From 0e69492ba56b44e4200ece62baa3097aa6cd2a34 Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Fri, 12 Mar 2021 13:44:42 -0800 Subject: [PATCH] Fixed terminal issue. --- MeshCentralServer.njsproj | 2 +- amthelloserver.js => amtprovisioningserver.js | 2 +- certoperations.js | 107 ++++++++++++++++++ meshcentral.js | 4 +- meshuser.js | 11 +- public/scripts/agent-redir-ws-0.1.1.js | 6 +- views/default.handlebars | 5 +- webserver.js | 1 + 8 files changed, 127 insertions(+), 11 deletions(-) rename amthelloserver.js => amtprovisioningserver.js (99%) diff --git a/MeshCentralServer.njsproj b/MeshCentralServer.njsproj index b904f8cf..81ac6309 100644 --- a/MeshCentralServer.njsproj +++ b/MeshCentralServer.njsproj @@ -98,7 +98,7 @@ - + diff --git a/amthelloserver.js b/amtprovisioningserver.js similarity index 99% rename from amthelloserver.js rename to amtprovisioningserver.js index b6771273..65a48450 100644 --- a/amthelloserver.js +++ b/amtprovisioningserver.js @@ -17,7 +17,7 @@ // Construct the Intel AMT hello server. This is used for Intel AMT bare-metal activation on the local LAN. // This server can receive a notification from Intel AMT and attempt activation. // In Intel documentation, this is called the Setup and Configuration Application (SCA) -module.exports.CreateAmtHelloServer = function (parent, config) { +module.exports.CreateAmtProvisioningServer = function (parent, config) { var obj = {}; // WSMAN stack diff --git a/certoperations.js b/certoperations.js index e27fae89..33e380e8 100644 --- a/certoperations.js +++ b/certoperations.js @@ -355,6 +355,113 @@ module.exports.CertificateOperations = function (parent) { return AmtSetupBinStack.AmtSetupBinEncode(setupbin); } + + // Get a bare metal setup.bin file + obj.GetBareMetalSetupBinFile = function (amtacmactivation, oldmebxpass, newmebxpass, domain, user) { + // Create a setup.bin file for our own root cert + // Get the wiadcard certificate hash + var wildcardCertSha256 = null; + for (var i = 0; i < amtacmactivation.acmmatch.length; i++) { if (amtacmactivation.acmmatch[i].cn == '*') { wildcardCertSha256 = amtacmactivation.acmmatch[i].sha256; } } + + // Create the Setup.bin stack + const AmtSetupBinStack = require('./amt/amt-setupbin')(); + var setupbin = AmtSetupBinStack.AmtSetupBinCreate(3, 1); // Version 3, 1 = Records will not be consumed. + var certRootName = 'MeshCentral'; + + // Figure out what trusted FQDN to use. + var trustedFQDN = parent.config.settings.amtprovisioningserver.trustedfqdn + + // Figure out the provisioning server port + var port = 9971; + if (typeof parent.config.settings.amtprovisioningserver.port == 'number') { port = parent.config.settings.amtprovisioningserver.port; } + + // Figure out the provisioning server IP address + var ipaddr = '192.168.2.147'; // TODO + if (typeof parent.config.settings.amtprovisioningserver.ip == 'string') { ipaddr = parent.config.settings.amtprovisioningserver.ip; } + var ipaddrSplit = ipaddr.split('.'); + var ipaddrStr = String.fromCharCode(parseInt(ipaddrSplit[3])) + String.fromCharCode(parseInt(ipaddrSplit[2])) + String.fromCharCode(parseInt(ipaddrSplit[1])) + String.fromCharCode(parseInt(ipaddrSplit[0])); + + // Create a new record + var r = {}; + r.typeIdentifier = 1; + r.flags = 1; // Valid, unscrambled record. + r.chunkCount = 0; + r.headerByteCount = 0; + r.number = 0; + r.variables = []; + setupbin.records.push(r); + + // Create "Current MEBx Password" variable + var v = {}; + v.moduleid = 1; + v.varid = 1; + v.length = -1; + v.value = oldmebxpass; + setupbin.records[0].variables.push(v); + + // Create "New MEBx Password" variable + v = {}; + v.moduleid = 1; + v.varid = 2; + v.length = -1; + v.value = newmebxpass; + setupbin.records[0].variables.push(v); + + // Create "User Defined Certificate Addition" variable + v = {}; + v.moduleid = 2; + v.varid = 8; + v.length = -1; + v.value = String.fromCharCode(2) + Buffer.from(wildcardCertSha256, 'hex').toString('binary') + String.fromCharCode(certRootName.length) + certRootName; // 2 = SHA256 hash type + setupbin.records[0].variables.push(v); + + // Create "PKI DNS Suffix" variable + v = {}; + v.moduleid = 2; + v.varid = 3; + v.length = -1; + v.value = trustedFQDN; + setupbin.records[0].variables.push(v); + + // Create "Configuration Server FQDN" variable + v = {}; + v.moduleid = 2; + v.varid = 4; + v.length = -1; + v.value = trustedFQDN; + setupbin.records[0].variables.push(v); + + // Create "Provisioning Server Address" variable + v = {}; + v.moduleid = 2; + v.varid = 17; + v.length = -1; + v.value = ipaddrStr; + setupbin.records[0].variables.push(v); + + // Create "Provisioning Server Port Number" variable + v = {}; + v.moduleid = 2; + v.varid = 18; + v.length = -1; + v.value = port; + setupbin.records[0].variables.push(v); + + // Create "Remote Configuration Enabled (RCFG)" variable + v = {}; + v.moduleid = 2; + v.varid = 5; + v.length = -1; + v.value = '1'; // Turn on + setupbin.records[0].variables.push(v); + + // Write to log file + obj.logAmtActivation(domain, { time: new Date(), action: 'setupbin', domain: domain.id, userid: user._id, oldmebx: oldmebxpass, newmebx: newmebxpass, rootname: certRootName, hash: wildcardCertSha256, dns: 'rootcert.meshcentral.com' }); + + // Encode the setup.bin file + return AmtSetupBinStack.AmtSetupBinEncode(setupbin); + } + // Return the certificate of the remote HTTPS server obj.loadPfxCertificate = function (filename, password) { var r = { certs: [], keys: [] }; diff --git a/meshcentral.js b/meshcentral.js index 6e301e20..2c94c1de 100644 --- a/meshcentral.js +++ b/meshcentral.js @@ -1650,8 +1650,8 @@ function CreateMeshCentralServer(config, args) { }); // Setup Intel AMT hello server - if ((typeof config.settings.amthelloserver == 'object') && (typeof config.settings.amthelloserver.devicegroup == 'string') && (typeof config.settings.amthelloserver.newmebxpassword == 'string') && (typeof config.settings.amthelloserver.trustedfqdn == 'string')) { - obj.amthelloserver = require('./amthelloserver').CreateAmtHelloServer(obj, config.settings.amthelloserver); + if ((typeof config.settings.amtprovisioningserver == 'object') && (typeof config.settings.amtprovisioningserver.devicegroup == 'string') && (typeof config.settings.amtprovisioningserver.newmebxpassword == 'string') && (typeof config.settings.amtprovisioningserver.trustedfqdn == 'string')) { + obj.amtProvisioningServer = require('./amtprovisioningserver').CreateAmtProvisioningServer(obj, config.settings.amtprovisioningserver); } // Start collecting server stats every 5 minutes diff --git a/meshuser.js b/meshuser.js index cb0ea3d4..4a9d0806 100644 --- a/meshuser.js +++ b/meshuser.js @@ -5283,8 +5283,15 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use case 'amtsetupbin': { if ((command.oldmebxpass != 'admin') && (common.validateString(command.oldmebxpass, 8, 16) == false)) break; // Check password if (common.validateString(command.newmebxpass, 8, 16) == false) break; // Check password - var bin = parent.parent.certificateOperations.GetSetupBinFile(domain.amtacmactivation, command.oldmebxpass, command.newmebxpass, domain, user); - try { ws.send(JSON.stringify({ action: 