1--TEST--
2Testing peer fingerprint on connection
3--SKIPIF--
4<?php
5if (!extension_loaded("openssl")) die("skip openssl not loaded");
6if (!function_exists("proc_open")) die("skip no proc_open");
7?>
8--FILE--
9<?php
10$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'openssl_peer_fingerprint_basic.pem.tmp';
11$cacertFile = __DIR__ . DIRECTORY_SEPARATOR . 'openssl_peer_fingerprint_basic-ca.pem.tmp';
12
13$serverCode = <<<'CODE'
14    $serverUri = "ssl://127.0.0.1:64321";
15    $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
16    $serverCtx = stream_context_create(['ssl' => [
17        'local_cert' => '%s'
18    ]]);
19
20    $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
21    phpt_notify();
22
23    @stream_socket_accept($server, 1);
24    @stream_socket_accept($server, 1);
25CODE;
26$serverCode = sprintf($serverCode, $certFile);
27
28$peerName = 'openssl_peer_fingerprint_basic';
29$clientCode = <<<'CODE'
30    $serverUri = "ssl://127.0.0.1:64321";
31    $clientFlags = STREAM_CLIENT_CONNECT;
32    $clientCtx = stream_context_create(['ssl' => [
33        'verify_peer'       => true,
34        'cafile'            => '%s',
35        'capture_peer_cert' => true,
36        'peer_name'         => '%s',
37    ]]);
38
39    phpt_wait();
40
41    stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', '%s');
42    var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx));
43
44    stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', [
45        'sha256' => '%s',
46    ]);
47    var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx));
48CODE;
49
50include 'CertificateGenerator.inc';
51$certificateGenerator = new CertificateGenerator();
52$certificateGenerator->saveCaCert($cacertFile);
53$certificateGenerator->saveNewCertAsFileWithKey($peerName, $certFile);
54
55$actualMd5 = $certificateGenerator->getCertDigest('md5');
56$lastCharacter = substr($actualMd5, -1, 1);
57$brokenLastCharacter = dechex(hexdec($lastCharacter) ^ 1);
58$brokenMd5 = substr($actualMd5, 0, -1) . $brokenLastCharacter;
59$actualSha256 = $certificateGenerator->getCertDigest('sha256');
60
61$clientCode = sprintf($clientCode, $cacertFile, $peerName, $brokenMd5, $actualSha256);
62
63
64include 'ServerClientTestCase.inc';
65ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
66?>
67--CLEAN--
68<?php
69@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'openssl_peer_fingerprint_basic.pem.tmp');
70@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'openssl_peer_fingerprint_basic-ca.pem.tmp');
71?>
72--EXPECTF--
73Warning: stream_socket_client(): peer_fingerprint match failure in %s on line %d
74
75Warning: stream_socket_client(): Failed to enable crypto in %s on line %d
76
77Warning: stream_socket_client(): unable to connect to ssl://127.0.0.1:64321 (Unknown error) in %s on line %d
78bool(false)
79resource(%d) of type (stream)
80