mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2024-11-26 07:57:56 +03:00
Started work on server inner auth support in meshcmd.
This commit is contained in:
Ylian Saint-Hilaire
parent
51bdd97780
commit
e163bff7e3
@ -68,6 +68,7 @@ var FullSite_IntelAmtLocalWebApp = "H4sIAAAAAAAEAMQ5h3ajvNKvwu/9SnI2JICNa7zn4JLu
|
|||||||
// Check the server certificate fingerprint
|
// Check the server certificate fingerprint
|
||||||
function onVerifyServer(clientName, certs) {
|
function onVerifyServer(clientName, certs) {
|
||||||
if (certs == null) { certs = clientName; } // Temporary thing until we fix duktape
|
if (certs == null) { certs = clientName; } // Temporary thing until we fix duktape
|
||||||
|
settings.meshServerTlsHash = certs[certs.length - 1].fingerprint.split(':').join(''); // This is used to delayed server authentication
|
||||||
try { for (var i in certs) { if (certs[i].fingerprint.replace(/:/g, '') == settings.serverhttpshash) { return; } } } catch (e) { }
|
try { for (var i in certs) { if (certs[i].fingerprint.replace(/:/g, '') == settings.serverhttpshash) { return; } } } catch (e) { }
|
||||||
if (settings.serverhttpshash != null) {
|
if (settings.serverhttpshash != null) {
|
||||||
console.log('Error: Failed to verify server certificate.');
|
console.log('Error: Failed to verify server certificate.');
|
||||||
@ -2038,10 +2039,28 @@ function OnServerWebSocket(msg, s, head) {
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
case 'serverAuth': {
|
||||||
|
// Check that the server certificate matches the serverid we have
|
||||||
|
var hasher = require('SHA384Stream').create();
|
||||||
|
var certDer = Buffer.from(command.cert, 'base64');
|
||||||
|
var cert = require('tls').loadCertificate({ der: certDer });
|
||||||
|
if (cert.getKeyHash().toString('hex') != settings.serverid) { console.log("Unable to authenticate the server, invalid server identifier."); process.exit(1); return; }
|
||||||
|
|
||||||
|
// Hash the signed data and verify the server signature
|
||||||
|
var signDataHash = hasher.syncHash(Buffer.concat([Buffer.from(settings.serverAuthClientNonce, 'base64'), Buffer.from(settings.meshServerTlsHash, 'hex'), Buffer.from(command.nonce, 'base64')]));
|
||||||
|
if (require('RSA').verify(require('RSA').TYPES.SHA384, cert, signDataHash, Buffer.from(command.signature, 'base64')) == false) { console.log("Unable to authenticate the server, invalid signature."); process.exit(1); return; }
|
||||||
|
|
||||||
|
console.log('Server is authenticated'); // TODO: Send username/password to server.
|
||||||
|
break;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
s.on('error', function () { console.log("Server connection error."); process.exit(1); return; });
|
s.on('error', function () { console.log("Server connection error."); process.exit(1); return; });
|
||||||
s.on('close', function () { console.log("Server closed the connection."); process.exit(1); return; });
|
s.on('close', function () { console.log("Server closed the connection."); process.exit(1); return; });
|
||||||
|
|
||||||
|
// Perform inner server authentication
|
||||||
|
//settings.serverAuthClientNonce = require('EncryptionStream').GenerateRandom(48).toString('base64');
|
||||||
|
//s.write("{\"action\":\"serverAuth\",\"cnonce\":\"" + settings.serverAuthClientNonce + "\",\"tlshash\":\"" + settings.meshServerTlsHash + "\"}"); // Ask for server authentication
|
||||||
}
|
}
|
||||||
|
|
||||||
function startRouterEx() {
|
function startRouterEx() {
|
||||||
|
|||||||
@ -1344,7 +1344,8 @@ function getSystemInformation(func) {
|
|||||||
} catch (e) { }
|
} catch (e) { }
|
||||||
}
|
}
|
||||||
results.hardware.agentvers = process.versions;
|
results.hardware.agentvers = process.versions;
|
||||||
results.hash = require('SHA384Stream').create().syncHash(JSON.stringify(results)).toString('hex');
