From b9b2aa55babc26041308f532206bf54387c8a1a1 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire <ysainthilaire@hotmail.com>
Date: Tue, 6 Apr 2021 09:22:26 -0700
Subject: [PATCH] Improved MeshCMD server authentication.

---
 agents/MeshCmd-signed.exe   | Bin 4432768 -> 4433016 bytes
 agents/MeshCmd64-signed.exe | Bin 4047232 -> 4047480 bytes
 agents/meshcmd.js           |   7 ++++++-
 meshcentral.js              |   2 +-
 meshuser.js                 |   4 +++-
 mqttbroker.js               |   8 +++++---
 package.json                |  14 +++++++++++++-
 7 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/agents/MeshCmd-signed.exe b/agents/MeshCmd-signed.exe
index 72e03d9a9b904e847bf879229af5185360a51061..c8609c70e23d603d0d1e0b71133b5d353e1aedcc 100644
GIT binary patch
delta 1432
zcmX}keLT~700(fJsg{k&5c4pp7*l(2BN}Z^^RO4%R$ZhTCelT=^l){Ijygk3{VF7n
zspzz$3FmQ2l(WRSkW-e()8Wi=r~BT$?scEn>;2E?_4<4gpJu?9J2K!^u`oC_R~iR%
zhYv`SWw2Bk>>qGI8$bX$z#3pJuns^1>j7N=1)u>vKp(&W2EYcu5WoUPfH7bKYy?aJ
zGXMve0~UZKU<Kd-YhV*#18fGi09yfDzz!e)_J9LG1RQ~Fz;=KHkO7KZ2BQYHW|0u7
za0L}`0=@uffHU9%>;PN=H()0~2i)awg$H#GdQ!d10E+Wt8l{F*?*bU|kZNZCIy>&^
zC{b7>UKE2rC5$?86z|RB1#<B`HWwczh!aIcM1}E10(?XaglT6QL+KwFDC2O!aRKOr
z0+9$TgxiFIxOhPvL^{AUf)eCRB(%ksVF1HJ!}UxvNGW0%uKjQEZv%6KdQ=P(IrS%I
zZa2K65$Z|v6q9h`h*wra6XMY%e1G4Rk3%ZQ&I|YY`G)A~+FPF$p;=$*H?KPq#%kJ=
z$ve@yx0ELrOFWkiNWPt3t>HKpr2hWUH$HgfHda7JrqXddlX<jW{Iq2it;^}cByOJF
zzH$zGDcz#xF?9EqXL5q4;tnp2(ISg8D==z%wb(IczRaejC)WgUb+QW;1vbT(f;<?_
z2c?=W*}^h`J7252|4gV`QXSd7)kHJme(JKi@QUrys+*+zYI8dgF`LIucJ}k`-Eli!
z-@cmvi_|}@m5jwaxW|({qX|kHX6y)$KKbQ+3~=akESMIe6DrmUzimLRz}s8f^(yoU
zbsJiE{M6Nq*|to|tgE))vet9Ez3bJ#RjTh7l|SnwJVjE<NJ6VQ^HEW19(ua|z-?ZL
z7foK%#3#yFnDjg%?uO3%Qcp>NJeWD!GR6(B@ESu*T|0QJcvwi6ZKSg|kCYVI4>9-w
z`PCTJ%UU>04iRsAE+){(GzytQ2_ku{LE5Kyr>M~|B!Wyqkl0c;N1s{KUab>v7`X%!
