1--TEST--
2GH-9310: local_cert and local_pk do not respect open_basedir restriction
3--EXTENSIONS--
4openssl
5--SKIPIF--
6<?php
// ServerClientTestCase.inc presumably drives the server and client as child
// processes, so the test cannot run where proc_open() is missing or disabled.
function_exists('proc_open') or die('skip no proc_open');
8?>
9--FILE--
10<?php
include 'ServerClientTestCase.inc';

// Layout: one directory acts as the open_basedir jail for the server child
// and holds copies of the cert/key; the originals stay OUTSIDE the jail.
// Every case below hands the server a path that must be rejected, either
// because it escapes the jail or because it smuggles an embedded NUL byte.
$allowedDir = __DIR__ . '/gh9310';
@mkdir($allowedDir);
$allowedCert = $allowedDir . '/cert.crt';
$allowedKey = $allowedDir . '/private.key';
$outsideCert = __DIR__ . '/gh9310.crt';
$outsideKey = __DIR__ . '/gh9310.key';

include 'CertificateGenerator.inc';
$generator = new CertificateGenerator();
$generator->saveNewCertAndKey('gh9310', $outsideCert, $outsideKey);

copy($outsideCert, $allowedCert);
copy($outsideKey, $allowedKey);
copy(__DIR__ . '/sni_server_uk_cert.pem', $allowedDir . '/sni_server_uk_cert.pem');

// Server side for the local_cert/local_pk cases. open_basedir is turned on
// inside the child; log_errors is on too, presumably so the rejection reaches
// the output as the "PHP Warning:" lines that --EXPECTF-- matches. The two
// %s placeholders take the cert path and the key path under test.
$serverCodeTemplate = <<<'CODE'
    ini_set('log_errors', 'On');
    ini_set('open_basedir',  __DIR__ . '/gh9310');
    $serverUri = "ssl://127.0.0.1:64321";
    $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
    $serverCtx = stream_context_create(['ssl' => [
        'local_cert' => '%s',
        'local_pk' => '%s',
    ]]);

    $sock = stream_socket_server($serverUri, $errno, $errstr, $serverFlags, $serverCtx);
    phpt_notify();

    $link = stream_socket_accept($sock);
CODE;

// Client side: it only has to trigger the handshake, so peer verification is
// off and the expected connection failure is silenced.
$clientCode = <<<'CODE'
    $serverUri = "ssl://127.0.0.1:64321";
    $clientFlags = STREAM_CLIENT_CONNECT;

    $clientCtx = stream_context_create(['ssl' => [
        'verify_peer' => false,
        'verify_peer_name' => false
    ]]);

    phpt_wait();
    @stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx);
CODE;

// SNI_server_certs, string form: the cert path lies outside the jail.
$sniServerCodeV1 = <<<'CODE'
    ini_set('log_errors', 'On');
    ini_set('open_basedir', __DIR__ . '/gh9310');
    $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
    $ctx = stream_context_create(['ssl' => [
        'SNI_server_certs' => [
            "cs.php.net" => __DIR__ . "/sni_server_cs.pem",
        ]
    ]]);

    $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
    phpt_notify();

    stream_socket_accept($server);
CODE;

// SNI_server_certs, array form: cert inside the jail, private key outside.
$sniServerCodeV2 = <<<'CODE'
    ini_set('log_errors', 'On');
    ini_set('open_basedir', __DIR__ . '/gh9310');
    $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
    $ctx = stream_context_create(['ssl' => [
        'SNI_server_certs' => [
            "uk.php.net" => [
                'local_cert' => __DIR__ . '/gh9310/sni_server_uk_cert.pem',
                'local_pk' => __DIR__ . '/sni_server_uk_key.pem',
            ]
        ]
    ]]);

    $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
    phpt_notify();

    stream_socket_accept($server);
CODE;

// SNI_server_certs, array form: the cert itself lies outside the jail.
$sniServerCodeV3 = <<<'CODE'
    ini_set('log_errors', 'On');
    ini_set('open_basedir', __DIR__ . '/gh9310');
    $flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
    $ctx = stream_context_create(['ssl' => [
        'SNI_server_certs' => [
            "us.php.net" => [
                'local_cert' => __DIR__ . '/sni_server_us_cert.pem',
                'local_pk' => __DIR__ . '/sni_server_us_key.pem',
            ]
        ]
    ]]);

    $server = stream_socket_server('tls://127.0.0.1:64321', $errno, $errstr, $flags, $ctx);
    phpt_notify();

    stream_socket_accept($server);
CODE;

// SNI client: pins the test CA and sets peer_name (the %s), which the client
// also sends as the SNI name, so the server must load the entry under test.
$sniClientCodeTemplate = <<<'CODE'
    $flags = STREAM_CLIENT_CONNECT;
    $ctxArr = [
        'cafile' => __DIR__ . '/sni_server_ca.pem',
    ];

    phpt_wait();

    $ctxArr['peer_name'] = '%s';
    $ctx = stream_context_create(['ssl' => $ctxArr]);
    @stream_socket_client("tls://127.0.0.1:64321", $errno, $errstr, 1, $flags, $ctx);
CODE;

