crypto/tls: abort handshake if unrequested extensions are sent

[aarongable]

What version of Go are you using (go version)?

$ go version
go version go1.17.6 linux/amd64

$ go1.18beta2 version
go version go1.18beta2 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/aaron/.cache/go-build"
GOENV="/home/aaron/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/aaron/.local/share/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/aaron/.local/share/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17.6"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3439747319=/tmp/go-build -gno-record-gcc-switches"
$ go1.18beta2 env

GO111MODULE=""

GOARCH="amd64"

GOBIN=""

GOCACHE="/home/aaron/.cache/go-build"

GOENV="/home/aaron/.config/go/env"

GOEXE=""

GOEXPERIMENT=""

GOFLAGS=""

GOHOSTARCH="amd64"

GOHOSTOS="linux"

GOINSECURE=""

GOMODCACHE="/home/aaron/.local/share/go/pkg/mod"

GONOPROXY=""

GONOSUMDB=""

GOOS="linux"

GOPATH="/home/aaron/.local/share/go"

GOPRIVATE=""

GOPROXY="https://proxy.golang.org,direct"

GOROOT="/home/aaron/sdk/go1.18beta2"

GOSUMDB="sum.golang.org"

GOTMPDIR=""

GOTOOLDIR="/home/aaron/sdk/go1.18beta2/pkg/tool/linux_amd64"

GOVCS=""

GOVERSION="go1.18beta2"

GCCGO="gccgo"

GOAMD64="v1"

AR="ar"

CC="gcc"

CXX="g++"

CGO_ENABLED="1"

GOMOD="/dev/null"

GOWORK=""

CGO_CFLAGS="-g -O2"

CGO_CPPFLAGS=""

CGO_CXXFLAGS="-g -O2"

CGO_FFLAGS="-g -O2"

CGO_LDFLAGS="-g -O2"

PKG_CONFIG="pkg-config"

GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build112163216=/tmp/go-build -gno-record-gcc-switches"

What did you do?

When processing a serverHello message, the extensions sent by the server are processed regardless of whether they were requested by the client. For example, a client could send a clientHello which does not include the SCTs extension, but any SCTs provided by the server will be accepted regardless.

The same appears to be true in the TLS 1.3 implementation.

What did you expect to see?

RFC 5246, Section 7.4.1.4 states “An extension type MUST NOT appear in the ServerHello unless the same extension type appeared in the corresponding ClientHello.”. Similarly, RFC 8446, Section 4.2 states “Implementations MUST NOT send extension responses if the remote endpoint did not send the corresponding extension requests... Upon receiving such an extension, an endpoint MUST abort the handshake with an unsupported_extension alert.”.

Therefore I expected that receiving an extension that was not requested would result in alertUnexpectedExtension being sent.

What did you see instead?

The handshake is not aborted.

It should be noted that, unlike #51088, the RFCs here do explicitly require that the connection be aborted if the other side presents a non-compliant message. At the same time, it does seem useful to always accept extensions like SCTs and Stapled OCSP regardless of whether they were explicitly requested by the client.

[seankhliao]

cc @golang/security

[aarongable]

I did a bit more digging, and it seems worth noting that both boringssl and openssl appear to enforce this requirement.