authorRich Salz <rsalz@akamai.com>2021-05-06 12:56:35 -0400
committerTomas Mraz <tomas@openssl.org>2021-05-17 10:53:30 +0200
commit55373bfd419ca010a15aac18c88c94827e2f3a92 (patch)
tree803860f6eae08da5688ae7c4b68e195e52851a23 /apps
parentd7970dd963134534340ad00fa62cb1180daf5cb0 (diff)
Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION
Add -client_renegotiation flag support. The -client_renegotiation flag is equivalent to SSL_OP_ALLOW_CLIENT_RENEGOTIATION. Add support to the app, the config code, and the documentation. Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION to the SSL tests. We don't need to always enable it, but there are so many tests that this is the easiest thing to do. Add a test where the client tries to renegotiate and it fails as expected. Add a test where the server tries to renegotiate and it succeeds. The second test is supported by a new flag, -immediate_renegotiation, which is ignored on the client. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15184)
Diffstat (limited to 'apps')
-rw-r--r--apps/include/opt.h10
-rw-r--r--apps/lib/s_cb.c8
-rw-r--r--apps/s_client.c4
-rw-r--r--apps/s_server.c6
4 files changed, 20 insertions, 8 deletions
diff --git a/apps/include/opt.h b/apps/include/opt.h
index c6ec09f882..5d85877301 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -155,13 +155,14 @@
OPT_S__FIRST=3000, \
OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
- OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
+ OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_CLIENTRENEG, \
+ OPT_S_LEGACYCONN, \
OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_ALLOW_NO_DHE_KEX, \
OPT_S_PRIORITIZE_CHACHA, \
OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \
OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \
OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \
- OPT_S_MINPROTO, OPT_S_MAXPROTO, \
+ OPT_S_MINPROTO, OPT_S_MAXPROTO, OPT_S_IMMEDIATE_RENEG, \
OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S__LAST
# define OPT_S_OPTIONS \
@@ -179,6 +180,8 @@
{"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences"}, \
{"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', \
"Enable use of legacy renegotiation (dangerous)"}, \
+ {"client_renegotiation", OPT_S_CLIENTRENEG, '-', \
+ "Allow client-initiated renegotiation" }, \
{"no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', \
"Disable all renegotiation."}, \
{"legacy_server_connect", OPT_S_LEGACYCONN, '-', \
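Review bot: The new help string on the `client_renegotiation` entry does not tell the user that the option is an opt-in, while the neighbouring `legacy_renegotiation` entry at least flags its risk with "(dangerous)"; since the commit message describes SSL_OP_ALLOW_CLIENT_RENEGOTIATION as something the tests have to enable explicitly, the default being off is the one fact a user reading `-help` needs. Suggest `"Allow client-initiated renegotiation (off by default)"}, \`. The same line also has a stray space before the closing brace (`" }, \`) that none of the adjacent entries use.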
@@ -208,6 +211,8 @@
{"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used"}, \
{"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used"}, \
{"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used"}, \
+ {"immediate_renegotiation", OPT_S_IMMEDIATE_RENEG, '-', \
+ "Immediately attempt renegotiation"}, \
{"record_padding", OPT_S_RECORD_PADDING, 's', \
"Block size to pad TLS 1.3 records to."}, \
{"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
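Review bot: The `immediate_renegotiation` entry is added to the shared OPT_S_OPTIONS table, so it is advertised by every app that includes the table, yet the s_client.c hunk in this same commit explicitly ignores it (`/* Option ignored on client. */`) and the help text says nothing about that. A user passing it to s_client gets neither an effect nor a message. Suggest `"Immediately attempt renegotiation (server only)"}, \` here, and optionally a one-line `BIO_printf(bio_err, ...)` warning in the s_client.c case instead of a silent break. The entry is also placed between `max_protocol` and `record_padding` rather than beside the other renegotiation options, which makes the table harder to scan.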
@@ -228,6 +233,7 @@
case OPT_S_NOTICKET: \
case OPT_S_SERVERPREF: \
case OPT_S_LEGACYRENEG: \
+ case OPT_S_CLIENTRENEG: \
case OPT_S_LEGACYCONN: \
case OPT_S_ONRESUMP: \
case OPT_S_NOLEGACYCONN: \
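Review bot: OPT_S_CLIENTRENEG is added to the OPT_S_CASES list here, but the other new enumerator from this commit, OPT_S_IMMEDIATE_RENEG, is not, and nothing in the header records why. From the s_client.c and s_server.c hunks it appears deliberate — each app handles that case itself rather than forwarding it to SSL_CONF_cmd — but a future app that includes OPT_S_OPTIONS without its own case would have an accepted option with no handler. A comment next to this list such as `/* OPT_S_IMMEDIATE_RENEG is app-local and intentionally not in OPT_S_CASES */` would make the contract explicit.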
diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
index bdd5051ee6..e3d9ec1916 100644
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@@ -1233,12 +1233,10 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) {
const char *flag = sk_OPENSSL_STRING_value(str, i);
const char *arg = sk_OPENSSL_STRING_value(str, i + 1);
+
if (SSL_CONF_cmd(cctx, flag, arg) <= 0) {
- if (arg != NULL)
- BIO_printf(bio_err, "Error with command: \"%s %s\"\n",
- flag, arg);
- else
- BIO_printf(bio_err, "Error with command: \"%s\"\n", flag);
+ BIO_printf(bio_err, "Call to SSL_CONF_cmd(%s, %s) failed\n",
+ flag, arg == NULL ? "<NULL>" : arg);
ERR_print_errors(bio_err);
return 0;
}
diff --git a/apps/s_client.c b/apps/s_client.c
index 1aa7a3b7de..1754d3e1a4 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1047,6 +1047,9 @@ int s_client_main(int argc, char **argv)
case OPT_BRIEF:
c_brief = verify_args.quiet = c_quiet = 1;
break;
+ case OPT_S_IMMEDIATE_RENEG:
+ /* Option ignored on client. */
+ break;
case OPT_S_CASES:
if (ssl_args == NULL)
ssl_args = sk_OPENSSL_STRING_new_null();
@@ -2673,7 +2676,6 @@ int s_client_main(int argc, char **argv)
tty_on = 1;
if (in_init) {
in_init = 0;
-
if (c_brief) {
BIO_puts(bio_err, "CONNECTION ESTABLISHED\n");
print_ssl_summary(con);
diff --git a/apps/s_server.c b/apps/s_server.c
index 5d9e8cd568..51b5c9d381 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -78,6 +78,7 @@ static int accept_socket = -1;
static int s_nbio = 0;
static int s_nbio_test = 0;
static int s_crlf = 0;
+static int immediate_reneg = 0;
static SSL_CTX *ctx = NULL;
static SSL_CTX *ctx2 = NULL;
static int www = 0;
@@ -1258,6 +1259,9 @@ int s_server_main(int argc, char *argv[])
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &crl_format))
goto opthelp;
break;
+ case OPT_S_IMMEDIATE_RENEG:
+ immediate_reneg = 1;
+ break;
case OPT_S_CASES:
case OPT_S_NUM_TICKETS:
case OPT_ANTI_REPLAY:
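Review bot: The `immediate_reneg` flag set in this case is consumed in init_ssl_connection later in this diff, where `SSL_renegotiate(con)` is issued on every pass of the `do { i = SSL_accept(con); ... }` retry loop, before `i` is examined and with its return value discarded. On a non-blocking socket that loop can iterate many times, so the renegotiation is requested repeatedly, including on iterations where the handshake has not completed; a failed SSL_renegotiate is also silently lost. Suggest gating on a successful accept and checking the result, e.g. `if (i > 0 && immediate_reneg && SSL_renegotiate(con) <= 0) { ERR_print_errors(bio_err); return 0; }` — with the exact failure handling matched to what the rest of init_ssl_connection does, whose body continues outside the visible hunk.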
@@ -2784,6 +2788,8 @@ static int init_ssl_connection(SSL *con)
} else {
do {
i = SSL_accept(con);
+ if (immediate_reneg)
+ SSL_renegotiate(con);
if (i <= 0)
retry = is_retryable(con, i);