Actually your second option is exactly what is implemented in 2.9p4, with the
md5 implementation from http://en.wikipedia.org/wiki/MD5#Simple_implementation,
see SetupAntiloop in module/owserver/src/c/owserver.c
My concerns about this approach are not linked to the security, but the
robustness of the code. But of course, adding a dependency to a new library
(like libuuid from util-linux) may not be the right answer.
Stefano
On 02 May 2014, at 16:30, Jerry Scharf <sch...@lagunawayconsulting.com> wrote:
> Paul,
>
> If all you are trying to do is loop detection, there are a couple ways I know
> to do it.
>
> The simplest way to do it is a "time to live" field like IP does it. Start it
> at some number (64 in standard for IP, but we would probably want it to be
> lower) and every time you forward it, decrement the TTL. When it hits 0, drop
> it (and possibly send an error back.) The number could be configurable, but
> something like 4 or 8 seems like a reasonable number. This requires no extra
> software and takes just a few lines to implement.
>
> The other way is to take a bunch of information like the IP address, owserver
> pid and a sequence number and run it through a cryptographic hash. The size
> is constant, the odds of duplication are vanishingly small and it discloses
> no information. You don't need anything secure, so 128 bit MD5 is fine and
> there may be even shorter ones. This requires having the crypto hash software
> available, which may be a challenge across the range of systems owserver can
> install.
>
> jerry
>
> On 05/02/2014 04:50 AM, Paul Alfille wrote:
>> Good catch on the bug you patched.
>>
>> I'd love to open a discussion of the UUID feature.
>>
>> Let me state the problem area for background information:
>> 1. owserver can be configured to send requests "upstream" -- to another
>> owserver
>> A. This is done at the command line or via a configuration file
>> B. This cannot be done by a mere user
>> C. There is no limit on the length of the chain of owserver redirections.
>> 2. Any chain of owserver redirections will eventually reach an end unless
>> there is a loop in the sequence.
>> The solution: owserver adds a "unique token" (16 bytes of data) to the
>> end of messages passing upstream, and makes sure incoming messages don't
>> have its unique token.
>>
>> Potential problems:
>> 1. owserver could be altered to not look for the token
>> A. Well, any rogue program or shell script that you allow to be run can be
>> malicious.
>> 2. The tokens could be altered in transit.
>> A. Again, if you don't have control of your network traffic, anyone can
>> inject any amount of traffic
>> 3. The token might be non-unique
>> A. This is a fail-safe in terms of network traffic
>> B. Part of the 1-wire network would be inaccessible.
>>
>> Based on my analysis, the only real risk is non-unique tokens, and given the
>> typically small extent of owserver networks, only modest uniqueness
>> guarantees are needed.
>>
>> I thought of using an existing library (like UUID) but it's a nuisance for
>> users to find and build another package. Especially since we are
>> cross-platform and multiarchitecture. I try to reserve using libraries for
>> complex and essential functions (like USB access).
>>
>> Still, I'm open to the debate.
>>
>> Paul
>>
>> On Thu, May 1, 2014 at 5:46 PM, Stefano Miccoli <mo...@icloud.com> wrote:
>> Thanks for including my suggestions in p4!
>>
>> I found a small bug in the new antiloop code
>> (module/owserver/src/c/owserver.c) please see the attached patch.
>>
>> Stefano
>>
>> PS:
>>
>> in my opinion, instead of the MD5 hash of some process data, a UUID
>> <http://en.wikipedia.org/wiki/Universally_unique_identifier> would be more
>> appropriate for the antiloop feature.
>>
>> On 30 Apr 2014, at 02:35, Paul Alfille <paul.alfi...@gmail.com> wrote:
>>
>>> Release Notes owfs 2.9p4
>>> 4/30/2014
>>>
>>> New features
>>> 1. Switch to git for source management
>>> Still hosted on sourceforge.net
>>> git clone git://git.code.sf.net/p/owfs/code owfs-code
>>> cvs history brought over.
>>> 2. Clean and test DS2409 (Microlan) hubs
>>> Addressing problem found by Ors Tiszay
>>> Works well with passive devices
>>> Problems with powered slaves, but probably not a software issue.
>>> 3. Improved and tested owserver protocol for server-to-server communication
>>> Use md5 hash for unique token
>>> Fixed byte counting issue in write messages
>>> Null-terminated string no longer required in path string
>>> (problem pointed out by Stefano Miccoli)
>>> 4. Added /system/configuration/version
>>> Reports owserver version
>>> Request from Stefano Miccoli
>>>
>>> Fixes
>>> 1. Double initialization of mutex fixed
>>> Show stopper in FreeBSD
>>> Found by Johan Strom
>>>
>>> Owfs-developers mailing list
>>> Owfs-developers@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/owfs-developers
>>
>>
>
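As an added example, not code from owfs or from anyone in this thread: a Python simulation of the loop-detection schemes discussed above (Paul's per-hop 16-byte token, Jerry's TTL backstop and MD5-derived token), including the non-unique-token failure mode Paul lists. The server names, addresses and pids are constructed.

```python
import hashlib

TOKEN_LEN = 16   # owserver appends a 16-byte unique token per upstream hop
DEFAULT_TTL = 8  # hop budget, in the 4..8 range suggested in the thread

def make_token(ip: str, pid: int, seq: int) -> bytes:
    """16-byte token: MD5 over address, pid and sequence number."""
    return hashlib.md5(f"{ip}:{pid}:{seq}".encode()).digest()

class Owserver:
    """Toy owserver: answers locally or forwards to one upstream owserver."""

    def __init__(self, name: str, ip: str, pid: int, upstream=None):
        self.name = name
        self.token = make_token(ip, pid, 0)
        self.upstream = upstream  # may be set later to build a loop

    def handle(self, tokens: bytes = b"", ttl: int = DEFAULT_TTL) -> tuple:
        # Token check: split the trail into 16-byte chunks and look for our own.
        trail = [tokens[i:i + TOKEN_LEN] for i in range(0, len(tokens), TOKEN_LEN)]
        if self.token in trail:
            return ("loop", self.name, len(trail))
        # TTL check: backstop if tokens were stripped or altered in transit.
        if ttl == 0:
            return ("ttl-expired", self.name, len(trail))
        if self.upstream is None:
            return ("answered", self.name, len(trail))
        return self.upstream.handle(tokens + self.token, ttl - 1)

def build(names, loop_back: bool) -> Owserver:
    """Chain servers in order; optionally point the last one back at the first."""
    servers = [Owserver(n, f"10.0.0.{i + 1}", 1000 + i) for i, n in enumerate(names)]
    for a, b in zip(servers, servers[1:]):
        a.upstream = b
    if loop_back:
        servers[-1].upstream = servers[0]
    return servers[0]

def straight_chain():   # A -> B -> C, C answers after two hops
    return build(["A", "B", "C"], loop_back=False).handle()

def looped_chain():     # A -> B -> C -> A, A finds its own token in the trail
    return build(["A", "B", "C"], loop_back=True).handle()

def long_chain():       # 10 hops, no loop: the TTL stops it at the 9th server
    return build([f"S{i}" for i in range(10)], loop_back=False).handle()

def colliding_tokens():
    # Failure mode 3 from Paul's list: C derives the same token as A (same
    # address/pid/seq), so C rejects a legitimate request as a loop.
    c = Owserver("C", "10.0.0.1", 1000)
    a = Owserver("A", "10.0.0.1", 1000, upstream=c)
    return a.handle()
```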