Only allow message_bridge to connect with matching config sha256

We've been seeing a ton of crashes because the config doesn't match, and
a node is out of range, or the client is asking for a channel which
doesn't exist.  Honestly, there is no real use case at this point in
time for accepting connections from clients who aren't running the same
code.  We can't read the logs if we were to allow it, and the effort
required to support that is massive.  We'll probably run into send too
fast issues, would run into flatbuffer version problems (maybe), and all
sorts of other problems.  The cost to reward ratio doesn't work.

So, as part of connecting, send the sha256 sum of the config.  The
server will disconnect any clients who don't have a matching config, and
increment a counter in the status message.

Change-Id: I99520713efc644252f2c7cf5dc53720c4fc19974
Signed-off-by: Austin Schuh <austin.schuh@bluerivertech.com>
diff --git a/aos/events/logging/BUILD b/aos/events/logging/BUILD
index d421fae..bfa51fa 100644
--- a/aos/events/logging/BUILD
+++ b/aos/events/logging/BUILD
@@ -146,6 +146,7 @@
         ":buffer_encoder",
         ":logger_fbs",
         ":log_backend",
+        "//aos:sha256",
         "//aos:uuid",
         "//aos:configuration",
         "//aos:flatbuffer_merge",
@@ -158,7 +159,6 @@
         "@com_github_google_flatbuffers//:flatbuffers",
         "@com_github_google_glog//:glog",
         "@com_google_absl//absl/types:span",
-        "@boringssl//:crypto",
     ] + select({
         "//tools:cpu_k8": [
             ":s3_fetcher",
@@ -380,6 +380,7 @@
     deps = [
         ":log_namer",
         "//aos:configuration",
+        "//aos:sha256",
         "//aos/events:event_loop",
         "//aos/events:simulated_event_loop",
         "//aos/network:message_bridge_server_fbs",
@@ -435,6 +436,7 @@
         "//aos:configuration",
         "//aos:init",
         "//aos:json_to_flatbuffer",
+        "//aos:sha256",
         "//aos/events:simulated_event_loop",
         "@com_github_gflags_gflags//:gflags",
         "@com_github_google_glog//:glog",
diff --git a/aos/events/logging/log_cat.cc b/aos/events/logging/log_cat.cc
index b9e940c..b06cf20 100644
--- a/aos/events/logging/log_cat.cc
+++ b/aos/events/logging/log_cat.cc
@@ -13,6 +13,7 @@
 #include "aos/events/simulated_event_loop.h"
 #include "aos/init.h"
 #include "aos/json_to_flatbuffer.h"
+#include "aos/sha256.h"
 #include "gflags/gflags.h"
 
 DEFINE_string(
@@ -131,9 +132,8 @@
                                         .max_vector_size = static_cast<size_t>(
                                             FLAGS_max_vector_size)})
               << std::endl;
-    CHECK_EQ(
-        full_header->configuration_sha256()->string_view(),
-        aos::logger::Sha256(raw_header_reader->raw_log_file_header().span()));
+    CHECK_EQ(full_header->configuration_sha256()->string_view(),
+             aos::Sha256(raw_header_reader->raw_log_file_header().span()));
     full_header = raw_header_reader->log_file_header();
   }
 
diff --git a/aos/events/logging/log_writer.cc b/aos/events/logging/log_writer.cc
index d559311..17c8da2 100644
--- a/aos/events/logging/log_writer.cc
+++ b/aos/events/logging/log_writer.cc
@@ -11,6 +11,7 @@
 #include "aos/network/message_bridge_server_generated.h"
 #include "aos/network/team_number.h"
 #include "aos/network/timestamp_channel.h"
+#include "aos/sha256.h"
 
 namespace aos {
 namespace logger {
diff --git a/aos/events/logging/logfile_sorting.cc b/aos/events/logging/logfile_sorting.cc
index cf53552..f0161c9 100644
--- a/aos/events/logging/logfile_sorting.cc
+++ b/aos/events/logging/logfile_sorting.cc
@@ -11,9 +11,9 @@
 #include "aos/events/logging/logfile_utils.h"
 #include "aos/flatbuffer_merge.h"
 #include "aos/flatbuffers.h"
+#include "aos/sha256.h"
 #include "aos/time/time.h"
 #include "dirent.h"
-#include "openssl/sha.h"
 #include "sys/stat.h"
 
 #if ENABLE_S3
@@ -2196,19 +2196,5 @@
   return stream;
 }
 
-std::string Sha256(const absl::Span<const uint8_t> str) {
-  unsigned char hash[SHA256_DIGEST_LENGTH];
-  SHA256_CTX sha256;
-  SHA256_Init(&sha256);
-  SHA256_Update(&sha256, str.data(), str.size());
-  SHA256_Final(hash, &sha256);
-  std::stringstream ss;
-  for (int i = 0; i < SHA256_DIGEST_LENGTH; i++) {
-    ss << std::hex << std::setw(2) << std::setfill('0')
-       << static_cast<int>(hash[i]);
-  }
-  return ss.str();
-}
-
 }  // namespace logger
 }  // namespace aos
diff --git a/aos/events/logging/logfile_sorting.h b/aos/events/logging/logfile_sorting.h
index 9e99bb2..6f895f1 100644
--- a/aos/events/logging/logfile_sorting.h
+++ b/aos/events/logging/logfile_sorting.h
@@ -153,9 +153,6 @@
 // Recursively searches for logfiles in argv[1] and onward.
 std::vector<std::string> FindLogs(int argc, char **argv);
 
-// Returns the sha256 of a span.
-std::string Sha256(const absl::Span<const uint8_t> str);
-
 }  // namespace logger
 }  // namespace aos
 
diff --git a/aos/events/logging/multinode_logger_test_lib.h b/aos/events/logging/multinode_logger_test_lib.h
index 1f04ef6..7502e4d 100644
--- a/aos/events/logging/multinode_logger_test_lib.h
+++ b/aos/events/logging/multinode_logger_test_lib.h
@@ -59,13 +59,13 @@
 };
 
 constexpr std::string_view kCombinedConfigSha1() {
-  return "c8cd3762e42a4e19b2155f63ccec97d1627a2fbd34d3da3ea6541128ca22b899";
+  return "e630fdd5533159ddad89075f93d9df90ae93a5a5841d6af7e1ec86875792bf27";
 }
 constexpr std::string_view kSplitConfigSha1() {
-  return "0ee6360b3e82a46f3f8b241661934abac53957d494a81ed1938899c220334954";
+  return "7ed547b800f84e5b56825d11d39d3686fb770c2021658c3a9031f2cbf94e82a4";
 }
 constexpr std::string_view kReloggedSplitConfigSha1() {
-  return "cc31e1a644dd7bf65d72247aea3e09b3474753e01921f3b6272f8233f288a16b";
+  return "7b17a3349852133aa56790fce93650b82455bad36ac669a4adebf33419c8ece9";
 }
 
 LoggerState MakeLoggerState(NodeEventLoopFactory *node,
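Review bot: The accessors `kCombinedConfigSha1()`, `kSplitConfigSha1()` and `kReloggedSplitConfigSha1()` return 64-hex-character strings, which is the length of a SHA-256 digest rather than SHA-1, so their names misstate the algorithm. Since the commit message makes the config SHA-256 the value that gates a connection, names such as `kCombinedConfigSha256()` would avoid confusion about which digest is being compared. The callers are outside this hunk and would need the same rename. A one-line comment above the three functions, e.g. `// SHA-256 of the test configs as hex; update whenever the test config changes.`, would also tell the next person why these golden values move, presumably because the config contents changed in this commit.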