zzHx}u?PUdQC-JTFg-ibAa2sPV@IItcpzcV*cLwbjlF<Jjz+gIBh$Og{r{_z37R9?G
zJ`DSax-Yhf`7U2-SuodZL6A;XIp%#GN+c(c@~IQ^)#cg6lS_9+{gul0cgXnDM@Jhc
zUdTUl58mva)S1^lWoDfgIg%~$SZZ`lzIL87jTvT-hZJgje;#Z9VEvv`@@tYtboTft
zm0pM%oLaCcz`An-O&>hB*Bgs*O&#20N-4uf{63g+r!4LI6E}XblgKZlHaCZ*F-=NH
zA3JFg5UE?NGKgP~7;6!~J)%5J@*i^UI_<@b(~;fa^eR;iS982>EM5=lmwkt%qs?YA
zYE-tIndqCi7^jq>zE@?n7r$y;aag!HNZ4OApoSC@0lxLZhlfOekz_D{*>8VtBx(Sc
zi0Yg&$~invH|*OIfu?7u&o)$Trz8Y#{XAha^n)LKpE=Em-}c%5$I#MxAr4aP>A&T2
z-m<+p+S$&Tg{twg?TL&gn{ckY{dQ^11%qR;67;d_S(n}acw;21<ypc}$k%nHGDEBj
zGMe3~Nq*FO=<=Vv%n0K9=y)lI%+}3M%D(m&Ze^2HzsVb`nTVcOSLkg`IupJ?$-YMq
z+}%Bs6FN949<8f-jk#zzo`_R@ENpIyc<Ar9961-dxAL(}GlcC|eQLS%aJLW5dhxKi
tb!F+auY5;?oEEyOT(LVtVGW$j(_bpTpCyhh>KfAS<|hX$t%9{c{sycShZq0=

delta 1309
zcmWl|3pf)9902fbOjy<$vQ`}$&7<t0OlEm3ua**(N2e=RZWN01I@j{J^kBMF^D50F
zV?7u(SzcY*mhAG$Bi&bqOQB0&%&v>>f4}eh>68N0X@vmQkcdPPi;7Mnx1mNa<VcZu
zQsn<pP!H-uG&F$ApdmDZ#t;LSLlcOFD<BT8gm`EQ&7e741uY-}u7*Uo2Cjwc;CIjx
zT0v{L9+IF9w1pcW8QMX6=l~tzMz{$&K?<Zo8l=mlNavtOc?OT2;byo6x<CeWg<GK;
zWI}hyg4<*Uk3F1c@kxotc*%BTH?qA`YyvOdj!YIJ<=$p_k<FgaOBUJeJ!~j*Z1*lx
zqZCht%6xVfHA39q?bMSNjd9@Fzx2-`Y9^EEr4C$Wp4i9dA?-$B+k$odhMZT}>XLT)
zllv|LS$Y9mw~|^_nwdu~>+*CL+TF8E8giVJeb&Wm#(CdJQR)ue%$I__r5LM*H*Z}?
zy+t7-dL*H!f}O+P<TEOxR5%i2!iRM%^c7@Iv%UBImV~URVYf1}c8P1@G{I;M>F3pD
zi+XI)hqf`tv!4Wx)`m?oZuZBGSA@D%OJ1@D-jxri`oy2;VSdMrE4#Orv5D?YLA7R-
zldsAoi=0!wPu1oV$IsRkwd_<C@Y{}09psWu`=(N}+5FHZ-<0?`d9nhdZMZV^cDM3<
zVaI_nws%_ad0o^(CXVodm0JFK@CY|C19fiA>d8Y>LGxNwVi#lk@_B{8{7p@_JMK_(
z07lvzN*k!xHW`)wUYL;_YB(J;?;Gv!Fmk^54?^BqJjXFz6=g9UusAhzcW#$p>Gt;x
zx5aK_5|l}m&_=|b3vi}x*-WR?BB&k)Mh<8E&n%cAjr3`BeX4Q=<-O^8R{J}f2h)`5
zBr$zP+T%l%U<f>9`-M66JSYErvQ=-N%q#qt(%DYLnDB5V+mvtevHBFwm8Hcqtuf}s
z<|Ubg`h$kUUr7vqSK{l=uTfpSq(@gg>5_J8i25>i;*xiW7B^mVQdMmKuQc#mKB6^a
zda)kinZWbL?fP7iKl{(Vxlb>%RB?LJ@PvSX01J(2O=VZf2IKI{mY?|vjK_*Sh&ATa
z+`v7DFFjby9^<z?lib0@zF0cfvtvS88BZ6@uAT0)Mj#@p9!7q7w~jr1ZGW`~PGaGa
z_T@o!_Uv`$k11i#+|y6sYD+}+A@j_I=NVXTmsQ$sPRod~e$ewf-*f?9>GD4A)~XQZ
zLCy8d4uJ=v&`*FCkhBxI(<TPmejo80W$u2tFj(#t$^V%3bJ1Bw!NpSp67hO^ao6BY
zbhISQZ{yLwlG{E-q?KwfYsL&M@6{<@^!^ss=+tpq>i$FA43gukw*x)%UcG8oZo5Bs
