| 391 | } |
| 392 | |
// pickCipherSuite chooses the cipher suite for this handshake and enforces
// the TLS_FALLBACK_SCSV downgrade signal described in RFC 7507.
//
// The server's candidate list is obtained from c.config.cipherSuites, passing
// it the result of isAESGCMPreferred on the client's offer. selectCipherSuite
// is then given that list, the client's offer, and hs.cipherSuiteOk as the
// acceptance predicate. If it returns nil, a handshake_failure alert is sent
// and an error is returned. On success the selected suite is stored in
// hs.suite and its id in c.cipherSuite.
//
// After selection, the client's offer is scanned for TLS_FALLBACK_SCSV. When
// it is present and the ClientHello version is lower than the highest version
// this server supports, an inappropriate_fallback alert is sent and the
// handshake is aborted.
func (hs *serverHandshakeState) pickCipherSuite() error {
	conn := hs.c

	gcmPreferred := isAESGCMPreferred(hs.clientHello.cipherSuites)
	serverPrefs := conn.config.cipherSuites(gcmPreferred)

	hs.suite = selectCipherSuite(serverPrefs, hs.clientHello.cipherSuites, hs.cipherSuiteOk)
	if hs.suite == nil {
		conn.sendAlert(alertHandshakeFailure)
		// The peer-supplied suite IDs are rendered with %x, so the error text
		// contains only their hex form.
		return fmt.Errorf("tls: no cipher suite supported by both client and server; client offered: %x", hs.clientHello.cipherSuites)
	}
	conn.cipherSuite = hs.suite.id

	// Downgrade protection: this check depends only on the presence of the
	// SCSV and the version comparison, not on which suite was selected above.
	fallbackSignalled := false
	for _, offeredID := range hs.clientHello.cipherSuites {
		if offeredID == TLS_FALLBACK_SCSV {
			fallbackSignalled = true
			break
		}
	}
	if fallbackSignalled {
		// The client is doing a fallback connection. See RFC 7507.
		if hs.clientHello.vers < conn.config.maxSupportedVersion(roleServer) {
			conn.sendAlert(alertInappropriateFallback)
			return errors.New("tls: client using inappropriate protocol fallback")
		}
	}

	return nil
}
| 419 | |
| 420 | func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool { |
| 421 | if c.flags&suiteECDHE != 0 { |