github
/
teleport
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge remote-tracking branch 'remotes/origin/dev' into feature/python-3.7

pull/111/head
Apex Liu 2018-09-22 02:24:39 +08:00
parent 7943f50212 e326b3ac48
commit be816eb564
28 changed files with 910 additions and 190 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -28,9 +28,9 @@ __pycache__
**/.idea/modules.xml
**/.idea/dictionaries
**/.idea/watcherTasks.xml
**/.idea/codeStyles
**/.idea/inspectionProfiles
**/.idea/vcs.xml
**/.idea/codeStyles
*.css.map

195
build/build-py-static.sh Executable file
View File

@ -0,0 +1,195 @@
#!/bin/bash
################################################################
# Basic settings.
################################################################
VER_PYTHON="3.4.4"
VER_PYTHON_SHORT="3.4"
VER_OPENSSL="1.0.2p"
VER_SQLITE="3250000"
# VER_PSUTIL="4.2.0"
VER_PYTHON_LIB="${VER_PYTHON_SHORT}m"
################################################################
# DO NOT TOUCH FOLLOWING CODE
################################################################
FILE_PYTHON_STATIC_LIB="libpython${VER_PYTHON_LIB}.a"
PATH_ROOT=$(cd "$(dirname "$0")"/..; pwd)
PATH_EXT=${PATH_ROOT}/external
PATH_DOWNLOAD=${PATH_EXT}/_download_
PATH_TMP=${PATH_EXT}/linux/tmp
PATH_FIX=${PATH_EXT}/fix-external
PATH_RELEASE=${PATH_EXT}/linux/release
PY_PATH_SRC=${PATH_TMP}/Python-${VER_PYTHON}
#PATH_SRC=${PATH_TMP}/${VER_PYTHON}
#PATH_INST=${PATH_RELEASE}/python
OSSL_PATH_SRC=${PATH_TMP}/openssl-${VER_OPENSSL}
function on_error()
{
echo -e "\033[01m\033[31m"
echo "==================[ !! ERROR !! ]=================="
echo -e $1
echo "==================================================="
echo -e "\033[0m"
exit 1
}
function setp_build_git()
{
# su -s
# yum install zlib-devel expat-devel libcurl-devel
# make prefix=/usr/local
# make prefix=/usr/local install
echo 'skip build git now.'
}
function dlfile()
{
echo -n "Downloading $1 ..."
if [ ! -f "$4/$3" ]; then
echo ""
# curl --insecure https://www.python.org/ftp/python/3.4.3/${VER_PYTHON}.tgz -o "${PATH_PYTHON}/${VER_PYTHON}.tgz"
echo wget $2$3 -O "$4/$3"
wget --no-check-certificate $2$3 -O "$4/$3"
if [ ! -f "$4/$3" ]; then
on_error "Can not download $1: $3"
fi
else
echo " already exists, skip."
fi
}
function step_download_files()
{
echo "download necessary source tarball ..."
if [ ! -d "${PATH_DOWNLOAD}" ]; then
mkdir -p "${PATH_DOWNLOAD}"
if [ ! -d "${PATH_DOWNLOAD}" ]; then
on_error "Can not create folder for download files."
fi
fi
dlfile "python source tarball" "https://www.python.org/ftp/python/${VER_PYTHON}/" "Python-${VER_PYTHON}.tgz" ${PATH_DOWNLOAD}
dlfile "openssl source tarball" "https://www.openssl.org/source/" "openssl-${VER_OPENSSL}.tar.gz" ${PATH_DOWNLOAD}
dlfile "sqlite source tarball" "http://sqlite.org/2018/" "sqlite-autoconf-${VER_SQLITE}.tar.gz" ${PATH_DOWNLOAD}
# dlfile "psutil source tarball" "https://pypi.python.org/packages/source/p/psutil/" "psutil-${VER_PSUTIL}.tar.gz" ${PATH_DOWNLOAD}
# https://pypi.python.org/pypi?:action=display&name=psutil#downloads
# echo -n "Downloading psutil source tarball ..."
# if [ ! -f "${PATH_DOWNLOAD}/psutil-${VER_PSUTIL}.tar.gz" ]; then
# echo ""
# echo "Because pypi.python.org limit, can not auto-download psutil, please visit following url:"
# echo " https://pypi.python.org/pypi?:action=display&name=psutil#downloads"
# echo "and download psutil-${VER_PSUTIL}.tar.gz and put it into folder:"
# echo " ${PATH_DOWNLOAD}"
# echo "after download, try again."
# on_error "psutil source tarball not exists."
# else
# echo " already exists, skip."
# fi
}
function step_prepare_source()
{
echo "prepare source ..."
if [ ! -d "${PATH_TMP}" ]; then
mkdir -p "${PATH_TMP}"
if [ ! -d "${PATH_TMP}" ]; then
on_error "Can not create folder for tmp files."
fi
fi
if [ ! -d "${PATH_TMP}/Python-${VER_PYTHON}" ]; then
tar -zxvf "${PATH_DOWNLOAD}/Python-${VER_PYTHON}.tgz" -C "${PATH_TMP}"
fi
if [ ! -d "${PATH_TMP}/openssl-${VER_OPENSSL}" ]; then
tar -zxvf "${PATH_DOWNLOAD}/openssl-${VER_OPENSSL}.tar.gz" -C "${PATH_TMP}"
fi
if [ ! -d "${PATH_TMP}/sqlite-autoconf-${VER_SQLITE}" ]; then
tar -zxvf "${PATH_DOWNLOAD}/sqlite-autoconf-${VER_SQLITE}.tar.gz" -C "${PATH_TMP}"
fi
# if [ ! -d "${PATH_TMP}/psutil-${VER_PSUTIL}" ]; then
# tar -zxvf "${PATH_DOWNLOAD}/psutil-${VER_PSUTIL}.tar.gz" -C "${PATH_TMP}"
# fi
# cp -r "${PATH_TMP}/psutil-${VER_PSUTIL}/psutil" "${PATH_TMP}/Python-${VER_PYTHON}/Modules/."
cp -r "${PATH_TMP}/sqlite-autoconf-${VER_SQLITE}" "${PATH_TMP}/Python-${VER_PYTHON}/Modules/_sqlite/sqlite3"
cp -r "${PATH_FIX}/Python-${VER_PYTHON}" "${PATH_TMP}"
}
function step_build_openssl()
{
echo -n "build openssl static library ..."
if [ ! -f "${PATH_RELEASE}/lib/libssl.a" ] || [ ! -f "${PATH_RELEASE}/lib/libcrypto.a" ]; then
echo ""
cd "${OSSL_PATH_SRC}"
./config -fPIC --prefix=${PATH_RELEASE} --openssldir=${PATH_RELEASE}/openssl no-zlib no-shared
make
make install
cd "${PATH_ROOT}"
if [ ! -f "${PATH_RELEASE}/lib/libssl.a" ] || [ ! -f "${PATH_RELEASE}/lib/libcrypto.a" ]; then
on_error "Build openssl failed."
fi
else
echo " already exists, skip."
fi
}
function step_build_python()
{
echo -n "build python static library ..."
if [ ! -f "${PATH_RELEASE}/lib/${FILE_PYTHON_STATIC_LIB}" ]; then
cd "${PY_PATH_SRC}"
cp "${PY_PATH_SRC}/Modules/Setup.dist" "${PY_PATH_SRC}/Modules/Setup"
LDFLAGS=-lrt ./configure --disable-shared --prefix=${PATH_RELEASE}
make
make altinstall
cd "${PATH_ROOT}"
if [ ! -f "${PATH_RELEASE}/lib/${FILE_PYTHON_STATIC_LIB}" ]; then
on_error "Build python failed."
fi
else
echo " already exists, skip."
fi
}
function step_finalize()
{
# copy psutil *.py for release.
echo "finalize ..."
if [ ! -d "${PATH_RELEASE}/lib/python${VER_PYTHON_SHORT}/site-packages" ]; then
on_error "something goes wrong."
fi
# cp -r "${PATH_FIX}/psutil-${VER_PSUTIL}/psutil" "${PATH_RELEASE}/lib/python${VER_PYTHON_SHORT}/site-packages/psutil"
}
step_download_files
step_prepare_source
step_build_openssl
step_build_python
step_finalize

7
build/builder/build-external.py
View File

@ -46,7 +46,12 @@ class BuilderBase:
self._build_openssl(file_name)
def _build_openssl(self, file_name):
cc.e("this is a pure-virtual function.")
_alt_ver = '_'.join(env.ver_openssl.split('.'))
if not utils.download_file('openssl source tarball', 'https://github.com/openssl/openssl/archive/OpenSSL_{}.zip'.format(_alt_ver), PATH_DOWNLOAD, file_name):
return False
else:
return True
# cc.e("this is a pure-virtual function.")
def build_libuv(self):
file_name = 'libuv-{}.zip'.format(env.ver_libuv)

