Improved certificate checking.

2024-11-22 04:33:16 +03:00 · 2020-11-08 13:29:37 -08:00 · 2020-11-08 13:29:37 -08:00 · c8b465e632
commit c8b465e632
parent 7aef3cda0c
3 changed files with 18 additions and 2 deletions
--- a/agents/meshcore.js
+++ b/agents/meshcore.js
@ -776,7 +776,12 @@ function createMeshCore(agent) {
                                    var woptions = http.parseUri(xurl);
                                    woptions.perMessageDeflate = false;
                                    if (typeof data.perMessageDeflate == 'boolean') { woptions.perMessageDeflate = data.perMessageDeflate; }
+
+                                    // Perform manual server TLS certificate checking based on the certificate hash given by the server.
                                    woptions.rejectUnauthorized = 0;
+                                    woptions.checkServerIdentity = function checkServerIdentity(certs) { if ((checkServerIdentity.servertlshash != null) && (checkServerIdentity.servertlshash != certs[0].fingerprint.split(':').join('').toLowerCase())) { throw new Error('BadCert') } }
+                                    woptions.checkServerIdentity.servertlshash = data.servertlshash;
+
                                    //sendConsoleText(JSON.stringify(woptions));
                                    //sendConsoleText('TUNNEL: ' + JSON.stringify(data));
                                    var tunnel = http.request(woptions);
@ -1147,7 +1152,12 @@ function createMeshCore(agent) {
                    data.url = 'http' + getServerTargetUrlEx('*/').substring(2);
                    var agentFileHttpOptions = http.parseUri(data.url);
                    agentFileHttpOptions.path = data.urlpath;
-                    agentFileHttpOptions.rejectUnauthorized = 0; // TODO: Check TLS cert
+
+                    // Perform manual server TLS certificate checking based on the certificate hash given by the server.
+                    agentFileHttpOptions.rejectUnauthorized = 0;
+                    agentFileHttpOptions.checkServerIdentity = function checkServerIdentity(certs) { if ((checkServerIdentity.servertlshash != null) && (checkServerIdentity.servertlshash != certs[0].fingerprint.split(':').join('').toLowerCase())) { throw new Error('BadCert') } }
+                    agentFileHttpOptions.checkServerIdentity.servertlshash = data.servertlshash;
+
                    if (agentFileHttpOptions == null) break;
                    var agentFileHttpRequest = http.request(agentFileHttpOptions,
                        function (response) {
--- a/meshuser.js
+++ b/meshuser.js
@ -1328,6 +1328,10 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                        if (url.query.p == '1') { requiredNonRights = MESHRIGHT_NOTERMINAL; }
                        else if ((url.query.p == '4') || (url.query.p == '5')) { requiredNonRights = MESHRIGHT_NOFILES; }

+                        // Add server TLS cert hash
+                        const tlsCertHash = parent.webCertificateHashs[domain.id];
+                        if (tlsCertHash != null) { command.servertlshash = Buffer.from(tlsCertHash, 'binary').toString('hex'); }
+
                        // Add user consent messages
                        command.soptions = {};
                        if (typeof domain.consentmessages == 'object') {
--- a/webserver.js
+++ b/webserver.js
@ -3223,12 +3223,14 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {

    // Instruct one of more agents to download a URL to a given local drive location.
    function handleUploadFileBatchEx(cmd) {
+        var tlsCertHash = obj.webCertificateHashs[cmd.domain.id];
+        if (tlsCertHash != null) { tlsCertHash = Buffer.from(tlsCertHash, 'binary').toString('hex'); }
        for (var i in cmd.nodeids) {
            obj.GetNodeWithRights(cmd.domain, cmd.user, cmd.nodeids[i], function (node, rights, visible) {
                if ((node == null) || ((rights & 8) == 0) || (visible == false)) return; // We don't have remote control rights to this device
                var agentPath = ((node.agent.id > 0) && (node.agent.id < 5)) ? cmd.windowsPath : cmd.linuxPath;
                for (var f in cmd.files) {
-                    const acmd = { action: 'wget', overwrite: cmd.overwrite, urlpath: '/agentdownload.ashx?c=' + obj.parent.encodeCookie({ a: 'tmpdl', d: cmd.domain.id, nid: node._id, f: cmd.files[f].target }, obj.parent.loginCookieEncryptionKey), path: obj.path.join(agentPath, cmd.files[f].name) };
+                    const acmd = { action: 'wget', overwrite: cmd.overwrite, urlpath: '/agentdownload.ashx?c=' + obj.parent.encodeCookie({ a: 'tmpdl', d: cmd.domain.id, nid: node._id, f: cmd.files[f].target }, obj.parent.loginCookieEncryptionKey), path: obj.path.join(agentPath, cmd.files[f].name), servertlshash: tlsCertHash };
                    var agent = obj.wsagents[node._id];
                    if (agent != null) { try { agent.send(JSON.stringify(acmd)); } catch (ex) { } }
                    // TODO: Add support for peer servers.