EverydayTech Platform - Developer Reference
Complete Source Code Documentation - All Applications
Loading...
Searching...
No Matches
mpsserver.js
Go to the documentation of this file.
1/**
2* @description MeshCentral Intel(R) AMT MPS server
3* @author Ylian Saint-Hilaire
4* @copyright Intel Corporation 2018-2022
5* @license Apache-2.0
6* @version v0.0.1
7*/
8
9/*jslint node: true */
10/*jshint node: true */
11/*jshint strict:false */
12/*jshint -W097 */
13/*jshint esversion: 6 */
14'use strict';
15
16// Construct a Intel AMT MPS server object
17module.exports.CreateMpsServer = function (parent, db, args, certificates) {
18 var obj = {};
19 obj.fs = require('fs');
20 obj.path = require('path');
21 obj.parent = parent;
22 obj.db = db;
23 obj.args = args;
24 obj.certificates = certificates;
25 obj.ciraConnections = {}; // NodeID --> [ Socket ]
26 var tlsSessionStore = {}; // Store TLS session information for quick resume.
27 var tlsSessionStoreCount = 0; // Number of cached TLS session information in store.
28 const constants = (require('crypto').constants ? require('crypto').constants : require('constants')); // require('constants') is deprecated in Node 11.10, use require('crypto').constants instead.
29 const common = require('./common.js');
30 const net = require('net');
31 const tls = require('tls');
32 const MAX_IDLE = 90000; // 90 seconds max idle time, higher than the typical KEEP-ALIVE periode of 60 seconds
33 const KEEPALIVE_INTERVAL = 30; // 30 seconds is typical keepalive interval for AMT CIRA connection
34
35 // This MPS server is also a tiny HTTPS server. HTTP responses are here.
36 obj.httpResponses = {
37 '/': '<!DOCTYPE html><html><head><meta charset=\"UTF-8\"></head><body>MeshCentral MPS server.<br />Intel&reg; AMT computers should connect here.</body></html>'
38 //'/text.ico': { file: 'c:\\temp\\test.iso', maxserve: 3, maxtime: Date.now() + 15000 }
39 };
40
41 // Set the MPS external port only if it's not set to zero and we are not in LAN mode.
42 if ((args.lanonly != true) && (args.mpsport !== 0)) {
43 if (obj.args.mpstlsoffload) {
44 obj.server = net.createServer(onConnection);
45 } else {
46 if (obj.args.mpshighsecurity) {
47 // Higher security TLS 1.2 and 1.3 only, some older Intel AMT CIRA connections will fail.
48 obj.server = tls.createServer({ key: certificates.mps.key, cert: certificates.mps.cert, requestCert: true, rejectUnauthorized: false, ciphers: "HIGH:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_CHACHA20_POLY1305_SHA256", secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1 }, onConnection)
49 } else {
50 // Lower security MPS in order to support older Intel AMT CIRA connections, we have to turn on TLSv1.
51 obj.server = tls.createServer({ key: certificates.mps.key, cert: certificates.mps.cert, minVersion: 'TLSv1', requestCert: true, rejectUnauthorized: false, ciphers: "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA:@SECLEVEL=0", secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION }, onConnection)
52 }
53 //obj.server.on('error', function () { console.log('MPS tls server error'); });
54 obj.server.on('newSession', function (id, data, cb) { if (tlsSessionStoreCount > 1000) { tlsSessionStoreCount = 0; tlsSessionStore = {}; } tlsSessionStore[id.toString('hex')] = data; tlsSessionStoreCount++; cb(); });
55 obj.server.on('resumeSession', function (id, cb) { cb(null, tlsSessionStore[id.toString('hex')] || null); });
56 }
57
58 obj.server.listen(args.mpsport, args.mpsportbind, function () {
59 console.log("MeshCentral Intel(R) AMT server running on " + certificates.AmtMpsName + ":" + args.mpsport + ((args.mpsaliasport != null) ? (", alias port " + args.mpsaliasport) : "") + ".");
60 obj.parent.authLog('mps', 'Server listening on ' + ((args.mpsportbind != null) ? args.mpsportbind : '0.0.0.0') + ' port ' + args.mpsport + '.');
61 }).on("error", function (err) { console.error("ERROR: MeshCentral Intel(R) AMT server port " + args.mpsport + " is not available. Check if the MeshCentral is already running."); if (args.exactports) { process.exit(); } });
62
63 obj.server.on('tlsClientError', function (err, tlssocket) { if (args.mpsdebug) { var remoteAddress = tlssocket.remoteAddress; if (tlssocket.remoteFamily == 'IPv6') { remoteAddress = '[' + remoteAddress + ']'; } console.log('MPS:Invalid TLS connection from ' + remoteAddress + ':' + tlssocket.remotePort + '.'); } });
64 }
65
66 obj.parent.updateServerState('mps-port', args.mpsport);
67 obj.parent.updateServerState('mps-name', certificates.AmtMpsName);
68 if (args.mpsaliasport != null) { obj.parent.updateServerState('mps-alias-port', args.mpsaliasport); }
69
70 const APFProtocol = {
71 UNKNOWN: 0,
72 DISCONNECT: 1,
73 SERVICE_REQUEST: 5,
74 SERVICE_ACCEPT: 6,
75 USERAUTH_REQUEST: 50,
76 USERAUTH_FAILURE: 51,
77 USERAUTH_SUCCESS: 52,
78 GLOBAL_REQUEST: 80,
79 REQUEST_SUCCESS: 81,
80 REQUEST_FAILURE: 82,
81 CHANNEL_OPEN: 90,
82 CHANNEL_OPEN_CONFIRMATION: 91,
83 CHANNEL_OPEN_FAILURE: 92,
84 CHANNEL_WINDOW_ADJUST: 93,
85 CHANNEL_DATA: 94,
86 CHANNEL_CLOSE: 97,
87 PROTOCOLVERSION: 192,
88 KEEPALIVE_REQUEST: 208,
89 KEEPALIVE_REPLY: 209,
90 KEEPALIVE_OPTIONS_REQUEST: 210,
91 KEEPALIVE_OPTIONS_REPLY: 211,
92 JSON_CONTROL: 250 // This is a Mesh specific command that sends JSON to and from the MPS server.
93 };
94
95 /*
96 const APFDisconnectCode = {
97 HOST_NOT_ALLOWED_TO_CONNECT: 1,
98 PROTOCOL_ERROR: 2,
99 KEY_EXCHANGE_FAILED: 3,
100 RESERVED: 4,
101 MAC_ERROR: 5,
102 COMPRESSION_ERROR: 6,
103 SERVICE_NOT_AVAILABLE: 7,
104 PROTOCOL_VERSION_NOT_SUPPORTED: 8,
105 HOST_KEY_NOT_VERIFIABLE: 9,
106 CONNECTION_LOST: 10,
107 BY_APPLICATION: 11,
108 TOO_MANY_CONNECTIONS: 12,
109 AUTH_CANCELLED_BY_USER: 13,
110 NO_MORE_AUTH_METHODS_AVAILABLE: 14,
111 INVALID_CREDENTIALS: 15,
112 CONNECTION_TIMED_OUT: 16,
113 BY_POLICY: 17,
114 TEMPORARILY_UNAVAILABLE: 18
115 };
116
117 const APFChannelOpenFailCodes = {
118 ADMINISTRATIVELY_PROHIBITED: 1,
119 CONNECT_FAILED: 2,
120 UNKNOWN_CHANNEL_TYPE: 3,
121 RESOURCE_SHORTAGE: 4,
122 };
123 */
124
125 const APFChannelOpenFailureReasonCode = {
126 AdministrativelyProhibited: 1,
127 ConnectFailed: 2,
128 UnknownChannelType: 3,
129 ResourceShortage: 4,
130 };
131
132 // Stat counters
133 var connectionCount = 0;
134 var userAuthRequestCount = 0;
135 var incorrectPasswordCount = 0;
136 var meshNotFoundCount = 0;
137 var unknownTlsNodeCount = 0;
138 var unknownTlsMeshIdCount = 0;
139 var addedTlsDeviceCount = 0;
140 var unknownNodeCount = 0;
141 var unknownMeshIdCount = 0;
142 var addedDeviceCount = 0;
143 var ciraTimeoutCount = 0;
144 var protocolVersionCount = 0;
145 var badUserNameLengthCount = 0;
146 var channelOpenCount = 0;
147 var channelOpenConfirmCount = 0;
148 var channelOpenFailCount = 0;
149 var channelCloseCount = 0;
150 var disconnectCommandCount = 0;
151 var socketClosedCount = 0;
152 var socketErrorCount = 0;
153 var maxDomainDevicesReached = 0;
154
155 // Add a CIRA connection to the connection list
156 function addCiraConnection(socket) {
157 // Check if there is already a connection of the same type
158 var sameType = false, connections = obj.ciraConnections[socket.tag.nodeid];
159 if (connections != null) { for (var i in connections) { var conn = connections[i]; if (conn.tag.connType === socket.tag.connType) { sameType = true; } } }
160
161 // Add this connection to the connections list
162 if (connections == null) { obj.ciraConnections[socket.tag.nodeid] = [socket]; } else { obj.ciraConnections[socket.tag.nodeid].push(socket); }
163
164 // Update connectivity state
165 // Report the new state of a CIRA/Relay/LMS connection after a short delay. This is to wait for the connection to have the bounded ports setup before we advertise this new connection.
166 socket.xxStartHold = 1;
167 var f = function setConnFunc() {
168 delete setConnFunc.socket.xxStartHold;
169 const ciraArray = obj.ciraConnections[setConnFunc.socket.tag.nodeid];
170 if ((ciraArray != null) && ((ciraArray.indexOf(setConnFunc.socket) >= 0))) { // Check if this connection is still present
171 if (setConnFunc.socket.tag.connType == 0) {
172 // Intel AMT CIRA connection. This connection indicates the remote device is present.
173 obj.parent.SetConnectivityState(setConnFunc.socket.tag.meshid, setConnFunc.socket.tag.nodeid, setConnFunc.socket.tag.connectTime, 2, 7, null, { name: socket.tag.name }); // 7 = Present
174 } else if (setConnFunc.socket.tag.connType == 1) {
175 // Intel AMT Relay connection. This connection does not give any information about the remote device's power state.
176 obj.parent.SetConnectivityState(setConnFunc.socket.tag.meshid, setConnFunc.socket.tag.nodeid, setConnFunc.socket.tag.connectTime, 8, 0, null, { name: socket.tag.name }); // 0 = Unknown
177 }
178 // Intel AMT LMS connection (connType == 2), we don't notify of these connections except telling the Intel AMT manager about them.
179 // If the AMT manager is present, start management of this device
180 if (obj.parent.amtManager != null) { obj.parent.amtManager.startAmtManagement(setConnFunc.socket.tag.nodeid, setConnFunc.socket.tag.connType, setConnFunc.socket); }
181 }
182 }
183 f.socket = socket;
184 setTimeout(f, 300);
185 }
186
187 // Remove a CIRA connection from the connection list
188 function removeCiraConnection(socket) {
189 // If the AMT manager is present, stop management of this device
190 if (obj.parent.amtManager != null) { obj.parent.amtManager.stopAmtManagement(socket.tag.nodeid, socket.tag.connType, socket); }
191
192 // Remove the connection from the list if present.
