
324
+     int dead;
325
++    int in_group;
326
+     struct cipher_order_st *next, *prev;
327
+ } CIPHER_ORDER;
328
+ 
329
+@@ -681,6 +682,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
330
+         co_list[co_list_num].next = NULL;
331
+         co_list[co_list_num].prev = NULL;
332
+         co_list[co_list_num].active = 0;
333
++        co_list[co_list_num].in_group = 0;
334
+         co_list_num++;
335
+     }
336
+ 
337
+@@ -774,8 +776,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
338
+                                   uint32_t alg_auth, uint32_t alg_enc,
339
+                                   uint32_t alg_mac, int min_tls,
340
+                                   uint32_t algo_strength, int rule,
341
+-                                  int32_t strength_bits, CIPHER_ORDER **head_p,
342
+-                                  CIPHER_ORDER **tail_p)
343
++                                  int32_t strength_bits, int in_group,
344
++                                  CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
345
+ {
346
+     CIPHER_ORDER *head, *tail, *curr, *next, *last;
347
+     const SSL_CIPHER *cp;
348
+@@ -783,9 +785,9 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
349
+ 
350
+ #ifdef CIPHER_DEBUG
351
+     fprintf(stderr,
352
+-            "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n",
353
++            "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d) g:%d\n",
354
+             rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls,
355
+-            algo_strength, strength_bits);
356
++            algo_strength, strength_bits, in_group);
357
+ #endif
358
+ 
359
+     if (rule == CIPHER_DEL || rule == CIPHER_BUMP)
360
+@@ -862,6 +864,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
361
+             if (!curr->active) {
362
+                 ll_append_tail(&head, curr, &tail);
363
+                 curr->active = 1;
364
++                curr->in_group = in_group;
365
+             }
366
+         }
367
+         /* Move the added cipher to this location */
368
+@@ -869,6 +872,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
369
+             /* reverse == 0 */
370
+             if (curr->active) {
371
+                 ll_append_tail(&head, curr, &tail);
372
++                curr->in_group = 0;
373
+             }
374
+         } else if (rule == CIPHER_DEL) {
375
+             /* reverse == 1 */
376
+@@ -880,6 +884,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
377
+                  */
378
+                 ll_append_head(&head, curr, &tail);
379
+                 curr->active = 0;
380
++                curr->in_group = 0;
381
+             }
382
+         } else if (rule == CIPHER_BUMP) {
383
+             if (curr->active)
384
+@@ -947,8 +952,8 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
385
+      */
386
+     for (i = max_strength_bits; i >= 0; i--)
387
+         if (number_uses[i] > 0)
388
+-            ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p,
389
+-                                  tail_p);
390
++            ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0,
391
++                                  head_p, tail_p);
392
+ 
393
+     OPENSSL_free(number_uses);
394
+     return 1;
395
+@@ -962,7 +967,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
396
+     uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength;
397
+     int min_tls;
398
+     const char *l, *buf;
399
+-    int j, multi, found, rule, retval, ok, buflen;
400
++    int j, multi, found, rule, retval, ok, buflen, in_group = 0, has_group = 0;
401
+     uint32_t cipher_id = 0;
402
+     char ch;
403
+ 
404
+@@ -973,18 +978,66 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
405
+ 
406
+         if (ch == '\0')
407
+             break;              /* done */
408
+-        if (ch == '-') {
409
++        if (in_group) {
410
++            if (ch == ']') {
411
++                if (!in_group) {
412
++                    SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
413
++                           SSL_R_UNEXPECTED_GROUP_CLOSE);
414
++                    retval = found = in_group = 0;
415
++                    break;
416
++                }
417
++                if (*tail_p)
418
++                    (*tail_p)->in_group = 0;
419
++                in_group = 0;
420
++                l++;
421
++                continue;
422
++            }
423
++            if (ch == '|') {
424
++                rule = CIPHER_ADD;
425
++                l++;
426
++                continue;
427
++            } else if (!(ch >= 'a' && ch <= 'z')
428
++                       && !(ch >= 'A' && ch <= 'Z')
429
++                       && !(ch >= '0' && ch <= '9')) {
430
++                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
431
++                       SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
432
++                retval = found = in_group = 0;
433
++                break;
434
++            } else {
435
++                rule = CIPHER_ADD;
436
++            }
437
++        } else if (ch == '-') {
438
+             rule = CIPHER_DEL;
439
+             l++;
440
+         } else if (ch == '+') {
441
+             rule = CIPHER_ORD;
442
+             l++;
443
++        } else if (ch == '!' && has_group) {
444
++            SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
445
++                   SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
446
++            retval = found = in_group = 0;
447
++            break;
448
+         } else if (ch == '!') {
449
+             rule = CIPHER_KILL;
450
+             l++;
451
++        } else if (ch == '@' && has_group) {
452
++            SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
453
++                   SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
454
++            retval = found = in_group = 0;
455
++            break;
456
+         } else if (ch == '@') {
457
+             rule = CIPHER_SPECIAL;
458
+             l++;
459
++        } else if (ch == '[') {
460
++            if (in_group) {
461
++                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_NESTED_GROUP);
462
++                retval = found = in_group = 0;
463
++                break;
464
++            }
465
++            in_group = 1;
466
++            has_group = 1;
467
++            l++;
468
++            continue;
469
+         } else {
470
+             rule = CIPHER_ADD;
471
+         }
472
+@@ -1026,7 +1079,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
473
+                  * alphanumeric, so we call this an error.
474
+                  */
475
+                 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
476
+-                retval = found = 0;
477
++                retval = found = in_group = 0;
478
+                 l++;
479
+                 break;
480
+             }
481
+@@ -1205,8 +1258,8 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
482
+         } else if (found) {
483
+             ssl_cipher_apply_rule(cipher_id,
484
+                                   alg_mkey, alg_auth, alg_enc, alg_mac,
485
+-                                  min_tls, algo_strength, rule, -1, head_p,
486
+-                                  tail_p);
487
++                                  min_tls, algo_strength, rule, -1, in_group,
488
++                                  head_p, tail_p);
489
+         } else {
490
+             while ((*l != '\0') && !ITEM_SEP(*l))
491
+                 l++;
492
+@@ -1215,6 +1268,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
493
+             break;              /* done */
494
+     }
495
+ 
496
++    if (in_group) {
497
++        SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
498
++        retval = 0;
499
++    }
500
++
501
+     return retval;
502
+ }
503
+ 
504
+@@ -1379,7 +1437,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
505
+ 
506
+     if (ret && ctx->cipher_list != NULL) {
507
+         /* We already have a cipher_list, so we need to update it */
508
+-        return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
509
++        return update_cipher_list(&ctx->cipher_list->ciphers, &ctx->cipher_list_by_id,
510
+                                   ctx->tls13_ciphersuites);
511
+     }
512
+ 
513
+@@ -1392,7 +1450,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
514
+ 
515
+     if (ret && s->cipher_list != NULL) {
516
+         /* We already have a cipher_list, so we need to update it */
517
+-        return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
518
++        return update_cipher_list(&s->cipher_list->ciphers, &s->cipher_list_by_id,
519
+                                   s->tls13_ciphersuites);
520
+     }
521
+ 
522
+@@ -1401,17 +1459,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
523
+ 
524
+ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
525
+                                              STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
526
+-                                             STACK_OF(SSL_CIPHER) **cipher_list,
527
++                                             struct ssl_cipher_preference_list_st **cipher_list,
528
+                                              STACK_OF(SSL_CIPHER) **cipher_list_by_id,
529
+                                              const char *rule_str,
530
+                                              CERT *c)
531
+ {
532
+-    int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i;
533
++    int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i, tls13_len;
534
+     uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
535
+-    STACK_OF(SSL_CIPHER) *cipherstack;
536
++    STACK_OF(SSL_CIPHER) *cipherstack = NULL;
537
+     const char *rule_p;
538
+     CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
539
+-    const SSL_CIPHER **ca_list = NULL;
540
++    const SSL_CIPHER **ca_list = NULL, *tmp = NULL;
541
++    uint8_t *in_group_flags = NULL;
542
++    unsigned int num_in_group_flags = 0;
543
++    struct ssl_cipher_preference_list_st *pref_list = NULL;
544
+ 
545
+     /*
546
+      * Return with error if nothing to do.
547
+@@ -1460,16 +1521,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
548
+      * preference).
549
+      */
550
+     ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
551
+-                          -1, &head, &tail);
552
+-    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head,
553
+-                          &tail);
554
+-    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
555
+-                          &tail);
556
++                          -1, 0, &head, &tail);
557
++    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0,
558
++                          &head, &tail);
559
++    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0,
560
++                          &head, &tail);
561
+ 
562
+     /* Within each strength group, we prefer GCM over CHACHA... */
563
+-    ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
564
++    ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1, 0,
565
+                           &head, &tail);
566
+-    ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
567
++    ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1, 0,
568
+                           &head, &tail);
569
+ 
570
+     /*
571
+@@ -1478,13 +1539,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
572
+      * strength.
573
+      */
574
+     ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
575
+-                          -1, &head, &tail);
576
++                          -1, 0, &head, &tail);
577
+ 
578
+     /* Temporarily enable everything else for sorting */
579
+-    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
580
++    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail);
581
+ 
582
+     /* Low priority for MD5 */
583
+-    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head,
584
++    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, 0, &head,
585
+                           &tail);
586
+ 
587
+     /*
588
+@@ -1492,16 +1553,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
589
+      * disabled. (For applications that allow them, they aren't too bad, but
590
+      * we prefer authenticated ciphers.)
591
+      */
592
+-    ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
593
++    ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
594
+                           &tail);
595
+ 
596
+-    ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
597
++    ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
598
+                           &tail);
599
+-    ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
600
++    ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
601
+                           &tail);
602
+ 
603
+     /* RC4 is sort-of broken -- move to the end */
604
+-    ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head,
605
++    ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
606
+                           &tail);
607
+ 
608
+     /*
609
+@@ -1517,7 +1578,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
610
+      * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
611
+      * TODO(openssl-team): is there an easier way to accomplish all this?
612
+      */
613
+-    ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1,
614
++    ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1, 0,
615
+                           &head, &tail);
616
+ 
617
+     /*
618
+@@ -1533,15 +1594,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
619
+      * Because we now bump ciphers to the top of the list, we proceed in
620
+      * reverse order of preference.
