Support equal preference cipher suites group for ubuntu xenial openssl package

equal-preference-group.patch

  Support equal preference group
  * This patch requires the preceding chacha20poly1305.patch.
  * Ciphersuites in equal preference group are hard coded.
    The following ciphersuites:
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_RSA_CHACHA20_POLY1305_OLD
      TLS_ECDHE_ECDSA_CHACHA20_POLY1305_OLD
      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    If you want to add or delete ciphersuites then add or remove
    SSL_CIPHER_ALGORITHM2_EQUAL_PREFERENCE_GROUP macro.

diff -ur openssl-1.0.2g-1ubuntu4.3+ore1 +equal-preference-group
--- a/ssl/s3_lib.c	2016-08-29 20:00:00.000000000 +0900
+++ b/ssl/s3_lib.c	2016-09-10 19:04:58.000000000 +0900
@@ -2774,7 +2774,8 @@
      SSL_AEAD,
      SSL_TLSV1_2,
      SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 |
+             SSL_CIPHER_ALGORITHM2_EQUAL_PREFERENCE_GROUP,
      128,
      128,
      },
@@ -2790,7 +2791,8 @@
      SSL_AEAD,
      SSL_TLSV1_2,
      SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
+     SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 |
+             SSL_CIPHER_ALGORITHM2_EQUAL_PREFERENCE_GROUP,
      256,
      256,
      },
@@ -2838,7 +2840,8 @@
      SSL_AEAD,
      SSL_TLSV1_2,
      SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 |
+             SSL_CIPHER_ALGORITHM2_EQUAL_PREFERENCE_GROUP,
      128,
      128,
      },
@@ -2854,7 +2857,8 @@
      SSL_AEAD,
      SSL_TLSV1_2,
      SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
+     SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 |
+             SSL_CIPHER_ALGORITHM2_EQUAL_PREFERENCE_GROUP,
      256,
      256,
      },
@@ -2963,7 +2967,7 @@
      SSL_TLSV1_2,
      SSL_NOT_EXP | SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
-             FIXED_NONCE_LEN(0),
+             FIXED_NONCE_LEN(0) | SSL_CIPHER_ALGORITHM2_EQUAL_PREFERENCE_GROUP,
      256,
      0,
      },
@@ -2980,7 +2984,7 @@
      SSL_TLSV1_2,
      SSL_NOT_EXP | SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
-             FIXED_NONCE_LEN(0),
+             FIXED_NONCE_LEN(0) | SSL_CIPHER_ALGORITHM2_EQUAL_PREFERENCE_GROUP,
      256,
      0,
      },
@@ -3014,7 +3018,8 @@
      SSL_TLSV1_2,
      SSL_NOT_EXP | SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
-             SSL_CIPHER_ALGORITHM2_XOR_FIXED_NONCE | FIXED_NONCE_LEN(12),
+             SSL_CIPHER_ALGORITHM2_XOR_FIXED_NONCE | FIXED_NONCE_LEN(12) |
+             SSL_CIPHER_ALGORITHM2_EQUAL_PREFERENCE_GROUP,
      256,
      256,
      },
@@ -3031,7 +3036,8 @@
      SSL_TLSV1_2,
      SSL_NOT_EXP | SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
-             SSL_CIPHER_ALGORITHM2_XOR_FIXED_NONCE | FIXED_NONCE_LEN(12),
+             SSL_CIPHER_ALGORITHM2_XOR_FIXED_NONCE | FIXED_NONCE_LEN(12) |
+             SSL_CIPHER_ALGORITHM2_EQUAL_PREFERENCE_GROUP,
      256,
      256,
      },
@@ -4199,6 +4205,15 @@
     int i, ii, ok;
     CERT *cert;
     unsigned long alg_k, alg_a, mask_k, mask_a, emask_k, emask_a;
+    /*
+     * group_min contains the minimal index so far found in a group, or -1 if
+     * no such value exists yet.
+     */
+    int group_min = -1;
+    /* cipher index: found first and for old Safari */
+    int i_first = -1, i_bad_safari = -1;
+    /* flag that use equal preference group */
+    int equal_pr_group = 0;
 
