diff --git a/CMakeLists.txt b/CMakeLists.txt index 2a85cb9..08eb8ea 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -98,6 +98,8 @@ add_executable (rpc commands.cpp activation.h activation.cpp + shbc.h + shbc.cpp heartbeat.h heartbeat.cpp lms.h diff --git a/MicroLMS/heci/PTHICommand.c b/MicroLMS/heci/PTHICommand.c index 807bd70..110d1ca 100644 --- a/MicroLMS/heci/PTHICommand.c +++ b/MicroLMS/heci/PTHICommand.c @@ -171,6 +171,10 @@ const PTHI_MESSAGE_HEADER GET_UUID_REQUEST_HEADER = { {AMT_MAJOR_VERSION, AMT_MINOR_VERSION}, 0, {{GET_UUID_REQUEST}}, 0 }; +const PTHI_MESSAGE_HEADER GET_START_CONFIG_HBASED_REQUEST_HEADER = { + {AMT_MAJOR_VERSION, AMT_MINOR_VERSION}, 0, {{GET_START_CONFIG_HBASED_REQUEST}}, 396 +}; + AMT_STATUS _call(const unsigned char *command, UINT32 command_size, UINT8 **readBuffer, UINT32 rcmd, unsigned int expSize) { UINT32 inBuffSize; @@ -1502,4 +1506,43 @@ AMT_STATUS pthi_GetUUID(AMT_UUID *uuid) return status; } +/* + * Start Configuration Host Based + * Arguments: + * request - host based configuration input parameters provided by the caller + * response - host based configuration output parameters returned to the caller + * Return values: (A status code returned in a response message that indicates whether the operation specified in the corresponding request message succeeded or failed. If the operation failed, this code indicates the specific reason for failure. Possible values described below.) + * AMT_STATUS_SUCCESS - Request succeeded. + * AMT_STATUS_INTERNAL_ERROR - An internal error to the AMT device has occurred. This may indicate an interface error, or a AMT application error. + * AMT_STATUS_INVALID_MESSAGE_LENGTH - Length field of header is invalid. + * + */ +AMT_STATUS pthi_StartConfigHBased(CFG_START_CONFIG_HBASED_REQUEST_INFO *request, CFG_START_CONFIG_HBASED_RESPONSE_INFO *response) +{ + UINT8* readBuffer = NULL; + UINT32 command_size = sizeof(CFG_START_CONFIG_HBASED_REQUEST); + unsigned char command[sizeof(CFG_START_CONFIG_HBASED_REQUEST)]; + AMT_STATUS status; + CFG_START_CONFIG_HBASED_RESPONSE* tmp_response; + + memset(command, 0, sizeof(CFG_START_CONFIG_HBASED_REQUEST)); + memcpy_s(command, sizeof(command), (char*)&(GET_START_CONFIG_HBASED_REQUEST_HEADER), sizeof(GET_START_CONFIG_HBASED_REQUEST_HEADER)); + + ((CFG_START_CONFIG_HBASED_REQUEST*)command)->Info.ServerHashAlgorithm = request->ServerHashAlgorithm; + ((CFG_START_CONFIG_HBASED_REQUEST*)command)->Info.HostVPNEnable = request->HostVPNEnable; + ((CFG_START_CONFIG_HBASED_REQUEST*)command)->Info.SuffixListLen = request->SuffixListLen; + memcpy_s(((CFG_START_CONFIG_HBASED_REQUEST*)command)->Info.ServerCertHash, 64, request->ServerCertHash, 64); + memcpy_s(((CFG_START_CONFIG_HBASED_REQUEST*)command)->Info.NetworkDnsSuffixList, 320, request->NetworkDnsSuffixList, 320); + + status = _call(command, command_size, &readBuffer, GET_START_CONFIG_HBASED_RESPONSE, sizeof(CFG_START_CONFIG_HBASED_RESPONSE)); + + if (status == AMT_STATUS_SUCCESS) + { + tmp_response = (CFG_START_CONFIG_HBASED_RESPONSE*)readBuffer; + memcpy_s(response, sizeof(CFG_START_CONFIG_HBASED_RESPONSE_INFO), &(tmp_response->Info), sizeof(CFG_START_CONFIG_HBASED_RESPONSE_INFO)); + } + if (readBuffer != NULL) free(readBuffer); + return status; +} + #endif diff --git