openssl-1.1.1.patch

Add TLS 1.3 Support.
Add BoringSSL's Equal Preference Support.
Add ChaCha20-Poly1305 Draft Version Support.

Using: patch -p1 < openssl-1.1.1.patch

diff --color -uNr a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c
--- a/crypto/evp/c_allc.c	2022-11-01 20:36:10.000000000 +0800
+++ b/crypto/evp/c_allc.c	2022-12-25 15:28:59.857389551 +0800
@@ -261,6 +261,7 @@
     EVP_add_cipher(EVP_chacha20());
 # ifndef OPENSSL_NO_POLY1305
     EVP_add_cipher(EVP_chacha20_poly1305());
+    EVP_add_cipher(EVP_chacha20_poly1305_draft());
 # endif
 #endif
 }
diff --color -uNr a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
--- a/crypto/evp/e_chacha20_poly1305.c	2022-11-01 20:36:10.000000000 +0800
+++ b/crypto/evp/e_chacha20_poly1305.c	2022-12-25 15:28:59.857389551 +0800
@@ -156,6 +156,7 @@
     struct { uint64_t aad, text; } len;
     int aad, mac_inited, tag_len, nonce_len;
     size_t tls_payload_length;
+    unsigned char draft:1;
 } EVP_CHACHA_AEAD_CTX;
 
 #  define NO_TLS_PAYLOAD_LENGTH ((size_t)-1)
@@ -176,6 +177,7 @@
     actx->aad = 0;
     actx->mac_inited = 0;
     actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
+    actx->draft = 0;
 
     if (iv != NULL) {
         unsigned char temp[CHACHA_CTR_SIZE] = { 0 };
@@ -197,6 +199,27 @@
     return 1;
 }
 
+static int chacha20_poly1305_draft_init_key(EVP_CIPHER_CTX *ctx,
+   const unsigned char *inkey,
+   const unsigned char *iv, int enc)
+{
+    EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
+
+    if (!inkey)
+        return 1;
+
+    actx->len.aad = 0;
+    actx->len.text = 0;
+    actx->aad = 0;
+    actx->mac_inited = 0;
+    actx->tls_payload_length = NO_TLS_PAYLOAD_LENGTH;
+    actx->draft = 1;
+
+    chacha_init_key(ctx, inkey, NULL, enc);
+
+    return 1;
+}
+
 #  if !defined(OPENSSL_SMALL_FOOTPRINT)
 
 #   if defined(POLY1305_ASM) && (defined(__x86_64) || defined(__x86_64__) || \
@@ -367,10 +390,11 @@
 {
     EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
     size_t rem, plen = actx->tls_payload_length;
+    uint64_t thirteen = EVP_AEAD_TLS1_AAD_LEN;
 
     if (!actx->mac_inited) {
 #  if !defined(OPENSSL_SMALL_FOOTPRINT)
-        if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL)
+        if (plen != NO_TLS_PAYLOAD_LENGTH && out != NULL && !actx->draft)
             return chacha20_poly1305_tls_cipher(ctx, out, in, len);
 #  endif
         actx->key.counter[0] = 0;
@@ -397,9 +421,14 @@
             return len;
         } else {                                /* plain- or ciphertext */
             if (actx->aad) {                    /* wrap up aad */
-                if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
-                    Poly1305_Update(POLY1305_ctx(actx), zero,
-                                    POLY1305_BLOCK_SIZE - rem);
+                if (actx->draft) {
+                    thirteen = actx->len.aad;
+                    Poly1305_Update(POLY1305_ctx(actx), (const unsigned char *)&thirteen, sizeof(thirteen));
+                } else {
+                    if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
+                        Poly1305_Update(POLY1305_ctx(actx), zero,
+                                        POLY1305_BLOCK_SIZE - rem);
+                }
                 actx->aad = 0;
             }
 
@@ -432,40 +461,52 @@
         } is_endian = { 1 };
         unsigned char temp[POLY1305_BLOCK_SIZE];
 
+        if (actx->draft) {
+            thirteen = actx->len.text;
+            Poly1305_Update(POLY1305_ctx(actx), (const unsigned char *)&thirteen, sizeof(thirteen));
+        }
+
         if (actx->aad) {                        /* wrap up aad */
-            if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
-                Poly1305_Update(POLY1305_ctx(actx), zero,
-                                POLY1305_BLOCK_SIZE - rem);
+            if (actx->draft) {
+               thirteen = actx->len.aad;
+               Poly1305_Update(POLY1305_ctx(actx), (const unsigned char *)&thirteen, sizeof(thirteen));
+            } else {
+                if ((rem = (size_t)actx->len.aad % POLY1305_BLOCK_SIZE))
+                    Poly1305_Update(POLY1305_ctx(actx), zero,
+                                    POLY1305_BLOCK_SIZE - rem);
+            }
             actx->aad = 0;
         }
 
-        if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
-            Poly1305_Update(POLY1305_ctx(actx), zero,
-                            POLY1305_BLOCK_SIZE - rem);
+        if (!actx->draft) {
+            if ((rem = (size_t)actx->len.text % POLY1305_BLOCK_SIZE))
+                Poly1305_Update(POLY1305_ctx(actx), zero,
+                                POLY1305_BLOCK_SIZE - rem);
 
-        if (is_endian.little) {
-            Poly1305_Update(POLY1305_ctx(actx),
-                            (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
-        } else {
-            temp[0]  = (unsigned char)(actx->len.aad);
-            temp[1]  = (unsigned char)(actx->len.aad>>8);
-            temp[2]  = (unsigned char)(actx->len.aad>>16);
-            temp[3]  = (unsigned char)(actx->len.aad>>24);
-            temp[4]  = (unsigned char)(actx->len.aad>>32);
-            temp[5]  = (unsigned char)(actx->len.aad>>40);
-            temp[6]  = (unsigned char)(actx->len.aad>>48);
-            temp[7]  = (unsigned char)(actx->len.aad>>56);
-
-            temp[8]  = (unsigned char)(actx->len.text);
-            temp[9]  = (unsigned char)(actx->len.text>>8);
-            temp[10] = (unsigned char)(actx->len.text>>16);
-            temp[11] = (unsigned char)(actx->len.text>>24);
-            temp[12] = (unsigned char)(actx->len.text>>32);
-            temp[13] = (unsigned char)(actx->len.text>>40);
-            temp[14] = (unsigned char)(actx->len.text>>48);
-            temp[15] = (unsigned char)(actx->len.text>>56);
+            if (is_endian.little) {
+                Poly1305_Update(POLY1305_ctx(actx),
+                                (unsigned char *)&actx->len, POLY1305_BLOCK_SIZE);
+            } else {
+                temp[0]  = (unsigned char)(actx->len.aad);
+                temp[1]  = (unsigned char)(actx->len.aad>>8);
+                temp[2]  = (unsigned char)(actx->len.aad>>16);
+                temp[3]  = (unsigned char)(actx->len.aad>>24);
+                temp[4]  = (unsigned char)(actx->len.aad>>32);
+                temp[5]  = (unsigned char)(actx->len.aad>>40);
+                temp[6]  = (unsigned char)(actx->len.aad>>48);
+                temp[7]  = (unsigned char)(actx->len.aad>>56);
+
+                temp[8]  = (unsigned char)(actx->len.text);
+                temp[9]  = (unsigned char)(actx->len.text>>8);
+                temp[10] = (unsigned char)(actx->len.text>>16);
+                temp[11] = (unsigned char)(actx->len.text>>24);
+                temp[12] = (unsigned char)(actx->len.text>>32);
+                temp[13] = (unsigned char)(actx->len.text>>40);
+                temp[14] = (unsigned char)(actx->len.text>>48);
+                temp[15] = (unsigned char)(actx->len.text>>56);
 
