This turned out to be a simple typo of two similar variables. fdbserver
will still die as a result of this error, but it will die gracefully and
print out a slightly helpful error message.
The previous change was done in the optimistic hope that NID_subject_alt_name
could be handled in the same fashion as all the rest of the attributes we match
against. However, X509 is not a place for optimisim. Instead, it turns out
that the Subject Alternative Name is an X509v3 extension, and needs to be
handled separately.
Therefore, this change...
* Introduces the idea of Criteria matching against a location in the
certificate, and not just against the entirety of the certificate.
* Extracts the Subject Alternative Name extension, and allows iteration and
matching against its components.
* Extends our constraint language to sensibly match against SubjectAlternativeNames.
The `S.subjectAltName` syntax has been kept, but the value is now required to
provide what type of field the rest of the value is intended to match against.
The code currently supports DNS, EMAIL, URI, and IP. Prefix and suffix
matching is supported.
Both verify-test and plugin-test were updated to cover Subject Alternative Name
matching. I've additionally run plugin-test under valgrind to verify that I've
understood object lifetimes correctly.
This extends our language for specifying verification rules from, e.g.
S.O=XYZCorp
to also include two more operators
S.O>=XYZ # Prefix
S.O<=Corp # Suffix
both of which would match against an Organization of XYZCorp (among others).
The TLS code understands three different things it can verify: the subject, the
issuer, and the root. The existing code assumes that any attribute we can
verify against one of these is also verifyable against the others.
For Subject Alternative Name, this might not be true. There exists both
Subject Alternative Name and Issuer Alternative Name. This code change allows
one to write "I.subjectAltName=Foo", and we'll verifiy a Subject Alt Name
against the Issuer, which wouldn't be right. Issuer Alternative Name isn't a
requested feature (yet?), so I'm punting on this problem.
This includes...
* A minimal vcxproj file to list all the source files required for the build.
Some future Visual Studio user can come along and replace it with a real
actual vcxproj file with all the other metadata that I didn't bother to copy.
* A local.mk file to specify all the custom flags and libraries we need for
the build/link of the TLS plugin.
* Including the project in the list of all FDB sub-projects
* Fixes `make clean` to wipe all of lib/, including libFDBLibTLS.so
And offers a target of `bin/FDBLibTLS.so` that can be built, and I have
verified that it works with simulation.
Note that this requires a build image that contains the previous Dockerfile changes.
For some reason, on some platforms it ends up as a local symbol, even though we
point the linker at the symbol map to expose it. Double-requesting its
exportation makes it appear, though there's possibly a better solution.
Evan Tschannen