From 91704aced9f1fa3530128ee33b298e683cade9b7 Mon Sep 17 00:00:00 2001
From: matyhtf
Date: Fri, 5 Mar 2021 16:35:09 +0800
Subject: [PATCH] Allow ssl client to only set certificate
---
 src/protocol/ssl.cc | 2 +
 tests/swoole_runtime/ssl/local_cert.phpt | 59 +++++++++++++++++++++++
 tests/swoole_runtime/ssl/without_key.phpt | 59 +++++++++++++++++++++++
 3 files changed, 120 insertions(+)
 create mode 100644 tests/swoole_runtime/ssl/local_cert.phpt
 create mode 100644 tests/swoole_runtime/ssl/without_key.phpt
diff --git a/src/protocol/ssl.cc b/src/protocol/ssl.cc
index 18207fb2b58..d4a0e980716 100644
--- a/src/protocol/ssl.cc
+++ b/src/protocol/ssl.cc
@@ -437,6 +437,8 @@ bool SSLContext::create() {
 ERR_reason_error_string(error), error);
 return false;
 }
+ }
+ if (!key_file.empty()) {
 /*
 * set the private key from KeyFile (may be the same as CertFile)
 */
diff --git a/tests/swoole_runtime/ssl/local_cert.phpt b/tests/swoole_runtime/ssl/local_cert.phpt
new file mode 100644
index 00000000000..0c9152a00c7
--- /dev/null
+++ b/tests/swoole_runtime/ssl/local_cert.phpt
@@ -0,0 +1,59 @@
+--TEST--
+swoole_runtime/ssl: client with local_cert/local_pk
+--SKIPIF--
+
+--FILE--
+\n";
+ } else {
+ $ready->push(true);
+ $conn = stream_socket_accept($socket);
+ fwrite($conn, 'The local time is ' . date('n/j/Y g:i a'));
+ fclose($conn);
+ fclose($socket);
+ echo "OK\n";
+ }
+});
+
+go(function () use ($ready) {
+ $ready->pop();
+
+ $context = stream_context_create();
+ stream_context_set_option($context, 'ssl', 'local_cert', SSL_FILE_DIR . '/client.crt');
+ stream_context_set_option($context, 'ssl', 'local_pk', SSL_FILE_DIR . '/client.key');
+
+ $fp = stream_socket_client("ssl://127.0.0.1:8000", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
+ if (!$fp) {
+ echo "$errstr ($errno)
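Review bot: The new `if (!key_file.empty())` branch in SSLContext::create() no longer depends on cert_file, so a context holding only a certificate, or only a key, now passes this function without an error. A peer that is asked for its certificate cannot complete authentication without the matching private key, and if create() is also used for server contexts (not visible in this hunk) the misconfiguration would only surface at handshake time rather than here. I would state the intent above the branch, e.g. `/* key_file is optional: a certificate may be loaded without a key, in which case this context cannot prove possession of it */`, and make sure any key/certificate consistency check further down runs only when both files are set. The body of create() starts and ends outside the hunk.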
\n";
+ } else {
+ $data = fread($fp, 8192);
+ fclose($fp);
+ Assert::assert(strpos($data, 'local time') !== false);
+ echo "OK\n";
+ }
+});
+
+swoole_event_wait();
+?>
+--EXPECT--
+OK
+OK
diff --git a/tests/swoole_runtime/ssl/without_key.phpt b/tests/swoole_runtime/ssl/without_key.phpt
new file mode 100644
index 00000000000..a4a4efad647
--- /dev/null
+++ b/tests/swoole_runtime/ssl/without_key.phpt
@@ -0,0 +1,59 @@
+--TEST--
+swoole_runtime/ssl: client without local_pk
+--SKIPIF--
+
+--FILE--
+\n";
+ } else {
+ $ready->push(true);
+ $conn = stream_socket_accept($socket);
+ fwrite($conn, 'The local time is ' . date('n/j/Y g:i a'));
+ fclose($conn);
+ fclose($socket);
+ echo "OK\n";
+ }
+});
+
+go(function () use ($ready) {
+ $ready->pop();
+
+ $context = stream_context_create();
+ stream_context_set_option($context, 'ssl', 'local_cert', SSL_FILE_DIR . '/client.crt');
+
+ $fp = stream_socket_client("ssl://127.0.0.1:8000", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
+ if (!$fp) {
+ echo "$errstr ($errno)
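Review bot: Nothing visible in the client half of this test shows that the server ever receives or verifies the client certificate, so it would still print `OK` twice if `local_cert`/`local_pk` were silently ignored; the listener setup is not visible on this page, so this is inferred. If the listener does not already do so, have it request a peer certificate through the `verify_peer` and `cafile` ssl context options, so the test fails when the pair is not actually presented. Both new tests also hard-code `ssl://127.0.0.1:8000`, which will collide when tests run in parallel or the port is already taken; tests/swoole_runtime/ssl/without_key.phpt shares both points.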
\n";
+ } else {
+ $data = fread($fp, 8192);
+ fclose($fp);
+ Assert::assert(strpos($data, 'local time') !== false);
+ echo "OK\n";
+ }
+});
+
+swoole_event_wait();
+?>
+--EXPECTF--
+Warning: stream_socket_client(): ssl require key file in %s on line %d
+OK
+OK
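Review bot: The `--EXPECTF--` section pins the warning `ssl require key file` followed by a successful connection, so the message tells the user the key is required while the behaviour treats it as optional. The warning is emitted outside this diff, so here I would at least document the expectation in the test, e.g. `// cert-only client: warning is expected; the connection still succeeds, presumably because the listener does not request a client certificate`. A companion case where the listener does require a client certificate and the keyless client must fail cleanly would pin the security-relevant side of this change.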