1--TEST-- 2TLS server rate-limits client-initiated renegotiation 3--SKIPIF-- 4<?php 5if (!extension_loaded("openssl")) die("skip openssl not loaded"); 6if (!function_exists("proc_open")) die("skip no proc_open"); 7exec('openssl help', $out, $code); 8if ($code > 0) die("skip couldn't locate openssl binary"); 9if(substr(PHP_OS, 0, 3) == 'WIN') { 10 die('skip not suitable for Windows'); 11} 12?> 13--FILE-- 14<?php 15$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'stream_server_reneg_limit.pem.tmp'; 16 17/** 18 * This test uses the openssl binary directly to initiate renegotiation. At this time it's not 19 * possible renegotiate the TLS handshake in PHP userland, so using the openssl s_client binary 20 * command is the only feasible way to test renegotiation limiting functionality. It's not an ideal 21 * solution, but it's really the only way to get test coverage on the rate-limiting functionality 22 * given current limitations. 23 */ 24 25$serverCode = <<<'CODE' 26 $printed = false; 27 $serverUri = "ssl://127.0.0.1:64321"; 28 $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; 29 $serverCtx = stream_context_create(['ssl' => [ 30 'local_cert' => '%s', 31 // TLS 1.3 does not support renegotiation. 32 'max_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_2, 33 'reneg_limit' => 0, 34 'reneg_window' => 30, 35 'reneg_limit_callback' => function($stream) use (&$printed) { 36 if (!$printed) { 37 $printed = true; 38 var_dump($stream); 39 } 40 } 41 ]]); 42 43 $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx); 44 phpt_notify(); 45 46 $clients = []; 47 while (1) { 48 $r = array_merge([$server], $clients); 49 $w = $e = []; 50 51 stream_select($r, $w, $e, $timeout=42); 52 53 foreach ($r as $sock) { 54 if ($sock === $server && ($client = stream_socket_accept($server, $timeout = 42))) { 55 $clientId = (int) $client; 56 $clients[$clientId] = $client; 57 } elseif ($sock !== $server) { 58 $clientId = (int) $sock; 59 $buffer = fread($sock, 1024); 60 if (strlen($buffer)) { 61 continue; 62 } elseif (!is_resource($sock) || feof($sock)) { 63 unset($clients[$clientId]); 64 break 2; 65 } 66 } 67 } 68 } 69CODE; 70$serverCode = sprintf($serverCode, $certFile); 71 72$clientCode = <<<'CODE' 73 $cmd = 'openssl s_client -connect 127.0.0.1:64321'; 74 $descriptorSpec = [["pipe", "r"], ["pipe", "w"], ["pipe", "w"]]; 75 $process = proc_open($cmd, $descriptorSpec, $pipes); 76 77 list($stdin, $stdout, $stderr) = $pipes; 78 79 // Trigger renegotiation twice 80 // Server settings only allow one per second (should result in disconnection) 81 fwrite($stdin, "R\nR\nR\nR\n"); 82 83 $lines = []; 84 while(!feof($stderr)) { 85 fgets($stderr); 86 } 87 88 fclose($stdin); 89 fclose($stdout); 90 fclose($stderr); 91 proc_terminate($process); 92CODE; 93 94include 'CertificateGenerator.inc'; 95$certificateGenerator = new CertificateGenerator(); 96$certificateGenerator->saveNewCertAsFileWithKey('stream_security_level', $certFile); 97 98include 'ServerClientTestCase.inc'; 99ServerClientTestCase::getInstance()->run($serverCode, $clientCode); 100?> 101--CLEAN-- 102<?php 103@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'stream_server_reneg_limit.pem.tmp'); 104?> 105--EXPECTF-- 106resource(%d) of type (stream) 107