From b5338b746af68af6d0660a97ecceff41b7c8214d Mon Sep 17 00:00:00 2001
From: Joko Sastriawan
Date: Tue, 15 Nov 2022 14:12:12 -0700
Subject: [PATCH] fix: AMT Direct TLS connection and Digest authentication

- fix: ensure TLS is used when TLS is enabled
- add constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION for TLS client connection for newer Nodejs
- ensure nc of AMT redirection Digest authentication to have at 8 bytes length
---
 interceptor.js | 2 +-
 views/default-mobile.handlebars | 7 ++++++-
 views/default.handlebars | 7 ++++++-
 webserver.js | 2 +-
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/interceptor.js b/interceptor.js
index 7585620e..c6e4a878 100644
--- a/interceptor.js
+++ b/interceptor.js
@@ -395,7 +395,7 @@ module.exports.CreateRedirInterceptor = function (args) {
 if (obj.amt.digestRealm) {
 // Replace this authentication digest with a server created one
 // We have everything we need to authenticate
- var nc = obj.ws.authCNonceCount;
+ var nc = '0'+ (10000000 + obj.ws.authCNonceCount).toString().substring(1);// set NC at least 8 bytes
 obj.ws.authCNonceCount++;
 var digest = obj.ComputeDigesthash(obj.args.user, obj.args.pass, obj.amt.digestRealm, 'POST', authurl, obj.amt.digestQOP, obj.amt.digestNonce, nc, obj.ws.authCNonce);
diff --git a/views/default-mobile.handlebars b/views/default-mobile.handlebars
index 58c2c549..a62288b3 100644
--- a/views/default-mobile.handlebars
+++ b/views/default-mobile.handlebars
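Review bot: The new `nc` expression on the `+` line does not pad, it wraps: `'0' + (10000000 + n).toString().substring(1)` discards the leading digit of the sum, so a count of 10,000,000 renders as `00000000` again (and from 100,000,000 the string grows to nine characters), which is exactly the replay signal a digest server tracking nonce counts is supposed to reject. `String(obj.ws.authCNonceCount).padStart(8, '0')` says what the trailing comment means and keeps the width for any count. Separately, RFC 2617/7616 define nc as eight hex digits, so if the AMT redirection digest follows that grammar the count should be `obj.ws.authCNonceCount.toString(16).padStart(8, '0')`; I cannot tell from this hunk which form the firmware validates, so check it against what ComputeDigesthash's other callers send. The enclosing CreateRedirInterceptor body starts well before the hunk.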
@@ -4173,7 +4173,12 @@
 desktop.m.useZRLE = (desktopsettings.encoding < 3);
 desktop.m.showmouse = true;
 desktop.m.onScreenSizeChange = function (o, x, y) { if (fullscreen) { QS('deskarea3').width = (x * fullscreenzoom) + 'px'; QS('deskarea3').height = (y * fullscreenzoom) + 'px'; } deskAdjust(); }
- desktop.Start(desktopNode._id, 16994, '*', '*', 0);
+ // Use TLS if TLS is set
+ if (desktopNode.conn==4 && desktopNode.intelamt!=null && desktopNode.intelamt.tls==1) {
+ desktop.Start(desktopNode._id, 16995, '*', '*', 1);
+ } else {
+ desktop.Start(desktopNode._id, 16994, '*', '*', 0);
+ }
 desktop.contype = 2;
 } else if ((contype == null) || (contype == 1) || ((contype == 3) && (currentNode.agent.id > 4))) {
 // Setup the Mesh Agent remote desktop
diff --git a/views/default.handlebars b/views/default.handlebars
index 59ed2830..1449d1d3 100644
--- a/views/default.handlebars
+++ b/views/default.handlebars
@@ -8904,7 +8904,12 @@
 }
 }
 };
- desktop.Start(desktopNode._id, 16994, '*', '*', 0);
+ // Use TLS if TLS is set
+ if (desktopNode.conn==4 && desktopNode.intelamt!=null && desktopNode.intelamt.tls==1) {
+ desktop.Start(desktopNode._id, 16995, '*', '*', 1);
+ } else {
+ desktop.Start(desktopNode._id, 16994, '*', '*', 0);
+ }
 desktop.contype = 2;
 } else if ((contype == null) || (contype == 1) || ((contype == 3) && ((currentNode.agent.id > 4) && ((debugmode == null))))) {
 // Setup the Mesh Agent remote desktop
diff --git a/webserver.js b/webserver.js
index df4d5b94..463c1220 100644
--- a/webserver.js
+++ b/webserver.js
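Review bot: The `else` branch of the new block quietly opens a plaintext connection on 16994 even when `desktopNode.intelamt.tls==1`, as long as `desktopNode.conn` is anything other than 4; if a node can carry the AMT TLS flag in another connection mode, that is a silent downgrade the operator gets no signal about, and if that combination cannot occur the comment should say so rather than the tautological `// Use TLS if TLS is set`. I would write `// Direct AMT connection (conn 4): use the TLS redirection port 16995 when the device's AMT TLS flag is set; every other case stays on plaintext 16994`. The value comparisons should also be strict, `desktopNode.conn === 4 && desktopNode.intelamt != null && desktopNode.intelamt.tls === 1`, so that a string `"1"` arriving through a JSON or template path is not what decides the transport. The surrounding `if`/`else if` chain opens before the hunk and closes after it.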
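Review bot: The six added lines are a byte-for-byte copy of the block added to default-mobile.handlebars, and both leave the reader to decode two magic ports and a bare trailing `1`/`0` argument to `desktop.Start`; since the two templates cannot share a helper, at least name the values once above the branch, `var amtRedirPort = 16994, amtRedirTlsPort = 16995; // Intel AMT redirection ports, plaintext / TLS`, and pass them in both calls. The last argument to `desktop.Start` looks like a TLS flag from how it is used here, but the hunk does not show the signature, so the comment should state that rather than leave it to the reader. Strict `===` on `conn` and `tls` would match the `== null` idiom already used for `intelamt`. The enclosing `if`/`else if` chain is only partly visible in the hunk.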
@@ -4826,7 +4826,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
 ws._socket.resume();
 } else {
 // If TLS is going to be used, setup a TLS socket
- var tlsoptions = { ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE, rejectUnauthorized: false };
+ var tlsoptions = { ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, rejectUnauthorized: false };
 if (req.query.tls1only == 1) { tlsoptions.secureProtocol = 'TLSv1_method'; }
 ws.forwardclient = obj.tls.connect(port, node.host, tlsoptions, function () {
 // The TLS connection method is the same as TCP, but located a bit differently.
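Review bot: `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` on the `+` line re-enables the pre-RFC 5746 renegotiation that OpenSSL 3 (and therefore Node 17+) turns off because of CVE-2009-3555, and it is now applied to every outbound AMT TLS connection unconditionally, next to the existing `rejectUnauthorized: false`, so an on-path attacker facing one of these connections gets both an unverified peer and the renegotiation prefix-injection window. If some AMT firmware genuinely cannot complete a handshake without it, gate the bit on an explicit per-node or server option rather than the default and record why: `var secureOptions = constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE;` followed by `if (allowLegacyRenegotiation) { secureOptions |= constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; } // AMT firmware without RFC 5746 secure renegotiation fails the handshake otherwise`, with `allowLegacyRenegotiation` derived from whatever config surface this server already has (I cannot see one in the hunk). Note that on Node builds whose `constants` lacks the symbol, `| undefined` silently evaluates to `| 0`, so the absence goes unnoticed rather than failing loudly. The enclosing CreateWebServer function begins long before this hunk.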