diff --git a/db.js b/db.js index 524e89bb..022a76be 100644 --- a/db.js +++ b/db.js @@ -422,26 +422,21 @@ module.exports.CreateDB = function (parent, func) { let key; try { key = parent.crypto.pbkdf2Sync(password, salt, iterations, 32, 'sha384'); - } catch (e) { + } catch (ex) { // If this previous call fails, it's probably because older pbkdf2 did not specify the hashing function, just use the default. key = parent.crypto.pbkdf2Sync(password, salt, iterations, 32); } return key } - obj.oldGetEncryptDataKey = function (password) { - if (typeof password != 'string') return null; - return parent.crypto.createHash('sha384').update(password).digest("raw").slice(0, 32); - } - // Encrypt data obj.encryptData = function (password, plaintext) { - let encryptionVersion = 0x1; + let encryptionVersion = 0x01; let iterations = 100000 const iv = parent.crypto.randomBytes(16); var key = obj.getEncryptDataKey(password, iv, iterations); if (key == null) return null; - const aes = parent.crypto.createCipheriv("aes-256-gcm", key, iv); + const aes = parent.crypto.createCipheriv('aes-256-gcm', key, iv); var ciphertext = aes.update(plaintext); let versionbuf = Buffer.allocUnsafe(2); versionbuf.writeUInt16BE(encryptionVersion); @@ -454,35 +449,55 @@ module.exports.CreateDB = function (parent, func) { // Decrypt data obj.decryptData = function (password, ciphertext) { - let ciphertextBytes = Buffer.from(ciphertext, 'base64'); - try { - const iv = ciphertextBytes.slice(0, 16); - const data = ciphertextBytes.slice(16); - let key = obj.oldGetEncryptDataKey(password); - const aes = parent.crypto.createDecipheriv("aes-256-cbc", key, iv); - let plaintextBytes = Buffer.from(aes.update(data)); - plaintextBytes = Buffer.concat([plaintextBytes, aes.final()]); - return plaintextBytes; - } catch (e) {} // Adding an encryption version lets us avoid try catching in the future + let ciphertextBytes = Buffer.from(ciphertext, 'base64'); let encryptionVersion = ciphertextBytes.readUInt16BE(0); try { switch (encryptionVersion) { - case 0x1: + case 0x01: let iterations = ciphertextBytes.readUInt32BE(2); let authTag = ciphertextBytes.slice(6, 22); const iv = ciphertextBytes.slice(22, 38); const data = ciphertextBytes.slice(38); let key = obj.getEncryptDataKey(password, iv, iterations); if (key == null) return null; - const aes = parent.crypto.createDecipheriv("aes-256-gcm", key, iv); + const aes = parent.crypto.createDecipheriv('aes-256-gcm', key, iv); aes.setAuthTag(authTag); let plaintextBytes = Buffer.from(aes.update(data)); plaintextBytes = Buffer.concat([plaintextBytes, aes.final()]); return plaintextBytes; default: - return null; + return obj.oldDecryptData(password, ciphertextBytes); } + } catch (ex) { return obj.oldDecryptData(password, ciphertextBytes); } + } + + // Encrypt data + // The older encryption system uses CBC without integraty checking. + // This method is kept only for testing + obj.oldEncryptData = function (password, plaintext) { + let key = parent.crypto.createHash('sha384').update(password).digest('raw').slice(0, 32); + if (key == null) return null; + const iv = parent.crypto.randomBytes(16); + const aes = parent.crypto.createCipheriv('aes-256-cbc', key, iv); + var ciphertext = aes.update(plaintext); + ciphertext = Buffer.concat([iv, ciphertext, aes.final()]); + return ciphertext.toString('base64'); + } + + // Decrypt data + // The older encryption system uses CBC without integraty checking. + // This method is kept only to convert the old encryption to the new one. + obj.oldDecryptData = function (password, ciphertextBytes) { + if (typeof password != 'string') return null; + try { + const iv = ciphertextBytes.slice(0, 16); + const data = ciphertextBytes.slice(16); + let key = parent.crypto.createHash('sha384').update(password).digest('raw').slice(0, 32); + const aes = parent.crypto.createDecipheriv('aes-256-cbc', key, iv); + let plaintextBytes = Buffer.from(aes.update(data)); + plaintextBytes = Buffer.concat([plaintextBytes, aes.final()]); + return plaintextBytes; } catch (ex) { return null; } } diff --git a/meshcentral.js b/meshcentral.js index 95f2f602..f39942a5 100644 --- a/meshcentral.js +++ b/meshcentral.js @@ -139,7 +139,7 @@ function CreateMeshCentralServer(config, args) { try { require('./pass').hash('test', function () { }, 0); } catch (ex) { console.log('Old version of node, must upgrade.'); return; } // TODO: Not sure if this test works or not. // Check for invalid arguments - const validArguments = ['_', 'user', 'port', 'aliasport', 'mpsport', 'mpsaliasport', 'redirport', 'rediraliasport', 'cert', 'mpscert', 'deletedomain', 'deletedefaultdomain', 'showall', 'showusers', 'showitem', 'listuserids', 'showusergroups', 'shownodes', 'showallmeshes', 'showmeshes', 'showevents', 'showsmbios', 'showpower', 'clearpower', 'showiplocations', 'help', 'exactports', 'xinstall', 'xuninstall', 'install', 'uninstall', 'start', 'stop', 'restart', 'debug', 'filespath', 'datapath', 'noagentupdate', 'launch', 'noserverbackup', 'mongodb', 'mongodbcol', 'wanonly', 'lanonly', 'nousers', 'mpspass', 'ciralocalfqdn', 'dbexport', 'dbexportmin', 'dbimport', 'dbmerge', 'dbfix', 'dbencryptkey', 'selfupdate', 'tlsoffload', 'usenodedefaulttlsciphers', 'tlsciphers', 'userallowedip', 'userblockedip', 'swarmallowedip', 'agentallowedip', 'agentblockedip', 'fastcert', 'swarmport', 'logintoken', 'logintokenkey', 'logintokengen', 'mailtokengen', 'admin', 'unadmin', 'sessionkey', 'sessiontime', 'minify', 'minifycore', 'dblistconfigfiles', 'dbshowconfigfile', 'dbpushconfigfiles', 'dbpullconfigfiles', 'dbdeleteconfigfiles', 'vaultpushconfigfiles', 'vaultpullconfigfiles', 'vaultdeleteconfigfiles', 'configkey', 'loadconfigfromdb', 'npmpath', 'serverid', 'recordencryptionrecode', 'vault', 'token', 'unsealkey', 'name', 'log', 'dbstats', 'translate', 'createaccount', 'setuptelegram', 'resetaccount', 'pass', 'removesubdomain', 'adminaccount', 'domain', 'email', 'configfile', 'maintenancemode', 'nedbtodb', 'removetestagents', 'agentupdatetest', 'hashpassword', 'hashpass', 'indexmcrec', 'mpsdebug', 'dumpcores', 'dev', 'mysql', 'mariadb', 'trustedproxy']; + const validArguments = ['_', 'user', 'port', 'aliasport', 'mpsport', 'mpsaliasport', 'redirport', 'rediraliasport', 'cert', 'mpscert', 'deletedomain', 'deletedefaultdomain', 'showall', 'showusers', 'showitem', 'listuserids', 'showusergroups', 'shownodes', 'showallmeshes', 'showmeshes', 'showevents', 'showsmbios', 'showpower', 'clearpower', 'showiplocations', 'help', 'exactports', 'xinstall', 'xuninstall', 'install', 'uninstall', 'start', 'stop', 'restart', 'debug', 'filespath', 'datapath', 'noagentupdate', 'launch', 'noserverbackup', 'mongodb', 'mongodbcol', 'wanonly', 'lanonly', 'nousers', 'mpspass', 'ciralocalfqdn', 'dbexport', 'dbexportmin', 'dbimport', 'dbmerge', 'dbfix', 'dbencryptkey', 'selfupdate', 'tlsoffload', 'usenodedefaulttlsciphers', 'tlsciphers', 'userallowedip', 'userblockedip', 'swarmallowedip', 'agentallowedip', 'agentblockedip', 'fastcert', 'swarmport', 'logintoken', 'logintokenkey', 'logintokengen', 'mailtokengen', 'admin', 'unadmin', 'sessionkey', 'sessiontime', 'minify', 'minifycore', 'dblistconfigfiles', 'dbshowconfigfile', 'dbpushconfigfiles', 'oldencrypt', 'dbpullconfigfiles', 'dbdeleteconfigfiles', 'vaultpushconfigfiles', 'vaultpullconfigfiles', 'vaultdeleteconfigfiles', 'configkey', 'loadconfigfromdb', 'npmpath', 'serverid', 'recordencryptionrecode', 'vault', 'token', 'unsealkey', 'name', 