2
build/builder/core/ver.py
View File

@ -1,3 +1,3 @@
# -*- coding: utf8 -*-
VER_TP_SERVER = "3.1.0.10"
VER_TP_SERVER = "3.1.0.10"
VER_TP_ASSIST = "3.0.1.6"

1
common/teleport/teleport_const.h
View File

@ -51,6 +51,7 @@
#define TP_SESS_STAT_ERR_RESET 7 // 会话结束因为teleport核心服务重置了
#define TP_SESS_STAT_ERR_IO 8 // 会话结束,因为网络中断
#define TP_SESS_STAT_ERR_SESSION 9 // 会话结束因为无效的会话ID
#define TP_SESS_STAT_ERR_AUTH_TYPE 10 // 会话结束,因为不被允许的认证方式
#define TP_SESS_STAT_STARTED 100 // 已经连接成功了,开始记录录像了
#define TP_SESS_STAT_ERR_START_INTERNAL 104 // 会话结束,因为内部错误
#define TP_SESS_STAT_ERR_START_BAD_PKG 106 // 会话结束,因为收到错误的报文

470
external/fix-external/mbedtls/include/mbedtls/config.h vendored Normal file → Executable file
View File

@ -1,14 +1,14 @@
/**
* \file config.h
#### v2.6.1
*
* \brief Configuration options (set of defines)
*
* This set of compile-time options may be used to enable
* or disable features selectively, and reduce the global
* memory footprint.
*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
*/
/*
* Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@ -48,10 +48,14 @@
* Requires support for asm() in compiler.
*
* Used in:
* library/aria.c
* library/timing.c
* library/padlock.c
* include/mbedtls/bn_mul.h
*
* Required by:
* MBEDTLS_AESNI_C
* MBEDTLS_PADLOCK_C
*
* Comment to disable the use of assembly code.
*/
#define MBEDTLS_HAVE_ASM
@ -84,6 +88,28 @@
*/
//#define MBEDTLS_NO_UDBL_DIVISION
/**
* \def MBEDTLS_NO_64BIT_MULTIPLICATION
*
* The platform lacks support for 32x32 -> 64-bit multiplication.
*
* Used in:
* library/poly1305.c
*
* Some parts of the library may use multiplication of two unsigned 32-bit
* operands with a 64-bit result in order to speed up computations. On some
* platforms, this is not available in hardware and has to be implemented in
* software, usually in a library provided by the toolchain.
*
* Sometimes it is not desirable to have to link to that library. This option
* removes the dependency of that library on platforms that lack a hardware
* 64-bit multiplier by embedding a software implementation in Mbed TLS.
*
* Note that depending on the compiler, this may decrease performance compared
* to using the library function provided by the toolchain.
*/
//#define MBEDTLS_NO_64BIT_MULTIPLICATION
/**
* \def MBEDTLS_HAVE_SSE2
*
@ -262,20 +288,38 @@
*
* Uncomment a macro to enable alternate implementation of the corresponding
* module.
*
* \warning MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their
* use constitutes a security risk. If possible, we recommend
* avoiding dependencies on them, and considering stronger message
* digests and ciphers instead.
*
*/
//#define MBEDTLS_AES_ALT
//#define MBEDTLS_ARC4_ALT
//#define MBEDTLS_ARIA_ALT
//#define MBEDTLS_BLOWFISH_ALT
//#define MBEDTLS_CAMELLIA_ALT
//#define MBEDTLS_CCM_ALT
//#define MBEDTLS_CHACHA20_ALT
//#define MBEDTLS_CHACHAPOLY_ALT
//#define MBEDTLS_CMAC_ALT
//#define MBEDTLS_DES_ALT
//#define MBEDTLS_XTEA_ALT
//#define MBEDTLS_DHM_ALT
//#define MBEDTLS_ECJPAKE_ALT
//#define MBEDTLS_GCM_ALT
//#define MBEDTLS_NIST_KW_ALT
//#define MBEDTLS_MD2_ALT
//#define MBEDTLS_MD4_ALT
//#define MBEDTLS_MD5_ALT
//#define MBEDTLS_POLY1305_ALT
//#define MBEDTLS_RIPEMD160_ALT
//#define MBEDTLS_RSA_ALT
//#define MBEDTLS_SHA1_ALT
//#define MBEDTLS_SHA256_ALT
//#define MBEDTLS_SHA512_ALT
//#define MBEDTLS_XTEA_ALT
/*
* When replacing the elliptic curve module, pleace consider, that it is
* implemented with two .c files:
@ -315,6 +359,12 @@
*
* Uncomment a macro to enable alternate implementation of the corresponding
* function.
*
* \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
* constitutes a security risk. If possible, we recommend avoiding
* dependencies on them, and considering stronger message digests
* and ciphers instead.
*
*/
//#define MBEDTLS_MD2_PROCESS_ALT
//#define MBEDTLS_MD4_PROCESS_ALT
@ -330,6 +380,11 @@
//#define MBEDTLS_AES_SETKEY_DEC_ALT
//#define MBEDTLS_AES_ENCRYPT_ALT
//#define MBEDTLS_AES_DECRYPT_ALT
//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT
//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT
//#define MBEDTLS_ECDSA_VERIFY_ALT
//#define MBEDTLS_ECDSA_SIGN_ALT
//#define MBEDTLS_ECDSA_GENKEY_ALT
/**
* \def MBEDTLS_ECP_INTERNAL_ALT
@ -417,12 +472,45 @@
/**
* \def MBEDTLS_AES_ROM_TABLES
*
* Store the AES tables in ROM.
* Use precomputed AES tables stored in ROM.
*
* Uncomment this macro to use precomputed AES tables stored in ROM.
* Comment this macro to generate AES tables in RAM at runtime.
*
* Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
* (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
* initialization time before the first AES operation can be performed.
* It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
* MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
* performance if ROM access is slower than RAM access.
*
* This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
*
* Uncomment this macro to store the AES tables in ROM.
*/
//#define MBEDTLS_AES_ROM_TABLES
/**
* \def MBEDTLS_AES_FEWER_TABLES
*
* Use less ROM/RAM for AES tables.
*
* Uncommenting this macro omits 75% of the AES tables from
* ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
* by computing their values on the fly during operations
* (the tables are entry-wise rotations of one another).
*
* Tradeoff: Uncommenting this reduces the RAM / ROM footprint
* by ~6kb but at the cost of more arithmetic operations during
* runtime. Specifically, one has to compare 4 accesses within
* different tables to 4 accesses with additional arithmetic
* operations within the same table. The performance gain/loss
* depends on the system and memory details.
*
* This option is independent of \c MBEDTLS_AES_ROM_TABLES.
*
*/
//#define MBEDTLS_AES_FEWER_TABLES
/**
* \def MBEDTLS_CAMELLIA_SMALL_MEMORY
*
@ -453,6 +541,20 @@
*/
#define MBEDTLS_CIPHER_MODE_CTR
/**
* \def MBEDTLS_CIPHER_MODE_OFB
*
* Enable Output Feedback mode (OFB) for symmetric ciphers.
*/
#define MBEDTLS_CIPHER_MODE_OFB
/**
* \def MBEDTLS_CIPHER_MODE_XTS
*
* Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
*/
#define MBEDTLS_CIPHER_MODE_XTS
/**
* \def MBEDTLS_CIPHER_NULL_CIPHER
*
@ -514,6 +616,9 @@
* MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
*
* Uncomment this macro to enable weak ciphersuites
*
* \warning DES is considered a weak cipher and its use constitutes a
* security risk. We recommend considering stronger ciphers instead.
*/
//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
@ -550,6 +655,7 @@
#define MBEDTLS_ECP_DP_BP384R1_ENABLED
#define MBEDTLS_ECP_DP_BP512R1_ENABLED
#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
#define MBEDTLS_ECP_DP_CURVE448_ENABLED
/**
* \def MBEDTLS_ECP_NIST_OPTIM
@ -619,6 +725,13 @@
* MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
* MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
* MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
*
* \warning Using DHE constitutes a security risk as it
* is not possible to validate custom DH parameters.
* If possible, it is recommended users should consider
* preferring other methods of key exchange.
* See dhm.h for more details.
*
*/
#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
@ -640,7 +753,7 @@
* MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
* MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
*/
//#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
@ -718,6 +831,13 @@
* MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
* MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
* MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
*
* \warning Using DHE constitutes a security risk as it
* is not possible to validate custom DH parameters.
* If possible, it is recommended users should consider
* preferring other methods of key exchange.
* See dhm.h for more details.
*
*/
#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
@ -744,7 +864,7 @@
* MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
* MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
*/
//#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
