crypto/tls: Server can specify an unadvertised cipher suite

During the TLS handshake, check the cipher suite the server selects is one of those offered in the ClientHello. The code was checking it was in the larger list that was sometimes whittled down for the ClientHello. Fixes #13174 Change-Id: Iad8eebbcfa5027f30403b9700c43cfa949e135bb Reviewed-on: https://go-review.googlesource.com/16698Reviewed-by: Adam Langley <agl@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>

crypto/tls: Server can specify an unadvertised cipher suite
During the TLS handshake, check the cipher suite the server selects is one of those offered in the ClientHello. The code was checking it was in the larger list that was sometimes whittled down for the ClientHello. Fixes #13174 Change-Id: Iad8eebbcfa5027f30403b9700c43cfa949e135bb Reviewed-on: https://go-review.googlesource.com/16698Reviewed-by: Adam Langley <agl@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
db4ef216 · Ralph Corderoy · Russ Cox · b717090e · db4ef216 · db4ef216
Commit db4ef216 authored Nov 07, 2015 by Ralph Corderoy Committed by Russ Cox Nov 26, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 53 additions and 2 deletions

handshake_client.go src/crypto/tls/handshake_client.go +2 -2

handshake_client_test.go src/crypto/tls/handshake_client_test.go +51 -0

No files found.
--- a/src/crypto/tls/handshake_client.go
+++ b/src/crypto/tls/handshake_client.go
@@ -165,10 +165,10 @@ NextCipherSuite:
 	c.vers = vers
 	c.haveVers = true

-	suite := mutualCipherSuite(c.config.cipherSuites(), serverHello.cipherSuite)
+	suite := mutualCipherSuite(hello.cipherSuites, serverHello.cipherSuite)
 	if suite == nil {
 		c.sendAlert(alertHandshakeFailure)
-		return fmt.Errorf("tls: server selected an unsupported cipher suite")
+		return errors.New("tls: server chose an unconfigured cipher suite")
 	}

 	hs := &clientHandshakeState{

--- a/src/crypto/tls/handshake_client_test.go
+++ b/src/crypto/tls/handshake_client_test.go
@@ -19,6 +19,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"testing"
 	"time"
 )
@@ -643,3 +644,53 @@ func TestNoIPAddressesInSNI(t *testing.T) {
 		}
 	}
 }
+
+func TestServerSelectingUnconfiguredCipherSuite(t *testing.T) {
+	// This checks that the server can't select a cipher suite that the
+	// client didn't offer. See #13174.
+
+	c, s := net.Pipe()
+	errChan := make(chan error, 1)
+
+	go func() {
+		client := Client(c, &Config{
+			ServerName:   "foo",
+			CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
+		})
+		errChan <- client.Handshake()
+	}()
+
+	var header [5]byte
+	if _, err := io.ReadFull(s, header[:]); err != nil {
+		t.Fatal(err)
+	}
+	recordLen := int(header[3])<<8 | int(header[4])
+
+	record := make([]byte, recordLen)
+	if _, err := io.ReadFull(s, record); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create a ServerHello that selects a different cipher suite than the
+	// sole one that the client offered.
+	serverHello := &serverHelloMsg{
+		vers:        VersionTLS12,
+		random:      make([]byte, 32),
+		cipherSuite: TLS_RSA_WITH_AES_256_GCM_SHA384,
+	}
+	serverHelloBytes := serverHello.marshal()
+
+	s.Write([]byte{
+		byte(recordTypeHandshake),
+		byte(VersionTLS12 >> 8),
+		byte(VersionTLS12 & 0xff),
+		byte(len(serverHelloBytes) >> 8),
+		byte(len(serverHelloBytes)),
+	})
+	s.Write(serverHelloBytes)
+	s.Close()
+
+	if err := <-errChan; !strings.Contains(err.Error(), "unconfigured cipher") {
+		t.Fatalf("Expected error about unconfigured cipher suite but got %q", err)
+	}
+}