z9}e@89UC~dMMQ|)$-p9);kT<teFh`2EPQQb%vH1QBi8l`#ag2n%7i>tIQpow_r{ZQ
ze6S$8lb_+78ZL<AjaOcEZT!=}j=5J(vukN39>cR#7l&t0R2>^kx^=+O*1xg*YgN$o
z0bjby?)%!I#wb+{?#_xExYPkl>)vazZr=qLNRn77d*iv2grCCfj%sKpI3hHAh;lc_
oM$<I1v=W;_{`K#|tA6A?feo&^TJKR_6Q*wUEf{iAN<SdLf2k=}1ONa4

diff --git a/agents/MeshCmd64-signed.exe b/agents/MeshCmd64-signed.exe
index 2e04c399adf8ba980633cb06fdbb7decfee208a5..9215c9a2a8f5cbfeb27d3c72f5092c280dbcd64b 100644
GIT binary patch
delta 1408
zcmX}odo&XY90zclS>$mod4$?znljqFifu{hT*|9PIVG`KtZ5TN>1Hu&9;xGX=5f2n
z`;n5Qgf6K_U8F^gQHCyV$s?KM)cxIi?zz8nKL32r`F{WST@)%2%gIVa-9-e_>Ogi9
z!W${OE|em~Qp7)yKoy{X8bE_JKpkj+wLlYS0d1fIege7x1J(gOupa0G17HY@zy@Fp
zOn@oa2sQyMzyUL`8JGh+umD>C0a${qU>mRk#6~H?nlze8LWz-M*1!gA2P8lSw!jY9
z0|(#;c7UCY$T26oIZ3C~86$~eQ}xBirOtrTcw9<-t!_z=WAmBeI6e;-6V2v^;oSZF
zeCaqpPdbjtisG|RvY8=#7VacZqB~ACkYu2#S_Yx42o_|~EIuC^(KgYns908%gcL{B
zmk0)^8WM|e3I>6bj0{qZB`>omdTah`{F@*sl0H?cVWXX#TG)&1YL)a=(-KL^x?73&
z*M4m#VZ{TvA0mjBDiySYU)mIHdVik(sHZYmJl?vYK&wO;oUgnQgX-Pan0TGGj3K!!
z)MKmtJqDjzcO;tB1reIg^v%n!1*dT;`g<9<16)RHnb)Sk;z<^|{f_%|(RNAo1Da5v
zGJepPJk{Ik6>s+3CX()8yo)7rn0v=fJ}Z<d7WE>EKYXcMx4<alnR8TYpXANOiqaYB
zF`hY=Jr_(17FAb>sGsTB8o>;Gy`RaMQKPb7(r?%ajrvwe>BTD%@49;qbcNtG%Y$MU
zCcX3fU(IR0w;+x#O}thP7X&nvPMj75p(nVZ{Waa}%bBAmx@I4>E@ntu>(Bd`#rxa|
z>U(c7!U}V}WpIVb-8N(F^dPIH)Ri$Y+%i8WSDWI=D$p*z4bE2%)qed=sQavZws|~L
zdlh9hn|tc*U9Wz8*r9l_cS`oJOHTPUdbIq_=bkhxf?qw@iSuqhtbVNh)UsCqauqKj
zw$c^_j$}t$vaQ`wk_%d6+a>o)N^OJ&ifoG_MQPa&tflPx6p<`6d7D?(Q^a-)zZn~L
zfO{+G_1+?WX0<ZU(PX0B)ucyfsWVHpkfi<p00N<=f=WWF5cgZ~A_Enh;|JTsw2~2H
z{)Hi4+1YE3*6E9VRUUgAcP8}<>J+{m-FYki``Xnsrtj8N>Nq2tstCFZ0TILHds1_I
zQU2Zp^2|}PckPwEhnv0yazYt%ab^kFXUlOO=Q=|DCLfD*eq^%KGEFnw-BwfX)s`S4
zACcYsJ(pAyG>s#yD#)A?P6!XfEeonqG-%J>q4Oytu0=F&mD^1{qHqCcBQuy1SP;y)
zEwX2`oD9x5nx*cjD(cV_abrE7o(PlOsGKy~HTyX}=cZi+J+*3ZaDjOu=8%`IGW4pl
zbU7^NVcK=>CuQ?vhk=pPLuLutzo*3S*f_q%zPJPZB3o5C&2?@%E|;biG>Fk5lkz}=
z{Sx@rmLb^@e&?HyTmj~N{4}bw%ek`u(qmJZXxOHJAoq3EA6ij-PHivB85rv=q#7Zg
zJ6Yu$US=j_q`c^jId|`)ymPmRaPl?^IoZK@+NW<miziioGjzT0ziEhpT|Ks6K6~u@
z;qTlR_=n4hUD>&cJ>RAr>JxF+*)dgDv6YWx;)$Y>$(QB3VnW$}tQu@jn06b+a$bqL
zFRNSFy<^$VyZG@8jm#-n9Whou<AG*YV*YAVMEYdpxK^TYQ%mS>^h`qi3X$wX(0?Nc