@ -768,7 +888,7 @@
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
*/
//#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
@ -792,7 +912,7 @@
* MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
*/
//#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
@ -816,7 +936,7 @@
* MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
*/
//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
@ -1009,7 +1129,8 @@
/**
* \def MBEDTLS_RSA_NO_CRT
*
* Do not use the Chinese Remainder Theorem for the RSA private operation.
* Do not use the Chinese Remainder Theorem
* for the RSA private operation.
*
* Uncomment this macro to disable the use of CRT in RSA.
*
@ -1053,6 +1174,17 @@
*/
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
/**
* \def MBEDTLS_SSL_ASYNC_PRIVATE
*
* Enable asynchronous external private key operations in SSL. This allows
* you to configure an SSL connection to call an external cryptographic
* module to perform private key operations instead of performing the
* operation inside the library.
*
*/
//#define MBEDTLS_SSL_ASYNC_PRIVATE
/**
* \def MBEDTLS_SSL_DEBUG_ALL
*
@ -1156,8 +1288,15 @@
* misuse/misunderstand.
*
* Comment this to disable support for renegotiation.
*
* \note Even if this option is disabled, both client and server are aware
* of the Renegotiation Indication Extension (RFC 5746) used to
* prevent the SSL renegotiation attack (see RFC 5746 Sect. 1).
* (See \c mbedtls_ssl_conf_legacy_renegotiation for the
* configuration of this extension).
*
*/
//#define MBEDTLS_SSL_RENEGOTIATION
#define MBEDTLS_SSL_RENEGOTIATION
/**
* \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
@ -1198,7 +1337,7 @@
*
* Comment this macro to disable support for SSL 3.0
*/
#define MBEDTLS_SSL_PROTO_SSL3
//#define MBEDTLS_SSL_PROTO_SSL3
/**
* \def MBEDTLS_SSL_PROTO_TLS1
@ -1364,6 +1503,30 @@
*/
#define MBEDTLS_SSL_TRUNCATED_HMAC
/**
* \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
*
* Fallback to old (pre-2.7), non-conforming implementation of the truncated
* HMAC extension which also truncates the HMAC key. Note that this option is
* only meant for a transitory upgrade period and is likely to be removed in
* a future version of the library.
*
* \warning The old implementation is non-compliant and has a security weakness
* (2^80 brute force attack on the HMAC key used for a single,
* uninterrupted connection). This should only be enabled temporarily
* when (1) the use of truncated HMAC is essential in order to save
* bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
* the fixed implementation yet (pre-2.7).
*
* \deprecated This option is deprecated and will likely be removed in a
* future version of Mbed TLS.
*
* Uncomment to fallback to old, non-compliant truncated HMAC implementation.
*
* Requires: MBEDTLS_SSL_TRUNCATED_HMAC
*/
//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
/**
* \def MBEDTLS_THREADING_ALT
*
@ -1470,6 +1633,9 @@
*
* \note Currently compression can't be used with DTLS.
*
* \deprecated This feature is deprecated and will be removed
* in the next major revision of the library.
*
* Used in: library/ssl_tls.c
* library/ssl_cli.c
* library/ssl_srv.c
@ -1508,7 +1674,7 @@
* Enable the AES block cipher.
*
* Module: library/aes.c
* Caller: library/ssl_tls.c
* Caller: library/cipher.c
* library/pem.c
* library/ctr_drbg.c
*
@ -1583,7 +1749,7 @@
* Enable the ARCFOUR stream cipher.
*
* Module: library/arc4.c
* Caller: library/ssl_tls.c
* Caller: library/cipher.c
*
* This module enables the following ciphersuites (if other requisites are
* enabled as well):
@ -1597,6 +1763,11 @@
* MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
* MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
* MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
*
* \warning ARC4 is considered a weak cipher and its use constitutes a
* security risk. If possible, we recommend avoidng dependencies on
* it, and considering stronger ciphers instead.
*
*/
#define MBEDTLS_ARC4_C
@ -1626,7 +1797,7 @@
* library/x509write_crt.c
* library/x509write_csr.c
*/
//#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_ASN1_WRITE_C
/**
* \def MBEDTLS_BASE64_C
@ -1650,6 +1821,7 @@
* library/ecp.c
* library/ecdsa.c
* library/rsa.c
* library/rsa_internal.c
* library/ssl_tls.c
*
* This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
@ -1671,7 +1843,7 @@
* Enable the Camellia block cipher.
*
* Module: library/camellia.c
* Caller: library/ssl_tls.c
* Caller: library/cipher.c
*
* This module enables the following ciphersuites (if other requisites are
* enabled as well):
@ -1718,7 +1890,59 @@
* MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
* MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
*/
//#define MBEDTLS_CAMELLIA_C
#define MBEDTLS_CAMELLIA_C
/**
* \def MBEDTLS_ARIA_C
*
* Enable the ARIA block cipher.
*
* Module: library/aria.c
* Caller: library/cipher.c
*
* This module enables the following ciphersuites (if other requisites are
* enabled as well):
*
* MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
*/
//#define MBEDTLS_ARIA_C
/**
* \def MBEDTLS_CCM_C
@ -1732,7 +1956,7 @@
* This module enables the AES-CCM ciphersuites, if other requisites are
* enabled as well.
*/
//#define MBEDTLS_CCM_C
#define MBEDTLS_CCM_C
/**
* \def MBEDTLS_CERTS_C
@ -1746,6 +1970,26 @@
*/
#define MBEDTLS_CERTS_C
/**
* \def MBEDTLS_CHACHA20_C
*
* Enable the ChaCha20 stream cipher.
*
* Module: library/chacha20.c
*/
#define MBEDTLS_CHACHA20_C
/**
* \def MBEDTLS_CHACHAPOLY_C
*
* Enable the ChaCha20-Poly1305 AEAD algorithm.
*
* Module: library/chachapoly.c
*
* This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
*/
#define MBEDTLS_CHACHAPOLY_C
/**
* \def MBEDTLS_CIPHER_C
*
@ -1806,7 +2050,7 @@
*
* Module: library/des.c
* Caller: library/pem.c
* library/ssl_tls.c
* library/cipher.c
*
* This module enables the following ciphersuites (if other requisites are
* enabled as well):
@ -1822,6 +2066,9 @@
* MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
*
* PEM_PARSE uses DES/3DES for decrypting encrypted keys.
*
* \warning DES is considered a weak cipher and its use constitutes a
* security risk. We recommend considering stronger ciphers instead.
*/
#define MBEDTLS_DES_C
@ -1836,6 +2083,13 @@
*
* This module is used by the following key exchanges:
* DHE-RSA, DHE-PSK
*
* \warning Using DHE constitutes a security risk as it
* is not possible to validate custom DH parameters.
* If possible, it is recommended users should consider
* preferring other methods of key exchange.
* See dhm.h for more details.
*
*/
#define MBEDTLS_DHM_C
@ -1853,7 +2107,7 @@
*
* Requires: MBEDTLS_ECP_C
*/
//#define MBEDTLS_ECDH_C
#define MBEDTLS_ECDH_C
/**
* \def MBEDTLS_ECDSA_C
@ -1868,7 +2122,7 @@
*
* Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
*/
//#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECDSA_C
/**
* \def MBEDTLS_ECJPAKE_C
@ -1901,7 +2155,7 @@
*
* Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
*/
//#define MBEDTLS_ECP_C
#define MBEDTLS_ECP_C
/**
* \def MBEDTLS_ENTROPY_C
@ -1941,7 +2195,7 @@
* This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
* requisites are enabled as well.
*/
//#define MBEDTLS_GCM_C
#define MBEDTLS_GCM_C
/**
* \def MBEDTLS_HAVEGE_C
@ -1966,6 +2220,21 @@
*/
//#define MBEDTLS_HAVEGE_C
/**
* \def MBEDTLS_HKDF_C
*
* Enable the HKDF algorithm (RFC 5869).
*
* Module: library/hkdf.c
* Caller:
*
* Requires: MBEDTLS_MD_C
*
* This module adds support for the Hashed Message Authentication Code
* (HMAC)-based key derivation function (HKDF).
*/
#define MBEDTLS_HKDF_C
/**
* \def MBEDTLS_HMAC_DRBG_C
*
@ -1980,6 +2249,19 @@
*/
#define MBEDTLS_HMAC_DRBG_C
/**
* \def MBEDTLS_NIST_KW_C
*
* Enable the Key Wrapping mode for 128-bit block ciphers,
* as defined in NIST SP 800-38F. Only KW and KWP modes
* are supported. At the moment, only AES is approved by NIST.
*
* Module: library/nist_kw.c
*
* Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
*/
//#define MBEDTLS_NIST_KW_C
/**
* \def MBEDTLS_MD_C
*
@ -2001,6 +2283,11 @@
* Caller:
*
* Uncomment to enable support for (rare) MD2-signed X.509 certs.
