Improved configuration file encryption in the database, added testing.
This commit is contained in:
Ylian Saint-Hilaire
parent
5b76a31644
commit
fc29e60939
57
db.js
57
db.js
|
|
@ -422,26 +422,21 @@ module.exports.CreateDB = function (parent, func) {
|
|||
let key;
|
||||
try {
|
||||
key = parent.crypto.pbkdf2Sync(password, salt, iterations, 32, 'sha384');
|
||||
} catch (e) {
|
||||
} catch (ex) {
|
||||
// If this previous call fails, it's probably because older pbkdf2 did not specify the hashing function, just use the default.
|
||||
key = parent.crypto.pbkdf2Sync(password, salt, iterations, 32);
|
||||
}
|
||||
return key
|
||||
}
|
||||
|
||||
obj.oldGetEncryptDataKey = function (password) {
|
||||
if (typeof password != 'string') return null;
|
||||
return parent.crypto.createHash('sha384').update(password).digest("raw").slice(0, 32);
|
||||
}
|
||||
|
||||
// Encrypt data
|
||||
obj.encryptData = function (password, plaintext) {
|
||||
let encryptionVersion = 0x1;
|
||||
let encryptionVersion = 0x01;
|
||||
let iterations = 100000
|
||||
const iv = parent.crypto.randomBytes(16);
|
||||
var key = obj.getEncryptDataKey(password, iv, iterations);
|
||||
if (key == null) return null;
|
||||
const aes = parent.crypto.createCipheriv("aes-256-gcm", key, iv);
|
||||
const aes = parent.crypto.createCipheriv('aes-256-gcm', key, iv);
|
||||
var ciphertext = aes.update(plaintext);
|
||||
let versionbuf = Buffer.allocUnsafe(2);
|
||||
versionbuf.writeUInt16BE(encryptionVersion);
|
||||
|
|
@ -454,35 +449,55 @@ module.exports.CreateDB = function (parent, func) {
|
|||
|
||||
// Decrypt data
|
||||
obj.decryptData = function (password, ciphertext) {
|
||||
let ciphertextBytes = Buffer.from(ciphertext, 'base64');
|
||||
try {
|
||||
const iv = ciphertextBytes.slice(0, 16);
|
||||
const data = ciphertextBytes.slice(16);
|
||||
let key = obj.oldGetEncryptDataKey(password);
|
||||
const aes = parent.crypto.createDecipheriv("aes-256-cbc", key, iv);
|
||||
let plaintextBytes = Buffer.from(aes.update(data));
|
||||
plaintextBytes = Buffer.concat([plaintextBytes, aes.final()]);
|
||||
return plaintextBytes;
|
||||
} catch (e) {}
|
||||
// Adding an encryption version lets us avoid try catching in the future
|
||||
let ciphertextBytes = Buffer.from(ciphertext, 'base64');
|
||||
let encryptionVersion = ciphertextBytes.readUInt16BE(0);
|
||||
try {
|
||||
switch (encryptionVersion) {
|
||||
case 0x1:
|
||||
case 0x01:
|
||||
let iterations = ciphertextBytes.readUInt32BE(2);
|
||||
let authTag = ciphertextBytes.slice(6, 22);
|
||||
const iv = ciphertextBytes.slice(22, 38);
|
||||
const data = ciphertextBytes.slice(38);
|
||||
let key = obj.getEncryptDataKey(password, iv, iterations);
|
||||
if (key == null) return null;
|
||||
const aes = parent.crypto.createDecipheriv("aes-256-gcm", key, iv);
|
||||
const aes = parent.crypto.createDecipheriv('aes-256-gcm', key, iv);
|
||||
aes.setAuthTag(authTag);
|
||||
let plaintextBytes = Buffer.from(aes.update(data));
|
||||
plaintextBytes = Buffer.concat([plaintextBytes, aes.final()]);
|
||||
return plaintextBytes;
|
||||
default:
|
||||
return null;
|
||||
return obj.oldDecryptData(password, ciphertextBytes);
|
||||
}
|
||||
} catch (ex) { return obj.oldDecryptData(password, ciphertextBytes); }
|
||||
}
|
||||
|
||||
// Encrypt data
|
||||
// The older encryption system uses CBC without integraty checking.
|
||||
// This method is kept only for testing
|
||||
obj.oldEncryptData = function (password, plaintext) {
|
||||
let key = parent.crypto.createHash('sha384').update(password).digest('raw').slice(0, 32);
|
||||
if (key == null) return null;
|
||||
const iv = parent.crypto.randomBytes(16);
|
||||
const aes = parent.crypto.createCipheriv('aes-256-cbc', key, iv);
|
||||
var ciphertext = aes.update(plaintext);
|
||||
ciphertext = Buffer.concat([iv, ciphertext, aes.final()]);
|
||||
return ciphertext.toString('base64');
|
||||
}
|
||||
|
||||
// Decrypt data
|
||||
// The older encryption system uses CBC without integraty checking.
|
||||
// This method is kept only to convert the old encryption to the new one.
