Ylianst/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2024-08-15 19:50:44 +03:00
Code Issues Packages Projects Releases Wiki Activity

Partial work for host-based ACM AMT activation.

Browse Source
This commit is contained in:
Ylian Saint-Hilaire 2021-03-03 23:49:53 -08:00
parent cfb9af8609
commit 423daaf19d
11 changed files with 143 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
agents/meshcmd.js
View File

@ -1174,6 +1174,14 @@ function configureJsonControl(data) {
amtMei.on('error', function (e) { settings.apftunnel.sendMeiDeactivationState(1); });
amtMei.unprovision(1, function (status) { settings.apftunnel.sendMeiDeactivationState(status); }); // 0 = Success
break;
case 'startTlsHostConfig': // Request start of host based TLS ACM activation
var amtMeiModule, amtMei;
try { amtMeiModule = require('amt-mei'); amtMei = new amtMeiModule(); } catch (ex) { settings.apftunnel.sendStartTlsHostConfigResponse({ state: -103 }); break; }
amtMei.on('error', function (e) { settings.apftunnel.sendStartTlsHostConfigResponse({ state: -104 }); });
amtMei.startConfigurationHBased(Buffer.from(data.hash, 'hex'), data.hostVpn, data.dnsSuffixList, function (response) {
settings.apftunnel.sendStartTlsHostConfigResponse(response);
});
break;
case 'close': // Close the CIRA-LMS connection
exit(0);
break;

5
agents/meshcore.js
View File

@ -1197,6 +1197,11 @@ function handleServerCommand(data) {
amtMei.unprovision(1, function (status) { if (apftunnel) apftunnel.sendMeiDeactivationState(status); }); // 0 = Success
}
if (data.action == 'close') { try { apftunnel.disconnect(); } catch (e) { } apftunnel = null; } // Close the CIRA-LMS connection
if (data.action == 'startTlsHostConfig') { // Request start of host based TLS ACM activation
amt.startConfigurationHBased(Buffer.from(data.hash, 'hex'), data.hostVpn, data.dnsSuffixList, function (response) {
apftunnel.sendStartTlsHostConfigResponse(response);
});
}
}
apftunnel.onChannelClosed = function () { addAmtEvent('LMS tunnel closed.'); apftunnel = null; }
try { apftunnel.connect(); } catch (ex) { }

1
agents/modules_meshcmd/amt-apfclient.js
View File

@ -183,6 +183,7 @@ function CreateAPFClient(parent, args) {
obj.updateMeiState = function (state) { SendJsonControl(obj.forwardClient.ws, { action: 'meiState', value: state }); }
obj.sendMeiDeactivationState = function (state) { SendJsonControl(obj.forwardClient.ws, { action: 'deactivate', value: state }); }
obj.sendStartTlsHostConfigResponse = function (state) { SendJsonControl(obj.forwardClient.ws, { action: 'startTlsHostConfig', value: state }); }
function SendJsonControl(socket, o) {
var data = JSON.stringify(o)

23
agents/modules_meshcmd/amt-mei.js
View File

@ -419,8 +419,8 @@ function amt_heci() {
}, this, callback, optional);
}
this.startConfigurationHBased = function startConfigurationHBased(certHash, hostVpn, dnsSuffixList, callback) {
if ((certHash == null) || ((certHash.length != 32) && (certHash.length != 48))) { throw "Bad certHash"; }
this.startConfigurationHBased = function startConfigurationHBased(certHash, hostVpn, dnsSuffixList, func) {
if ((certHash == null) || ((certHash.length != 32) && (certHash.length != 48))) { func({ status: -101 }); }
var optional = [];
for (var i = 4; i < arguments.length; ++i) { optional.push(arguments[i]); }
@ -447,8 +447,23 @@ function amt_heci() {
opt.unshift({ status: header.Status });
}
fn.apply(this, opt);
}, callback, optional);
}, func, optional);
}
}
module.exports = amt_heci;
module.exports = amt_heci;
/*
AMT_STATUS_SUCCESS = 0,
AMT_STATUS_INTERNAL_ERROR = 1,
AMT_STATUS_INVALID_AMT_MODE = 3,
AMT_STATUS_INVALID_MESSAGE_LENGTH = 4,
AMT_STATUS_MAX_LIMIT_REACHED = 23,
AMT_STATUS_INVALID_PARAMETER = 36,
AMT_STATUS_RNG_GENERATION_IN_PROGRESS = 47,
AMT_STATUS_RNG_NOT_READY = 48,
AMT_STATUS_CERTIFICATE_NOT_READY = 49,
AMT_STATUS_INVALID_HANDLE = 2053
AMT_STATUS_NOT_FOUND = 2068,
*/