|
var hasher = require('SHA384Stream').create();
|
||||||
|
results.hash = hasher.syncHash(JSON.stringify(results)).toString('hex');
|
||||||
func(results);
|
func(results);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -1359,25 +1360,25 @@ function getSystemInformation(func) {
|
|||||||
p.then(function (res)
|
p.then(function (res)
|
||||||
{
|
{
|
||||||
results.volumes = res;
|
results.volumes = res;
|
||||||
results.hash = require('SHA384Stream').create().syncHash(JSON.stringify(results)).toString('hex');
|
results.hash = hasher.syncHash(JSON.stringify(results)).toString('hex');
|
||||||
func(results);
|
func(results);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
else if (require('identifiers').volumes != null)
|
else if (require('identifiers').volumes != null)
|
||||||
{
|
{
|
||||||
results.volumes = require('identifiers').volumes();
|
results.volumes = require('identifiers').volumes();
|
||||||
results.hash = require('SHA384Stream').create().syncHash(JSON.stringify(results)).toString('hex');
|
results.hash = hasher.syncHash(JSON.stringify(results)).toString('hex');
|
||||||
func(results);
|
func(results);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
results.hash = require('SHA384Stream').create().syncHash(JSON.stringify(results)).toString('hex');
|
results.hash = hasher.syncHash(JSON.stringify(results)).toString('hex');
|
||||||
func(results);
|
func(results);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
results.hash = require('SHA384Stream').create().syncHash(JSON.stringify(results)).toString('hex');
|
results.hash = hasher.syncHash(JSON.stringify(results)).toString('hex');
|
||||||
func(results);
|
func(results);
|
||||||
}
|
}
|
||||||
*/
|
*/
|
||||||
|
|||||||
18
meshuser.js
18
meshuser.js
@ -5544,6 +5544,24 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
|||||||
//console.log(command, file);
|
//console.log(command, file);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
case 'serverAuth': { // This command is used to perform server "inner" authentication.
|
||||||
|
if (common.validateString(command.cnonce, 1, 256) == false) break; // Check the client nonce
|
||||||
|
if (common.validateString(command.tlshash, 1, 512) == false) break; // Check the TLS hash
|
||||||
|
|
||||||
|
// Check that the TLS hash is an acceptable one.
|
||||||
|
var h = Buffer.from(command.tlshash, 'hex').toString('binary');
|
||||||
|
if ((parent.webCertificateHashs[domain.id] != h) && (parent.webCertificateFullHashs[domain.id] != h) && (parent.defaultWebCertificateHash != h) && (parent.defaultWebCertificateFullHash != h)) { obj.close(); return; }
|
||||||
|
|
||||||
|
// TLS hash check is a success, sign the request.
|
||||||
|
// Perform the hash signature using the server agent certificate
|
||||||
|
var nonce = parent.crypto.randomBytes(48);
|
||||||
|
var signData = Buffer.from(command.cnonce, 'base64').toString('binary') + h + nonce.toString('binary'); // Client Nonce + TLS Hash + Server Nonce
|
||||||
|
parent.parent.certificateOperations.acceleratorPerformSignature(0, signData, null, function (tag, signature) {
|
||||||
|
// Send back our certificate + nonce + signature
|
||||||
|
ws.send(JSON.stringify({ 'action': 'serverAuth', 'cert': Buffer.from(parent.agentCertificateAsn1, 'binary').toString('base64'), 'nonce': nonce.toString('base64'), 'signature': Buffer.from(signature,'binary').toString('base64') }));
|
||||||
|
});
|
||||||
|
break;
|
||||||
|
}
|
||||||
default: {
|
default: {
|
||||||
// Unknown user action
|
// Unknown user action
|
||||||
console.log('Unknown action from user ' + user.name + ': ' + command.action + '.');
|
console.log('Unknown action from user ' + user.name + ': ' + command.action + '.');
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user