add chacha20-smarter.patch for openssl 1.1.0 in 123.09beta01

support bassie's Cloudflare backported chacha20 patch to only serve chacha20 ciphers if it's the preferred one for clients rather than server it based on server side preferences https://community.centminmod.com/posts/35727/

inc/openssl_install.inc

@@ -81,6 +81,28 @@ if [[ "$CLOUDFLARE_PATCHSSL" = [yY] && "$DETECTOPENSSL_ONEZERO" = '1.0' ]]; then
         fi
     # fi
 fi # CLOUDFLARE_PATCHSSL
+
+if [[ "$CLOUDFLARE_PATCHSSL" = [yY] && "$DETECTOPENSSL_ONEZERO" = '1.1' ]]; then
+        if [ -f "$(which figlet)" ]; then
+            figlet -ckf standard "Cloudflare OpenSSL 1.1 Smarter Chacha20 Patch"
+        fi
+        echo  "######################################################################"
+        echo "Patching OpenSSL 1.1.0 branch"
+        echo  "######################################################################"
+        echo "Cloudflare Smart ChaCha20 patch"
+        echo "https://community.centminmod.com/posts/35727/"
+        echo "only support ChaCha20 if client's preferred cipher"
+        echo  "######################################################################"
+        if [ ! -f "$CUR_DIR/patches/openssl/chacha20-smarter.patch" ]; then
+            patch -p1 < "$CUR_DIR/patches/openssl/chacha20-smarter.patch"
+        fi
+        echo  "######################################################################"
+        echo  "OpenSSL 1.1.0 branch Smart Chacha20 patched"
+        echo  "######################################################################"
+        if [ -f "$(which figlet)" ]; then
+            figlet -ckf standard "Cloudflare OpenSSL 1.1 Smarter Chacha20 Patched"
+        fi
+fi # CLOUDFLARE_PATCHSSL
 }
 
 installopenssl() {

patches/openssl/chacha20-smarter.patch

@@ -0,0 +1,52 @@
+From 4fb0dc4dfgtrh65876987ottjrt45657e08b35d6a Mon Sep 17 00:00:00 2001
+From: Bassie / Buik <allesisvoorbassiesdikkebuik@local>
+Date: Mon, 5 Sept 2016 19:09:47 -0800
+Subject: [PATCH] Use ChaCha20+Poly1305 if it is the client's most preferred cipher suite.
+
+Use OpenSSL 1.1 ChaCha20+Poly1305 if it is the client's most preferred cipher suite.
+
+Ported from OpenSSL 1.0.2g source: github.com/cloudflare/sslconfig/patches/openssl_chacha20_poly1305_draft_and_rfc_ossl102g.patch.
+
+Index: ssl/s3_lib.c
+===================================================================
+--- a/ssl/s3_lib.c 2016-08-25 17:29:22.000000000 +0200
++++ b/ssl/s3_lib.c 2016-09-04 19:54:21.749766219 +0200
+@@ -3582,6 +3582,8 @@
+     STACK_OF(SSL_CIPHER) *prio, *allow;
+     int i, ii, ok;
+     unsigned long alg_k, alg_a, mask_k, mask_a;
++    /* Port to OpenSSL 1.1 / Use ChaCha20+Poly1305 iff it's client's most preferred cipher suite */
++    int use_chacha = 0;
+
+     /* Let's see which ciphers we can support */
+
+@@ -3614,9 +3616,17 @@
+     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || tls1_suiteb(s)) {
+         prio = srvr;
+         allow = clnt;
++        /* Port to OpenSSL 1.1 / Use ChaCha20+Poly1305 iff it's client's most preferred cipher suite */
++        /* Use ChaPoly iff it's client's most preferred cipher suite */
++        if (sk_SSL_CIPHER_num(clnt) > 0) {
++            c = sk_SSL_CIPHER_value(clnt, 0);
++            if (c->algorithm_enc == SSL_CHACHA20POLY1305)
++                use_chacha = 1;
++        }
+     } else {
+         prio = clnt;
+         allow = srvr;
++        use_chacha = 1;
+     }
+
+     tls1_set_cert_validity(s);
+@@ -3633,6 +3643,11 @@
+             (DTLS_VERSION_LT(s->version, c->min_dtls) ||
+              DTLS_VERSION_GT(s->version, c->max_dtls)))
+             continue;
++        /* Port to OpenSSL 1.1 / Use ChaCha20+Poly1305 iff it's client's most preferred cipher suite */
++        /* Skip ChaCha unless top client priority */
++        if ((c->algorithm_enc == SSL_CHACHA20POLY1305) && !use_chacha)
++            continue;
++
+
+         mask_k = s->s3->tmp.mask_k;
+         mask_a = s->s3->tmp.mask_a;