1--TEST--
2TLS server rate-limits client-initiated renegotiation
3--SKIPIF--
4<?php
5if (!extension_loaded("openssl")) die("skip openssl not loaded");
6if (!function_exists("proc_open")) die("skip no proc_open");
7exec('openssl help', $out, $code);
8if ($code > 0) die("skip couldn't locate openssl binary");
9if(substr(PHP_OS, 0, 3) == 'WIN') {
10   die('skip not suitable for Windows');
11}
12?>
13--FILE--
14<?php
15
16/**
17 * This test uses the openssl binary directly to initiate renegotiation. At this time it's not
18 * possible renegotiate the TLS handshake in PHP userland, so using the openssl s_client binary
19 * command is the only feasible way to test renegotiation limiting functionality. It's not an ideal
20 * solution, but it's really the only way to get test coverage on the rate-limiting functionality
21 * given current limitations.
22 */
23
24$serverCode = <<<'CODE'
25    $serverUri = "ssl://127.0.0.1:64321";
26    $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
27    $serverCtx = stream_context_create(['ssl' => [
28        'local_cert' => __DIR__ . '/bug54992.pem',
29        'reneg_limit' => 0,
30        'reneg_window' => 30,
31        'reneg_limit_callback' => function($stream) {
32            var_dump($stream);
33        }
34    ]]);
35
36    $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
37    phpt_notify();
38
39    $clients = [];
40    while (1) {
41        $r = array_merge([$server], $clients);
42        $w = $e = [];
43
44        stream_select($r, $w, $e, $timeout=42);
45
46        foreach ($r as $sock) {
47            if ($sock === $server && ($client = stream_socket_accept($server, $timeout = 42))) {
48                $clientId = (int) $client;
49                $clients[$clientId] = $client;
50            } elseif ($sock !== $server) {
51                $clientId = (int) $sock;
52                $buffer = fread($sock, 1024);
53                if (strlen($buffer)) {
54                    continue;
55                } elseif (!is_resource($sock) || feof($sock)) {
56                    unset($clients[$clientId]);
57                    break 2;
58                }
59            }
60        }
61    }
62CODE;
63
64$clientCode = <<<'CODE'
65    $cmd = 'openssl s_client -connect 127.0.0.1:64321';
66    $descriptorSpec = [["pipe", "r"], ["pipe", "w"], ["pipe", "w"]];
67    $process = proc_open($cmd, $descriptorSpec, $pipes);
68
69    list($stdin, $stdout, $stderr) = $pipes;
70
71    // Trigger renegotiation twice
72    // Server settings only allow one per second (should result in disconnection)
73    fwrite($stdin, "R\nR\nR\nR\n");
74
75    $lines = [];
76    while(!feof($stderr)) {
77        fgets($stderr);
78    }
79
80    fclose($stdin);
81    fclose($stdout);
82    fclose($stderr);
83    proc_terminate($process);
84CODE;
85
86include 'ServerClientTestCase.inc';
87ServerClientTestCase::getInstance()->run($serverCode, $clientCode);
88--EXPECTF--
89resource(%d) of type (stream)
90