Send unsupported_extension on unexpected ServerHello extensions.

We were sending decode_error, but the spec explicitly says (RFC 5246):

   unsupported_extension
      sent by clients that receive an extended server hello containing
      an extension that they did not put in the corresponding client
      hello.  This message is always fatal.

Also add a test for this when it's a known but unoffered extension. We
actually end up putting these in different codepaths now due to the
custom extensions stuff.

Thanks to Eric Rescorla for pointing this out.

Change-Id: If6c8033d4cfe69ef8af5678b873b25e0dbadfc4f
Reviewed-on: https://boringssl-review.googlesource.com/9061
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/custom_extensions.c b/ssl/custom_extensions.c
index c94543d..4a9baa8 100644
--- a/ssl/custom_extensions.c
+++ b/ssl/custom_extensions.c
@@ -139,7 +139,7 @@
       !(ssl->s3->tmp.custom_extensions.sent & (1u << index))) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
     ERR_add_error_dataf("extension: %u", (unsigned)value);
-    *out_alert = SSL_AD_DECODE_ERROR;
+    *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
     return 0;
   }