a/MicroLMS/heci/PTHICommand.h b/MicroLMS/heci/PTHICommand.h index 8bd9e1c..825f149 100644 --- a/MicroLMS/heci/PTHICommand.h +++ b/MicroLMS/heci/PTHICommand.h @@ -479,6 +479,8 @@ typedef enum CERT_HASH_ALGORITHM_MD5 = 0, // 16 bytes CERT_HASH_ALGORITHM_SHA1, // 20 bytes CERT_HASH_ALGORITHM_SHA256, // 32 bytes + CERT_HASH_ALGORITHM_SHA384, // 48 bytes + CERT_HASH_ALGORITHM_SHA224, // 28 bytes CERT_HASH_ALGORITHM_SHA512, // 64 bytes } CERT_HASH_ALGORITHM; @@ -664,6 +666,36 @@ typedef struct _CFG_GET_UUID_RESPONSE AMT_UUID UUID; } CFG_GET_UUID_RESPONSE; +typedef struct _CFG_START_CONFIG_HBASED_REQUEST_INFO +{ + CERT_HASH_ALGORITHM ServerHashAlgorithm; + UINT8 ServerCertHash[CERT_HASH_MAX_LENGTH]; + AMT_BOOLEAN HostVPNEnable; + UINT32 SuffixListLen; + CHAR NetworkDnsSuffixList[320]; + +} CFG_START_CONFIG_HBASED_REQUEST_INFO; + +typedef struct _CFG_START_CONFIG_HBASED_REQUEST +{ + PTHI_MESSAGE_HEADER Header; + CFG_START_CONFIG_HBASED_REQUEST_INFO Info; + +} CFG_START_CONFIG_HBASED_REQUEST; + +typedef struct _CFG_START_CONFIG_HBASED_RESPONSE_INFO +{ + UINT8 HashAlgorithm; + UINT8 AMTCertHash[CERT_HASH_MAX_LENGTH]; +} CFG_START_CONFIG_HBASED_RESPONSE_INFO; + + +typedef struct _CFG_START_CONFIG_HBASED_RESPONSE +{ + PTHI_RESPONSE_MESSAGE_HEADER Header; + CFG_START_CONFIG_HBASED_RESPONSE_INFO Info; +} CFG_START_CONFIG_HBASED_RESPONSE; + #pragma pack() @@ -701,6 +733,7 @@ AMT_STATUS pthi_Unprovision(CFG_PROVISIONING_MODE provisionMode); AMT_STATUS pthi_GetStateEHBC(AMT_EHBC_STATE *state); AMT_STATUS pthi_GetControlMode(int *state); AMT_STATUS pthi_GetUUID(AMT_UUID *uuid); +AMT_STATUS pthi_StartConfigHBased(CFG_START_CONFIG_HBASED_REQUEST_INFO* request, CFG_START_CONFIG_HBASED_RESPONSE_INFO* response); #define PROVISIONING_MODE_REQUEST 0x04000008 #define PROVISIONING_MODE_RESPONSE 0x04800008 @@ -831,6 +864,9 @@ const PTHI_MESSAGE_HEADER GET_CONTROL_MODE_HEADER; #define GET_UUID_REQUEST 0x400005c #define GET_UUID_RESPONSE 0x480005c +#define GET_START_CONFIG_HBASED_REQUEST 0x400008b +#define GET_START_CONFIG_HBASED_RESPONSE 0x480008b + #endif #endif diff --git a/commands.cpp b/commands.cpp index f68b675..2b67ed0 100644 --- a/commands.cpp +++ b/commands.cpp @@ -415,3 +415,80 @@ bool cmd_get_lan_interface_settings(lan_interface_settings& lan_interface_settin return false; } + +bool cmd_start_config_host_based(config_host_based_settings& server_cert, config_host_based_settings& amt_cert) +{ + // initialize HECI interface + if (heci_Init(NULL, PTHI_CLIENT) == 0) return false; + + CFG_START_CONFIG_HBASED_REQUEST_INFO request; + CFG_START_CONFIG_HBASED_RESPONSE_INFO response; + + memset(&request, 0, sizeof(CFG_START_CONFIG_HBASED_REQUEST_INFO)); + memset(&response, 0, sizeof(CFG_START_CONFIG_HBASED_RESPONSE_INFO)); + + if (server_cert.algorithm == "MD5") + { + request.ServerHashAlgorithm = CERT_HASH_ALGORITHM_MD5; + } + else if (server_cert.algorithm == "SHA1") + { + request.ServerHashAlgorithm = CERT_HASH_ALGORITHM_SHA1; + } + else if (server_cert.algorithm == "SHA256") + { + request.ServerHashAlgorithm = CERT_HASH_ALGORITHM_SHA256; + } + else if (server_cert.algorithm == "SHA512") + { + request.ServerHashAlgorithm = CERT_HASH_ALGORITHM_SHA512; + } + else + { + return false; + } + + int hashSize; + std::vector