193 const ciraArray = obj.ciraConnections[socket.tag.nodeid];
194 if (ciraArray == null) return;
195 var i = ciraArray.indexOf(socket);
196 if (i == -1) return;
197 ciraArray.splice(i, 1);
198 if (ciraArray.length == 0) { delete obj.ciraConnections[socket.tag.nodeid]; } else { obj.ciraConnections[socket.tag.nodeid] = ciraArray; }
199
200 // If we are removing a connection during the hold period, don't clear any state since it was never set.
201 if (socket.xxStartHold == 1) return;
202
203 // Check if there is already a connection of the same type
204 var sameType = false, connections = obj.ciraConnections[socket.tag.nodeid];
205 if (connections != null) { for (var i in connections) { var conn = connections[i]; if (conn.tag.connType === socket.tag.connType) { sameType = true; } } }
206 if (sameType == true) return; // if there is a connection of the same type, don't change the connection state.
207
208 // Update connectivity state
209 if (socket.tag.connType == 0) {
210 obj.parent.ClearConnectivityState(socket.tag.meshid, socket.tag.nodeid, 2, null, { name: socket.tag.name }); // CIRA
211 } else if (socket.tag.connType == 1) {
212 obj.parent.ClearConnectivityState(socket.tag.meshid, socket.tag.nodeid, 8, null, { name: socket.tag.name }); // Relay
213 }
214 }
215
216 // Return statistics about this MPS server
217 obj.getStats = function () {
218 var ciraConnectionCount = 0;
219 for (var i in obj.ciraConnections) { ciraConnectionCount += obj.ciraConnections[i].length; }
220 return {
221 ciraConnections: ciraConnectionCount,
222 tlsSessionStore: Object.keys(tlsSessionStore).length,
223 connectionCount: connectionCount,
224 userAuthRequestCount: userAuthRequestCount,
225 incorrectPasswordCount: incorrectPasswordCount,
226 meshNotFoundCount: meshNotFoundCount,
227 unknownTlsNodeCount: unknownTlsNodeCount,
228 unknownTlsMeshIdCount: unknownTlsMeshIdCount,
229 addedTlsDeviceCount: addedTlsDeviceCount,
230 unknownNodeCount: unknownNodeCount,
231 unknownMeshIdCount: unknownMeshIdCount,
232 addedDeviceCount: addedDeviceCount,
233 ciraTimeoutCount: ciraTimeoutCount,
234 protocolVersionCount: protocolVersionCount,
235 badUserNameLengthCount: badUserNameLengthCount,
236 channelOpenCount: channelOpenCount,
237 channelOpenConfirmCount: channelOpenConfirmCount,
238 channelOpenFailCount: channelOpenFailCount,
239 channelCloseCount: channelCloseCount,
240 disconnectCommandCount: disconnectCommandCount,
241 socketClosedCount: socketClosedCount,
242 socketErrorCount: socketErrorCount,
243 maxDomainDevicesReached: maxDomainDevicesReached
244 };
245 }
246
247 // Required for TLS piping to MQTT broker
248 function SerialTunnel(options) {
249 var obj = new require('stream').Duplex(options);
250 obj.forwardwrite = null;
251 obj.updateBuffer = function (chunk) { this.push(chunk); };
252 obj._write = function (chunk, encoding, callback) { if (obj.forwardwrite != null) { obj.forwardwrite(chunk); } else { console.err("Failed to fwd _write."); } if (callback) callback(); }; // Pass data written to forward
253 obj._read = function (size) { }; // Push nothing, anything to read should be pushed from updateBuffer()
254 return obj;
255 }
256
257 // Return's the length of an MQTT packet
258 function getMQTTPacketLength(chunk) {
259 var packet_len = 0;
260 if (chunk.readUInt8(0) == 16) {
261 if (chunk.readUInt8(1) < 128) {
262 packet_len += chunk.readUInt8(1) + 2;
263 } else {
264 // continuation bit, get real value and do next
265 packet_len += (chunk.readUInt8(1) & 0x7F) + 2;
266 if (chunk.readUInt8(2) < 128) {
267 packet_len += 1 + chunk.readUInt8(2) * 128;
268 } else {
269 packet_len += 1 + (chunk.readUInt8(2) & 0x7F) * 128;
270 if (chunk.readUInt8(3) < 128) {
271 packet_len += 1 + chunk.readUInt8(3) * 128 * 128;
272 } else {
273 packet_len += 1 + (chunk.readUInt8(3) & 0x7F) * 128 * 128;
274 if (chunk.readUInt8(4) < 128) {
275 packet_len += 1 + chunk.readUInt8(4) * 128 * 128 * 128;
276 } else {
277 packet_len += 1 + (chunk.readUInt8(4) & 0x7F) * 128 * 128 * 128;
278 }
279 }
280 }
281 }
282 }
283 return packet_len;
284 }
285
286 obj.onWebSocketConnection = function (socket, req) {
287 connectionCount++;
288 // connType: 0 = CIRA, 1 = Relay, 2 = LMS
289 socket.tag = { first: true, connType: 0, clientCert: null, accumulator: '', activetunnels: 0, boundPorts: [], websocket: true, socket: socket, host: null, nextchannelid: 4, channels: {}, nextsourceport: 0, meiState: {} };
290 socket.SetupChannel = function SetupChannel(targetport) { return SetupChannel.parent.SetupChannel(SetupChannel.conn, targetport); }
291 socket.SetupChannel.parent = obj;
292 socket.SetupChannel.conn = socket;
293 socket.websocket = 1;
294 socket.ControlMsg = function ControlMsg(message) { return ControlMsg.parent.SendJsonControl(ControlMsg.conn, message); }
295 socket.ControlMsg.parent = obj;
296 socket.ControlMsg.conn = socket;
297 socket.remoteAddr = req.clientIp;
298 socket.remotePort = socket._socket.remotePort;
299 socket._socket.bytesReadEx = 0;
300 socket._socket.bytesWrittenEx = 0;
301 parent.debug('mps', "New CIRA websocket connection");
302
303 socket.on('message', function (data) {
304 if (args.mpsdebug) { var buf = Buffer.from(data, 'binary'); console.log("MPS <-- (" + buf.length + "):" + buf.toString('hex')); } // Print out received bytes
305
306 // Traffic accounting
307 parent.webserver.trafficStats.LMSIn += (this._socket.bytesRead - this._socket.bytesReadEx);
308 parent.webserver.trafficStats.LMSOut += (this._socket.bytesWritten - this._socket.bytesWrittenEx);
309 this._socket.bytesReadEx = this._socket.bytesRead;
310 this._socket.bytesWrittenEx = this._socket.bytesWritten;
311
312 this.tag.accumulator += data.toString('binary'); // Append as binary string
313 try {
314 // Parse all of the APF data we can
315 var l = 0;
316 do { l = ProcessCommand(this); if (l > 0) { this.tag.accumulator = this.tag.accumulator.substring(l); } } while (l > 0);
317 if (l < 0) { this.terminate(); }
318 } catch (e) {
319 console.log(e);
320 }
321 });
322
323 socket.addListener('close', function () {
324 // Traffic accounting
325 parent.webserver.trafficStats.LMSIn += (this._socket.bytesRead - this._socket.bytesReadEx);
326 parent.webserver.trafficStats.LMSOut += (this._socket.bytesWritten - this._socket.bytesWrittenEx);
327 this._socket.bytesReadEx = this._socket.bytesRead;
328 this._socket.bytesWrittenEx = this._socket.bytesWritten;
329
330 socketClosedCount++;
331 parent.debug('mps', "CIRA websocket closed", this.tag.meshid, this.tag.nodeid);
332 removeCiraConnection(socket);
333 });
334
335 socket.addListener('error', function (e) {
336 socketErrorCount++;
337 parent.debug('mps', "CIRA websocket connection error", e);
338 });
339 }
340
341 // Called when a new TLS/TCP connection is accepted
342 function onConnection(socket) {
343 connectionCount++;
344 // connType: 0 = CIRA, 1 = Relay, 2 = LMS
345 if (obj.args.mpstlsoffload) {
346 socket.tag = { first: true, connType: 0, clientCert: null, accumulator: '', activetunnels: 0, boundPorts: [], socket: socket, host: null, nextchannelid: 4, channels: {}, nextsourceport: 0, meiState: {} };
347 } else {
348 socket.tag = { first: true, connType: 0, clientCert: socket.getPeerCertificate(true), accumulator: '', activetunnels: 0, boundPorts: [], socket: socket, host: null, nextchannelid: 4, channels: {}, nextsourceport: 0, meiState: {} };
349 }
350 socket.SetupChannel = function SetupChannel(targetport) { return SetupChannel.parent.SetupChannel(SetupChannel.conn, targetport); }
351 socket.SetupChannel.parent = obj;
352 socket.SetupChannel.conn = socket;
353 socket.ControlMsg = function ControlMsg(message) { return ControlMsg.parent.SendJsonControl(ControlMsg.conn, message); }
354 socket.ControlMsg.parent = obj;
355 socket.ControlMsg.conn = socket;
356 socket.bytesReadEx = 0;
357 socket.bytesWrittenEx = 0;
358 socket.remoteAddr = cleanRemoteAddr(socket.remoteAddress);
359 //socket.remotePort is already present, no need to set it.
360 socket.setEncoding('binary');
361 parent.debug('mps', "New CIRA connection");
362
363 // Setup the CIRA keep alive timer
364 socket.setTimeout(MAX_IDLE);
365 socket.on('timeout', () => { ciraTimeoutCount++; parent.debug('mps', "CIRA timeout, disconnecting."); obj.close(socket); });
366
367 socket.addListener('close', function () {
368 // Traffic accounting
369 parent.webserver.trafficStats.CIRAIn += (this.bytesRead - this.bytesReadEx);
370 parent.webserver.trafficStats.CIRAOut += (this.bytesWritten - this.bytesWrittenEx);
371 this.bytesReadEx = this.bytesRead;
372 this.bytesWrittenEx = this.bytesWritten;
373
374 socketClosedCount++;
375 parent.debug('mps', 'CIRA connection closed');
376 removeCiraConnection(socket);
377 });
378
379 socket.addListener('error', function (e) {
380 socketErrorCount++;
381 parent.debug('mps', 'CIRA connection error', e);
382 //console.log("MPS Error: " + socket.remoteAddress);
383 });
384
385 socket.addListener('data', function (data) {
386 if (args.mpsdebug) { var buf = Buffer.from(data, 'binary'); console.log("MPS <-- (" + buf.length + "):" + buf.toString('hex')); } // Print out received bytes
387
388 // Traffic accounting
389 parent.webserver.trafficStats.CIRAIn += (this.bytesRead - this.bytesReadEx);
390 parent.webserver.trafficStats.CIRAOut += (this.bytesWritten - this.bytesWrittenEx);
391 this.bytesReadEx = this.bytesRead;
392 this.bytesWrittenEx = this.bytesWritten;
393
394 socket.tag.accumulator += data;
395
396 // Detect if this is an HTTPS request, if it is, return a simple answer and disconnect. This is useful for debugging access to the MPS port.
