1--TEST--
2TLS server rate-limits client-initiated renegotiation
3--SKIPIF--
4<?php
5if (!extension_loaded("openssl")) die("skip openssl not loaded");
6if (!function_exists("proc_open")) die("skip no proc_open");
7exec('openssl help', $out, $code);
8if ($code > 0) die("skip couldn't locate openssl binary");
9if(substr(PHP_OS, 0, 3) == 'WIN') {
10    die('skip not suitable for Windows');
11}
12?>
13--FILE--
14<?php
15$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'stream_server_reneg_limit.pem.tmp';
16
17/**
18 * This test uses the openssl binary directly to initiate renegotiation. At this time it's not
19 * possible renegotiate the TLS handshake in PHP userland, so using the openssl s_client binary
20 * command is the only feasible way to test renegotiation limiting functionality. It's not an ideal
21 * solution, but it's really the only way to get test coverage on the rate-limiting functionality
22 * given current limitations.
23 */
24
25$serverCode = <<<'CODE'
26    $printed = false;
27    $serverUri = "ssl://127.0.0.1:64321";
28    $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
29    $serverCtx = stream_context_create(['ssl' => [
30        'local_cert' => '%s',
31        // TLS 1.3 does not support renegotiation.
32        'max_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_2,
33        'reneg_limit' => 0,
34        'reneg_window' => 30,
35        'reneg_limit_callback' => function($stream) use (&$printed) {
36            if (!$printed) {
37                $printed = true;
38                var_dump($stream);
39            }
40        }
41    ]]);
42
43    $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
44    phpt_notify();
45
46    $clients = [];
47    while (1) {
48        $r = array_merge([$server], $clients);
49        $w = $e = [];
50
51        stream_select($r, $w, $e, $timeout=42);
52
53        foreach ($r as $sock) {
54            if ($sock === $server && ($client = stream_socket_accept($server, $timeout = 42))) {
55                $clientId = (int) $client;
56                $clients[$clientId] = $client;
57            } elseif ($sock !== $server) {
58                $clientId = (int) $sock;
59                $buffer = fread($sock, 1024);
60                if (strlen($buffer)) {
61                    continue;
62                } elseif (!is_resource($sock) || feof($sock)) {
63                    unset($clients[$clientId]);
64                    break 2;
65                }
66            }
67        }
68    }
69CODE;
70$serverCode = sprintf($serverCode, $certFile);
71
72$clientCode = <<<'CODE'
73    $cmd = 'openssl s_client -connect 127.0.0.1:64321';
74    $descriptorSpec = [["pipe", "r"], ["pipe", "w"], ["pipe", "w"]];
75    $process = proc_open($cmd, $descriptorSpec, $pipes);
76
77    list($stdin, $stdout, $stderr) = $pipes;
78
79    // Trigger renegotiation twice
80    // Server settings only allow one per second (should result in disconnection)
81    fwrite($stdin, "R\nR\nR\nR\n");
82
83    $lines = [];
84    while(!feof($stderr)) {
85        fgets($stderr);
86    }
87
88    fclose($stdin);
89    fclose($stdout);
90    fclose($stderr);
91    proc_terminate($process);
92CODE;
93
94include 'CertificateGenerator.inc';
95$certificateGenerator = new CertificateGenerator();
96$certificateGenerator->saveNewCertAsFileWithKey('stream_security_level', $certFile);
97
98include 'ServerClientTestCase.inc';
99ServerClientTestCase::getInstance()->run($serverCode, $clientCode);
100?>
101--CLEAN--
102<?php
103@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'stream_server_reneg_limit.pem.tmp');
104?>
105--EXPECTF--
106resource(%d) of type (stream)
107