-            Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);
+                Poly1305_Update(POLY1305_ctx(actx), temp, POLY1305_BLOCK_SIZE);
+            }
         }
         Poly1305_Final(POLY1305_ctx(actx), ctx->encrypt ? actx->tag
                                                         : temp);
@@ -539,12 +580,14 @@
         return 1;
 
     case EVP_CTRL_AEAD_SET_IVLEN:
+        if (actx->draft) return -1;
         if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
             return 0;
         actx->nonce_len = arg;
         return 1;
 
     case EVP_CTRL_AEAD_SET_IV_FIXED:
+        if (actx->draft) return -1;
         if (arg != 12)
             return 0;
         actx->nonce[0] = actx->key.counter[1]
@@ -629,9 +672,32 @@
     NULL        /* app_data */
 };
 
+static EVP_CIPHER chacha20_poly1305_draft = {
+    NID_chacha20_poly1305_draft,
+    1,                  /* block_size */
+    CHACHA_KEY_SIZE,    /* key_len */
+    0,                  /* iv_len, none */
+    EVP_CIPH_FLAG_AEAD_CIPHER | EVP_CIPH_CUSTOM_IV |
+    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
+    EVP_CIPH_CUSTOM_COPY | EVP_CIPH_FLAG_CUSTOM_CIPHER,
+    chacha20_poly1305_draft_init_key,
+    chacha20_poly1305_cipher,
+    chacha20_poly1305_cleanup,
+    0,          /* 0 moves context-specific structure allocation to ctrl */
+    NULL,       /* set_asn1_parameters */
+    NULL,       /* get_asn1_parameters */
+    chacha20_poly1305_ctrl,
+    NULL        /* app_data */
+};
+
 const EVP_CIPHER *EVP_chacha20_poly1305(void)
 {
     return(&chacha20_poly1305);
 }
+
+const EVP_CIPHER *EVP_chacha20_poly1305_draft(void)
+{
+    return(&chacha20_poly1305_draft);
+}
 # endif
 #endif
diff --color -uNr a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
--- a/crypto/objects/obj_dat.h	2022-11-01 20:36:10.000000000 +0800
+++ b/crypto/objects/obj_dat.h	2022-12-25 15:28:59.861389655 +0800
@@ -1078,7 +1078,7 @@
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D,       /* [ 7753] OBJ_hmacWithSHA512_256 */
 };
 
-#define NUM_NID 1195
+#define NUM_NID 1196
 static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"UNDEF", "undefined", NID_undef},
     {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
@@ -2275,9 +2275,10 @@
     {"magma-mac", "magma-mac", NID_magma_mac},
     {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]},
     {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]},
+    {"ChaCha20-Poly1305-D", "chacha20-poly1305-draft", NID_chacha20_poly1305_draft},
 };
 
-#define NUM_SN 1186
+#define NUM_SN 1187
 static const unsigned int sn_objs[NUM_SN] = {
      364,    /* "AD_DVCS" */
      419,    /* "AES-128-CBC" */
@@ -2395,6 +2396,7 @@
      417,    /* "CSPName" */
     1019,    /* "ChaCha20" */
     1018,    /* "ChaCha20-Poly1305" */
+    1195,    /* "ChaCha20-Poly1305-D" */
      367,    /* "CrlID" */
      391,    /* "DC" */
       31,    /* "DES-CBC" */
@@ -3467,7 +3469,7 @@
     1093,    /* "x509ExtAdmission" */
 };
 
-#define NUM_LN 1186
+#define NUM_LN 1187
 static const unsigned int ln_objs[NUM_LN] = {
      363,    /* "AD Time Stamping" */
      405,    /* "ANSI X9.62" */
@@ -3846,6 +3848,7 @@
      883,    /* "certificateRevocationList" */
     1019,    /* "chacha20" */
     1018,    /* "chacha20-poly1305" */
+    1195,    /* "chacha20-poly1305-draft" */
       54,    /* "challengePassword" */
      407,    /* "characteristic-two-field" */
      395,    /* "clearance" */
diff --color -uNr a/crypto/objects/objects.txt b/crypto/objects/objects.txt
--- a/crypto/objects/objects.txt	2022-11-01 20:36:10.000000000 +0800
+++ b/crypto/objects/objects.txt	2022-12-25 15:28:59.862389681 +0800
@@ -1534,6 +1534,7 @@
 			: AES-192-CBC-HMAC-SHA256	: aes-192-cbc-hmac-sha256
 			: AES-256-CBC-HMAC-SHA256	: aes-256-cbc-hmac-sha256
 			: ChaCha20-Poly1305		: chacha20-poly1305
+			: ChaCha20-Poly1305-D		: chacha20-poly1305-draft
 			: ChaCha20			: chacha20
 
 ISO-US 10046 2 1	: dhpublicnumber		: X9.42 DH
diff --color -uNr a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
--- a/crypto/objects/obj_mac.num	2022-11-01 20:36:10.000000000 +0800
+++ b/crypto/objects/obj_mac.num	2022-12-25 15:28:59.862389681 +0800
@@ -1192,3 +1192,4 @@
 magma_mac		1192
 hmacWithSHA512_224		1193
 hmacWithSHA512_256		1194
+chacha20_poly1305_draft		1195
diff --color -uNr a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
--- a/doc/man1/ciphers.pod	2022-11-01 20:36:10.000000000 +0800
+++ b/doc/man1/ciphers.pod	2022-12-25 15:28:59.863389707 +0800
@@ -400,6 +400,21 @@
 
 =back
 
+=head1 EQUAL PREFERENCE GROUPS
+
+If configuring a server, one may also configure equal-preference groups to
+partially respect the client's preferences when
+B<SSL_OP_CIPHER_SERVER_PREFERENCE> is enabled. Ciphers in an equal-preference
+group have equal priority and use the client order. This may be used to
+enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305
+based on client preferences. An equal-preference is specified with square
+brackets, combining multiple selectors separated by |. For example:
+
+ [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]
+ 
+ Once an equal-preference group is used, future directives must be
+ opcode-less.
+
 =head1 CIPHER SUITE NAMES
 
 The following lists give the SSL or TLS cipher suites names from the
diff --color -uNr a/include/openssl/evp.h b/include/openssl/evp.h
--- a/include/openssl/evp.h	2022-11-01 20:36:10.000000000 +0800
+++ b/include/openssl/evp.h	2022-12-25 15:28:59.864389733 +0800
@@ -919,6 +919,7 @@
 const EVP_CIPHER *EVP_chacha20(void);
 #  ifndef OPENSSL_NO_POLY1305
 const EVP_CIPHER *EVP_chacha20_poly1305(void);
+const EVP_CIPHER *EVP_chacha20_poly1305_draft(void);
 #  endif
 # endif
 
diff --color -uNr a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
--- a/include/openssl/obj_mac.h	2022-11-01 20:36:10.000000000 +0800
+++ b/include/openssl/obj_mac.h	2022-12-25 15:28:59.866389785 +0800
@@ -4807,6 +4807,10 @@
 #define LN_chacha20_poly1305            "chacha20-poly1305"
 #define NID_chacha20_poly1305           1018
 