1
agents/modules_meshcore/amt-apfclient.js
View File

@ -183,6 +183,7 @@ function CreateAPFClient(parent, args) {
obj.updateMeiState = function (state) { SendJsonControl(obj.forwardClient.ws, { action: 'meiState', value: state }); }
obj.sendMeiDeactivationState = function (state) { SendJsonControl(obj.forwardClient.ws, { action: 'deactivate', value: state }); }
obj.sendStartTlsHostConfigResponse = function (state) { SendJsonControl(obj.forwardClient.ws, { action: 'startTlsHostConfig', value: state }); }
function SendJsonControl(socket, o) {
var data = JSON.stringify(o)

6
agents/modules_meshcore/amt-manage.js
View File

@ -157,6 +157,12 @@ function AmtManager(agent, db, isdebug) {
}
}
// Start host based ACM activation with TLS
obj.startConfigurationHBased = function startConfigurationHBased(certHash, hostVpn, dnsSuffixList, func) {
if ((amtMei == null) || (amtMeiState < 2)) { if (func != null) { func({ status: -100 }); } return; }
amtMei.startConfigurationHBased(certHash, hostVpn, dnsSuffixList, func);
}
}
module.exports = AmtManager;

23
agents/modules_meshcore/amt-mei.js
View File

@ -419,8 +419,8 @@ function amt_heci() {
}, this, callback, optional);
}
this.startConfigurationHBased = function startConfigurationHBased(certHash, hostVpn, dnsSuffixList, callback) {
if ((certHash == null) || ((certHash.length != 32) && (certHash.length != 48))) { throw "Bad certHash"; }
this.startConfigurationHBased = function startConfigurationHBased(certHash, hostVpn, dnsSuffixList, func) {
if ((certHash == null) || ((certHash.length != 32) && (certHash.length != 48))) { func({ status: -101 }); }
var optional = [];
for (var i = 4; i < arguments.length; ++i) { optional.push(arguments[i]); }
@ -447,8 +447,23 @@ function amt_heci() {
opt.unshift({ status: header.Status });
}
fn.apply(this, opt);
}, callback, optional);
}, func, optional);
}
}
module.exports = amt_heci;
module.exports = amt_heci;
/*
AMT_STATUS_SUCCESS = 0,
AMT_STATUS_INTERNAL_ERROR = 1,
AMT_STATUS_INVALID_AMT_MODE = 3,
AMT_STATUS_INVALID_MESSAGE_LENGTH = 4,
AMT_STATUS_MAX_LIMIT_REACHED = 23,
AMT_STATUS_INVALID_PARAMETER = 36,
AMT_STATUS_RNG_GENERATION_IN_PROGRESS = 47,
AMT_STATUS_RNG_NOT_READY = 48,
AMT_STATUS_CERTIFICATE_NOT_READY = 49,
AMT_STATUS_INVALID_HANDLE = 2053
AMT_STATUS_NOT_FOUND = 2068,
*/

