crypto/tls: don't select ECC ciphersuites with no mutual curve.

The existing code that tried to prevent ECC ciphersuites from being selected when there were no mutual curves still left |suite| set. This lead to a panic on a nil pointer when there were no acceptable ciphersuites at all. Thanks to George Kadianakis for pointing it out. R=golang-dev, r, bradfitz CC=golang-dev https://golang.org/cl/5857043
2025-12-08 06:10:04 +00:00 · 2012-03-23 10:48:51 -04:00 · 2012-03-23 10:48:51 -04:00 · 1d8ec87135
commit 1d8ec87135
parent 76cf6bac07
2 changed files with 10 additions and 4 deletions
--- a/src/pkg/crypto/tls/handshake_server.go
+++ b/src/pkg/crypto/tls/handshake_server.go
@ -60,21 +60,23 @@ FindCipherSuite:
 	for _, id := range clientHello.cipherSuites {
 		for _, supported := range config.cipherSuites() {
 			if id == supported {
-				suite = nil
+				var candidate *cipherSuite
+
 				for _, s := range cipherSuites {
 					if s.id == id {
-						suite = s
+						candidate = s
 						break
 					}
 				}
-				if suite == nil {
+				if candidate == nil {
 					continue
 				}
 				// Don't select a ciphersuite which we can't
 				// support for this client.
-				if suite.elliptic && !ellipticOk {
+				if candidate.elliptic && !ellipticOk {
 					continue
 				}
+				suite = candidate
 				break FindCipherSuite
 			}
 		}