+#define SN_chacha20_poly1305_draft              "ChaCha20-Poly1305-D"
+#define LN_chacha20_poly1305_draft              "chacha20-poly1305-draft"
+#define NID_chacha20_poly1305_draft             1195
+
 #define SN_chacha20             "ChaCha20"
 #define LN_chacha20             "chacha20"
 #define NID_chacha20            1019
diff --color -uNr a/include/openssl/sslerr.h b/include/openssl/sslerr.h
--- a/include/openssl/sslerr.h	2022-11-01 20:36:10.000000000 +0800
+++ b/include/openssl/sslerr.h	2022-12-25 15:28:59.867389811 +0800
@@ -603,6 +603,8 @@
 # define SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION         209
 # define SSL_R_MISSING_TMP_DH_KEY                         171
 # define SSL_R_MISSING_TMP_ECDH_KEY                       311
+# define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS         101
+# define SSL_R_NESTED_GROUP                               108
 # define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA     293
 # define SSL_R_NOT_ON_RECORD_BOUNDARY                     182
 # define SSL_R_NOT_REPLACING_CERTIFICATE                  289
@@ -735,9 +737,11 @@
 # define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS       239
 # define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES           242
 # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES          243
+# define SSL_R_UNEXPECTED_GROUP_CLOSE                     109
 # define SSL_R_UNEXPECTED_CCS_MESSAGE                     262
 # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA               178
 # define SSL_R_UNEXPECTED_MESSAGE                         244
+# define SSL_R_UNEXPECTED_OPERATOR_IN_GROUP               110
 # define SSL_R_UNEXPECTED_RECORD                          245
 # define SSL_R_UNINITIALIZED                              276
 # define SSL_R_UNKNOWN_ALERT_TYPE                         246
diff --color -uNr a/include/openssl/ssl.h b/include/openssl/ssl.h
--- a/include/openssl/ssl.h	2022-11-01 20:36:10.000000000 +0800
+++ b/include/openssl/ssl.h	2022-12-25 15:28:59.868389837 +0800
@@ -125,6 +125,7 @@
 # define SSL_TXT_CAMELLIA256     "CAMELLIA256"
 # define SSL_TXT_CAMELLIA        "CAMELLIA"
 # define SSL_TXT_CHACHA20        "CHACHA20"
+# define SSL_TXT_CHACHA20_D      "CHACHA20-D"
 # define SSL_TXT_GOST            "GOST89"
 # define SSL_TXT_ARIA            "ARIA"
 # define SSL_TXT_ARIA_GCM        "ARIAGCM"
diff --color -uNr a/include/openssl/tls1.h b/include/openssl/tls1.h
--- a/include/openssl/tls1.h	2022-11-01 20:36:10.000000000 +0800
+++ b/include/openssl/tls1.h	2022-12-25 15:28:59.869389863 +0800
@@ -597,7 +597,12 @@
 # define TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256   0x0300C09A
 # define TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384   0x0300C09B
 
-/* draft-ietf-tls-chacha20-poly1305-03 */
+/* Chacha20-Poly1305-Draft ciphersuites from draft-agl-tls-chacha20poly1305-04 */
+# define TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_D       0x0300CC13
+# define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D     0x0300CC14
+# define TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305_D         0x0300CC15
+
+/* Chacha20-Poly1305 ciphersuites from RFC7905 */
 # define TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305         0x0300CCA8
 # define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305       0x0300CCA9
 # define TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305           0x0300CCAA
@@ -762,6 +767,9 @@
 # define TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305         "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
 # define TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305       "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
 # define TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305     "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
+# define TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305_D       "OLD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+# define TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305_D     "OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+# define TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D   "OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
 # define TLS1_RFC_PSK_WITH_CHACHA20_POLY1305             "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"
 # define TLS1_RFC_ECDHE_PSK_WITH_CHACHA20_POLY1305       "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"
 # define TLS1_RFC_DHE_PSK_WITH_CHACHA20_POLY1305         "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"
@@ -1090,7 +1098,12 @@
 # define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256    "ECDH-RSA-CAMELLIA128-SHA256"
 # define TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384    "ECDH-RSA-CAMELLIA256-SHA384"
 
-/* draft-ietf-tls-chacha20-poly1305-03 */
+/* Chacha20-Poly1305-Draft ciphersuites from draft-agl-tls-chacha20poly1305-04 */
+# define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_D       "ECDHE-RSA-CHACHA20-POLY1305-OLD"
+# define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D     "ECDHE-ECDSA-CHACHA20-POLY1305-OLD"
+# define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_D         "DHE-RSA-CHACHA20-POLY1305-OLD"
+
+/* Chacha20-Poly1305 ciphersuites from RFC7905 */
 # define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305         "ECDHE-RSA-CHACHA20-POLY1305"
 # define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305       "ECDHE-ECDSA-CHACHA20-POLY1305"
 # define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305           "DHE-RSA-CHACHA20-POLY1305"
diff --color -uNr a/ssl/s3_lib.c b/ssl/s3_lib.c
--- a/ssl/s3_lib.c	2022-11-01 20:36:10.000000000 +0800
+++ b/ssl/s3_lib.c	2022-12-25 15:28:59.870389889 +0800
@@ -31,8 +31,26 @@
 };
 
 /* The list of available TLSv1.3 ciphers */
+/* Since nginx can not set the TLS 1.3 cipher, remove it temporarily. */
 static SSL_CIPHER tls13_ciphers[] = {
     {
+        0,
+    }
+};
+
+/*
+ * The list of available ciphers, mostly organized into the following
+ * groups:
+ *      Always there
+ *      EC
+ *      PSK
+ *      SRP (within that: RSA EC PSK)
+ *      Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED
+ *      Weak ciphers
+ */
+static SSL_CIPHER ssl3_ciphers[] = {
+    /* TLSv1.3 ciphers */
+    {
         1,
         TLS1_3_RFC_AES_128_GCM_SHA256,
         TLS1_3_RFC_AES_128_GCM_SHA256,
@@ -111,20 +129,8 @@
         SSL_HANDSHAKE_MAC_SHA256,
         128,
         128,
-    }
-};
-
-/*
- * The list of available ciphers, mostly organized into the following
- * groups:
- *      Always there
- *      EC
- *      PSK
- *      SRP (within that: RSA EC PSK)
- *      Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED
- *      Weak ciphers
- */
-static SSL_CIPHER ssl3_ciphers[] = {
+    },
+    /* List of cipher below TLSv1.3 */
     {
      1,
      SSL3_TXT_RSA_NULL_MD5,
@@ -167,7 +173,7 @@
      SSL_aRSA,
      SSL_3DES,
      SSL_SHA1,
-     SSL3_VERSION, TLS1_2_VERSION,
+     SSL3_VERSION, TLS1_VERSION,
      DTLS1_BAD_VER, DTLS1_2_VERSION,
      SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
@@ -232,7 +238,7 @@
      SSL_aRSA,
      SSL_AES128,
      SSL_SHA1,
-     SSL3_VERSION, TLS1_2_VERSION,
+     SSL3_VERSION, TLS1_VERSION,
      DTLS1_BAD_VER, DTLS1_2_VERSION,
      SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
@@ -296,7 +302,7 @@
      SSL_aRSA,
      SSL_AES256,
      SSL_SHA1,
-     SSL3_VERSION, TLS1_2_VERSION,
+     SSL3_VERSION, TLS1_VERSION,
      DTLS1_BAD_VER, DTLS1_2_VERSION,
      SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
@@ -2083,6 +2089,54 @@
      256,
      },
     {
+      1,
+      TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305_D,
+      TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305_D,
+      TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305_D,
+      SSL_kDHE,
+      SSL_aRSA,
+      SSL_CHACHA20POLY1305_D,
+      SSL_AEAD,
+      TLS1_2_VERSION, TLS1_2_VERSION,
+      DTLS1_2_VERSION, DTLS1_2_VERSION,
+      SSL_HIGH,
+      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+      256,
+      256,
+     },
+    {
+     1,
+     TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_D,
+     TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305_D,
+     TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_D,
+     SSL_kECDHE,
+     SSL_aRSA,
+     SSL_CHACHA20POLY1305_D,
+     SSL_AEAD,
+     TLS1_2_VERSION, TLS1_2_VERSION,
+     DTLS1_2_VERSION, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     256,
+     256,
+     },
+    {
+     1,
+     TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D,
+     TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D,
+     TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_D,
+     SSL_kECDHE,
+     SSL_aECDSA,
+     SSL_CHACHA20POLY1305_D,
+     SSL_AEAD,
+     TLS1_2_VERSION, TLS1_2_VERSION,
+     DTLS1_2_VERSION, DTLS1_2_VERSION,
+     SSL_HIGH,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+     256,
+     256,
+     },
+    {
      1,
      TLS1_TXT_PSK_WITH_CHACHA20_POLY1305,
      TLS1_RFC_PSK_WITH_CHACHA20_POLY1305,
@@ -4127,6 +4181,17 @@
     return 1;
 }
 