'log', 'dbstats', 'translate', 'createaccount', 'setuptelegram', 'resetaccount', 'pass', 'removesubdomain', 'adminaccount', 'domain', 'email', 'configfile', 'maintenancemode', 'nedbtodb', 'removetestagents', 'agentupdatetest', 'hashpassword', 'hashpass', 'indexmcrec', 'mpsdebug', 'dumpcores', 'dev', 'mysql', 'mariadb', 'trustedproxy']; for (var arg in obj.args) { obj.args[arg.toLocaleLowerCase()] = obj.args[arg]; if (validArguments.indexOf(arg.toLocaleLowerCase()) == -1) { console.log('Invalid argument "' + arg + '", use --help.'); return; } } const ENVVAR_PREFIX = "meshcentral_" let envArgs = [] @@ -1029,7 +1029,27 @@ function CreateMeshCentralServer(config, args) { // Show a list of all configuration files in the database if (obj.args.dblistconfigfiles) { - obj.db.GetAllType('cfile', function (err, docs) { if (err == null) { if (docs.length == 0) { console.log("No files found."); } else { for (var i in docs) { console.log(docs[i]._id.split('/')[1] + ', ' + Buffer.from(docs[i].data, 'base64').length + ' bytes.'); } } } else { console.log('Unable to read from database.'); } process.exit(); }); return; + obj.db.GetAllType('cfile', function (err, docs) { + if (err == null) { + if (docs.length == 0) { + console.log("No files found."); + } else { + for (var i in docs) { + if (typeof obj.args.dblistconfigfiles == 'string') { + const data = obj.db.decryptData(obj.args.dblistconfigfiles, docs[i].data); + if (data == null) { + console.log(docs[i]._id.split('/')[1] + ', ' + Buffer.from(docs[i].data, 'base64').length + ' encrypted bytes - Unable to decrypt.'); + } else { + console.log(docs[i]._id.split('/')[1] + ', ' + data.length + ' bytes, decoded correctly.'); + } + } else { + console.log(docs[i]._id.split('/')[1] + ', ' + Buffer.from(docs[i].data, 'base64').length + ' encrypted bytes.'); + } + } + } + } else { console.log('Unable to read from database.'); } process.exit(); + }); + return; } // Display the content of a configuration file in the database @@ -1074,7 +1094,11 @@ function CreateMeshCentralServer(config, args) { const path = obj.path.join(obj.args.dbpushconfigfiles, files[i]), binary = Buffer.from(obj.fs.readFileSync(path, { encoding: 'binary' }), 'binary'); console.log('Pushing ' + file + ', ' + binary.length + ' bytes.'); lockCount++; - obj.db.setConfigFile(file, obj.db.encryptData(obj.args.configkey, binary), function () { if ((--lockCount) == 0) { console.log('Done.'); process.exit(); } }); + if (obj.args.oldencrypt) { + obj.db.setConfigFile(file, obj.db.oldEncryptData(obj.args.configkey, binary), function () { if ((--lockCount) == 0) { console.log('Done.'); process.exit(); } }); + } else { + obj.db.setConfigFile(file, obj.db.encryptData(obj.args.configkey, binary), function () { if ((--lockCount) == 0) { console.log('Done.'); process.exit(); } }); + } } } if (--lockCount == 0) { process.exit(); } diff --git a/webserver.js b/webserver.js index a95a11da..c22d8e22 100644 --- a/webserver.js +++ b/webserver.js @@ -6884,7 +6884,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF if (domain == null) { parent.debug('web', 'Got agent connection with bad domain or blocked IP address ' + req.clientIp + ', holding.'); return; } if (domain.agentkey && ((req.query.key == null) || (domain.agentkey.indexOf(req.query.key) == -1))) { return; } // If agent key is required and not provided or not valid, just hold the websocket and do nothing. //console.log('Agent connect: ' + req.clientIp); - try { obj.meshAgentHandler.CreateMeshAgent(obj, obj.db, ws, req, obj.args, domain); } catch (e) { console.log(e); } + try { obj.meshAgentHandler.CreateMeshAgent(obj, obj.db, ws, req, obj.args, domain); } catch (ex) { console.log(e); } }); // Setup MQTT broker over websocket