kAhejZgx+_o(Q3}Z&j(`sYzj+v9|`;PqwDVOF%`JK0n^co5dZ)H

delta 1285
zcmWl|3p~>a902g!V&PiYCL+(sBW7VGnO&|Ib!w+{>!Fl!HW#BsU2Kw#&#s90qX&^T
zlh2sC9iI<V6dh_No#Zic$O@g9yzYMY{d~UjSG6c!suoqnL!r-<=3GGqq1EN7DwIHl
z`ac@3f;vzaV&H112lb%={1&c(ShyA%LL+DlaS#s)&;+i7rqB$ohvv`%Zh)513R*)O
zXbbJ&MraQm;3nt@ouD&xft#VLT!nHYsRfu}H%Nr;kOa3t59kTKAQ^6j+n~1`GrZk%
z8W$fM9d+Kx(Z|u5$c%|P=j7;!px*it1SeHKaEJV)%C|>PzPZo$)=PBDpGd2Ol0xD}
z(RyYBY&i~}yoqhRsX3)4@b`Mc?pxmRyL2hj&kDXj8g#!&KTTQ~s)MO=u5OcGtf0&r
zlbGg@QgYTy&OSQ(A^r0zHg)NF(Lj&Eve}InWNA`9Hg-Z;9NRhdpbAx4;?TRDmxbJ`
zr=)WI_$H@5*U<_u<94}}wG$=FS}D6f+Qr1^6bs8DWU?0u<a<6khbSj&FCmL%i0oRf
zO(cCoe{W*^q=T1CP1egB6ts>^8k8z+bEEygoGt907L=()CrUZ^()5%SMonB*ot0vK
z?TlGswtBh`pWvSnro6YLCGg4N3-t}$VCxW<+k*$D*5(xQ(pf^w9eN^Gc^k{_(izq>
z>Wk1wJ6x7-IwxVe)WFrOWa$&zFNon9!x^h^3ndhAER~&zll=K;!MgoS^vy}y)ZzQ>
z;v;_9^*?o0o)Eu&5>EV4vUK`^HLlYt-<H-D)Xz&|d>Gu<XlRKz9(<hAe#8xpry}+W
z%9j9764}ec!|ND{iqUuB@8fH+D1DtR9y+8qGt!lNcbo2D2qy$o8!@uxo3Wtq+i!Gt
z#&H8~S|0Uj9>--w6l<HU(F~)NR-aZRtdWA}CgeW!nGeWsD&pw*+g9ee&PKdC)c$r^
z{36WaImKfU;ZF315i>`AW0oG>_TINcm3P&R{&gk?GZ38^wfjQcm=~Mb;km1Qry{^O
zd$ig7&Gqh1DZ}4o&)u4S^+K>FIsX(s^R;s(BPv2EUM^|*t5Y!GFlu5sPLr6jiv~=%
z-4Z+fZ1TrKTzTDKR&d!5<tws?po={Bn|O=u{OUs~7NVhy7~GRO>w|ZbE@$=8k8k5t
z<TmV3MKnLvw6@I;5h4TaO+5`23Z3ysor0eiX9MS=E#5_?YpH^rnwM+(dwXm9Q;G@>
z)cuh#mA2}JNeK5EN_BiMBP1?7)uV8dYwJvVIagDrsXHVZ|Ll2PVcenau{xY=lSV`f
zvF0*#1F66-YeF@Vl`RxvYmys}J(LyO=tNwuN&Khrl`yfxdec);roBSHjM&w3Czeaj
zs3|`8I_Bh7>F|&#Gimj(Ce7*Hd@Vixn5e$|BlBN(@%qPodvccef73?H1$1NXuX|;(
z+OMtwLat%;c|m5XUrUeoY|}5p^wfbXMa^H1#M0i^UPRU<<Rifk=SJ#P^o3<ZO?B<l
zx!lP!Rw#FOwy#;q!H~G_?C%uVjX9%-(}pYWS9D!SJ{~#5k8TKEj5p|E<ynXWA4pCo
fZS3CLTq!-bU$oRcF(WJ<6B`Zcl~Yl<-+=!BdB|vY

diff --git a/agents/meshcmd.js b/agents/meshcmd.js
index f216fa5b..2e0a2b41 100644
--- a/agents/meshcmd.js
+++ b/agents/meshcmd.js
@@ -70,7 +70,7 @@ function onVerifyServer(clientName, certs) {
     if (certs == null) { certs = clientName; } // Temporary thing until we fix duktape
 
     // If we have the serverid, used delayed server authentication
-    if (settings.serverid != null) { settings.meshServerTlsHash = certs[certs.length - 1].fingerprint.split(':').join(''); return; }
