more Intel AMT ACM work...

This commit is contained in:
Ylian Saint-Hilaire 2019-06-22 22:06:50 -07:00
parent f1e6c49ed2
commit 82300f0cbe
7 changed files with 53 additions and 6 deletions

Binary file not shown.

Binary file not shown.

View File

@ -57,7 +57,13 @@ var Small_IntelAmtWebApp = "H4sIAAAAAAAEAHq/e7+Noou/c0hkgCuA0+pcchQHwq9CeXNgFzwZ
function onVerifyServer(clientName, certs) {
if (certs == null) { certs = clientName; } // Temporary thing until we fix duktape
try { for (var i in certs) { if (certs[i].fingerprint.replace(/:/g, '') == settings.serverhttpshash) { return; } } } catch (e) { }
if (serverhash != null) { console.log('Error: Failed to verify server certificate.'); throw 'Invalid server certificate'; }
console.log(settings.serverhttpshash);
if (settings.serverhttpshash != null) {
console.log('Error: Failed to verify server certificate.');
console.log('Server TLS hash: ' + certs[i].fingerprint.replace(/:/g, ''));
exit(255);
throw 'Invalid server certificate';
}
}
// Various utility functions
@ -927,7 +933,8 @@ function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {
// Establish WebSocket connection to activation server
var options = http.parseUri(settings.url);
options.checkServerIdentity = function (clientName, certs) { }; // TODO
//options.checkServerIdentity = function (clientName, certs) { }; // TODO
options.checkServerIdentity = onVerifyServer;
options.rejectUnauthorized = false;
var connection = http.request(options);
connection.on('upgrade', function (response, socket) {

11
agents/meshcmd.min.js vendored
View File

@ -57,7 +57,13 @@ var Small_IntelAmtWebApp = "H4sIAAAAAAAEAHq/e7+Noou/c0hkgCuA0+pcchQHwq9CeXNgFzwZ
function onVerifyServer(clientName, certs) {
if (certs == null) { certs = clientName; } // Temporary thing until we fix duktape
try { for (var i in certs) { if (certs[i].fingerprint.replace(/:/g, '') == settings.serverhttpshash) { return; } } } catch (e) { }
if (serverhash != null) { console.log('Error: Failed to verify server certificate.'); throw 'Invalid server certificate'; }
console.log(settings.serverhttpshash);
if (settings.serverhttpshash != null) {
console.log('Error: Failed to verify server certificate.');
console.log('Server TLS hash: ' + certs[i].fingerprint.replace(/:/g, ''));
exit(255);
throw 'Invalid server certificate';
}
}
// Various utility functions
@ -927,7 +933,8 @@ function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {
// Establish WebSocket connection to activation server
var options = http.parseUri(settings.url);
options.checkServerIdentity = function (clientName, certs) { }; // TODO
//options.checkServerIdentity = function (clientName, certs) { }; // TODO
options.checkServerIdentity = onVerifyServer;
options.rejectUnauthorized = false;
var connection = http.request(options);
connection.on('upgrade', function (response, socket) {

View File

@ -291,6 +291,15 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// Build server information object
var serverinfo = { name: domain.dns ? domain.dns : parent.certificates.CommonName, mpsname: parent.certificates.AmtMpsName, mpsport: mpsport, mpspass: args.mpspass, port: httpport, emailcheck: ((parent.parent.mailserver != null) && (domain.auth != 'sspi') && (domain.auth != 'ldap') && (args.lanonly != true) && (parent.certificates.CommonName != null) && (parent.certificates.CommonName.indexOf('.') != -1)), domainauth: ((domain.auth == 'sspi') || (domain.auth == 'ldap')) };
serverinfo.tlshash = Buffer.from(parent.webCertificateHashs[domain.id], 'binary').toString('hex').toUpperCase(); // SHA384 of server HTTPS certificate
if ((parent.parent.config.domains[domain.id].amtacmactivation != null) && (parent.parent.config.domains[domain.id].amtacmactivation.acmmatch != null)) {
var matchingDomains = [];
for (var i in parent.parent.config.domains[domain.id].amtacmactivation.acmmatch) {
var cn = parent.parent.config.domains[domain.id].amtacmactivation.acmmatch[i].cn;
if ((cn != '*') && (matchingDomains.indexOf(cn) == -1)) { matchingDomains.push(cn); }
}
if (matchingDomains.length > 0) { serverinfo.amtAcmFqdn = matchingDomains; }
}
if (args.notls == true) { serverinfo.https = false; } else { serverinfo.https = true; serverinfo.redirport = args.redirport; }
if (typeof domain.userconsentflags == 'number') { serverinfo.consent = domain.userconsentflags; }
if ((typeof domain.usersessionidletimeout == 'number') && (domain.usersessionidletimeout > 0)) { serverinfo.timeout = (domain.usersessionidletimeout * 60 * 1000); }

