Closed
prchander/openssl
#3
Labels: branch: 1.1.1 (applies to OpenSSL_1_1_1-stable branch, EOL); branch: master (applies to master branch); triaged: bug (the issue/PR is/fixes a bug)
Description
During renegotiation, when the client doesn't advertise support for the ec_point_formats extension in the second ClientHello, the server will still include it in the ServerHello.
This is a violation of RFC 5246 section 7.4.1.3:
extensions
A list of extensions. Note that only extensions offered by the
client can appear in the server's list.
and a violation of a MUST NOT in section 7.4.1.4:
An extension type MUST NOT appear in the ServerHello unless the same
extension type appeared in the corresponding ClientHello. If a
client receives an extension type in ServerHello that it did not
request in the associated ClientHello, it MUST abort the handshake
with an unsupported_extension fatal alert.
Both the master (3057311) and 1.1.1 branches are affected.
Reproducer
openssl req -x509 -newkey rsa -keyout /tmp/localhost.key -out /tmp/localhost.crt -subj /CN=localhost -nodes -batch
openssl s_server -key /tmp/localhost.key -cert /tmp/localhost.crt -www 2>server.err >server.out &
openssl_pid=$!
git clone https://github.com/tomato42/tlsfuzzer
pushd tlsfuzzer
# won't be needed after https://github.com/tlsfuzzer/tlsfuzzer/pull/750 gets merged
git checkout renego-tests
git clone https://github.com/tlsfuzzer/tlslite-ng .tlslite-ng
ln -s .tlslite-ng/tlslite tlslite
git clone https://github.com/tlsfuzzer/python-ecdsa .python-ecdsa
ln -s .python-ecdsa/src/ecdsa ecdsa
PYTHONPATH=. python scripts/test-renegotiation-changed-clienthello.py -d
popd
kill $openssl_pid
OpenSSL output
Could not read params of DH parameters from /tmp/cert.pem
Using default temp DH parameters
ACCEPT
read R BLOCK
read R BLOCK
read R BLOCK
read R BLOCK
406763CD417F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:309:
read R BLOCK
406763CD417F0000:error:0A000068:SSL routines:final_ems:inconsistent extms:ssl/statem/extensions.c:1165:
read R BLOCK
read R BLOCK
read R BLOCK
read R BLOCK
read R BLOCK
tlsfuzzer output
sanity ...
OK
drop supported_groups in renegotiation ...
OK
drop alpn in renegotiation ...
OK
drop supported_versions in renegotiation ...
OK
drop status_request in renegotiation ...
OK
drop ec_point_formats in renegotiation ...
Error encountered while processing node ExpectServerHello(description='second handshake') (child: <tlsfuzzer.expect.ExpectCertificate object at 0x7fc83bc5b580>) with last message being: <tlslite.messages.Message object at 0x7fc83bc17070>
Error while processing
Traceback (most recent call last):
File "scripts/test-renegotiation-changed-clienthello.py", line 408, in main
runner.run()
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 239, in run
node.process(self.state, msg)
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 743, in process
self._process_extensions(state, cln_hello, srv_hello)
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/expect.py", line 627, in _process_extensions
raise AssertionError("Server sent unadvertised "
AssertionError: Server sent unadvertised extension of type ec_point_formats
drop psk_key_exchange_modes in renegotiation ...
OK
drop extended_master_secret in renegotiation ...
OK
drop key_share in renegotiation ...
OK
drop post_handshake_auth in renegotiation ...
OK
drop pre_shared_key in renegotiation ...
OK
sanity - renegotiation ...
OK
drop 18 in renegotiation ...
OK
sanity ...
OK
Test how server behaves when the renegotiation Client Hello is
changed compared to the initial ClientHello.
If the renegotiation is supposed to be disabled use the
test-renegotiation-disabled.py or
test-renegotiation-disabled-client-cert.py scripts to verify
that.
Test end
====================
version: 1
====================
TOTAL: 14
SKIP: 0
PASS: 13
XFAIL: 0
FAIL: 1
XPASS: 0
====================
FAILED:
'drop ec_point_formats in renegotiation'
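The rule quoted above from RFC 5246 section 7.4.1.4, as an added example that is not part of the original report and is neither OpenSSL nor tlsfuzzer code: it lists the extension types in raw ClientHello and ServerHello handshake messages and reports any type the server sent that the client did not offer. The function names and the sample messages are assumptions constructed for illustration.

```python
import struct
EC_POINT_FORMATS, SUPPORTED_GROUPS, RENEGOTIATION_INFO = 11, 10, 0xFF01  # IANA values

def _ext_types(body, off):
    """Extension types in the optional extensions block starting at body[off]."""
    if off == len(body):
        return []
    end = off + 2 + struct.unpack_from("!H", body, off)[0]
    if end != len(body):
        raise ValueError("extensions length does not match message length")
    off, types = off + 2, []
    while off < end:
        ext_type, ext_len = struct.unpack_from("!HH", body, off)
        off += 4 + ext_len
        if off > end:
            raise ValueError("extension data overruns the extensions block")
        types.append(ext_type)
    return types

def hello_extensions(msg):
    """Extension types of a ClientHello (type 1) or ServerHello (type 2) message."""
    body = msg[4:]
    if msg[:1] not in (b"\x01", b"\x02") or len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("not a complete ClientHello or ServerHello")
    try:
        off = 2 + 32                       # version + random
        off += 1 + body[off]               # session_id
        if msg[0] == 1:                    # ClientHello carries lists
            off += 2 + struct.unpack_from("!H", body, off)[0]  # cipher_suites
            off += 1 + body[off]           # compression_methods
        else:                              # ServerHello carries single values
            off += 2 + 1                   # cipher_suite + compression_method
        return _ext_types(body, off)
    except (IndexError, struct.error):
        raise ValueError("truncated hello message") from None

def unadvertised(client_hello, server_hello):
    """Extension types in the ServerHello that the ClientHello did not offer."""
    offered = set(hello_extensions(client_hello))
    return [t for t in hello_extensions(server_hello) if t not in offered]

def build_hello(hs_type, ext_types):
    """Constructed sample hello; every extension carries 2 placeholder bytes."""
    exts = b"".join(struct.pack("!HH", t, 2) + b"\x01\x00" for t in ext_types)
    suites = b"\x00\x02\xc0\x2f\x01\x00" if hs_type == 1 else b"\xc0\x2f\x00"
    body = b"\x03\x03" + bytes(32) + b"\x00" + suites + struct.pack("!H", len(exts)) + exts
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body

RENEGO_CLIENT_HELLO = build_hello(1, [SUPPORTED_GROUPS, RENEGOTIATION_INFO])  # constructed
BUGGY_SERVER_HELLO = build_hello(2, [RENEGOTIATION_INFO, EC_POINT_FORMATS])   # constructed
```

`unadvertised(RENEGO_CLIENT_HELLO, BUGGY_SERVER_HELLO)` returns `[11]`, the ec_point_formats type; a client that follows the quoted MUST would abort the handshake with an unsupported_extension alert on any non-empty result.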