36
amtmanager.js
View File

@ -246,6 +246,10 @@ module.exports.CreateAmtManager = function (parent) {
delete dev.pendingUpdatedMeiState;
attemptInitialContact(dev);
break;
case 'startTlsHostConfig':
if (dev.acmTlsInfo == null) break;
console.log(jsondata); // TODO: Start TLS activation.
break;
}
}
@ -345,6 +349,9 @@ module.exports.CreateAmtManager = function (parent) {
if (typeof dev.mpsConnection.tag.meiState['ProvisioningState'] == 'number') {
dev.intelamt.state = dev.aquired.state = dev.mpsConnection.tag.meiState['ProvisioningState'];
}
if ((typeof dev.mpsConnection.tag.meiState['Versions'] == 'object') && (typeof dev.mpsConnection.tag.meiState['Versions']['AMT'] == 'string')) {
dev.intelamt.ver = dev.aquired.version = dev.mpsConnection.tag.meiState['Versions']['AMT'];
}
if (typeof dev.mpsConnection.tag.meiState['Flags'] == 'number') {
const flags = dev.intelamt.flags = dev.mpsConnection.tag.meiState['Flags'];
if (flags & 2) { dev.aquired.controlMode = 1; } // CCM
@ -459,6 +466,9 @@ module.exports.CreateAmtManager = function (parent) {
dev.amtstack.BatchEnum(null, ['*AMT_GeneralSettings', '*IPS_HostBasedSetupService'], attemptLocalConnectResponse);
break;
case 3: // Local LAN
// Check if Intel AMT is activated. If not, stop here.
if ((dev.intelamt == null) || ((dev.intelamt.state != null) && (dev.intelamt.state != 2))) { removeAmtDevice(dev); return; }
// Handle the case where the Intel AMT local scanner found the device (connType 3)
parent.debug('amt', dev.name, "Attempt Initial Local Contact", dev.connType, dev.host);
if (typeof dev.host != 'string') { removeAmtDevice(dev); return; } // Local connection not valid
@ -1666,7 +1676,15 @@ module.exports.CreateAmtManager = function (parent) {
deactivateIntelAmtCCM(dev);
} else {
// We are not activated now, go to ACM directly.
activateIntelAmtAcm(dev, mesh.amt.password, acminfo);
// If this is Intel AMT 14 or better, we are going to attempt a host-based end-to-end TLS activation.
if (typeof dev.intelamt.ver == 'string') { var verSplit = dev.intelamt.ver.split('.'); if (verSplit.length >= 3) { dev.aquired.majorver = parseInt(verSplit[0]); dev.aquired.minorver = parseInt(verSplit[1]); } }
if (dev.aquired.majorver >= 14) {
// Perform host-based TLS ACM activation
activateIntelAmtTlsAcm(dev, mesh.amt.password, acminfo);
} else {
// Perform host-based ACM activation
activateIntelAmtAcm(dev, mesh.amt.password, acminfo);
}
}
}
}
@ -1769,6 +1787,22 @@ module.exports.CreateAmtManager = function (parent) {
return null; // Did not find a match
}
// Attempt Intel AMT TLS ACM activation
function activateIntelAmtTlsAcm(dev, password, acminfo) {
// Generate a random Intel AMT password if needed
if ((password == null) || (password == '')) { password = getRandomAmtPassword(); }
dev.temp = { pass: password, acminfo: acminfo };
// Get our ACM activation certificate chain
var acmTlsInfo = parent.certificateOperations.getAcmCertChain(parent.config.domains[dev.domainid], dev.temp.acminfo.fqdn, dev.temp.acminfo.hash);
if (acmTlsInfo.error == 1) { dev.consoleMsg(acmTlsInfo.errorText); removeAmtDevice(dev); return; }
dev.acmTlsInfo = acmTlsInfo;
// Send the MEI command to enable TLS connections
dev.consoleMsg("Performing TLS ACM activation...");
dev.controlMsg({ action: 'startTlsHostConfig', hash: acmTlsInfo.hash, hostVpn: false, dnsSuffixList: null });
}
// Attempt Intel AMT ACM activation
function activateIntelAmtAcm(dev, password, acminfo) {
// Generate a random Intel AMT password if needed