621
+      */
622
+-    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1,
623
++    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1, 0,
624
+                           &head, &tail);
625
+     ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, 0, 0, 0,
626
+-                          CIPHER_BUMP, -1, &head, &tail);
627
++                          CIPHER_BUMP, -1, 0, &head, &tail);
628
+     ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0,
629
+-                          CIPHER_BUMP, -1, &head, &tail);
630
++                          CIPHER_BUMP, -1, 0, &head, &tail);
631
+ 
632
+     /* Now disable everything (maintaining the ordering!) */
633
+-    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
634
++    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail);
635
+ 
636
+     /*
637
+      * We also need cipher aliases for selecting based on the rule_str.
638
+@@ -1555,9 +1616,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
639
+     num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
640
+     ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
641
+     if (ca_list == NULL) {
642
+-        OPENSSL_free(co_list);
643
+         SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
644
+-        return NULL;          /* Failure */
645
++        goto err;               /* Failure */
646
+     }
647
+     ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
648
+                                disabled_mkey, disabled_auth, disabled_enc,
649
+@@ -1582,27 +1642,35 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
650
+ 
651
+     OPENSSL_free(ca_list);      /* Not needed anymore */
652
+ 
653
+-    if (!ok) {                  /* Rule processing failure */
654
+-        OPENSSL_free(co_list);
655
+-        return NULL;
656
+-    }
657
++    if (!ok)
658
++        goto err;               /* Rule processing failure */
659
+ 
660
+     /*
661
+      * Allocate new "cipherstack" for the result, return with error
662
+      * if we cannot get one.
663
+      */
664
+-    if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
665
+-        OPENSSL_free(co_list);
666
+-        return NULL;
667
+-    }
668
++    if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
669
++        goto err;
670
++
671
++    in_group_flags = OPENSSL_malloc(num_of_ciphers);
672
++    if (!in_group_flags)
673
++        goto err;
674
+ 
675
+     /* Add TLSv1.3 ciphers first - we always prefer those if possible */
676
+-    for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
677
++    tls13_len = sk_SSL_CIPHER_num(tls13_ciphersuites);
678
++    for (i = 0; i < tls13_len; i++) {
679
++        tmp = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
680
+         if (!sk_SSL_CIPHER_push(cipherstack,
681
+-                                sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
682
+-            sk_SSL_CIPHER_free(cipherstack);
683
+-            return NULL;
684
++                                tmp))
685
++            goto err;
686
++        /* Temporary - AES128, CHACHA20 priority adjustment of TLS 1.3. */
687
++        if (tmp->algorithm_enc == SSL_AES128GCM &&
688
++            tls13_len > (i + 1)) {
689
++            tmp = sk_SSL_CIPHER_value(tls13_ciphersuites, i + 1);
690
++            in_group_flags[num_in_group_flags++] = (tmp->algorithm_enc == SSL_CHACHA20POLY1305) ? 1 : 0;
691
+         }
692
++        else
693
++            in_group_flags[num_in_group_flags++] = 0;
694
+     }
695
+ 
696
+     /*
697
+@@ -1611,26 +1679,50 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
698
+      */
699
+     for (curr = head; curr != NULL; curr = curr->next) {
700
+         if (curr->active) {
701
+-            if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
702
+-                OPENSSL_free(co_list);
703
+-                sk_SSL_CIPHER_free(cipherstack);
704
+-                return NULL;
705
+-            }
706
++            if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher))
707
++                goto err;
708
++            in_group_flags[num_in_group_flags++] = curr->in_group;
709
+ #ifdef CIPHER_DEBUG
710
+             fprintf(stderr, "<%s>\n", curr->cipher->name);
711
+ #endif
712
+         }
713
+     }
714
+-    OPENSSL_free(co_list);      /* Not needed any longer */
715
+ 
716
+-    if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) {
717
+-        sk_SSL_CIPHER_free(cipherstack);
718
+-        return NULL;
719
+-    }
720
+-    sk_SSL_CIPHER_free(*cipher_list);
721
+-    *cipher_list = cipherstack;
722
++    OPENSSL_free(co_list);      /* Not needed any longer */
723
++    co_list = NULL;
724
++
725
++    if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack))
726
++        goto err;
727
++
728
++    pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
729
++    if (!pref_list)
730
++        goto err;
731
++    pref_list->ciphers = cipherstack;
732
++    pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);
733
++    if (!pref_list->in_group_flags)
734
++        goto err;
735
++    memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
736
++    OPENSSL_free(in_group_flags);
737
++    in_group_flags = NULL;
738
++    if (*cipher_list != NULL)
739
++        ssl_cipher_preference_list_free(*cipher_list);
740
++    *cipher_list = pref_list;
741
++    pref_list = NULL;
742
+ 
743
+     return cipherstack;
744
++
745
++err:
746
++    if (co_list)
747
++        OPENSSL_free(co_list);
748
++    if (in_group_flags)
749
++        OPENSSL_free(in_group_flags);
750
++    if (cipherstack)
751
++        sk_SSL_CIPHER_free(cipherstack);
752
++    if (pref_list && pref_list->in_group_flags)
753
++        OPENSSL_free(pref_list->in_group_flags);
754
++    if (pref_list)
755
++        OPENSSL_free(pref_list);
756
++    return NULL;
757
+ }
758
+ 
759
+ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
760
+diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
761
+index 4b12ed1485..cd1a95d1d2 100644
762
+--- a/ssl/ssl_err.c
763
++++ b/ssl/ssl_err.c
764
+@@ -965,6 +965,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
765
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_DH_KEY), "missing tmp dh key"},
766
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_ECDH_KEY),
767
+     "missing tmp ecdh key"},
768
++    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS),
769
++    "mixed special operator with groups"},
770
++    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NESTED_GROUP), "nested group"},
771
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
772
+     "mixed handshake and non handshake data"},
773
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
774
+@@ -1201,11 +1204,14 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
775
+     "unable to load ssl3 md5 routines"},
776
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),
777
+     "unable to load ssl3 sha1 routines"},
778
++    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_GROUP_CLOSE), "unexpected group close"},
779
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_CCS_MESSAGE),
780
+     "unexpected ccs message"},
781
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
782
+     "unexpected end of early data"},
783
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
784
++    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP),
785
++    "unexpected operator in group"},
786
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
787
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
788
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
789
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
790
+index 5bd2fcf5d5..91623b5612 100644
791
+--- a/ssl/ssl_lib.c
792
++++ b/ssl/ssl_lib.c
793
+@@ -1117,6 +1117,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
794
+     return X509_VERIFY_PARAM_set1(ssl->param, vpm);
795
+ }
796
+ 
797
++void ssl_cipher_preference_list_free(struct ssl_cipher_preference_list_st
798
++                                     *cipher_list)
799
++{
800
++    sk_SSL_CIPHER_free(cipher_list->ciphers);
801
++    OPENSSL_free(cipher_list->in_group_flags);
802
++    OPENSSL_free(cipher_list);
803
++}
804
++
805
++struct ssl_cipher_preference_list_st*
806
++ssl_cipher_preference_list_dup(struct ssl_cipher_preference_list_st
807
++                               *cipher_list)
808
++{
809
++    struct ssl_cipher_preference_list_st* ret = NULL;
810
++    size_t n = sk_SSL_CIPHER_num(cipher_list->ciphers);
811
++
812
++    ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
813
++    if (!ret)
814
++        goto err;
815
++    ret->ciphers = NULL;
816
++    ret->in_group_flags = NULL;
817
++    ret->ciphers = sk_SSL_CIPHER_dup(cipher_list->ciphers);
818
++    if (!ret->ciphers)
819
++        goto err;
820
++    ret->in_group_flags = OPENSSL_malloc(n);
821
++    if (!ret->in_group_flags)
822
++        goto err;
823
++    memcpy(ret->in_group_flags, cipher_list->in_group_flags, n);
824
++    return ret;
825
++
826
++err:
827
++   if (ret->ciphers)
828
++       sk_SSL_CIPHER_free(ret->ciphers);
829
++   if (ret)
830
++       OPENSSL_free(ret);
831
++   return NULL;
832
++}
833
++
834
++struct ssl_cipher_preference_list_st*
835
++ssl_cipher_preference_list_from_ciphers(STACK_OF(SSL_CIPHER) *ciphers)
836
++{
837
++    struct ssl_cipher_preference_list_st* ret = NULL;
838
++    size_t n = sk_SSL_CIPHER_num(ciphers);
839
++
840
++    ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
841
++    if (!ret)
842
++        goto err;
843
++    ret->ciphers = NULL;
844
++    ret->in_group_flags = NULL;
845
++    ret->ciphers = sk_SSL_CIPHER_dup(ciphers);
846
++    if (!ret->ciphers)
847
++        goto err;
848
++    ret->in_group_flags = OPENSSL_malloc(n);
849
++    if (!ret->in_group_flags)
850
++        goto err;
851
++    memset(ret->in_group_flags, 0, n);
852
++    return ret;
853
++
854
++err:
855
++    if (ret->ciphers)
856
++        sk_SSL_CIPHER_free(ret->ciphers);
857
++    if (ret)
858
++        OPENSSL_free(ret);
859
++    return NULL;
860
++}
861
++
862
+ X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
863
+ {
864
+     return ctx->param;
865
+@@ -1157,7 +1222,8 @@ void SSL_free(SSL *s)
866
+     BUF_MEM_free(s->init_buf);
867
+ 
868
+     /* add extra stuff */
869
+-    sk_SSL_CIPHER_free(s->cipher_list);
870
++    if (s->cipher_list != NULL)
871
++        ssl_cipher_preference_list_free(s->cipher_list);
872
+     sk_SSL_CIPHER_free(s->cipher_list_by_id);
873
+     sk_SSL_CIPHER_free(s->tls13_ciphersuites);
874
+ 
875
+@@ -2427,9 +2493,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
876
+ {
877
+     if (s != NULL) {
878
+         if (s->cipher_list != NULL) {
879
+-            return s->cipher_list;
880
++            return (s->cipher_list->ciphers);
881
+         } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) {
882
+-            return s->ctx->cipher_list;
883
++            return (s->ctx->cipher_list->ciphers);
884
+         }
885
+     }
886
+     return NULL;
887
+@@ -2503,8 +2569,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
888
+  * preference */
889
+ STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
890
+ {
891
+-    if (ctx != NULL)
892
+-        return ctx->cipher_list;
893
++    if (ctx != NULL && ctx->cipher_list != NULL)
894
++        return ctx->cipher_list->ciphers;
895
+     return NULL;
896
+ }
897
+ 
898
+@@ -2955,7 +3021,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
899
+                                 ret->tls13_ciphersuites,
900
+                                 &ret->cipher_list, &ret->cipher_list_by_id,
901
+                                 SSL_DEFAULT_CIPHER_LIST, ret->cert)
902
+-        || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
903
++        || sk_SSL_CIPHER_num(ret->cipher_list->ciphers) <= 0) {
904
+         SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
905
+         goto err2;
906
+     }
907
+@@ -3131,7 +3197,7 @@ void SSL_CTX_free(SSL_CTX *a)
908
+ #ifndef OPENSSL_NO_CT
909
+     CTLOG_STORE_free(a->ctlog_store);
910
+ #endif
911
+-    sk_SSL_CIPHER_free(a->cipher_list);
912
++    ssl_cipher_preference_list_free(a->cipher_list);
913
+     sk_SSL_CIPHER_free(a->cipher_list_by_id);
914
+     sk_SSL_CIPHER_free(a->tls13_ciphersuites);
915
+     ssl_cert_free(a->cert);
916
+@@ -3809,13 +3875,15 @@ SSL *SSL_dup(SSL *s)
917
+ 
918
+     /* dup the cipher_list and cipher_list_by_id stacks */
919
+     if (s->cipher_list != NULL) {
920
+-        if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
921
++        ret->cipher_list = ssl_cipher_preference_list_dup(s->cipher_list);
922
++        if (ret->cipher_list == NULL)
923
+             goto err;
924
+     }
925
+-    if (s->cipher_list_by_id != NULL)
926
+-        if ((ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id))
927
+-            == NULL)
928
++    if (s->cipher_list_by_id != NULL) {
929
++        ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id);
930
++        if (ret->cipher_list_by_id == NULL)
931
+             goto err;
932
++    }
933
+ 
934
+     /* Dup the client_CA list */
935
+     if (!dup_ca_names(&ret->ca_names, s->ca_names)
936
+diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
937
+index 6559012f30..1e0cddfa7b 100644
938
+--- a/ssl/ssl_locl.h
939
++++ b/ssl/ssl_locl.h
940
+@@ -741,9 +741,46 @@ typedef struct ssl_ctx_ext_secure_st {
941
+     unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
942
+ } SSL_CTX_EXT_SECURE;
943
+ 
944
++/* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
945
++ * equal-preference groups. For TLS clients, the groups are moot because the
946
++ * server picks the cipher and groups cannot be expressed on the wire. However,
947
++ * for servers, the equal-preference groups allow the client's preferences to
948
++ * be partially respected. (This only has an effect with
949
++ * SSL_OP_CIPHER_SERVER_PREFERENCE).