View File

@ -2577,6 +2577,9 @@
r += ' <a style=cursor:pointer;font-size:10px title="Add a new Intel&reg; AMT computer that is located on the local network." onclick=addDeviceToMesh(\"' + mesh._id + '\")>Add Local</a>';
r += ' <a style=cursor:pointer;font-size:10px title="Add a new Intel&reg; AMT computer by scanning the local network." onclick=addAmtScanToMesh(\"' + mesh._id + '\")>Scan Network</a>';
}
if ((features & 0x00100000) != 0) { // ACM activation
r += ' <a style=cursor:pointer;font-size:10px title="Perform Intel AMT admin control mode (ACM) activation." onclick=showAcmActivation(\"' + mesh._id + '\")>Activation</a>';
}
}
if (mesh.mtype == 2) {
r += ' <a style=cursor:pointer;font-size:10px title="Add a new computer to this mesh by installing the mesh agent." onclick=addAgentToMesh(\"' + mesh._id + '\")>Add Agent</a>';
@ -2599,6 +2602,27 @@
Q('dp1devicename').focus();
}
// Intel AMT Activation
function showAcmActivation(meshid) {
if (xxdialogMode) return;
var servername = serverinfo.name, mesh = meshes[meshid];
if ((servername.indexOf('.') == -1) || ((features & 2) != 0)) { servername = window.location.hostname; } // If the server name is not set or it's in LAN-only mode, use the URL hostname as server name.
var url, domainUrlNoSlash = domainUrl.substring(0, domainUrl.length - 1);
if (serverinfo.https == true) {
var portStr = (serverinfo.port == 443) ? '' : (":" + serverinfo.port);
url = "wss://" + servername + portStr + domainUrl;
} else {
var portStr = (serverinfo.port == 80) ? '' : (":" + serverinfo.port);
url = "ws://" + servername + portStr + domainUrl;
}
var x = "Perform Intel AMT admin control mode (ACM) activation to group \"" + EscapeHtml(mesh.name) + "\" by downloading the MeshCMD tool and running it like this:<br /><br />";
x += '<textarea readonly=readonly style=width:100%;resize:none;height:100px;overflow:auto;font-size:12px readonly>meshcmd amtacm --url ' + url + 'amtactivate?id=' + meshid.split('/')[2] + ' --serverhttpshash ' + serverinfo.tlshash + '</textarea>';
if (serverinfo.amtAcmFqdn != null) {
x += '<div style=margin-top:8px>Intel AMT will need to be set with a Trusted FQDN in MEBx or have a wired LAN on the network: <b>' + serverinfo.amtAcmFqdn.join(', ') + '</b></div>';
}
setDialogMode(2, "Intel&reg; AMT activation", 9, null, x);
}
// Display the Intel AMT scanning dialog box
function addAmtScanToMesh(meshid) {
if (xxdialogMode) return;

View File

@ -2215,7 +2215,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// Agent is asking the server to sign an Intel AMT ACM activation request
var signResponse = parent.certificateOperations.signAcmRequest(domain, cmd, 'admin', amtpassword, ws.remoteaddrport, null, ws.meshid, null, null);
ws.send(JSON.stringify(signResponse));
//ws.send(JSON.stringify(signResponse)); // DEBUG***************************
break;
}
default: {