11
amtscanner.js
View File

@ -287,15 +287,18 @@ module.exports.CreateAmtScanner = function (parent) {
obj.changeConnectState = function (tag, minorVersion, majorVersion, provisioningState, openPort, dualPorts, rinfo, user) {
//var provisioningStates = { 0: 'Pre', 1: 'in', 2: 'Post' };
//var provisioningStateStr = provisioningStates[provisioningState];
//console.log('Intel AMT ' + majorVersion + '.' + minorVersion + ', ' + provisioningStateStr + '-Provisioning at ' + rinfo.address + ', Open Ports: [' + openPort + '], tag: ' + tag);
//console.log('Intel AMT ' + majorVersion + '.' + minorVersion + ', ' + provisioningStateStr + '-Provisioning at ' + rinfo.address + ', Open Ports: [' + openPort + '], tag: ' + tag + ', dualPorts: ' + dualPorts);
var scaninfo = obj.scanTableTags[tag];
if (scaninfo != undefined) {
scaninfo.lastpong = Date.now();
if (scaninfo.state == 0) {
scaninfo.state = 1;
scaninfo.nodeinfo.intelamt.tls = (((openPort == 16993) || (dualPorts == true)) ? 1 : 0);
scaninfo.nodeinfo.intelamt.ver = majorVersion + '.' + minorVersion;
scaninfo.nodeinfo.intelamt.state = provisioningState;
if ((openPort == 16993) || (dualPorts == true)) { scaninfo.nodeinfo.intelamt.tls = 1; }
else if (openPort == 16992) { scaninfo.nodeinfo.intelamt.tls = 0; }
if (majorVersion > 0) { // Older versions of Intel AMT report the AMT version.
scaninfo.nodeinfo.intelamt.ver = majorVersion + '.' + minorVersion;
scaninfo.nodeinfo.intelamt.state = provisioningState;
}
obj.parent.SetConnectivityState(scaninfo.nodeinfo.meshid, scaninfo.nodeinfo._id, scaninfo.lastpong, 4, 7); // Report power state as "present" (7).
obj.changeAmtState(scaninfo.nodeinfo._id, scaninfo.nodeinfo.intelamt.ver, provisioningState, scaninfo.nodeinfo.intelamt.tls);
if (obj.parent.amtManager != null) { obj.parent.amtManager.startAmtManagement(scaninfo.nodeinfo._id, 3, scaninfo.nodeinfo.host); }

36
certoperations.js
View File

@ -28,6 +28,42 @@ module.exports.CertificateOperations = function (parent) {
const TopLevelDomainExtendedSupport = { 'net': 2, 'com': 2, 'arpa': 3, 'org': 2, 'gov': 2, 'edu': 2, 'de': 2, 'fr': 3, 'cn': 3, 'nl': 3, 'br': 3, 'mx': 3, 'uk': 3, 'pl': 3, 'tw': 3, 'ca': 3, 'fi': 3, 'be': 3, 'ru': 3, 'se': 3, 'ch': 2, 'dk': 2, 'ar': 3, 'es': 3, 'no': 3, 'at': 3, 'in': 3, 'tr': 3, 'cz': 2, 'ro': 3, 'hu': 3, 'nz': 3, 'pt': 3, 'il': 3, 'gr': 3, 'co': 3, 'ie': 3, 'za': 3, 'th': 3, 'sg': 3, 'hk': 3, 'cl': 2, 'lt': 3, 'id': 3, 'hr': 3, 'ee': 3, 'bg': 3, 'ua': 2 };
// Sign a Intel AMT TLS ACM activation request
obj.getAcmCertChain = function (domain, fqdn, hash) {
if ((domain == null) || (domain.amtacmactivation == null) || (domain.amtacmactivation.certs == null) || (fqdn == null) || (hash == null)) return { action: 'acmactivate', error: 1, errorText: 'Invalid arguments' };
if (parent.common.validateString(fqdn, 4, 256) == false) return { action: 'acmactivate', error: 1, errorText: "Invalid FQDN argument." };
if (parent.common.validateString(hash, 16, 256) == false) return { action: 'acmactivate', error: 1, errorText: "Invalid hash argument." };
// Look for the signing certificate
var signkey = null, certChain = null, hashAlgo = null, certIndex = null;
for (var i in domain.amtacmactivation.certs) {
const certEntry = domain.amtacmactivation.certs[i];
if ((certEntry.sha256 == hash) && ((certEntry.cn == '*') || (certEntry.cn == fqdn))) { hashAlgo = 'sha256'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
if ((certEntry.sha1 == hash) && ((certEntry.cn == '*') || (certEntry.cn == fqdn))) { hashAlgo = 'sha1'; signkey = certEntry.key; certChain = certEntry.certs; certIndex = i; break; }
}
if (signkey == null) return { action: 'acmactivate', error: 2, errorText: "No signing certificate found." }; // Did not find a match.
// If the matching certificate our wildcard root cert, we can use the root to match any FQDN
if (domain.amtacmactivation.certs[certIndex].cn == '*') {
// Create a leaf certificate that matches the FQDN we want
// TODO: This is an expensive operation, work on ways to pre-generate or cache this leaf certificate.
var rootcert = { cert: domain.amtacmactivation.certs[certIndex].rootcert, key: obj.pki.privateKeyFromPem(domain.amtacmactivation.certs[certIndex].key) };
var leafcert = obj.IssueWebServerCertificate(rootcert, false, fqdn, 'mc', 'Intel(R) Client Setup Certificate', { serverAuth: true, '2.16.840.1.113741.1.2.3': true }, false);
// Setup the certificate chain and key
certChain = [obj.pki.certificateToPem(leafcert.cert), obj.pki.certificateToPem(domain.amtacmactivation.certs[certIndex].rootcert)];
signkey = obj.pki.privateKeyToPem(leafcert.key);
} else {
// Make sure the cert chain is in PEM format
var certChain2 = [];
for (var i in certChain) { certChain2.push("-----BEGIN CERTIFICATE-----\r\n" + certChain[i] + "\r\n-----END CERTIFICATE-----\r\n"); }
certChain = certChain2;
}
// Hash the leaf certificate and return the certificate chain and signing key
return { action: 'acmactivate', certs: certChain, signkey: signkey, hash: obj.getCertHash(certChain[0]) };
}
// Sign a Intel AMT ACM activation request
obj.signAcmRequest = function (domain, request, user, pass, ipport, nodeid, meshid, computerName, agentId) {
if ((domain == null) || (domain.amtacmactivation == null) || (domain.amtacmactivation.certs == null) || (request == null) || (request.nonce == null) || (request.realm == null) || (request.fqdn == null) || (request.hash == null)) return { 'action': 'acmactivate', 'error': 1, 'errorText': 'Invalid arguments' };