|
||||
obj.oldDecryptData = function (password, ciphertextBytes) {
|
||||
if (typeof password != 'string') return null;
|
||||
try {
|
||||
const iv = ciphertextBytes.slice(0, 16);
|
||||
const data = ciphertextBytes.slice(16);
|
||||
let key = parent.crypto.createHash('sha384').update(password).digest('raw').slice(0, 32);
|
||||
const aes = parent.crypto.createDecipheriv('aes-256-cbc', key, iv);
|
||||
let plaintextBytes = Buffer.from(aes.update(data));
|
||||
plaintextBytes = Buffer.concat([plaintextBytes, aes.final()]);
|
||||
return plaintextBytes;
|
||||
} catch (ex) { return null; }
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -139,7 +139,7 @@ function CreateMeshCentralServer(config, args) {
|
|||
try { require('./pass').hash('test', function () { }, 0); } catch (ex) { console.log('Old version of node, must upgrade.'); return; } // TODO: Not sure if this test works or not.
|
||||
|
||||
// Check for invalid arguments
|
||||
const validArguments = ['_', 'user', 'port', 'aliasport', 'mpsport', 'mpsaliasport', 'redirport', 'rediraliasport', 'cert', 'mpscert', 'deletedomain', 'deletedefaultdomain', 'showall', 'showusers', 'showitem', 'listuserids', 'showusergroups', 'shownodes', 'showallmeshes', 'showmeshes', 'showevents', 'showsmbios', 'showpower', 'clearpower', 'showiplocations', 'help', 'exactports', 'xinstall', 'xuninstall', 'install', 'uninstall', 'start', 'stop', 'restart', 'debug', 'filespath', 'datapath', 'noagentupdate', 'launch', 'noserverbackup', 'mongodb', 'mongodbcol', 'wanonly', 'lanonly', 'nousers', 'mpspass', 'ciralocalfqdn', 'dbexport', 'dbexportmin', 'dbimport', 'dbmerge', 'dbfix', 'dbencryptkey', 'selfupdate', 'tlsoffload', 'usenodedefaulttlsciphers', 'tlsciphers', 'userallowedip', 'userblockedip', 'swarmallowedip', 'agentallowedip', 'agentblockedip', 'fastcert', 'swarmport', 'logintoken', 'logintokenkey', 'logintokengen', 'mailtokengen', 'admin', 'unadmin', 'sessionkey', 'sessiontime', 'minify', 'minifycore', 'dblistconfigfiles', 'dbshowconfigfile', 'dbpushconfigfiles', 'dbpullconfigfiles', 'dbdeleteconfigfiles', 'vaultpushconfigfiles', 'vaultpullconfigfiles', 'vaultdeleteconfigfiles', 'configkey', 'loadconfigfromdb', 'npmpath', 'serverid', 'recordencryptionrecode', 'vault', 'token', 'unsealkey', 'name', 'log', 'dbstats', 'translate', 'createaccount', 'setuptelegram', 'resetaccount', 'pass', 'removesubdomain', 'adminaccount', 'domain', 'email', 'configfile', 'maintenancemode', 'nedbtodb', 'removetestagents', 'agentupdatetest', 'hashpassword', 'hashpass', 'indexmcrec', 'mpsdebug', 'dumpcores', 'dev', 'mysql', 'mariadb', 'trustedproxy'];
|
||||
const validArguments = ['_', 'user', 'port', 'aliasport', 'mpsport', 'mpsaliasport', 'redirport', 'rediraliasport', 'cert', 'mpscert', 'deletedomain', 'deletedefaultdomain', 'showall', 'showusers', 'showitem', 'listuserids', 'showusergroups', 'shownodes', 'showallmeshes', 'showmeshes', 'showevents', 'showsmbios', 'showpower', 'clearpower', 'showiplocations', 'help', 'exactports', 'xinstall', 'xuninstall', 'install', 'uninstall', 'start', 'stop', 'restart', 'debug', 'filespath', 'datapath', 'noagentupdate', 'launch', 'noserverbackup', 'mongodb', 'mongodbcol', 'wanonly', 'lanonly', 'nousers', 'mpspass', 'ciralocalfqdn', 'dbexport', 'dbexportmin', 'dbimport', 'dbmerge', 'dbfix', 'dbencryptkey', 'selfupdate', 'tlsoffload', 'usenodedefaulttlsciphers', 'tlsciphers', 'userallowedip', 'userblockedip', 'swarmallowedip', 'agentallowedip', 'agentblockedip', 'fastcert', 'swarmport', 'logintoken', 'logintokenkey', 'logintokengen', 'mailtokengen', 'admin', 'unadmin', 'sessionkey', 'sessiontime', 'minify', 'minifycore', 'dblistconfigfiles', 'dbshowconfigfile', 'dbpushconfigfiles', 'oldencrypt', 'dbpullconfigfiles', 'dbdeleteconfigfiles', 'vaultpushconfigfiles', 'vaultpullconfigfiles', 'vaultdeleteconfigfiles', 'configkey', 'loadconfigfromdb', 'npmpath', 'serverid', 'recordencryptionrecode', 'vault', 'token', 'unsealkey', 'name', 'log', 'dbstats', 'translate', 'createaccount', 'setuptelegram', 'resetaccount', 'pass', 'removesubdomain', 'adminaccount', 'domain', 'email', 'configfile', 'maintenancemode', 'nedbtodb', 'removetestagents', 'agentupdatetest', 'hashpassword', 'hashpass', 'indexmcrec', 'mpsdebug', 'dumpcores', 'dev', 'mysql', 'mariadb', 'trustedproxy'];