950
++ *
951
++ * The equal-preference groups are expressed by grouping SSL_CIPHERs together.
952
++ * All elements of a group have the same priority: no ordering is expressed
953
++ * within a group.
954
++ *
955
++ * The values in |ciphers| are in one-to-one correspondence with
956
++ * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
957
++ * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
958
++ * indicate that the corresponding SSL_CIPHER is not the last element of a
959
++ * group, or 0 to indicate that it is.
960
++ *
961
++ * For example, if |in_group_flags| contains all zeros then that indicates a
962
++ * traditional, fully-ordered preference. Every SSL_CIPHER is the last element
963
++ * of the group (i.e. they are all in a one-element group).
964
++ *
965
++ * For a more complex example, consider:
966
++ *   ciphers:        A  B  C  D  E  F
967
++ *   in_group_flags: 1  1  0  0  1  0
968
++ *
969
++ * That would express the following, order:
970
++ *
971
++ *    A         E
972
++ *    B -> D -> F
973
++ *    C
974
++ */
975
++struct ssl_cipher_preference_list_st {
976
++   STACK_OF(SSL_CIPHER) *ciphers;
977
++   uint8_t *in_group_flags;
978
++};
979
++
980
++
981
+ struct ssl_ctx_st {
982
+     const SSL_METHOD *method;
983
+-    STACK_OF(SSL_CIPHER) *cipher_list;
984
++    struct ssl_cipher_preference_list_st *cipher_list;
985
+     /* same as above but sorted for lookup */
986
+     STACK_OF(SSL_CIPHER) *cipher_list_by_id;
987
+     /* TLSv1.3 specific ciphersuites */
988
+@@ -1138,7 +1175,7 @@ struct ssl_st {
989
+     /* Per connection DANE state */
990
+     SSL_DANE dane;
991
+     /* crypto */
992
+-    STACK_OF(SSL_CIPHER) *cipher_list;
993
++    struct ssl_cipher_preference_list_st *cipher_list;
994
+     STACK_OF(SSL_CIPHER) *cipher_list_by_id;
995
+     /* TLSv1.3 specific ciphersuites */
996
+     STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
997
+@@ -2263,7 +2300,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
998
+                                  const SSL_CIPHER *const *bp);
999
+ __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1000
+                                                     STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
1001
+-                                                    STACK_OF(SSL_CIPHER) **cipher_list,
1002
++                                                    struct ssl_cipher_preference_list_st **cipher_list,
1003
+                                                     STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1004
+                                                     const char *rule_str,
1005
+                                                     CERT *c);
1006
+@@ -2273,6 +2310,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
1007
+                                 STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
1008
+                                 int fatal);
1009
+ void ssl_update_cache(SSL *s, int mode);
1010
++struct ssl_cipher_preference_list_st* ssl_cipher_preference_list_dup(
1011
++        struct ssl_cipher_preference_list_st *cipher_list);
1012
++void ssl_cipher_preference_list_free(
1013
++        struct ssl_cipher_preference_list_st *cipher_list);
1014
++struct ssl_cipher_preference_list_st* ssl_cipher_preference_list_from_ciphers(
1015
++        STACK_OF(SSL_CIPHER) *ciphers);
1016
++struct ssl_cipher_preference_list_st* ssl_get_cipher_preferences(SSL *s);
1017
+ __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
1018
+                               const EVP_MD **md, int *mac_pkey_type,
1019
+                               size_t *mac_secret_size, SSL_COMP **comp,
1020
+@@ -2356,7 +2400,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
1021
+                                             CERT_PKEY *cpk);
1022
+ __owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
1023
+                                             STACK_OF(SSL_CIPHER) *clnt,
1024
+-                                            STACK_OF(SSL_CIPHER) *srvr);
1025
++                                            struct ssl_cipher_preference_list_st *srvr);
1026
+ __owur int ssl3_digest_cached_records(SSL *s, int keep);
1027
+ __owur int ssl3_new(SSL *s);
1028
+ void ssl3_free(SSL *s);
1029
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
1030
+index 0eab35c5c8..21f3dd707e 100644
1031
+--- a/ssl/statem/statem_srvr.c
1032
++++ b/ssl/statem/statem_srvr.c
1033
+@@ -1750,7 +1750,7 @@ static int tls_early_post_process_client_hello(SSL *s)
1034
+     /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
1035
+     if (SSL_IS_TLS13(s)) {
1036
+         const SSL_CIPHER *cipher =
1037
+-            ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
1038
++            ssl3_choose_cipher(s, ciphers, ssl_get_cipher_preferences(s));
1039
+ 
1040
+         if (cipher == NULL) {
1041
+             SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1042
+@@ -1931,7 +1931,7 @@ static int tls_early_post_process_client_hello(SSL *s)
1043
+             /* check if some cipher was preferred by call back */
1044
+             if (pref_cipher == NULL)
1045
+                 pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
1046
+-                                                 SSL_get_ciphers(s));
1047
++                                                 ssl_get_cipher_preferences(s));
1048
+             if (pref_cipher == NULL) {
1049
+                 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1050
+                          SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1051
+@@ -1940,8 +1940,9 @@ static int tls_early_post_process_client_hello(SSL *s)
1052
+             }
1053
+ 
1054
+             s->session->cipher = pref_cipher;
1055
+-            sk_SSL_CIPHER_free(s->cipher_list);
1056
+-            s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1057
++            ssl_cipher_preference_list_free(s->cipher_list);
1058
++            s->cipher_list = ssl_cipher_preference_list_from_ciphers(
1059
++                                                       s->session->ciphers);
1060
+             sk_SSL_CIPHER_free(s->cipher_list_by_id);
1061
+             s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
1062
+         }
1063
+@@ -2255,7 +2256,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
1064
+             /* In TLSv1.3 we selected the ciphersuite before resumption */
1065
+             if (!SSL_IS_TLS13(s)) {
1066
+                 cipher =
1067
+-                    ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
1068
++                    ssl3_choose_cipher(s, s->session->ciphers, ssl_get_cipher_preferences(s));
1069
+ 
1070
+                 if (cipher == NULL) {
1071
+                     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,

+ 1106
- 0
openssl-equal-1.1.1b_ciphers.patch View File

@@ -0,0 +1,1106 @@
1
+diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
2
+index faf9e53814..428df515f1 100644
3
+--- a/doc/man1/ciphers.pod
4
++++ b/doc/man1/ciphers.pod
5
+@@ -400,6 +400,21 @@ permissible.
6
+ 
7
+ =back
8
+ 
9
++=head1 EQUAL PREFERENCE GROUPS
10
++
11
++If configuring a server, one may also configure equal-preference groups to
12
++partially respect the client's preferences when
13
++B<SSL_OP_CIPHER_SERVER_PREFERENCE> is enabled. Ciphers in an equal-preference
14
++group have equal priority and use the client order. This may be used to
15
++enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305
16
++based on client preferences. An equal-preference is specified with square
17
++brackets, combining multiple selectors separated by |. For example:
18
++
19
++ [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]
20
++ 
21
++ Once an equal-preference group is used, future directives must be
22
++ opcode-less.