397 if (socket.tag.first == true) {
398 if (socket.tag.accumulator.length < 5) return;
399 //if (!socket.tag.clientCert.subject) { console.log("MPS Connection, no client cert: " + socket.remoteAddress); socket.write('HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\nMeshCentral2 MPS server.\r\nNo client certificate given.'); obj.close(socket); return; }
400 if ((socket.tag.accumulator.substring(0, 4) == 'GET ') || (socket.tag.accumulator.substring(0, 5) == 'HEAD ')) {
401 if (args.mpsdebug) { console.log("MPS Connection, HTTP request detected: " + socket.remoteAddress); }
402 socket.removeAllListeners('data');
403 socket.removeAllListeners('close');
404 socket.on('data', onHttpData);
405 socket.on('close', onHttpClose);
406 obj.httpSocket = socket;
407 onHttpData.call(socket, data);
408 return;
409 }
410
411 // If the MQTT broker is active, look for inbound MQTT connections
412 if (parent.mqttbroker != null) {
413 var chunk = Buffer.from(socket.tag.accumulator, 'binary');
414 var packet_len = 0;
415 if (chunk.readUInt8(0) == 16) { packet_len = getMQTTPacketLength(chunk); }
416 if (chunk.readUInt8(0) == 16 && (socket.tag.accumulator.length < packet_len)) return; // Minimum MQTT detection
417
418 // check if it is MQTT, need more initial packet to probe
419 if (chunk.readUInt8(0) == 16 && ((chunk.slice(4, 8).toString() === 'MQTT') || (chunk.slice(5, 9).toString() === 'MQTT')
420 || (chunk.slice(6, 10).toString() === 'MQTT') || (chunk.slice(7, 11).toString() === 'MQTT'))) {
421 parent.debug('mps', "MQTT connection detected.");
422 socket.removeAllListeners('data');
423 socket.removeAllListeners('close');
424 socket.setNoDelay(true);
425 socket.serialtunnel = SerialTunnel();
426 socket.serialtunnel.xtransport = 'mps';
427 socket.serialtunnel.xip = socket.remoteAddress;
428 socket.on('data', function (b) { socket.serialtunnel.updateBuffer(Buffer.from(b, 'binary')) });
429 socket.serialtunnel.forwardwrite = function (b) { socket.write(b, 'binary') }
430 socket.on('close', function () { socket.serialtunnel.emit('end'); });
431
432 // Pass socket wrapper to the MQTT broker
433 parent.mqttbroker.handle(socket.serialtunnel);
434 socket.unshift(socket.tag.accumulator);
435 return;
436 }
437 }
438
439 socket.tag.first = false;
440
441 // Setup this node with certificate authentication
442 if (socket.tag.clientCert && socket.tag.clientCert.subject && socket.tag.clientCert.subject.O && socket.tag.clientCert.subject.O.length == 64) {
443 // This is a node where the MeshID is indicated within the CIRA certificate
444 var domainid = '', meshid;
445 var xx = socket.tag.clientCert.subject.O.split('/');
446 if (xx.length == 1) { meshid = xx[0]; } else { domainid = xx[0].toLowerCase(); meshid = xx[1]; }
447
448 // Check the incoming domain
449 var domain = obj.parent.config.domains[domainid];
450 if (domain == null) { console.log('CIRA connection for invalid domain. meshid: ' + meshid); obj.close(socket); return; }
451
452 socket.tag.domain = domain;
453 socket.tag.domainid = domainid;
454 socket.tag.meshid = 'mesh/' + domainid + '/' + meshid;
455 socket.tag.nodeid = 'node/' + domainid + '/' + require('crypto').createHash('sha384').update(common.hex2rstr(socket.tag.clientCert.modulus, 'binary')).digest('base64').replace(/\+/g, '@').replace(/\//g, '$');
456 socket.tag.name = socket.tag.clientCert.subject.CN;
457 socket.tag.connectTime = Date.now();
458 socket.tag.host = '';
459
460 // Fetch the node
461 obj.db.Get(socket.tag.nodeid, function (err, nodes) {
462 if ((nodes == null) || (nodes.length !== 1)) {
463 var mesh = obj.parent.webserver.meshes[socket.tag.meshid];
464 if (mesh == null) {
465 unknownTlsMeshIdCount++;
466 console.log('ERROR: Intel AMT CIRA connected with unknown groupid: ' + socket.tag.meshid);
467 obj.close(socket);
468 return;
469 } else if (mesh.mtype == 1) {
470 // Check if we already have too many devices for this domain
471 if (domain.limits && (typeof domain.limits.maxdevices == 'number')) {
472 db.isMaxType(domain.limits.maxdevices, 'node', domain.id, function (ismax, count) {
473 if (ismax == true) {
474 // Too many devices in this domain.
475 maxDomainDevicesReached++;
476 console.log('Too many devices on this domain to accept the CIRA connection. meshid: ' + socket.tag.meshid);
477 obj.close(socket);
478 } else {
479 // Attempts reverse DNS loopup on the device IP address
480 require('dns').reverse(socket.remoteAddr, function (err, hostnames) {
481 var hostname = socket.remoteAddr;
482 if ((err == null) && (hostnames != null) && (hostnames.length > 0)) { hostname = hostnames[0]; }
483
484 // We are under the limit, create the new device.
485 // Node is not in the database, add it. Credentials will be empty until added by the user.
486 var device = { type: 'node', mtype: 1, _id: socket.tag.nodeid, meshid: socket.tag.meshid, name: socket.tag.name, icon: (socket.tag.meiState.isBatteryPowered) ? 2 : 1, host: hostname, domain: domainid, intelamt: { user: (typeof socket.tag.meiState.amtuser == 'string') ? socket.tag.meiState.amtuser : '', pass: (typeof socket.tag.meiState.amtpass == 'string') ? socket.tag.meiState.amtpass : '', tls: 0, state: 2 } };
487 if (socket.tag.meiState != null) {
488 if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
489 if ((typeof socket.tag.meiState.Versions == 'object') && (typeof socket.tag.meiState.Versions.Sku == 'string')) { device.intelamt.sku = parseInt(socket.tag.meiState.Versions.Sku); }
490 }
491 obj.db.Set(device);
492
493 // Event the new node
494 addedTlsDeviceCount++;
495 var change = 'CIRA added device ' + socket.tag.name + ' to mesh ' + mesh.name;
496 obj.parent.DispatchEvent(['*', socket.tag.meshid], obj, { etype: 'node', action: 'addnode', node: parent.webserver.CloneSafeNode(device), msg: change, domain: domainid });
497
498 // Add the connection to the MPS connection list
499 addCiraConnection(socket);
500 });
501 }
502 });
503 return;
504 } else {
505 // Attempts reverse DNS loopup on the device IP address
506 require('dns').reverse(socket.remoteAddr, function (err, hostnames) {
507 var hostname = socket.remoteAddr;
508 if ((err == null) && (hostnames != null) && (hostnames.length > 0)) { hostname = hostnames[0]; }
509
510 // Node is not in the database, add it. Credentials will be empty until added by the user.
511 var device = { type: 'node', mtype: 1, _id: socket.tag.nodeid, meshid: socket.tag.meshid, name: socket.tag.name, icon: (socket.tag.meiState.isBatteryPowered) ? 2 : 1, host: hostname, domain: domainid, intelamt: { user: (typeof socket.tag.meiState.amtuser == 'string') ? socket.tag.meiState.amtuser : '', pass: (typeof socket.tag.meiState.amtpass == 'string') ? socket.tag.meiState.amtpass : '', tls: 0, state: 2 } };
512 if (socket.tag.meiState != null) {
513 if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
514 if ((typeof socket.tag.meiState.Versions == 'object') && (typeof socket.tag.meiState.Versions.Sku == 'string')) { device.intelamt.sku = parseInt(socket.tag.meiState.Versions.Sku); }
515 }
516 obj.db.Set(device);
517
518 // Event the new node
519 addedTlsDeviceCount++;
520 var change = 'CIRA added device ' + socket.tag.name + ' to mesh ' + mesh.name;
521 obj.parent.DispatchEvent(['*', socket.tag.meshid], obj, { etype: 'node', action: 'addnode', node: parent.webserver.CloneSafeNode(device), msg: change, domain: domainid });
522 });
523 }
524 } else {
525 // New CIRA connection for unknown node, disconnect.
526 unknownTlsNodeCount++;
527 console.log('CIRA connection for unknown node with incorrect group type. meshid: ' + socket.tag.meshid);
528 obj.close(socket);
529 return;
530 }
531 } else {
532 // Node is already present
533 var node = nodes[0];
534 socket.tag.meshid = node.meshid; // Correct the MeshID if the node has moved.
