Yes, I chose the second approach (hash of some relatively unique data) just
to avoid arbitrary limits, even if they are unlikely to be exceeded in
actual use. That's a general design objective throughout owfs.

I'm amused that you designed just about the same scheme, including the
hash, that is actually implemented. Part of the unique information is the
command line arguments, but Stefano found I botched the looping.


On Fri, May 2, 2014 at 11:00 AM, Stefano Miccoli <mo...@icloud.com> wrote:

> Actually your second option is exactly what is implemented in 2.9p4, with
> the md5 implementation from
> http://en.wikipedia.org/wiki/MD5#Simple_implementation, see SetupAntiloop
> in module/owserver/src/c/owserver.c
>
> My concerns about this approach are not linked to the security, but the
> robustness of the code. But of course, adding a dependency to a new library
> (like libuuid from util-linux) may not be the right answer.
>
> Stefano
>
> On 02 May 2014, at 16:30, Jerry Scharf <sch...@lagunawayconsulting.com>
> wrote:
>
>  Paul,
>
> If all you are trying to do is loop detection, there are a couple ways I
> know to do it.
>
> The simplest way to do it is a "time to live" field like IP does it. Start
> it at some number (64 is standard for IP, but we would probably want it to
> be lower) and every time you forward it, decrement the TTL. When it hits 0,
> drop it (and possibly send an error back.) The number could be
> configurable, but something like 4 or 8 seems like a reasonable number.
> This requires no extra software and takes just a few lines to implement.
>
> The other way is to take a bunch of information like the IP address,
> owserver pid and a sequence number and run it through a cryptographic hash.
> The size is constant, the odds of duplication are vanishingly small and it
> discloses no information. You don't need anything secure, so 128 bit MD5 is
> fine and there may be even shorter ones. This requires having the crypto
> hash software available, which may be a challenge across the range of
> systems owserver can install.
>
> jerry
>
> On 05/02/2014 04:50 AM, Paul Alfille wrote:
>
> Good catch on the bug you patched.
>
>  I'd love to open a discussion of the UUID feature.
>
>  Let me state the problem area for background information:
> 1. owserver can be configured to send requests "upstream" -- to another
> owserver
>    A. This is done at the command line or via a configuration file
>    B. This cannot be done by a mere user
>    C. There is no limit on the length of the chain of owserver redirections.
> 2. Any chain of owserver redirections will eventually reach an end unless
> there is a loop in the sequence.
>    The solution: owserver adds a "unique token" (16 bytes of data) to the
> end of messages passing upstream, and makes sure incoming messages don't
> have its unique token.
>
>  Potential problems:
> 1. owserver could be altered to not look for the token
>   A. Well, any rogue program or shell script that you allow to be run can
> be malicious.
>  2. The tokens could be altered in transit.
>     A. Again, if you don't have control of your network traffic, anyone
> can inject any amount of traffic
> 3. The token might be non-unique
>   A. This is a fail safe in terms of network traffic
>   B. Part of the 1-wire network would be inaccessible.
>
>  Based on my analysis, the only real risk is non-unique tokens, and given
> the typically small extent of owserver networks, only modest uniqueness
> guarantees are needed.
>
>  I thought of using an existing library (like UUID) but it's a nuisance
> for users to find and build another package. Especially since we are
> cross-platform and multiarchitecture. I try to reserve using libraries for
> complex and essential functions (like USB access).
>
>  Still, I'm open to the debate.
>
>  Paul
>
>
>
>
>
> On Thu, May 1, 2014 at 5:46 PM, Stefano Miccoli <mo...@icloud.com> wrote:
>
>> Thanks for including my suggestions in p4!
>>
>>  I found a small bug in the new antiloop code
>> (module/owserver/src/c/owserver.c) please see the attached patch.
>>
>>  Stefano
>>
>>
>>
>>
>>  PS:
>>
>>  in my opinion, instead of the MD5 hash of some process data, a UUID
>> <http://en.wikipedia.org/wiki/Universally_unique_identifier> would be
>> more appropriate for the antiloop feature.
>>
>>  On 30 Apr 2014, at 02:35, Paul Alfille <paul.alfi...@gmail.com> wrote:
>>
>>   Release Notes owfs 2.9p4
>> 4/30/2014
>>
>>  New features
>> 1. Switch to git for source management
>>  Still hosted on sourceforge.net
>>  git clone git://git.code.sf.net/p/owfs/code owfs-code
>>  cvs history brought over.
>> 2. Clean and test DS2409 (Microlan) hubs
>>  Addressing problem found by Ors Tiszay
>>  Works well with passive devices
>>  Problems with powered slaves, but probably not a software issue.
>> 3. Improved and tested owserver protocol for server-to-server
>> communication
>>  Use md5 hash for unique token
>>  Fixed byte counting issue in write messages
>>  Null-terminated string no longer required in path string
>>  (problem pointed out by Stefano Miccoli)
>> 4. Added /system/configuration/version
>>  Reports owserver version
>>  Request from Stefano Miccoli
>>
>>  Fixes
>> 1. Double initialization of mutex fixed
>>  Show stopper in FreeBSD
>>  Found by Johan Strom
>>
>>
>> ------------------------------------------------------------------------------
>> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
>> Instantly run your Selenium tests across 300+ browser/OS combos.  Get
>> unparalleled scalability from the best Selenium testing platform
>> available.
>> Simple to use. Nothing to install. Get started now for free."
>>
>> http://p.sf.net/sfu/SauceLabs
>> _______________________________________________
>> Owfs-developers mailing list
>> Owfs-developers@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/owfs-developers
>
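
Added example, not part of the original thread and not owserver's own code: a Python model of the token scheme discussed above (a hash of per-process data, appended to messages going upstream and checked on arrival), including the non-unique-token case from the "Potential problems" list. The hashed fields, the function names and the sample servers are assumptions; the project's logic is SetupAntiloop in owserver.c.

```python
from __future__ import annotations
import hashlib

TOKEN_LEN = 16  # size of the "unique token" in the thread; also the MD5 digest size


def make_token(host: str, pid: int, argv: list[str]) -> bytes:
    """Hash per-process data into a fixed-size token (choice of inputs is assumed)."""
    h = hashlib.md5()  # uniqueness only; nothing here depends on MD5 being secure
    for field in (host, str(pid), *argv):
        data = field.encode()
        # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def forward(own: bytes, trailer: bytes) -> bytes | None:
    """Check an incoming trailer for our token; return the trailer to send upstream,
    or None when the token is already present (the message has looped)."""
    if len(trailer) % TOKEN_LEN:
        raise ValueError("trailer is not a whole number of tokens")
    seen = {trailer[i:i + TOKEN_LEN] for i in range(0, len(trailer), TOKEN_LEN)}
    return None if own in seen else trailer + own


def route(start: str, upstream: dict[str, str], tokens: dict[str, bytes]):
    """Follow a request along the upstream chain; return (path, dropped_as_loop)."""
    path, trailer, node = [], b"", start
    while True:
        path.append(node)
        out = forward(tokens[node], trailer)
        if out is None:
            return path, True       # own token seen: drop instead of forwarding
        if node not in upstream:
            return path, False      # end of chain: answered locally
        trailer, node = out, upstream[node]


# Constructed sample servers (documentation addresses, made-up pids and arguments).
TOKENS = {
    "a": make_token("192.0.2.1", 4101, ["owserver", "-s", "192.0.2.2:4304"]),
    "b": make_token("192.0.2.2", 4102, ["owserver", "-s", "192.0.2.3:4304"]),
    "c": make_token("192.0.2.3", 4103, ["owserver", "-u"]),
}
```

The trailer grows by 16 bytes per hop, so the chain length has no built-in limit. If two servers in a chain share a token, the request is dropped at the second one, which is the fail-safe but partly inaccessible outcome described in the thread.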