23
++
24
+ =head1 CIPHER SUITE NAMES
25
+ 
26
+ The following lists give the SSL or TLS cipher suites names from the
27
+diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
28
+index a50a075b42..e9abb98d4f 100644
29
+--- a/include/openssl/sslerr.h
30
++++ b/include/openssl/sslerr.h
31
+@@ -596,6 +596,8 @@ int ERR_load_SSL_strings(void);
32
+ # define SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION         209
33
+ # define SSL_R_MISSING_TMP_DH_KEY                         171
34
+ # define SSL_R_MISSING_TMP_ECDH_KEY                       311
35
++# define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS         101
36
++# define SSL_R_NESTED_GROUP                               108
37
+ # define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA     293
38
+ # define SSL_R_NOT_ON_RECORD_BOUNDARY                     182
39
+ # define SSL_R_NOT_REPLACING_CERTIFICATE                  289
40
+@@ -727,9 +729,11 @@ int ERR_load_SSL_strings(void);
41
+ # define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS       239
42
+ # define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES           242
43
+ # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES          243
44
++# define SSL_R_UNEXPECTED_GROUP_CLOSE                     109
45
+ # define SSL_R_UNEXPECTED_CCS_MESSAGE                     262
46
+ # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA               178
47
+ # define SSL_R_UNEXPECTED_MESSAGE                         244
48
++# define SSL_R_UNEXPECTED_OPERATOR_IN_GROUP               110
49
+ # define SSL_R_UNEXPECTED_RECORD                          245
50
+ # define SSL_R_UNINITIALIZED                              276
51
+ # define SSL_R_UNKNOWN_ALERT_TYPE                         246
52
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
53
+index 99ae48199c..6641c6cdee 100644
54
+--- a/ssl/s3_lib.c
55
++++ b/ssl/s3_lib.c
56
+@@ -31,7 +31,25 @@ const unsigned char tls12downgrade[] = {
57
+ };
58
+ 
59
+ /* The list of available TLSv1.3 ciphers */
60
++/* Since nginx can not set the TLS 1.3 cipher, remove it temporarily. */
61
+ static SSL_CIPHER tls13_ciphers[] = {
62
++    {
63
++        0,
64
++    }
65
++};
66
++
67
++/*
68
++ * The list of available ciphers, mostly organized into the following
69
++ * groups:
70
++ *      Always there
71
++ *      EC
72
++ *      PSK
73
++ *      SRP (within that: RSA EC PSK)
74
++ *      Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED
75
++ *      Weak ciphers
76
++ */
77
++static SSL_CIPHER ssl3_ciphers[] = {
78
++    /* TLSv1.3 ciphers */
79
+     {
80
+         1,
81
+         TLS1_3_RFC_AES_128_GCM_SHA256,
82
+@@ -111,20 +129,8 @@ static SSL_CIPHER tls13_ciphers[] = {
83
+         SSL_HANDSHAKE_MAC_SHA256,
84
+         128,
85
+         128,
86
+-    }
87
+-};
88
+-
89
+-/*
90
+- * The list of available ciphers, mostly organized into the following
91
+- * groups:
92
+- *      Always there
93
+- *      EC
94
+- *      PSK
95
+- *      SRP (within that: RSA EC PSK)
96
+- *      Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED
97
+- *      Weak ciphers
98
+- */
99
+-static SSL_CIPHER ssl3_ciphers[] = {
100
++    },
101
++    /* List of cipher below TLSv1.3 */
102
+     {
103
+      1,
104
+      SSL3_TXT_RSA_NULL_MD5,
105
+@@ -167,7 +173,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
106
+      SSL_aRSA,
107
+      SSL_3DES,
108
+      SSL_SHA1,
109
+-     SSL3_VERSION, TLS1_2_VERSION,
110
++     SSL3_VERSION, TLS1_VERSION,
111
+      DTLS1_BAD_VER, DTLS1_2_VERSION,
112
+      SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
113
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
114
+@@ -232,7 +238,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
115
+      SSL_aRSA,
116
+      SSL_AES128,
117
+      SSL_SHA1,
118
+-     SSL3_VERSION, TLS1_2_VERSION,
119
++     SSL3_VERSION, TLS1_VERSION,
120
+      DTLS1_BAD_VER, DTLS1_2_VERSION,
121
+      SSL_HIGH | SSL_FIPS,
122
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
123
+@@ -296,7 +302,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
124
+      SSL_aRSA,
125
+      SSL_AES256,
126
+      SSL_SHA1,
127
+-     SSL3_VERSION, TLS1_2_VERSION,
128
++     SSL3_VERSION, TLS1_VERSION,
129
+      DTLS1_BAD_VER, DTLS1_2_VERSION,
130
+      SSL_HIGH | SSL_FIPS,
131
+      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
132
+@@ -4124,6 +4130,17 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
133
+     return 1;
134
+ }
135
+ 
136
++struct ssl_cipher_preference_list_st* ssl_get_cipher_preferences(SSL *s)
137
++{
138
++    if (s->cipher_list != NULL)
139
++        return (s->cipher_list);
140
++
141
++    if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL))
142
++        return (s->ctx->cipher_list);
143
++
144
++    return NULL;
145
++}
146
++
147
+ /*
148
+  * ssl3_choose_cipher - choose a cipher from those offered by the client
149
+  * @s: SSL connection
150
+@@ -4133,16 +4150,24 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
151
+  * Returns the selected cipher or NULL when no common ciphers.
152
+  */
153
+ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
154
+-                                     STACK_OF(SSL_CIPHER) *srvr)
155
++                                     struct ssl_cipher_preference_list_st
156
++                                     *server_pref)
157
+ {
158
+     const SSL_CIPHER *c, *ret = NULL;
159
+-    STACK_OF(SSL_CIPHER) *prio, *allow;
160
+-    int i, ii, ok, prefer_sha256 = 0;
161
++    STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow;
162
++    int i, ii, ok, prefer_sha256 = 0, safari_ec = 0;
163
+     unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0;
164
+     const EVP_MD *mdsha256 = EVP_sha256();
165
+-#ifndef OPENSSL_NO_CHACHA
166
+-    STACK_OF(SSL_CIPHER) *prio_chacha = NULL;
167
+-#endif
168
++
169
++    /* in_group_flags will either be NULL, or will point to an array of
170
++     * bytes which indicate equal-preference groups in the |prio| stack.
171
++     * See the comment about |in_group_flags| in the
172
++     * |ssl_cipher_preference_list_st| struct. */
173
++    const uint8_t *in_group_flags;
174
++
175
++    /* group_min contains the minimal index so far found in a group, or -1
176
++     * if no such value exists yet. */
177
++    int group_min = -1;
178
+ 
179
+     /* Let's see which ciphers we can support */
180
+ 
181
+@@ -4169,54 +4194,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
182
+ #endif
183
+ 
184
+     /* SUITE-B takes precedence over server preference and ChaCha priortiy */
185
+-    if (tls1_suiteb(s)) {
186
++    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) {
187
+         prio = srvr;
188
++        in_group_flags = server_pref->in_group_flags;
189
+         allow = clnt;
190
+-    } else if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
191
+-        prio = srvr;
192
+-        allow = clnt;
193
+-#ifndef OPENSSL_NO_CHACHA
194
+-        /* If ChaCha20 is at the top of the client preference list,
195
+-           and there are ChaCha20 ciphers in the server list, then
196
+-           temporarily prioritize all ChaCha20 ciphers in the servers list. */
197
+-        if (s->options & SSL_OP_PRIORITIZE_CHACHA && sk_SSL_CIPHER_num(clnt) > 0) {
198
+-            c = sk_SSL_CIPHER_value(clnt, 0);
199
+-            if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
200
+-                /* ChaCha20 is client preferred, check server... */
201
+-                int num = sk_SSL_CIPHER_num(srvr);
202
+-                int found = 0;
203
+-                for (i = 0; i < num; i++) {
204
+-                    c = sk_SSL_CIPHER_value(srvr, i);
205
+-                    if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
206
+-                        found = 1;
207
+-                        break;
208
+-                    }
209
+-                }
210
+-                if (found) {
211
+-                    prio_chacha = sk_SSL_CIPHER_new_reserve(NULL, num);
212
+-                    /* if reserve fails, then there's likely a memory issue */
213
+-                    if (prio_chacha != NULL) {
214
+-                        /* Put all ChaCha20 at the top, starting with the one we just found */
215
+-                        sk_SSL_CIPHER_push(prio_chacha, c);
216
+-                        for (i++; i < num; i++) {
217
+-                            c = sk_SSL_CIPHER_value(srvr, i);
218
+-                            if (c->algorithm_enc == SSL_CHACHA20POLY1305)
219
+-                                sk_SSL_CIPHER_push(prio_chacha, c);
220
+-                        }
221
+-                        /* Pull in the rest */
222
+-                        for (i = 0; i < num; i++) {
223
+-                            c = sk_SSL_CIPHER_value(srvr, i);
224
+-                            if (c->algorithm_enc != SSL_CHACHA20POLY1305)
225
+-                                sk_SSL_CIPHER_push(prio_chacha, c);
226
+-                        }
227
+-                        prio = prio_chacha;
228
+-                    }
229
+-                }
230
+-            }
231
+-        }
232
+-# endif
233
+     } else {
234
+         prio = clnt;
235
++        in_group_flags = NULL;
236
+         allow = srvr;
237
+     }
238
+ 
239
+@@ -4247,14 +4231,16 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
240
+     for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
241
+         c = sk_SSL_CIPHER_value(prio, i);
242
+ 
243
++        ok = 1;
244
++
245
+         /* Skip ciphers not supported by the protocol version */
246
+         if (!SSL_IS_DTLS(s) &&
247
+             ((s->version < c->min_tls) || (s->version > c->max_tls)))
248
+-            continue;
249
++            ok = 0;
250
+         if (SSL_IS_DTLS(s) &&
251
+             (DTLS_VERSION_LT(s->version, c->min_dtls) ||
252
+              DTLS_VERSION_GT(s->version, c->max_dtls)))
253
+-            continue;
254
++            ok = 0;
255
+ 
256
+         /*
257
+          * Since TLS 1.3 ciphersuites can be used with any auth or
258
+@@ -4276,10 +4262,10 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
259
+ #ifndef OPENSSL_NO_PSK
260
+             /* with PSK there must be server callback set */
261
+             if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
262
+-                continue;
263
++                ok = 0;
264
+ #endif                          /* OPENSSL_NO_PSK */
265
+ 
266
+-            ok = (alg_k & mask_k) && (alg_a & mask_a);
267
++            ok = ok && (alg_k & mask_k) && (alg_a & mask_a);
268
+ #ifdef CIPHER_DEBUG
269
+             fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
270
+                     alg_a, mask_k, mask_a, (void *)c, c->name);
271
+@@ -4296,6 +4282,14 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
272
+ 
273
+             if (!ok)
274
+                 continue;
275
++
276
++            safari_ec = 0;
277
++#if !defined(OPENSSL_NO_EC)
278
++            if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)) {
279
++                if (s->s3->is_probably_safari)
280
++                    safari_ec = 1;
281
++            }
282
++#endif
283
+         }
284
+         ii = sk_SSL_CIPHER_find(allow, c);
285
+         if (ii >= 0) {
286
+@@ -4303,14 +4297,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
287
+             if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
288
+                               c->strength_bits, 0, (void *)c))
289
+                 continue;
290
+-#if !defined(OPENSSL_NO_EC)
291
+-            if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)
292
+-                && s->s3->is_probably_safari) {
293
+-                if (!ret)
294
+-                    ret = sk_SSL_CIPHER_value(allow, ii);
295
+-                continue;
296
+-            }
297
+-#endif
298
++
299
+             if (prefer_sha256) {
300
+                 const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
301
+ 
302
+@@ -4322,13 +4309,38 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
303
+                     ret = tmp;
304
+                 continue;
305
+             }
306
+-            ret = sk_SSL_CIPHER_value(allow, ii);
307
++
308
++            if (in_group_flags != NULL && in_group_flags[i] == 1) {
309
++                /* This element of |prio| is in a group. Update
310
++                 * the minimum index found so far and continue
311
++                 * looking. */
312
++                if (group_min == -1 || group_min > ii)
313