+    if (settings.serverid != null) { settings.meshServerTlsHash = certs[certs.length - 1].fingerprint.replace(/:/g, ''); return; }
 
     // Otherwise, use server HTTPS certificate hash
     try { for (var i in certs) { if (certs[i].fingerprint.replace(/:/g, '') == settings.serverhttpshash) { return; } } } catch (e) { }
@@ -2064,6 +2064,11 @@ function OnServerWebSocket(msg, s, head) {
                 var signDataHash = hasher.syncHash(Buffer.concat([Buffer.from(settings.serverAuthClientNonce, 'base64'), Buffer.from(settings.meshServerTlsHash, 'hex'), Buffer.from(command.nonce, 'base64')]));
                 if (require('RSA').verify(require('RSA').TYPES.SHA384, cert, signDataHash, Buffer.from(command.signature, 'base64')) == false) { console.log("Unable to authenticate the server, invalid signature."); process.exit(1); return; }
 
+                // Switch to using HTTPS TLS certificate for authentication
+                delete settings.serverid;
+                settings.serverhttpshash = settings.meshServerTlsHash;
+                delete settings.meshServerTlsHash;
+
                 // Figure out the 2FA token to use if any
                 var xtoken = null;
                 if (settings.emailtoken) { xtoken = '**email**'; }
diff --git a/meshcentral.js b/meshcentral.js
index fbf5095e..b0f632f3 100644
--- a/meshcentral.js
+++ b/meshcentral.js
@@ -3115,7 +3115,7 @@ function mainStart() {
         if (passport != null) { modules.push(...passport); }
         if (sessionRecording == true) { modules.push('image-size'); } // Need to get the remote desktop JPEG sizes to index the recodring file.
         if (config.letsencrypt != null) { if (nodeVersion < 8) { addServerWarning("Let's Encrypt support requires Node v8.x or higher.", !args.launch); } else { modules.push('acme-client'); } } // Add acme-client module
-        if (config.settings.mqtt != null) { modules.push('aedes'); } // Add MQTT Modules
+        if (config.settings.mqtt != null) { modules.push('aedes@0.39.0'); } // Add MQTT Modules
         if (config.settings.mysql != null) { modules.push('mysql'); } // Add MySQL.
