Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

okhttp: properly verify IPv6 address hosts #4292

Merged
merged 5 commits into from
Apr 3, 2018
Merged

okhttp: properly verify IPv6 address hosts #4292

merged 5 commits into from
Apr 3, 2018

Conversation

OnlyInAmerica
Copy link
Contributor

Address mismatch between IPv6 address hosts derived from URIs and X509 subjectAltName extensions as discussed in #4278

@OnlyInAmerica
okhttp: properly verify IPv6 address hosts
13f0d5a 
Address mismatch between IPv6 address hosts derived from URIs and X509 subjectAltName extensions
ericgribkoff
ericgribkoff reviewed Apr 2, 2018
View reviewed changes
Copy link
Contributor

@ericgribkoff ericgribkoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix! A few small comments to address, then we can get this in

okhttp/src/main/java/io/grpc/okhttp/OkHttpTlsUpgrader.java Outdated
*
* @return {@param host} in a form consistent with X509 certificates
*/
static String canonicalizeHost(String host) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be private

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is package-private with @VisibleForTesting (ala TLS_PROTOCOLS) acceptable?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, my mistake - yes, the visibility is fine, but the @VisibleForTesting annotation would be helpful.

okhttp/src/main/java/io/grpc/okhttp/OkHttpTlsUpgrader.java Outdated
* @return {@param host} in a form consistent with X509 certificates
*/
static String canonicalizeHost(String host) {
return host.replaceAll("[\\[\\]]", "");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may be safe as-is, but we should be more conservative here: if the first and last characters are [ and ], strip only those two characters out. Otherwise, just return the string.

This would mean that we can add a test like assertEquals("[someIp]", canonicalizeHost("[[someIp]]"));. This address would, as in #4278, result in OkHostnameVerifier failing to match the host - but that's good, because having two brackets is malformed anyways, and probably indicates a bug somewhere else that we don't want to mask here.

okhttp/src/test/java/io/grpc/okhttp/OkHttpTlsUpgraderTest.java Outdated
assertEquals(canonicalizeHost("0:0:0:0:0:0:13.1.68.3"), "0:0:0:0:0:0:13.1.68.3");
assertEquals(canonicalizeHost("[0:0:0:0:0:0:13.1.68.3]"), "0:0:0:0:0:0:13.1.68.3");
assertEquals(canonicalizeHost("0:0:0:0:0:FFFF:129.144.52.38"), "0:0:0:0:0:FFFF:129.144.52.38");
assertEquals(canonicalizeHost("[0:0:0:0:0:FFFF:129.144.52.38]"), "0:0:0:0:0:FFFF:129.144.52.38");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this fails checkstyle (100 char limit per line)

okhttp/src/test/java/io/grpc/okhttp/OkHttpTlsUpgraderTest.java Outdated

@Test public void upgrade_canonicalizeHost() {
// IPv4
assertEquals(canonicalizeHost("127.0.0.1"), "127.0.0.1");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The argument order for assertEquals is reversed. These should be in the form: assertEquals("ip", canonicalizeHost("ip")). (this results in better output when a test fails, as error message will label the first argument as the expected value and the second argument as the actual value)

okhttp/src/test/java/io/grpc/okhttp/OkHttpTlsUpgraderTest.java Outdated
@@ -32,4 +34,44 @@
|| OkHttpTlsUpgrader.TLS_PROTOCOLS.indexOf(Protocol.GRPC_EXP)
< OkHttpTlsUpgrader.TLS_PROTOCOLS.indexOf(Protocol.HTTP_2));
}

@Test public void upgrade_canonicalizeHost() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests coverage look good to me (with the addition of a case to ensure we don't strip out additional brackets for malformed URIs). Out of curiosity, what methodology went into choosing the test hosts?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will update to ensure we don't strip out additional brackets.

I lifted these from okhttp's HostnameVerifierTest, so I'll add some attribution.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's simplify the tests somewhat here, which will also remove the need for attribution - we actually don't care about all of the edge cases that the linked test case covers, because we don't need to distinguish between IP addresses and hostnames. Probably just the following are enough:

assertEquals("::1", canonicalizeHost("::1"));
assertEquals("::1", canonicalizeHost("[::1]"));
assertEquals("127.0.0.1", canonicalizeHost("127.0.0.1"));
assertEquals("some.long.url.com", canonicalizeHost("some.long.url.com"));

// Extra square brackets in a malformed URI are retained
assertEquals("[::1]", canonicalizeHost("[[::1]]"));

Also, does it make sense to rename the test method to just canonicalizeHost, as this isn't testing any other part of the upgrade logic?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Is canonicalizeHosts ok to avoid clash with the static import of canonicalizeHost?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds good to me

@ericgribkoff ericgribkoff added the kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run label Apr 2, 2018
@ericgribkoff ericgribkoff self-assigned this Apr 2, 2018
@ericgribkoff ericgribkoff added kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run and removed kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run labels Apr 2, 2018
@OnlyInAmerica
Copy link
Contributor Author

fixed whitespace issue to appease travis. One more time from the top 🥁

@ericgribkoff ericgribkoff added the kokoro:force-run Add this label to a PR to tell Kokoro to re-run all tests. Not generally necessary label Apr 3, 2018
@kokoro-team kokoro-team removed kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run kokoro:force-run Add this label to a PR to tell Kokoro to re-run all tests. Not generally necessary labels Apr 3, 2018
@ericgribkoff ericgribkoff merged commit 5b802de into grpc:master Apr 3, 2018
@ericgribkoff
Copy link
Contributor

Thanks!

@ericgribkoff ericgribkoff mentioned this pull request Apr 3, 2018
Closed
@lock lock bot locked as resolved and limited conversation to collaborators Jan 18, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@ericgribkoff ericgribkoff ericgribkoff approved these changes

Assignees

@ericgribkoff ericgribkoff

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@OnlyInAmerica @ericgribkoff @kokoro-team