++                    group_min = ii;
314
++            } else {
315
++                if (group_min != -1 && group_min < ii)
316
++                    ii = group_min;
317
++                if (safari_ec) {
318
++                    if (!ret)
319
++                        ret = sk_SSL_CIPHER_value(allow, ii);
320
++                    continue;
321
++                }
322
++                ret = sk_SSL_CIPHER_value(allow, ii);
323
++                break;
324
++            }
325
++        }
326
++
327
++        if (in_group_flags != NULL && !in_group_flags[i] && group_min != -1) {
328
++            /* We are about to leave a group, but we found a match
329
++             * in it, so that's our answer. */
330
++            if (safari_ec) {
331
++                if (!ret)
332
++                    ret = sk_SSL_CIPHER_value(allow, group_min);
333
++                continue;
334
++            }
335
++            ret = sk_SSL_CIPHER_value(allow, group_min);
336
+             break;
337
+         }
338
+     }
339
+-#ifndef OPENSSL_NO_CHACHA
340
+-    sk_SSL_CIPHER_free(prio_chacha);
341
+-#endif
342
+     return ret;
343
+ }
344
+ 
345
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
346
+index 044dd3af92..53e272e7b2 100644
347
+--- a/ssl/ssl_ciph.c
348
++++ b/ssl/ssl_ciph.c
349
+@@ -192,6 +192,7 @@ typedef struct cipher_order_st {
350
+     const SSL_CIPHER *cipher;
351
+     int active;
352
+     int dead;
353
++    int in_group;
354
+     struct cipher_order_st *next, *prev;
355
+ } CIPHER_ORDER;
356
+ 
357
+@@ -296,6 +297,7 @@ static const SSL_CIPHER cipher_aliases[] = {
358
+     {0, SSL_TXT_TLSV1, NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
359
+     {0, "TLSv1.0", NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
360
+     {0, SSL_TXT_TLSV1_2, NULL, 0, 0, 0, 0, 0, TLS1_2_VERSION},
361
++    {0, "TLS13", NULL, 0, 0, 0, 0, 0, TLS1_3_VERSION},
362
+ 
363
+     /* strength classes */
364
+     {0, SSL_TXT_LOW, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW},
365
+@@ -681,6 +683,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
366
+         co_list[co_list_num].next = NULL;
367
+         co_list[co_list_num].prev = NULL;
368
+         co_list[co_list_num].active = 0;
369
++        co_list[co_list_num].in_group = 0;
370
+         co_list_num++;
371
+     }
372
+ 
373
+@@ -774,8 +777,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
374
+                                   uint32_t alg_auth, uint32_t alg_enc,
375
+                                   uint32_t alg_mac, int min_tls,
376
+                                   uint32_t algo_strength, int rule,
377
+-                                  int32_t strength_bits, CIPHER_ORDER **head_p,
378
+-                                  CIPHER_ORDER **tail_p)
379
++                                  int32_t strength_bits, int in_group,
380
++                                  CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
381
+ {
382
+     CIPHER_ORDER *head, *tail, *curr, *next, *last;
383
+     const SSL_CIPHER *cp;
384
+@@ -783,9 +786,9 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
385
+ 
386
+ #ifdef CIPHER_DEBUG
387
+     fprintf(stderr,
388
+-            "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n",
389
++            "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d) g:%d\n",
390
+             rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls,
391
+-            algo_strength, strength_bits);
392
++            algo_strength, strength_bits, in_group);
393
+ #endif
394
+ 
395
+     if (rule == CIPHER_DEL || rule == CIPHER_BUMP)
396
+@@ -862,6 +865,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
397
+             if (!curr->active) {
398
+                 ll_append_tail(&head, curr, &tail);
399
+                 curr->active = 1;
400
++                curr->in_group = in_group;
401
+             }
402
+         }
403
+         /* Move the added cipher to this location */
404
+@@ -869,6 +873,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
405
+             /* reverse == 0 */
406
+             if (curr->active) {
407
+                 ll_append_tail(&head, curr, &tail);
408
++                curr->in_group = 0;
409
+             }
410
+         } else if (rule == CIPHER_DEL) {
411
+             /* reverse == 1 */
412
+@@ -880,6 +885,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
413
+                  */
414
+                 ll_append_head(&head, curr, &tail);
415
+                 curr->active = 0;
416
++                curr->in_group = 0;
417
+             }
418
+         } else if (rule == CIPHER_BUMP) {
419
+             if (curr->active)
420
+@@ -947,8 +953,8 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
421
+      */
422
+     for (i = max_strength_bits; i >= 0; i--)
423
+         if (number_uses[i] > 0)
424
+-            ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p,
425
+-                                  tail_p);
426
++            ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0,
427
++                                  head_p, tail_p);
428
+ 
429
+     OPENSSL_free(number_uses);
430
+     return 1;
431
+@@ -962,7 +968,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
432
+     uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength;
433
+     int min_tls;
434
+     const char *l, *buf;
435
+-    int j, multi, found, rule, retval, ok, buflen;
436
++    int j, multi, found, rule, retval, ok, buflen, in_group = 0, has_group = 0;
437
+     uint32_t cipher_id = 0;
438
+     char ch;
439
+ 
440
+@@ -973,18 +979,66 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
441
+ 
442
+         if (ch == '\0')
443
+             break;              /* done */
444
+-        if (ch == '-') {
445
++        if (in_group) {
446
++            if (ch == ']') {
447
++                if (!in_group) {
448
++                    SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
449
++                           SSL_R_UNEXPECTED_GROUP_CLOSE);
450
++                    retval = found = in_group = 0;
451
++                    break;
452
++                }
453
++                if (*tail_p)
454
++                    (*tail_p)->in_group = 0;
455
++                in_group = 0;
456
++                l++;
457
++                continue;
458
++            }
459
++            if (ch == '|') {
460
++                rule = CIPHER_ADD;
461
++                l++;
462
++                continue;
463
++            } else if (!(ch >= 'a' && ch <= 'z')
464
++                       && !(ch >= 'A' && ch <= 'Z')
465
++                       && !(ch >= '0' && ch <= '9')) {
466
++                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
467
++                       SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
468
++                retval = found = in_group = 0;
469
++                break;
470
++            } else {
471
++                rule = CIPHER_ADD;
472
++            }
473
++        } else if (ch == '-') {
474
+             rule = CIPHER_DEL;
475
+             l++;
476
+         } else if (ch == '+') {
477
+             rule = CIPHER_ORD;
478
+             l++;
479
++        } else if (ch == '!' && has_group) {
480
++            SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
481
++                   SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
482
++            retval = found = in_group = 0;
483
++            break;
484
+         } else if (ch == '!') {
485
+             rule = CIPHER_KILL;
486
+             l++;
487
++        } else if (ch == '@' && has_group) {
488
++            SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
489
++                   SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
490
++            retval = found = in_group = 0;
491
++            break;
492
+         } else if (ch == '@') {
493
+             rule = CIPHER_SPECIAL;
494
+             l++;
495
++        } else if (ch == '[') {
496
++            if (in_group) {
497
++                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_NESTED_GROUP);
498
++                retval = found = in_group = 0;
499
++                break;
500
++            }
501
++            in_group = 1;
502
++            has_group = 1;
503
++            l++;
504
++            continue;
505
+         } else {
506
+             rule = CIPHER_ADD;
507
+         }
508
+@@ -1009,7 +1063,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
509
+             while (((ch >= 'A') && (ch <= 'Z')) ||
510
+                    ((ch >= '0') && (ch <= '9')) ||
511
+                    ((ch >= 'a') && (ch <= 'z')) ||
512
+-                   (ch == '-') || (ch == '.') || (ch == '='))
513
++                   (ch == '-') || (ch == '.') || (ch == '=') || (ch == '_'))
514
+ #else
515
+             while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.')
516
+                    || (ch == '='))
517
+@@ -1026,7 +1080,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
518
+                  * alphanumeric, so we call this an error.
519
+                  */
520
+                 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
521
+-                retval = found = 0;
522
++                retval = found = in_group = 0;
523
+                 l++;
524
+                 break;
525
+             }
526
+@@ -1205,8 +1259,8 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
527
+         } else if (found) {
528
+             ssl_cipher_apply_rule(cipher_id,
529
+                                   alg_mkey, alg_auth, alg_enc, alg_mac,
530
+-                                  min_tls, algo_strength, rule, -1, head_p,
531
+-                                  tail_p);
532
++                                  min_tls, algo_strength, rule, -1, in_group,
533
++                                  head_p, tail_p);
534
+         } else {
535
+             while ((*l != '\0') && !ITEM_SEP(*l))
536
+                 l++;
537
+@@ -1215,6 +1269,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
538
+             break;              /* done */
539
+     }
540
+ 
541
++    if (in_group) {
542
++        SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
543
++        retval = 0;
544
++    }
545
++
546
+     return retval;
547
+ }
548
+ 
549
+@@ -1379,7 +1438,7 @@ int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
550
+ 
551
+     if (ret && ctx->cipher_list != NULL) {
552
+         /* We already have a cipher_list, so we need to update it */
553
+-        return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
554
++        return update_cipher_list(&ctx->cipher_list->ciphers, &ctx->cipher_list_by_id,
555
+                                   ctx->tls13_ciphersuites);
556
+     }
557
+ 
558
+@@ -1392,7 +1451,7 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
559
+ 
560
+     if (ret && s->cipher_list != NULL) {
561
+         /* We already have a cipher_list, so we need to update it */
562
+-        return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
563
++        return update_cipher_list(&s->cipher_list->ciphers, &s->cipher_list_by_id,
564
+                                   s->tls13_ciphersuites);
565
+     }
566
+ 
567
+@@ -1401,17 +1460,20 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
568
+ 
569
+ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
570
+                                              STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
571
+-                                             STACK_OF(SSL_CIPHER) **cipher_list,
572
++                                             struct ssl_cipher_preference_list_st **cipher_list,
573
+                                              STACK_OF(SSL_CIPHER) **cipher_list_by_id,
574
+                                              const char *rule_str,
575
+                                              CERT *c)
576
+ {
577
+-    int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i;
578
++    int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
579
+     uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
580
+-    STACK_OF(SSL_CIPHER) *cipherstack;
581
++    STACK_OF(SSL_CIPHER) *cipherstack = NULL;
582
+     const char *rule_p;
583
+     CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
584
+     const SSL_CIPHER **ca_list = NULL;
585
++    uint8_t *in_group_flags = NULL;
586
++    unsigned int num_in_group_flags = 0;
587
++    struct ssl_cipher_preference_list_st *pref_list = NULL;
588
+ 
589
+     /*
590
+      * Return with error if nothing to do.
