diff --git a/.gitignore b/.gitignore
index b91513d..7677215 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,9 +28,9 @@ __pycache__
**/.idea/modules.xml
**/.idea/dictionaries
**/.idea/watcherTasks.xml
-**/.idea/codeStyles
**/.idea/inspectionProfiles
**/.idea/vcs.xml
+**/.idea/codeStyles
*.css.map
diff --git a/build/build-py-static.sh b/build/build-py-static.sh
new file mode 100755
index 0000000..7851103
--- /dev/null
+++ b/build/build-py-static.sh
@@ -0,0 +1,195 @@
+#!/bin/bash
+
+################################################################
+# Basic settings.
+################################################################
+VER_PYTHON="3.4.4"
+VER_PYTHON_SHORT="3.4"
+VER_OPENSSL="1.0.2p"
+VER_SQLITE="3250000"
+# VER_PSUTIL="4.2.0"
+VER_PYTHON_LIB="${VER_PYTHON_SHORT}m"
+
+################################################################
+# DO NOT TOUCH FOLLOWING CODE
+################################################################
+
+FILE_PYTHON_STATIC_LIB="libpython${VER_PYTHON_LIB}.a"
+
+PATH_ROOT=$(cd "$(dirname "$0")"/..; pwd)
+PATH_EXT=${PATH_ROOT}/external
+PATH_DOWNLOAD=${PATH_EXT}/_download_
+PATH_TMP=${PATH_EXT}/linux/tmp
+PATH_FIX=${PATH_EXT}/fix-external
+PATH_RELEASE=${PATH_EXT}/linux/release
+
+
+PY_PATH_SRC=${PATH_TMP}/Python-${VER_PYTHON}
+#PATH_SRC=${PATH_TMP}/${VER_PYTHON}
+#PATH_INST=${PATH_RELEASE}/python
+OSSL_PATH_SRC=${PATH_TMP}/openssl-${VER_OPENSSL}
+
+function on_error()
+{
+ echo -e "\033[01m\033[31m"
+ echo "==================[ !! ERROR !! ]=================="
+ echo -e $1
+ echo "==================================================="
+ echo -e "\033[0m"
+ exit 1
+}
+
+function setp_build_git()
+{
+ # su -s
+ # yum install zlib-devel expat-devel libcurl-devel
+ # make prefix=/usr/local
+ # make prefix=/usr/local install
+ echo 'skip build git now.'
+}
+
+function dlfile()
+{
+ echo -n "Downloading $1 ..."
+ if [ ! -f "$4/$3" ]; then
+ echo ""
+ # curl --insecure https://www.python.org/ftp/python/3.4.3/${VER_PYTHON}.tgz -o "${PATH_PYTHON}/${VER_PYTHON}.tgz"
+ echo wget $2$3 -O "$4/$3"
+ wget --no-check-certificate $2$3 -O "$4/$3"
+
+ if [ ! -f "$4/$3" ]; then
+ on_error "Can not download $1: $3"
+ fi
+ else
+ echo " already exists, skip."
+ fi
+}
+
+function step_download_files()
+{
+ echo "download necessary source tarball ..."
+
+ if [ ! -d "${PATH_DOWNLOAD}" ]; then
+ mkdir -p "${PATH_DOWNLOAD}"
+ if [ ! -d "${PATH_DOWNLOAD}" ]; then
+ on_error "Can not create folder for download files."
+ fi
+ fi
+
+ dlfile "python source tarball" "https://www.python.org/ftp/python/${VER_PYTHON}/" "Python-${VER_PYTHON}.tgz" ${PATH_DOWNLOAD}
+ dlfile "openssl source tarball" "https://www.openssl.org/source/" "openssl-${VER_OPENSSL}.tar.gz" ${PATH_DOWNLOAD}
+ dlfile "sqlite source tarball" "http://sqlite.org/2018/" "sqlite-autoconf-${VER_SQLITE}.tar.gz" ${PATH_DOWNLOAD}
+
+ # dlfile "psutil source tarball" "https://pypi.python.org/packages/source/p/psutil/" "psutil-${VER_PSUTIL}.tar.gz" ${PATH_DOWNLOAD}
+ # https://pypi.python.org/pypi?:action=display&name=psutil#downloads
+
+ # echo -n "Downloading psutil source tarball ..."