535 socket.tag.name = node.name;
536 if ((node.intelamt != null) && (node.intelamt.state == 2)) { socket.tag.host = node.intelamt.host; }
537 }
538
539 // Add the connection to the MPS connection list
540 addCiraConnection(socket);
541 });
542 } else {
543 // This node connected without certificate authentication, use password auth
544 //console.log('Intel AMT CIRA connected without certificate authentication');
545 }
546 }
547
548 try {
549 // Parse all of the APF data we can
550 var l = 0;
551 do { l = ProcessCommand(socket); if (l > 0) { socket.tag.accumulator = socket.tag.accumulator.substring(l); } } while (l > 0);
552 if (l < 0) { obj.close(socket); }
553 } catch (e) {
554 console.log(e);
555 }
556 });
557 }
558
559 // Process one APF command
560 function ProcessCommand(socket) {
561 var cmd = socket.tag.accumulator.charCodeAt(0);
562 var len = socket.tag.accumulator.length;
563 var data = socket.tag.accumulator;
564 if (len == 0) { return 0; }
565
566 switch (cmd) {
567 case APFProtocol.KEEPALIVE_REQUEST: {
568 if (len < 5) return 0;
569 parent.debug('mpscmd', '--> KEEPALIVE_REQUEST');
570 SendKeepAliveReply(socket, common.ReadInt(data, 1));
571 return 5;
572 }
573 case APFProtocol.KEEPALIVE_REPLY: {
574 if (len < 5) return 0;
575 parent.debug('mpscmd', '--> KEEPALIVE_REPLY');
576 return 5;
577 }
578 case APFProtocol.KEEPALIVE_OPTIONS_REPLY: {
579 if (len < 9) return 0;
580 const keepaliveInterval = common.ReadInt(data, 1);
581 const timeout = common.ReadInt(data, 5);
582 parent.debug('mpscmd', '--> KEEPALIVE_OPTIONS_REPLY', keepaliveInterval, timeout);
583 return 9;
584 }
585 case APFProtocol.PROTOCOLVERSION: {
586 if (len < 93) return 0;
587 protocolVersionCount++;
588 socket.tag.MajorVersion = common.ReadInt(data, 1);
589 socket.tag.MinorVersion = common.ReadInt(data, 5);
590 socket.tag.SystemId = guidToStr(common.rstr2hex(data.substring(13, 29))).toLowerCase();
591 parent.debug('mpscmd', '--> PROTOCOLVERSION', socket.tag.MajorVersion, socket.tag.MinorVersion, socket.tag.SystemId);
592 return 93;
593 }
594 case APFProtocol.USERAUTH_REQUEST: {
595 if (len < 13) return 0;
596 userAuthRequestCount++;
597 var usernameLen = common.ReadInt(data, 1);
598 if ((usernameLen > 2048) || (len < (5 + usernameLen))) return -1;
599 var username = data.substring(5, 5 + usernameLen);
600 var serviceNameLen = common.ReadInt(data, 5 + usernameLen);
601 if ((serviceNameLen > 2048) || (len < (9 + usernameLen + serviceNameLen))) return -1;
602 var serviceName = data.substring(9 + usernameLen, 9 + usernameLen + serviceNameLen);
603 var methodNameLen = common.ReadInt(data, 9 + usernameLen + serviceNameLen);
604 if ((methodNameLen > 2048) || (len < (13 + usernameLen + serviceNameLen + methodNameLen))) return -1;
605 var methodName = data.substring(13 + usernameLen + serviceNameLen, 13 + usernameLen + serviceNameLen + methodNameLen);
606 var passwordLen = 0, password = null;
607 if (methodName == 'password') {
608 passwordLen = common.ReadInt(data, 14 + usernameLen + serviceNameLen + methodNameLen);
609 if ((passwordLen > 2048) || (len < (18 + usernameLen + serviceNameLen + methodNameLen + passwordLen))) return -1;
610 password = data.substring(18 + usernameLen + serviceNameLen + methodNameLen, 18 + usernameLen + serviceNameLen + methodNameLen + passwordLen);
611 }
612 //console.log('MPS:USERAUTH_REQUEST user=' + username + ', service=' + serviceName + ', method=' + methodName + ', password=' + password);
613 parent.debug('mpscmd', '--> USERAUTH_REQUEST user=' + username + ', service=' + serviceName + ', method=' + methodName + ', password=' + password);
614
615 // If the login uses a cookie, check this now
616 if ((username == '**MeshAgentApfTunnel**') && (password != null)) {
617 const cookie = parent.decodeCookie(password, parent.loginCookieEncryptionKey);
618 if ((cookie == null) || (cookie.a !== 'apf')) {
619 incorrectPasswordCount++;
620 socket.ControlMsg({ action: 'console', msg: 'Invalid login username/password' });
621 parent.debug('mps', 'Incorrect password', username, password);
622 SendUserAuthFail(socket);
623 return -1;
624 }
625 if (obj.parent.webserver.meshes[cookie.m] == null) {
626 meshNotFoundCount++;
627 socket.ControlMsg({ action: 'console', msg: 'Device group not found (1): ' + cookie.m });
628 parent.debug('mps', 'Device group not found (1): ' + cookie.m, username, password);
629 SendUserAuthFail(socket);
630 return -1;
631 }
632
633 // Setup the connection
634 socket.tag.nodeid = cookie.n;
635 socket.tag.meshid = cookie.m;
636 socket.tag.connectTime = Date.now();
637
638 // Add the connection to the MPS connection list
639 addCiraConnection(socket);
640 SendUserAuthSuccess(socket); // Notify the auth success on the CIRA connection
641 return 18 + usernameLen + serviceNameLen + methodNameLen + passwordLen;
642 } else {
643 // Check the CIRA password
644 if ((args.mpspass != null) && (password != args.mpspass)) {
645 incorrectPasswordCount++;
646 socket.ControlMsg({ action: 'console', msg: 'Invalid login username/password' });
647 parent.debug('mps', 'Incorrect password', username, password);
648 SendUserAuthFail(socket);
649 return -1;
650 }
651
652 // Check the CIRA username, which should be the start of the MeshID.
653 if (usernameLen != 16) {
654 badUserNameLengthCount++;
655 socket.ControlMsg({ action: 'console', msg: 'Username length not 16' });
656 parent.debug('mps', 'Username length not 16', username, password);
657 SendUserAuthFail(socket);
658 return -1;
659 }
660 // Find the initial device group for this CIRA connection. Since Intel AMT does not allow @ or $ in the username, we escape these.
661 // For possible for CIRA-LMS connections to still send @ or $, so we need to escape both sides.
662 // The initial device group will tell us what device group type and domain this connection is for
663 var initialMesh = null;
664 const meshIdStart = ('/' + username).replace(/\@/g, 'X').replace(/\$/g, 'X');
665 if (obj.parent.webserver.meshes) {
666 for (var i in obj.parent.webserver.meshes) {
667 if (obj.parent.webserver.meshes[i]._id.replace(/\@/g, 'X').replace(/\$/g, 'X').indexOf(meshIdStart) > 0) {
668 initialMesh = obj.parent.webserver.meshes[i]; break;
669 }
670 }
671 }
672 if (initialMesh == null) {
673 meshNotFoundCount++;
674 socket.ControlMsg({ action: 'console', msg: 'Device group not found (2): ' + meshIdStart + ', u: ' + username + ', p: ' + password });
675 parent.debug('mps', 'Device group not found (2)', meshIdStart, username, password);
676 SendUserAuthFail(socket);
677 return -1;
678 }
679 }
680
681 // If this is a agent-less mesh, use the device guid 3 times as ID.
682 if (initialMesh.mtype == 1) {
683 // Intel AMT GUID (socket.tag.SystemId) will be used as NodeID
684 const systemid = socket.tag.SystemId.split('-').join('');
685 const nodeid = Buffer.from(systemid + systemid + systemid, 'hex').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
686 const domain = obj.parent.config.domains[initialMesh.domain];
687 if (domain == null) return;
688 socket.tag.domain = domain;
689 socket.tag.domainid = initialMesh.domain;
690 if (socket.tag.name == null) { socket.tag.name = ''; }
691 socket.tag.nodeid = 'node/' + initialMesh.domain + '/' + nodeid; // Turn 16bit systemid guid into 48bit nodeid that is base64 encoded
692 socket.tag.connectTime = Date.now();
693
694 obj.db.Get(socket.tag.nodeid, function (err, nodes) {
695 if ((nodes == null) || (nodes.length !== 1)) {
696 // Check if we already have too many devices for this domain
697 if (domain.limits && (typeof domain.limits.maxdevices == 'number')) {
698 db.isMaxType(domain.limits.maxdevices, 'node', initialMesh.domain, function (ismax, count) {
699 if (ismax == true) {
700 // Too many devices in this domain.
701 maxDomainDevicesReached++;
702 console.log('Too many devices on this domain to accept the CIRA connection. meshid: ' + socket.tag.meshid);
703 obj.close(socket);
704 } else {
705 // Attempts reverse DNS loopup on the device IP address
706 require('dns').reverse(socket.remoteAddr, function (err, hostnames) {
707 var hostname = socket.remoteAddr;
708 if ((err == null) && (hostnames != null) && (hostnames.length > 0)) { hostname = hostnames[0]; }
709
710 // Set the device group
711 socket.tag.meshid = initialMesh._id;
712
713 // We are under the limit, create the new device.
714 // Node is not in the database, add it. Credentials will be empty until added by the user.
715 var device = { type: 'node', mtype: 1, _id: socket.tag.nodeid, meshid: socket.tag.meshid, name: socket.tag.name, icon: (socket.tag.meiState.isBatteryPowered) ? 2 : 1, host: hostname, domain: initialMesh.domain, intelamt: { user: (typeof socket.tag.meiState.amtuser == 'string') ? socket.tag.meiState.amtuser : '', pass: (typeof socket.tag.meiState.amtpass == 'string') ? socket.tag.meiState.amtpass : '', tls: 0, state: 2 } };
716 if (socket.tag.meiState != null) {
717 if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
718 if ((typeof socket.tag.meiState.Versions == 'object') && (typeof socket.tag.meiState.Versions.Sku == 'string')) { device.intelamt.sku = parseInt(socket.tag.meiState.Versions.Sku); }
719 }
720 obj.db.Set(device);
721
722 // Event the new node
723 addedDeviceCount++;
724 var change = 'Added CIRA device ' + socket.tag.name + ' to group ' + initialMesh.name;
725 obj.parent.DispatchEvent(['*', socket.tag.meshid], obj, { etype: 'node', action: 'addnode', node: parent.webserver.CloneSafeNode(device), msg: change, domain: initialMesh.domain });
726
727 // Add the connection to the MPS connection list
728 addCiraConnection(socket);
729 SendUserAuthSuccess(socket); // Notify the auth success on the CIRA connection
730 });
731 }
732 });
733 return;
734 } else {
735 // Attempts reverse DNS loopup on the device IP address
736 const reverseDnsLookupHandler = function (err, hostnames) {
737 var hostname = socket.remoteAddr;
738 if ((err == null) && (hostnames != null) && (hostnames.length > 0)) { hostname = hostnames[0]; }
739
740 // Set the device group
741 socket.tag.meshid = initialMesh._id;
742
743 // Node is not in the database, add it. Credentials will be empty until added by the user.
744 var device = { type: 'node', mtype: 1, _id: socket.tag.nodeid, meshid: socket.tag.meshid, name: socket.tag.name, icon: (socket.tag.meiState && socket.tag.meiState.isBatteryPowered) ? 2 : 1, host: hostname, domain: initialMesh.domain, intelamt: { user: ((socket.tag.meiState) && (typeof socket.tag.meiState.amtuser == 'string')) ? socket.tag.meiState.amtuser : '', pass: ((socket.tag.meiState) && (typeof socket.tag.meiState.amtpass == 'string')) ? socket.tag.meiState.amtpass : '', tls: 0, state: 2 } };
745 if (socket.tag.meiState != null) {
746 if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
747 if ((typeof socket.tag.meiState.Versions == 'object') && (typeof socket.tag.meiState.Versions.Sku == 'string')) { device.intelamt.sku = parseInt(socket.tag.meiState.Versions.Sku); }
748 }
749 obj.db.Set(device);
750
751 // Event the new node
752 addedDeviceCount++;
753 var change = 'Added CIRA device ' + socket.tag.name + ' to group ' + initialMesh.name;
754 obj.parent.DispatchEvent(['*', socket.tag.meshid], obj, { etype: 'node', action: 'addnode', node: parent.webserver.CloneSafeNode(device), msg: change, domain: initialMesh.domain });
755 }
756 try { require('dns').reverse(socket.remoteAddr, reverseDnsLookupHandler); } catch (ex) { reverseDnsLookupHandler(ex, null); }
757 }
758 } else {
759 // Node is already present
760 var node = nodes[0];
761 socket.tag.meshid = node.meshid;
762 socket.tag.name = node.name;
763 if ((node.intelamt != null) && (node.intelamt.state == 2)) { socket.tag.host = node.intelamt.host; }
764 }
765
766 // Add the connection to the MPS connection list
767 addCiraConnection(socket);
768 SendUserAuthSuccess(socket); // Notify the auth success on the CIRA connection
769 });
770 } else if (initialMesh.mtype == 2) { // If this is a agent mesh, search the mesh for this device UUID
771 // Intel AMT GUID (socket.tag.SystemId) will be used to search the node
772 obj.db.getAmtUuidMeshNode(initialMesh.domain, initialMesh.mtype, socket.tag.SystemId, function (err, nodes) { // TODO: Need to optimize this request with indexes
773 if ((nodes == null) || (nodes.length === 0) || (obj.parent.webserver.meshes == null)) {
774 // New CIRA connection for unknown node, create a new device.