591
+@@ -1460,16 +1522,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
592
+      * preference).
593
+      */
594
+     ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
595
+-                          -1, &head, &tail);
596
+-    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head,
597
+-                          &tail);
598
+-    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
599
+-                          &tail);
600
++                          -1, 0, &head, &tail);
601
++    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0,
602
++                          &head, &tail);
603
++    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0,
604
++                          &head, &tail);
605
+ 
606
+     /* Within each strength group, we prefer GCM over CHACHA... */
607
+-    ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
608
++    ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1, 0,
609
+                           &head, &tail);
610
+-    ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
611
++    ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1, 0,
612
+                           &head, &tail);
613
+ 
614
+     /*
615
+@@ -1478,13 +1540,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
616
+      * strength.
617
+      */
618
+     ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
619
+-                          -1, &head, &tail);
620
++                          -1, 0, &head, &tail);
621
+ 
622
+     /* Temporarily enable everything else for sorting */
623
+-    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
624
++    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail);
625
+ 
626
+     /* Low priority for MD5 */
627
+-    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head,
628
++    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, 0, &head,
629
+                           &tail);
630
+ 
631
+     /*
632
+@@ -1492,16 +1554,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
633
+      * disabled. (For applications that allow them, they aren't too bad, but
634
+      * we prefer authenticated ciphers.)
635
+      */
636
+-    ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
637
++    ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
638
+                           &tail);
639
+ 
640
+-    ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
641
++    ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
642
+                           &tail);
643
+-    ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
644
++    ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
645
+                           &tail);
646
+ 
647
+     /* RC4 is sort-of broken -- move to the end */
648
+-    ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head,
649
++    ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
650
+                           &tail);
651
+ 
652
+     /*
653
+@@ -1517,7 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
654
+      * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
655
+      * TODO(openssl-team): is there an easier way to accomplish all this?
656
+      */
657
+-    ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1,
658
++    ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1, 0,
659
+                           &head, &tail);
660
+ 
661
+     /*
662
+@@ -1533,15 +1595,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
663
+      * Because we now bump ciphers to the top of the list, we proceed in
664
+      * reverse order of preference.
665
+      */
666
+-    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1,
667
++    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1, 0,
668
+                           &head, &tail);
669
+     ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, 0, 0, 0,
670
+-                          CIPHER_BUMP, -1, &head, &tail);
671
++                          CIPHER_BUMP, -1, 0, &head, &tail);
672
+     ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0,
673
+-                          CIPHER_BUMP, -1, &head, &tail);
674
++                          CIPHER_BUMP, -1, 0, &head, &tail);
675
++
676
++    ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_3_VERSION, 0, CIPHER_BUMP, -1, 0,
677
++                          &head, &tail);
678
+ 
679
+     /* Now disable everything (maintaining the ordering!) */
680
+-    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
681
++    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail);
682
+ 
683
+     /*
684
+      * We also need cipher aliases for selecting based on the rule_str.
685
+@@ -1555,9 +1620,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
686
+     num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
687
+     ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
688
+     if (ca_list == NULL) {
689
+-        OPENSSL_free(co_list);
690
+         SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
691
+-        return NULL;          /* Failure */
692
++        goto err;               /* Failure */
693
+     }
694
+     ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
695
+                                disabled_mkey, disabled_auth, disabled_enc,
696
+@@ -1582,28 +1646,19 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
697
+ 
698
+     OPENSSL_free(ca_list);      /* Not needed anymore */
699
+ 
700
+-    if (!ok) {                  /* Rule processing failure */
701
+-        OPENSSL_free(co_list);
702
+-        return NULL;
703
+-    }
704
++    if (!ok)
705
++        goto err;               /* Rule processing failure */
706
+ 
707
+     /*
708
+      * Allocate new "cipherstack" for the result, return with error
709
+      * if we cannot get one.
710
+      */
711
+-    if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
712
+-        OPENSSL_free(co_list);
713
+-        return NULL;
714
+-    }
715
++    if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
716
++        goto err;
717
+ 
718
+-    /* Add TLSv1.3 ciphers first - we always prefer those if possible */
719
+-    for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
720
+-        if (!sk_SSL_CIPHER_push(cipherstack,
721
+-                                sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
722
+-            sk_SSL_CIPHER_free(cipherstack);
723
+-            return NULL;
724
+-        }
725
+-    }
726
++    in_group_flags = OPENSSL_malloc(num_of_ciphers);
727
++    if (!in_group_flags)
728
++        goto err;
729
+ 
730
+     /*
731
+      * The cipher selection for the list is done. The ciphers are added
732
+@@ -1611,26 +1666,50 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
733
+      */
734
+     for (curr = head; curr != NULL; curr = curr->next) {
735
+         if (curr->active) {
736
+-            if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
737
+-                OPENSSL_free(co_list);
738
+-                sk_SSL_CIPHER_free(cipherstack);
739
+-                return NULL;
740
+-            }
741
++            if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher))
742
++                goto err;
743
++            in_group_flags[num_in_group_flags++] = curr->in_group;
744
+ #ifdef CIPHER_DEBUG
745
+             fprintf(stderr, "<%s>\n", curr->cipher->name);
746
+ #endif
747
+         }
748
+     }
749
+-    OPENSSL_free(co_list);      /* Not needed any longer */
750
+ 
751
+-    if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) {
752
+-        sk_SSL_CIPHER_free(cipherstack);
753
+-        return NULL;
754
+-    }
755
+-    sk_SSL_CIPHER_free(*cipher_list);
756
+-    *cipher_list = cipherstack;
757
++    OPENSSL_free(co_list);      /* Not needed any longer */
758
++    co_list = NULL;
759
++
760
++    if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack))
761
++        goto err;
762
++
763
++    pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
764
++    if (!pref_list)
765
++        goto err;
766
++    pref_list->ciphers = cipherstack;
767
++    pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);
768
++    if (!pref_list->in_group_flags)
769
++        goto err;
770
++    memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
771
++    OPENSSL_free(in_group_flags);
772
++    in_group_flags = NULL;
773
++    if (*cipher_list != NULL)
774
++        ssl_cipher_preference_list_free(*cipher_list);
775
++    *cipher_list = pref_list;
776
++    pref_list = NULL;
777
+ 
778
+     return cipherstack;
779
++
780
++err:
781
++    if (co_list)
782
++        OPENSSL_free(co_list);
783
++    if (in_group_flags)
784
++        OPENSSL_free(in_group_flags);
785
++    if (cipherstack)
786
++        sk_SSL_CIPHER_free(cipherstack);
787
++    if (pref_list && pref_list->in_group_flags)
788
++        OPENSSL_free(pref_list->in_group_flags);
789
++    if (pref_list)
790
++        OPENSSL_free(pref_list);
791
++    return NULL;
792
+ }
793
+ 
794
+ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
795
+diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
796
+index 4b12ed1485..cd1a95d1d2 100644
797
+--- a/ssl/ssl_err.c
798
++++ b/ssl/ssl_err.c
799
+@@ -965,6 +965,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
800
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_DH_KEY), "missing tmp dh key"},
801
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_ECDH_KEY),
802
+     "missing tmp ecdh key"},
803
++    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS),
804
++    "mixed special operator with groups"},
805
++    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NESTED_GROUP), "nested group"},
806
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
807
+     "mixed handshake and non handshake data"},
808
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
809
+@@ -1201,11 +1204,14 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
810
+     "unable to load ssl3 md5 routines"},
811
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),
812
+     "unable to load ssl3 sha1 routines"},
813
++    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_GROUP_CLOSE), "unexpected group close"},
814
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_CCS_MESSAGE),
815
+     "unexpected ccs message"},
816
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
817
+     "unexpected end of early data"},
818
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
819
++    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP),
820
++    "unexpected operator in group"},
821
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
822
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
823
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
824
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
825
+index 5bd2fcf5d5..91623b5612 100644
826
+--- a/ssl/ssl_lib.c
827
++++ b/ssl/ssl_lib.c
828
+@@ -1117,6 +1117,71 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
829
+     return X509_VERIFY_PARAM_set1(ssl->param, vpm);
830
+ }
831
+ 
832
++void ssl_cipher_preference_list_free(struct ssl_cipher_preference_list_st
833
++                                     *cipher_list)
834
++{
835
++    sk_SSL_CIPHER_free(cipher_list->ciphers);
836
++    OPENSSL_free(cipher_list->in_group_flags);
837
++    OPENSSL_free(cipher_list);
838
++}
839
++
840
++struct ssl_cipher_preference_list_st*
841
++ssl_cipher_preference_list_dup(struct ssl_cipher_preference_list_st
842
++                               *cipher_list)
843
++{
844
++    struct ssl_cipher_preference_list_st* ret = NULL;
845
++    size_t n = sk_SSL_CIPHER_num(cipher_list->ciphers);
846
++
847
++    ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
848
++    if (!ret)
849
++        goto err;
850
++    ret->ciphers = NULL;
851
++    ret->in_group_flags = NULL;
852
++    ret->ciphers = sk_SSL_CIPHER_dup(cipher_list->ciphers);
853
++    if (!ret->ciphers)
854
++        goto err;
855