8
mpsserver.js
View File

@ -913,6 +913,7 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
var jsondata = null, jsondatastr = data.substring(5, 5 + jsondatalen);
try { jsondata = JSON.parse(jsondatastr); } catch (ex) { }
if ((jsondata == null) || (typeof jsondata.action != 'string')) return;
parent.debug('mpscmd', '--> JSON_CONTROL', jsondata.action);
switch (jsondata.action) {
case 'connType':
if ((socket.tag.connType != 0) || (socket.tag.SystemId != null)) return; // Once set, the connection type can't be changed.
@ -930,6 +931,10 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
if (socket.tag.connType != 2) break; // Only accept MEI state on CIRA-LMS connection
if (obj.parent.amtManager != null) { obj.parent.amtManager.mpsControlMessage(socket.tag.nodeid, socket, socket.tag.connType, jsondata); }
break;
case 'startTlsHostConfig':
if (socket.tag.connType != 2) break; // Only accept MEI state on CIRA-LMS connection
if (obj.parent.amtManager != null) { obj.parent.amtManager.mpsControlMessage(socket.tag.nodeid, socket, socket.tag.connType, jsondata); }
break;
}
return 5 + jsondatalen;
}
@ -956,8 +961,7 @@ module.exports.CreateMpsServer = function (parent, db, args, certificates) {
obj.SendJsonControl = function(socket, data) {
if (socket.tag.connType == 0) return; // This command is valid only for connections that are not really CIRA.
parent.debug('mpscmd', '<-- JSON_CONTROL');
if (typeof data == 'object') { data = JSON.stringify(data); }
if (typeof data == 'object') { parent.debug('mpscmd', '<-- JSON_CONTROL', data.action); data = JSON.stringify(data); } else { parent.debug('mpscmd', '<-- JSON_CONTROL'); }
Write(socket, String.fromCharCode(APFProtocol.JSON_CONTROL) + common.IntToStr(data.length) + data);
}