--TEST--
Testing peer fingerprint on connection
--EXTENSIONS--
openssl
--SKIPIF--
<?php
// The server/client harness presumably spawns worker processes with proc_open();
// skip the test outright where that function is unavailable.
function_exists("proc_open") || die("skip no proc_open");
?>
--FILE--
<?php
/*
 * Exercises the 'peer_fingerprint' SSL context option against a freshly
 * generated certificate, in both forms the option accepts:
 *   1. a bare digest string (here a deliberately corrupted md5), which must
 *      make the handshake fail closed, and
 *   2. an ['algo' => digest] array carrying the correct sha256, which must
 *      connect.
 * cafile points at the CA that issued the leaf and peer_name matches the name
 * the leaf was generated for, so the fingerprint check is the only thing that
 * should differ between the two attempts.
 */
$tmpDir = __DIR__ . DIRECTORY_SEPARATOR;
$certFile = $tmpDir . 'openssl_peer_fingerprint_basic.pem.tmp';
$cacertFile = $tmpDir . 'openssl_peer_fingerprint_basic-ca.pem.tmp';
$peerName = 'openssl_peer_fingerprint_basic';

// Server side: listens on loopback with the generated leaf cert, signals
// readiness via phpt_notify(), then accepts the two handshakes the client
// attempts (1s timeout each). accept() errors are suppressed, presumably
// because the first handshake is expected to be torn down by the client's
// fingerprint mismatch.
$serverCode = <<<'CODE'
    $serverUri = "ssl://127.0.0.1:64321";
    $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
    $serverCtx = stream_context_create(['ssl' => [
        'local_cert' => '%s'
    ]]);

    $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
    phpt_notify();

    @stream_socket_accept($server, 1);
    @stream_socket_accept($server, 1);
CODE;

// Client side: two connection attempts sharing one context; only the
// 'peer_fingerprint' option is changed between them (string form first,
// array form second).
$clientCode = <<<'CODE'
    $serverUri = "ssl://127.0.0.1:64321";
    $clientFlags = STREAM_CLIENT_CONNECT;
    $clientCtx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'cafile'            => '%s',
        'capture_peer_cert' => true,
        'peer_name'         => '%s',
    ]]);

    phpt_wait();

    stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', '%s');
    var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx));

    stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', [
        'sha256' => '%s',
    ]);
    var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx));
CODE;

include 'CertificateGenerator.inc';
$generator = new CertificateGenerator();
$generator->saveCaCert($cacertFile);
$generator->saveNewCertAsFileWithKey($peerName, $certFile);

// Corrupt the genuine md5 by flipping the low bit of its final hex digit, so
// the string-form fingerprint differs from the real one by exactly one nibble.
$actualMd5 = $generator->getCertDigest('md5');
$brokenLastNibble = dechex(hexdec(substr($actualMd5, -1)) ^ 1);
$brokenMd5 = substr_replace($actualMd5, $brokenLastNibble, -1);
$actualSha256 = $generator->getCertDigest('sha256');

$serverCode = sprintf($serverCode, $certFile);
$clientCode = sprintf($clientCode, $cacertFile, $peerName, $brokenMd5, $actualSha256);

// Expected: the corrupted md5 yields "peer_fingerprint match failure" plus a
// failed crypto enable and bool(false); the correct sha256 yields a stream.
include 'ServerClientTestCase.inc';
ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
?>
--CLEAN--
<?php
// Remove the leaf cert and CA files the test writes next to itself; errors are
// suppressed so cleanup stays quiet if a file was never created.
foreach (['openssl_peer_fingerprint_basic.pem.tmp', 'openssl_peer_fingerprint_basic-ca.pem.tmp'] as $tmpFile) {
    @unlink(__DIR__ . DIRECTORY_SEPARATOR . $tmpFile);
}
?>
--EXPECTF--
Warning: stream_socket_client(): peer_fingerprint match failure in %s on line %d

Warning: stream_socket_client(): Failed to enable crypto in %s on line %d

Warning: stream_socket_client(): Unable to connect to ssl://127.0.0.1:64321 (Unknown error) in %s on line %d
bool(false)
resource(%d) of type (stream)