775 unknownNodeCount++;
776 console.log('CIRA connection for unknown node. groupid: ' + initialMesh._id + ', uuid: ' + socket.tag.SystemId);
777 //obj.close(socket);
778 //return;
779 var domain = obj.parent.config.domains[initialMesh.domain];
780 if (domain == null) return;
781
782 // Check if we already have too many devices for this domain
783 if (domain.limits && (typeof domain.limits.maxdevices == 'number')) {
784 db.isMaxType(domain.limits.maxdevices, 'node', initialMesh.domain, function (ismax, count) {
785 if (ismax == true) {
786 // Too many devices in this domain.
787 maxDomainDevicesReached++;
788 console.log('Too many devices on this domain to accept the CIRA connection. meshid: ' + socket.tag.meshid);
789 obj.close(socket);
790 } else {
791 // Attempts reverse DNS loopup on the device IP address
792 require('dns').reverse(socket.remoteAddr, function (err, hostnames) {
793 var hostname = socket.remoteAddr;
794 if ((err == null) && (hostnames != null) && (hostnames.length > 0)) { hostname = hostnames[0]; }
795
796 // Set the device group
797 socket.tag.meshid = initialMesh._id;
798
799 const systemid = socket.tag.SystemId.split('-').join('');
800 const nodeid = Buffer.from(systemid + systemid + systemid, 'hex').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
801 socket.tag.domain = domain;
802 socket.tag.domainid = initialMesh.domain;
803 socket.tag.name = hostname;
804 socket.tag.nodeid = 'node/' + initialMesh.domain + '/' + nodeid; // Turn 16bit systemid guid into 48bit nodeid that is base64 encoded
805 socket.tag.connectTime = Date.now();
806
807 // Node is not in the database, add it. Credentials will be empty until added by the user.
808 var device = { type: 'node', mtype: 2, _id: socket.tag.nodeid, meshid: socket.tag.meshid, name: hostname, icon: (socket.tag.meiState && socket.tag.meiState.isBatteryPowered) ? 2 : 1, host: hostname, domain: initialMesh.domain, intelamt: { user: ((socket.tag.meiState) && (typeof socket.tag.meiState.amtuser == 'string')) ? socket.tag.meiState.amtuser : '', pass: ((socket.tag.meiState) && (typeof socket.tag.meiState.amtpass == 'string')) ? socket.tag.meiState.amtpass : '', tls: 0, state: 2, agent: { id: 0, caps: 0 } } };
809 if (socket.tag.meiState != null) {
810 if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
811 if ((typeof socket.tag.meiState.Versions == 'object') && (typeof socket.tag.meiState.Versions.Sku == 'string')) { device.intelamt.sku = parseInt(socket.tag.meiState.Versions.Sku); }
812 }
813 obj.db.Set(device);
814
815 // Event the new node
816 addedDeviceCount++;
817 var change = 'Added CIRA device ' + socket.tag.name + ' to group ' + initialMesh.name;
818 obj.parent.DispatchEvent(['*', socket.tag.meshid], obj, { etype: 'node', action: 'addnode', node: parent.webserver.CloneSafeNode(device), msg: change, domain: initialMesh.domain });
819
820 // Add the connection to the MPS connection list
821 addCiraConnection(socket);
822 SendUserAuthSuccess(socket); // Notify the auth success on the CIRA connection
823 });
824 }
825 });
826 return;
827 } else {
828 // Attempts reverse DNS loopup on the device IP address
829 require('dns').reverse(socket.remoteAddr, function (err, hostnames) {
830 var hostname = socket.remoteAddr;
831 if ((err == null) && (hostnames != null) && (hostnames.length > 0)) { hostname = hostnames[0]; }
832
833 // Set the device group
834 socket.tag.meshid = initialMesh._id;
835
836 const systemid = socket.tag.SystemId.split('-').join('');
837 const nodeid = Buffer.from(systemid + systemid + systemid, 'hex').toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
838 socket.tag.domain = domain;
839 socket.tag.domainid = initialMesh.domain;
840 socket.tag.name = hostname;
841 socket.tag.nodeid = 'node/' + initialMesh.domain + '/' + nodeid; // Turn 16bit systemid guid into 48bit nodeid that is base64 encoded
842 socket.tag.connectTime = Date.now();
843
844 // Node is not in the database, add it. Credentials will be empty until added by the user.
845 var device = { type: 'node', mtype: 2, _id: socket.tag.nodeid, meshid: socket.tag.meshid, name: hostname, icon: (socket.tag.meiState && socket.tag.meiState.isBatteryPowered) ? 2 : 1, host: hostname, domain: initialMesh.domain, agent: { ver: 0, id: 0, caps: 0 }, intelamt: { uuid: socket.tag.SystemId, user: ((socket.tag.meiState) && (typeof socket.tag.meiState.amtuser == 'string')) ? socket.tag.meiState.amtuser : '', pass: ((socket.tag.meiState) && (typeof socket.tag.meiState.amtpass == 'string')) ? socket.tag.meiState.amtpass : '', tls: 0, state: 2 } };
846 if (socket.tag.meiState != null) {
847 if ((typeof socket.tag.meiState.desc == 'string') && (socket.tag.meiState.desc.length > 0) && (socket.tag.meiState.desc.length < 1024)) { device.desc = socket.tag.meiState.desc; }
848 if ((typeof socket.tag.meiState.Versions == 'object') && (typeof socket.tag.meiState.Versions.Sku == 'string')) { device.intelamt.sku = parseInt(socket.tag.meiState.Versions.Sku); }
849 }
850 obj.db.Set(device);
851
852 // Event the new node
853 addedDeviceCount++;
854 var change = 'Added CIRA device ' + socket.tag.name + ' to group ' + initialMesh.name;
855 obj.parent.DispatchEvent(['*', socket.tag.meshid], obj, { etype: 'node', action: 'addnode', node: parent.webserver.CloneSafeNode(device), msg: change, domain: initialMesh.domain });
856
857 // Add the connection to the MPS connection list
858 addCiraConnection(socket);
859 SendUserAuthSuccess(socket); // Notify the auth success on the CIRA connection
860 });
861 }
862 return;
863 }
864
865 // Looking at nodes that match this UUID, select one in the same domain and mesh type.
866 var node = null;
867 for (var i in nodes) {
868 if (initialMesh.domain == nodes[i].domain) {
869 var nodemesh = obj.parent.webserver.meshes[nodes[i].meshid];
870 if ((nodemesh != null) && (nodemesh.mtype == 2)) { node = nodes[i]; }
871 }
872 }
873
874 if (node == null) {
875 // New CIRA connection for unknown node, disconnect.
876 unknownNodeCount++;
877 console.log('CIRA connection for unknown node. candidate(s): ' + nodes.length + ', groupid: ' + initialMesh._id + ', uuid: ' + socket.tag.SystemId);
878 obj.close(socket);
879 return;
880 }
881
882 // Node is present
883 if ((node.intelamt != null) && (node.intelamt.state == 2)) { socket.tag.host = node.intelamt.host; }
884 socket.tag.nodeid = node._id;
885 socket.tag.meshid = node.meshid;
886 socket.tag.connectTime = Date.now();
887
888 // Add the connection to the MPS connection list
889 addCiraConnection(socket);
890 SendUserAuthSuccess(socket); // Notify the auth success on the CIRA connection
891 });
892 } else { // Unknown mesh type
893 // New CIRA connection for unknown node, disconnect.
