From a3d712d207078c1e06fd96244405907aa3932f90 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Thu, 12 Nov 2020 18:42:26 -0800
Subject: [PATCH] Server peering fixes.

---
 db.js | 8 ++++----
 multiserver.js | 12 +++++++-----
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/db.js b/db.js
index e82290a9..31a54f00 100644
--- a/db.js
+++ b/db.js
@@ -448,7 +448,7 @@ module.exports.CreateDB = function (parent, func) {
 } else {
 obj.fileChangeStream = obj.file.watch([{ $match: { $or: [{ 'fullDocument.type': { $in: ['node', 'mesh', 'user', 'ugrp'] } }, { 'operationType': 'delete' }] } }], { fullDocument: 'updateLookup' });
 obj.fileChangeStream.on('change', function (change) {
- if (change.operationType == 'update') {
+ if ((change.operationType == 'update') || (change.operationType == 'replace')) {
 switch (change.fullDocument.type) {
 case 'node': { dbNodeChange(change, false); break; } // A node has changed
 case 'mesh': { dbMeshChange(change, false); break; } // A device group has changed
@@ -1579,7 +1579,7 @@ module.exports.CreateDB = function (parent, func) {
 // Called when a node has changed
 function dbNodeChange(nodeChange, added) {
 common.unEscapeLinksFieldName(nodeChange.fullDocument);
- const node = nodeChange.fullDocument;
+ const node = performTypedRecordDecrypt([nodeChange.fullDocument])[0];
 if (node.intelamt != null) { // Remove the Intel AMT password and MPS password before eventing this.
 if (node.intelamt.pass != null) { node.intelamt.pass = 1; }
 if (node.intelamt.mpspass != null) { node.intelamt.mpspass = 1; }
@@ -1591,7 +1591,7 @@ module.exports.CreateDB = function (parent, func) {
 function dbMeshChange(meshChange, added) {
 if (parent.webserver == null) return;
 common.unEscapeLinksFieldName(meshChange.fullDocument);
- const mesh = meshChange.fullDocument;
+ const mesh = performTypedRecordDecrypt([meshChange.fullDocument])[0];
 
 // Update the mesh object in memory
 const mmesh = parent.webserver.meshes[mesh._id];
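Review bot: A null fullDocument still reaches `switch (change.fullDocument.type)` on the line after the widened condition: with `fullDocument: 'updateLookup'` (set in the watch() call above) a change stream can deliver an 'update' or 'replace' event whose fullDocument is null when the document was deleted before the lookup ran, and the dereference would then throw inside the stream's 'change' handler. A guard such as `if (change.fullDocument == null) return;` placed before the switch keeps a stale event from taking the listener down. The handler body continues outside the hunk.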
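Review bot: The decrypt-then-redact order in dbNodeChange is the part that matters here: `performTypedRecordDecrypt` runs before `intelamt.pass` and `intelamt.mpspass` are replaced with 1, so the decrypted credentials do not leave the function. The same call is added to dbMeshChange (hunk at -1591) and dbUserChange (hunk at -1613, next line of this patch) with no equivalent scrub visible, so if the helper reveals secret fields on mesh or user records they would reach the in-memory objects and whatever is evented from them — worth confirming against the helper's field table. Writing `performTypedRecordDecrypt([x])[0]` three times to decrypt a single record also reads awkwardly; a one-record wrapper with a comment stating which fields it decrypts would make the intent clear. Each of these functions continues past its hunk.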
@@ -1613,7 +1613,7 @@ module.exports.CreateDB = function (parent, func) {
 // Called when a user account has changed
 function dbUserChange(userChange, added) {
 if (parent.webserver == null) return;
- const user = userChange.fullDocument;
+ const user = performTypedRecordDecrypt([userChange.fullDocument])[0];
 
 // Update the user object in memory
 const muser = parent.webserver.users[user._id];
diff --git a/multiserver.js b/multiserver.js
index 49afc763..1314648e 100644
--- a/multiserver.js
+++ b/multiserver.js
@@ -624,12 +624,14 @@ module.exports.CreateMultiServer = function (parent, args) {
 peerTunnel.ws2.on('open', function () {
 peerTunnel.parent.parent.debug('peer', 'FTunnel ' + peerTunnel.serverid + ': Connected');
 
- // Get the peer server's certificate and compute the server public key hash
- var serverCert = obj.forge.pki.certificateFromAsn1(obj.forge.asn1.fromDer(peerTunnel.ws2._socket.getPeerCertificate().raw.toString('binary')));
- var serverCertHashHex = Buffer.from(obj.forge.pki.getPublicKeyFingerprint(serverCert.publicKey, { encoding: 'binary', md: obj.forge.md.sha384.create() }), 'binary').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
+ if (peerTunnel.ws2._socket.getPeerCertificate != null) {
+ // Get the peer server's certificate and compute the server public key hash
+ var serverCert = obj.forge.pki.certificateFromAsn1(obj.forge.asn1.fromDer(peerTunnel.ws2._socket.getPeerCertificate().raw.toString('binary')));
+ var serverCertHashHex = Buffer.from(obj.forge.pki.getPublicKeyFingerprint(serverCert.publicKey, { encoding: 'binary', md: obj.forge.md.sha384.create() }), 'binary').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
 
- // Check if the peer certificate is the expected one for this serverid
- if ((obj.peerServers[serverid] == null) || (obj.peerServers[serverid].serverCertHash != serverCertHashHex)) { console.log('ERROR: Outer certificate hash mismatch (1). (' + peerTunnel.url + ', ' + peerTunnel.serverid + ').'); peerTunnel.close(); return; }
+ // Check if the peer certificate is the expected one for this serverid
+ if ((obj.peerServers[serverid] == null) || (obj.peerServers[serverid].serverCertHash != serverCertHashHex)) { console.log('ERROR: Outer certificate hash mismatch (1). (' + peerTunnel.url + ', ' + peerTunnel.serverid + ').'); peerTunnel.close(); return; }
+ }
 
 // Connection accepted, resume the web socket to start the data flow
 peerTunnel.ws1._socket.resume();
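Review bot: The new `if (peerTunnel.ws2._socket.getPeerCertificate != null)` guard fails open: when the socket exposes no getPeerCertificate (a socket that is not a TLS socket), both the fingerprint computation and the pinned-hash comparison are skipped and execution falls through to `peerTunnel.ws1._socket.resume()`, so the peer is accepted with no identity check at all. If a plaintext peer link is never expected, the missing method should be handled like a hash mismatch, e.g. `if (peerTunnel.ws2._socket.getPeerCertificate == null) { console.log('ERROR: No peer certificate (' + peerTunnel.url + ', ' + peerTunnel.serverid + ').'); peerTunnel.close(); return; }`; if it is deliberately supported for some deployment, that should be an explicit, commented configuration choice rather than an implicit bypass. Separately, Node's getPeerCertificate() returns an empty object when the peer sent no certificate, so `.raw.toString('binary')` on the line after the guard can still throw inside the 'open' handler; checking the returned object's `raw` before decoding and closing the tunnel when it is absent would close that gap. The 'open' handler continues outside the hunk.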