+ # if [ ! -f "${PATH_DOWNLOAD}/psutil-${VER_PSUTIL}.tar.gz" ]; then
+ # echo ""
+ # echo "Because pypi.python.org limit, can not auto-download psutil, please visit following url:"
+ # echo " https://pypi.python.org/pypi?:action=display&name=psutil#downloads"
+ # echo "and download psutil-${VER_PSUTIL}.tar.gz and put it into folder:"
+ # echo " ${PATH_DOWNLOAD}"
+ # echo "after download, try again."
+ # on_error "psutil source tarball not exists."
+ # else
+ # echo " already exists, skip."
+ # fi
+}
+
+
+function step_prepare_source()
+{
+ echo "prepare source ..."
+
+ if [ ! -d "${PATH_TMP}" ]; then
+ mkdir -p "${PATH_TMP}"
+ if [ ! -d "${PATH_TMP}" ]; then
+ on_error "Can not create folder for tmp files."
+ fi
+ fi
+
+ if [ ! -d "${PATH_TMP}/Python-${VER_PYTHON}" ]; then
+ tar -zxvf "${PATH_DOWNLOAD}/Python-${VER_PYTHON}.tgz" -C "${PATH_TMP}"
+ fi
+
+ if [ ! -d "${PATH_TMP}/openssl-${VER_OPENSSL}" ]; then
+ tar -zxvf "${PATH_DOWNLOAD}/openssl-${VER_OPENSSL}.tar.gz" -C "${PATH_TMP}"
+ fi
+
+
+ if [ ! -d "${PATH_TMP}/sqlite-autoconf-${VER_SQLITE}" ]; then
+ tar -zxvf "${PATH_DOWNLOAD}/sqlite-autoconf-${VER_SQLITE}.tar.gz" -C "${PATH_TMP}"
+ fi
+
+ # if [ ! -d "${PATH_TMP}/psutil-${VER_PSUTIL}" ]; then
+ # tar -zxvf "${PATH_DOWNLOAD}/psutil-${VER_PSUTIL}.tar.gz" -C "${PATH_TMP}"
+ # fi
+
+ # cp -r "${PATH_TMP}/psutil-${VER_PSUTIL}/psutil" "${PATH_TMP}/Python-${VER_PYTHON}/Modules/."
+ cp -r "${PATH_TMP}/sqlite-autoconf-${VER_SQLITE}" "${PATH_TMP}/Python-${VER_PYTHON}/Modules/_sqlite/sqlite3"
+ cp -r "${PATH_FIX}/Python-${VER_PYTHON}" "${PATH_TMP}"
+}
+
+function step_build_openssl()
+{
+ echo -n "build openssl static library ..."
+
+ if [ ! -f "${PATH_RELEASE}/lib/libssl.a" ] || [ ! -f "${PATH_RELEASE}/lib/libcrypto.a" ]; then
+ echo ""
+ cd "${OSSL_PATH_SRC}"
+ ./config -fPIC --prefix=${PATH_RELEASE} --openssldir=${PATH_RELEASE}/openssl no-zlib no-shared
+ make
+ make install
+ cd "${PATH_ROOT}"
+
+ if [ ! -f "${PATH_RELEASE}/lib/libssl.a" ] || [ ! -f "${PATH_RELEASE}/lib/libcrypto.a" ]; then
+ on_error "Build openssl failed."
+ fi
+
+ else
+ echo " already exists, skip."
+ fi
+}
+
+
+function step_build_python()
+{
+ echo -n "build python static library ..."
+
+ if [ ! -f "${PATH_RELEASE}/lib/${FILE_PYTHON_STATIC_LIB}" ]; then
+ cd "${PY_PATH_SRC}"
+ cp "${PY_PATH_SRC}/Modules/Setup.dist" "${PY_PATH_SRC}/Modules/Setup"
+ LDFLAGS=-lrt ./configure --disable-shared --prefix=${PATH_RELEASE}
+ make
+ make altinstall
+ cd "${PATH_ROOT}"
+
+ if [ ! -f "${PATH_RELEASE}/lib/${FILE_PYTHON_STATIC_LIB}" ]; then
+ on_error "Build python failed."
+ fi
+
+ else
+ echo " already exists, skip."
