Test if the ServerHello includes an unknown cipher suite.

We never had coverage for that codepath.

Change-Id: Iba1b0a3ddca743745773c663995acccda9fa6970
Reviewed-on: https://boringssl-review.googlesource.com/8827
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

ssl/test/runner/runner.go

@@ -2082,6 +2082,8 @@ func addBasicTests() {
 }
 
 func addCipherSuiteTests() {
+	const bogusCipher = 0xfe00
+
 	for _, suite := range testCipherSuites {
 		const psk = "12345"
 		const pskIdentity = "luggage combo"
@@ -2256,6 +2258,29 @@ func addCipherSuiteTests() {
 		expectedError: ":WRONG_CIPHER_RETURNED:",
 	})
 
+	testCases = append(testCases, testCase{
+		name: "ServerHelloBogusCipher",
+		config: Config{
+			MaxVersion: VersionTLS12,
+			Bugs: ProtocolBugs{
+				SendCipherSuite: bogusCipher,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":UNKNOWN_CIPHER_RETURNED:",
+	})
+	testCases = append(testCases, testCase{
+		name: "ServerHelloBogusCipher-TLS13",
+		config: Config{
+			MaxVersion: VersionTLS13,
+			Bugs: ProtocolBugs{
+				SendCipherSuite: bogusCipher,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":UNKNOWN_CIPHER_RETURNED:",
+	})
+
 	testCases = append(testCases, testCase{
 		name: "WeakDH",
 		config: Config{
@@ -2305,7 +2330,6 @@ func addCipherSuiteTests() {
 	})
 
 	// The server must be tolerant to bogus ciphers.
-	const bogusCipher = 0x1234
 	testCases = append(testCases, testCase{
 		testType: serverTest,
 		name:     "UnknownCipher",