Back in 2008, I had a revelation when it dawned on me that the POSIX function called strcasecmp()
compares strings case insensitively, but locale dependent. Because of this, “file
” and “FILE
” is not actually a case insensitive match in Turkish but is a match in most other locales. curl would sometimes fail in mysterious ways due to this. Mysterious to the users, now we know why.
Of course this behavior was no secret. The knowledge about this problem was widespread already then. It was just me who hadn’t realized this yet.
A custom replacement
To work around that problem for curl, we immediately implemented our own custom comparison replacement function that doesn’t care about locales. Internet protocols work the same way no matter which locale the user happens to prefer.
We did not go the POSIX route. The POSIX function for case insensitive string comparisons that ignores the locale is called strcasecmp_l()
but that uses a special locale argument and also doesn’t exist on non-POSIX platforms.
curl has used its custom set of functions since 7.19.1, released in early November 2008.
OpenSSL 3.0.3
Fast forward to May 2022. OpenSSL released their version 3.0.3. In the change-log for this release we learned that they now offer public functions for case insensitive string comparisons. Whatdoyouknow! They too have learned about the Turkish locale. Apparently to the degree that they feel they need to offer those functions in their already super-huge API set. Oh well, that is certainly their choice.
I can relate since we too have such functions in libcurl, but I have always regretted that we added them to the API since comparing strings is not libcurl’s core business. We did wrong then and we still live with the consequences several decades later.
OpenSSL however took the POSIX route and based their implementation on strcasecmp_l()
and use a global variable for the locale and an elaborate system to initialize that global and even a way to make things work if string comparisons are needed before that global variable is initialized etc.
This new system was complicated to the degree that it broke the library on several platforms, which curl users running Windows 7 figured out almost instantly. curl with OpenSSL 3.0.3 simply does not work on Windows 7 – at all.
Reasons for not exposing a string compare API
Libraries should only provide functions that are within their core objective. Not fluffy might be useful things. Reasons for this include:
- It adds to the complexity to users. Yet another function in the ever expanding set of function calls in the API.
- It increases the documentation size even more and makes the real things harder to find somewhere in there.
- It adds “attack surface” and areas where you can make errors and introduce security problems.
- You get more work since now you have additional functions to keep ABI and API stable for all eternity and you have to spend developer time and effort on making sure they remain so.
Do a custom one for OpenSSL?
I think there is a software law that goes something like this
eventually, all C libraries implement their own case insensitive string comparison functions
When I proposed they should implement their own custom function in discussions in one of the issues about this OpenSSL problem, the suggestion was shot down fairly quickly because of how hard it is to implement a such function that is as fast as the glibc version.
In my ears, that sounds like they prefer to stick with an overworked and complicated error-prone system, because an underlying function is faster, rather than going with simplicity and functionality at the price of sightly slower performance. In fairness, they say that case insensitive string comparisons are “6-7%” of the time spent in some (to me unknown) performance test they referred to. I have no way or intention to argue with that.
I think maybe they couldn’t really handle that idea from an outsider and they might just need a little more time to figure out the right way forward on their own. Then go with simple.
I am of course not in the best position to say how they should act on this. I’m just a spectator here. I may be completely wrong.
Update (May 23)
In a separate PR (4 days after this blog post went live), OpenSSL suddenly implemented their own and it was deemed that it would not hurt performance noticeably. Merged on May 23. Almost like they followed my recommendation!
OpenSSL’s current tolower() implementation used in the comparison function is similar to curl’s old one so I suspect curl’s current function is a tad bit faster.
Custom vs glibc performance
glibc truly has really fast string comparison implementations, with optimized assembly versions for the common architectures. Versions written in plain C tend to be slower.
However, the API and way to use those functions to make them locale independent is horrific because of the way it forces the caller to provide a locale argument (which could be the “C” locale – the equivalent of no locale).
The curl custom function
That talk about the slowness of custom string functions made us start discussing this topic a little in the curl IRC channel and we bounced around some ideas of what things the curl function does not already do and what it could do and how it compares against the glibc assembly version.
Also: the string comparisons in curl are certainly not that performance critical as they seem to be in OpenSSL and while used a lot in curl they are not used in the most important performance critical transfer-data code paths.
Optimizations
Frank Gevaerts took the lead and after some rounds and discussions backed up with tests, he ended up with an updated function that is 1.6 to 1.7 times faster than before his work. We dropped non-ASCII support in curl a while ago, which also made this task more straight-forward.
The two improvements:
- Use a lookup table for our own
toupper()
implementation instead of the previous simple condition + math. - Better end of loop handling: return immediately on mismatch, and a minor touch-up of the final check when the loop goes all the way to the end.
Measurements
The glibc assembler versions are still faster than curl’s custom functions and the exact speed improvements the above mentioned changes provide will of course depend both on platform and the test set.
Ships in 7.84.0
The faster libcurl functions will ship in curl 7.84.0. I doubt anyone will notice the difference!
For what it’s worth, OpenSSL did implement a dedicated string comparison function (openssl/openssl#18344), and it didn’t give them a significant performance cost in the end. It just took a while to arrive at this point.
@Ivan: yeps I noticed. I mean to do an update of this post saying this once they have merged that PR.
“Better end of loop handling: return immediately on mismatch,…”
Is it safe to return immediately on mismatch? No timing attacks?
Probably safe, just in case… 🙂
The entire thing was already pretty much timeable. That return used to be a break, but there was a bit of extra overhead after it.
This isn’t for crypto code.