     /* Let's see which ciphers we can support */
     cert = s->cert;
@@ -4232,6 +4247,7 @@
     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) {
         prio = srvr;
         allow = clnt;
+        equal_pr_group = 1;
     } else {
         prio = clnt;
         allow = srvr;
@@ -4242,6 +4258,12 @@
     for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
         c = sk_SSL_CIPHER_value(prio, i);
 
+#define IS_EQUAL_PREFERENCE_GROUP(cipher) \
+    (cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_EQUAL_PREFERENCE_GROUP)
+        /* Skip ciphers not in group if already found a prefer group cipher */
+        if (equal_pr_group && group_min >= 0 && !(IS_EQUAL_PREFERENCE_GROUP(c)))
+            continue;
+
         /* Skip TLS v1.2 only ciphersuites if not supported */
         if ((c->algorithm_ssl & SSL_TLSV1_2) && !SSL_USE_TLS1_2_CIPHERS(s))
             continue;
@@ -4316,15 +4338,27 @@
 #if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
             if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA)
                 && s->s3->is_probably_safari) {
-                if (!ret)
-                    ret = sk_SSL_CIPHER_value(allow, ii);
+                /* buggy old Safari does not support TLS v1.2 */
+                if (i_bad_safari < 0)
+                    i_bad_safari = ii;
                 continue;
             }
 #endif
-            ret = sk_SSL_CIPHER_value(allow, ii);
-            break;
+            if (equal_pr_group && IS_EQUAL_PREFERENCE_GROUP(c))
+                if (group_min < 0 || ii < group_min)
+                    group_min = ii;
+
+            if (i_first < 0)
+                i_first = ii;
+
+            if (!equal_pr_group)
+                break;
         }
     }
+    /* get available cipher index */
+    ii = group_min >= 0 ? group_min : (i_first >= 0 ? i_first : i_bad_safari);
+    if (ii >= 0)
+        ret = sk_SSL_CIPHER_value(allow, ii);
     return (ret);
 }
 
diff -ur openssl-1.0.2g-1ubuntu4.3+ore1 +equal-preference-group
--- a/ssl/ssl_locl.h	2016-08-29 20:00:00.000000000 +0900
+++ b/ssl/ssl_locl.h	2016-09-10 19:12:31.000000000 +0900
@@ -426,6 +426,10 @@
  * which indicates that XOR the fixed nonce. (CHACHA20-POLY1305, for example) */
 #define SSL_CIPHER_ALGORITHM2_XOR_FIXED_NONCE (1 << 24)
 
+/* SSL_CIPHER_ALGORITHM2_EQUAL_PREFERENCE_GROUP is a flag in SSL_CIPHER
+ * .algorithm2 which indicates that the cipher is in equal preference group. */
+# define SSL_CIPHER_ALGORITHM2_EQUAL_PREFERENCE_GROUP (1 << 28)
+
 /*
  * Export and cipher strength information. For each cipher we have to decide
  * whether it is exportable or not. This information is likely to change

This patch requires the preceding chacha20poly1305.patch.
How to build packages:

apt-get -d source openssl
tar xf openssl_1.0.2g.orig.tar.gz
cd openssl-1.0.2g
tar xf ../openssl_1.0.2g-1ubuntu4.3.debian.tar.xz
cp -av (openssl-chacha20poly1305 repository)/xenial/debian/* debian/
cp (somewhere)/equal-preference-group.patch debian/patches/
echo equal-preference-group.patch >> debian/patches/series
vi debian/changelog  # add description about equal-preference-group
debuild -uc -us

This patch is also available for debian jessie-backports (openssl 1.0.2h-1~bpo8).