|
||||
for (var arg in obj.args) { obj.args[arg.toLocaleLowerCase()] = obj.args[arg]; if (validArguments.indexOf(arg.toLocaleLowerCase()) == -1) { console.log('Invalid argument "' + arg + '", use --help.'); return; } }
|
||||
const ENVVAR_PREFIX = "meshcentral_"
|
||||
let envArgs = []
|
||||
|
|
@ -1029,7 +1029,27 @@ function CreateMeshCentralServer(config, args) {
|
|||
|
||||
// Show a list of all configuration files in the database
|
||||
if (obj.args.dblistconfigfiles) {
|
||||
obj.db.GetAllType('cfile', function (err, docs) { if (err == null) { if (docs.length == 0) { console.log("No files found."); } else { for (var i in docs) { console.log(docs[i]._id.split('/')[1] + ', ' + Buffer.from(docs[i].data, 'base64').length + ' bytes.'); } } } else { console.log('Unable to read from database.'); } process.exit(); }); return;
|
||||
obj.db.GetAllType('cfile', function (err, docs) {
|
||||
if (err == null) {
|
||||
if (docs.length == 0) {
|
||||
console.log("No files found.");
|
||||
} else {
|
||||
for (var i in docs) {
|
||||
if (typeof obj.args.dblistconfigfiles == 'string') {
|
||||
const data = obj.db.decryptData(obj.args.dblistconfigfiles, docs[i].data);
|
||||
if (data == null) {
|
||||
console.log(docs[i]._id.split('/')[1] + ', ' + Buffer.from(docs[i].data, 'base64').length + ' encrypted bytes - Unable to decrypt.');
|
||||
} else {
|
||||
console.log(docs[i]._id.split('/')[1] + ', ' + data.length + ' bytes, decoded correctly.');
|
||||
}
|
||||
} else {
|
||||
console.log(docs[i]._id.split('/')[1] + ', ' + Buffer.from(docs[i].data, 'base64').length + ' encrypted bytes.');
|
||||
}
|
||||
}
|
||||
}
|
||||
} else { console.log('Unable to read from database.'); } process.exit();
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
// Display the content of a configuration file in the database
|
||||
|
|
@ -1074,7 +1094,11 @@ function CreateMeshCentralServer(config, args) {
|
|||
const path = obj.path.join(obj.args.dbpushconfigfiles, files[i]), binary = Buffer.from(obj.fs.readFileSync(path, { encoding: 'binary' }), 'binary');
|
||||
console.log('Pushing ' + file + ', ' + binary.length + ' bytes.');
|
||||
lockCount++;
|
||||
obj.db.setConfigFile(file, obj.db.encryptData(obj.args.configkey, binary), function () { if ((--lockCount) == 0) { console.log('Done.'); process.exit(); } });
|
||||
if (obj.args.oldencrypt) {
|
||||
obj.db.setConfigFile(file, obj.db.oldEncryptData(obj.args.configkey, binary), function () { if ((--lockCount) == 0) { console.log('Done.'); process.exit(); } });
|
||||
} else {
|
||||
obj.db.setConfigFile(file, obj.db.encryptData(obj.args.configkey, binary), function () { if ((--lockCount) == 0) { console.log('Done.'); process.exit(); } });
|
||||
}
|
||||
}
|
||||
}
|
||||
if (--lockCount == 0) { process.exit(); }
|
||||
|
|
|
|||
|
|
@ -6884,7 +6884,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
|
|||
if (domain == null) { parent.debug('web', 'Got agent connection with bad domain or blocked IP address ' + req.clientIp + ', holding.'); return; }
|
||||
if (domain.agentkey && ((req.query.key == null) || (domain.agentkey.indexOf(req.query.key) == -1))) { return; } // If agent key is required and not provided or not valid, just hold the websocket and do nothing.
|
||||
//console.log('Agent connect: ' + req.clientIp);
|
||||
try { obj.meshAgentHandler.CreateMeshAgent(obj, obj.db, ws, req, obj.args, domain); } catch (e) { console.log(e); }
|
||||
try { obj.meshAgentHandler.CreateMeshAgent(obj, obj.db, ws, req, obj.args, domain); } catch (ex) { console.log(e); }
|
||||
});
|
||||
|
||||
// Setup MQTT broker over websocket
|
||||
|
|
|
|||
Loading…
Reference in New Issue