cert_bytes; + util_hex_string_to_bytes(server_cert.hash, cert_bytes); + std::copy(std::begin(cert_bytes), std::end(cert_bytes), request.ServerCertHash); + + // start secure host based configuration + AMT_STATUS amt_status = pthi_StartConfigHBased(&request, &response); + + if (amt_status == 0) + { + switch (response.HashAlgorithm) + { + case CERT_HASH_ALGORITHM_MD5: + amt_cert.algorithm = "MD5"; + hashSize = 16; + break; + case CERT_HASH_ALGORITHM_SHA1: + amt_cert.algorithm = "SHA1"; + hashSize = 20; + break; + case CERT_HASH_ALGORITHM_SHA256: + amt_cert.algorithm = "SHA256"; + hashSize = 32; + break; + case CERT_HASH_ALGORITHM_SHA512: + amt_cert.algorithm = "SHA512"; + hashSize = 64; + break; + default: + case CERT_HASH_ALGORITHM_SHA384: + case CERT_HASH_ALGORITHM_SHA224: + return false; + } + + std::vector hash; + hash.resize(hashSize); + std::copy(response.AMTCertHash, response.AMTCertHash + hashSize, std::begin(hash)); + util_bytes_to_hex_string(hash, amt_cert.hash); + + return true; + } + + return false; +} diff --git a/commands.h b/commands.h index b9ad220..e9809d1 100644 --- a/commands.h +++ b/commands.h @@ -37,6 +37,12 @@ struct fqdn_settings std::string fqdn; }; +struct config_host_based_settings +{ + std::string hash; + std::string algorithm; +}; + bool cmd_is_admin(); bool cmd_get_version(std::string& version); bool cmd_get_build_number(std::string& version); @@ -50,5 +56,6 @@ bool cmd_get_wired_mac_address(std::vector& address); bool cmd_get_certificate_hashes(std::vector& hash_entries); bool cmd_get_remote_access_connection_status(int& network_status, int& remote_status, int& remote_trigger, std::string& mps_hostname); bool cmd_get_lan_interface_settings(lan_interface_settings& lan_interface_settings, bool wired_interface = true); +bool cmd_start_config_host_based(config_host_based_settings& server_cert, config_host_based_settings& amt_cert); #endif \ No newline at end of file diff --git a/lms.cpp b/lms.cpp index 5599dd3..13044f0 100644 --- a/lms.cpp +++ b/lms.cpp @@ -15,13 +15,22 @@ #include #endif -SOCKET lms_connect() +SOCKET lms_connect(bool securePort) { std::string lmsAddress = "localhost"; - std::string lmsPort = "16992"; + std::string lmsPort; SOCKET s = INVALID_SOCKET; struct addrinfo *addr, hints; + if (securePort) + { + lmsPort = "16993"; + } + else + { + lmsPort = "16992"; + } + #ifdef _WIN32 WSADATA wsa; if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) diff --git a/lms.h b/lms.h index 9f51f55..ac43f0c 100644 --- a/lms.h +++ b/lms.h @@ -28,6 +28,6 @@ static inline int closesocket(int fd) #define SD_BOTH SHUT_RDWR #endif -SOCKET lms_connect(); +SOCKET lms_connect(bool securePort = false); #endif \ No newline at end of file diff --git a/main.cpp b/main.cpp index 3c5497a..300268c 100644 --- a/main.cpp +++ b/main.cpp @@ -11,6 +11,7 @@ #include "lms.h" #include "commands.h" #include "activation.h" +#include "shbc.h" #include "heartbeat.h" #include "utils.h" #include "usage.h" @@ -62,6 +63,7 @@ int main(int argc, char* argv[]) std::string arg_info; bool arg_verbose = false; bool arg_nocertcheck = false; + bool secureHostBasedConfig = false; if (argc == 1) { @@ -185,7 +187,7 @@ int main(int argc, char* argv[]) memset(&lms_socket, 0, sizeof(SOCKET)); // set receive handler - client.set_message_handler([&client, &mx, &cv, &lms_socket, arg_verbose](web::websockets::client::websocket_incoming_message ret_msg) + client.set_message_handler([&client, &mx, &cv, &lms_socket, arg_verbose, &secureHostBasedConfig](web::websockets::client::websocket_incoming_message ret_msg) { // kick the timer std::chrono::time_point now = std::chrono::system_clock::now(); @@ -262,6 +264,57 @@ int main(int argc, char* argv[]) return; } + if (msgMethod.compare("secure_config_request") == 0) + { + std::string certAlgo; + std::string certHash; + + // get server configuration + try + { + tmp = parsed[U("payload")].as_string(); + web::json::value parsed_cert_info = web::json::value::parse(tmp); + + out = parsed_cert_info[U("algorithm")].as_string(); + certAlgo = utility::conversions::to_utf8string(out); + + out = parsed_cert_info[U("hash")].as_string(); + certHash = utility::conversions::to_utf8string(out); + } + catch (...) + { + std::cerr << std::endl << "JSON format error. Unable to parse message." << std::endl; + return; + } + + // send secure config request + config_host_based_settings server_cert; + config_host_based_settings amt_cert; + server_cert.algorithm = certAlgo; + server_cert.hash = certHash; + if (cmd_start_config_host_based(server_cert, amt_cert)) + { + // create the response + std::string response; + if (!shbc_create_response(amt_cert.algorithm, amt_cert.hash, response)) return; + + // send it + web::websockets::client::websocket_outgoing_message send_websocket_msg; + std::string send_websocket_buffer(response); + send_websocket_msg.set_utf8_message(send_websocket_buffer); + client.send(send_websocket_msg).wait(); + + // use secure host post for LMS going forward + secureHostBasedConfig = true; + + return; + + } + + return; + } + + // process any messages we can // - if success, done // - if error, get out @@ -312,7 +365,7 @@ int main(int argc, char* argv[]) try { // conntect to lms - lms_socket = lms_connect(); + lms_socket = lms_connect(secureHostBasedConfig); } catch (...) { diff --git a/shbc.cpp b/shbc.cpp new file mode 100644 index 0000000..3c0d273 --- /dev/null +++ b/shbc.cpp @@ -0,0 +1,72 @@ +/********************************************************************* +* Copyright (c) Intel Corporation 2019 - 2020 +* SPDX-License-Identifier: Apache-2.0 +**********************************************************************/ + +#include "activation.h" +#include +#include +#include +#include +#include +#include "version.h" +#include "commands.h" +#include "network.h" +#include "utils.h" + +bool get_response_payload(std::string cert_algo, std::string cert_hash, web::json::value& payload) +{ + web::json::value value; + utility::string_t tmp; + web::json::value configParams; + + // get client string + tmp = utility::conversions::convertstring(cert_algo); + configParams[U("algorithm")] = web::json::value::string(tmp); + + // get certificate hashes + tmp = utility::conversions::convertstring(cert_hash); + configParams[U("hash")] = web::json::value::string(tmp); + + payload = configParams; + + return true; +} + +bool shbc_create_response(std::string cert_algo, std::string cert_hash, std::string& response) +{ + web::json::value msg; + + utility::string_t tmp = utility::conversions::convertstring("secure_config_response"); + msg[U("method")] = web::json::value::string(tmp); + + tmp = utility::conversions::convertstring(""); + msg[U("apiKey")] = web::json::value::string(tmp); + + tmp = utility::conversions::convertstring(PROJECT_VER); + msg[U("appVersion")] = web::json::value::string(tmp); + + tmp = utility::conversions::convertstring(PROTOCOL_VERSION); + msg[U("protocolVersion")] = web::json::value::string(tmp); + + tmp = utility::conversions::convertstring(""); + msg[U("status")] = web::json::value::string(tmp); + + tmp = utility::conversions::convertstring(""); + msg[U("message")] = web::json::value::string(tmp); + + // get the activation payload + web::json::value responsePayload; + if (!get_response_payload(cert_algo, cert_hash, responsePayload)) return false; + + // serialize payload + std::string serializedPayload = utility::conversions::to_utf8string(responsePayload.serialize()); + std::string encodedPayload = util_encode_base64(serializedPayload); + utility::string_t payload = utility::conversions::to_string_t(encodedPayload); + msg[U("payload")] = web::json::value::string(payload); + + // serialize the entire message + response = utility::conversions::to_utf8string(msg.serialize()); + + return true; +} \ No newline at end of file diff --git a/shbc.h b/shbc.h new file mode 100644 index 0000000..73d5b99 --- /dev/null +++ b/shbc.h @@ -0,0 +1,19 @@ +/********************************************************************* +* Copyright (c) Intel Corporation 2019 - 2020 +* SPDX-License-Identifier: Apache-2.0 +**********************************************************************/ + +#ifndef __SHBC_H__ +#define __SHBC_H__ + +#include + +#ifdef _WIN32 +#define convertstring to_utf16string +#else +#define convertstring to_utf8string +#endif + +bool shbc_create_response(std::string cert_algo, std::string cert_hash, std::string& response); + +#endif \ No newline at end of file diff --git a/utils.cpp b/utils.cpp index 345b2b5..c8a9e02 100644 --- a/utils.cpp +++ b/utils.cpp @@ -57,3 +57,32 @@ bool util_format_uuid(std::vector uuid_bytes, std::string& uuid_s return true; } +bool util_hex_string_to_bytes(std::string hex_string, std::vector& hex_bytes) +{ + hex_bytes.clear(); + + for (int i = 0; i < hex_string.length(); i += 2) + { + std::string byte_string = hex_string.substr(i, 2); + byte_string[0] = tolower(byte_string[0]); + byte_string[1] = tolower(byte_string[1]); + unsigned char value = (char)strtol(byte_string.c_str(), NULL, 16); + hex_bytes.push_back(value); + } + + return true; +} + +bool util_bytes_to_hex_string(std::vector hex_bytes, std::string& hex_string) +{ + hex_string.clear(); + + for (unsigned char hex_char : hex_bytes) + { + char hex[10]; + snprintf(hex, 10, "%02x", hex_char); + hex_string += hex; + } + + return true; +} \ No newline at end of file diff --git a/utils.h b/utils.h index 471a947..3b48bac 100644 --- a/utils.h +++ b/utils.h @@ -13,5 +13,7 @@ std::string util_encode_base64(std::string str); std::string util_decode_base64(std::string str); bool util_is_printable(std::string str); bool util_format_uuid(std::vector uuid_bytes, std::string& uuid_string); +bool util_hex_string_to_bytes(std::string hex_string, std::vector& hex_bytes); +bool util_bytes_to_hex_string(std::vector hex_bytes, std::string& hex_string); #endif \ No newline at end of file