+ fi
+}
+
+function step_finalize()
+{
+ # copy psutil *.py for release.
+ echo "finalize ..."
+
+ if [ ! -d "${PATH_RELEASE}/lib/python${VER_PYTHON_SHORT}/site-packages" ]; then
+ on_error "something goes wrong."
+ fi
+
+
+ # cp -r "${PATH_FIX}/psutil-${VER_PSUTIL}/psutil" "${PATH_RELEASE}/lib/python${VER_PYTHON_SHORT}/site-packages/psutil"
+}
+
+
+step_download_files
+step_prepare_source
+step_build_openssl
+step_build_python
+step_finalize
diff --git a/build/builder/build-external.py b/build/builder/build-external.py
index 240fff7..a52077e 100644
--- a/build/builder/build-external.py
+++ b/build/builder/build-external.py
@@ -46,7 +46,12 @@ class BuilderBase:
self._build_openssl(file_name)
def _build_openssl(self, file_name):
- cc.e("this is a pure-virtual function.")
+ _alt_ver = '_'.join(env.ver_openssl.split('.'))
+ if not utils.download_file('openssl source tarball', 'https://github.com/openssl/openssl/archive/OpenSSL_{}.zip'.format(_alt_ver), PATH_DOWNLOAD, file_name):
+ return False
+ else:
+ return True
+ # cc.e("this is a pure-virtual function.")
def build_libuv(self):
file_name = 'libuv-{}.zip'.format(env.ver_libuv)
diff --git a/build/builder/core/ver.py b/build/builder/core/ver.py
index c443d33..033c804 100644
--- a/build/builder/core/ver.py
+++ b/build/builder/core/ver.py
@@ -1,3 +1,3 @@
# -*- coding: utf8 -*-
-VER_TP_SERVER = "3.1.0.10"
+VER_TP_SERVER = "3.1.0.10"
VER_TP_ASSIST = "3.0.1.6"
diff --git a/common/teleport/teleport_const.h b/common/teleport/teleport_const.h
index 3c5b25e..05b436b 100644
--- a/common/teleport/teleport_const.h
+++ b/common/teleport/teleport_const.h
@@ -51,6 +51,7 @@
#define TP_SESS_STAT_ERR_RESET 7 // 会话结束,因为teleport核心服务重置了
#define TP_SESS_STAT_ERR_IO 8 // 会话结束,因为网络中断
#define TP_SESS_STAT_ERR_SESSION 9 // 会话结束,因为无效的会话ID
+#define TP_SESS_STAT_ERR_AUTH_TYPE 10 // 会话结束,因为不被允许的认证方式
#define TP_SESS_STAT_STARTED 100 // 已经连接成功了,开始记录录像了
#define TP_SESS_STAT_ERR_START_INTERNAL 104 // 会话结束,因为内部错误
#define TP_SESS_STAT_ERR_START_BAD_PKG 106 // 会话结束,因为收到错误的报文
diff --git a/external/fix-external/mbedtls/include/mbedtls/config.h b/external/fix-external/mbedtls/include/mbedtls/config.h
old mode 100644
new mode 100755
index 846fd52..5e64d18
--- a/external/fix-external/mbedtls/include/mbedtls/config.h
+++ b/external/fix-external/mbedtls/include/mbedtls/config.h
@@ -1,14 +1,14 @@
/**
* \file config.h
- #### v2.6.1
*
* \brief Configuration options (set of defines)
*
* This set of compile-time options may be used to enable
* or disable features selectively, and reduce the global
* memory footprint.
- *
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ */
+/*
+ * Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -48,10 +48,14 @@
* Requires support for asm() in compiler.
*
* Used in:
+ * library/aria.c
* library/timing.c
- * library/padlock.c
* include/mbedtls/bn_mul.h
*
+ * Required by:
+ * MBEDTLS_AESNI_C
+ * MBEDTLS_PADLOCK_C
+ *
* Comment to disable the use of assembly code.
*/
#define MBEDTLS_HAVE_ASM
@@ -84,6 +88,28 @@
*/
//#define MBEDTLS_NO_UDBL_DIVISION
+/**
+ * \def MBEDTLS_NO_64BIT_MULTIPLICATION
+ *
+ * The platform lacks support for 32x32 -> 64-bit multiplication.