*
* \warning MD2 is considered a weak message digest and its use constitutes a
* security risk. If possible, we recommend avoiding dependencies on
* it, and considering stronger message digests instead.
*
*/
//#define MBEDTLS_MD2_C
@ -2013,6 +2300,11 @@
* Caller:
*
* Uncomment to enable support for (rare) MD4-signed X.509 certs.
*
* \warning MD4 is considered a weak message digest and its use constitutes a
* security risk. If possible, we recommend avoiding dependencies on
* it, and considering stronger message digests instead.
*
*/
//#define MBEDTLS_MD4_C
@ -2026,8 +2318,15 @@
* library/pem.c
* library/ssl_tls.c
*
* This module is required for SSL/TLS and X.509.
* PEM_PARSE uses MD5 for decrypting encrypted keys.
* This module is required for SSL/TLS up to version 1.1, and for TLS 1.2
* depending on the handshake parameters. Further, it is used for checking
* MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded
* encrypted keys.
*
* \warning MD5 is considered a weak message digest and its use constitutes a
* security risk. If possible, we recommend avoiding dependencies on
* it, and considering stronger message digests instead.
*
*/
#define MBEDTLS_MD5_C
@ -2135,7 +2434,7 @@
*
* This modules adds support for encoding / writing PEM files.
*/
//#define MBEDTLS_PEM_WRITE_C
#define MBEDTLS_PEM_WRITE_C
/**
* \def MBEDTLS_PK_C
@ -2180,7 +2479,7 @@
*
* Uncomment to enable generic public key write functions.
*/
//#define MBEDTLS_PK_WRITE_C
#define MBEDTLS_PK_WRITE_C
/**
* \def MBEDTLS_PKCS5_C
@ -2246,6 +2545,16 @@
*/
#define MBEDTLS_PLATFORM_C
/**
* \def MBEDTLS_POLY1305_C
*
* Enable the Poly1305 MAC algorithm.
*
* Module: library/poly1305.c
* Caller: library/chachapoly.c
*/
#define MBEDTLS_POLY1305_C
/**
* \def MBEDTLS_RIPEMD160_C
*
@ -2255,7 +2564,7 @@
* Caller: library/md.c
*
*/
//#define MBEDTLS_RIPEMD160_C
#define MBEDTLS_RIPEMD160_C
/**
* \def MBEDTLS_RSA_C
@ -2263,6 +2572,7 @@
* Enable the RSA public-key cryptosystem.
*
* Module: library/rsa.c
* library/rsa_internal.c
* Caller: library/ssl_cli.c
* library/ssl_srv.c
* library/ssl_tls.c
@ -2289,6 +2599,11 @@
*
* This module is required for SSL/TLS up to version 1.1, for TLS 1.2
* depending on the handshake parameters, and for SHA1-signed certificates.
*
* \warning SHA-1 is considered a weak message digest and its use constitutes
* a security risk. If possible, we recommend avoiding dependencies
* on it, and considering stronger message digests instead.
*
*/
#define MBEDTLS_SHA1_C
@ -2517,7 +2832,7 @@
*
* This module is used for reading X.509 certificate request.
*/
//#define MBEDTLS_X509_CSR_PARSE_C
#define MBEDTLS_X509_CSR_PARSE_C
/**
* \def MBEDTLS_X509_CREATE_C
@ -2530,7 +2845,7 @@
*
* This module is the basis for creating X.509 certificates and CSRs.
*/
//#define MBEDTLS_X509_CREATE_C
#define MBEDTLS_X509_CREATE_C
/**
* \def MBEDTLS_X509_CRT_WRITE_C
@ -2543,7 +2858,7 @@
*
* This module is required for X.509 certificate creation.
*/
//#define MBEDTLS_X509_CRT_WRITE_C
#define MBEDTLS_X509_CRT_WRITE_C
/**
* \def MBEDTLS_X509_CSR_WRITE_C
@ -2556,7 +2871,7 @@
*
* This module is required for X.509 certificate request writing.
*/
//#define MBEDTLS_X509_CSR_WRITE_C
#define MBEDTLS_X509_CSR_WRITE_C
/**
* \def MBEDTLS_XTEA_C
@ -2641,7 +2956,7 @@
//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */
/* Note: your snprintf must correclty zero-terminate the buffer! */
#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
@ -2650,7 +2965,51 @@
//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
/* SSL options */
//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
/** \def MBEDTLS_SSL_MAX_CONTENT_LEN
*
* Maximum fragment length in bytes.
*
* Determines the size of both the incoming and outgoing TLS I/O buffers.
*
* Uncommenting MBEDTLS_SSL_IN_CONTENT_LEN and/or MBEDTLS_SSL_OUT_CONTENT_LEN
* will override this length by setting maximum incoming and/or outgoing
* fragment length, respectively.
*/
//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384
/** \def MBEDTLS_SSL_IN_CONTENT_LEN
*
* Maximum incoming fragment length in bytes.
*
* Uncomment to set the size of the inward TLS buffer independently of the
* outward buffer.
*/
//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
*
* Maximum outgoing fragment length in bytes.
*
* Uncomment to set the size of the outward TLS buffer independently of the
* inward buffer.
*
* It is possible to save RAM by setting a smaller outward buffer, while keeping
* the default inward 16384 byte buffer to conform to the TLS specification.
*
* The minimum required outward buffer size is determined by the handshake
* protocol's usage. Handshaking will fail if the outward buffer is too small.
* The specific size requirement depends on the configured ciphers and any
* certificate data which is sent during the handshake.
*
* For absolute minimum RAM usage, it's best to enable
* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This
* reduces both incoming and outgoing buffer sizes. However this is only
* guaranteed if the other end of the connection also supports the TLS
* max_fragment_len extension. Otherwise the connection may fail.
*/
//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384
//#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
@ -2677,8 +3036,13 @@
* Allow SHA-1 in the default TLS configuration for certificate signing.
* Without this build-time option, SHA-1 support must be activated explicitly
* through mbedtls_ssl_conf_cert_profile. Turning on this option is not
* recommended because of it is possible to generte SHA-1 collisions, however
* recommended because of it is possible to generate SHA-1 collisions, however
* this may be safe for legacy infrastructure where additional controls apply.
*
* \warning SHA-1 is considered a weak message digest and its use constitutes
* a security risk. If possible, we recommend avoiding dependencies
* on it, and considering stronger message digests instead.
*
*/
// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
@ -2689,14 +3053,40 @@
* The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
* default. At the time of writing, there is no practical attack on the use
* of SHA-1 in handshake signatures, hence this option is turned on by default
* for compatibility with existing peers.
* to preserve compatibility with existing peers, but the general
* warning applies nonetheless:
*
* \warning SHA-1 is considered a weak message digest and its use constitutes
* a security risk. If possible, we recommend avoiding dependencies
* on it, and considering stronger message digests instead.
*
*/
#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
/**
* Uncomment the macro to let mbed TLS use your alternate implementation of
* mbedtls_platform_zeroize(). This replaces the default implementation in
* platform_util.c.
*
* mbedtls_platform_zeroize() is a widely used function across the library to
* zero a block of memory. The implementation is expected to be secure in the
* sense that it has been written to prevent the compiler from removing calls
* to mbedtls_platform_zeroize() as part of redundant code elimination
* optimizations. However, it is difficult to guarantee that calls to
* mbedtls_platform_zeroize() will not be optimized by the compiler as older
* versions of the C language standards do not provide a secure implementation
* of memset(). Therefore, MBEDTLS_PLATFORM_ZEROIZE_ALT enables users to
* configure their own implementation of mbedtls_platform_zeroize(), for
* example by using directives specific to their compiler, features from newer
* C standards (e.g using memset_s() in C11) or calling a secure memset() from
* their system (e.g explicit_bzero() in BSD).
*/
//#define MBEDTLS_PLATFORM_ZEROIZE_ALT
/* \} name SECTION: Customisation configuration options */
/* Target and application specific configurations */
//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "mbedtls/target_config.h"
//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "target_config.h"
#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE

21
external/libssh-win-static/include/config.h vendored
View File

@ -6,15 +6,15 @@
#define PACKAGE "libssh"
/* Version number of package */
#define VERSION "0.7.4"
#define VERSION "0.7.5"
/* #undef LOCALEDIR */
/* #undef DATADIR */
//#define LIBDIR "lib"
//#define PLUGINDIR "plugins-4"
/* #undef SYSCONFDIR */
//#define BINARYDIR "E:/work/eomsoft/tmp/libssh/build"
//#define SOURCEDIR "E:/work/eomsoft/tmp/libssh"
//#define BINARYDIR "E:/work/tp4a/teleport/external/_download_/libssh-0.7.5/build"
//#define SOURCEDIR "E:/work/tp4a/teleport/external/_download_/libssh-0.7.5"
/************************** HEADER FILES *************************/
@ -81,28 +81,28 @@
/*************************** FUNCTIONS ***************************/
/* Define to 1 if you have the `EVP_aes128_ctr' function. */
#define HAVE_OPENSSL_EVP_AES_CTR 1
//#define HAVE_OPENSSL_EVP_AES_CTR 1
/* Define to 1 if you have the `EVP_aes128_cbc' function. */
#define HAVE_OPENSSL_EVP_AES_CBC 1
//#define HAVE_OPENSSL_EVP_AES_CBC 1
/* Define to 1 if you have the `snprintf' function. */
#define HAVE_SNPRINTF 1
/* Define to 1 if you have the `_snprintf' function. */
/* #undef HAVE__SNPRINTF */
#define HAVE__SNPRINTF 1
/* Define to 1 if you have the `_snprintf_s' function. */
/* #undef HAVE__SNPRINTF_S */
#define HAVE__SNPRINTF_S 1
/* Define to 1 if you have the `vsnprintf' function. */
#define HAVE_VSNPRINTF 1
/* Define to 1 if you have the `_vsnprintf' function. */
/* #undef HAVE__VSNPRINTF */
#define HAVE__VSNPRINTF 1
/* Define to 1 if you have the `_vsnprintf_s' function. */
/* #undef HAVE__VSNPRINTF_S */
#define HAVE__VSNPRINTF_S 1
/* Define to 1 if you have the `isblank' function. */
#define HAVE_ISBLANK 1
@ -172,8 +172,7 @@
#define WITH_SFTP 1
/* Define to 1 if you want to enable SSH1 */
/* #undef WITH_SSH1 */
#define WITH_SSH1
#define WITH_SSH1 1
/* Define to 1 if you want to enable server support */
#define WITH_SERVER 1

2
server/.idea/encodings.xml
View File

@ -30,6 +30,7 @@
<file url="file://$PROJECT_DIR$/tp_core/core/ts_web_rpc.h" charset="GBK" />
<file url="file://$PROJECT_DIR$/tp_core/protocol/rdp/rdp_conn.cpp" charset="GBK" />
<file url="file://$PROJECT_DIR$/tp_core/protocol/rdp/rdp_conn.h" charset="GBK" />
<file url="file://$PROJECT_DIR$/tp_core/protocol/rdp/rdp_keys.cpp" charset="GBK" />
<file url="file://$PROJECT_DIR$/tp_core/protocol/rdp/rdp_package.cpp" charset="GBK" />
<file url="file://$PROJECT_DIR$/tp_core/protocol/rdp/rdp_package.h" charset="GBK" />
<file url="file://$PROJECT_DIR$/tp_core/protocol/rdp/rdp_proxy.cpp" charset="GBK" />
@ -41,6 +42,7 @@
<file url="file://$PROJECT_DIR$/tp_core/protocol/ssh/ssh_session.cpp" charset="GBK" />
<file url="file://$PROJECT_DIR$/tp_core/protocol/ssh/ssh_session.h" charset="GBK" />
<file url="file://$PROJECT_DIR$/tp_core/protocol/telnet/telnet_conn.cpp" charset="GBK" />
<file url="file://$PROJECT_DIR$/tp_core/protocol/telnet/telnet_session.cpp" charset="GBK" />
<file url="file://$PROJECT_DIR$/tp_web/src/main.cpp" charset="GBK" />
<file url="file://$PROJECT_DIR$/tp_web/src/ts_env.cpp" charset="GBK" />
</component>

2
server/tp_core/core/CMakeLists.txt
View File

@ -33,7 +33,7 @@ include_directories(
)
IF (CMAKE_SYSTEM_NAME MATCHES "Linux")
set(CMAKE_EXE_LINKER_FLAGS "-export-dynamic")
# set(CMAKE_EXE_LINKER_FLAGS "-export-dynamic")
include_directories(
../../../external/linux/release/include
)

BIN
server/tp_core/core/tp_core.rc
View File

Binary file not shown.

34
server/tp_core/core/ts_http_client.cpp
View File

@ -53,7 +53,7 @@ static void ev_handler(struct mg_connection *nc, int ev, void *ev_data)
break;
case MG_EV_HTTP_REPLY:
nc->flags |= MG_F_CLOSE_IMMEDIATELY;
hdata->exit_flag = true;
//hdata->exit_flag = true;
hdata->body.assign(hm->body.p, hm->body.len);
break;
case MG_EV_CLOSE:
@ -68,35 +68,41 @@ static void ev_handler(struct mg_connection *nc, int ev, void *ev_data)
}
}
static struct mg_mgr g_mg_mgr;
static bool is_mg_mgr_initialized = false;
bool ts_http_get(const ex_astr& url, ex_astr& body)
{
struct mg_mgr mgr;
mg_mgr_init(&mgr, NULL);
if(!is_mg_mgr_initialized) {
mg_mgr_init(&g_mg_mgr, NULL);
is_mg_mgr_initialized = true;
}
mg_connection* nc = mg_connect_http(&mgr, ev_handler, url.c_str(), NULL, NULL);
mg_connection* nc = mg_connect_http(&g_mg_mgr, ev_handler, url.c_str(), NULL, NULL);
if (NULL == nc)
return false;
HTTP_DATA* hdata = new HTTP_DATA;
hdata->exit_flag = false;
hdata->have_error = false;
//HTTP_DATA* hdata = new HTTP_DATA;
HTTP_DATA hdata;
hdata.exit_flag = false;
hdata.have_error = false;
nc->user_data = hdata;
nc->user_data = &hdata;
// int count = 0;
while (!hdata->exit_flag)
while (!hdata.exit_flag)
{
mg_mgr_poll(&mgr, 100);
mg_mgr_poll(&g_mg_mgr, 100);
// count++;
// if (count > 2)
// break;
}
bool ret = !hdata->have_error;
bool ret = !hdata.have_error;
if (ret)
body = hdata->body;
body = hdata.body;
delete hdata;
mg_mgr_free(&mgr);
// mg_mgr_free(&mgr);
// delete hdata;
return ret;
}

2
server/tp_core/core/ts_ver.h
View File

@ -1,6 +1,6 @@
#ifndef __TS_SERVER_VER_H__
#define __TS_SERVER_VER_H__
#define TP_SERVER_VER L"3.0.2.7"
#define TP_SERVER_VER L"3.0.4.16"
#endif // __TS_SERVER_VER_H__