'amtsetupbin', file: Buffer.from(bin, 'binary').toString('base64') })); } catch (ex) { } + if ((command.baremetal) && (parent.parent.amtProvisioningServer != null)) { + // Create bare metal setup.bin + var bin = parent.parent.certificateOperations.GetBareMetalSetupBinFile(domain.amtacmactivation, command.oldmebxpass, command.newmebxpass, domain, user); + try { ws.send(JSON.stringify({ action: 'amtsetupbin', file: Buffer.from(bin, 'binary').toString('base64') })); } catch (ex) { } + } else { + // Create standard setup.bin + var bin = parent.parent.certificateOperations.GetSetupBinFile(domain.amtacmactivation, command.oldmebxpass, command.newmebxpass, domain, user); + try { ws.send(JSON.stringify({ action: 'amtsetupbin', file: Buffer.from(bin, 'binary').toString('base64') })); } catch (ex) { } + } break; } case 'meshToolInfo': { diff --git a/public/scripts/agent-redir-ws-0.1.1.js b/public/scripts/agent-redir-ws-0.1.1.js index 49687239..26c45322 100644 --- a/public/scripts/agent-redir-ws-0.1.1.js +++ b/public/scripts/agent-redir-ws-0.1.1.js @@ -172,11 +172,11 @@ var CreateAgentRedirect = function (meshserver, module, serverPublicNamePort, au if (typeof e.data == 'string') { obj.xxOnControlCommand(e.data); } else { - // If only 1 byte - if ((cmdAccLen == 0) && (e.data.byteLength == 1)) return; // Ignore single byte data, this is a keep alive. - // Send the data to the module if (obj.m.ProcessBinaryCommand) { + // If only 1 byte + if ((cmdAccLen == 0) && (e.data.byteLength < 4)) return; // Ignore any commands less than 4 bytes. + // Send as Binary Command if (cmdAccLen != 0) { // Accumulator is active diff --git a/views/default.handlebars b/views/default.handlebars index 2ca95879..f6542f43 100644 --- a/views/default.handlebars +++ b/views/default.handlebars @@ -4267,7 +4267,8 @@ x += addHtmlValue("Old Password", ''); x += addHtmlValue("New Password*", ''); x += addHtmlValue("New Password*", ''); - x += ' ' + "* 8 characters, 1 upper, 1 lower, 1 numeric, 1 non-alpha numeric." + ''; + if (features2 & 0x00000020) { x += ''; } // Intel AMT LAN provisioning server is active. + x += '
' + "* 8 characters, 1 upper, 1 lower, 1 numeric, 1 non-alpha numeric." + '
'; setDialogMode(2, "Intel® AMT ACM", 3, showAmtAcmSetupEx, x); Q('dp1password0').focus(); validateAmtAcmSetupEx(); @@ -4281,7 +4282,7 @@ } function showAmtAcmSetupEx() { - meshserver.send({ action: 'amtsetupbin', oldmebxpass: Q('dp1password0').value, newmebxpass: Q('dp1password1').value }); + meshserver.send({ action: 'amtsetupbin', oldmebxpass: Q('dp1password0').value, newmebxpass: Q('dp1password1').value, baremetal: ((features2 & 0x00000020) && (Q('dp1lanprov').checked)) }); } // Display the Intel AMT scanning dialog box diff --git a/webserver.js b/webserver.js index b931cd42..e01adf3f 100644 --- a/webserver.js +++ b/webserver.js @@ -2476,6 +2476,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) { if ((obj.parent.firebase != null) && (obj.parent.firebase.pushOnly != true)) { features2 += 0x00000004; } // Indicates the server supports Firebase two-way push messaging if (obj.parent.webpush != null) { features2 += 0x00000008; } // Indicates web push is enabled if (((obj.args.noagentupdate == 1) || (obj.args.noagentupdate == true))) { features2 += 0x00000010; } // No agent update + if (parent.amtProvisioningServer != null) { features2 += 0x00000020; } // Intel AMT LAN provisioning server // Create a authentication cookie const authCookie = obj.parent.encodeCookie({ userid: dbGetFunc.user._id, domainid: domain.id, ip: req.clientIp }, obj.parent.loginCookieEncryptionKey);