++    ret->in_group_flags = OPENSSL_malloc(n);
856
++    if (!ret->in_group_flags)
857
++        goto err;
858
++    memcpy(ret->in_group_flags, cipher_list->in_group_flags, n);
859
++    return ret;
860
++
861
++err:
862
++   if (ret->ciphers)
863
++       sk_SSL_CIPHER_free(ret->ciphers);
864
++   if (ret)
865
++       OPENSSL_free(ret);
866
++   return NULL;
867
++}
868
++
869
++struct ssl_cipher_preference_list_st*
870
++ssl_cipher_preference_list_from_ciphers(STACK_OF(SSL_CIPHER) *ciphers)
871
++{
872
++    struct ssl_cipher_preference_list_st* ret = NULL;
873
++    size_t n = sk_SSL_CIPHER_num(ciphers);
874
++
875
++    ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
876
++    if (!ret)
877
++        goto err;
878
++    ret->ciphers = NULL;
879
++    ret->in_group_flags = NULL;
880
++    ret->ciphers = sk_SSL_CIPHER_dup(ciphers);
881
++    if (!ret->ciphers)
882
++        goto err;
883
++    ret->in_group_flags = OPENSSL_malloc(n);
884
++    if (!ret->in_group_flags)
885
++        goto err;
886
++    memset(ret->in_group_flags, 0, n);
887
++    return ret;
888
++
889
++err:
890
++    if (ret->ciphers)
891
++        sk_SSL_CIPHER_free(ret->ciphers);
892
++    if (ret)
893
++        OPENSSL_free(ret);
894
++    return NULL;
895
++}
896
++
897
+ X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
898
+ {
899
+     return ctx->param;
900
+@@ -1157,7 +1222,8 @@ void SSL_free(SSL *s)
901
+     BUF_MEM_free(s->init_buf);
902
+ 
903
+     /* add extra stuff */
904
+-    sk_SSL_CIPHER_free(s->cipher_list);
905
++    if (s->cipher_list != NULL)
906
++        ssl_cipher_preference_list_free(s->cipher_list);
907
+     sk_SSL_CIPHER_free(s->cipher_list_by_id);
908
+     sk_SSL_CIPHER_free(s->tls13_ciphersuites);
909
+ 
910
+@@ -2427,9 +2493,9 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
911
+ {
912
+     if (s != NULL) {
913
+         if (s->cipher_list != NULL) {
914
+-            return s->cipher_list;
915
++            return (s->cipher_list->ciphers);
916
+         } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) {
917
+-            return s->ctx->cipher_list;
918
++            return (s->ctx->cipher_list->ciphers);
919
+         }
920
+     }
921
+     return NULL;
922
+@@ -2503,8 +2569,8 @@ const char *SSL_get_cipher_list(const SSL *s, int n)
923
+  * preference */
924
+ STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
925
+ {
926
+-    if (ctx != NULL)
927
+-        return ctx->cipher_list;
928
++    if (ctx != NULL && ctx->cipher_list != NULL)
929
++        return ctx->cipher_list->ciphers;
930
+     return NULL;
931
+ }
932
+ 
933
+@@ -2955,7 +3021,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
934
+                                 ret->tls13_ciphersuites,
935
+                                 &ret->cipher_list, &ret->cipher_list_by_id,
936
+                                 SSL_DEFAULT_CIPHER_LIST, ret->cert)
937
+-        || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
938
++        || sk_SSL_CIPHER_num(ret->cipher_list->ciphers) <= 0) {
939
+         SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
940
+         goto err2;
941
+     }
942
+@@ -3131,7 +3197,7 @@ void SSL_CTX_free(SSL_CTX *a)
943
+ #ifndef OPENSSL_NO_CT
944
+     CTLOG_STORE_free(a->ctlog_store);
945
+ #endif
946
+-    sk_SSL_CIPHER_free(a->cipher_list);
947
++    ssl_cipher_preference_list_free(a->cipher_list);
948
+     sk_SSL_CIPHER_free(a->cipher_list_by_id);
949
+     sk_SSL_CIPHER_free(a->tls13_ciphersuites);
950
+     ssl_cert_free(a->cert);
951
+@@ -3809,13 +3875,15 @@ SSL *SSL_dup(SSL *s)
952
+ 
953
+     /* dup the cipher_list and cipher_list_by_id stacks */
954
+     if (s->cipher_list != NULL) {
955
+-        if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
956
++        ret->cipher_list = ssl_cipher_preference_list_dup(s->cipher_list);
957
++        if (ret->cipher_list == NULL)
958
+             goto err;
959
+     }
960
+-    if (s->cipher_list_by_id != NULL)
961
+-        if ((ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id))
962
+-            == NULL)
963
++    if (s->cipher_list_by_id != NULL) {
964
++        ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id);
965
++        if (ret->cipher_list_by_id == NULL)
966
+             goto err;
967
++    }
968
+ 
969
+     /* Dup the client_CA list */
970
+     if (!dup_ca_names(&ret->ca_names, s->ca_names)
971
+diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
972
+index 6559012f30..1e0cddfa7b 100644
973
+--- a/ssl/ssl_locl.h
974
++++ b/ssl/ssl_locl.h
975
+@@ -741,9 +741,46 @@ typedef struct ssl_ctx_ext_secure_st {
976
+     unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
977
+ } SSL_CTX_EXT_SECURE;
978
+ 
979
++/* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
980
++ * equal-preference groups. For TLS clients, the groups are moot because the
981
++ * server picks the cipher and groups cannot be expressed on the wire. However,
982
++ * for servers, the equal-preference groups allow the client's preferences to
983
++ * be partially respected. (This only has an effect with
984
++ * SSL_OP_CIPHER_SERVER_PREFERENCE).
985
++ *
986
++ * The equal-preference groups are expressed by grouping SSL_CIPHERs together.
987
++ * All elements of a group have the same priority: no ordering is expressed
988
++ * within a group.
989
++ *
990
++ * The values in |ciphers| are in one-to-one correspondence with
991
++ * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
992
++ * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
993
++ * indicate that the corresponding SSL_CIPHER is not the last element of a
994
++ * group, or 0 to indicate that it is.
995
++ *
996
++ * For example, if |in_group_flags| contains all zeros then that indicates a
997
++ * traditional, fully-ordered preference. Every SSL_CIPHER is the last element
998
++ * of the group (i.e. they are all in a one-element group).
999
++ *
1000
++ * For a more complex example, consider:
1001
++ *   ciphers:        A  B  C  D  E  F
1002
++ *   in_group_flags: 1  1  0  0  1  0
1003
++ *
1004
++ * That would express the following, order:
1005
++ *
1006
++ *    A         E
1007
++ *    B -> D -> F
1008
++ *    C
1009
++ */
1010
++struct ssl_cipher_preference_list_st {
1011
++   STACK_OF(SSL_CIPHER) *ciphers;
1012
++   uint8_t *in_group_flags;
1013
++};
1014
++
1015
++
1016
+ struct ssl_ctx_st {
1017
+     const SSL_METHOD *method;
1018
+-    STACK_OF(SSL_CIPHER) *cipher_list;
1019
++    struct ssl_cipher_preference_list_st *cipher_list;
1020
+     /* same as above but sorted for lookup */
1021
+     STACK_OF(SSL_CIPHER) *cipher_list_by_id;
1022
+     /* TLSv1.3 specific ciphersuites */
1023
+@@ -1138,7 +1175,7 @@ struct ssl_st {
1024
+     /* Per connection DANE state */
1025
+     SSL_DANE dane;
1026
+     /* crypto */
1027
+-    STACK_OF(SSL_CIPHER) *cipher_list;
1028
++    struct ssl_cipher_preference_list_st *cipher_list;
1029
+     STACK_OF(SSL_CIPHER) *cipher_list_by_id;
1030
+     /* TLSv1.3 specific ciphersuites */
1031
+     STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
1032
+@@ -2263,7 +2300,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
1033
+                                  const SSL_CIPHER *const *bp);
1034
+ __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1035
+                                                     STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
1036
+-                                                    STACK_OF(SSL_CIPHER) **cipher_list,
1037
++                                                    struct ssl_cipher_preference_list_st **cipher_list,
1038
+                                                     STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1039
+                                                     const char *rule_str,
1040
+                                                     CERT *c);
1041
+@@ -2273,6 +2310,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
1042
+                                 STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
1043
+                                 int fatal);
1044
+ void ssl_update_cache(SSL *s, int mode);
1045
++struct ssl_cipher_preference_list_st* ssl_cipher_preference_list_dup(
1046
++        struct ssl_cipher_preference_list_st *cipher_list);
1047
++void ssl_cipher_preference_list_free(
1048
++        struct ssl_cipher_preference_list_st *cipher_list);
1049
++struct ssl_cipher_preference_list_st* ssl_cipher_preference_list_from_ciphers(
1050
++        STACK_OF(SSL_CIPHER) *ciphers);
1051
++struct ssl_cipher_preference_list_st* ssl_get_cipher_preferences(SSL *s);
1052
+ __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
1053
+                               const EVP_MD **md, int *mac_pkey_type,
1054
+                               size_t *mac_secret_size, SSL_COMP **comp,
1055
+@@ -2356,7 +2400,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
1056
+                                             CERT_PKEY *cpk);
1057
+ __owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
1058
+                                             STACK_OF(SSL_CIPHER) *clnt,
1059
+-                                            STACK_OF(SSL_CIPHER) *srvr);
1060
++                                            struct ssl_cipher_preference_list_st *srvr);
1061
+ __owur int ssl3_digest_cached_records(SSL *s, int keep);
1062
+ __owur int ssl3_new(SSL *s);
1063
+ void ssl3_free(SSL *s);
1064
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
1065
+index 0eab35c5c8..21f3dd707e 100644
1066
+--- a/ssl/statem/statem_srvr.c
1067
++++ b/ssl/statem/statem_srvr.c
1068
+@@ -1750,7 +1750,7 @@ static int tls_early_post_process_client_hello(SSL *s)
1069
+     /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
1070
+     if (SSL_IS_TLS13(s)) {
1071
+         const SSL_CIPHER *cipher =
1072
+-            ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
1073
++            ssl3_choose_cipher(s, ciphers, ssl_get_cipher_preferences(s));
1074
+ 
1075
+         if (cipher == NULL) {
1076
+             SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1077
+@@ -1931,7 +1931,7 @@ static int tls_early_post_process_client_hello(SSL *s)
1078
+             /* check if some cipher was preferred by call back */
1079
+             if (pref_cipher == NULL)
1080
+                 pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
1081
+-                                                 SSL_get_ciphers(s));
1082
++                                                 ssl_get_cipher_preferences(s));
1083
+             if (pref_cipher == NULL) {
1084
+                 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1085
+                          SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1086
+@@ -1940,8 +1940,9 @@ static int tls_early_post_process_client_hello(SSL *s)
1087
+             }
1088
+ 
1089
+             s->session->cipher = pref_cipher;
1090
+-            sk_SSL_CIPHER_free(s->cipher_list);
1091
+-            s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
1092
++            ssl_cipher_preference_list_free(s->cipher_list);
1093
++            s->cipher_list = ssl_cipher_preference_list_from_ciphers(
1094
++                                                       s->session->ciphers);
1095
+             sk_SSL_CIPHER_free(s->cipher_list_by_id);
1096
+             s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
1097
+         }
1098
+@@ -2255,7 +2256,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
1099
+             /* In TLSv1.3 we selected the ciphersuite before resumption */
1100
+             if (!SSL_IS_TLS13(s)) {
1101
+                 cipher =
1102
+-                    ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
1103
++                    ssl3_choose_cipher(s, s->session->ciphers, ssl_get_cipher_preferences(s));
1104
+ 
