1--TEST--
2TLS server rate-limits client-initiated renegotiation
3--EXTENSIONS--
4openssl
5--SKIPIF--
6<?php
7if (!function_exists("proc_open")) die("skip no proc_open");
8exec('openssl help', $out, $code);
9if ($code > 0) die("skip couldn't locate openssl binary");
10if(substr(PHP_OS, 0, 3) == 'WIN') {
11    die('skip not suitable for Windows');
12}
13?>
14--FILE--
15<?php
16$certFile = __DIR__ . DIRECTORY_SEPARATOR . 'stream_server_reneg_limit.pem.tmp';
17
18/**
19 * This test uses the openssl binary directly to initiate renegotiation. At this time it's not
20 * possible renegotiate the TLS handshake in PHP userland, so using the openssl s_client binary
21 * command is the only feasible way to test renegotiation limiting functionality. It's not an ideal
22 * solution, but it's really the only way to get test coverage on the rate-limiting functionality
23 * given current limitations.
24 */
25
26$serverCode = <<<'CODE'
27    $printed = false;
28    $serverUri = "ssl://127.0.0.1:64321";
29    $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
30    $serverCtx = stream_context_create(['ssl' => [
31        'local_cert' => '%s',
32        // TLS 1.3 does not support renegotiation.
33        'max_proto_version' => STREAM_CRYPTO_PROTO_TLSv1_2,
34        'reneg_limit' => 0,
35        'reneg_window' => 30,
36        'reneg_limit_callback' => function($stream) use (&$printed) {
37            if (!$printed) {
38                $printed = true;
39                var_dump($stream);
40            }
41        }
42    ]]);
43
44    $server = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
45    phpt_notify();
46
47    $clients = [];
48    while (1) {
49        $r = array_merge([$server], $clients);
50        $w = $e = [];
51
52        stream_select($r, $w, $e, $timeout=42);
53
54        foreach ($r as $sock) {
55            if ($sock === $server && ($client = stream_socket_accept($server, $timeout = 42))) {
56                $clientId = (int) $client;
57                $clients[$clientId] = $client;
58            } elseif ($sock !== $server) {
59                $clientId = (int) $sock;
60                $buffer = fread($sock, 1024);
61                if (strlen($buffer)) {
62                    continue;
63                } elseif (!is_resource($sock) || feof($sock)) {
64                    unset($clients[$clientId]);
65                    break 2;
66                }
67            }
68        }
69    }
70CODE;
71$serverCode = sprintf($serverCode, $certFile);
72
73$clientCode = <<<'CODE'
74    phpt_wait();
75
76    $cmd = 'openssl s_client -connect 127.0.0.1:64321';
77    $descriptorSpec = [["pipe", "r"], ["pipe", "w"], ["pipe", "w"]];
78    $process = proc_open($cmd, $descriptorSpec, $pipes);
79
80    list($stdin, $stdout, $stderr) = $pipes;
81
82    // Trigger renegotiation twice
83    // Server settings only allow one per second (should result in disconnection)
84    fwrite($stdin, "R\nR\nR\nR\n");
85
86    $lines = [];
87    while(!feof($stderr)) {
88        fgets($stderr);
89    }
90
91    fclose($stdin);
92    fclose($stdout);
93    fclose($stderr);
94    proc_terminate($process);
95CODE;
96
97include 'CertificateGenerator.inc';
98$certificateGenerator = new CertificateGenerator();
99$certificateGenerator->saveNewCertAsFileWithKey('stream_security_level', $certFile);
100
101include 'ServerClientTestCase.inc';
102ServerClientTestCase::getInstance()->run($serverCode, $clientCode);
103?>
104--CLEAN--
105<?php
106@unlink(__DIR__ . DIRECTORY_SEPARATOR . 'stream_server_reneg_limit.pem.tmp');
107?>
108--EXPECTF--
109resource(%d) of type (stream)
110