From e75417fde1dafdfe20910e073841c94c663d6caa Mon Sep 17 00:00:00 2001
From: David Garske
Date: Tue, 13 Aug 2019 15:56:19 -0700
Subject: [PATCH 1/2] Added build option to enforce check for cipher suite in `server_hello` from server.

Enabled using `WOLFSSL_STRICT_CIPHER_SUITE`. Some cipher suites could be allowed if they were supported a build-time even though not sent in the cipher suite list in `client_hello`.

Example log output for test case where `client_hello` sent a cipher suite list and server choose a cipher suite not in the list:
```
wolfSSL Entering DoServerHello
ServerHello did not use cipher suite from ClientHello
wolfSSL Leaving DoHandShakeMsgType(), return -501
wolfSSL Leaving DoHandShakeMsg(), return -501
```
RFC 5246: 7.4.1.3: Server Hello: `cipher_suite: The single cipher suite selected by the server from the list in ClientHello.cipher_suites.`
---
 src/internal.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index 718c26b0d..51c555892 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -18172,6 +18172,23 @@ exit_dpk:
 ssl->options.cipherSuite = cs1;
 compression = input[i++];
 
+#ifdef WOLFSSL_STRICT_CIPHER_SUITE
+ {
+ word32 idx, found = 0;
+ /* confirm server_hello cipher suite is one sent in client_hello */
+ for (idx = 0; idx < ssl->suites->suiteSz; idx += 2) {
+ if (ssl->suites->suites[idx] == cs0 &&
+ ssl->suites->suites[idx+1] == cs1) {
+ found = idx;
+ }
+ }
+ if (!found) {
+ WOLFSSL_MSG("ServerHello did not use cipher suite from ClientHello");
+ return MATCH_SUITE_ERROR;
+ }
+ }
+#endif
+
 if (compression != NO_COMPRESSION && !ssl->options.usingCompression) {
 WOLFSSL_MSG("Server forcing compression w/o support");
 return COMPRESSION_ERROR;

From eb68ad162b6e51e3ee8b938863ca0802521fee10 Mon Sep 17 00:00:00 2001
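Review bot: The loop in the new block reads `ssl->suites->suites[idx+1]` while the bound only guarantees `idx < ssl->suites->suiteSz`, so if suiteSz can ever be odd the last iteration compares one byte past the filled portion of the array; `for (idx = 0; idx + 1 < ssl->suites->suiteSz; idx += 2) {` closes that without changing behaviour for the normal even-length list. The same loop is carried unchanged into the second patch's first hunk. It also dereferences `ssl->suites` unconditionally — presumably it is always allocated by the time the client parses ServerHello, but that is not visible here and is worth confirming, since a NULL here would turn a strict-mode rejection into a crash. The enclosing function (DoServerHello, going by the log in the description) starts and ends outside the hunk, as do the assignments to cs0 and cs1.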
From: David Garske
Date: Fri, 16 Aug 2019 10:20:25 -0700
Subject: [PATCH 2/2] Enable strict cipher suite checking by default.

Changed to enable by default and can be disabled using `WOLFSSL_NO_STRICT_CIPHER_SUITE`.
---
 src/internal.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 51c555892..9a885cd7a 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -18172,14 +18172,15 @@ exit_dpk:
 ssl->options.cipherSuite = cs1;
 compression = input[i++];
 
-#ifdef WOLFSSL_STRICT_CIPHER_SUITE
+#ifndef WOLFSSL_NO_STRICT_CIPHER_SUITE
 {
 word32 idx, found = 0;
 /* confirm server_hello cipher suite is one sent in client_hello */
 for (idx = 0; idx < ssl->suites->suiteSz; idx += 2) {
 if (ssl->suites->suites[idx] == cs0 &&
 ssl->suites->suites[idx+1] == cs1) {
- found = idx;
+ found = 1;
+ break;
 }
 }
 if (!found) {
@@ -18187,7 +18188,7 @@ exit_dpk:
 return MATCH_SUITE_ERROR;
 }
 }
-#endif
+#endif /* !WOLFSSL_NO_STRICT_CIPHER_SUITE */
 
 if (compression != NO_COMPRESSION && !ssl->options.usingCompression) {
 WOLFSSL_MSG("Server forcing compression w/o support");
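Review bot: Now that the check is on by default, the comment inside the block should say what the opt-out gives up, so that defining the macro reads as a deliberate relaxation rather than a build tweak; I would replace the existing one-liner with `/* RFC 5246 7.4.1.3: the selected suite must be one we offered in ClientHello.cipher_suites. Building with WOLFSSL_NO_STRICT_CIPHER_SUITE removes this check and lets the peer pick any suite this build supports. */`. As a style point, `found` is still declared `word32` alongside the index but is only ever 0 or 1 after this change; a separate `byte found = 0;` (or `int`) makes the flag obvious. The second hunk only annotates the `#endif` and needs nothing further; the enclosing function starts and ends outside both hunks.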