1--TEST--
2Testing peer fingerprint on connection
3--SKIPIF--
4<?php
5if (!extension_loaded("openssl")) die("skip openssl not loaded");
6if (!function_exists("proc_open")) die("skip no proc_open");
7--FILE--
8<?php
9$serverCode = <<<'CODE'
10    $serverUri = "ssl://127.0.0.1:64321";
11    $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
12    $serverCtx = stream_context_create(['ssl' => [
13        'local_cert' => __DIR__ . '/bug54992.pem'
14    ]]);
15
16    $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
17    phpt_notify();
18
19    @stream_socket_accept($server, 1);
20    @stream_socket_accept($server, 1);
21CODE;
22
23$clientCode = <<<'CODE'
24    $serverUri = "ssl://127.0.0.1:64321";
25    $clientFlags = STREAM_CLIENT_CONNECT;
26    $clientCtx = stream_context_create(['ssl' => [
27        'verify_peer'       => true,
28        'cafile'            => __DIR__ . '/bug54992-ca.pem',
29        'capture_peer_cert'    => true,
30        'peer_name'          => 'bug54992.local',
31    ]]);
32
33    phpt_wait();
34
35    // Run the following to get actual md5 (from sources root):
36    // openssl x509 -noout -fingerprint -md5 -inform pem -in ext/openssl/tests/bug54992.pem | cut -d '=' -f 2 | tr -d ':' | tr 'A-F' 'a-f'
37    // Currently it's 4edbbaf40a6a4b6af22b6d6d9818378f
38    // One below is intentionally broken (compare the last character):
39    stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', '4edbbaf40a6a4b6af22b6d6d98183780');
40    var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx));
41
42    // Run the following to get actual sha256 (from sources root):
43    // openssl x509 -noout -fingerprint -sha256 -inform pem -in ext/openssl/tests/bug54992.pem | cut -d '=' -f 2 | tr -d ':' | tr 'A-F' 'a-f'
44    stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', [
45        'sha256' => 'b1d480a2f83594fa243d26378cf611f334d369e59558d87e3de1abe8f36cb997',
46    ]);
47    var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx));
48CODE;
49
50include 'ServerClientTestCase.inc';
51ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
52--EXPECTF--
53Warning: stream_socket_client(): peer_fingerprint match failure in %s on line %d
54
55Warning: stream_socket_client(): Failed to enable crypto in %s on line %d
56
57Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:64321 (Unknown error) in %s on line %d
58bool(false)
59resource(%d) of type (stream)
60