Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION

Add -client_renegotiation flag support.  The -client_renegotiation flag is
equivalent to SSL_OP_ALLOW_CLIENT_RENEGOTIATION. Add support to the app,
the config code, and the documentation.

Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION to the SSL tests. We don't need to
always enable it, but there are so many tests so this is the easiest thing
to do.

Add a test where client tries to renegotiate and it fails as expected. Add
a test where server tries to renegotiate and it succeeds. The second test
is supported by a new flag, -immediate_renegotiation, which is ignored on
the client.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15184)

1 files changed, 6 insertions, 0 deletions

diff --git a/apps/s_server.c b/apps/s_server.c
index 5d9e8cd568..51b5c9d381 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -78,6 +78,7 @@ static int accept_socket = -1;
 static int s_nbio = 0;
 static int s_nbio_test = 0;
 static int s_crlf = 0;
+static int immediate_reneg = 0;
 static SSL_CTX *ctx = NULL;
 static SSL_CTX *ctx2 = NULL;
 static int www = 0;
@@ -1258,6 +1259,9 @@ int s_server_main(int argc, char *argv[])
             if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &crl_format))
                 goto opthelp;
             break;
+        case OPT_S_IMMEDIATE_RENEG:
+            immediate_reneg = 1;
+            break;
         case OPT_S_CASES:
         case OPT_S_NUM_TICKETS:
         case OPT_ANTI_REPLAY:
@@ -2784,6 +2788,8 @@ static int init_ssl_connection(SSL *con)
     } else {
         do {
             i = SSL_accept(con);
+            if (immediate_reneg)
+                SSL_renegotiate(con);
 
             if (i <= 0)
                 retry = is_retryable(con, i);