         //if (config.settings.mysql != null) { modules.push('@mysql/xdevapi'); } // Add MySQL, official driver (https://dev.mysql.com/doc/dev/connector-nodejs/8.0/)
         if (config.settings.mongodb != null) { modules.push('mongodb'); modules.push('saslprep'); } // Add MongoDB, official driver.
diff --git a/meshuser.js b/meshuser.js
index dc405e1b..e3b95265 100644
--- a/meshuser.js
+++ b/meshuser.js
@@ -5146,7 +5146,9 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                     // Get the node and the rights for this node
                     parent.GetNodeWithRights(domain, user, command.nodeids[i], function (node, rights, visible) {
                         // If this device is connected on MQTT, send a wake action.
-                        if (rights != 0) { parent.parent.mqttbroker.publish(node._id, command.topic, command.msg); }
+                        if (rights != 0) {
+                            parent.parent.mqttbroker.publish(node._id, command.topic, command.msg);
+                        }
                     });
                 }
 
diff --git a/mqttbroker.js b/mqttbroker.js
index 87494d97..26a9ca4f 100644
--- a/mqttbroker.js
+++ b/mqttbroker.js
@@ -13,9 +13,9 @@ module.exports.CreateMQTTBroker = function (parent, db, args) {
     obj.db = db;
     obj.args = args;
     obj.connections = {}; // NodesID --> client array
-    const aedes = require("aedes")();
+    const aedes = require('aedes')();
     obj.handle = aedes.handle;
-    const allowedSubscriptionTopics = [ 'presence' ];
+    const allowedSubscriptionTopics = ['presence', 'console', 'powerAction'];
     const denyError = new Error('denied');
     var authError = new Error('Auth error')
     authError.returnCode = 1
@@ -127,7 +127,9 @@ module.exports.CreateMQTTBroker = function (parent, db, args) {
         if (typeof message == 'string') { message = Buffer.from(message); }
         for (var i in clients) {
             // Only publish to client that subscribe to the topic
-            if (clients[i].subscriptions[topic] != null) { clients[i].publish({ cmd: 'publish', qos: 0, topic: topic, payload: message, retain: false }); }
+            if (clients[i].subscriptions[topic] != null) {
+                clients[i].publish({ cmd: 'publish', qos: 0, topic: topic, payload: message, retain: false }, function () { });
+            }
         }
     }
 
diff --git a/package.json b/package.json
index 47c4f48f..c18d3dd1 100644
--- a/package.json
+++ b/package.json
@@ -36,6 +36,9 @@
     "sample-config-advanced.json"
   ],
   "dependencies": {
+    "aedes": "^0.45.0",
+    "archiver": "^4.0.2",
+    "archiver-zip-encrypted": "^1.0.8",
     "body-parser": "^1.19.0",
     "cbor": "~5.2.0",
     "compression": "^1.7.4",
@@ -44,14 +47,23 @@
     "express": "^4.17.0",
     "express-handlebars": "^3.1.0",
     "express-ws": "^4.0.0",
+    "image-size": "^0.9.7",
     "ipcheck": "^0.1.0",
+    "loadavg-windows": "^1.1.1",
     "minimist": "^1.2.0",
+    "mongodb": "^3.6.5",
     "multiparty": "^4.2.1",
     "nedb": "^1.8.0",
     "node-forge": "^0.10.0",
+    "node-rdpjs-2": "^0.3.5",
+    "node-windows": "^1.0.0-beta.5",
+    "otplib": "^10.2.3",
+    "saslprep": "^1.0.3",
+    "web-push": "^3.4.4",
     "ws": "^6.2.1",
     "xmldom": "^0.5.0",
-    "yauzl": "^2.10.0"
+    "yauzl": "^2.10.0",
+    "yubikeyotp": "^0.2.0"
   },
   "repository": {
     "type": "git",