238
server/tp_core/protocol/ssh/ssh_session.cpp
View File

@ -422,7 +422,7 @@ void SshSession::check_noop_timeout(ex_u32 t_now, ex_u32 timeout) {
}
int SshSession::_on_auth_password_request(ssh_session session, const char *user, const char *password, void *userdata) {
// 这里拿到的user就是我们要的session-id。
// here, `user` is the session-id we need.
SshSession *_this = (SshSession *)userdata;
_this->m_sid = user;
EXLOGV("[ssh] authenticating, session-id: %s\n", _this->m_sid.c_str());
@ -441,6 +441,7 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user,
_this->m_auth_type = _this->m_conn_info->auth_type;
_this->m_acc_name = _this->m_conn_info->acc_username;
_this->m_acc_secret = _this->m_conn_info->acc_secret;
_this->m_flags = _this->m_conn_info->protocol_flag;
if (_this->m_conn_info->protocol_type != TP_PROTOCOL_TYPE_SSH) {
EXLOGE("[ssh] session '%s' is not for SSH.\n", _this->m_sid.c_str());
_this->m_have_error = true;
@ -449,21 +450,18 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user,
}
}
// 现在尝试根据session-id获取得到的信息连接并登录真正的SSH服务器
// config and try to connect to real SSH host.
EXLOGV("[ssh] try to connect to real SSH server %s:%d\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
_this->m_srv_session = ssh_new();
// int verbosity = 4;
// ssh_options_set(_this->m_srv_session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
//ssh_set_blocking(_this->m_srv_session, 1);
ssh_options_set(_this->m_srv_session, SSH_OPTIONS_HOST, _this->m_conn_ip.c_str());
int port = (int)_this->m_conn_port;
ssh_options_set(_this->m_srv_session, SSH_OPTIONS_PORT, &port);
#ifdef EX_DEBUG
// int flag = SSH_LOG_FUNCTIONS;
// ssh_options_set(_this->m_srv_session, SSH_OPTIONS_LOG_VERBOSITY, &flag);
// int flag = SSH_LOG_FUNCTIONS;
// ssh_options_set(_this->m_srv_session, SSH_OPTIONS_LOG_VERBOSITY, &flag);
#endif
// int val = 0;
// ssh_options_set(_this->m_srv_session, SSH_OPTIONS_STRICTHOSTKEYCHECK, &val);
int val = 0;
ssh_options_set(_this->m_srv_session, SSH_OPTIONS_STRICTHOSTKEYCHECK, &val);
if (_this->m_auth_type != TP_AUTH_TYPE_NONE)
@ -490,108 +488,113 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user,
_this->m_ssh_ver = ssh_get_version(_this->m_srv_session);
EXLOGW("[ssh] real host is SSHv%d\n", _this->m_ssh_ver);
#if 0
// check supported auth type by host
//ssh_userauth_none(_this->m_srv_session, _this->m_acc_name.c_str());
// rc = ssh_userauth_none(_this->m_srv_session, NULL);
// if (rc == SSH_AUTH_ERROR) {
// EXLOGE("[ssh] can not got auth type supported by real SSH server %s:%d.\n", _this->m_server_ip.c_str(), _this->m_server_port);
// _this->m_have_error = true;
// _this->m_retcode = SESS_STAT_ERR_AUTH_DENIED;
// return SSH_AUTH_ERROR;
// }
// // int auth_methods = ssh_userauth_list(_this->m_srv_session, NULL);
// const char* banner = ssh_get_issue_banner(_this->m_srv_session);
// if (NULL != banner) {
// EXLOGE("[ssh] issue banner: %s\n", banner);
// }
ssh_userauth_none(_this->m_srv_session, _this->m_acc_name.c_str());
rc = ssh_userauth_none(_this->m_srv_session, NULL);
if (rc == SSH_AUTH_ERROR) {
EXLOGE("[ssh] can not got auth type supported by real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
_this->m_have_error = true;
_this->_session_error(TP_SESS_STAT_ERR_SESSION);
return SSH_AUTH_ERROR;
}
int auth_methods = ssh_userauth_list(_this->m_srv_session, _this->m_acc_name.c_str());
const char* banner = ssh_get_issue_banner(_this->m_srv_session);
if (NULL != banner) {
EXLOGE("[ssh] issue banner: %s\n", banner);
}
#endif
int auth_methods = SSH_AUTH_METHOD_INTERACTIVE | SSH_AUTH_METHOD_PASSWORD | SSH_AUTH_METHOD_PUBLICKEY;
if (SSH_AUTH_ERROR != ssh_userauth_none(_this->m_srv_session, NULL))
{
auth_methods = ssh_userauth_list(_this->m_srv_session, NULL);
EXLOGV("[ssh] allowed auth method: 0x%08x\n", auth_methods);
}
else
{
EXLOGW("[ssh] can not get allowed auth method, try each method we can.\n");
}
if (_this->m_auth_type == TP_AUTH_TYPE_PASSWORD) {
int retry_count = 0;
if (!(((auth_methods & SSH_AUTH_METHOD_INTERACTIVE) == SSH_AUTH_METHOD_INTERACTIVE) || ((auth_methods & SSH_AUTH_METHOD_PASSWORD) == SSH_AUTH_METHOD_PASSWORD)))
{
_this->_session_error(TP_SESS_STAT_ERR_AUTH_TYPE);
return SSH_AUTH_ERROR;
}
int retry_count = 0;
if (_this->m_ssh_ver == 1) {
// first try password for SSHv1
rc = ssh_userauth_password(_this->m_srv_session, _this->m_acc_name.c_str(), _this->m_acc_secret.c_str());
for (;;) {
if (rc == SSH_AUTH_AGAIN) {
retry_count += 1;
if (retry_count >= 3)
break;
ex_sleep_ms(100);
rc = ssh_userauth_password(_this->m_srv_session, _this->m_acc_name.c_str(), _this->m_acc_secret.c_str());
continue;
}
if (rc == SSH_AUTH_SUCCESS) {
EXLOGW("[ssh] logon with password mode.\n");
_this->m_is_logon = true;
return SSH_AUTH_SUCCESS;
}
else {
EXLOGW("[ssh] failed to login with password mode, got %d.\n", rc);
}
}
}
// first try interactive login mode if server allow.
if ((auth_methods & SSH_AUTH_METHOD_INTERACTIVE) == SSH_AUTH_METHOD_INTERACTIVE)
{
retry_count = 0;
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
for (;;) {
if (rc == SSH_AUTH_AGAIN) {
retry_count += 1;
if (retry_count >= 5)
break;
ex_sleep_ms(500);
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
continue;
}
// first try interactive login mode for SSHv2.
retry_count = 0;
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
for (;;) {
if (rc == SSH_AUTH_AGAIN) {
retry_count += 1;
if (retry_count >= 5)
break;
ex_sleep_ms(500);
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
continue;
}
if (rc != SSH_AUTH_INFO)
break;
if (rc != SSH_AUTH_INFO)
break;
int nprompts = ssh_userauth_kbdint_getnprompts(_this->m_srv_session);
if (0 == nprompts) {
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
continue;
}
int nprompts = ssh_userauth_kbdint_getnprompts(_this->m_srv_session);
if (0 == nprompts) {
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
continue;
}
for (int iprompt = 0; iprompt < nprompts; ++iprompt) {
char echo = 0;
const char* prompt = ssh_userauth_kbdint_getprompt(_this->m_srv_session, iprompt, &echo);
EXLOGV("[ssh] interactive login prompt: %s\n", prompt);
for (int iprompt = 0; iprompt < nprompts; ++iprompt) {
char echo = 0;
const char* prompt = ssh_userauth_kbdint_getprompt(_this->m_srv_session, iprompt, &echo);
EXLOGV("[ssh] interactive login prompt: %s\n", prompt);
rc = ssh_userauth_kbdint_setanswer(_this->m_srv_session, iprompt, _this->m_acc_secret.c_str());
if (rc < 0) {
EXLOGE("[ssh] invalid password for interactive mode to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
_this->m_have_error = true;
_this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED);
return SSH_AUTH_ERROR;
}
}
rc = ssh_userauth_kbdint_setanswer(_this->m_srv_session, iprompt, _this->m_acc_secret.c_str());
if (rc < 0) {
EXLOGE("[ssh] invalid password for interactive mode to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
_this->m_have_error = true;
_this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED);
return SSH_AUTH_ERROR;
}
}
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
}
}
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
}
if (rc == SSH_AUTH_SUCCESS) {
EXLOGW("[ssh] logon with keyboard interactive mode.\n");
_this->m_is_logon = true;
return SSH_AUTH_SUCCESS;
}
else {
EXLOGW("[ssh] failed to login with keyboard interactive mode, got %d, try password mode.\n", rc);
}
if (_this->m_ssh_ver != 1) {
// then try password mode if interactive mode does not supported by host with SSHv2.
rc = ssh_userauth_password(_this->m_srv_session, _this->m_acc_name.c_str(), _this->m_acc_secret.c_str());
if (rc == SSH_AUTH_SUCCESS) {
EXLOGW("[ssh] logon with password mode.\n");
_this->m_is_logon = true;
return SSH_AUTH_SUCCESS;
}
else {
EXLOGW("[ssh] failed to login with password mode, got %d.\n", rc);
}
}
// and then try password login mode if server allow.
if ((auth_methods & SSH_AUTH_METHOD_PASSWORD) == SSH_AUTH_METHOD_PASSWORD)
{
retry_count = 0;
rc = ssh_userauth_password(_this->m_srv_session, NULL, _this->m_acc_secret.c_str());
for (;;) {
if (rc == SSH_AUTH_AGAIN) {
retry_count += 1;
if (retry_count >= 3)
break;
ex_sleep_ms(100);
rc = ssh_userauth_password(_this->m_srv_session, NULL, _this->m_acc_secret.c_str());
continue;
}
if (rc == SSH_AUTH_SUCCESS) {
EXLOGW("[ssh] logon with password mode.\n");
_this->m_is_logon = true;
return SSH_AUTH_SUCCESS;
}
else {
EXLOGE("[ssh] failed to login with password mode, got %d.\n", rc);
break;
}
}
}
EXLOGE("[ssh] can not use password mode or interactive mode to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
_this->m_have_error = true;
@ -599,7 +602,13 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user,
return SSH_AUTH_ERROR;
}
else if (_this->m_auth_type == TP_AUTH_TYPE_PRIVATE_KEY) {
ssh_key key = NULL;
if ((auth_methods & SSH_AUTH_METHOD_PUBLICKEY) != SSH_AUTH_METHOD_PUBLICKEY) {
_this->m_have_error = true;
_this->_session_error(TP_SESS_STAT_ERR_AUTH_TYPE);
return SSH_AUTH_ERROR;
}
ssh_key key = NULL;
if (SSH_OK != ssh_pki_import_privkey_base64(_this->m_acc_secret.c_str(), NULL, NULL, NULL, &key)) {
EXLOGE("[ssh] can not import private-key for auth.\n");
_this->m_have_error = true;
@ -615,12 +624,11 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user,
_this->m_is_logon = true;
return SSH_AUTH_SUCCESS;
}
else {
EXLOGE("[ssh] failed to use private-key to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
_this->m_have_error = true;
_this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED);
return SSH_AUTH_ERROR;
}
EXLOGE("[ssh] failed to use private-key to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
_this->m_have_error = true;
_this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED);
return SSH_AUTH_ERROR;
}
else if (_this->m_auth_type == TP_AUTH_TYPE_NONE) {
_this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED);
@ -736,6 +744,11 @@ int SshSession::_on_client_shell_request(ssh_session session, ssh_channel channe
SshSession *_this = (SshSession *)userdata;
EXLOGD("[ssh] client request shell\n");
if ((_this->m_flags & TP_FLAG_SSH_SHELL) != TP_FLAG_SSH_SHELL)
{
EXLOGE("[ssh] ssh-shell disabled by ops-policy.\n");
return SSH_ERROR;
}
TP_SSH_CHANNEL_PAIR* cp = _this->_get_channel_pair(TP_SSH_CLIENT_SIDE, channel);
if (NULL == cp) {
@ -761,7 +774,7 @@ int SshSession::_on_client_shell_request(ssh_session session, ssh_channel channe
}
void SshSession::_on_client_channel_close(ssh_session session, ssh_channel channel, void *userdata) {
EXLOGV("---client channel closed.\n");
EXLOGV("[ssh] ---client channel closed.\n");
SshSession *_this = (SshSession *)userdata;
TP_SSH_CHANNEL_PAIR* cp = _this->_get_channel_pair(TP_SSH_CLIENT_SIDE, channel);
@ -896,6 +909,13 @@ int SshSession::_on_client_channel_subsystem_request(ssh_session session, ssh_ch
return SSH_ERROR;
}
if ((_this->m_flags & TP_FLAG_SSH_SFTP) != TP_FLAG_SSH_SFTP)
{
EXLOGE("[ssh] ssh-sftp disabled by ops-policy.\n");
return SSH_ERROR;
}
cp->type = TS_SSH_CHANNEL_TYPE_SFTP;
g_ssh_env.session_update(cp->db_id, TP_PROTOCOL_TYPE_SSH_SFTP, TP_SESS_STAT_STARTED);
@ -1099,7 +1119,7 @@ int SshSession::_on_server_channel_data(ssh_session session, ssh_channel channel
}
void SshSession::_on_server_channel_close(ssh_session session, ssh_channel channel, void *userdata) {
EXLOGV("---server channel closed.\n");
EXLOGV("[ssh] ---server channel closed.\n");
SshSession *_this = (SshSession *)userdata;
TP_SSH_CHANNEL_PAIR* cp = _this->_get_channel_pair(TP_SSH_SERVER_SIDE, channel);
if (NULL == cp) {