894 unknownMeshIdCount++;
895 console.log('CIRA connection to a unknown group type. groupid: ' + socket.tag.meshid);
896 obj.close(socket);
897 return;
898 }
899 return 18 + usernameLen + serviceNameLen + methodNameLen + passwordLen;
900 }
901 case APFProtocol.SERVICE_REQUEST: {
902 if (len < 5) return 0;
903 var xserviceNameLen = common.ReadInt(data, 1);
904 if (xserviceNameLen > 2048) return -1;
905 if (len < 5 + xserviceNameLen) return 0;
906 var xserviceName = data.substring(5, 5 + xserviceNameLen);
907 parent.debug('mpscmd', '--> SERVICE_REQUEST', xserviceName);
908 if (xserviceName == "pfwd@amt.intel.com") { SendServiceAccept(socket, "pfwd@amt.intel.com"); }
909 if (xserviceName == "auth@amt.intel.com") { SendServiceAccept(socket, "auth@amt.intel.com"); }
910 return 5 + xserviceNameLen;
911 }
912 case APFProtocol.GLOBAL_REQUEST: {
913 if (len < 14) return 0;
914 var requestLen = common.ReadInt(data, 1);
915 if (requestLen > 2048) return -1;
916 if (len < 14 + requestLen) return 0;
917 var request = data.substring(5, 5 + requestLen);
918 //var wantResponse = data.charCodeAt(5 + requestLen);
919
920 if (request == 'tcpip-forward') {
921 var addrLen = common.ReadInt(data, 6 + requestLen);
922 if (len < 14 + requestLen + addrLen) return 0;
923 var addr = data.substring(10 + requestLen, 10 + requestLen + addrLen);
924 var port = common.ReadInt(data, 10 + requestLen + addrLen);
925 parent.debug('mpscmd', '--> GLOBAL_REQUEST', request, addr + ':' + port);
926 if (socket.tag.boundPorts.indexOf(port) == -1) { socket.tag.boundPorts.push(port); }
927 SendTcpForwardSuccessReply(socket, port);
928 //5900 port is the last TCP port on which connections for forwarding are to be cancelled. Ports order: 16993, 16992, 664, 623, 16995, 16994, 5900
929 //Request keepalive interval time
930 if (port === 5900) { SendKeepaliveOptionsRequest(socket, KEEPALIVE_INTERVAL, 0); }
931 return 14 + requestLen + addrLen;
932 }
933
934 if (request == 'cancel-tcpip-forward') {
935 var addrLen = common.ReadInt(data, 6 + requestLen);
936 if (len < 14 + requestLen + addrLen) return 0;
937 var addr = data.substring(10 + requestLen, 10 + requestLen + addrLen);
938 var port = common.ReadInt(data, 10 + requestLen + addrLen);
939 parent.debug('mpscmd', '--> GLOBAL_REQUEST', request, addr + ':' + port);
940 var portindex = socket.tag.boundPorts.indexOf(port);
941 if (portindex >= 0) { socket.tag.boundPorts.splice(portindex, 1); }
942 SendTcpForwardCancelReply(socket);
943 return 14 + requestLen + addrLen;
944 }
945
946 if (request == 'udp-send-to@amt.intel.com') {
947 var addrLen = common.ReadInt(data, 6 + requestLen);
948 if (len < 26 + requestLen + addrLen) return 0;
949 var addr = data.substring(10 + requestLen, 10 + requestLen + addrLen);
950 var port = common.ReadInt(data, 10 + requestLen + addrLen);
951 var oaddrLen = common.ReadInt(data, 14 + requestLen + addrLen);
952 if (len < 26 + requestLen + addrLen + oaddrLen) return 0;
953 var oaddr = data.substring(18 + requestLen, 18 + requestLen + addrLen);
954 var oport = common.ReadInt(data, 18 + requestLen + addrLen + oaddrLen);
955 var datalen = common.ReadInt(data, 22 + requestLen + addrLen + oaddrLen);
956 if (len < 26 + requestLen + addrLen + oaddrLen + datalen) return 0;
957 parent.debug('mpscmd', '--> GLOBAL_REQUEST', request, addr + ':' + port, oaddr + ':' + oport, datalen);
958 // TODO
959 return 26 + requestLen + addrLen + oaddrLen + datalen;
960 }
961
962 return 6 + requestLen;
963 }
964 case APFProtocol.CHANNEL_OPEN: {
965 if (len < 33) return 0;
966 var ChannelTypeLength = common.ReadInt(data, 1);
967 if (ChannelTypeLength > 2048) return -1;
968 if (len < (33 + ChannelTypeLength)) return 0;
969
970 // Decode channel identifiers and window size
971 var ChannelType = data.substring(5, 5 + ChannelTypeLength);
972 var SenderChannel = common.ReadInt(data, 5 + ChannelTypeLength);
973 var WindowSize = common.ReadInt(data, 9 + ChannelTypeLength);
974
975 // Decode the target
976 var TargetLen = common.ReadInt(data, 17 + ChannelTypeLength);
977 if (TargetLen > 2048) return -1;
978 if (len < (33 + ChannelTypeLength + TargetLen)) return 0;
979 var Target = data.substring(21 + ChannelTypeLength, 21 + ChannelTypeLength + TargetLen);
980 var TargetPort = common.ReadInt(data, 21 + ChannelTypeLength + TargetLen);
981
982 // Decode the source
983 var SourceLen = common.ReadInt(data, 25 + ChannelTypeLength + TargetLen);
984 if (SourceLen > 2048) return -1;
985 if (len < (33 + ChannelTypeLength + TargetLen + SourceLen)) return 0;
986 var Source = data.substring(29 + ChannelTypeLength + TargetLen, 29 + ChannelTypeLength + TargetLen + SourceLen);
987 var SourcePort = common.ReadInt(data, 29 + ChannelTypeLength + TargetLen + SourceLen);
988
989 channelOpenCount++;
990 parent.debug('mpscmd', '--> CHANNEL_OPEN', ChannelType, SenderChannel, WindowSize, Target + ':' + TargetPort, Source + ':' + SourcePort);
991
992 // Check if we understand this channel type
993 //if (ChannelType.toLowerCase() == "direct-tcpip")
994 {
995 // We don't understand this channel type, send an error back
996 SendChannelOpenFailure(socket, SenderChannel, APFChannelOpenFailureReasonCode.UnknownChannelType);
997 return 33 + ChannelTypeLength + TargetLen + SourceLen;
998 }
999
1000 /*
1001 // This is a correct connection. Lets get it setup
1002 var MeshAmtEventEndpoint = { ServerChannel: GetNextBindId(), AmtChannel: SenderChannel, MaxWindowSize: 2048, CurrentWindowSize:2048, SendWindow: WindowSize, InfoHeader: "Target: " + Target + ":" + TargetPort + ", Source: " + Source + ":" + SourcePort};
1003 // TODO: Connect this socket for a WSMAN event
1004 SendChannelOpenConfirmation(socket, SenderChannel, MeshAmtEventEndpoint.ServerChannel, MeshAmtEventEndpoint.MaxWindowSize);
1005 */
1006
1007 return 33 + ChannelTypeLength + TargetLen + SourceLen;
1008 }
1009 case APFProtocol.CHANNEL_OPEN_CONFIRMATION:
1010 {
1011 if (len < 17) return 0;
1012 var RecipientChannel = common.ReadInt(data, 1);
1013 var SenderChannel = common.ReadInt(data, 5);
1014 var WindowSize = common.ReadInt(data, 9);
1015 socket.tag.activetunnels++;
1016 var cirachannel = socket.tag.channels[RecipientChannel];
1017 if (cirachannel == null) { /*console.log("MPS Error in CHANNEL_OPEN_CONFIRMATION: Unable to find channelid " + RecipientChannel);*/ return 17; }
1018 cirachannel.amtchannelid = SenderChannel;
1019 cirachannel.sendcredits = cirachannel.amtCiraWindow = WindowSize;
1020 channelOpenConfirmCount++;
1021 parent.debug('mpscmd', '--> CHANNEL_OPEN_CONFIRMATION', RecipientChannel, SenderChannel, WindowSize);
1022 if (cirachannel.closing == 1) {
1023 // Close this channel
1024 SendChannelClose(cirachannel.socket, cirachannel.amtchannelid);
1025 } else {
1026 cirachannel.state = 2;
1027 // Send any pending data
1028 if (cirachannel.sendBuffer != null) {
1029 if (cirachannel.sendBuffer.length <= cirachannel.sendcredits) {
1030 // Send the entire pending buffer
1031 SendChannelData(cirachannel.socket, cirachannel.amtchannelid, cirachannel.sendBuffer);
1032 cirachannel.sendcredits -= cirachannel.sendBuffer.length;
1033 delete cirachannel.sendBuffer;
1034 if (cirachannel.onSendOk) { cirachannel.onSendOk(cirachannel); }
1035 } else {
1036 // Send a part of the pending buffer
1037 SendChannelData(cirachannel.socket, cirachannel.amtchannelid, cirachannel.sendBuffer.slice(0, cirachannel.sendcredits));
1038 cirachannel.sendBuffer = cirachannel.sendBuffer.slice(cirachannel.sendcredits);
1039 cirachannel.sendcredits = 0;
1040 }
1041 }
1042 // Indicate the channel is open
1043 if (cirachannel.onStateChange) { cirachannel.onStateChange(cirachannel, cirachannel.state); }
1044 }
1045 return 17;
1046 }
1047 case APFProtocol.CHANNEL_OPEN_FAILURE:
1048 {
1049 if (len < 17) return 0;
1050 var RecipientChannel = common.ReadInt(data, 1);
1051 var ReasonCode = common.ReadInt(data, 5);
1052 channelOpenFailCount++;
1053 parent.debug('mpscmd', '--> CHANNEL_OPEN_FAILURE', RecipientChannel, ReasonCode);
1054 var cirachannel = socket.tag.channels[RecipientChannel];
1055 if (cirachannel == null) { console.log("MPS Error in CHANNEL_OPEN_FAILURE: Unable to find channelid " + RecipientChannel); return 17; }
1056 if (cirachannel.state > 0) {
1057 cirachannel.state = 0;
1058 if (cirachannel.onStateChange) { cirachannel.onStateChange(cirachannel, cirachannel.state); }
1059 delete socket.tag.channels[RecipientChannel];
1060 }
1061 return 17;
1062 }
1063 case APFProtocol.CHANNEL_CLOSE:
1064 {
1065 if (len < 5) return 0;
1066 var RecipientChannel = common.ReadInt(data, 1);
1067 channelCloseCount++;
1068 parent.debug('mpscmd', '--> CHANNEL_CLOSE', RecipientChannel);
1069 var cirachannel = socket.tag.channels[RecipientChannel];
1070 if (cirachannel == null) { console.log("MPS Error in CHANNEL_CLOSE: Unable to find channelid " + RecipientChannel); return 5; }
1071 socket.tag.activetunnels--;
1072 if (cirachannel.state > 0) {
1073 cirachannel.state = 0;
1074 if (cirachannel.onStateChange) { cirachannel.onStateChange(cirachannel, cirachannel.state); }
1075 SendChannelClose(cirachannel.socket, cirachannel.amtchannelid);
1076 delete socket.tag.channels[RecipientChannel];
1077 }
1078 return 5;
1079 }
1080 case APFProtocol.CHANNEL_WINDOW_ADJUST:
1081 {
1082 if (len < 9) return 0;
1083 var RecipientChannel = common.ReadInt(data, 1);
1084 var ByteToAdd = common.ReadInt(data, 5);
1085 var cirachannel = socket.tag.channels[RecipientChannel];
1086 if (cirachannel == null) { console.log("MPS Error in CHANNEL_WINDOW_ADJUST: Unable to find channelid " + RecipientChannel); return 9; }
1087 cirachannel.sendcredits += ByteToAdd;
1088 parent.debug('mpscmd', '--> CHANNEL_WINDOW_ADJUST', RecipientChannel, ByteToAdd, cirachannel.sendcredits);
1089 if (cirachannel.state == 2 && cirachannel.sendBuffer != null) {
1090 // Compute how much data we can send
1091 if (cirachannel.sendBuffer.length <= cirachannel.sendcredits) {
1092 // Send the entire pending buffer
1093 SendChannelData(cirachannel.socket, cirachannel.amtchannelid, cirachannel.sendBuffer);
1094 cirachannel.sendcredits -= cirachannel.sendBuffer.length;
1095 delete cirachannel.sendBuffer;
1096 if (cirachannel.onSendOk) { cirachannel.onSendOk(cirachannel); }
1097 } else {
1098 // Send a part of the pending buffer
1099 SendChannelData(cirachannel.socket, cirachannel.amtchannelid, cirachannel.sendBuffer.slice(0, cirachannel.sendcredits));
1100 cirachannel.sendBuffer = cirachannel.sendBuffer.slice(cirachannel.sendcredits);
1101 cirachannel.sendcredits = 0;
1102 }
1103 }
1104 return 9;
1105 }
1106 case APFProtocol.CHANNEL_DATA:
1107 {
1108 if (len < 9) return 0;
1109 var RecipientChannel = common.ReadInt(data, 1);
1110 var LengthOfData = common.ReadInt(data, 5);
1111 if (SourceLen > 1048576) return -1;
1112 if (len < (9 + LengthOfData)) return 0;
1113 parent.debug('mpscmddata', '--> CHANNEL_DATA', RecipientChannel, LengthOfData);
1114 var cirachannel = socket.tag.channels[RecipientChannel];
1115 if (cirachannel == null) { console.log("MPS Error in CHANNEL_DATA: Unable to find channelid " + RecipientChannel); return 9 + LengthOfData; }
1116 if (cirachannel.state > 0) {
1117 cirachannel.amtpendingcredits += LengthOfData;
1118 if (cirachannel.onData) { cirachannel.onData(cirachannel, Buffer.from(data.substring(9, 9 + LengthOfData), 'binary')); }
1119 if (cirachannel.amtpendingcredits > (cirachannel.ciraWindow / 2)) {
1120 SendChannelWindowAdjust(cirachannel.socket, cirachannel.amtchannelid, cirachannel.amtpendingcredits); // Adjust the buffer window
1121 cirachannel.amtpendingcredits = 0;
1122 }
1123 }
1124 return 9 + LengthOfData;
1125 }
1126 case APFProtocol.DISCONNECT:
1127 {
1128 if (len < 7) return 0;
1129 var ReasonCode = common.ReadInt(data, 1);
1130 disconnectCommandCount++;
1131 parent.debug('mpscmd', '--> DISCONNECT', ReasonCode);
1132 removeCiraConnection(socket);
1133 return 7;
1134 }
1135 case APFProtocol.JSON_CONTROL: // This is a Mesh specific command that sends JSON to and from the MPS server.