// local_cert / local_pk cases, each as [cert path, key path]:
//  1. NUL byte appended to the cert path -> "must not contain any null bytes"
//  2. NUL byte appended to the key path  -> same check, for local_pk
//  3. both files outside the jail        -> open_basedir warning on the cert
//     (the key is never reached)
//  4. cert inside, key outside           -> open_basedir warning on the key
// The NUL cases matter because C-level file APIs stop at the first NUL byte,
// so a path with an embedded NUL can be checked as one string and opened as
// another unless it is rejected up front.
$localCertCases = [
    [$allowedCert . "\0test", $allowedKey],
    [$allowedCert, $allowedKey . "\0test"],
    [$outsideCert, $outsideKey],
    [$allowedCert, $outsideKey],
];
foreach ($localCertCases as [$certPath, $keyPath]) {
    $serverCode = sprintf($serverCodeTemplate, $certPath, $keyPath);
    ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
}

// SNI cases: peer name sent by the client => server config that must reject
// the out-of-jail path for that name.
$sniCases = [
    'cs.php.net' => $sniServerCodeV1,
    'uk.php.net' => $sniServerCodeV2,
    'us.php.net' => $sniServerCodeV3,
];
foreach ($sniCases as $peerName => $sniServerCode) {
    $sniClientCode = sprintf($sniClientCodeTemplate, $peerName);
    ServerClientTestCase::getInstance()->run($sniClientCode, $sniServerCode);
}

146?>
147--CLEAN--
148<?php
// Artifacts created by --FILE--: the generated test cert/key pair next to this
// test (the .key is a private key, so it must not linger) plus the copies
// placed inside the open_basedir jail. Files go first because rmdir() only
// removes an empty directory.
$jail = __DIR__ . '/gh9310';
$artifacts = [
    __DIR__ . '/gh9310.crt',
    __DIR__ . '/gh9310.key',
    $jail . '/cert.crt',
    $jail . '/private.key',
    $jail . '/sni_server_uk_cert.pem',
];
foreach ($artifacts as $artifact) {
    @unlink($artifact);
}
@rmdir($jail);
157?>
158--EXPECTF--
159PHP Warning:  stream_socket_accept(): Path for local_cert in ssl stream context option must not contain any null bytes in %s
160PHP Warning:  stream_socket_accept(): Unable to get real path of certificate file `%scert.crt' in %s
161PHP Warning:  stream_socket_accept(): Failed to enable crypto in %s
162PHP Warning:  stream_socket_accept(): Accept failed: %s
163PHP Warning:  stream_socket_accept(): Path for local_pk in ssl stream context option must not contain any null bytes in %s
164PHP Warning:  stream_socket_accept(): Unable to get real path of private key file `%sprivate.key' in %s
165PHP Warning:  stream_socket_accept(): Failed to enable crypto in %s
166PHP Warning:  stream_socket_accept(): Accept failed: %s
167PHP Warning:  stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310.crt) is not within the allowed path(s): (%sgh9310) in %s
168PHP Warning:  stream_socket_accept(): Unable to get real path of certificate file `%sgh9310.crt' in %s
169PHP Warning:  stream_socket_accept(): Failed to enable crypto in %s
170PHP Warning:  stream_socket_accept(): Accept failed: %s
171PHP Warning:  stream_socket_accept(): open_basedir restriction in effect. File(%sgh9310.key) is not within the allowed path(s): (%sgh9310) in %s
172PHP Warning:  stream_socket_accept(): Unable to get real path of private key file `%sgh9310.key' in %s
173PHP Warning:  stream_socket_accept(): Failed to enable crypto in %s
174PHP Warning:  stream_socket_accept(): Accept failed: %s
175PHP Warning:  stream_socket_accept(): open_basedir restriction in effect. File(%ssni_server_cs.pem) is not within the allowed path(s): (%sgh9310) in %s
176PHP Warning:  stream_socket_accept(): Failed setting local cert chain file `%ssni_server_cs.pem'; file not found in %s
177PHP Warning:  stream_socket_accept(): Failed to enable crypto in %s
178PHP Warning:  stream_socket_accept(): Accept failed: %s
179PHP Warning:  stream_socket_accept(): open_basedir restriction in effect. File(%ssni_server_uk_key.pem) is not within the allowed path(s): (%sgh9310) in %s
180PHP Warning:  stream_socket_accept(): Failed setting local private key file `%ssni_server_uk_key.pem';  could not open file in %s
181PHP Warning:  stream_socket_accept(): Failed to enable crypto in %s
182PHP Warning:  stream_socket_accept(): Accept failed: %s
183PHP Warning:  stream_socket_accept(): open_basedir restriction in effect. File(%ssni_server_us_cert.pem) is not within the allowed path(s): (%sgh9310) in %s
184PHP Warning:  stream_socket_accept(): Failed setting local cert chain file `%ssni_server_us_cert.pem'; could not open file in %s
185PHP Warning:  stream_socket_accept(): Failed to enable crypto in %s
186PHP Warning:  stream_socket_accept(): Accept failed: %s
187