+struct ssl_cipher_preference_list_st* ssl_get_cipher_preferences(SSL *s)
+{
+    if (s->cipher_list != NULL)
+        return (s->cipher_list);
+
+    if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL))
+        return (s->ctx->cipher_list);
+
+    return NULL;
+}
+
 /*
  * ssl3_choose_cipher - choose a cipher from those offered by the client
  * @s: SSL connection
@@ -4136,16 +4201,24 @@
  * Returns the selected cipher or NULL when no common ciphers.
  */
 const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
-                                     STACK_OF(SSL_CIPHER) *srvr)
+                                     struct ssl_cipher_preference_list_st
+                                     *server_pref)
 {
     const SSL_CIPHER *c, *ret = NULL;
-    STACK_OF(SSL_CIPHER) *prio, *allow;
-    int i, ii, ok, prefer_sha256 = 0;
+    STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow;
+    int i, ii, ok, prefer_sha256 = 0, safari_ec = 0;
     unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0;
     const EVP_MD *mdsha256 = EVP_sha256();
-#ifndef OPENSSL_NO_CHACHA
-    STACK_OF(SSL_CIPHER) *prio_chacha = NULL;
-#endif
+
+    /* in_group_flags will either be NULL, or will point to an array of
+     * bytes which indicate equal-preference groups in the |prio| stack.
+     * See the comment about |in_group_flags| in the
+     * |ssl_cipher_preference_list_st| struct. */
+    const uint8_t *in_group_flags;
+
+    /* group_min contains the minimal index so far found in a group, or -1
+     * if no such value exists yet. */
+    int group_min = -1;
 
     /* Let's see which ciphers we can support */
 
@@ -4172,54 +4245,13 @@
 #endif
 
     /* SUITE-B takes precedence over server preference and ChaCha priortiy */
-    if (tls1_suiteb(s)) {
+    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) {
         prio = srvr;
+        in_group_flags = server_pref->in_group_flags;
         allow = clnt;
-    } else if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
-        prio = srvr;
-        allow = clnt;
-#ifndef OPENSSL_NO_CHACHA
-        /* If ChaCha20 is at the top of the client preference list,
-           and there are ChaCha20 ciphers in the server list, then
-           temporarily prioritize all ChaCha20 ciphers in the servers list. */
-        if (s->options & SSL_OP_PRIORITIZE_CHACHA && sk_SSL_CIPHER_num(clnt) > 0) {
-            c = sk_SSL_CIPHER_value(clnt, 0);
-            if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
-                /* ChaCha20 is client preferred, check server... */
-                int num = sk_SSL_CIPHER_num(srvr);
-                int found = 0;
-                for (i = 0; i < num; i++) {
-                    c = sk_SSL_CIPHER_value(srvr, i);
-                    if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
-                        found = 1;
-                        break;
-                    }
-                }
-                if (found) {
-                    prio_chacha = sk_SSL_CIPHER_new_reserve(NULL, num);
-                    /* if reserve fails, then there's likely a memory issue */
-                    if (prio_chacha != NULL) {
-                        /* Put all ChaCha20 at the top, starting with the one we just found */
-                        sk_SSL_CIPHER_push(prio_chacha, c);
-                        for (i++; i < num; i++) {
-                            c = sk_SSL_CIPHER_value(srvr, i);
-                            if (c->algorithm_enc == SSL_CHACHA20POLY1305)
-                                sk_SSL_CIPHER_push(prio_chacha, c);
-                        }
-                        /* Pull in the rest */
-                        for (i = 0; i < num; i++) {
-                            c = sk_SSL_CIPHER_value(srvr, i);
-                            if (c->algorithm_enc != SSL_CHACHA20POLY1305)
-                                sk_SSL_CIPHER_push(prio_chacha, c);
-                        }
-                        prio = prio_chacha;
-                    }
-                }
-            }
-        }
-# endif
     } else {
         prio = clnt;
+        in_group_flags = NULL;
         allow = srvr;
     }
 
@@ -4250,14 +4282,16 @@
     for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
         c = sk_SSL_CIPHER_value(prio, i);
 
+        ok = 1;
+
         /* Skip ciphers not supported by the protocol version */
         if (!SSL_IS_DTLS(s) &&
             ((s->version < c->min_tls) || (s->version > c->max_tls)))
-            continue;
+            ok = 0;
         if (SSL_IS_DTLS(s) &&
             (DTLS_VERSION_LT(s->version, c->min_dtls) ||
              DTLS_VERSION_GT(s->version, c->max_dtls)))
-            continue;
+            ok = 0;
 
         /*
          * Since TLS 1.3 ciphersuites can be used with any auth or
@@ -4279,10 +4313,10 @@
 #ifndef OPENSSL_NO_PSK
             /* with PSK there must be server callback set */
             if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
-                continue;
+                ok = 0;
 #endif                          /* OPENSSL_NO_PSK */
 
-            ok = (alg_k & mask_k) && (alg_a & mask_a);
+            ok = ok && (alg_k & mask_k) && (alg_a & mask_a);
 #ifdef CIPHER_DEBUG
             fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
                     alg_a, mask_k, mask_a, (void *)c, c->name);
@@ -4299,6 +4333,14 @@
 
             if (!ok)
                 continue;
+
+            safari_ec = 0;
+#if !defined(OPENSSL_NO_EC)
+            if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)) {
+                if (s->s3->is_probably_safari)
+                    safari_ec = 1;
+            }
+#endif
         }
         ii = sk_SSL_CIPHER_find(allow, c);
         if (ii >= 0) {
@@ -4306,14 +4348,7 @@
             if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
                               c->strength_bits, 0, (void *)c))
                 continue;
-#if !defined(OPENSSL_NO_EC)
-            if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)
-                && s->s3->is_probably_safari) {
-                if (!ret)
-                    ret = sk_SSL_CIPHER_value(allow, ii);
-                continue;
-            }
-#endif
+
             if (prefer_sha256) {
                 const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
 