1136 {
1137 if (len < 5) return 0;
1138 var jsondatalen = common.ReadInt(data, 1);
1139 if (jsondatalen > 1048576) return -1;
1140 if (len < (5 + jsondatalen)) return 0;
1141 var jsondata = null, jsondatastr = data.substring(5, 5 + jsondatalen);
1142 try { jsondata = JSON.parse(jsondatastr); } catch (ex) { }
1143 if ((jsondata == null) || (typeof jsondata.action != 'string')) return;
1144 parent.debug('mpscmd', '--> JSON_CONTROL', jsondata.action);
1145 switch (jsondata.action) {
1146 case 'connType':
1147 if ((socket.tag.connType != 0) || (socket.tag.SystemId != null)) return; // Once set, the connection type can't be changed.
1148 if (typeof jsondata.value != 'number') return;
1149 socket.tag.connType = jsondata.value; // 0 = CIRA, 1 = Relay, 2 = LMS
1150 //obj.SendJsonControl(socket, { action: 'mestate' }); // Request an MEI state refresh
1151 break;
1152 case 'meiState':
1153 if (socket.tag.connType != 2) break; // Only accept MEI state on CIRA-LMS connection
1154 socket.tag.meiState = jsondata.value;
1155 if (((socket.tag.name == '') || (socket.tag.name == null)) && (typeof jsondata.value.OsHostname == 'string')) { socket.tag.name = jsondata.value.OsHostname; }
1156 if (obj.parent.amtManager != null) { obj.parent.amtManager.mpsControlMessage(socket.tag.nodeid, socket, socket.tag.connType, jsondata); }
1157 break;
1158 case 'deactivate':
1159 case 'startTlsHostConfig':
1160 case 'stopConfiguration':
1161 if (socket.tag.connType != 2) break; // Only accept MEI state on CIRA-LMS connection
1162 if (obj.parent.amtManager != null) { obj.parent.amtManager.mpsControlMessage(socket.tag.nodeid, socket, socket.tag.connType, jsondata); }
1163 break;
1164 }
1165 return 5 + jsondatalen;
1166 }
1167 default:
1168 {
1169 parent.debug('mpscmd', '--> Unknown CIRA command: ' + cmd);
1170 return -1;
1171 }
1172 }
1173 }
1174
1175 // Disconnect CIRA tunnel
1176 obj.close = function (socket) {
1177 try { socket.end(); } catch (e) { try { socket.close(); } catch (e) { } }
1178 removeCiraConnection(socket);
1179 };
1180
1181 // Disconnect all CIRA tunnel for a given NodeId
1182 obj.closeAllForNode = function (nodeid) {
1183 var connections = obj.ciraConnections[nodeid];
1184 if (connections == null) return;
1185 for (var i in connections) { obj.close(connections[i]); }
1186 };
1187
1188 obj.SendJsonControl = function (socket, data) {
1189 if (socket.tag.connType == 0) return; // This command is valid only for connections that are not really CIRA.
1190 if (typeof data == 'object') { parent.debug('mpscmd', '<-- JSON_CONTROL', data.action); data = JSON.stringify(data); } else { parent.debug('mpscmd', '<-- JSON_CONTROL'); }
1191 Write(socket, String.fromCharCode(APFProtocol.JSON_CONTROL) + common.IntToStr(data.length) + data);
1192 }
1193
1194 function SendServiceAccept(socket, service) {
1195 parent.debug('mpscmd', '<-- SERVICE_ACCEPT', service);
1196 Write(socket, String.fromCharCode(APFProtocol.SERVICE_ACCEPT) + common.IntToStr(service.length) + service);
1197 }
1198
1199 function SendTcpForwardSuccessReply(socket, port) {
1200 parent.debug('mpscmd', '<-- REQUEST_SUCCESS', port);
1201 Write(socket, String.fromCharCode(APFProtocol.REQUEST_SUCCESS) + common.IntToStr(port));
1202 }
1203
1204 function SendTcpForwardCancelReply(socket) {
1205 parent.debug('mpscmd', '<-- REQUEST_SUCCESS');
1206 Write(socket, String.fromCharCode(APFProtocol.REQUEST_SUCCESS));
1207 }
1208
1209 /*
1210 function SendKeepAliveRequest(socket, cookie) {
1211 parent.debug('mpscmd', '<-- KEEPALIVE_REQUEST', cookie);
1212 Write(socket, String.fromCharCode(APFProtocol.KEEPALIVE_REQUEST) + common.IntToStr(cookie));
1213 }
1214 */
1215
1216 function SendKeepAliveReply(socket, cookie) {
1217 parent.debug('mpscmd', '<-- KEEPALIVE_REPLY', cookie);
1218 Write(socket, String.fromCharCode(APFProtocol.KEEPALIVE_REPLY) + common.IntToStr(cookie));
1219 }
1220
1221 function SendKeepaliveOptionsRequest(socket, keepaliveTime, timeout) {
1222 parent.debug('mpscmd', '<-- KEEPALIVE_OPTIONS_REQUEST', keepaliveTime, timeout);
1223 Write(socket, String.fromCharCode(APFProtocol.KEEPALIVE_OPTIONS_REQUEST) + common.IntToStr(keepaliveTime) + common.IntToStr(timeout));
1224 }
1225
1226 function SendChannelOpenFailure(socket, senderChannel, reasonCode) {
1227 parent.debug('mpscmd', '<-- CHANNEL_OPEN_FAILURE', senderChannel, reasonCode);
1228 Write(socket, String.fromCharCode(APFProtocol.CHANNEL_OPEN_FAILURE) + common.IntToStr(senderChannel) + common.IntToStr(reasonCode) + common.IntToStr(0) + common.IntToStr(0));
1229 }
1230
1231 /*
1232 function SendChannelOpenConfirmation(socket, recipientChannelId, senderChannelId, initialWindowSize) {
1233 parent.debug('mpscmd', '<-- CHANNEL_OPEN_CONFIRMATION', recipientChannelId, senderChannelId, initialWindowSize);
1234 Write(socket, String.fromCharCode(APFProtocol.CHANNEL_OPEN_CONFIRMATION) + common.IntToStr(recipientChannelId) + common.IntToStr(senderChannelId) + common.IntToStr(initialWindowSize) + common.IntToStr(-1));
1235 }
1236 */
1237
1238 function SendChannelOpen(socket, direct, channelid, windowsize, target, targetport, source, sourceport) {
1239 var connectionType = ((direct == true) ? 'direct-tcpip' : 'forwarded-tcpip');
1240 if ((target == null) || (target == null)) target = ''; // TODO: Reports of target being undefined that causes target.length to fail. This is a hack.
1241 parent.debug('mpscmd', '<-- CHANNEL_OPEN', connectionType, channelid, windowsize, target + ':' + targetport, source + ':' + sourceport);
1242 Write(socket, String.fromCharCode(APFProtocol.CHANNEL_OPEN) + common.IntToStr(connectionType.length) + connectionType + common.IntToStr(channelid) + common.IntToStr(windowsize) + common.IntToStr(-1) + common.IntToStr(target.length) + target + common.IntToStr(targetport) + common.IntToStr(source.length) + source + common.IntToStr(sourceport));
1243 }
1244
1245 function SendChannelClose(socket, channelid) {
1246 parent.debug('mpscmd', '<-- CHANNEL_CLOSE', channelid);
1247 Write(socket, String.fromCharCode(APFProtocol.CHANNEL_CLOSE) + common.IntToStr(channelid));
1248 }
1249
1250 // Send a buffer to a given channel
1251 function SendChannelData(socket, channelid, data) {
1252 parent.debug('mpscmddata', '<-- CHANNEL_DATA', channelid, data.length);
1253 const buf = Buffer.alloc(9 + data.length);
1254 buf[0] = APFProtocol.CHANNEL_DATA; // CHANNEL_DATA
1255 buf.writeInt32BE(channelid, 1); // ChannelID
1256 buf.writeInt32BE(data.length, 5); // Data Length
1257 data.copy(buf, 9, 0);
1258 WriteBuffer(socket, buf);
1259 }
1260
1261 function SendChannelWindowAdjust(socket, channelid, bytestoadd) {
1262 parent.debug('mpscmd', '<-- CHANNEL_WINDOW_ADJUST', channelid, bytestoadd);
1263 Write(socket, String.fromCharCode(APFProtocol.CHANNEL_WINDOW_ADJUST) + common.IntToStr(channelid) + common.IntToStr(bytestoadd));
1264 }
1265
1266 /*
1267 function SendDisconnect(socket, reasonCode) {
1268 parent.debug('mpscmd', '<-- DISCONNECT', reasonCode);
1269 Write(socket, String.fromCharCode(APFProtocol.DISCONNECT) + common.IntToStr(reasonCode) + common.ShortToStr(0));
1270 }
1271 */
1272
1273 function SendUserAuthFail(socket) {
1274 parent.debug('mpscmd', '<-- USERAUTH_FAILURE');
1275 Write(socket, String.fromCharCode(APFProtocol.USERAUTH_FAILURE) + common.IntToStr(8) + 'password' + common.ShortToStr(0));
1276 }
1277
1278 function SendUserAuthSuccess(socket) {
1279 parent.debug('mpscmd', '<-- USERAUTH_SUCCESS');
1280 Write(socket, String.fromCharCode(APFProtocol.USERAUTH_SUCCESS));
1281 }
1282
1283 // Send a string or buffer
1284 function Write(socket, data) {
1285 try {
1286 if (args.mpsdebug) {
1287 // Print out sent bytes
1288 var buf = Buffer.from(data, 'binary');
1289 console.log('MPS --> (' + buf.length + '):' + buf.toString('hex'));
1290 if (socket.websocket == 1) { socket.send(buf); } else { socket.write(buf); }
1291 } else {
1292 if (socket.websocket == 1) { socket.send(Buffer.from(data, 'binary')); } else { socket.write(Buffer.from(data, 'binary')); }
1293 }
1294 } catch (ex) { }
1295 }
1296
1297 // Send a buffer
1298 function WriteBuffer(socket, data) {
1299 try {
1300 if (args.mpsdebug) { console.log('MPS --> (' + buf.length + '):' + data.toString('hex')); } // Print out sent bytes
1301 if (socket.websocket == 1) { socket.send(data); } else { socket.write(data); }
1302 } catch (ex) { }
1303 }
1304
1305 // Returns a CIRA/Relay/LMS connection to a nodeid, use the best possible connection, CIRA first, Relay second, LMS third.
1306 // if oob is set to true, don't allow an LMS connection.
1307 obj.GetConnectionToNode = function (nodeid, targetport, oob) {
1308 var connectionArray = obj.ciraConnections[nodeid];
1309 if (connectionArray == null) return null;
1310 var selectConn = null;
1311 // Select the best connection, which is the one with the lowest connType value.
