From 06cb618b9c627ebbdf3fd117c8fda644f66dcb24 Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Sat, 24 Oct 2020 23:34:00 -0700
Subject: [PATCH] AMT Manager now configures randomized MPS passwords.

---
 amtmanager.js | 24 +++++++++++++++---------
 db.js | 11 ++++++++---
 meshuser.js | 5 ++++-
 webserver.js | 9 +++++----
 4 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/amtmanager.js b/amtmanager.js
index 01bbf790..eeff17c4 100644
--- a/amtmanager.js
+++ b/amtmanager.js
@@ -614,14 +614,15 @@ module.exports.CreateAmtManager = function (parent) {
 // Check if anything changes
 if (device.intelamt == null) { device.intelamt = {}; }
- if (dev.aquired.version && (typeof dev.aquired.version == 'string') && (dev.aquired.version != device.intelamt.ver)) { change = 1; log = 1; device.intelamt.ver = dev.aquired.version; changes.push('AMT version'); }
- if (dev.aquired.user && (typeof dev.aquired.user == 'string') && (dev.aquired.user != device.intelamt.user)) { change = 1; log = 1; device.intelamt.user = dev.aquired.user; changes.push('AMT user'); }
- if (dev.aquired.pass && (typeof dev.aquired.pass == 'string') && (dev.aquired.pass != device.intelamt.pass)) { change = 1; log = 1; device.intelamt.pass = dev.aquired.pass; changes.push('AMT pass'); }
- if (dev.aquired.host && (typeof dev.aquired.host == 'string') && (dev.aquired.host != device.host)) { change = 1; log = 1; device.host = dev.aquired.host; changes.push('host'); }
- if (dev.aquired.realm && (typeof dev.aquired.realm == 'string') && (dev.aquired.realm != device.intelamt.realm)) { change = 1; log = 1; device.intelamt.realm = dev.aquired.realm; changes.push('AMT realm'); }
- if (dev.aquired.hash && (typeof dev.aquired.hash == 'string') && (dev.aquired.hash != device.intelamt.hash)) { change = 1; log = 1; device.intelamt.hash = dev.aquired.hash; changes.push('AMT hash'); }
- if (dev.aquired.tls && (typeof dev.aquired.tls == 'number') && (dev.aquired.tls != device.intelamt.tls)) { change = 1; log = 1; device.intelamt.tls = dev.aquired.tls; changes.push('AMT TLS'); }
- if ((dev.aquired.state != null) && (typeof dev.aquired.state == 'number') && (dev.aquired.state != device.intelamt.state)) { change = 1; log = 1; device.intelamt.state = dev.aquired.state; changes.push('AMT state'); }
+ if ((typeof dev.aquired.version == 'string') && (dev.aquired.version != device.intelamt.ver)) { change = 1; log = 1; device.intelamt.ver = dev.aquired.version; changes.push('AMT version'); }
+ if ((typeof dev.aquired.user == 'string') && (dev.aquired.user != device.intelamt.user)) { change = 1; log = 1; device.intelamt.user = dev.aquired.user; changes.push('AMT user'); }
+ if ((typeof dev.aquired.pass == 'string') && (dev.aquired.pass != device.intelamt.pass)) { change = 1; log = 1; device.intelamt.pass = dev.aquired.pass; changes.push('AMT pass'); }
+ if ((typeof dev.aquired.mpspass == 'string') && (dev.aquired.mpspass != device.intelamt.mpspass)) { change = 1; log = 1; device.intelamt.mpspass = dev.aquired.mpspass; changes.push('AMT MPS pass'); }
+ if ((typeof dev.aquired.host == 'string') && (dev.aquired.host != device.host)) { change = 1; log = 1; device.host = dev.aquired.host; changes.push('host'); }
+ if ((typeof dev.aquired.realm == 'string') && (dev.aquired.realm != device.intelamt.realm)) { change = 1; log = 1; device.intelamt.realm = dev.aquired.realm; changes.push('AMT realm'); }
+ if ((typeof dev.aquired.hash == 'string') && (dev.aquired.hash != device.intelamt.hash)) { change = 1; log = 1; device.intelamt.hash = dev.aquired.hash; changes.push('AMT hash'); }
+ if ((typeof dev.aquired.tls == 'number') && (dev.aquired.tls != device.intelamt.tls)) { change = 1; log = 1; device.intelamt.tls = dev.aquired.tls; changes.push('AMT TLS'); }
+ if ((typeof dev.aquired.state == 'number') && (dev.aquired.state != device.intelamt.state)) { change = 1; log = 1; device.intelamt.state = dev.aquired.state; changes.push('AMT state'); }
 // Intel AMT Warning Flags: 1 = Unknown credentials, 2 = Realm Mismatch, 4 = TLS Cert Mismatch
 if ((typeof dev.aquired.warn == 'number')) {
 if ((dev.aquired.warn == 0) && (device.intelamt.warn != null)) { delete device.intelamt.warn; change = 1; } else if (dev.aquired.warn != device.intelamt.warn) { device.intelamt.warn = dev.aquired.warn; change = 1; }
 }
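Review bot: Dropping the truthiness guards makes an empty string a real value: with `(typeof dev.aquired.pass == 'string')` alone, `pass == ''` or `mpspass == ''` now overwrites the stored credential and is recorded as a change, where the removed `dev.aquired.pass &&` form skipped it. If clearing a stored credential this way is intended, a comment such as `// An empty string intentionally clears the stored credential` on the pass and mpspass lines would make that explicit; otherwise add `&& (dev.aquired.pass !== '')` (and the mpspass equivalent) to those two conditions. The enclosing function starts and ends outside the hunk.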
@@ -1165,6 +1166,7 @@ module.exports.CreateAmtManager = function (parent) {
 var serverNameSplit = dev.cira.mpsName.split('.');
 dev.cira.mpsPort = ((parent.args.mpsaliasport != null) ? parent.args.mpsaliasport : parent.args.mpsport);
 dev.cira.mpsAddressFormat = 201; // 201 = FQDN, 3 = IPv4
+ dev.cira.mpsPass = getRandomAmtPassword();
 if ((serverNameSplit.length == 4) && (parseInt(serverNameSplit[0]) == serverNameSplit[0]) && (parseInt(serverNameSplit[1]) == serverNameSplit[1]) && (parseInt(serverNameSplit[2]) == serverNameSplit[2]) && (parseInt(serverNameSplit[3]) == serverNameSplit[3])) { dev.cira.mpsAddressFormat = 3; }
 // Check if our server is already present
@@ -1207,7 +1209,7 @@ module.exports.CreateAmtManager = function (parent) {
 function addMpsServer(dev) {
 // Add the MPS server if not present
 if (dev.cira.mpsPresent == null) {
- dev.amtstack.AMT_RemoteAccessService_AddMpServer(dev.cira.mpsName, dev.cira.mpsAddressFormat, dev.cira.mpsPort, 2, null, dev.cira.meshidx, 'P@ssw0rd', dev.cira.mpsName, function (stack, name, response, status) {
+ dev.amtstack.AMT_RemoteAccessService_AddMpServer(dev.cira.mpsName, dev.cira.mpsAddressFormat, dev.cira.mpsPort, 2, null, dev.cira.meshidx, dev.cira.mpsPass, dev.cira.mpsName, function (stack, name, response, status) {
 const dev = stack.dev;
 if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
 if (status != 200) { dev.consoleMsg("Failed to create new MPS server (" + status + ")."); removeAmtDevice(dev); return; }
@@ -1215,6 +1217,10 @@ module.exports.CreateAmtManager = function (parent) {
 dev.cira.mpsPresent = getItem(response.Body.MpServer.ReferenceParameters.SelectorSet.Selector, '@Name', 'Name').Value;
 dev.consoleMsg("Created new MPS server.");
 addMpsPolicy(dev);
+
+ // Update the device with the MPS password
+ dev.aquired.mpspass = dev.cira.mpsPass;
+ UpdateDevice(dev);
 });
 } else {
 // MPS server is present, check MPS trigger policy
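Review bot: The random password only reaches devices that have no MPS entry yet, because the `AMT_RemoteAccessService_AddMpServer` call in the -1207 hunk sits under `if (dev.cira.mpsPresent == null)`; nodes provisioned before this commit keep the static 'P@ssw0rd' it removes unless something outside this diff re-provisions them, which deserves a comment on that branch, e.g. `// Existing MPS entries are left unchanged; devices set up with the old fixed password are not rotated here`. In the -1215 hunk `dev.aquired.mpspass` is written only after the device has accepted the entry, so if `UpdateDevice(dev)` does not reach the database the device holds a password the server never recorded, and since mpsPresent is then set this branch will presumably not run again. Whether `getRandomAmtPassword()` (-1165 hunk) draws from a cryptographic source and satisfies the AMT MPS password rules cannot be judged from this diff. `addMpsServer` continues past the end of the hunk.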
diff --git a/db.js b/db.js
index 4a1464fe..f58db236 100644
--- a/db.js
+++ b/db.js
@@ -276,7 +276,7 @@ module.exports.CreateDB = function (parent, func) {
 function performTypedRecordEncrypt(data) {
 if (obj.dbRecordsEncryptKey == null) return data;
 if (data.type == 'user') { return performPartialRecordEncrypt(Clone(data), ['otpkeys', 'otphkeys', 'otpsecret', 'salt', 'hash', 'oldpasswords']); }
- else if ((data.type == 'node') && (data.intelamt != null)) { var xdata = Clone(data); xdata.intelamt = performPartialRecordEncrypt(xdata.intelamt, ['user', 'pass']); return xdata; }
+ else if ((data.type == 'node') && (data.intelamt != null)) { var xdata = Clone(data); xdata.intelamt = performPartialRecordEncrypt(xdata.intelamt, ['user', 'pass', 'mpspass']); return xdata; }
 else if ((data.type == 'mesh') && (data.amt != null)) { var xdata = Clone(data); xdata.amt = performPartialRecordEncrypt(xdata.amt, ['password']); return xdata; }
 return data;
 }
@@ -1566,7 +1566,10 @@ module.exports.CreateDB = function (parent, func) {
 function dbNodeChange(nodeChange, added) {
 common.unEscapeLinksFieldName(nodeChange.fullDocument);
 const node = nodeChange.fullDocument;
- if (node.intelamt && node.intelamt.pass) { delete node.intelamt.pass; } // Remove the Intel AMT password before eventing this.
+ if (node.intelamt != null) { // Remove the Intel AMT password and MPS password before eventing this.
+ if (node.intelamt.pass != null) { node.intelamt.pass = 1; }
+ if (node.intelamt.mpspass != null) { node.intelamt.mpspass = 1; }
+ }
 parent.DispatchEvent(['*', node.meshid], obj, { etype: 'node', action: (added ? 'addnode' : 'changenode'), node: node, nodeid: node._id, domain: node.domain, nolog: 1 });
 }
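Review bot: The comment on the new `if (node.intelamt != null) {` line in the -1566 hunk still says the passwords are removed, but the code now replaces them with the sentinel `1`; the same wording survives in the -1587 hunk, in meshuser.js and in both webserver.js hunks. Suggest `// Replace the Intel AMT and MPS passwords with a presence marker (1) before eventing this.` so readers do not expect the field to be absent, and any consumer that previously tested for absence should be checked against the now-truthy `1`. If the decrypt counterpart of `performTypedRecordEncrypt` (-276 hunk) carries its own per-type field list, 'mpspass' needs adding there as well, which this diff does not show.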
@@ -1587,7 +1590,9 @@ module.exports.CreateDB = function (parent, func) {
 mesh.nolog = 1;
 delete mesh.type;
 delete mesh._id;
- if (mesh.amt) { delete mesh.amt.password; } // Remove the Intel AMT password if present
+ if (mesh.amt != null) {
+ if (delete mesh.amt.password != null) { mesh.amt.password = 1; } // Remove the Intel AMT password if present
+ }
 parent.DispatchEvent(['*', mesh.meshid], obj, mesh);
 }
diff --git a/meshuser.js b/meshuser.js
index dfe06a4c..09d2a41d 100644
--- a/meshuser.js
+++ b/meshuser.js
@@ -674,7 +674,10 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
 delete docs[i].meshid;
 // Remove Intel AMT credential if present
- if (docs[i].intelamt != null && docs[i].intelamt.pass != null) { delete docs[i].intelamt.pass; }
+ if (docs[i].intelamt != null) {
+ if (docs[i].intelamt.pass != null) { docs[i].intelamt.pass = 1; }
+ if (docs[i].intelamt.mpspass != null) { docs[i].intelamt.mpspass = 1; }
+ }
 // If GeoLocation not enabled, remove any node location information
 if (domain.geolocation != true) {
diff --git a/webserver.js b/webserver.js
index d9f75994..d1d0cd38 100644
--- a/webserver.js
+++ b/webserver.js
@@ -5899,10 +5899,11 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 obj.CloneSafeNode = function (node) {
 if (typeof node != 'object') { return node; }
 var r = node;
- if (r.intelamt && r.intelamt.pass) {
+ if ((r.intelamt != null) && ((r.intelamt.pass != null) || (r.intelamt.mpspass != null))) {
 r = Object.assign({}, r); // Shallow clone
 r.intelamt = Object.assign({}, r.intelamt); // Shallow clone
- delete r.intelamt.pass; // Remove the Intel AMT password from the node
+ if (r.intelamt.pass != null) { r.intelamt.pass = 1; }; // Remove the Intel AMT administrator password from the node
+ if (r.intelamt.mpspass != null) { r.intelamt.mpspass = 1; }; // Remove the Intel AMT MPS password from the node
 }
 return r;
 }
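Review bot: `if (delete mesh.amt.password != null)` in the -1587 hunk does not test for presence: `delete` binds tighter than `!=`, so the property is deleted first and the comparison becomes `true != null`, which always holds; every mesh event therefore gains `amt.password = 1` even when no AMT password was configured, and the "if present" intent of the comment is lost. The line should read `if (mesh.amt.password != null) { mesh.amt.password = 1; } // Replace the Intel AMT password with a presence marker if present`, matching the form used in the -1566 hunk of this file and in the meshuser.js hunk. The enclosing function begins before the hunk.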
@@ -5911,10 +5912,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 obj.CloneSafeMesh = function (mesh) {
 if (typeof mesh != 'object') { return mesh; }
 var r = mesh;
- if (r.amt && r.amt.password) {
+ if ((r.amt != null) && (r.amt.password != null)) {
 r = Object.assign({}, r); // Shallow clone
 r.amt = Object.assign({}, r.amt); // Shallow clone
- delete r.amt.password; // Remove the Intel AMT password from the policy
+ if (r.amt.password != null) { r.amt.password = 1; } // Remove the Intel AMT password from the policy
 }
 return r;
 }
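Review bot: The inner `if (r.amt.password != null)` in the -5911 hunk is redundant, since the enclosing `(r.amt != null) && (r.amt.password != null)` already guarantees it; the body can be `r.amt.password = 1; // Replace the Intel AMT password with a presence marker` on its own. The inner checks in the -5899 hunk are needed because that outer condition is an OR, but the trailing `};` after each of its if blocks leaves stray empty statements and should be `}`.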