@@ -4325,13 +4360,38 @@
                     ret = tmp;
                 continue;
             }
-            ret = sk_SSL_CIPHER_value(allow, ii);
+
+            if (in_group_flags != NULL && in_group_flags[i] == 1) {
+                /* This element of |prio| is in a group. Update
+                 * the minimum index found so far and continue
+                 * looking. */
+                if (group_min == -1 || group_min > ii)
+                    group_min = ii;
+            } else {
+                if (group_min != -1 && group_min < ii)
+                    ii = group_min;
+                if (safari_ec) {
+                    if (!ret)
+                        ret = sk_SSL_CIPHER_value(allow, ii);
+                    continue;
+                }
+                ret = sk_SSL_CIPHER_value(allow, ii);
+                break;
+            }
+        }
+
+        if (in_group_flags != NULL && !in_group_flags[i] && group_min != -1) {
+            /* We are about to leave a group, but we found a match
+             * in it, so that's our answer. */
+            if (safari_ec) {
+                if (!ret)
+                    ret = sk_SSL_CIPHER_value(allow, group_min);
+                continue;
+            }
+            ret = sk_SSL_CIPHER_value(allow, group_min);
             break;
         }
     }
-#ifndef OPENSSL_NO_CHACHA
-    sk_SSL_CIPHER_free(prio_chacha);
-#endif
     return ret;
 }
 
diff --color -uNr a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
--- a/ssl/ssl_ciph.c	2022-11-01 20:36:10.000000000 +0800
+++ b/ssl/ssl_ciph.c	2022-12-25 15:35:32.000000000 +0800
@@ -43,7 +43,8 @@
 #define SSL_ENC_CHACHA_IDX      19
 #define SSL_ENC_ARIA128GCM_IDX  20
 #define SSL_ENC_ARIA256GCM_IDX  21
-#define SSL_ENC_NUM_IDX         22
+#define SSL_ENC_CHACHA20_D_IDX  22
+#define SSL_ENC_NUM_IDX         23
 
 /* NB: make sure indices in these tables match values above */
 
@@ -76,6 +77,7 @@
     {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, /* SSL_ENC_CHACHA_IDX 19 */
     {SSL_ARIA128GCM, NID_aria_128_gcm}, /* SSL_ENC_ARIA128GCM_IDX 20 */
     {SSL_ARIA256GCM, NID_aria_256_gcm}, /* SSL_ENC_ARIA256GCM_IDX 21 */
+    {SSL_CHACHA20POLY1305_D, NID_chacha20_poly1305_draft}, /* SSL_ENC_CHACHA20POLY1305_IDX 22 */
 };
 
 static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX];
@@ -192,6 +194,7 @@
     const SSL_CIPHER *cipher;
     int active;
     int dead;
+    int in_group;
     struct cipher_order_st *next, *prev;
 } CIPHER_ORDER;
 
@@ -275,6 +278,7 @@
     {0, SSL_TXT_CAMELLIA256, NULL, 0, 0, 0, SSL_CAMELLIA256},
     {0, SSL_TXT_CAMELLIA, NULL, 0, 0, 0, SSL_CAMELLIA},
     {0, SSL_TXT_CHACHA20, NULL, 0, 0, 0, SSL_CHACHA20},
+    {0, SSL_TXT_CHACHA20_D, NULL, 0, 0, 0, SSL_CHACHA20POLY1305_D},
 
     {0, SSL_TXT_ARIA, NULL, 0, 0, 0, SSL_ARIA},
     {0, SSL_TXT_ARIA_GCM, NULL, 0, 0, 0, SSL_ARIA128GCM | SSL_ARIA256GCM},
@@ -296,6 +300,7 @@
     {0, SSL_TXT_TLSV1, NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
     {0, "TLSv1.0", NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
     {0, SSL_TXT_TLSV1_2, NULL, 0, 0, 0, 0, 0, TLS1_2_VERSION},
+    {0, "TLS13", NULL, 0, 0, 0, 0, 0, TLS1_3_VERSION},
 
     /* strength classes */
     {0, SSL_TXT_LOW, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW},
@@ -681,6 +686,7 @@
         co_list[co_list_num].next = NULL;
         co_list[co_list_num].prev = NULL;
         co_list[co_list_num].active = 0;
+        co_list[co_list_num].in_group = 0;
         co_list_num++;
     }
 
@@ -774,8 +780,8 @@
                                   uint32_t alg_auth, uint32_t alg_enc,
                                   uint32_t alg_mac, int min_tls,
                                   uint32_t algo_strength, int rule,
-                                  int32_t strength_bits, CIPHER_ORDER **head_p,
-                                  CIPHER_ORDER **tail_p)
+                                  int32_t strength_bits, int in_group,
+                                  CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
 {
     CIPHER_ORDER *head, *tail, *curr, *next, *last;
     const SSL_CIPHER *cp;
@@ -783,9 +789,9 @@
 
 #ifdef CIPHER_DEBUG
     fprintf(stderr,
-            "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n",
+            "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d) g:%d\n",
             rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls,
-            algo_strength, strength_bits);
+            algo_strength, strength_bits, in_group);
 #endif
 
     if (rule == CIPHER_DEL || rule == CIPHER_BUMP)
@@ -862,6 +868,7 @@
             if (!curr->active) {
                 ll_append_tail(&head, curr, &tail);
                 curr->active = 1;
+                curr->in_group = in_group;
             }
         }
         /* Move the added cipher to this location */
@@ -869,6 +876,7 @@
             /* reverse == 0 */
             if (curr->active) {
                 ll_append_tail(&head, curr, &tail);
+                curr->in_group = 0;
             }
         } else if (rule == CIPHER_DEL) {
             /* reverse == 1 */
@@ -880,6 +888,7 @@
                  */
                 ll_append_head(&head, curr, &tail);
                 curr->active = 0;
+                curr->in_group = 0;
             }
         } else if (rule == CIPHER_BUMP) {
             if (curr->active)
@@ -947,8 +956,8 @@
      */
     for (i = max_strength_bits; i >= 0; i--)
         if (number_uses[i] > 0)
-            ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p,
-                                  tail_p);
+            ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0,
+                                  head_p, tail_p);
 
     OPENSSL_free(number_uses);
     return 1;
@@ -962,7 +971,7 @@
     uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength;
     int min_tls;
     const char *l, *buf;
-    int j, multi, found, rule, retval, ok, buflen;
+    int j, multi, found, rule, retval, ok, buflen, in_group = 0, has_group = 0;
     uint32_t cipher_id = 0;
     char ch;
 
@@ -973,18 +982,66 @@
 
         if (ch == '\0')
             break;              /* done */
-        if (ch == '-') {
+        if (in_group) {
+            if (ch == ']') {
+                if (!in_group) {
+                    SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+                           SSL_R_UNEXPECTED_GROUP_CLOSE);
+                    retval = found = in_group = 0;
+                    break;
+                }
+                if (*tail_p)
+                    (*tail_p)->in_group = 0;
+                in_group = 0;
+                l++;
+                continue;
+            }
+            if (ch == '|') {
+                rule = CIPHER_ADD;
+                l++;
+                continue;
+            } else if (!(ch >= 'a' && ch <= 'z')
+                       && !(ch >= 'A' && ch <= 'Z')
+                       && !(ch >= '0' && ch <= '9')) {
+                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+                       SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
+                retval = found = in_group = 0;
+                break;
+            } else {
+                rule = CIPHER_ADD;
+            }
+        } else if (ch == '-') {
             rule = CIPHER_DEL;
             l++;
         } else if (ch == '+') {
             rule = CIPHER_ORD;
             l++;
+        } else if (ch == '!' && has_group) {
+            SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+                   SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
+            retval = found = in_group = 0;
+            break;
         } else if (ch == '!') {
             rule = CIPHER_KILL;
             l++;
+        } else if (ch == '@' && has_group) {
+            SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+                   SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
+            retval = found = in_group = 0;
+            break;
         } else if (ch == '@') {
             rule = CIPHER_SPECIAL;
             l++;
+        } else if (ch == '[') {
+            if (in_group) {
+                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_NESTED_GROUP);
+                retval = found = in_group = 0;
+                break;
+            }
+            in_group = 1;
+            has_group = 1;
+            l++;
+            continue;
         } else {
             rule = CIPHER_ADD;
         }
@@ -1009,7 +1066,7 @@
             while (((ch >= 'A') && (ch <= 'Z')) ||
                    ((ch >= '0') && (ch <= '9')) ||
                    ((ch >= 'a') && (ch <= 'z')) ||
-                   (ch == '-') || (ch == '.') || (ch == '='))
+                   (ch == '-') || (ch == '.') || (ch == '=') || (ch == '_'))
 #else
             while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.')
                    || (ch == '='))
@@ -1026,7 +1083,9 @@
                  * alphanumeric, so we call this an error.
                  */
                 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
-                return 0;
+                retval = found = in_group = 0;
+                l++;
+                break;
             }
 
             if (rule == CIPHER_SPECIAL) {
@@ -1203,8 +1262,8 @@
         } else if (found) {
             ssl_cipher_apply_rule(cipher_id,
                                   alg_mkey, alg_auth, alg_enc, alg_mac,
-                                  min_tls, algo_strength, rule, -1, head_p,
-                                  tail_p);
+                                  min_tls, algo_strength, rule, -1, in_group,
+                                  head_p, tail_p);
         } else {
             while ((*l != '\0') && !ITEM_SEP(*l))
                 l++;
@@ -1213,6 +1272,11 @@
             break;              /* done */
     }
 
