go-dots's People

Contributors

dependabot[bot], eurekaeru, hongnguyen-tma, huanphan-tma, lieunguyen-tma, morita-lepidum, mrdeep1, naga-lep, olliv, tamnguyen-tma

go-dots's Issues

server: MySQL auth with root doesn't work and the real error is hidden

username: root
password:

I couldn't auth as root either with or without a password; the following error was printed.

ERRO[2019-03-23 13:07:41] [Lifetime Mngt Thread]: Failed to get all mitigation from DB
ERRO[2019-03-23 13:07:41] [Lifetime Mngt Thread]: Failed to get all Aliases from DB

For some reason alias.go doesn't print the auth error even though there is a log.Printf line, but I was able to get the real error by adding withError to active_acl_alias.go. The error was:

error="Error 1698: Access denied for user 'root'@'localhost'"

I don't think the auth issue with root is critical, as nobody should do that anyway. However, it seems the error logging is somehow broken.

Appending resource parameters by PUT request with alias-name

If the mitigation request contains both alias-name and other parameters identifying the target resources (such as, target-ip, target-prefix, target-port-range, fqdn, or uri) then the DOTS server appends the parameter values in alias-name with the corresponding parameter values in target-ip, target-prefix, target-port-range, fqdn, or uri.

One decode attempt of 9 bytes of bad CBOR data can exhaust memory (UnmarshalCbor in dots_common/messages/message.go)

@lieunguyen-tma go-dots is using a CBOR library that could exhaust memory in 1 decode attempt of 9-10 bytes of malformed data.

Relevant Code

go-dots/dots_common/messages/message.go

import (
	...
	"github.com/ugorji/go/codec"
	...
)
...
func UnmarshalCbor(pdu *libcoap.Pdu, typ reflect.Type) (interface{}, error) {
	...
	m := reflect.New(typ).Interface()
	d := codec.NewDecoderBytes(pdu.Data, dots_common.NewCborHandle())
	err := d.Decode(m)
	...

Error (fatal error: out of memory)

For info about CBOR and security, see Section 8 of RFC 7049 (Security Considerations).

For more comparisons, see fxamacker/cbor.

How to Reproduce Problem

To reproduce the problem, attempt to decode 9-10 bytes of malformed CBOR data described in Section 8 of RFC 7049 using the nttdots/go-dots function:
func UnmarshalCbor(pdu *libcoap.Pdu, typ reflect.Type) (interface{}, error)

Examples of CBOR data that can exhaust memory can be found on GitHub since Sep 2019 (possibly a lot earlier if you look beyond Go projects).

Background

RFC 7049 was published in 2013 with Section 8 warning of malformed CBOR data being used to exhaust system resources.

In Sep 2019, oasislabs/oasis-core discovered tiny malformed CBOR data can exhaust memory and traced the problem to the same CBOR library (ugorji/go) being used by nttdots/go-dots. They fixed the problem by switching to a more secure CBOR library.

In Feb 2020, smartcontractkit/chainlink had a CBOR security issue involving ugorji/go which was fixed by a GitHub PR titled "Switch to more secure CBOR library".

Decoding 9 bytes of bad CBOR data shouldn't exhaust memory.
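The defensive check a practitioner would want in front of any such decoder, written here as an added example (not go-dots code and not the ugorji/go API): it reads only the head of the first CBOR data item, as laid out in RFC 7049 Section 2, and rejects a declared string length or element count that the bytes actually received cannot back, so nothing is pre-allocated from an untrusted length. The function and error names are hypothetical.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Hypothetical pre-decode guard (added example, not go-dots code): reject a
// CBOR head whose declared length the received bytes cannot possibly back,
// so no decoder gets to pre-allocate from an attacker-chosen length.
var (
	errTruncated = errors.New("cbor: truncated head")
	errOversized = errors.New("cbor: declared length exceeds input")
)

func checkCborHead(data []byte) error {
	if len(data) == 0 {
		return errTruncated
	}
	major, ai := data[0]>>5, data[0]&0x1f
	n, width := uint64(0), 0 // argument (length or count) and its width in bytes
	switch {
	case ai < 24:
		n = uint64(ai)
	case ai <= 27: // 1, 2, 4 or 8 byte big-endian argument
		width = 1 << (ai - 24)
		if len(data) < 1+width {
			return errTruncated
		}
		var buf [8]byte
		copy(buf[8-width:], data[1:1+width])
		n = binary.BigEndian.Uint64(buf[:])
	case ai == 31:
		return nil // indefinite length: nothing to pre-allocate up front
	default:
		return errors.New("cbor: reserved additional info")
	}
	remaining := uint64(len(data) - 1 - width)
	switch major {
	case 2, 3, 4: // string payload bytes, or array elements of at least 1 byte each
		if n > remaining {
			return errOversized
		}
	case 5: // map: every key/value pair costs at least two bytes
		if n > remaining/2 {
			return errOversized
		}
	}
	return nil
}
```

A 9-byte array head that claims 2^64-1 elements is rejected with errOversized before any decoder sees it; a well-formed three-element array such as 0x83 0x01 0x02 0x03 passes.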

Add refresh feature of request with the same mitigation-id

For the mitigation request to continue beyond the initial negotiated lifetime, the DOTS client will need to refresh the current mitigation request by sending a new PUT request. The PUT request MUST use the same mitigation-id value, and MUST repeat all the other parameters as sent in the original mitigation request apart from a possible change to the lifetime parameter value.

Support: One mitigation-scope per mitigation-id

"mitigation-id: Identifier for the mitigation request represented using an integer. This identifier MUST be unique for each mitigation request bound to the DOTS client, i.e., the mitigation-id parameter value in the mitigation request needs to be unique relative to the mitigation-id parameter values of active mitigation requests conveyed from the DOTS client to the DOTS server."

This will simplify the code.

Default port number of signal channel

4646 (dedicated) or 5684 (CoAP over DTLS)?

The default port for DOTS signal channel is 5684 (Section 12.7 in [RFC7252] and Section 10.4 in [I-D.ietf-core-coap-tcp-tls])

Conflicts with draft-ietf-dots-signal-channel

DOTS_protocol_specification_cheat_sheet.md refers to a Content-Type option for CoAP while it should be called Content-Format. The content format is specified as application/cbor in the doc as well as in the source code, but draft-ietf-dots-signal-channel specifies application/dots+cbor.

The URI-Path seems to be incorrect, at least in the cheat sheet, as it specifies /.well-known/dots/v1/mitigate while the draft specifies /.well-known/dots/mitigate. The client code seems to be using the proper format, but the server doesn't exactly verify it. By a quick look, it seems the server just checks whether mitigate is present in the URI, which probably isn't wrong as the draft mandates a certain order of options. To me it would sound reasonable to have versioned paths; too bad it's not currently allowed in the draft.

happy eyeballs

Implementation of the Happy Eyeballs mechanism.
The DOTS server and DOTS client of go-dots can listen on both IPv4 and IPv6, but there is no Happy Eyeballs mechanism.
