crypto/tls: don't select ECC ciphersuites with no mutual curve.

The existing code that tried to prevent ECC ciphersuites from being
selected when there were no mutual curves still left |suite| set.
This lead to a panic on a nil pointer when there were no acceptable
ciphersuites at all.

Thanks to George Kadianakis for pointing it out.

R=golang-dev, r, bradfitz
CC=golang-dev
https://golang.org/cl/5857043

src/pkg/crypto/tls/handshake_server.go

@@ -60,21 +60,23 @@ FindCipherSuite:
 	for _, id := range clientHello.cipherSuites {
 		for _, supported := range config.cipherSuites() {
 			if id == supported {
-				suite = nil
+				var candidate *cipherSuite
+
 				for _, s := range cipherSuites {
 					if s.id == id {
-						suite = s
+						candidate = s
 						break
 					}
 				}
-				if suite == nil {
+				if candidate == nil {
 					continue
 				}
 				// Don't select a ciphersuite which we can't
 				// support for this client.
-				if suite.elliptic && !ellipticOk {
+				if candidate.elliptic && !ellipticOk {
 					continue
 				}
+				suite = candidate
 				break FindCipherSuite
 			}
 		}

src/pkg/crypto/tls/key_agreement.go

@@ -130,6 +130,10 @@ Curve:
 		}
 	}
 
+	if curveid == 0 {
+		return nil, errors.New("tls: no supported elliptic curves offered")
+	}
+
 	var x, y *big.Int
 	var err error
 	ka.privateKey, x, y, err = elliptic.GenerateKey(ka.curve, config.rand())