+    if (in_group) {
+        SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
+        retval = 0;
+    }
+
     return retval;
 }
 
@@ -1376,7 +1440,7 @@
     int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);
 
     if (ret && ctx->cipher_list != NULL)
-        return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,
+        return update_cipher_list(&ctx->cipher_list->ciphers, &ctx->cipher_list_by_id,
                                   ctx->tls13_ciphersuites);
 
     return ret;
@@ -1389,10 +1453,10 @@
 
     if (s->cipher_list == NULL) {
         if ((cipher_list = SSL_get_ciphers(s)) != NULL)
-            s->cipher_list = sk_SSL_CIPHER_dup(cipher_list);
+            s->cipher_list->ciphers = sk_SSL_CIPHER_dup(cipher_list);
     }
     if (ret && s->cipher_list != NULL)
-        return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,
+        return update_cipher_list(&s->cipher_list->ciphers, &s->cipher_list_by_id,
                                   s->tls13_ciphersuites);
 
     return ret;
@@ -1400,17 +1464,20 @@
 
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
                                              STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
-                                             STACK_OF(SSL_CIPHER) **cipher_list,
+                                             struct ssl_cipher_preference_list_st **cipher_list,
                                              STACK_OF(SSL_CIPHER) **cipher_list_by_id,
                                              const char *rule_str,
                                              CERT *c)
 {
-    int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i;
+    int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
     uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
-    STACK_OF(SSL_CIPHER) *cipherstack;
+    STACK_OF(SSL_CIPHER) *cipherstack = NULL;
     const char *rule_p;
     CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
     const SSL_CIPHER **ca_list = NULL;
+    uint8_t *in_group_flags = NULL;
+    unsigned int num_in_group_flags = 0;
+    struct ssl_cipher_preference_list_st *pref_list = NULL;
 
     /*
      * Return with error if nothing to do.
@@ -1459,16 +1526,16 @@
      * preference).
      */
     ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
-                          -1, &head, &tail);
-    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head,
-                          &tail);
-    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
-                          &tail);
+                          -1, 0, &head, &tail);
+    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0,
+                          &head, &tail);
+    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0,
+                          &head, &tail);
 
     /* Within each strength group, we prefer GCM over CHACHA... */
-    ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
+    ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1, 0,
                           &head, &tail);
-    ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
+    ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1, 0,
                           &head, &tail);
 
     /*
@@ -1477,13 +1544,13 @@
      * strength.
      */
     ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
-                          -1, &head, &tail);
+                          -1, 0, &head, &tail);
 
     /* Temporarily enable everything else for sorting */
-    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
+    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail);
 
     /* Low priority for MD5 */
-    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head,
+    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, 0, &head,
                           &tail);
 
     /*
@@ -1491,16 +1558,16 @@
      * disabled. (For applications that allow them, they aren't too bad, but
      * we prefer authenticated ciphers.)
      */
-    ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
+    ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
                           &tail);
 
-    ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
+    ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
                           &tail);
-    ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
+    ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
                           &tail);
 
     /* RC4 is sort-of broken -- move to the end */
-    ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head,
+    ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
                           &tail);
 
     /*
@@ -1516,7 +1583,7 @@
      * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
      * TODO(openssl-team): is there an easier way to accomplish all this?
      */
-    ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1,
+    ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1, 0,
                           &head, &tail);
 
     /*
@@ -1532,15 +1599,18 @@
      * Because we now bump ciphers to the top of the list, we proceed in
      * reverse order of preference.
      */
-    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1,
+    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1, 0,
                           &head, &tail);
     ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, 0, 0, 0,
-                          CIPHER_BUMP, -1, &head, &tail);
+                          CIPHER_BUMP, -1, 0, &head, &tail);
     ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0,
-                          CIPHER_BUMP, -1, &head, &tail);
+                          CIPHER_BUMP, -1, 0, &head, &tail);
+
+    ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_3_VERSION, 0, CIPHER_BUMP, -1, 0,
+                          &head, &tail);
 
     /* Now disable everything (maintaining the ordering!) */
-    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
+    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail);
 
     /*
      * We also need cipher aliases for selecting based on the rule_str.
@@ -1554,9 +1624,8 @@
     num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
     ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
     if (ca_list == NULL) {
-        OPENSSL_free(co_list);
         SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
-        return NULL;          /* Failure */
+        goto err;               /* Failure */
     }
     ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
                                disabled_mkey, disabled_auth, disabled_enc,
@@ -1581,29 +1650,19 @@
 
     OPENSSL_free(ca_list);      /* Not needed anymore */
 
-    if (!ok) {                  /* Rule processing failure */
-        OPENSSL_free(co_list);
-        return NULL;
-    }
+    if (!ok)
+        goto err;               /* Rule processing failure */
 
     /*
      * Allocate new "cipherstack" for the result, return with error
      * if we cannot get one.
      */
-    if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
-        OPENSSL_free(co_list);
-        return NULL;
-    }
+    if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
+        goto err;
 
-    /* Add TLSv1.3 ciphers first - we always prefer those if possible */
-    for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
-        if (!sk_SSL_CIPHER_push(cipherstack,
-                                sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
-            OPENSSL_free(co_list);
-            sk_SSL_CIPHER_free(cipherstack);
-            return NULL;
-        }
-    }
+    in_group_flags = OPENSSL_malloc(num_of_ciphers);
+    if (!in_group_flags)
+        goto err;
 
     /*
      * The cipher selection for the list is done. The ciphers are added
@@ -1611,26 +1670,50 @@
      */
     for (curr = head; curr != NULL; curr = curr->next) {
         if (curr->active) {
-            if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
-                OPENSSL_free(co_list);
-                sk_SSL_CIPHER_free(cipherstack);
-                return NULL;
-            }
+            if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher))
+                goto err;
+            in_group_flags[num_in_group_flags++] = curr->in_group;
 #ifdef CIPHER_DEBUG
             fprintf(stderr, "<%s>\n", curr->cipher->name);
 #endif
         }
     }
+
     OPENSSL_free(co_list);      /* Not needed any longer */
+    co_list = NULL;
 