+ *
+ * Used in:
+ * library/poly1305.c
+ *
+ * Some parts of the library may use multiplication of two unsigned 32-bit
+ * operands with a 64-bit result in order to speed up computations. On some
+ * platforms, this is not available in hardware and has to be implemented in
+ * software, usually in a library provided by the toolchain.
+ *
+ * Sometimes it is not desirable to have to link to that library. This option
+ * removes the dependency of that library on platforms that lack a hardware
+ * 64-bit multiplier by embedding a software implementation in Mbed TLS.
+ *
+ * Note that depending on the compiler, this may decrease performance compared
+ * to using the library function provided by the toolchain.
+ */
+//#define MBEDTLS_NO_64BIT_MULTIPLICATION
+
/**
* \def MBEDTLS_HAVE_SSE2
*
@@ -262,20 +288,38 @@
*
* Uncomment a macro to enable alternate implementation of the corresponding
* module.
+ *
+ * \warning MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their
+ * use constitutes a security risk. If possible, we recommend
+ * avoiding dependencies on them, and considering stronger message
+ * digests and ciphers instead.
+ *
*/
//#define MBEDTLS_AES_ALT
//#define MBEDTLS_ARC4_ALT
+//#define MBEDTLS_ARIA_ALT
//#define MBEDTLS_BLOWFISH_ALT
//#define MBEDTLS_CAMELLIA_ALT
+//#define MBEDTLS_CCM_ALT
+//#define MBEDTLS_CHACHA20_ALT
+//#define MBEDTLS_CHACHAPOLY_ALT
+//#define MBEDTLS_CMAC_ALT
//#define MBEDTLS_DES_ALT
-//#define MBEDTLS_XTEA_ALT
+//#define MBEDTLS_DHM_ALT
+//#define MBEDTLS_ECJPAKE_ALT
+//#define MBEDTLS_GCM_ALT
+//#define MBEDTLS_NIST_KW_ALT
//#define MBEDTLS_MD2_ALT
//#define MBEDTLS_MD4_ALT
//#define MBEDTLS_MD5_ALT
+//#define MBEDTLS_POLY1305_ALT
//#define MBEDTLS_RIPEMD160_ALT
+//#define MBEDTLS_RSA_ALT
//#define MBEDTLS_SHA1_ALT
//#define MBEDTLS_SHA256_ALT
//#define MBEDTLS_SHA512_ALT
+//#define MBEDTLS_XTEA_ALT
+
/*
* When replacing the elliptic curve module, pleace consider, that it is
* implemented with two .c files:
@@ -315,6 +359,12 @@
*
* Uncomment a macro to enable alternate implementation of the corresponding
* function.
+ *
+ * \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
+ * constitutes a security risk. If possible, we recommend avoiding
+ * dependencies on them, and considering stronger message digests
+ * and ciphers instead.
+ *
*/
//#define MBEDTLS_MD2_PROCESS_ALT
//#define MBEDTLS_MD4_PROCESS_ALT
@@ -330,6 +380,11 @@
//#define MBEDTLS_AES_SETKEY_DEC_ALT
//#define MBEDTLS_AES_ENCRYPT_ALT
//#define MBEDTLS_AES_DECRYPT_ALT
+//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT
+//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT
+//#define MBEDTLS_ECDSA_VERIFY_ALT
+//#define MBEDTLS_ECDSA_SIGN_ALT
+//#define MBEDTLS_ECDSA_GENKEY_ALT
/**
* \def MBEDTLS_ECP_INTERNAL_ALT
@@ -417,12 +472,45 @@
/**
* \def MBEDTLS_AES_ROM_TABLES
*
- * Store the AES tables in ROM.
+ * Use precomputed AES tables stored in ROM.
+ *
+ * Uncomment this macro to use precomputed AES tables stored in ROM.
+ * Comment this macro to generate AES tables in RAM at runtime.
+ *
+ * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
+ * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
+ * initialization time before the first AES operation can be performed.
+ * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
+ * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
+ * performance if ROM access is slower than RAM access.
+ *
+ * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
*
- * Uncomment this macro to store the AES tables in ROM.
*/
//#define MBEDTLS_AES_ROM_TABLES
+/**
+ * \def MBEDTLS_AES_FEWER_TABLES
+ *
+ * Use less ROM/RAM for AES tables.