1
server/tp_core/protocol/ssh/ssh_session.h
View File

@ -132,6 +132,7 @@ private:
ex_u16 m_conn_port;
ex_astr m_acc_name;
ex_astr m_acc_secret;
ex_u32 m_flags;
int m_auth_type;
bool m_is_logon;

1
server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj
View File

@ -109,6 +109,7 @@
<ClInclude Include="..\..\..\..\common\libex\include\ex\ex_types.h" />
<ClInclude Include="..\..\..\..\common\libex\include\ex\ex_util.h" />
<ClInclude Include="..\..\..\..\common\libex\include\ex\ex_winsrv.h" />
<ClInclude Include="..\..\..\..\common\teleport\teleport_const.h" />
<ClInclude Include="..\..\..\..\external\jsoncpp\include\json\json.h" />
<ClInclude Include="..\..\..\..\external\libssh-win-static\include\libssh\callbacks.h" />
<ClInclude Include="..\..\..\..\external\libssh-win-static\include\libssh\libssh.h" />

3
server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj.filters
View File

@ -113,6 +113,9 @@
<ClInclude Include="..\..\..\..\external\jsoncpp\include\json\json.h">
<Filter>jsoncpp</Filter>
</ClInclude>
<ClInclude Include="..\..\..\..\common\teleport\teleport_const.h">
<Filter>common</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="tpssh.cpp">

37
server/tp_core/protocol/telnet/telnet_session.cpp
View File

@ -537,6 +537,8 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) {
if (conn->is_server_side())
{
// EXLOG_BIN(m_conn_client->data().data(), m_conn_client->data().size(), "<-- client:");
// 收到了客户端发来的数据
if (_this->m_is_putty_mode && !_this->m_username_sent)
{
@ -566,7 +568,9 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) {
}
else
{
// 收到了服务端返回的数据
// EXLOG_BIN(m_conn_server->data().data(), m_conn_server->data().size(), "--> server:");
// 收到了服务端返回的数据
if (m_conn_server->data().data()[0] != TELNET_IAC)
m_rec.record(TS_RECORD_TYPE_TELNET_DATA, m_conn_server->data().data(), m_conn_server->data().size());
@ -574,7 +578,7 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) {
{
if (_this->_parse_find_and_send(m_conn_server, m_conn_client, _this->m_username_prompt.c_str(), _this->m_acc_name.c_str()))
{
_this->m_username_sent = true;
// _this->m_username_sent = true;
is_processed = true;
}
}
@ -584,6 +588,7 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) {
{
_this->m_username_sent = true;
_this->m_password_sent = true;
_this->m_username_sent = true;
is_processed = true;
}
}
@ -603,11 +608,34 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) {
bool TelnetSession::_parse_find_and_send(TelnetConn* conn_recv, TelnetConn* conn_remote, const char* find, const char* send)
{
// EXLOGV("find prompt and send: [%s] => [%s]\n", find, send);
// EXLOG_BIN(conn_recv->data().data(), conn_recv->data().size(), "find prompt in data:");
size_t find_len = strlen(find);
size_t send_len = strlen(send);
if (0 == find_len || 0 == send_len)
return false;
if (0 == find_len || 0 == send_len || conn_recv->data().size() < find_len) {
return false;
}
int find_range = conn_recv->data().size() - find_len;
for (int i = 0; i <= find_range; ++i)
{
if (0 == memcmp(conn_recv->data().data() + i, find, find_len))
{
conn_remote->send(conn_recv->data().data(), conn_recv->data().size());
conn_recv->data().empty();
MemBuffer mbuf_msg;
mbuf_msg.reserve(128);
mbuf_msg.append((ex_u8*)send, send_len);
mbuf_msg.append((ex_u8*)"\x0d\x0a", 2);
// EXLOG_BIN(mbuf_msg.data(), mbuf_msg.size(), "find prompt and send:");
conn_recv->send(mbuf_msg.data(), mbuf_msg.size());
return true;
}
}
#if 0
MemBuffer mbuf_msg;
mbuf_msg.reserve(128);
MemStream ms_msg(mbuf_msg);
@ -679,6 +707,7 @@ bool TelnetSession::_parse_find_and_send(TelnetConn* conn_recv, TelnetConn* conn
return true;
}
}
#endif
return false;
}

6
server/www/teleport/static/js/asset/host-list.js
View File

@ -859,7 +859,6 @@ $app.create_dlg_edit_host = function () {
cid: dlg.field_cid,
desc: dlg.field_desc
};
console.log(args);
// 如果id为-1表示创建否则表示更新
$tp.ajax_post_json('/asset/update-host', args,
@ -1148,7 +1147,6 @@ $app.create_dlg_accounts = function () {
$tp.ajax_post_json('/asset/get-accounts', {host_id: dlg.host.id},
function (ret) {
if (ret.code === TPE_OK) {
console.log('account:', ret.data);
$app.table_acc.set_data(cb_stack, {}, {total: ret.data.length, page_index: 1, data: ret.data});
} else {
$app.table_acc.set_data(cb_stack, {}, {total: 0, page_index: 1, data: {}});
@ -1519,6 +1517,10 @@ $app.create_dlg_edit_account = function () {
}
dlg.dom.auth_type.empty().append($(html.join('')));
if(!_.isNull(dlg.account))
dlg.dom.auth_type.val(dlg.account.auth_type);
dlg.on_auth_change();
};