-    if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) {
-        sk_SSL_CIPHER_free(cipherstack);
-        return NULL;
-    }
-    sk_SSL_CIPHER_free(*cipher_list);
-    *cipher_list = cipherstack;
+    if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack))
+        goto err;
+
+    pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
+    if (!pref_list)
+        goto err;
+    pref_list->ciphers = cipherstack;
+    pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);
+    if (!pref_list->in_group_flags)
+        goto err;
+    memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
+    OPENSSL_free(in_group_flags);
+    in_group_flags = NULL;
+    if (*cipher_list != NULL)
+        ssl_cipher_preference_list_free(*cipher_list);
+    *cipher_list = pref_list;
+    pref_list = NULL;
 
     return cipherstack;
+
+err:
+    if (co_list)
+        OPENSSL_free(co_list);
+    if (in_group_flags)
+        OPENSSL_free(in_group_flags);
+    if (cipherstack)
+        sk_SSL_CIPHER_free(cipherstack);
+    if (pref_list && pref_list->in_group_flags)
+        OPENSSL_free(pref_list->in_group_flags);
+    if (pref_list)
+        OPENSSL_free(pref_list);
+    return NULL;
 }
 
 char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
@@ -1791,6 +1874,9 @@
     case SSL_CHACHA20POLY1305:
         enc = "CHACHA20/POLY1305(256)";
         break;
+    case SSL_CHACHA20POLY1305_D:
+        enc = "CHACHA20/POLY1305-Draft(256)";
+        break;
     default:
         enc = "unknown";
         break;
@@ -2115,7 +2201,7 @@
         out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 16;
     } else if (c->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) {
         out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 8;
-    } else if (c->algorithm_enc & SSL_CHACHA20POLY1305) {
+    } else if (c->algorithm_enc & (SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_D)) {
         out = 16;
     } else if (c->algorithm_mac & SSL_AEAD) {
         /* We're supposed to have handled all the AEAD modes above */
diff --color -uNr a/ssl/ssl_err.c b/ssl/ssl_err.c
--- a/ssl/ssl_err.c	2022-11-01 20:36:10.000000000 +0800
+++ b/ssl/ssl_err.c	2022-12-25 15:28:59.873389966 +0800
@@ -968,6 +968,9 @@
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_DH_KEY), "missing tmp dh key"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_ECDH_KEY),
     "missing tmp ecdh key"},
+    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS),
+    "mixed special operator with groups"},
+    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NESTED_GROUP), "nested group"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
     "mixed handshake and non handshake data"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
@@ -1206,11 +1209,14 @@
     "unable to load ssl3 md5 routines"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES),
     "unable to load ssl3 sha1 routines"},
+    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_GROUP_CLOSE), "unexpected group close"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_CCS_MESSAGE),
     "unexpected ccs message"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA),
     "unexpected end of early data"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"},
+    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP),
+    "unexpected operator in group"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "unknown alert type"},
diff --color -uNr a/ssl/ssl_lib.c b/ssl/ssl_lib.c
--- a/ssl/ssl_lib.c	2022-11-01 20:36:10.000000000 +0800
+++ b/ssl/ssl_lib.c	2022-12-25 15:28:59.875390018 +0800
@@ -1128,6 +1128,71 @@
     return X509_VERIFY_PARAM_set1(ssl->param, vpm);
 }
 
+void ssl_cipher_preference_list_free(struct ssl_cipher_preference_list_st
+                                     *cipher_list)
+{
+    sk_SSL_CIPHER_free(cipher_list->ciphers);
+    OPENSSL_free(cipher_list->in_group_flags);
+    OPENSSL_free(cipher_list);
+}
+
+struct ssl_cipher_preference_list_st*
+ssl_cipher_preference_list_dup(struct ssl_cipher_preference_list_st
+                               *cipher_list)
+{
+    struct ssl_cipher_preference_list_st* ret = NULL;
+    size_t n = sk_SSL_CIPHER_num(cipher_list->ciphers);
+
+    ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
+    if (!ret)
+        goto err;
+    ret->ciphers = NULL;
+    ret->in_group_flags = NULL;
+    ret->ciphers = sk_SSL_CIPHER_dup(cipher_list->ciphers);
+    if (!ret->ciphers)
+        goto err;
+    ret->in_group_flags = OPENSSL_malloc(n);
+    if (!ret->in_group_flags)
+        goto err;
+    memcpy(ret->in_group_flags, cipher_list->in_group_flags, n);
+    return ret;
+
+err:
+   if (ret->ciphers)
+       sk_SSL_CIPHER_free(ret->ciphers);
+   if (ret)
+       OPENSSL_free(ret);
+   return NULL;
+}
+
+struct ssl_cipher_preference_list_st*
+ssl_cipher_preference_list_from_ciphers(STACK_OF(SSL_CIPHER) *ciphers)
+{
+    struct ssl_cipher_preference_list_st* ret = NULL;
+    size_t n = sk_SSL_CIPHER_num(ciphers);
+
+    ret = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
+    if (!ret)
+        goto err;
+    ret->ciphers = NULL;
+    ret->in_group_flags = NULL;
+    ret->ciphers = sk_SSL_CIPHER_dup(ciphers);
+    if (!ret->ciphers)
+        goto err;
+    ret->in_group_flags = OPENSSL_malloc(n);
+    if (!ret->in_group_flags)
+        goto err;
+    memset(ret->in_group_flags, 0, n);
+    return ret;
+
+err:
+    if (ret->ciphers)
+        sk_SSL_CIPHER_free(ret->ciphers);
+    if (ret)
+        OPENSSL_free(ret);
+    return NULL;
+}
+
 X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
 {
     return ctx->param;
@@ -1168,7 +1233,8 @@
     BUF_MEM_free(s->init_buf);
 
     /* add extra stuff */
-    sk_SSL_CIPHER_free(s->cipher_list);
+    if (s->cipher_list != NULL)
+        ssl_cipher_preference_list_free(s->cipher_list);
     sk_SSL_CIPHER_free(s->cipher_list_by_id);
     sk_SSL_CIPHER_free(s->tls13_ciphersuites);
     sk_SSL_CIPHER_free(s->peer_ciphers);
@@ -2466,9 +2532,9 @@
 {
     if (s != NULL) {
         if (s->cipher_list != NULL) {
-            return s->cipher_list;
+            return (s->cipher_list->ciphers);
         } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) {
-            return s->ctx->cipher_list;
+            return (s->ctx->cipher_list->ciphers);
         }
     }
     return NULL;
@@ -2542,8 +2608,8 @@
  * preference */
 STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
 {
-    if (ctx != NULL)
-        return ctx->cipher_list;
+    if (ctx != NULL && ctx->cipher_list != NULL)
+        return ctx->cipher_list->ciphers;
     return NULL;
 }
 
@@ -3087,7 +3153,7 @@
                                 ret->tls13_ciphersuites,
                                 &ret->cipher_list, &ret->cipher_list_by_id,
                                 SSL_DEFAULT_CIPHER_LIST, ret->cert)
-        || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
+        || sk_SSL_CIPHER_num(ret->cipher_list->ciphers) <= 0) {
         SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
         goto err2;
     }
@@ -3263,7 +3329,7 @@
 #ifndef OPENSSL_NO_CT
     CTLOG_STORE_free(a->ctlog_store);
 #endif
-    sk_SSL_CIPHER_free(a->cipher_list);
+    ssl_cipher_preference_list_free(a->cipher_list);
     sk_SSL_CIPHER_free(a->cipher_list_by_id);
     sk_SSL_CIPHER_free(a->tls13_ciphersuites);
     ssl_cert_free(a->cert);
@@ -3929,13 +3995,15 @@
 
     /* dup the cipher_list and cipher_list_by_id stacks */
     if (s->cipher_list != NULL) {
-        if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
+        ret->cipher_list = ssl_cipher_preference_list_dup(s->cipher_list);
+        if (ret->cipher_list == NULL)
             goto err;
     }
-    if (s->cipher_list_by_id != NULL)
-        if ((ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id))
-            == NULL)
+    if (s->cipher_list_by_id != NULL) {
+        ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id);
+        if (ret->cipher_list_by_id == NULL)
             goto err;
+    }
 