+ *
+ * Uncommenting this macro omits 75% of the AES tables from
+ * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
+ * by computing their values on the fly during operations
+ * (the tables are entry-wise rotations of one another).
+ *
+ * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
+ * by ~6kb but at the cost of more arithmetic operations during
+ * runtime. Specifically, one has to compare 4 accesses within
+ * different tables to 4 accesses with additional arithmetic
+ * operations within the same table. The performance gain/loss
+ * depends on the system and memory details.
+ *
+ * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
+ *
+ */
+//#define MBEDTLS_AES_FEWER_TABLES
+
/**
* \def MBEDTLS_CAMELLIA_SMALL_MEMORY
*
@@ -453,6 +541,20 @@
*/
#define MBEDTLS_CIPHER_MODE_CTR
+/**
+ * \def MBEDTLS_CIPHER_MODE_OFB
+ *
+ * Enable Output Feedback mode (OFB) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_OFB
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_XTS
+ *
+ * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
+ */
+#define MBEDTLS_CIPHER_MODE_XTS
+
/**
* \def MBEDTLS_CIPHER_NULL_CIPHER
*
@@ -514,6 +616,9 @@
* MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
*
* Uncomment this macro to enable weak ciphersuites
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers instead.
*/
//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
@@ -550,6 +655,7 @@
#define MBEDTLS_ECP_DP_BP384R1_ENABLED
#define MBEDTLS_ECP_DP_BP512R1_ENABLED
#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#define MBEDTLS_ECP_DP_CURVE448_ENABLED
/**
* \def MBEDTLS_ECP_NIST_OPTIM
@@ -619,6 +725,13 @@
* MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
* MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
* MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+ *
+ * \warning Using DHE constitutes a security risk as it
+ * is not possible to validate custom DH parameters.
+ * If possible, it is recommended users should consider
+ * preferring other methods of key exchange.
+ * See dhm.h for more details.
+ *
*/
#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
@@ -640,7 +753,7 @@
* MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
* MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
*/
-//#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
@@ -718,6 +831,13 @@
* MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
* MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
* MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *
+ * \warning Using DHE constitutes a security risk as it
+ * is not possible to validate custom DH parameters.
+ * If possible, it is recommended users should consider
+ * preferring other methods of key exchange.
+ * See dhm.h for more details.
+ *
*/
#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
@@ -744,7 +864,7 @@
* MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
* MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
*/
-//#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
@@ -768,7 +888,7 @@
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
*/
-//#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
@@ -792,7 +912,7 @@
* MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
*/
-//#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
@@ -816,7 +936,7 @@
* MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
*/
-//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
@@ -1009,7 +1129,8 @@
/**
* \def MBEDTLS_RSA_NO_CRT
*
- * Do not use the Chinese Remainder Theorem for the RSA private operation.
+ * Do not use the Chinese Remainder Theorem
+ * for the RSA private operation.
*
* Uncomment this macro to disable the use of CRT in RSA.
*
@@ -1053,6 +1174,17 @@
*/
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
+/**
+ * \def MBEDTLS_SSL_ASYNC_PRIVATE
+ *
+ * Enable asynchronous external private key operations in SSL. This allows
+ * you to configure an SSL connection to call an external cryptographic
+ * module to perform private key operations instead of performing the
+ * operation inside the library.
+ *
+ */
+//#define MBEDTLS_SSL_ASYNC_PRIVATE
+
/**
* \def MBEDTLS_SSL_DEBUG_ALL
*
@@ -1156,8 +1288,15 @@
* misuse/misunderstand.
*
* Comment this to disable support for renegotiation.
+ *
+ * \note Even if this option is disabled, both client and server are aware
+ * of the Renegotiation Indication Extension (RFC 5746) used to
+ * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1).
+ * (See \c mbedtls_ssl_conf_legacy_renegotiation for the
+ * configuration of this extension).
