Skip to content
  • Leigh B. Stoller's avatar
    Middle part of the event system changes. The main part of this change · 54bc15c4
    Leigh B. Stoller authored
    is to add HMACs to events to ensure they that events cannot be
    injected into an experiment by an unauthorized client.
    * The frontend now generates a secret key for each experiment and
      stores that into a file and in the DB.
    * Each of the event clients, as well as the event producers
      (scheduler, tevc) have a new -k option to specify the name of the
      file. Two new event library functions were added for clients to give
      the key:
        event_register_withkeyfile(char *name, int threaded, char *keyfile);
        event_register_withkeydata(char *name, int threaded,
    	   		       unsigned char *keydata, int keylen);
    * When the library is in possesion of a key, it will generate an HMAC
      and attach it to outgoing notifications. A client receiving a
      notification will compute an HMAC and compare it against the HMAC in
      the notification. If they do not compare, the notification is
      dropped with a warning message printed (the client callback never
      gets the notification). If the client has not provided a key, then
      the HMAC in the incoming notification is ignored.
    * The scheduler also takes a -k option, and will compute HMACs for all
      of the static events ahead of time. That keeps it off the critical
    * The tevc client also takes a -k option. However, tevc will always
      try to find the keyfile (default path) so that it can attach the
      HMAC to dynamic events before sending them to the scheduler (which
      will check to make sure it matches). The scheduler will not accept
      dynamic events without unless the HMAC is present and matches.
    * I have rebuilt the elvin librarys, removing all of the X goop and
      the SSL goop. Smaller binaries. So, I had to add -lcrypto to all of
      the client makefiles to that programs link.
    * The program-agent got a few more changes. The command string is no
      longer passed inside the event; it comes in when the program agent
      is started, via a config file generated from tmcd data. This gets
      rid of our mostly insecure remote execution facility.