     /* Dup the client_CA list */
     if (!dup_ca_names(&ret->ca_names, s->ca_names)
diff --color -uNr a/ssl/ssl_local.h b/ssl/ssl_local.h
--- a/ssl/ssl_local.h	2022-11-01 20:36:10.000000000 +0800
+++ b/ssl/ssl_local.h	2022-12-25 15:28:59.876390044 +0800
@@ -230,12 +230,13 @@
 # define SSL_CHACHA20POLY1305    0x00080000U
 # define SSL_ARIA128GCM          0x00100000U
 # define SSL_ARIA256GCM          0x00200000U
+# define SSL_CHACHA20POLY1305_D  0x00400000U
 
 # define SSL_AESGCM              (SSL_AES128GCM | SSL_AES256GCM)
 # define SSL_AESCCM              (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)
 # define SSL_AES                 (SSL_AES128|SSL_AES256|SSL_AESGCM|SSL_AESCCM)
 # define SSL_CAMELLIA            (SSL_CAMELLIA128|SSL_CAMELLIA256)
-# define SSL_CHACHA20            (SSL_CHACHA20POLY1305)
+# define SSL_CHACHA20            (SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_D)
 # define SSL_ARIAGCM             (SSL_ARIA128GCM | SSL_ARIA256GCM)
 # define SSL_ARIA                (SSL_ARIAGCM)
 
@@ -732,9 +733,46 @@
     unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH];
 } SSL_CTX_EXT_SECURE;
 
+/* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
+ * equal-preference groups. For TLS clients, the groups are moot because the
+ * server picks the cipher and groups cannot be expressed on the wire. However,
+ * for servers, the equal-preference groups allow the client's preferences to
+ * be partially respected. (This only has an effect with
+ * SSL_OP_CIPHER_SERVER_PREFERENCE).
+ *
+ * The equal-preference groups are expressed by grouping SSL_CIPHERs together.
+ * All elements of a group have the same priority: no ordering is expressed
+ * within a group.
+ *
+ * The values in |ciphers| are in one-to-one correspondence with
+ * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
+ * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
+ * indicate that the corresponding SSL_CIPHER is not the last element of a
+ * group, or 0 to indicate that it is.
+ *
+ * For example, if |in_group_flags| contains all zeros then that indicates a
+ * traditional, fully-ordered preference. Every SSL_CIPHER is the last element
+ * of the group (i.e. they are all in a one-element group).
+ *
+ * For a more complex example, consider:
+ *   ciphers:        A  B  C  D  E  F
+ *   in_group_flags: 1  1  0  0  1  0
+ *
+ * That would express the following, order:
+ *
+ *    A         E
+ *    B -> D -> F
+ *    C
+ */
+struct ssl_cipher_preference_list_st {
+   STACK_OF(SSL_CIPHER) *ciphers;
+   uint8_t *in_group_flags;
+};
+
+
 struct ssl_ctx_st {
     const SSL_METHOD *method;
-    STACK_OF(SSL_CIPHER) *cipher_list;
+    struct ssl_cipher_preference_list_st *cipher_list;
     /* same as above but sorted for lookup */
     STACK_OF(SSL_CIPHER) *cipher_list_by_id;
     /* TLSv1.3 specific ciphersuites */
@@ -1130,7 +1168,7 @@
     SSL_DANE dane;
     /* crypto */
     STACK_OF(SSL_CIPHER) *peer_ciphers;
-    STACK_OF(SSL_CIPHER) *cipher_list;
+    struct ssl_cipher_preference_list_st *cipher_list;
     STACK_OF(SSL_CIPHER) *cipher_list_by_id;
     /* TLSv1.3 specific ciphersuites */
     STACK_OF(SSL_CIPHER) *tls13_ciphersuites;
@@ -2268,7 +2306,7 @@
                                  const SSL_CIPHER *const *bp);
 __owur STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
                                                     STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
-                                                    STACK_OF(SSL_CIPHER) **cipher_list,
+                                                    struct ssl_cipher_preference_list_st **cipher_list,
                                                     STACK_OF(SSL_CIPHER) **cipher_list_by_id,
                                                     const char *rule_str,
                                                     CERT *c);
@@ -2278,6 +2316,13 @@
                                 STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
                                 int fatal);
 void ssl_update_cache(SSL *s, int mode);
+struct ssl_cipher_preference_list_st* ssl_cipher_preference_list_dup(
+        struct ssl_cipher_preference_list_st *cipher_list);
+void ssl_cipher_preference_list_free(
+        struct ssl_cipher_preference_list_st *cipher_list);
+struct ssl_cipher_preference_list_st* ssl_cipher_preference_list_from_ciphers(
+        STACK_OF(SSL_CIPHER) *ciphers);
+struct ssl_cipher_preference_list_st* ssl_get_cipher_preferences(SSL *s);
 __owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                               const EVP_MD **md, int *mac_pkey_type,
                               size_t *mac_secret_size, SSL_COMP **comp,
@@ -2363,7 +2408,7 @@
                                             CERT_PKEY *cpk);
 __owur const SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,
                                             STACK_OF(SSL_CIPHER) *clnt,
-                                            STACK_OF(SSL_CIPHER) *srvr);
+                                            struct ssl_cipher_preference_list_st *srvr);
 __owur int ssl3_digest_cached_records(SSL *s, int keep);
 __owur int ssl3_new(SSL *s);
 void ssl3_free(SSL *s);
diff --color -uNr a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
--- a/ssl/statem/statem_srvr.c	2022-11-01 20:36:10.000000000 +0800
+++ b/ssl/statem/statem_srvr.c	2022-12-25 15:28:59.877390070 +0800
@@ -1773,7 +1773,7 @@
     /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
     if (SSL_IS_TLS13(s)) {
         const SSL_CIPHER *cipher =
-            ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
+            ssl3_choose_cipher(s, ciphers, ssl_get_cipher_preferences(s));
 
         if (cipher == NULL) {
             SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
@@ -1954,7 +1954,7 @@
             /* check if some cipher was preferred by call back */
             if (pref_cipher == NULL)
                 pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers,
-                                                 SSL_get_ciphers(s));
+                                                 ssl_get_cipher_preferences(s));
             if (pref_cipher == NULL) {
                 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                          SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
@@ -1963,8 +1963,9 @@
             }
 
             s->session->cipher = pref_cipher;
-            sk_SSL_CIPHER_free(s->cipher_list);
-            s->cipher_list = sk_SSL_CIPHER_dup(s->peer_ciphers);
+            ssl_cipher_preference_list_free(s->cipher_list);
+            s->cipher_list = ssl_cipher_preference_list_from_ciphers(
+                                                       s->peer_ciphers);
             sk_SSL_CIPHER_free(s->cipher_list_by_id);
             s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers);
         }
@@ -2277,7 +2278,7 @@
             /* In TLSv1.3 we selected the ciphersuite before resumption */
             if (!SSL_IS_TLS13(s)) {
                 cipher =
-                    ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(s));
+                    ssl3_choose_cipher(s, s->peer_ciphers, ssl_get_cipher_preferences(s));
 
                 if (cipher == NULL) {
                     SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
diff --color -uNr a/util/libcrypto.num b/util/libcrypto.num
--- a/util/libcrypto.num	2022-11-01 20:36:10.000000000 +0800
+++ b/util/libcrypto.num	2022-12-25 15:28:59.879390122 +0800
@@ -4591,3 +4591,4 @@
 X509_REQ_set0_signature                 4545	1_1_1h	EXIST::FUNCTION:
 X509_REQ_set1_signature_algo            4546	1_1_1h	EXIST::FUNCTION:
 EC_KEY_decoded_from_explicit_params     4547	1_1_1h	EXIST::FUNCTION:EC
+EVP_chacha20_poly1305_draft             4548	1_1_1h	EXIST::FUNCTION:CHACHA,POLY1305