is to add HMACs to events to ensure they that events cannot be
injected into an experiment by an unauthorized client.
* The frontend now generates a secret key for each experiment and
stores that into a file and in the DB.
* Each of the event clients, as well as the event producers
(scheduler, tevc) have a new -k option to specify the name of the
file. Two new event library functions were added for clients to give
event_register_withkeyfile(char *name, int threaded, char *keyfile);
event_register_withkeydata(char *name, int threaded,
unsigned char *keydata, int keylen);
* When the library is in possesion of a key, it will generate an HMAC
and attach it to outgoing notifications. A client receiving a
notification will compute an HMAC and compare it against the HMAC in
the notification. If they do not compare, the notification is
dropped with a warning message printed (the client callback never
gets the notification). If the client has not provided a key, then
the HMAC in the incoming notification is ignored.
* The scheduler also takes a -k option, and will compute HMACs for all
of the static events ahead of time. That keeps it off the critical
* The tevc client also takes a -k option. However, tevc will always
try to find the keyfile (default path) so that it can attach the
HMAC to dynamic events before sending them to the scheduler (which
will check to make sure it matches). The scheduler will not accept
dynamic events without unless the HMAC is present and matches.
* I have rebuilt the elvin librarys, removing all of the X goop and
the SSL goop. Smaller binaries. So, I had to add -lcrypto to all of
the client makefiles to that programs link.
* The program-agent got a few more changes. The command string is no
longer passed inside the event; it comes in when the program agent
is started, via a config file generated from tmcd data. This gets
rid of our mostly insecure remote execution facility.