IETF Logo Mail Archive

Re: [Cbor] Robert Wilton's No Objection on draft-ietf-cbor-file-magic-11: (with COMMENT)

Carsten Bormann <cabo@tzi.org> Fri, 22 April 2022 12:56 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: cbor@ietfa.amsl.com
Delivered-To: cbor@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 796CB3A1049; Fri, 22 Apr 2022 05:56:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QWHC7Wo2sRwD; Fri, 22 Apr 2022 05:56:22 -0700 (PDT)
Received: from gabriel-smtp.zfn.uni-bremen.de (gabriel-smtp.zfn.uni-bremen.de [IPv6:2001:638:708:32::15]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB40B3A0AD9; Fri, 22 Apr 2022 05:56:18 -0700 (PDT)
Received: from [192.168.217.118] (p5089ad4f.dip0.t-ipconnect.de [80.137.173.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4KlDtQ1hkPzDCbq; Fri, 22 Apr 2022 14:56:14 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <BY5PR11MB4196532A7E6B9E0145225FF8B5F79@BY5PR11MB4196.namprd11.prod.outlook.com>
Date: Fri, 22 Apr 2022 14:56:13 +0200
Cc: Christian Amsüss <christian@amsuess.com>, "cbor@ietf.org" <cbor@ietf.org>, "draft-ietf-cbor-file-magic@ietf.org" <draft-ietf-cbor-file-magic@ietf.org>, The IESG <iesg@ietf.org>, "cbor-chairs@ietf.org" <cbor-chairs@ietf.org>
X-Mao-Original-Outgoing-Id: 672324973.7439229-ec4460ba6bcb7db74dcf735d3dc0bfd3
Content-Transfer-Encoding: quoted-printable
Message-Id: <777507FF-4F5A-49A3-83EA-E6FCBFDCCF41@tzi.org>
References: <165055913687.10023.13183316329683102967@ietfa.amsl.com> <1560B380-1BB5-498F-BF33-F57B85478052@tzi.org> <BY5PR11MB4196532A7E6B9E0145225FF8B5F79@BY5PR11MB4196.namprd11.prod.outlook.com>
To: "Rob Wilton (rwilton)" <rwilton=40cisco.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cbor/DqZWdkfj2wUaxCTVDcCG31qYgcs>
Subject: Re: [Cbor] Robert Wilton's No Objection on draft-ietf-cbor-file-magic-11: (with COMMENT)
X-BeenThere: cbor@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Concise Binary Object Representation \(CBOR\)" <cbor.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cbor>, <mailto:cbor-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cbor/>
List-Post: <mailto:cbor@ietf.org>
List-Help: <mailto:cbor-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cbor>, <mailto:cbor-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2022 12:56:26 -0000

Hi Rob,

On 2022-04-22, at 11:14, Rob Wilton (rwilton) <rwilton=40cisco.com@dmarc.ietf.org> wrote:
> 
> Hi Carsten,
> 
> One other thought on this (when I was out running this morning) …

Thank you for spending some of your running cycles on this — this class of cycles is precious (I'm not a running type, so CBOR was almost entirely designed under the shower).

> if C often does use strcpy (or even strncpy), then avoiding the zero byte isn't the only problem, it also has the risk of capturing arbitrary extra bytes which would presumably make the magic number check less reliable?

That is easily avoided by using strncpy(dst, buf, 8).
But that is advice we maybe don’t want to give (see below).

> My instinct here is that we keep the algorithm simple, don't avoid embedded zero bytes, don't zero terminate, and just state that robust implementations should not assume that the magic number is a null terminated string.  

We were assuming that some people would want to *store* it in a null-terminated string (after obtaining that using the strncpy processing above).

> Specifically, I'm assuming that C using strncpy isn't a security issue (because they don't know whether a file contains a magic number at all), just a reliability one, and that implementations will hopefully realize and fix this over time.  But this is just my opinion/suggestion.

I would love to hear more opinions out of the WG here.

My current state of mind is that we maybe fell into an analogon of the Postel Principle trap [1].
By anticipating how people will want to be lazy when implementing this, we may be *too* “conservative in what we send”.

But then, making life easy for implementers is important, and so making the first 8 bytes compatible with being stored in a C string may also be an appropriate accommodation.

Grüße, Carsten

[1]: https://datatracker.ietf.org/doc/draft-iab-protocol-maintenance/

PS.: I wrote

>> This is easy to fix by using
>> 
>> 0x63740000 + (ct / 255 + 1) * 256 + ct % 255 + 1
>> 
>> as the tag number (*).

More readable version (and entirely obvious in this form):

0x63740101 + (ct / 255) * 256 + ct % 255
where the content-format number ct < 255*255.

v2.23.0 | Report a Bug | By Email