3
server/www/teleport/static/js/audit/record-list.js
View File

@ -328,6 +328,9 @@ $app.on_table_host_render_created = function (render) {
case TP_SESS_STAT_ERR_SESSION:
msg = '无效会话';
break;
case TP_SESS_STAT_ERR_AUTH_TYPE:
msg = '无效认证方式';
break;
default:
msg = '未知状态 [' + fields.state + ']';
}

6
server/www/teleport/static/js/tp-const.js Normal file → Executable file
View File

@ -49,6 +49,7 @@ var TP_SESS_STAT_ERR_BAD_PKG = 6; // 会话结束,因为收到错误的报文
var TP_SESS_STAT_ERR_RESET = 7; // 会话结束因为teleport核心服务重置了
var TP_SESS_STAT_ERR_IO = 8; // 会话结束,因为网络中断
var TP_SESS_STAT_ERR_SESSION = 9; // 会话结束因为无效的会话ID
var TP_SESS_STAT_ERR_AUTH_TYPE = 10; // // 会话结束,因为服务端不支持此认证方式
var TP_SESS_STAT_STARTED = 100; // 已经连接成功了,开始记录录像了
var TP_SESS_STAT_ERR_START_INTERNAL = 104; // 会话结束,因为内部错误
var TP_SESS_STAT_ERR_START_BAD_PKG = 106; // 会话结束,因为收到错误的报文
@ -212,6 +213,7 @@ var TPE_CAPTCHA_EXPIRED = 10000;
var TPE_CAPTCHA_MISMATCH = 10001;
var TPE_OATH_MISMATCH = 10002;
var TPE_SYS_MAINTENANCE = 10003;
var TPE_OATH_ALREADY_BIND = 10004;
var TPE_USER_LOCKED = 10100;
var TPE_USER_DISABLED = 10101;
@ -314,6 +316,10 @@ function tp_error_msg(error_code, message) {
case TPE_SYS_MAINTENANCE:
msg = '系统维护中';
break;
case TPE_OATH_ALREADY_BIND:
msg = '该账号已经绑定了身份验证器,如无法使用,请联系管理员重置密码或更换登陆方式';
break;
case TPE_USER_LOCKED:
msg = '账号已被锁定';

2
server/www/teleport/static/js/user/bind-oath.js Normal file → Executable file
View File

@ -182,7 +182,7 @@ $app.on_auth_user = function () {
}
$app.dom.auth.btn_submit.attr('disabled', 'disabled');
$tp.ajax_post_json('/user/verify-user', {username: str_username, password: str_password},
$tp.ajax_post_json('/user/verify-user', {username: str_username, password: str_password, check_bind_oath: true},
function (ret) {
$app.dom.auth.btn_submit.removeAttr('disabled');
if (ret.code === TPE_OK) {

18
server/www/teleport/static/js/user/user-list.js Normal file → Executable file
View File

@ -203,6 +203,8 @@ $app.on_table_users_cell_created = function (tbl, row_id, col_key, cell_obj) {
$app.dlg_edit_user.show_edit(row_id);
} else if (action === 'reset-password') {
$app.dlg_reset_password.show_edit(row_id);
} else if (action === 'reset-oath-bind') {
$app._reset_oath_bind(user.id);
} else if (action === 'lock') {
$app._lock_users([user.id]);
} else if (action === 'unlock') {
@ -349,6 +351,7 @@ $app.on_table_users_render_created = function (render) {
h.push('<li role="separator" class="divider"></li>');
h.push('<li><a href="javascript:;" data-action="reset-password"><i class="fa fa-street-view fa-fw"></i> 重置密码</a></li>');
h.push('<li><a href="javascript:;" data-action="reset-oath-bind"><i class="fa fa-street-view fa-fw"></i> 重置身份验证器</a></li>');
h.push('<li role="separator" class="divider"></li>');
h.push('<li><a href="javascript:;" data-action="remove"><i class="fa fa-times-circle fa-fw"></i> 删除</a></li>');
h.push('</ul>');
@ -547,6 +550,21 @@ $app.set_selected_to_role = function (role_id, role_name) {
};
$app._reset_oath_bind = function (users) {
$tp.ajax_post_json('/user/do-unbind-oath', {users: users},
function (ret) {
if (ret.code === TPE_OK) {
$tp.notify_success('重置身份验证器操作成功!');
} else {
$tp.notify_error('重置身份验证器操作失败:' + tp_error_msg(ret.code, ret.message));
}
},
function () {
$tp.notify_error('网络故障,重置身份验证器操作失败!');
}
);
};
$app._lock_users = function (users) {
$tp.ajax_post_json('/user/update-users', {action: 'lock', users: users},
function (ret) {

2
server/www/teleport/webroot/app/app_ver.py
View File

@ -1,2 +1,2 @@
# -*- coding: utf8 -*-
TP_SERVER_VER = "3.1.0.10"
TP_SERVER_VER = "3.1.0.10"

1
server/www/teleport/webroot/app/const.py Normal file → Executable file
View File

@ -198,6 +198,7 @@ TPE_CAPTCHA_EXPIRED = 10000
TPE_CAPTCHA_MISMATCH = 10001
TPE_OATH_MISMATCH = 10002
TPE_SYS_MAINTENANCE = 10003
TPE_OATH_ALREADY_BIND = 10004
TPE_USER_LOCKED = 10100
TPE_USER_DISABLED = 10101

2
server/www/teleport/webroot/app/controller/__init__.py Normal file → Executable file
View File

@ -78,6 +78,8 @@ controllers = [
(r'/user/verify-user', user.DoVerifyUserHandler),
# - [json] 绑定身份认证器
(r'/user/do-bind-oath', user.DoBindOathHandler),
# - 取消绑定身份认证器
(r'/user/do-unbind-oath', user.DoUnBindOathHandler),
#
# - 用户组管理页面
(r'/user/group', user.GroupListHandler),

34
server/www/teleport/webroot/app/controller/user.py Normal file → Executable file
View File

@ -144,7 +144,12 @@ class DoVerifyUserHandler(TPBaseJsonHandler):
except:
return self.write_json(TPE_PARAM)
err, user_info = user.login(self, username, password=password)
try:
check_bind_oath = args['check_bind_oath']
except:
check_bind_oath = False
err, user_info = user.login(self, username, password=password, check_bind_oath=check_bind_oath)
if err != TPE_OK:
if err == TPE_NOT_EXISTS:
err = TPE_USER_AUTH
@ -190,6 +195,28 @@ class DoBindOathHandler(TPBaseJsonHandler):
return self.write_json(TPE_OK)
class DoUnBindOathHandler(TPBaseJsonHandler):
def post(self):
ret = self.check_privilege(TP_PRIVILEGE_USER_DELETE)
if ret != TPE_OK:
return
args = self.get_argument('args', None)
if args is None:
return self.write_json(TPE_PARAM)
try:
args = json.loads(args)
except:
return self.write_json(TPE_JSON_FORMAT)
try:
users = args['users']
except:
return self.write_json(TPE_PARAM)
# 把oath设置为空就是去掉oath验证
err = user.update_oath_secret(self, users, '')
self.write_json(err)
class OathSecretQrCodeHandler(TPBaseHandler):
def get(self):
@ -752,6 +779,11 @@ class DoResetPasswordHandler(TPBaseJsonHandler):
if mode == 4 and err == TPE_OK:
user.remove_reset_token(token)
# 非用户自行修改密码的情况,都默认重置身份认证
if mode != 5 and err == TPE_OK:
print("reset oath secret")
user.update_oath_secret(self, user_id, '')
self.write_json(err)
else:

6
server/www/teleport/webroot/app/model/user.py Normal file → Executable file
View File

@ -49,7 +49,7 @@ def get_by_username(username):
return TPE_OK, s.recorder[0]
def login(handler, username, password=None, oath_code=None):
def login(handler, username, password=None, oath_code=None, check_bind_oath=False):
sys_cfg = tp_cfg().sys
err, user_info = get_by_username(username)
@ -62,6 +62,10 @@ def login(handler, username, password=None, oath_code=None):
# 尚未为此用户设置角色
return TPE_PRIVILEGE, None
if check_bind_oath == True and len(user_info['oath_secret']) != 0:
return TPE_OATH_ALREADY_BIND, None
if user_info['state'] == TP_STATE_LOCKED:
# 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息
if sys_cfg.login.lock_timeout != 0:

2
version.in
View File

@ -14,6 +14,6 @@ Build 构建号。构建号用于表明此版本发布之前进行了多少
TP_SERVER 3.1.0.10 # 整个服务端打包的版本
TP_TPCORE 3.0.2.7 # 核心服务 tp_core 的版本
TP_TPCORE 3.0.4.16 # 核心服务 tp_core 的版本
TP_TPWEB 3.1.0.10 # web服务 tp_web 的版本一般除非升级Python否则不会变化
TP_ASSIST 3.0.1.6 # 助手版本