
Added support for user inner server authentication.

This commit is contained in:
Ylian Saint-Hilaire 2021-04-02 17:20:36 -07:00
parent e163bff7e3
commit 72799f0346
3 changed files with 172 additions and 34 deletions


@ -102,8 +102,8 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
function cleanRemoteAddr(addr) { if (addr.startsWith('::ffff:')) { return addr.substring(7); } else { return addr; } }
// Send a PING/PONG message
function sendPing() { obj.ws.send('{"action":"ping"}'); }
function sendPong() { obj.ws.send('{"action":"pong"}'); }
function sendPing() { try { obj.ws.send('{"action":"ping"}'); } catch (ex) { } }
function sendPong() { try { obj.ws.send('{"action":"pong"}'); } catch (ex) { } }
// Setup the agent PING/PONG timers
if ((typeof args.browserping == 'number') && (obj.pingtimer == null)) { obj.pingtimer = setInterval(sendPing, args.browserping * 1000); }
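Review bot: The new `catch (ex) { }` on the sendPing and sendPong lines swallows every exception, not only the send-on-a-closed-socket case that presumably motivated it, so a failing send leaves the interval firing against a dead connection until the timer is stopped somewhere else. A short comment inside the catch would make the intent explicit for the next reader, e.g. `catch (ex) { /* socket closed or closing; ping is best-effort */ }`. If the close path does not already clear obj.pingtimer (set on the following line; the close handling is not visible here), the catch is also the natural place to stop the interval rather than retrying every period. The enclosing CreateMeshUser function begins and ends outside this hunk.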
@ -5544,24 +5544,6 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
//console.log(command, file);
break;
}
case 'serverAuth': { // This command is used to perform server "inner" authentication.
if (common.validateString(command.cnonce, 1, 256) == false) break; // Check the client nonce
if (common.validateString(command.tlshash, 1, 512) == false) break; // Check the TLS hash
// Check that the TLS hash is an acceptable one.
var h = Buffer.from(command.tlshash, 'hex').toString('binary');
if ((parent.webCertificateHashs[domain.id] != h) && (parent.webCertificateFullHashs[domain.id] != h) && (parent.defaultWebCertificateHash != h) && (parent.defaultWebCertificateFullHash != h)) { obj.close(); return; }
// TLS hash check is a success, sign the request.
// Perform the hash signature using the server agent certificate
var nonce = parent.crypto.randomBytes(48);
var signData = Buffer.from(command.cnonce, 'base64').toString('binary') + h + nonce.toString('binary'); // Client Nonce + TLS Hash + Server Nonce
parent.parent.certificateOperations.acceleratorPerformSignature(0, signData, null, function (tag, signature) {
// Send back our certificate + nonce + signature
ws.send(JSON.stringify({ 'action': 'serverAuth', 'cert': Buffer.from(parent.agentCertificateAsn1, 'binary').toString('base64'), 'nonce': nonce.toString('base64'), 'signature': Buffer.from(signature,'binary').toString('base64') }));
});
break;
}
default: {
// Unknown user action
console.log('Unknown action from user ' + user.name + ': ' + command.action + '.');