+ *
*/
-//#define MBEDTLS_SSL_RENEGOTIATION
+#define MBEDTLS_SSL_RENEGOTIATION
/**
* \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
@@ -1198,7 +1337,7 @@
*
* Comment this macro to disable support for SSL 3.0
*/
-#define MBEDTLS_SSL_PROTO_SSL3
+//#define MBEDTLS_SSL_PROTO_SSL3
/**
* \def MBEDTLS_SSL_PROTO_TLS1
@@ -1364,6 +1503,30 @@
*/
#define MBEDTLS_SSL_TRUNCATED_HMAC
+/**
+ * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
+ *
+ * Fallback to old (pre-2.7), non-conforming implementation of the truncated
+ * HMAC extension which also truncates the HMAC key. Note that this option is
+ * only meant for a transitory upgrade period and is likely to be removed in
+ * a future version of the library.
+ *
+ * \warning The old implementation is non-compliant and has a security weakness
+ * (2^80 brute force attack on the HMAC key used for a single,
+ * uninterrupted connection). This should only be enabled temporarily
+ * when (1) the use of truncated HMAC is essential in order to save
+ * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
+ * the fixed implementation yet (pre-2.7).
+ *
+ * \deprecated This option is deprecated and will likely be removed in a
+ * future version of Mbed TLS.
+ *
+ * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
+ *
+ * Requires: MBEDTLS_SSL_TRUNCATED_HMAC
+ */
+//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
+
/**
* \def MBEDTLS_THREADING_ALT
*
@@ -1470,6 +1633,9 @@
*
* \note Currently compression can't be used with DTLS.
*
+ * \deprecated This feature is deprecated and will be removed
+ * in the next major revision of the library.
+ *
* Used in: library/ssl_tls.c
* library/ssl_cli.c
* library/ssl_srv.c
@@ -1508,7 +1674,7 @@
* Enable the AES block cipher.
*
* Module: library/aes.c
- * Caller: library/ssl_tls.c
+ * Caller: library/cipher.c
* library/pem.c
* library/ctr_drbg.c
*
@@ -1583,7 +1749,7 @@
* Enable the ARCFOUR stream cipher.
*
* Module: library/arc4.c
- * Caller: library/ssl_tls.c
+ * Caller: library/cipher.c
*
* This module enables the following ciphersuites (if other requisites are
* enabled as well):
@@ -1597,6 +1763,11 @@
* MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
* MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
* MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
+ *
+ * \warning ARC4 is considered a weak cipher and its use constitutes a
+ * security risk. If possible, we recommend avoidng dependencies on
+ * it, and considering stronger ciphers instead.
+ *
*/
#define MBEDTLS_ARC4_C
@@ -1626,7 +1797,7 @@
* library/x509write_crt.c
* library/x509write_csr.c
*/
-//#define MBEDTLS_ASN1_WRITE_C
+#define MBEDTLS_ASN1_WRITE_C
/**
* \def MBEDTLS_BASE64_C
@@ -1650,6 +1821,7 @@
* library/ecp.c
* library/ecdsa.c
* library/rsa.c
+ * library/rsa_internal.c
* library/ssl_tls.c
*
* This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
@@ -1671,7 +1843,7 @@
* Enable the Camellia block cipher.
*
* Module: library/camellia.c
- * Caller: library/ssl_tls.c
+ * Caller: library/cipher.c
*
* This module enables the following ciphersuites (if other requisites are
* enabled as well):
@@ -1718,7 +1890,59 @@
* MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
* MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
*/
-//#define MBEDTLS_CAMELLIA_C
+#define MBEDTLS_CAMELLIA_C
+
+/**
+ * \def MBEDTLS_ARIA_C
+ *
+ * Enable the ARIA block cipher.
+ *
+ * Module: library/aria.c
+ * Caller: library/cipher.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *
+ * MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
+ * MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
+ * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
+ */
+//#define MBEDTLS_ARIA_C
/**
* \def MBEDTLS_CCM_C
@@ -1732,7 +1956,7 @@
* This module enables the AES-CCM ciphersuites, if other requisites are
* enabled as well.
*/
-//#define MBEDTLS_CCM_C
+#define MBEDTLS_CCM_C
/**
* \def MBEDTLS_CERTS_C
@@ -1746,6 +1970,26 @@
*/
#define MBEDTLS_CERTS_C
+/**
+ * \def MBEDTLS_CHACHA20_C
+ *
+ * Enable the ChaCha20 stream cipher.
+ *
+ * Module: library/chacha20.c
+ */
+#define MBEDTLS_CHACHA20_C
+
+/**
+ * \def MBEDTLS_CHACHAPOLY_C
+ *
+ * Enable the ChaCha20-Poly1305 AEAD algorithm.
