ssl: support wildcard matching for verify_subject_alt_name

[crazytan]

As discussed in #1272 , I made changes so that an optional character * is allowed at the end of string in verify_subject_alt_name option. For example, spiffe://foo.com/* will match all names starting with spiffe://foo.com/. The wildcard is only allowed in the end of path, not host.

[mattklein123]

Beyond doc/format failures, small perf comments. @myidpt could you take a quick look?

[mattklein123]

perf nit: If you are going to call strlen() you might as well just walk both strings at the same time char by char. Also, probably don't need to do the direct compare first and then do this (could just do direct compare in same code path probably) but that's not as big of a deal to me.

[crazytan]

agree that the code is not very efficient. Will rewrite so that it only takes one walk through both strings.

[mattklein123]

I don't think you can always safely dereference *(p - 1). Please add test for this while fixing.

[PiotrSikora]

This whole function is low-level C instead of C++11.

Please consider using std::string::back() and std::string::compare(0, uriPattern.length() - 1, uri)

[mattklein123]

Yes that would be much better. :)

[crazytan]

I'm confused but std::string::compare is what I was using. So should I use pointer walk through or string::compare?

[PiotrSikora]

You should use std::string::back() - O(1), std::string::length() - O(1) and std::string::compare() - O(n).

Previously, you were using strlen() - O(n) and std::string::compare() - O(n), i.e. walking the same string twice, which resulted in suboptimal performance, although the difference is probably negligible.

[crazytan]

got it. Since my original strlen() was unnecessary, I'll change back to string::compare() to match c++11 style so that future change will be easier.

[mattklein123]

@crazytan looks like you fixed the bug. Anyway, this impl is OK with me, but also happy to have it redone the way @PiotrSikora mentioned. I will let the two of you sort it out.

[mattklein123]

I think you will need to use strncmp() here since IIRC compare will go off end of string. (See ASAN failure).

[PiotrSikora]

That's because the wrong method is used here. It should be:

uriPattern.compare(0, pattern_len - 1, uri)

for NULL-terminated string, instead of:

uriPattern.compare(0, pattern_len - 1, uri, pattern_len - 1)

which specifies length of the uri string.

[crazytan]

the problem here is, if uriPattern="foo.bar/*" and uri="foo.bar/baz", uriPattern.compare(0, pattern_len - 1, uri) would give negative result -3. And this cannot be distinguished from the case as uriPattern="foo.aar" and uri="foo.bar", for which compare gives result -1. So I'll have to use strncmp() or pointer walk but again it's not C++11 style.

[crazytan]

from doc:

value <0: Either the value of the first character that does not match is lower in the compared string, or all compared characters match but the compared string is shorter.

[PiotrSikora]

Sigh, indeed. What a terrible API.

[crazytan]

I'll use strncmp() then.

[PiotrSikora]

I'm not sure if this should pass (logically, not according to the code).

[crazytan]

why not? ;) the first case fall back to uriPattern == uri. For the rest two uri is compared as a buffer and the prefixes all agree.

[PiotrSikora]

I only meant the last one, i.e. spiffe://lyft.com/ matches spiffe://lyft.com/*, which doesn't feel right.

[crazytan]

I see... I'll make this a false case

[PiotrSikora]

Could you also add test for:

EXPECT_TRUE(ContextImpl::uriMatch("spiffe://lyft.com/*", "spiffe://lyft.com/foo/bar"));

[crazytan]

will add

[PiotrSikora]

Perhaps

if (pattern_len > 1 && uriPattern.substr(pattern_len - 2) == '/*') {

would be more readable?

[crazytan]

agree

[PiotrSikora]

s/in the end/at the end/.

[PiotrSikora]

s/in the end/at the end/.

[PiotrSikora]

Please remove space and perhaps replace this with the same example as in docs (i.e. foo.com/*).

[crazytan]

I tried foo.com/* but compiler gave me this weird error:

error: "/*" within comment [-Werror=comment]

[PiotrSikora]

Just remove the example, then.

[mattklein123]

Small nit. LGTM pending @PiotrSikora +1

[mattklein123]

nit: const size_t

[myidpt]

Could you make it clear that this wildcard support is only for URI type SAN. And also for DNS type SAN, there's a wildcard support for "*.foo.com" style?

[myidpt]

nit: Maybe move this function after dNSNameMatch, to be consistent with the order in the .h file.

[PiotrSikora]

It just occurred to me that there is ASN1_STRING_length(), which is O(1), so this could be changed to:

std::string crt_san(reinterpret_cast<char *>(ASN1_STRING_data(str)), ASN1_STRING_length(str));

and then we could compare strings only if crt_san.length() >= uriPattern.length() and use std::string::compare() again.

Sorry for not catching this yesterday!

[crazytan]

I'll fix this along with the problem mentioned below.

[crazytan]

a side question though, if we use string (const char* s, size_t n) then isn't it also O(n)? Since the constructor always copies the characters

[mattklein123]

Yes, that is correct. Optimally, You would just pass char* and length to the function, then still use strncmp (or compare if you can). At this point though let's just get something working that everyone agrees with. :)

[crazytan]

cool, I'll stick to the current way then

[PiotrSikora]

...it is. Feel free to ignore this.

Alternatively, you could use ASN1_STRING_length() and pass size_t to do the crt_san_len >= uriPattern.length() check and use std::string::compare().

[crazytan]

right. I'll pass size_t since it also makes DNS match easier.

[myidpt]

Sorry to bring this up ... I feel like how this function is called (line 203 in context_impl.cc) is not right. It should be:
dNSNameMatch(dns_name, config_san)
config_san should be the pattern, not dns_name from the cert.

It makes sense to me that we support wildcard in config, not in certificates. Unfortunately I didn't notice this when I modified this function. This was unnoticed because we don't have integration tests, nor did we tell users this wildcard is supported.
@mattklein123 Could you confirm?

[mattklein123]

@myidpt yes that make sense to me. Can we fix?

[crazytan]

@myidpt @mattklein123 I can fix this and update the doc. So the SAN field, whether it's URI or DNS, should never contain a wildcard; and we allow configs to optionally use wildcard to match multiple SAN values.

[myidpt]

Thank you very much. Please also make sure the function signature (parameter naming&order) aligns with the uriMatch function :)

[PiotrSikora]

You probably want to save this to a local variable before the for loop.

[crazytan]

why?

[PiotrSikora]

To avoid extra calls to ASN1_STRING_length() (since I don't think it will get inlined) and dereference of str.

[PiotrSikora]

Same here.

[PiotrSikora]

I'd prefer if you add new test cases, so that we have both exact match and wildcard covered.

[crazytan]

I think unit tests already cover both cases. The purpose of integration tests should just be making sure that the overall flow works?

[PiotrSikora]

I disagree, especially when most of the verification and SAN extraction is actually happening in 3rd-party library, which isn't involved at all in those unit tests.

[mattklein123]

FWIW, I disagree also. Please keep the existing test and add a new one. Changing this code almost always breaks something / someone so the more coverage we have the better. (Hence why we are now at like 60 comments on a tiny PR).

[mattklein123]

@crazytan friendly ping to make the requested changes so that we can close this out. Thank you.

[mattklein123]

Closing this for now. Please reopen when ready to finish.