1312 for (var i in connectionArray) {
1313 var conn = connectionArray[i];
1314 if ((oob === true) && (conn.tag.connType == 2)) continue; // If an OOB connection is required, don't allow LMS connections.
1315 if ((typeof oob === 'number') && (conn.tag.connType !== oob)) continue; // if OOB specifies an exact connection type, filter on this type.
1316 if ((targetport != null) && (conn.tag.boundPorts.indexOf(targetport) == -1)) continue; // This connection does not route to the target port.
1317 if ((selectConn == null) || (conn.tag.connType < selectConn.tag.connType)) { selectConn = conn; }
1318 }
1319 return selectConn;
1320 }
1321
1322 // Setup a new channel to a nodeid, use the best possible connection, CIRA first, Relay second, LMS third.
1323 // if oob is set to true, don't allow an LMS connection.
1324 obj.SetupChannelToNode = function (nodeid, targetport, oob) {
1325 var conn = obj.GetConnectionToNode(nodeid, targetport, oob);
1326 if (conn == null) return null;
1327 return obj.SetupChannel(conn, targetport);
1328 }
1329
1330 // Setup a new channel
1331 obj.SetupChannel = function (socket, targetport) {
1332 var sourceport = (socket.tag.nextsourceport++ % 30000) + 1024;
1333 var cirachannel = { targetport: targetport, channelid: socket.tag.nextchannelid++, socket: socket, state: 1, sendcredits: 0, amtpendingcredits: 0, amtCiraWindow: 0, ciraWindow: 32768 };
1334 SendChannelOpen(socket, false, cirachannel.channelid, cirachannel.ciraWindow, socket.tag.host, targetport, '1.2.3.4', sourceport);
1335
1336 // This function writes data to this CIRA channel
1337 cirachannel.write = function (data) {
1338 if (cirachannel.state == 0) return false;
1339 if (typeof data == 'string') { data = Buffer.from(data, 'binary'); } // Make sure we always handle buffers when sending data.
1340 if (cirachannel.state == 1 || cirachannel.sendcredits == 0 || cirachannel.sendBuffer != null) {
1341 // Channel is connected, but we are out of credits. Add the data to the outbound buffer.
1342 if (cirachannel.sendBuffer == null) { cirachannel.sendBuffer = data; } else { cirachannel.sendBuffer = Buffer.concat([cirachannel.sendBuffer, data]); }
1343 return true;
1344 }
1345 // Compute how much data we can send
1346 if (data.length <= cirachannel.sendcredits) {
1347 // Send the entire message
1348 SendChannelData(cirachannel.socket, cirachannel.amtchannelid, data);
1349 cirachannel.sendcredits -= data.length;
1350 return true;
1351 }
1352 // Send a part of the message
1353 cirachannel.sendBuffer = data.slice(cirachannel.sendcredits);
1354 SendChannelData(cirachannel.socket, cirachannel.amtchannelid, data.slice(0, cirachannel.sendcredits));
1355 cirachannel.sendcredits = 0;
1356 return false;
1357 };
1358
1359 // This function closes this CIRA channel
1360 cirachannel.close = function () {
1361 if (cirachannel.state == 0 || cirachannel.closing == 1) return;
1362 if (cirachannel.state == 1) { cirachannel.closing = 1; cirachannel.state = 0; if (cirachannel.onStateChange) { cirachannel.onStateChange(cirachannel, cirachannel.state); } return; }
1363 cirachannel.state = 0;
1364 cirachannel.closing = 1;
1365 SendChannelClose(cirachannel.socket, cirachannel.amtchannelid);
1366 if (cirachannel.onStateChange) { cirachannel.onStateChange(cirachannel, cirachannel.state); }
1367 };
1368
1369 socket.tag.channels[cirachannel.channelid] = cirachannel;
1370 return cirachannel;
1371 };
1372
1373 // Change a node to a new meshid, this is called when a node changes groups.
1374 obj.changeDeviceMesh = function (nodeid, newMeshId) {
1375 var connectionArray = obj.ciraConnections[nodeid];
1376 if (connectionArray == null) return;
1377 for (var i in connectionArray) {
1378 var socket = connectionArray[i];
1379 if ((socket != null) && (socket.tag != null)) { socket.tag.meshid = newMeshId; }
1380 }
1381 }
1382
1383 // Called when handling incoming HTTP data
1384 function onHttpData(data) {
1385 if (this.xdata == null) { this.xdata = data; } else { this.xdata += data; }
1386 var headersize = this.xdata.indexOf('\r\n\r\n');
1387 if (headersize < 0) { if (this.xdata.length > 4096) { this.end(); } return; }
1388 var headers = this.xdata.substring(0, headersize).split('\r\n');
1389 if (headers.length < 1) { this.end(); return; }
1390 var headerObj = {};
1391 for (var i = 1; i < headers.length; i++) { var j = headers[i].indexOf(': '); if (i > 0) { headerObj[headers[i].substring(0, j).toLowerCase()] = headers[i].substring(j + 2); } }
1392 var hostHeader = (headerObj['host'] != null) ? ('Host: ' + headerObj['host'] + '\r\n') : '';
1393 var directives = headers[0].split(' ');
1394 if ((directives.length != 3) || ((directives[0] != 'GET') && (directives[0] != 'HEAD'))) { this.end(); return; }
1395 //console.log('WebServer, request', directives[0], directives[1]);
1396 var responseCode = 404, responseType = 'application/octet-stream', responseData = '', r = null;
1397
1398 // Check if this is a cookie request
1399 if (directives[1].startsWith('/c/')) {
1400 var cookie = obj.parent.decodeCookie(directives[1].substring(3).split('.')[0], obj.parent.loginCookieEncryptionKey, 30); // 30 minute timeout
1401 if ((cookie != null) && (cookie.a == 'f') && (typeof cookie.f == 'string')) {
1402 // Send the file header and pipe the rest of the file
1403 var filestats = null;
1404 try { filestats = obj.fs.statSync(cookie.f); } catch (ex) { }
1405 if ((filestats == null) || (typeof filestats.size != 'number') || (filestats.size <= 0)) {
1406 responseCode = 404; responseType = 'text/html'; responseData = 'File not found';
1407 } else {
1408 this.write('HTTP/1.1 200 OK\r\n' + hostHeader + 'Content-Type: ' + responseType + '\r\nConnection: keep-alive\r\nCache-Control: no-cache\r\nContent-Length: ' + filestats.size + '\r\n\r\n');
1409 if (directives[0] == 'GET') { obj.fs.createReadStream(cookie.f, { flags: 'r' }).pipe(this); }
1410 delete this.xdata;
1411 return;
1412 }
1413 }
1414 } else {
1415 // Check if we have a preset response
1416 if (obj.httpResponses != null) { r = obj.httpResponses[directives[1]]; }
1417 if ((r != null) && (r.maxtime != null) && (r.maxtime < Date.now())) { r = null; delete obj.httpResponses[directives[1]]; } // Check if this entry is expired.
1418 if (r != null) {
1419 if (typeof r == 'string') {
1420 responseCode = 200; responseType = 'text/html'; responseData = r;
1421 } else if (typeof r == 'object') {
1422 responseCode = 200;
1423 if (r.type) { responseType = r.type; }
1424 if (r.data) { responseData = r.data; }
1425 if (r.shortfile) { try { responseData = obj.fs.readFileSync(r.shortfile); } catch (ex) { responseCode = 404; responseType = 'text/html'; responseData = 'File not found'; } }
1426 if (r.file) {
1427 // Send the file header and pipe the rest of the file
1428 var filestats = null;
1429 try { filestats = obj.fs.statSync(r.file); } catch (ex) { }
1430 if ((filestats == null) || (typeof filestats.size != 'number') || (filestats.size <= 0)) {
1431 responseCode = 404; responseType = 'text/html'; responseData = 'File not found';
1432 } else {
1433 this.write('HTTP/1.1 200 OK\r\n' + hostHeader + 'Content-Type: ' + responseType + '\r\nConnection: keep-alive\r\nCache-Control: no-cache\r\nContent-Length: ' + filestats.size + '\r\n\r\n');
1434 if (directives[0] == 'GET') {
1435 obj.fs.createReadStream(r.file, { flags: 'r' }).pipe(this);
1436 if (typeof r.maxserve == 'number') { r.maxserve--; if (r.maxserve == 0) { delete obj.httpResponses[directives[1]]; } } // Check if this entry was server the maximum amount of times.
1437 }
1438 delete this.xdata;
1439 return;
1440 }
1441 }
1442 }
1443 } else {
1444 responseType = 'text/html';
1445 responseData = 'Invalid request';
1446 }
1447 }
1448 this.write('HTTP/1.1 ' + responseCode + ' OK\r\n' + hostHeader + 'Connection: keep-alive\r\nCache-Control: no-cache\r\nContent-Type: ' + responseType + '\r\nContent-Length: ' + responseData.length + '\r\n\r\n');
1449 this.write(responseData);
1450 delete this.xdata;
1451 }
1452
1453 // Called when handling HTTP data and the socket closes
1454 function onHttpClose() { }
1455
1456 // Add a HTTP file response
1457 obj.addHttpFileResponse = function (path, file, maxserve, minutes) {
1458 var r = { file: file };
1459 if (typeof maxserve == 'number') { r.maxserve = maxserve; }
1460 if (typeof minutes == 'number') { r.maxtime = Date.now() + (60000 * minutes); }
1461 obj.httpResponses[path] = r;
1462
1463 // Clean up any expired files
1464 const now = Date.now();
1465 for (var i in obj.httpResponses) { if ((obj.httpResponses[i].maxtime != null) && (obj.httpResponses[i].maxtime < now)) { delete obj.httpResponses[i]; } }
1466 }
1467
1468 // Drop all CIRA connections
1469 obj.dropAllConnections = function () {
1470 var dropCount = 0;
1471 for (var nodeid in obj.ciraConnections) {
1472 const connections = obj.ciraConnections[nodeid];
1473 for (var i in connections) { if (connections[i].end) { connections[i].end(); dropCount++; } } // This will drop all TCP CIRA connections
1474 }
1475 return dropCount;
1476 }
1477
1478 function guidToStr(g) { return g.substring(6, 8) + g.substring(4, 6) + g.substring(2, 4) + g.substring(0, 2) + "-" + g.substring(10, 12) + g.substring(8, 10) + "-" + g.substring(14, 16) + g.substring(12, 14) + "-" + g.substring(16, 20) + "-" + g.substring(20); }
1479
1480 // Clean a IPv6 address that encodes a IPv4 address
1481 function cleanRemoteAddr(addr) { if (typeof addr != 'string') { return null; } if (addr.indexOf('::ffff:') == 0) { return addr.substring(7); } else { return addr; } }
1482
1483 // Example, this will add a file to stream, served 2 times max and 3 minutes max.
1484 //obj.addHttpFileResponse('/a.png', 'c:\\temp\\MC2-LetsEncrypt.png', 2, 3);
1485
1486 return obj;
1487};