+ *
+ * Module: library/chachapoly.c
+ *
+ * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
+ */
+#define MBEDTLS_CHACHAPOLY_C
+
/**
* \def MBEDTLS_CIPHER_C
*
@@ -1806,7 +2050,7 @@
*
* Module: library/des.c
* Caller: library/pem.c
- * library/ssl_tls.c
+ * library/cipher.c
*
* This module enables the following ciphersuites (if other requisites are
* enabled as well):
@@ -1822,6 +2066,9 @@
* MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
*
* PEM_PARSE uses DES/3DES for decrypting encrypted keys.
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers instead.
*/
#define MBEDTLS_DES_C
@@ -1836,6 +2083,13 @@
*
* This module is used by the following key exchanges:
* DHE-RSA, DHE-PSK
+ *
+ * \warning Using DHE constitutes a security risk as it
+ * is not possible to validate custom DH parameters.
+ * If possible, it is recommended users should consider
+ * preferring other methods of key exchange.
+ * See dhm.h for more details.
+ *
*/
#define MBEDTLS_DHM_C
@@ -1853,7 +2107,7 @@
*
* Requires: MBEDTLS_ECP_C
*/
-//#define MBEDTLS_ECDH_C
+#define MBEDTLS_ECDH_C
/**
* \def MBEDTLS_ECDSA_C
@@ -1868,7 +2122,7 @@
*
* Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
*/
-//#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECDSA_C
/**
* \def MBEDTLS_ECJPAKE_C
@@ -1901,7 +2155,7 @@
*
* Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
*/
-//#define MBEDTLS_ECP_C
+#define MBEDTLS_ECP_C
/**
* \def MBEDTLS_ENTROPY_C
@@ -1941,7 +2195,7 @@
* This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
* requisites are enabled as well.
*/
-//#define MBEDTLS_GCM_C
+#define MBEDTLS_GCM_C
/**
* \def MBEDTLS_HAVEGE_C
@@ -1966,6 +2220,21 @@
*/
//#define MBEDTLS_HAVEGE_C
+/**
+ * \def MBEDTLS_HKDF_C
+ *
+ * Enable the HKDF algorithm (RFC 5869).
+ *
+ * Module: library/hkdf.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the Hashed Message Authentication Code
+ * (HMAC)-based key derivation function (HKDF).
+ */
+#define MBEDTLS_HKDF_C
+
/**
* \def MBEDTLS_HMAC_DRBG_C
*
@@ -1980,6 +2249,19 @@
*/
#define MBEDTLS_HMAC_DRBG_C
+/**
+ * \def MBEDTLS_NIST_KW_C
+ *
+ * Enable the Key Wrapping mode for 128-bit block ciphers,
+ * as defined in NIST SP 800-38F. Only KW and KWP modes
+ * are supported. At the moment, only AES is approved by NIST.
+ *
+ * Module: library/nist_kw.c
+ *
+ * Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
+ */
+//#define MBEDTLS_NIST_KW_C
+
/**
* \def MBEDTLS_MD_C
*
@@ -2001,6 +2283,11 @@
* Caller:
*
* Uncomment to enable support for (rare) MD2-signed X.509 certs.
+ *
+ * \warning MD2 is considered a weak message digest and its use constitutes a
+ * security risk. If possible, we recommend avoiding dependencies on
+ * it, and considering stronger message digests instead.
+ *
*/
//#define MBEDTLS_MD2_C
@@ -2013,6 +2300,11 @@
* Caller:
*
* Uncomment to enable support for (rare) MD4-signed X.509 certs.
+ *
+ * \warning MD4 is considered a weak message digest and its use constitutes a
+ * security risk. If possible, we recommend avoiding dependencies on
+ * it, and considering stronger message digests instead.
+ *
*/
//#define MBEDTLS_MD4_C
@@ -2026,8 +2318,15 @@
* library/pem.c
* library/ssl_tls.c
*
- * This module is required for SSL/TLS and X.509.
- * PEM_PARSE uses MD5 for decrypting encrypted keys.
+ * This module is required for SSL/TLS up to version 1.1, and for TLS 1.2
+ * depending on the handshake parameters. Further, it is used for checking
+ * MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded
+ * encrypted keys.