1105
+                 if (cipher == NULL) {
1106
+                     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,

+ 13
- 13
openssl-equal-3.0.0-dev.patch View File

@@ -46,7 +46,7 @@ index 9d6e1c5024..cee7db9a25 100644
46 46
  /*
47 47
   * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
48 48
 diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
49
-index f8783717bc..0e7ad2818b 100644
49
+index 63057517dc..97ccb41d43 100644
50 50
 --- a/include/openssl/sslerr.h
51 51
 +++ b/include/openssl/sslerr.h
52 52
 @@ -596,6 +596,8 @@ int ERR_load_SSL_strings(void);
@@ -55,10 +55,10 @@ index f8783717bc..0e7ad2818b 100644
55 55
  # define SSL_R_MISSING_TMP_ECDH_KEY                       311
56 56
 +# define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS         101
57 57
 +# define SSL_R_NESTED_GROUP                               108
58
+ # define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA     293
58 59
  # define SSL_R_NOT_ON_RECORD_BOUNDARY                     182
59 60
  # define SSL_R_NOT_REPLACING_CERTIFICATE                  289
60
- # define SSL_R_NOT_SERVER                                 284
61
-@@ -726,9 +728,11 @@ int ERR_load_SSL_strings(void);
61
+@@ -727,9 +729,11 @@ int ERR_load_SSL_strings(void);
62 62
  # define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS       239
63 63
  # define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES           242
64 64
  # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES          243
@@ -758,7 +758,7 @@ index 461a9debab..c8d8517735 100644
758 758
  
759 759
  char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
760 760
 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
761
-index 7b06878cef..4e03448e95 100644
761
+index ceae87bbc9..46521b7136 100644
762 762
 --- a/ssl/ssl_err.c
763 763
 +++ b/ssl/ssl_err.c
764 764
 @@ -965,6 +965,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
@@ -766,12 +766,12 @@ index 7b06878cef..4e03448e95 100644
766 766
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_ECDH_KEY),
767 767
      "missing tmp ecdh key"},
768 768
 +    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS),
769
-+     "mixed special operator with groups"},
769
++    "mixed special operator with groups"},
770 770
 +    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NESTED_GROUP), "nested group"},
771
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
772
+     "mixed handshake and non handshake data"},
771 773
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
772
-     "not on record boundary"},
773
-     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_REPLACING_CERTIFICATE),
774
-@@ -1199,11 +1202,14 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
774
+@@ -1201,11 +1204,14 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
775 775
      "unable to load ssl3 md5 routines"},
776 776
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),
777 777
      "unable to load ssl3 sha1 routines"},
@@ -782,7 +782,7 @@ index 7b06878cef..4e03448e95 100644
782 782
      "unexpected end of early data"},
783 783
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
784 784
 +    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP),
785
-+     "unexpected operator in group"},
785
++    "unexpected operator in group"},
786 786
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
787 787
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
788 788
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
@@ -934,7 +934,7 @@ index 322a4381b0..ac33c35560 100644
934 934
      /* Dup the client_CA list */
935 935
      if (!dup_ca_names(&ret->ca_names, s->ca_names)
936 936
 diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
937
-index bd0d4210f4..8973b7b3a1 100644
937
+index ae6417b592..9f839acc74 100644
938 938
 --- a/ssl/ssl_locl.h
939 939
 +++ b/ssl/ssl_locl.h
940 940
 @@ -745,9 +745,46 @@ typedef struct ssl_ctx_ext_secure_st {
@@ -994,7 +994,7 @@ index bd0d4210f4..8973b7b3a1 100644
994 994
      STACK_OF(SSL_CIPHER) *cipher_list_by_id;
995 995
      /* TLSv1.3 specific ciphersuites */
996 996
      STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
997
-@@ -2277,7 +2314,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
997
+@@ -2275,7 +2312,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
998 998
                                   const SSL_CIPHER *const *bp);
999 999
  __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1000 1000
                                                      STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
@@ -1003,7 +1003,7 @@ index bd0d4210f4..8973b7b3a1 100644
1003 1003
                                                      STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1004 1004
                                                      const char *rule_str,
1005 1005
                                                      CERT *c);
1006
-@@ -2287,6 +2324,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
1006
+@@ -2285,6 +2322,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
1007 1007
                                  STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
1008 1008
                                  int fatal);
1009 1009
  void ssl_update_cache(SSL *s, int mode);
@@ -1017,7 +1017,7 @@ index bd0d4210f4..8973b7b3a1 100644
1017 1017
  __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
1018 1018
                                const EVP_MD **md, int *mac_pkey_type,
1019 1019
                                size_t *mac_secret_size, SSL_COMP **comp,
1020
-@@ -2370,7 +2414,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
1020
+@@ -2368,7 +2412,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
1021 1021
                                              CERT_PKEY *cpk);
1022 1022
  __owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
1023 1023
                                              STACK_OF(SSL_CIPHER) *clnt,

+ 13
- 13
openssl-equal-3.0.0-dev_ciphers.patch View File

@@ -25,7 +25,7 @@ index e29c5d7ced..b5bca974c9 100644
25 25
  
26 26
  The following lists give the SSL or TLS cipher suites names from the
27 27
 diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
28
-index f8783717bc..0e7ad2818b 100644
28
+index 63057517dc..97ccb41d43 100644
29 29
 --- a/include/openssl/sslerr.h
30 30
 +++ b/include/openssl/sslerr.h
31 31
 @@ -596,6 +596,8 @@ int ERR_load_SSL_strings(void);
@@ -34,10 +34,10 @@ index f8783717bc..0e7ad2818b 100644
34 34
  # define SSL_R_MISSING_TMP_ECDH_KEY                       311
35 35
 +# define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS         101
36 36
 +# define SSL_R_NESTED_GROUP                               108
37
+ # define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA     293
37 38
  # define SSL_R_NOT_ON_RECORD_BOUNDARY                     182
38 39
  # define SSL_R_NOT_REPLACING_CERTIFICATE                  289
39
- # define SSL_R_NOT_SERVER                                 284
40
-@@ -726,9 +728,11 @@ int ERR_load_SSL_strings(void);
40
+@@ -727,9 +729,11 @@ int ERR_load_SSL_strings(void);
41 41
  # define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS       239
42 42
  # define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES           242
43 43
  # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES          243
@@ -793,7 +793,7 @@ index 461a9debab..8eb18f0e28 100644
793 793
  
794 794
  char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
795 795
 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
796
-index 7b06878cef..4e03448e95 100644
796
+index ceae87bbc9..46521b7136 100644
797 797
 --- a/ssl/ssl_err.c
798 798
 +++ b/ssl/ssl_err.c
799 799
 @@ -965,6 +965,9 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
@@ -801,12 +801,12 @@ index 7b06878cef..4e03448e95 100644
801 801
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_ECDH_KEY),
802 802
      "missing tmp ecdh key"},
803 803
 +    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS),
804
-+     "mixed special operator with groups"},
804
++    "mixed special operator with groups"},
805 805
 +    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NESTED_GROUP), "nested group"},
806
+     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
807
+     "mixed handshake and non handshake data"},
806 808
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
807
-     "not on record boundary"},
808
-     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_REPLACING_CERTIFICATE),
809
-@@ -1199,11 +1202,14 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
809
+@@ -1201,11 +1204,14 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
810 810
      "unable to load ssl3 md5 routines"},
811 811
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),
812 812
      "unable to load ssl3 sha1 routines"},
@@ -817,7 +817,7 @@ index 7b06878cef..4e03448e95 100644
817 817
      "unexpected end of early data"},
818 818
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
819 819
 +    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP),
820
-+     "unexpected operator in group"},
820
++    "unexpected operator in group"},
821 821
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
822 822
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
823 823
      {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
@@ -969,7 +969,7 @@ index 322a4381b0..ac33c35560 100644
969 969
      /* Dup the client_CA list */
970 970
      if (!dup_ca_names(&ret->ca_names, s->ca_names)
971 971
 diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
972
-index bd0d4210f4..8973b7b3a1 100644
972
+index ae6417b592..9f839acc74 100644
973 973
 --- a/ssl/ssl_locl.h
974 974
 +++ b/ssl/ssl_locl.h
975 975
 @@ -745,9 +745,46 @@ typedef struct ssl_ctx_ext_secure_st {
@@ -1029,7 +1029,7 @@ index bd0d4210f4..8973b7b3a1 100644
1029 1029
      STACK_OF(SSL_CIPHER) *cipher_list_by_id;
1030 1030
      /* TLSv1.3 specific ciphersuites */
1031 1031
      STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
1032
-@@ -2277,7 +2314,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
1032
+@@ -2275,7 +2312,7 @@ __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
1033 1033
                                   const SSL_CIPHER *const *bp);
1034 1034
  __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1035 1035
                                                      STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
@@ -1038,7 +1038,7 @@ index bd0d4210f4..8973b7b3a1 100644
1038 1038
                                                      STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1039 1039
                                                      const char *rule_str,
1040 1040
                                                      CERT *c);
1041
-@@ -2287,6 +2324,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
1041
+@@ -2285,6 +2322,13 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
1042 1042
                                  STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
1043 1043
                                  int fatal);
1044 1044
  void ssl_update_cache(SSL *s, int mode);
@@ -1052,7 +1052,7 @@ index bd0d4210f4..8973b7b3a1 100644
1052 1052
  __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
1053 1053
                                const EVP_MD **md, int *mac_pkey_type,
1054 1054
                                size_t *mac_secret_size, SSL_COMP **comp,
1055
-@@ -2370,7 +2414,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
1055
+@@ -2368,7 +2412,7 @@ __owur unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt,
1056 1056
                                              CERT_PKEY *cpk);
1057 1057
  __owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
1058 1058
                                              STACK_OF(SSL_CIPHER) *clnt,

Loading…
Cancel
Save