mirror of https://github.com/tp4a/teleport
Merge remote-tracking branch 'remotes/origin/dev' into feature/python-3.7
commit
be816eb564
|
@ -28,9 +28,9 @@ __pycache__
|
|||
**/.idea/modules.xml
|
||||
**/.idea/dictionaries
|
||||
**/.idea/watcherTasks.xml
|
||||
**/.idea/codeStyles
|
||||
**/.idea/inspectionProfiles
|
||||
**/.idea/vcs.xml
|
||||
**/.idea/codeStyles
|
||||
|
||||
*.css.map
|
||||
|
||||
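--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,195 @@
+#!/bin/bash
+
+################################################################
+# Basic settings.
+################################################################
+VER_PYTHON="3.4.4"
+VER_PYTHON_SHORT="3.4"
+VER_OPENSSL="1.0.2p"
+VER_SQLITE="3250000"
+# VER_PSUTIL="4.2.0"
+VER_PYTHON_LIB="${VER_PYTHON_SHORT}m"
+
+################################################################
+# DO NOT TOUCH FOLLOWING CODE
+################################################################
+
+FILE_PYTHON_STATIC_LIB="libpython${VER_PYTHON_LIB}.a"
+
+PATH_ROOT=$(cd "$(dirname "$0")"/..; pwd)
+PATH_EXT=${PATH_ROOT}/external
+PATH_DOWNLOAD=${PATH_EXT}/_download_
+PATH_TMP=${PATH_EXT}/linux/tmp
+PATH_FIX=${PATH_EXT}/fix-external
+PATH_RELEASE=${PATH_EXT}/linux/release
+
+
+PY_PATH_SRC=${PATH_TMP}/Python-${VER_PYTHON}
+#PATH_SRC=${PATH_TMP}/${VER_PYTHON}
+#PATH_INST=${PATH_RELEASE}/python
+OSSL_PATH_SRC=${PATH_TMP}/openssl-${VER_OPENSSL}
+
+function on_error()
+{
+echo -e "\033[01m\033[31m"
+echo "==================[ !! ERROR !! ]=================="
+echo -e $1
+echo "==================================================="
+echo -e "\033[0m"
+exit 1
+}
+
+function setp_build_git()
+{
+# su -s
+# yum install zlib-devel expat-devel libcurl-devel
+# make prefix=/usr/local
+# make prefix=/usr/local install
+echo 'skip build git now.'
+}
+
+function dlfile()
+{
+echo -n "Downloading $1 ..."
+if [ ! -f "$4/$3" ]; then
+echo ""
+# curl --insecure https://www.python.org/ftp/python/3.4.3/${VER_PYTHON}.tgz -o "${PATH_PYTHON}/${VER_PYTHON}.tgz"
+echo wget $2$3 -O "$4/$3"
+wget --no-check-certificate $2$3 -O "$4/$3"
+
+if [ ! -f "$4/$3" ]; then
+on_error "Can not download $1: $3"
+fi
+else
+echo " already exists, skip."
+fi
+}
+
+function step_download_files()
+{
+echo "download necessary source tarball ..."
+
+if [ ! -d "${PATH_DOWNLOAD}" ]; then
+mkdir -p "${PATH_DOWNLOAD}"
+if [ ! -d "${PATH_DOWNLOAD}" ]; then
+on_error "Can not create folder for download files."
+fi
+fi
+
+dlfile "python source tarball" "https://www.python.org/ftp/python/${VER_PYTHON}/" "Python-${VER_PYTHON}.tgz" ${PATH_DOWNLOAD}
+dlfile "openssl source tarball" "https://www.openssl.org/source/" "openssl-${VER_OPENSSL}.tar.gz" ${PATH_DOWNLOAD}
+dlfile "sqlite source tarball" "http://sqlite.org/2018/" "sqlite-autoconf-${VER_SQLITE}.tar.gz" ${PATH_DOWNLOAD}
+
+# dlfile "psutil source tarball" "https://pypi.python.org/packages/source/p/psutil/" "psutil-${VER_PSUTIL}.tar.gz" ${PATH_DOWNLOAD}
+# https://pypi.python.org/pypi?:action=display&name=psutil#downloads
+
+# echo -n "Downloading psutil source tarball ..."
+# if [ ! -f "${PATH_DOWNLOAD}/psutil-${VER_PSUTIL}.tar.gz" ]; then
+# echo ""
+# echo "Because pypi.python.org limit, can not auto-download psutil, please visit following url:"
+# echo " https://pypi.python.org/pypi?:action=display&name=psutil#downloads"
+# echo "and download psutil-${VER_PSUTIL}.tar.gz and put it into folder:"
+# echo " ${PATH_DOWNLOAD}"
+# echo "after download, try again."
+# on_error "psutil source tarball not exists."
+# else
+# echo " already exists, skip."
+# fi
+}
+
+
+function step_prepare_source()
+{
+echo "prepare source ..."
+
+if [ ! -d "${PATH_TMP}" ]; then
+mkdir -p "${PATH_TMP}"
+if [ ! -d "${PATH_TMP}" ]; then
+on_error "Can not create folder for tmp files."
+fi
+fi
+
+if [ ! -d "${PATH_TMP}/Python-${VER_PYTHON}" ]; then
+tar -zxvf "${PATH_DOWNLOAD}/Python-${VER_PYTHON}.tgz" -C "${PATH_TMP}"
+fi
+
+if [ ! -d "${PATH_TMP}/openssl-${VER_OPENSSL}" ]; then
+tar -zxvf "${PATH_DOWNLOAD}/openssl-${VER_OPENSSL}.tar.gz" -C "${PATH_TMP}"
+fi
+
+
+if [ ! -d "${PATH_TMP}/sqlite-autoconf-${VER_SQLITE}" ]; then
+tar -zxvf "${PATH_DOWNLOAD}/sqlite-autoconf-${VER_SQLITE}.tar.gz" -C "${PATH_TMP}"
+fi
+
+# if [ ! -d "${PATH_TMP}/psutil-${VER_PSUTIL}" ]; then
+# tar -zxvf "${PATH_DOWNLOAD}/psutil-${VER_PSUTIL}.tar.gz" -C "${PATH_TMP}"
+# fi
+
+# cp -r "${PATH_TMP}/psutil-${VER_PSUTIL}/psutil" "${PATH_TMP}/Python-${VER_PYTHON}/Modules/."
+cp -r "${PATH_TMP}/sqlite-autoconf-${VER_SQLITE}" "${PATH_TMP}/Python-${VER_PYTHON}/Modules/_sqlite/sqlite3"
+cp -r "${PATH_FIX}/Python-${VER_PYTHON}" "${PATH_TMP}"
+}
+
+function step_build_openssl()
+{
+echo -n "build openssl static library ..."
+
+if [ ! -f "${PATH_RELEASE}/lib/libssl.a" ] || [ ! -f "${PATH_RELEASE}/lib/libcrypto.a" ]; then
+echo ""
+cd "${OSSL_PATH_SRC}"
+./config -fPIC --prefix=${PATH_RELEASE} --openssldir=${PATH_RELEASE}/openssl no-zlib no-shared
+make
+make install
+cd "${PATH_ROOT}"
+
+if [ ! -f "${PATH_RELEASE}/lib/libssl.a" ] || [ ! -f "${PATH_RELEASE}/lib/libcrypto.a" ]; then
+on_error "Build openssl failed."
+fi
+
+else
+echo " already exists, skip."
+fi
+}
+
+
+function step_build_python()
+{
+echo -n "build python static library ..."
+
+if [ ! -f "${PATH_RELEASE}/lib/${FILE_PYTHON_STATIC_LIB}" ]; then
+cd "${PY_PATH_SRC}"
+cp "${PY_PATH_SRC}/Modules/Setup.dist" "${PY_PATH_SRC}/Modules/Setup"
+LDFLAGS=-lrt ./configure --disable-shared --prefix=${PATH_RELEASE}
+make
+make altinstall
+cd "${PATH_ROOT}"
+
+if [ ! -f "${PATH_RELEASE}/lib/${FILE_PYTHON_STATIC_LIB}" ]; then
+on_error "Build python failed."
+fi
+
+else
+echo " already exists, skip."
+fi
+}
+
+function step_finalize()
+{
+# copy psutil *.py for release.
+echo "finalize ..."
+
+if [ ! -d "${PATH_RELEASE}/lib/python${VER_PYTHON_SHORT}/site-packages" ]; then
+on_error "something goes wrong."
+fi
+
+
+# cp -r "${PATH_FIX}/psutil-${VER_PSUTIL}/psutil" "${PATH_RELEASE}/lib/python${VER_PYTHON_SHORT}/site-packages/psutil"
+}
+
+
+step_download_files
+step_prepare_source
+step_build_openssl
+step_build_python
+step_finalize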
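Review bot: `wget --no-check-certificate $2$3 -O "$4/$3"` in dlfile switches off TLS certificate validation for every fetch, so the Python, OpenSSL and SQLite tarballs this script compiles into the release (the SQLite one is also fetched over plain http) can be replaced by anyone on the network path, and nothing after the download checks what was received. Drop the flag and verify each archive against a pinned digest before step_prepare_source extracts it, e.g. `wget "$2$3" -O "$4/$3"` followed by `echo "<EXPECTED_SHA256_PLACEHOLDER>  $4/$3" | sha256sum -c - || on_error "Checksum mismatch for $3"`, passing the expected digest in as an extra dlfile argument next to the version pins at the top. The unquoted `$2$3` and the `echo -e $1` in on_error are also subject to word splitting and globbing; quote both. The script runs without `set -e`, so a failed `make` in step_build_openssl or step_build_python is only noticed by the later file-existence check.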
@ -46,7 +46,12 @@ class BuilderBase:
|
|||
self._build_openssl(file_name)
|
||||
|
||||
def _build_openssl(self, file_name):
|
||||
cc.e("this is a pure-virtual function.")
|
||||
_alt_ver = '_'.join(env.ver_openssl.split('.'))
|
||||
if not utils.download_file('openssl source tarball', 'https://github.com/openssl/openssl/archive/OpenSSL_{}.zip'.format(_alt_ver), PATH_DOWNLOAD, file_name):
|
||||
return False
|
||||
else:
|
||||
return True
|
||||
# cc.e("this is a pure-virtual function.")
|
||||
|
||||
def build_libuv(self):
|
||||
file_name = 'libuv-{}.zip'.format(env.ver_libuv)
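Review bot: The new `_build_openssl` body reports success as soon as `utils.download_file` delivers a file, with no integrity check on the OpenSSL archive that is then built into the product's TLS stack; unless `utils.download_file` (not visible here) compares against a pinned digest, a substituted archive would go unnoticed. Verify the downloaded file's SHA-256 against a value recorded next to `env.ver_openssl` before returning True and fail with a clear message on mismatch. The if/else around the call can also collapse to `return utils.download_file('openssl source tarball', 'https://github.com/openssl/openssl/archive/OpenSSL_{}.zip'.format(_alt_ver), PATH_DOWNLOAD, file_name)`, and `_alt_ver` is simply `env.ver_openssl.replace('.', '_')`. Commenting out `cc.e("this is a pure-virtual function.")` additionally means a subclass that forgets to override now silently runs the base download; the enclosing class BuilderBase continues outside the hunk.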
|
||||
|
@ -1,3 +1,3 @@
|
|||
# -*- coding: utf8 -*-
|
||||
VER_TP_SERVER = "3.1.0.10"
|
||||
VER_TP_SERVER = "3.1.0.10"
|
||||
VER_TP_ASSIST = "3.0.1.6"
|
||||
|
@ -51,6 +51,7 @@
|
|||
#define TP_SESS_STAT_ERR_RESET 7 // 会话结束,因为teleport核心服务重置了
|
||||
#define TP_SESS_STAT_ERR_IO 8 // 会话结束,因为网络中断
|
||||
#define TP_SESS_STAT_ERR_SESSION 9 // 会话结束,因为无效的会话ID
|
||||
#define TP_SESS_STAT_ERR_AUTH_TYPE 10 // 会话结束,因为不被允许的认证方式
|
||||
#define TP_SESS_STAT_STARTED 100 // 已经连接成功了,开始记录录像了
|
||||
#define TP_SESS_STAT_ERR_START_INTERNAL 104 // 会话结束,因为内部错误
|
||||
#define TP_SESS_STAT_ERR_START_BAD_PKG 106 // 会话结束,因为收到错误的报文
|
||||
|
@ -1,14 +1,14 @@
|
|||
/**
|
||||
* \file config.h
|
||||
#### v2.6.1
|
||||
*
|
||||
* \brief Configuration options (set of defines)
|
||||
*
|
||||
* This set of compile-time options may be used to enable
|
||||
* or disable features selectively, and reduce the global
|
||||
* memory footprint.
|
||||
*
|
||||
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||
*/
|
||||
/*
|
||||
* Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
|
@ -48,10 +48,14 @@
|
|||
* Requires support for asm() in compiler.
|
||||
*
|
||||
* Used in:
|
||||
* library/aria.c
|
||||
* library/timing.c
|
||||
* library/padlock.c
|
||||
* include/mbedtls/bn_mul.h
|
||||
*
|
||||
* Required by:
|
||||
* MBEDTLS_AESNI_C
|
||||
* MBEDTLS_PADLOCK_C
|
||||
*
|
||||
* Comment to disable the use of assembly code.
|
||||
*/
|
||||
#define MBEDTLS_HAVE_ASM
|
||||
|
@ -84,6 +88,28 @@
|
|||
*/
|
||||
//#define MBEDTLS_NO_UDBL_DIVISION
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_NO_64BIT_MULTIPLICATION
|
||||
*
|
||||
* The platform lacks support for 32x32 -> 64-bit multiplication.
|
||||
*
|
||||
* Used in:
|
||||
* library/poly1305.c
|
||||
*
|
||||
* Some parts of the library may use multiplication of two unsigned 32-bit
|
||||
* operands with a 64-bit result in order to speed up computations. On some
|
||||
* platforms, this is not available in hardware and has to be implemented in
|
||||
* software, usually in a library provided by the toolchain.
|
||||
*
|
||||
* Sometimes it is not desirable to have to link to that library. This option
|
||||
* removes the dependency of that library on platforms that lack a hardware
|
||||
* 64-bit multiplier by embedding a software implementation in Mbed TLS.
|
||||
*
|
||||
* Note that depending on the compiler, this may decrease performance compared
|
||||
* to using the library function provided by the toolchain.
|
||||
*/
|
||||
//#define MBEDTLS_NO_64BIT_MULTIPLICATION
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_HAVE_SSE2
|
||||
*
|
||||
|
@ -262,20 +288,38 @@
|
|||
*
|
||||
* Uncomment a macro to enable alternate implementation of the corresponding
|
||||
* module.
|
||||
*
|
||||
* \warning MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their
|
||||
* use constitutes a security risk. If possible, we recommend
|
||||
* avoiding dependencies on them, and considering stronger message
|
||||
* digests and ciphers instead.
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_AES_ALT
|
||||
//#define MBEDTLS_ARC4_ALT
|
||||
//#define MBEDTLS_ARIA_ALT
|
||||
//#define MBEDTLS_BLOWFISH_ALT
|
||||
//#define MBEDTLS_CAMELLIA_ALT
|
||||
//#define MBEDTLS_CCM_ALT
|
||||
//#define MBEDTLS_CHACHA20_ALT
|
||||
//#define MBEDTLS_CHACHAPOLY_ALT
|
||||
//#define MBEDTLS_CMAC_ALT
|
||||
//#define MBEDTLS_DES_ALT
|
||||
//#define MBEDTLS_XTEA_ALT
|
||||
//#define MBEDTLS_DHM_ALT
|
||||
//#define MBEDTLS_ECJPAKE_ALT
|
||||
//#define MBEDTLS_GCM_ALT
|
||||
//#define MBEDTLS_NIST_KW_ALT
|
||||
//#define MBEDTLS_MD2_ALT
|
||||
//#define MBEDTLS_MD4_ALT
|
||||
//#define MBEDTLS_MD5_ALT
|
||||
//#define MBEDTLS_POLY1305_ALT
|
||||
//#define MBEDTLS_RIPEMD160_ALT
|
||||
//#define MBEDTLS_RSA_ALT
|
||||
//#define MBEDTLS_SHA1_ALT
|
||||
//#define MBEDTLS_SHA256_ALT
|
||||
//#define MBEDTLS_SHA512_ALT
|
||||
//#define MBEDTLS_XTEA_ALT
|
||||
|
||||
/*
|
||||
* When replacing the elliptic curve module, pleace consider, that it is
|
||||
* implemented with two .c files:
|
||||
|
@ -315,6 +359,12 @@
|
|||
*
|
||||
* Uncomment a macro to enable alternate implementation of the corresponding
|
||||
* function.
|
||||
*
|
||||
* \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
|
||||
* constitutes a security risk. If possible, we recommend avoiding
|
||||
* dependencies on them, and considering stronger message digests
|
||||
* and ciphers instead.
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_MD2_PROCESS_ALT
|
||||
//#define MBEDTLS_MD4_PROCESS_ALT
|
||||
|
@ -330,6 +380,11 @@
|
|||
//#define MBEDTLS_AES_SETKEY_DEC_ALT
|
||||
//#define MBEDTLS_AES_ENCRYPT_ALT
|
||||
//#define MBEDTLS_AES_DECRYPT_ALT
|
||||
//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT
|
||||
//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT
|
||||
//#define MBEDTLS_ECDSA_VERIFY_ALT
|
||||
//#define MBEDTLS_ECDSA_SIGN_ALT
|
||||
//#define MBEDTLS_ECDSA_GENKEY_ALT
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ECP_INTERNAL_ALT
|
||||
|
@ -417,12 +472,45 @@
|
|||
/**
|
||||
* \def MBEDTLS_AES_ROM_TABLES
|
||||
*
|
||||
* Store the AES tables in ROM.
|
||||
* Use precomputed AES tables stored in ROM.
|
||||
*
|
||||
* Uncomment this macro to use precomputed AES tables stored in ROM.
|
||||
* Comment this macro to generate AES tables in RAM at runtime.
|
||||
*
|
||||
* Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
|
||||
* (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
|
||||
* initialization time before the first AES operation can be performed.
|
||||
* It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
|
||||
* MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
|
||||
* performance if ROM access is slower than RAM access.
|
||||
*
|
||||
* This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
|
||||
*
|
||||
* Uncomment this macro to store the AES tables in ROM.
|
||||
*/
|
||||
//#define MBEDTLS_AES_ROM_TABLES
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_AES_FEWER_TABLES
|
||||
*
|
||||
* Use less ROM/RAM for AES tables.
|
||||
*
|
||||
* Uncommenting this macro omits 75% of the AES tables from
|
||||
* ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
|
||||
* by computing their values on the fly during operations
|
||||
* (the tables are entry-wise rotations of one another).
|
||||
*
|
||||
* Tradeoff: Uncommenting this reduces the RAM / ROM footprint
|
||||
* by ~6kb but at the cost of more arithmetic operations during
|
||||
* runtime. Specifically, one has to compare 4 accesses within
|
||||
* different tables to 4 accesses with additional arithmetic
|
||||
* operations within the same table. The performance gain/loss
|
||||
* depends on the system and memory details.
|
||||
*
|
||||
* This option is independent of \c MBEDTLS_AES_ROM_TABLES.
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_AES_FEWER_TABLES
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CAMELLIA_SMALL_MEMORY
|
||||
*
|
||||
|
@ -453,6 +541,20 @@
|
|||
*/
|
||||
#define MBEDTLS_CIPHER_MODE_CTR
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CIPHER_MODE_OFB
|
||||
*
|
||||
* Enable Output Feedback mode (OFB) for symmetric ciphers.
|
||||
*/
|
||||
#define MBEDTLS_CIPHER_MODE_OFB
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CIPHER_MODE_XTS
|
||||
*
|
||||
* Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
|
||||
*/
|
||||
#define MBEDTLS_CIPHER_MODE_XTS
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CIPHER_NULL_CIPHER
|
||||
*
|
||||
|
@ -514,6 +616,9 @@
|
|||
* MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
|
||||
*
|
||||
* Uncomment this macro to enable weak ciphersuites
|
||||
*
|
||||
* \warning DES is considered a weak cipher and its use constitutes a
|
||||
* security risk. We recommend considering stronger ciphers instead.
|
||||
*/
|
||||
//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
|
||||
|
||||
|
@ -550,6 +655,7 @@
|
|||
#define MBEDTLS_ECP_DP_BP384R1_ENABLED
|
||||
#define MBEDTLS_ECP_DP_BP512R1_ENABLED
|
||||
#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||
#define MBEDTLS_ECP_DP_CURVE448_ENABLED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ECP_NIST_OPTIM
|
||||
|
@ -619,6 +725,13 @@
|
|||
* MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
|
||||
*
|
||||
* \warning Using DHE constitutes a security risk as it
|
||||
* is not possible to validate custom DH parameters.
|
||||
* If possible, it is recommended users should consider
|
||||
* preferring other methods of key exchange.
|
||||
* See dhm.h for more details.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
|
||||
|
||||
|
@ -640,7 +753,7 @@
|
|||
* MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
|
||||
*/
|
||||
//#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
||||
|
@ -718,6 +831,13 @@
|
|||
* MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
*
|
||||
* \warning Using DHE constitutes a security risk as it
|
||||
* is not possible to validate custom DH parameters.
|
||||
* If possible, it is recommended users should consider
|
||||
* preferring other methods of key exchange.
|
||||
* See dhm.h for more details.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
|
||||
|
||||
|
@ -744,7 +864,7 @@
|
|||
* MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
|
||||
*/
|
||||
//#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
|
@ -768,7 +888,7 @@
|
|||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||||
*/
|
||||
//#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
|
||||
|
@ -792,7 +912,7 @@
|
|||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
|
||||
*/
|
||||
//#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
|
||||
|
@ -816,7 +936,7 @@
|
|||
* MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
|
||||
*/
|
||||
//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
|
||||
|
@ -1009,7 +1129,8 @@
|
|||
/**
|
||||
* \def MBEDTLS_RSA_NO_CRT
|
||||
*
|
||||
* Do not use the Chinese Remainder Theorem for the RSA private operation.
|
||||
* Do not use the Chinese Remainder Theorem
|
||||
* for the RSA private operation.
|
||||
*
|
||||
* Uncomment this macro to disable the use of CRT in RSA.
|
||||
*
|
||||
|
@ -1053,6 +1174,17 @@
|
|||
*/
|
||||
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_ASYNC_PRIVATE
|
||||
*
|
||||
* Enable asynchronous external private key operations in SSL. This allows
|
||||
* you to configure an SSL connection to call an external cryptographic
|
||||
* module to perform private key operations instead of performing the
|
||||
* operation inside the library.
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_SSL_ASYNC_PRIVATE
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_DEBUG_ALL
|
||||
*
|
||||
|
@ -1156,8 +1288,15 @@
|
|||
* misuse/misunderstand.
|
||||
*
|
||||
* Comment this to disable support for renegotiation.
|
||||
*
|
||||
* \note Even if this option is disabled, both client and server are aware
|
||||
* of the Renegotiation Indication Extension (RFC 5746) used to
|
||||
* prevent the SSL renegotiation attack (see RFC 5746 Sect. 1).
|
||||
* (See \c mbedtls_ssl_conf_legacy_renegotiation for the
|
||||
* configuration of this extension).
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_SSL_RENEGOTIATION
|
||||
#define MBEDTLS_SSL_RENEGOTIATION
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
|
||||
|
@ -1198,7 +1337,7 @@
|
|||
*
|
||||
* Comment this macro to disable support for SSL 3.0
|
||||
*/
|
||||
#define MBEDTLS_SSL_PROTO_SSL3
|
||||
//#define MBEDTLS_SSL_PROTO_SSL3
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_PROTO_TLS1
|
||||
|
@ -1364,6 +1503,30 @@
|
|||
*/
|
||||
#define MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
|
||||
*
|
||||
* Fallback to old (pre-2.7), non-conforming implementation of the truncated
|
||||
* HMAC extension which also truncates the HMAC key. Note that this option is
|
||||
* only meant for a transitory upgrade period and is likely to be removed in
|
||||
* a future version of the library.
|
||||
*
|
||||
* \warning The old implementation is non-compliant and has a security weakness
|
||||
* (2^80 brute force attack on the HMAC key used for a single,
|
||||
* uninterrupted connection). This should only be enabled temporarily
|
||||
* when (1) the use of truncated HMAC is essential in order to save
|
||||
* bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
|
||||
* the fixed implementation yet (pre-2.7).
|
||||
*
|
||||
* \deprecated This option is deprecated and will likely be removed in a
|
||||
* future version of Mbed TLS.
|
||||
*
|
||||
* Uncomment to fallback to old, non-compliant truncated HMAC implementation.
|
||||
*
|
||||
* Requires: MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
*/
|
||||
//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_THREADING_ALT
|
||||
*
|
||||
|
@ -1470,6 +1633,9 @@
|
|||
*
|
||||
* \note Currently compression can't be used with DTLS.
|
||||
*
|
||||
* \deprecated This feature is deprecated and will be removed
|
||||
* in the next major revision of the library.
|
||||
*
|
||||
* Used in: library/ssl_tls.c
|
||||
* library/ssl_cli.c
|
||||
* library/ssl_srv.c
|
||||
|
@ -1508,7 +1674,7 @@
|
|||
* Enable the AES block cipher.
|
||||
*
|
||||
* Module: library/aes.c
|
||||
* Caller: library/ssl_tls.c
|
||||
* Caller: library/cipher.c
|
||||
* library/pem.c
|
||||
* library/ctr_drbg.c
|
||||
*
|
||||
|
@ -1583,7 +1749,7 @@
|
|||
* Enable the ARCFOUR stream cipher.
|
||||
*
|
||||
* Module: library/arc4.c
|
||||
* Caller: library/ssl_tls.c
|
||||
* Caller: library/cipher.c
|
||||
*
|
||||
* This module enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
|
@ -1597,6 +1763,11 @@
|
|||
* MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
|
||||
* MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
|
||||
*
|
||||
* \warning ARC4 is considered a weak cipher and its use constitutes a
|
||||
* security risk. If possible, we recommend avoidng dependencies on
|
||||
* it, and considering stronger ciphers instead.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_ARC4_C
|
||||
|
||||
|
@ -1626,7 +1797,7 @@
|
|||
* library/x509write_crt.c
|
||||
* library/x509write_csr.c
|
||||
*/
|
||||
//#define MBEDTLS_ASN1_WRITE_C
|
||||
#define MBEDTLS_ASN1_WRITE_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_BASE64_C
|
||||
|
@ -1650,6 +1821,7 @@
|
|||
* library/ecp.c
|
||||
* library/ecdsa.c
|
||||
* library/rsa.c
|
||||
* library/rsa_internal.c
|
||||
* library/ssl_tls.c
|
||||
*
|
||||
* This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
|
||||
|
@ -1671,7 +1843,7 @@
|
|||
* Enable the Camellia block cipher.
|
||||
*
|
||||
* Module: library/camellia.c
|
||||
* Caller: library/ssl_tls.c
|
||||
* Caller: library/cipher.c
|
||||
*
|
||||
* This module enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
|
@ -1718,7 +1890,59 @@
|
|||
* MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
*/
|
||||
//#define MBEDTLS_CAMELLIA_C
|
||||
#define MBEDTLS_CAMELLIA_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ARIA_C
|
||||
*
|
||||
* Enable the ARIA block cipher.
|
||||
*
|
||||
* Module: library/aria.c
|
||||
* Caller: library/cipher.c
|
||||
*
|
||||
* This module enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
*
|
||||
* MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
|
||||
*/
|
||||
//#define MBEDTLS_ARIA_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CCM_C
|
||||
|
@ -1732,7 +1956,7 @@
|
|||
* This module enables the AES-CCM ciphersuites, if other requisites are
|
||||
* enabled as well.
|
||||
*/
|
||||
//#define MBEDTLS_CCM_C
|
||||
#define MBEDTLS_CCM_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CERTS_C
|
||||
|
@ -1746,6 +1970,26 @@
|
|||
*/
|
||||
#define MBEDTLS_CERTS_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CHACHA20_C
|
||||
*
|
||||
* Enable the ChaCha20 stream cipher.
|
||||
*
|
||||
* Module: library/chacha20.c
|
||||
*/
|
||||
#define MBEDTLS_CHACHA20_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CHACHAPOLY_C
|
||||
*
|
||||
* Enable the ChaCha20-Poly1305 AEAD algorithm.
|
||||
*
|
||||
* Module: library/chachapoly.c
|
||||
*
|
||||
* This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
|
||||
*/
|
||||
#define MBEDTLS_CHACHAPOLY_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CIPHER_C
|
||||
*
|
||||
|
@ -1806,7 +2050,7 @@
|
|||
*
|
||||
* Module: library/des.c
|
||||
* Caller: library/pem.c
|
||||
* library/ssl_tls.c
|
||||
* library/cipher.c
|
||||
*
|
||||
* This module enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
|
@ -1822,6 +2066,9 @@
|
|||
* MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
|
||||
*
|
||||
* PEM_PARSE uses DES/3DES for decrypting encrypted keys.
|
||||
*
|
||||
* \warning DES is considered a weak cipher and its use constitutes a
|
||||
* security risk. We recommend considering stronger ciphers instead.
|
||||
*/
|
||||
#define MBEDTLS_DES_C
|
||||
|
||||
|
@ -1836,6 +2083,13 @@
|
|||
*
|
||||
* This module is used by the following key exchanges:
|
||||
* DHE-RSA, DHE-PSK
|
||||
*
|
||||
* \warning Using DHE constitutes a security risk as it
|
||||
* is not possible to validate custom DH parameters.
|
||||
* If possible, it is recommended users should consider
|
||||
* preferring other methods of key exchange.
|
||||
* See dhm.h for more details.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_DHM_C
|
||||
|
||||
|
@ -1853,7 +2107,7 @@
|
|||
*
|
||||
* Requires: MBEDTLS_ECP_C
|
||||
*/
|
||||
//#define MBEDTLS_ECDH_C
|
||||
#define MBEDTLS_ECDH_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ECDSA_C
|
||||
|
@ -1868,7 +2122,7 @@
|
|||
*
|
||||
* Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
|
||||
*/
|
||||
//#define MBEDTLS_ECDSA_C
|
||||
#define MBEDTLS_ECDSA_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ECJPAKE_C
|
||||
|
@ -1901,7 +2155,7 @@
|
|||
*
|
||||
* Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
|
||||
*/
|
||||
//#define MBEDTLS_ECP_C
|
||||
#define MBEDTLS_ECP_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ENTROPY_C
|
||||
|
@ -1941,7 +2195,7 @@
|
|||
* This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
|
||||
* requisites are enabled as well.
|
||||
*/
|
||||
//#define MBEDTLS_GCM_C
|
||||
#define MBEDTLS_GCM_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_HAVEGE_C
|
||||
|
@ -1966,6 +2220,21 @@
|
|||
*/
|
||||
//#define MBEDTLS_HAVEGE_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_HKDF_C
|
||||
*
|
||||
* Enable the HKDF algorithm (RFC 5869).
|
||||
*
|
||||
* Module: library/hkdf.c
|
||||
* Caller:
|
||||
*
|
||||
* Requires: MBEDTLS_MD_C
|
||||
*
|
||||
* This module adds support for the Hashed Message Authentication Code
|
||||
* (HMAC)-based key derivation function (HKDF).
|
||||
*/
|
||||
#define MBEDTLS_HKDF_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_HMAC_DRBG_C
|
||||
*
|
||||
|
@ -1980,6 +2249,19 @@
|
|||
*/
|
||||
#define MBEDTLS_HMAC_DRBG_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_NIST_KW_C
|
||||
*
|
||||
* Enable the Key Wrapping mode for 128-bit block ciphers,
|
||||
* as defined in NIST SP 800-38F. Only KW and KWP modes
|
||||
* are supported. At the moment, only AES is approved by NIST.
|
||||
*
|
||||
* Module: library/nist_kw.c
|
||||
*
|
||||
* Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
|
||||
*/
|
||||
//#define MBEDTLS_NIST_KW_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_MD_C
|
||||
*
|
||||
|
@ -2001,6 +2283,11 @@
|
|||
* Caller:
|
||||
*
|
||||
* Uncomment to enable support for (rare) MD2-signed X.509 certs.
|
||||
*
|
||||
* \warning MD2 is considered a weak message digest and its use constitutes a
|
||||
* security risk. If possible, we recommend avoiding dependencies on
|
||||
* it, and considering stronger message digests instead.
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_MD2_C
|
||||
|
||||
|
@ -2013,6 +2300,11 @@
|
|||
* Caller:
|
||||
*
|
||||
* Uncomment to enable support for (rare) MD4-signed X.509 certs.
|
||||
*
|
||||
* \warning MD4 is considered a weak message digest and its use constitutes a
|
||||
* security risk. If possible, we recommend avoiding dependencies on
|
||||
* it, and considering stronger message digests instead.
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_MD4_C
|
||||
|
||||
|
@ -2026,8 +2318,15 @@
|
|||
* library/pem.c
|
||||
* library/ssl_tls.c
|
||||
*
|
||||
* This module is required for SSL/TLS and X.509.
|
||||
* PEM_PARSE uses MD5 for decrypting encrypted keys.
|
||||
* This module is required for SSL/TLS up to version 1.1, and for TLS 1.2
|
||||
* depending on the handshake parameters. Further, it is used for checking
|
||||
* MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded
|
||||
* encrypted keys.
|
||||
*
|
||||
* \warning MD5 is considered a weak message digest and its use constitutes a
|
||||
* security risk. If possible, we recommend avoiding dependencies on
|
||||
* it, and considering stronger message digests instead.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_MD5_C
|
||||
|
||||
|
@ -2135,7 +2434,7 @@
|
|||
*
|
||||
* This modules adds support for encoding / writing PEM files.
|
||||
*/
|
||||
//#define MBEDTLS_PEM_WRITE_C
|
||||
#define MBEDTLS_PEM_WRITE_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PK_C
|
||||
|
@ -2180,7 +2479,7 @@
|
|||
*
|
||||
* Uncomment to enable generic public key write functions.
|
||||
*/
|
||||
//#define MBEDTLS_PK_WRITE_C
|
||||
#define MBEDTLS_PK_WRITE_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PKCS5_C
|
||||
|
@ -2246,6 +2545,16 @@
|
|||
*/
|
||||
#define MBEDTLS_PLATFORM_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_POLY1305_C
|
||||
*
|
||||
* Enable the Poly1305 MAC algorithm.
|
||||
*
|
||||
* Module: library/poly1305.c
|
||||
* Caller: library/chachapoly.c
|
||||
*/
|
||||
#define MBEDTLS_POLY1305_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_RIPEMD160_C
|
||||
*
|
||||
|
@ -2255,7 +2564,7 @@
|
|||
* Caller: library/md.c
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_RIPEMD160_C
|
||||
#define MBEDTLS_RIPEMD160_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_RSA_C
|
||||
|
@ -2263,6 +2572,7 @@
|
|||
* Enable the RSA public-key cryptosystem.
|
||||
*
|
||||
* Module: library/rsa.c
|
||||
* library/rsa_internal.c
|
||||
* Caller: library/ssl_cli.c
|
||||
* library/ssl_srv.c
|
||||
* library/ssl_tls.c
|
||||
|
@ -2289,6 +2599,11 @@
|
|||
*
|
||||
* This module is required for SSL/TLS up to version 1.1, for TLS 1.2
|
||||
* depending on the handshake parameters, and for SHA1-signed certificates.
|
||||
*
|
||||
* \warning SHA-1 is considered a weak message digest and its use constitutes
|
||||
* a security risk. If possible, we recommend avoiding dependencies
|
||||
* on it, and considering stronger message digests instead.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_SHA1_C
|
||||
|
||||
|
@ -2517,7 +2832,7 @@
|
|||
*
|
||||
* This module is used for reading X.509 certificate request.
|
||||
*/
|
||||
//#define MBEDTLS_X509_CSR_PARSE_C
|
||||
#define MBEDTLS_X509_CSR_PARSE_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_X509_CREATE_C
|
||||
|
@ -2530,7 +2845,7 @@
|
|||
*
|
||||
* This module is the basis for creating X.509 certificates and CSRs.
|
||||
*/
|
||||
//#define MBEDTLS_X509_CREATE_C
|
||||
#define MBEDTLS_X509_CREATE_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_X509_CRT_WRITE_C
|
||||
|
@ -2543,7 +2858,7 @@
|
|||
*
|
||||
* This module is required for X.509 certificate creation.
|
||||
*/
|
||||
//#define MBEDTLS_X509_CRT_WRITE_C
|
||||
#define MBEDTLS_X509_CRT_WRITE_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_X509_CSR_WRITE_C
|
||||
|
@ -2556,7 +2871,7 @@
|
|||
*
|
||||
* This module is required for X.509 certificate request writing.
|
||||
*/
|
||||
//#define MBEDTLS_X509_CSR_WRITE_C
|
||||
#define MBEDTLS_X509_CSR_WRITE_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_XTEA_C
|
||||
|
@ -2641,7 +2956,7 @@
|
|||
//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
|
||||
//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */
|
||||
/* Note: your snprintf must correclty zero-terminate the buffer! */
|
||||
#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
|
||||
//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
|
||||
//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
|
||||
//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
|
||||
|
||||
|
@ -2650,7 +2965,51 @@
|
|||
//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
|
||||
|
||||
/* SSL options */
|
||||
//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
|
||||
|
||||
/** \def MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||
*
|
||||
* Maximum fragment length in bytes.
|
||||
*
|
||||
* Determines the size of both the incoming and outgoing TLS I/O buffers.
|
||||
*
|
||||
* Uncommenting MBEDTLS_SSL_IN_CONTENT_LEN and/or MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
* will override this length by setting maximum incoming and/or outgoing
|
||||
* fragment length, respectively.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384
|
||||
|
||||
/** \def MBEDTLS_SSL_IN_CONTENT_LEN
|
||||
*
|
||||
* Maximum incoming fragment length in bytes.
|
||||
*
|
||||
* Uncomment to set the size of the inward TLS buffer independently of the
|
||||
* outward buffer.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
|
||||
|
||||
/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
*
|
||||
* Maximum outgoing fragment length in bytes.
|
||||
*
|
||||
* Uncomment to set the size of the outward TLS buffer independently of the
|
||||
* inward buffer.
|
||||
*
|
||||
* It is possible to save RAM by setting a smaller outward buffer, while keeping
|
||||
* the default inward 16384 byte buffer to conform to the TLS specification.
|
||||
*
|
||||
* The minimum required outward buffer size is determined by the handshake
|
||||
* protocol's usage. Handshaking will fail if the outward buffer is too small.
|
||||
* The specific size requirement depends on the configured ciphers and any
|
||||
* certificate data which is sent during the handshake.
|
||||
*
|
||||
* For absolute minimum RAM usage, it's best to enable
|
||||
* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This
|
||||
* reduces both incoming and outgoing buffer sizes. However this is only
|
||||
* guaranteed if the other end of the connection also supports the TLS
|
||||
* max_fragment_len extension. Otherwise the connection may fail.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384
|
||||
|
||||
//#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
|
||||
//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
|
||||
//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
|
||||
|
@ -2677,8 +3036,13 @@
|
|||
* Allow SHA-1 in the default TLS configuration for certificate signing.
|
||||
* Without this build-time option, SHA-1 support must be activated explicitly
|
||||
* through mbedtls_ssl_conf_cert_profile. Turning on this option is not
|
||||
* recommended because of it is possible to generte SHA-1 collisions, however
|
||||
* recommended because of it is possible to generate SHA-1 collisions, however
|
||||
* this may be safe for legacy infrastructure where additional controls apply.
|
||||
*
|
||||
* \warning SHA-1 is considered a weak message digest and its use constitutes
|
||||
* a security risk. If possible, we recommend avoiding dependencies
|
||||
* on it, and considering stronger message digests instead.
|
||||
*
|
||||
*/
|
||||
// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
|
||||
|
||||
|
@ -2689,14 +3053,40 @@
|
|||
* The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
|
||||
* default. At the time of writing, there is no practical attack on the use
|
||||
* of SHA-1 in handshake signatures, hence this option is turned on by default
|
||||
* for compatibility with existing peers.
|
||||
* to preserve compatibility with existing peers, but the general
|
||||
* warning applies nonetheless:
|
||||
*
|
||||
* \warning SHA-1 is considered a weak message digest and its use constitutes
|
||||
* a security risk. If possible, we recommend avoiding dependencies
|
||||
* on it, and considering stronger message digests instead.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
|
||||
|
||||
/**
|
||||
* Uncomment the macro to let mbed TLS use your alternate implementation of
|
||||
* mbedtls_platform_zeroize(). This replaces the default implementation in
|
||||
* platform_util.c.
|
||||
*
|
||||
* mbedtls_platform_zeroize() is a widely used function across the library to
|
||||
* zero a block of memory. The implementation is expected to be secure in the
|
||||
* sense that it has been written to prevent the compiler from removing calls
|
||||
* to mbedtls_platform_zeroize() as part of redundant code elimination
|
||||
* optimizations. However, it is difficult to guarantee that calls to
|
||||
* mbedtls_platform_zeroize() will not be optimized by the compiler as older
|
||||
* versions of the C language standards do not provide a secure implementation
|
||||
* of memset(). Therefore, MBEDTLS_PLATFORM_ZEROIZE_ALT enables users to
|
||||
* configure their own implementation of mbedtls_platform_zeroize(), for
|
||||
* example by using directives specific to their compiler, features from newer
|
||||
* C standards (e.g using memset_s() in C11) or calling a secure memset() from
|
||||
* their system (e.g explicit_bzero() in BSD).
|
||||
*/
|
||||
//#define MBEDTLS_PLATFORM_ZEROIZE_ALT
|
||||
|
||||
/* \} name SECTION: Customisation configuration options */
|
||||
|
||||
/* Target and application specific configurations */
|
||||
//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "mbedtls/target_config.h"
|
||||
//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "target_config.h"
|
||||
|
||||
#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
|
||||
#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
|
||||
|
|
|
@ -6,15 +6,15 @@
|
|||
#define PACKAGE "libssh"
|
||||
|
||||
/* Version number of package */
|
||||
#define VERSION "0.7.4"
|
||||
#define VERSION "0.7.5"
|
||||
|
||||
/* #undef LOCALEDIR */
|
||||
/* #undef DATADIR */
|
||||
//#define LIBDIR "lib"
|
||||
//#define PLUGINDIR "plugins-4"
|
||||
/* #undef SYSCONFDIR */
|
||||
//#define BINARYDIR "E:/work/eomsoft/tmp/libssh/build"
|
||||
//#define SOURCEDIR "E:/work/eomsoft/tmp/libssh"
|
||||
//#define BINARYDIR "E:/work/tp4a/teleport/external/_download_/libssh-0.7.5/build"
|
||||
//#define SOURCEDIR "E:/work/tp4a/teleport/external/_download_/libssh-0.7.5"
|
||||
|
||||
/************************** HEADER FILES *************************/
|
||||
|
||||
|
@ -81,28 +81,28 @@
|
|||
/*************************** FUNCTIONS ***************************/
|
||||
|
||||
/* Define to 1 if you have the `EVP_aes128_ctr' function. */
|
||||
#define HAVE_OPENSSL_EVP_AES_CTR 1
|
||||
//#define HAVE_OPENSSL_EVP_AES_CTR 1
|
||||
|
||||
/* Define to 1 if you have the `EVP_aes128_cbc' function. */
|
||||
#define HAVE_OPENSSL_EVP_AES_CBC 1
|
||||
//#define HAVE_OPENSSL_EVP_AES_CBC 1
|
||||
|
||||
/* Define to 1 if you have the `snprintf' function. */
|
||||
#define HAVE_SNPRINTF 1
|
||||
|
||||
/* Define to 1 if you have the `_snprintf' function. */
|
||||
/* #undef HAVE__SNPRINTF */
|
||||
#define HAVE__SNPRINTF 1
|
||||
|
||||
/* Define to 1 if you have the `_snprintf_s' function. */
|
||||
/* #undef HAVE__SNPRINTF_S */
|
||||
#define HAVE__SNPRINTF_S 1
|
||||
|
||||
/* Define to 1 if you have the `vsnprintf' function. */
|
||||
#define HAVE_VSNPRINTF 1
|
||||
|
||||
/* Define to 1 if you have the `_vsnprintf' function. */
|
||||
/* #undef HAVE__VSNPRINTF */
|
||||
#define HAVE__VSNPRINTF 1
|
||||
|
||||
/* Define to 1 if you have the `_vsnprintf_s' function. */
|
||||
/* #undef HAVE__VSNPRINTF_S */
|
||||
#define HAVE__VSNPRINTF_S 1
|
||||
|
||||
/* Define to 1 if you have the `isblank' function. */
|
||||
#define HAVE_ISBLANK 1
|
||||
|
@ -172,8 +172,7 @@
|
|||
#define WITH_SFTP 1
|
||||
|
||||
/* Define to 1 if you want to enable SSH1 */
|
||||
/* #undef WITH_SSH1 */
|
||||
#define WITH_SSH1
|
||||
#define WITH_SSH1 1
|
||||
|
||||
/* Define to 1 if you want to enable server support */
|
||||
#define WITH_SERVER 1
|
||||
|
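Review bot: `#define WITH_SSH1 1` keeps SSHv1 support compiled into this libssh build (the old side already defined it, while libssh's own default is `/* #undef WITH_SSH1 */`), and the ssh_session.cpp section on this page then authenticates with a password against SSHv1 hosts; SSH-1 is an obsolete protocol with known weaknesses, so if legacy SSHv1 targets are a deliberate requirement that should be stated next to the define, e.g. `#define WITH_SSH1 1 /* kept for legacy SSHv1 targets only; obsolete protocol, gate behind ops policy */`, and otherwise the define should go. Commenting out `HAVE_OPENSSL_EVP_AES_CTR` and `HAVE_OPENSSL_EVP_AES_CBC` presumably changes which AES cipher paths libssh builds, which in turn affects the cipher suites the proxy can negotiate with real hosts; a one-line comment giving the reason (build problem on this toolchain, or intentional) would save the next reader from re-deriving it. The `HAVE__SNPRINTF*` / `HAVE__VSNPRINTF*` defines being switched on indicate this config.h is now Windows-specific, which is worth a note at the top of the file since the same header name exists for the Linux build.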
|
|
@ -30,6 +30,7 @@
|
|||
<file url="file://$PROJECT_DIR$/tp_core/core/ts_web_rpc.h" charset="GBK" />
|
||||
<file url="file://$PROJECT_DIR$/tp_core/protocol/rdp/rdp_conn.cpp" charset="GBK" />
|
||||
<file url="file://$PROJECT_DIR$/tp_core/protocol/rdp/rdp_conn.h" charset="GBK" />
|
||||
<file url="file://$PROJECT_DIR$/tp_core/protocol/rdp/rdp_keys.cpp" charset="GBK" />
|
||||
<file url="file://$PROJECT_DIR$/tp_core/protocol/rdp/rdp_package.cpp" charset="GBK" />
|
||||
<file url="file://$PROJECT_DIR$/tp_core/protocol/rdp/rdp_package.h" charset="GBK" />
|
||||
<file url="file://$PROJECT_DIR$/tp_core/protocol/rdp/rdp_proxy.cpp" charset="GBK" />
|
||||
|
@ -41,6 +42,7 @@
|
|||
<file url="file://$PROJECT_DIR$/tp_core/protocol/ssh/ssh_session.cpp" charset="GBK" />
|
||||
<file url="file://$PROJECT_DIR$/tp_core/protocol/ssh/ssh_session.h" charset="GBK" />
|
||||
<file url="file://$PROJECT_DIR$/tp_core/protocol/telnet/telnet_conn.cpp" charset="GBK" />
|
||||
<file url="file://$PROJECT_DIR$/tp_core/protocol/telnet/telnet_session.cpp" charset="GBK" />
|
||||
<file url="file://$PROJECT_DIR$/tp_web/src/main.cpp" charset="GBK" />
|
||||
<file url="file://$PROJECT_DIR$/tp_web/src/ts_env.cpp" charset="GBK" />
|
||||
</component>
|
||||
|
|
|
@ -33,7 +33,7 @@ include_directories(
|
|||
)
|
||||
|
||||
IF (CMAKE_SYSTEM_NAME MATCHES "Linux")
|
||||
set(CMAKE_EXE_LINKER_FLAGS "-export-dynamic")
|
||||
# set(CMAKE_EXE_LINKER_FLAGS "-export-dynamic")
|
||||
include_directories(
|
||||
../../../external/linux/release/include
|
||||
)
|
||||
|
|
Binary file not shown.
|
@ -53,7 +53,7 @@ static void ev_handler(struct mg_connection *nc, int ev, void *ev_data)
|
|||
break;
|
||||
case MG_EV_HTTP_REPLY:
|
||||
nc->flags |= MG_F_CLOSE_IMMEDIATELY;
|
||||
hdata->exit_flag = true;
|
||||
//hdata->exit_flag = true;
|
||||
hdata->body.assign(hm->body.p, hm->body.len);
|
||||
break;
|
||||
case MG_EV_CLOSE:
|
||||
|
@ -68,35 +68,41 @@ static void ev_handler(struct mg_connection *nc, int ev, void *ev_data)
|
|||
}
|
||||
}
|
||||
|
||||
static struct mg_mgr g_mg_mgr;
|
||||
static bool is_mg_mgr_initialized = false;
|
||||
|
||||
bool ts_http_get(const ex_astr& url, ex_astr& body)
|
||||
{
|
||||
struct mg_mgr mgr;
|
||||
mg_mgr_init(&mgr, NULL);
|
||||
if(!is_mg_mgr_initialized) {
|
||||
mg_mgr_init(&g_mg_mgr, NULL);
|
||||
is_mg_mgr_initialized = true;
|
||||
}
|
||||
|
||||
mg_connection* nc = mg_connect_http(&mgr, ev_handler, url.c_str(), NULL, NULL);
|
||||
mg_connection* nc = mg_connect_http(&g_mg_mgr, ev_handler, url.c_str(), NULL, NULL);
|
||||
if (NULL == nc)
|
||||
return false;
|
||||
|
||||
HTTP_DATA* hdata = new HTTP_DATA;
|
||||
hdata->exit_flag = false;
|
||||
hdata->have_error = false;
|
||||
//HTTP_DATA* hdata = new HTTP_DATA;
|
||||
HTTP_DATA hdata;
|
||||
hdata.exit_flag = false;
|
||||
hdata.have_error = false;
|
||||
|
||||
nc->user_data = hdata;
|
||||
nc->user_data = &hdata;
|
||||
|
||||
// int count = 0;
|
||||
while (!hdata->exit_flag)
|
||||
while (!hdata.exit_flag)
|
||||
{
|
||||
mg_mgr_poll(&mgr, 100);
|
||||
mg_mgr_poll(&g_mg_mgr, 100);
|
||||
// count++;
|
||||
// if (count > 2)
|
||||
// break;
|
||||
}
|
||||
|
||||
bool ret = !hdata->have_error;
|
||||
bool ret = !hdata.have_error;
|
||||
if (ret)
|
||||
body = hdata->body;
|
||||
body = hdata.body;
|
||||
|
||||
delete hdata;
|
||||
mg_mgr_free(&mgr);
|
||||
// mg_mgr_free(&mgr);
|
||||
// delete hdata;
|
||||
return ret;
|
||||
}
|
||||
|
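Review bot: The poll loop `while (!hdata.exit_flag) { mg_mgr_poll(&g_mg_mgr, 100); }` now has no upper bound, since the count-based break is commented out and `exit_flag` is no longer set on MG_EV_HTTP_REPLY, so a peer that accepts the connection but never replies or closes keeps ts_http_get blocked indefinitely; a deadline inside the loop that sets `hdata.have_error = true` and breaks after a configurable timeout would bound it. `nc->user_data = &hdata;` now points at a stack object while `g_mg_mgr` lives for the whole process, so any event delivered for this connection after the function returns (presumably exit_flag is set from MG_EV_CLOSE, whose body is outside the hunk) would dereference a dangling pointer; clearing `nc->user_data = NULL;` before returning, or keeping the heap allocation and freeing it from the close event, avoids this. The shared manager guarded only by `is_mg_mgr_initialized` also means two concurrent callers would poll the same mgr with no lock, so a comment stating the single-thread assumption is needed, e.g. `// g_mg_mgr is shared and not thread-safe: ts_http_get must only be called from one thread`.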
|
|
@ -1,6 +1,6 @@
|
|||
#ifndef __TS_SERVER_VER_H__
|
||||
#define __TS_SERVER_VER_H__
|
||||
|
||||
#define TP_SERVER_VER L"3.0.2.7"
|
||||
#define TP_SERVER_VER L"3.0.4.16"
|
||||
|
||||
#endif // __TS_SERVER_VER_H__
|
||||
|
|
|
@ -422,7 +422,7 @@ void SshSession::check_noop_timeout(ex_u32 t_now, ex_u32 timeout) {
|
|||
}
|
||||
|
||||
int SshSession::_on_auth_password_request(ssh_session session, const char *user, const char *password, void *userdata) {
|
||||
// 这里拿到的user就是我们要的session-id。
|
||||
// here, `user` is the session-id we need.
|
||||
SshSession *_this = (SshSession *)userdata;
|
||||
_this->m_sid = user;
|
||||
EXLOGV("[ssh] authenticating, session-id: %s\n", _this->m_sid.c_str());
|
||||
|
@ -441,6 +441,7 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user,
|
|||
_this->m_auth_type = _this->m_conn_info->auth_type;
|
||||
_this->m_acc_name = _this->m_conn_info->acc_username;
|
||||
_this->m_acc_secret = _this->m_conn_info->acc_secret;
|
||||
_this->m_flags = _this->m_conn_info->protocol_flag;
|
||||
if (_this->m_conn_info->protocol_type != TP_PROTOCOL_TYPE_SSH) {
|
||||
EXLOGE("[ssh] session '%s' is not for SSH.\n", _this->m_sid.c_str());
|
||||
_this->m_have_error = true;
|
||||
|
@ -449,21 +450,18 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user,
|
|||
}
|
||||
}
|
||||
|
||||
// 现在尝试根据session-id获取得到的信息,连接并登录真正的SSH服务器
|
||||
// config and try to connect to real SSH host.
|
||||
EXLOGV("[ssh] try to connect to real SSH server %s:%d\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
|
||||
_this->m_srv_session = ssh_new();
|
||||
// int verbosity = 4;
|
||||
// ssh_options_set(_this->m_srv_session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
|
||||
//ssh_set_blocking(_this->m_srv_session, 1);
|
||||
ssh_options_set(_this->m_srv_session, SSH_OPTIONS_HOST, _this->m_conn_ip.c_str());
|
||||
int port = (int)_this->m_conn_port;
|
||||
ssh_options_set(_this->m_srv_session, SSH_OPTIONS_PORT, &port);
|
||||
#ifdef EX_DEBUG
|
||||
// int flag = SSH_LOG_FUNCTIONS;
|
||||
// ssh_options_set(_this->m_srv_session, SSH_OPTIONS_LOG_VERBOSITY, &flag);
|
||||
// int flag = SSH_LOG_FUNCTIONS;
|
||||
// ssh_options_set(_this->m_srv_session, SSH_OPTIONS_LOG_VERBOSITY, &flag);
|
||||
#endif
|
||||
// int val = 0;
|
||||
// ssh_options_set(_this->m_srv_session, SSH_OPTIONS_STRICTHOSTKEYCHECK, &val);
|
||||
int val = 0;
|
||||
ssh_options_set(_this->m_srv_session, SSH_OPTIONS_STRICTHOSTKEYCHECK, &val);
|
||||
|
||||
|
||||
if (_this->m_auth_type != TP_AUTH_TYPE_NONE)
|
||||
|
@ -490,108 +488,113 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user,
|
|||
_this->m_ssh_ver = ssh_get_version(_this->m_srv_session);
|
||||
EXLOGW("[ssh] real host is SSHv%d\n", _this->m_ssh_ver);
|
||||
|
||||
#if 0
|
||||
// check supported auth type by host
|
||||
//ssh_userauth_none(_this->m_srv_session, _this->m_acc_name.c_str());
|
||||
// rc = ssh_userauth_none(_this->m_srv_session, NULL);
|
||||
// if (rc == SSH_AUTH_ERROR) {
|
||||
// EXLOGE("[ssh] can not got auth type supported by real SSH server %s:%d.\n", _this->m_server_ip.c_str(), _this->m_server_port);
|
||||
// _this->m_have_error = true;
|
||||
// _this->m_retcode = SESS_STAT_ERR_AUTH_DENIED;
|
||||
// return SSH_AUTH_ERROR;
|
||||
// }
|
||||
// // int auth_methods = ssh_userauth_list(_this->m_srv_session, NULL);
|
||||
// const char* banner = ssh_get_issue_banner(_this->m_srv_session);
|
||||
// if (NULL != banner) {
|
||||
// EXLOGE("[ssh] issue banner: %s\n", banner);
|
||||
// }
|
||||
ssh_userauth_none(_this->m_srv_session, _this->m_acc_name.c_str());
|
||||
rc = ssh_userauth_none(_this->m_srv_session, NULL);
|
||||
if (rc == SSH_AUTH_ERROR) {
|
||||
EXLOGE("[ssh] can not got auth type supported by real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
|
||||
_this->m_have_error = true;
|
||||
_this->_session_error(TP_SESS_STAT_ERR_SESSION);
|
||||
return SSH_AUTH_ERROR;
|
||||
}
|
||||
|
||||
int auth_methods = ssh_userauth_list(_this->m_srv_session, _this->m_acc_name.c_str());
|
||||
|
||||
const char* banner = ssh_get_issue_banner(_this->m_srv_session);
|
||||
if (NULL != banner) {
|
||||
EXLOGE("[ssh] issue banner: %s\n", banner);
|
||||
}
|
||||
#endif
|
||||
|
||||
int auth_methods = SSH_AUTH_METHOD_INTERACTIVE | SSH_AUTH_METHOD_PASSWORD | SSH_AUTH_METHOD_PUBLICKEY;
|
||||
if (SSH_AUTH_ERROR != ssh_userauth_none(_this->m_srv_session, NULL))
|
||||
{
|
||||
auth_methods = ssh_userauth_list(_this->m_srv_session, NULL);
|
||||
EXLOGV("[ssh] allowed auth method: 0x%08x\n", auth_methods);
|
||||
}
|
||||
else
|
||||
{
|
||||
EXLOGW("[ssh] can not get allowed auth method, try each method we can.\n");
|
||||
}
|
||||
|
||||
if (_this->m_auth_type == TP_AUTH_TYPE_PASSWORD) {
|
||||
int retry_count = 0;
|
||||
if (!(((auth_methods & SSH_AUTH_METHOD_INTERACTIVE) == SSH_AUTH_METHOD_INTERACTIVE) || ((auth_methods & SSH_AUTH_METHOD_PASSWORD) == SSH_AUTH_METHOD_PASSWORD)))
|
||||
{
|
||||
_this->_session_error(TP_SESS_STAT_ERR_AUTH_TYPE);
|
||||
return SSH_AUTH_ERROR;
|
||||
}
|
||||
|
||||
|
||||
int retry_count = 0;
|
||||
|
||||
if (_this->m_ssh_ver == 1) {
|
||||
// first try password for SSHv1
|
||||
rc = ssh_userauth_password(_this->m_srv_session, _this->m_acc_name.c_str(), _this->m_acc_secret.c_str());
|
||||
for (;;) {
|
||||
if (rc == SSH_AUTH_AGAIN) {
|
||||
retry_count += 1;
|
||||
if (retry_count >= 3)
|
||||
break;
|
||||
ex_sleep_ms(100);
|
||||
rc = ssh_userauth_password(_this->m_srv_session, _this->m_acc_name.c_str(), _this->m_acc_secret.c_str());
|
||||
continue;
|
||||
}
|
||||
if (rc == SSH_AUTH_SUCCESS) {
|
||||
EXLOGW("[ssh] logon with password mode.\n");
|
||||
_this->m_is_logon = true;
|
||||
return SSH_AUTH_SUCCESS;
|
||||
}
|
||||
else {
|
||||
EXLOGW("[ssh] failed to login with password mode, got %d.\n", rc);
|
||||
}
|
||||
}
|
||||
}
|
||||
// first try interactive login mode if server allow.
|
||||
if ((auth_methods & SSH_AUTH_METHOD_INTERACTIVE) == SSH_AUTH_METHOD_INTERACTIVE)
|
||||
{
|
||||
retry_count = 0;
|
||||
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
|
||||
for (;;) {
|
||||
if (rc == SSH_AUTH_AGAIN) {
|
||||
retry_count += 1;
|
||||
if (retry_count >= 5)
|
||||
break;
|
||||
ex_sleep_ms(500);
|
||||
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
|
||||
continue;
|
||||
}
|
||||
|
||||
// first try interactive login mode for SSHv2.
|
||||
retry_count = 0;
|
||||
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
|
||||
for (;;) {
|
||||
if (rc == SSH_AUTH_AGAIN) {
|
||||
retry_count += 1;
|
||||
if (retry_count >= 5)
|
||||
break;
|
||||
ex_sleep_ms(500);
|
||||
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
|
||||
continue;
|
||||
}
|
||||
if (rc != SSH_AUTH_INFO)
|
||||
break;
|
||||
|
||||
if (rc != SSH_AUTH_INFO)
|
||||
break;
|
||||
int nprompts = ssh_userauth_kbdint_getnprompts(_this->m_srv_session);
|
||||
if (0 == nprompts) {
|
||||
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
|
||||
continue;
|
||||
}
|
||||
|
||||
int nprompts = ssh_userauth_kbdint_getnprompts(_this->m_srv_session);
|
||||
if (0 == nprompts) {
|
||||
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
|
||||
continue;
|
||||
}
|
||||
for (int iprompt = 0; iprompt < nprompts; ++iprompt) {
|
||||
char echo = 0;
|
||||
const char* prompt = ssh_userauth_kbdint_getprompt(_this->m_srv_session, iprompt, &echo);
|
||||
EXLOGV("[ssh] interactive login prompt: %s\n", prompt);
|
||||
|
||||
for (int iprompt = 0; iprompt < nprompts; ++iprompt) {
|
||||
char echo = 0;
|
||||
const char* prompt = ssh_userauth_kbdint_getprompt(_this->m_srv_session, iprompt, &echo);
|
||||
EXLOGV("[ssh] interactive login prompt: %s\n", prompt);
|
||||
rc = ssh_userauth_kbdint_setanswer(_this->m_srv_session, iprompt, _this->m_acc_secret.c_str());
|
||||
if (rc < 0) {
|
||||
EXLOGE("[ssh] invalid password for interactive mode to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
|
||||
_this->m_have_error = true;
|
||||
_this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED);
|
||||
return SSH_AUTH_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
rc = ssh_userauth_kbdint_setanswer(_this->m_srv_session, iprompt, _this->m_acc_secret.c_str());
|
||||
if (rc < 0) {
|
||||
EXLOGE("[ssh] invalid password for interactive mode to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
|
||||
_this->m_have_error = true;
|
||||
_this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED);
|
||||
return SSH_AUTH_ERROR;
|
||||
}
|
||||
}
|
||||
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
|
||||
}
|
||||
}
|
||||
|
||||
rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
|
||||
}
|
||||
|
||||
if (rc == SSH_AUTH_SUCCESS) {
|
||||
EXLOGW("[ssh] logon with keyboard interactive mode.\n");
|
||||
_this->m_is_logon = true;
|
||||
return SSH_AUTH_SUCCESS;
|
||||
}
|
||||
else {
|
||||
EXLOGW("[ssh] failed to login with keyboard interactive mode, got %d, try password mode.\n", rc);
|
||||
}
|
||||
|
||||
if (_this->m_ssh_ver != 1) {
|
||||
// then try password mode if interactive mode does not supported by host with SSHv2.
|
||||
rc = ssh_userauth_password(_this->m_srv_session, _this->m_acc_name.c_str(), _this->m_acc_secret.c_str());
|
||||
if (rc == SSH_AUTH_SUCCESS) {
|
||||
EXLOGW("[ssh] logon with password mode.\n");
|
||||
_this->m_is_logon = true;
|
||||
return SSH_AUTH_SUCCESS;
|
||||
}
|
||||
else {
|
||||
EXLOGW("[ssh] failed to login with password mode, got %d.\n", rc);
|
||||
}
|
||||
}
|
||||
// and then try password login mode if server allow.
|
||||
if ((auth_methods & SSH_AUTH_METHOD_PASSWORD) == SSH_AUTH_METHOD_PASSWORD)
|
||||
{
|
||||
retry_count = 0;
|
||||
rc = ssh_userauth_password(_this->m_srv_session, NULL, _this->m_acc_secret.c_str());
|
||||
for (;;) {
|
||||
if (rc == SSH_AUTH_AGAIN) {
|
||||
retry_count += 1;
|
||||
if (retry_count >= 3)
|
||||
break;
|
||||
ex_sleep_ms(100);
|
||||
rc = ssh_userauth_password(_this->m_srv_session, NULL, _this->m_acc_secret.c_str());
|
||||
continue;
|
||||
}
|
||||
if (rc == SSH_AUTH_SUCCESS) {
|
||||
EXLOGW("[ssh] logon with password mode.\n");
|
||||
_this->m_is_logon = true;
|
||||
return SSH_AUTH_SUCCESS;
|
||||
}
|
||||
else {
|
||||
EXLOGE("[ssh] failed to login with password mode, got %d.\n", rc);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
EXLOGE("[ssh] can not use password mode or interactive mode to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
|
||||
_this->m_have_error = true;
|
||||
|
@ -599,7 +602,13 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user,
|
|||
return SSH_AUTH_ERROR;
|
||||
}
|
||||
else if (_this->m_auth_type == TP_AUTH_TYPE_PRIVATE_KEY) {
|
||||
ssh_key key = NULL;
|
||||
if ((auth_methods & SSH_AUTH_METHOD_PUBLICKEY) != SSH_AUTH_METHOD_PUBLICKEY) {
|
||||
_this->m_have_error = true;
|
||||
_this->_session_error(TP_SESS_STAT_ERR_AUTH_TYPE);
|
||||
return SSH_AUTH_ERROR;
|
||||
}
|
||||
|
||||
ssh_key key = NULL;
|
||||
if (SSH_OK != ssh_pki_import_privkey_base64(_this->m_acc_secret.c_str(), NULL, NULL, NULL, &key)) {
|
||||
EXLOGE("[ssh] can not import private-key for auth.\n");
|
||||
_this->m_have_error = true;
|
||||
|
@ -615,12 +624,11 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user,
|
|||
_this->m_is_logon = true;
|
||||
return SSH_AUTH_SUCCESS;
|
||||
}
|
||||
else {
|
||||
EXLOGE("[ssh] failed to use private-key to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
|
||||
_this->m_have_error = true;
|
||||
_this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED);
|
||||
return SSH_AUTH_ERROR;
|
||||
}
|
||||
|
||||
EXLOGE("[ssh] failed to use private-key to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
|
||||
_this->m_have_error = true;
|
||||
_this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED);
|
||||
return SSH_AUTH_ERROR;
|
||||
}
|
||||
else if (_this->m_auth_type == TP_AUTH_TYPE_NONE) {
|
||||
_this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED);
|
||||
|
@ -736,6 +744,11 @@ int SshSession::_on_client_shell_request(ssh_session session, ssh_channel channe
|
|||
SshSession *_this = (SshSession *)userdata;
|
||||
|
||||
EXLOGD("[ssh] client request shell\n");
|
||||
if ((_this->m_flags & TP_FLAG_SSH_SHELL) != TP_FLAG_SSH_SHELL)
|
||||
{
|
||||
EXLOGE("[ssh] ssh-shell disabled by ops-policy.\n");
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
TP_SSH_CHANNEL_PAIR* cp = _this->_get_channel_pair(TP_SSH_CLIENT_SIDE, channel);
|
||||
if (NULL == cp) {
|
||||
|
@ -761,7 +774,7 @@ int SshSession::_on_client_shell_request(ssh_session session, ssh_channel channe
|
|||
}
|
||||
|
||||
void SshSession::_on_client_channel_close(ssh_session session, ssh_channel channel, void *userdata) {
|
||||
EXLOGV("---client channel closed.\n");
|
||||
EXLOGV("[ssh] ---client channel closed.\n");
|
||||
SshSession *_this = (SshSession *)userdata;
|
||||
|
||||
TP_SSH_CHANNEL_PAIR* cp = _this->_get_channel_pair(TP_SSH_CLIENT_SIDE, channel);
|
||||
|
@ -896,6 +909,13 @@ int SshSession::_on_client_channel_subsystem_request(ssh_session session, ssh_ch
|
|||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
if ((_this->m_flags & TP_FLAG_SSH_SFTP) != TP_FLAG_SSH_SFTP)
|
||||
{
|
||||
EXLOGE("[ssh] ssh-sftp disabled by ops-policy.\n");
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
|
||||
cp->type = TS_SSH_CHANNEL_TYPE_SFTP;
|
||||
g_ssh_env.session_update(cp->db_id, TP_PROTOCOL_TYPE_SSH_SFTP, TP_SESS_STAT_STARTED);
|
||||
|
||||
|
@ -1099,7 +1119,7 @@ int SshSession::_on_server_channel_data(ssh_session session, ssh_channel channel
|
|||
}
|
||||
|
||||
void SshSession::_on_server_channel_close(ssh_session session, ssh_channel channel, void *userdata) {
|
||||
EXLOGV("---server channel closed.\n");
|
||||
EXLOGV("[ssh] ---server channel closed.\n");
|
||||
SshSession *_this = (SshSession *)userdata;
|
||||
TP_SSH_CHANNEL_PAIR* cp = _this->_get_channel_pair(TP_SSH_SERVER_SIDE, channel);
|
||||
if (NULL == cp) {
|
||||
|
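Review bot: `int val = 0; ssh_options_set(_this->m_srv_session, SSH_OPTIONS_STRICTHOSTKEYCHECK, &val);` is now live (it was commented out before) and explicitly turns off strict host-key checking on the proxy's outbound connection, and nothing in the visible hunks checks the real server's host key before the `ssh_userauth_*` calls, so the stored account password or private key is handed to whichever host answers at m_conn_ip:m_conn_port; a known-hosts lookup or host-key pin before authentication, with a mismatch reported through `_session_error`, is the check to add, and at minimum the line needs a comment stating why checking is disabled. The new `ssh_userauth_password(_this->m_srv_session, NULL, _this->m_acc_secret.c_str())` and `ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL)` calls rely on SSH_OPTIONS_USER having been set to m_acc_name earlier; that call would sit in the elided region between the `@ -449` and `@ -490` hunks, so it is worth confirming, since libssh presumably falls back to the local user name otherwise. The TP_FLAG_SSH_SHELL and TP_FLAG_SSH_SFTP gates added to `_on_client_shell_request` and `_on_client_channel_subsystem_request` cover shell and sftp only; if exec or other subsystem requests are accepted by callbacks outside these hunks they need the same ops-policy gate. `_on_auth_password_request` begins and ends outside the visible hunks.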
|
|
@ -132,6 +132,7 @@ private:
|
|||
ex_u16 m_conn_port;
|
||||
ex_astr m_acc_name;
|
||||
ex_astr m_acc_secret;
|
||||
ex_u32 m_flags;
|
||||
int m_auth_type;
|
||||
|
||||
bool m_is_logon;
|
||||
|
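Review bot: The new member `ex_u32 m_flags;` carries the policy bits that `_on_client_shell_request` and `_on_client_channel_subsystem_request` test against TP_FLAG_SSH_SHELL and TP_FLAG_SSH_SFTP, but the declaration says nothing about that; a comment such as `ex_u32 m_flags; // TP_FLAG_SSH_* ops-policy bits, copied from conn_info->protocol_flag in the auth callback` would make the header self-explaining. Since these bits decide whether a shell or sftp channel may be opened, the comment should also say they are set once at authentication time and are not expected to change afterwards (inferred from the single visible assignment; confirm).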
|
|
@ -109,6 +109,7 @@
|
|||
<ClInclude Include="..\..\..\..\common\libex\include\ex\ex_types.h" />
|
||||
<ClInclude Include="..\..\..\..\common\libex\include\ex\ex_util.h" />
|
||||
<ClInclude Include="..\..\..\..\common\libex\include\ex\ex_winsrv.h" />
|
||||
<ClInclude Include="..\..\..\..\common\teleport\teleport_const.h" />
|
||||
<ClInclude Include="..\..\..\..\external\jsoncpp\include\json\json.h" />
|
||||
<ClInclude Include="..\..\..\..\external\libssh-win-static\include\libssh\callbacks.h" />
|
||||
<ClInclude Include="..\..\..\..\external\libssh-win-static\include\libssh\libssh.h" />
|
||||
|
|
|
@ -113,6 +113,9 @@
|
|||
<ClInclude Include="..\..\..\..\external\jsoncpp\include\json\json.h">
|
||||
<Filter>jsoncpp</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="..\..\..\..\common\teleport\teleport_const.h">
|
||||
<Filter>common</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="tpssh.cpp">
|
||||
|
|
|
@ -537,6 +537,8 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) {
|
|||
|
||||
if (conn->is_server_side())
|
||||
{
|
||||
// EXLOG_BIN(m_conn_client->data().data(), m_conn_client->data().size(), "<-- client:");
|
||||
|
||||
// 收到了客户端发来的数据
|
||||
if (_this->m_is_putty_mode && !_this->m_username_sent)
|
||||
{
|
||||
|
@ -566,7 +568,9 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) {
|
|||
}
|
||||
else
|
||||
{
|
||||
// 收到了服务端返回的数据
|
||||
// EXLOG_BIN(m_conn_server->data().data(), m_conn_server->data().size(), "--> server:");
|
||||
|
||||
// 收到了服务端返回的数据
|
||||
if (m_conn_server->data().data()[0] != TELNET_IAC)
|
||||
m_rec.record(TS_RECORD_TYPE_TELNET_DATA, m_conn_server->data().data(), m_conn_server->data().size());
|
||||
|
||||
|
@ -574,7 +578,7 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) {
|
|||
{
|
||||
if (_this->_parse_find_and_send(m_conn_server, m_conn_client, _this->m_username_prompt.c_str(), _this->m_acc_name.c_str()))
|
||||
{
|
||||
_this->m_username_sent = true;
|
||||
// _this->m_username_sent = true;
|
||||
is_processed = true;
|
||||
}
|
||||
}
|
||||
|
@ -584,6 +588,7 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) {
|
|||
{
|
||||
_this->m_username_sent = true;
|
||||
_this->m_password_sent = true;
|
||||
_this->m_username_sent = true;
|
||||
is_processed = true;
|
||||
}
|
||||
}
|
||||
|
@ -603,11 +608,34 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) {
bool TelnetSession::_parse_find_and_send(TelnetConn* conn_recv, TelnetConn* conn_remote, const char* find, const char* send)
{
// EXLOGV("find prompt and send: [%s] => [%s]\n", find, send);
// EXLOG_BIN(conn_recv->data().data(), conn_recv->data().size(), "find prompt in data:");
size_t find_len = strlen(find);
size_t send_len = strlen(send);
if (0 == find_len || 0 == send_len)
return false;
if (0 == find_len || 0 == send_len || conn_recv->data().size() < find_len) {
return false;
}
int find_range = conn_recv->data().size() - find_len;
for (int i = 0; i <= find_range; ++i)
{
if (0 == memcmp(conn_recv->data().data() + i, find, find_len))
{
conn_remote->send(conn_recv->data().data(), conn_recv->data().size());
conn_recv->data().empty();
MemBuffer mbuf_msg;
mbuf_msg.reserve(128);
mbuf_msg.append((ex_u8*)send, send_len);
mbuf_msg.append((ex_u8*)"\x0d\x0a", 2);
// EXLOG_BIN(mbuf_msg.data(), mbuf_msg.size(), "find prompt and send:");
conn_recv->send(mbuf_msg.data(), mbuf_msg.size());
return true;
}
}
#if 0
MemBuffer mbuf_msg;
mbuf_msg.reserve(128);
MemStream ms_msg(mbuf_msg);
@ -679,6 +707,7 @@ bool TelnetSession::_parse_find_and_send(TelnetConn* conn_recv, TelnetConn* conn
return true;
}
}
#endif
return false;
}
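Review bot: In the new `_parse_find_and_send` loop, `conn_recv->data().empty();` after the forward to `conn_remote` reads like a query rather than a clear; if MemBuffer follows the standard-container meaning of `empty()` the received bytes are never discarded, the buffer keeps growing, and the same prompt bytes can match again on the next pass, so please confirm that method actually clears the buffer or call the clearing method explicitly. The matcher also only finds a prompt that arrives whole in one read; a prompt split across two TCP reads (presumably possible, as the previous `#if 0` code seems to have handled) will not match, which would leave the credential unsent and the session stuck. The `#if 0 … #endif` block that replaces the old implementation is dead code and should be deleted rather than kept alongside the rewrite. `_do_relay` and the earlier hunks of this file start outside the visible hunks.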
@ -859,7 +859,6 @@ $app.create_dlg_edit_host = function () {
cid: dlg.field_cid,
desc: dlg.field_desc
};
console.log(args);
// 如果id为-1表示创建,否则表示更新
$tp.ajax_post_json('/asset/update-host', args,
@ -1148,7 +1147,6 @@ $app.create_dlg_accounts = function () {
$tp.ajax_post_json('/asset/get-accounts', {host_id: dlg.host.id},
function (ret) {
if (ret.code === TPE_OK) {
console.log('account:', ret.data);
$app.table_acc.set_data(cb_stack, {}, {total: ret.data.length, page_index: 1, data: ret.data});
} else {
$app.table_acc.set_data(cb_stack, {}, {total: 0, page_index: 1, data: {}});
@ -1519,6 +1517,10 @@ $app.create_dlg_edit_account = function () {
}
dlg.dom.auth_type.empty().append($(html.join('')));
if(!_.isNull(dlg.account))
dlg.dom.auth_type.val(dlg.account.auth_type);
dlg.on_auth_change();
};
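Review bot: The new guard `if(!_.isNull(dlg.account))` in `create_dlg_edit_account` only excludes `null`; if the dialog is opened in "create" mode with `dlg.account` left `undefined` (I cannot see its initialisation from this hunk), `dlg.account.auth_type` will throw before `dlg.on_auth_change()` runs. A broader test avoids that: `if (!_.isNull(dlg.account) && !_.isUndefined(dlg.account)) {` with braces, matching the brace style used elsewhere in the file. Dropping the two `console.log` calls in the other hunks is welcome, since the host-edit `args` were being echoed to the browser console.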
@ -328,6 +328,9 @@ $app.on_table_host_render_created = function (render) {
case TP_SESS_STAT_ERR_SESSION:
msg = '无效会话';
break;
case TP_SESS_STAT_ERR_AUTH_TYPE:
msg = '无效认证方式';
break;
default:
msg = '未知状态 [' + fields.state + ']';
}
@ -49,6 +49,7 @@ var TP_SESS_STAT_ERR_BAD_PKG = 6; // 会话结束,因为收到错误的报文
var TP_SESS_STAT_ERR_RESET = 7; // 会话结束,因为teleport核心服务重置了
var TP_SESS_STAT_ERR_IO = 8; // 会话结束,因为网络中断
var TP_SESS_STAT_ERR_SESSION = 9; // 会话结束,因为无效的会话ID
var TP_SESS_STAT_ERR_AUTH_TYPE = 10; // // 会话结束,因为服务端不支持此认证方式
var TP_SESS_STAT_STARTED = 100; // 已经连接成功了,开始记录录像了
var TP_SESS_STAT_ERR_START_INTERNAL = 104; // 会话结束,因为内部错误
var TP_SESS_STAT_ERR_START_BAD_PKG = 106; // 会话结束,因为收到错误的报文
@ -212,6 +213,7 @@ var TPE_CAPTCHA_EXPIRED = 10000;
var TPE_CAPTCHA_MISMATCH = 10001;
var TPE_OATH_MISMATCH = 10002;
var TPE_SYS_MAINTENANCE = 10003;
var TPE_OATH_ALREADY_BIND = 10004;
var TPE_USER_LOCKED = 10100;
var TPE_USER_DISABLED = 10101;
@ -314,6 +316,10 @@ function tp_error_msg(error_code, message) {
case TPE_SYS_MAINTENANCE:
msg = '系统维护中';
break;
case TPE_OATH_ALREADY_BIND:
msg = '该账号已经绑定了身份验证器,如无法使用,请联系管理员重置密码或更换登陆方式';
break;
case TPE_USER_LOCKED:
msg = '账号已被锁定';
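Review bot: The new constant line carries a doubled comment marker, `var TP_SESS_STAT_ERR_AUTH_TYPE = 10; // // 会话结束,因为服务端不支持此认证方式`; the sibling lines use a single `//`, so drop the extra one. The value `TPE_OATH_ALREADY_BIND = 10004` matches the Python-side constant added in the same commit, which is the main thing to keep in sync when these tables change; a one-line comment pointing at the server-side definition would help the next person who edits only one of them.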
@ -182,7 +182,7 @@ $app.on_auth_user = function () {
}
$app.dom.auth.btn_submit.attr('disabled', 'disabled');
$tp.ajax_post_json('/user/verify-user', {username: str_username, password: str_password},
$tp.ajax_post_json('/user/verify-user', {username: str_username, password: str_password, check_bind_oath: true},
function (ret) {
$app.dom.auth.btn_submit.removeAttr('disabled');
if (ret.code === TPE_OK) {
@ -203,6 +203,8 @@ $app.on_table_users_cell_created = function (tbl, row_id, col_key, cell_obj) {
$app.dlg_edit_user.show_edit(row_id);
} else if (action === 'reset-password') {
$app.dlg_reset_password.show_edit(row_id);
} else if (action === 'reset-oath-bind') {
$app._reset_oath_bind(user.id);
} else if (action === 'lock') {
$app._lock_users([user.id]);
} else if (action === 'unlock') {
@ -349,6 +351,7 @@ $app.on_table_users_render_created = function (render) {
h.push('<li role="separator" class="divider"></li>');
h.push('<li><a href="javascript:;" data-action="reset-password"><i class="fa fa-street-view fa-fw"></i> 重置密码</a></li>');
h.push('<li><a href="javascript:;" data-action="reset-oath-bind"><i class="fa fa-street-view fa-fw"></i> 重置身份验证器</a></li>');
h.push('<li role="separator" class="divider"></li>');
h.push('<li><a href="javascript:;" data-action="remove"><i class="fa fa-times-circle fa-fw"></i> 删除</a></li>');
h.push('</ul>');
@ -547,6 +550,21 @@ $app.set_selected_to_role = function (role_id, role_name) {
};
$app._reset_oath_bind = function (users) {
$tp.ajax_post_json('/user/do-unbind-oath', {users: users},
function (ret) {
if (ret.code === TPE_OK) {
$tp.notify_success('重置身份验证器操作成功!');
} else {
$tp.notify_error('重置身份验证器操作失败:' + tp_error_msg(ret.code, ret.message));
}
},
function () {
$tp.notify_error('网络故障,重置身份验证器操作失败!');
}
);
};
$app._lock_users = function (users) {
$tp.ajax_post_json('/user/update-users', {action: 'lock', users: users},
function (ret) {
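Review bot: The call site passes a scalar, `$app._reset_oath_bind(user.id)`, while the new function names its parameter `users` and posts it as `{users: users}`, and the adjacent `_lock_users([user.id])` passes an array; the server handler forwards `args['users']` unchanged to `user.update_oath_secret`, so the two shapes will only both work if that helper accepts either. Pick one — `$app._reset_oath_bind([user.id]);` keeps it consistent with the lock/unlock actions. Resetting another user's second factor is a sensitive, irreversible action; unless a confirmation step happens elsewhere, a confirm prompt like the destructive `remove` action presumably has would be worth adding before the request is sent. The menu entry reuses the `fa-street-view` icon of "reset password", which makes the two items hard to tell apart.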
@ -1,2 +1,2 @@
# -*- coding: utf8 -*-
TP_SERVER_VER = "3.1.0.10"
TP_SERVER_VER = "3.1.0.10"
@ -198,6 +198,7 @@ TPE_CAPTCHA_EXPIRED = 10000
TPE_CAPTCHA_MISMATCH = 10001
TPE_OATH_MISMATCH = 10002
TPE_SYS_MAINTENANCE = 10003
TPE_OATH_ALREADY_BIND = 10004
TPE_USER_LOCKED = 10100
TPE_USER_DISABLED = 10101
@ -78,6 +78,8 @@ controllers = [
(r'/user/verify-user', user.DoVerifyUserHandler),
# - [json] 绑定身份认证器
(r'/user/do-bind-oath', user.DoBindOathHandler),
# - 取消绑定身份认证器
(r'/user/do-unbind-oath', user.DoUnBindOathHandler),
#
# - 用户组管理页面
(r'/user/group', user.GroupListHandler),
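Review bot: The comment on the new route omits the `[json]` tag that the neighbouring entries use to mark JSON handlers; since `DoUnBindOathHandler` is a `TPBaseJsonHandler`, it should read `# - [json] 取消绑定身份认证器` so the route table stays consistent. It would also help to state in that comment that the endpoint is admin-only (the handler checks a user-management privilege), as the route list is the first place a reader looks to see which endpoints are reachable by ordinary users.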
@ -144,7 +144,12 @@ class DoVerifyUserHandler(TPBaseJsonHandler):
except:
return self.write_json(TPE_PARAM)
err, user_info = user.login(self, username, password=password)
try:
check_bind_oath = args['check_bind_oath']
except:
check_bind_oath = False
err, user_info = user.login(self, username, password=password, check_bind_oath=check_bind_oath)
if err != TPE_OK:
if err == TPE_NOT_EXISTS:
err = TPE_USER_AUTH
@ -190,6 +195,28 @@ class DoBindOathHandler(TPBaseJsonHandler):
return self.write_json(TPE_OK)
class DoUnBindOathHandler(TPBaseJsonHandler):
def post(self):
ret = self.check_privilege(TP_PRIVILEGE_USER_DELETE)
if ret != TPE_OK:
return
args = self.get_argument('args', None)
if args is None:
return self.write_json(TPE_PARAM)
try:
args = json.loads(args)
except:
return self.write_json(TPE_JSON_FORMAT)
try:
users = args['users']
except:
return self.write_json(TPE_PARAM)
# 把oath设置为空就是去掉oath验证
err = user.update_oath_secret(self, users, '')
self.write_json(err)
class OathSecretQrCodeHandler(TPBaseHandler):
def get(self):
@ -752,6 +779,11 @@ class DoResetPasswordHandler(TPBaseJsonHandler):
if mode == 4 and err == TPE_OK:
user.remove_reset_token(token)
# 非用户自行修改密码的情况,都默认重置身份认证
if mode != 5 and err == TPE_OK:
print("reset oath secret")
user.update_oath_secret(self, user_id, '')
self.write_json(err)
else:
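Review bot: In `DoVerifyUserHandler` the `check_bind_oath` flag is taken from the client request and defaults to False, so whether the "already bound" check in `user.login` runs at all is decided by the caller; if `DoBindOathHandler` (its body is outside this hunk) does not itself refuse a user whose `oath_secret` is already set, a client that simply omits the flag can rebind an authenticator, and that rule needs to be enforced in the bind handler itself with the flag kept only as a UI hint. The bare `except:` around `args['check_bind_oath']` also hides unrelated errors; `check_bind_oath = bool(args.get('check_bind_oath', False))` is clearer, and `DoUnBindOathHandler` likewise forwards `args['users']` to `user.update_oath_secret` without checking it is a list of integer ids. In `DoResetPasswordHandler` the leftover `print("reset oath secret")` should go through the project's logging, and the return value of `user.update_oath_secret(self, user_id, '')` is discarded, so a failed authenticator reset is still reported to the caller as the password-reset result.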
@ -49,7 +49,7 @@ def get_by_username(username):
return TPE_OK, s.recorder[0]
def login(handler, username, password=None, oath_code=None):
def login(handler, username, password=None, oath_code=None, check_bind_oath=False):
sys_cfg = tp_cfg().sys
err, user_info = get_by_username(username)
@ -62,6 +62,10 @@ def login(handler, username, password=None, oath_code=None):
# 尚未为此用户设置角色
return TPE_PRIVILEGE, None
if check_bind_oath == True and len(user_info['oath_secret']) != 0:
return TPE_OATH_ALREADY_BIND, None
if user_info['state'] == TP_STATE_LOCKED:
# 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息
if sys_cfg.login.lock_timeout != 0:
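Review bot: The new `check_bind_oath` test in `login` runs right after the role lookup and before the locked-state check, and — if the password comparison happens later in the function, outside this hunk — before any credential is verified, so a caller of `/user/verify-user` that sets the flag gets `TPE_OATH_ALREADY_BIND` for any existing username without supplying a valid password. That reply distinguishes existing from non-existing usernames and reveals which accounts have an authenticator bound, which is information an unauthenticated caller should not get; move the check to after the password (and lock) checks have passed so it only ever fires for an authenticated user. The condition itself reads better as `if check_bind_oath and user_info['oath_secret']:`, which drops the `== True` comparison and also tolerates a `None` secret, where `len(...)` would raise. The rest of `login` lies outside the visible hunks.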
@ -14,6 +14,6 @@ Build : 构建号。构建号用于表明此版本发布之前进行了多少
TP_SERVER 3.1.0.10 # 整个服务端打包的版本
TP_TPCORE 3.0.2.7 # 核心服务 tp_core 的版本
TP_TPCORE 3.0.4.16 # 核心服务 tp_core 的版本
TP_TPWEB 3.1.0.10 # web服务 tp_web 的版本(一般除非升级Python,否则不会变化)
TP_ASSIST 3.0.1.6 # 助手版本