+ *
+ * \warning MD5 is considered a weak message digest and its use constitutes a
+ * security risk. If possible, we recommend avoiding dependencies on
+ * it, and considering stronger message digests instead.
+ *
*/
#define MBEDTLS_MD5_C
@@ -2135,7 +2434,7 @@
*
* This modules adds support for encoding / writing PEM files.
*/
-//#define MBEDTLS_PEM_WRITE_C
+#define MBEDTLS_PEM_WRITE_C
/**
* \def MBEDTLS_PK_C
@@ -2180,7 +2479,7 @@
*
* Uncomment to enable generic public key write functions.
*/
-//#define MBEDTLS_PK_WRITE_C
+#define MBEDTLS_PK_WRITE_C
/**
* \def MBEDTLS_PKCS5_C
@@ -2246,6 +2545,16 @@
*/
#define MBEDTLS_PLATFORM_C
+/**
+ * \def MBEDTLS_POLY1305_C
+ *
+ * Enable the Poly1305 MAC algorithm.
+ *
+ * Module: library/poly1305.c
+ * Caller: library/chachapoly.c
+ */
+#define MBEDTLS_POLY1305_C
+
/**
* \def MBEDTLS_RIPEMD160_C
*
@@ -2255,7 +2564,7 @@
* Caller: library/md.c
*
*/
-//#define MBEDTLS_RIPEMD160_C
+#define MBEDTLS_RIPEMD160_C
/**
* \def MBEDTLS_RSA_C
@@ -2263,6 +2572,7 @@
* Enable the RSA public-key cryptosystem.
*
* Module: library/rsa.c
+ * library/rsa_internal.c
* Caller: library/ssl_cli.c
* library/ssl_srv.c
* library/ssl_tls.c
@@ -2289,6 +2599,11 @@
*
* This module is required for SSL/TLS up to version 1.1, for TLS 1.2
* depending on the handshake parameters, and for SHA1-signed certificates.
+ *
+ * \warning SHA-1 is considered a weak message digest and its use constitutes
+ * a security risk. If possible, we recommend avoiding dependencies
+ * on it, and considering stronger message digests instead.
+ *
*/
#define MBEDTLS_SHA1_C
@@ -2517,7 +2832,7 @@
*
* This module is used for reading X.509 certificate request.
*/
-//#define MBEDTLS_X509_CSR_PARSE_C
+#define MBEDTLS_X509_CSR_PARSE_C
/**
* \def MBEDTLS_X509_CREATE_C
@@ -2530,7 +2845,7 @@
*
* This module is the basis for creating X.509 certificates and CSRs.
*/
-//#define MBEDTLS_X509_CREATE_C
+#define MBEDTLS_X509_CREATE_C
/**
* \def MBEDTLS_X509_CRT_WRITE_C
@@ -2543,7 +2858,7 @@
*
* This module is required for X.509 certificate creation.
*/
-//#define MBEDTLS_X509_CRT_WRITE_C
+#define MBEDTLS_X509_CRT_WRITE_C
/**
* \def MBEDTLS_X509_CSR_WRITE_C
@@ -2556,7 +2871,7 @@
*
* This module is required for X.509 certificate request writing.
*/
-//#define MBEDTLS_X509_CSR_WRITE_C
+#define MBEDTLS_X509_CSR_WRITE_C
/**
* \def MBEDTLS_XTEA_C
@@ -2641,7 +2956,7 @@
//#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */
/* Note: your snprintf must correclty zero-terminate the buffer! */
-#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */
//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
@@ -2650,7 +2965,51 @@
//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */
/* SSL options */
-//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
+
+/** \def MBEDTLS_SSL_MAX_CONTENT_LEN
+ *
+ * Maximum fragment length in bytes.
+ *
+ * Determines the size of both the incoming and outgoing TLS I/O buffers.
+ *
+ * Uncommenting MBEDTLS_SSL_IN_CONTENT_LEN and/or MBEDTLS_SSL_OUT_CONTENT_LEN
+ * will override this length by setting maximum incoming and/or outgoing
+ * fragment length, respectively.
+ */
+//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384
+
+/** \def MBEDTLS_SSL_IN_CONTENT_LEN
+ *
+ * Maximum incoming fragment length in bytes.
+ *
+ * Uncomment to set the size of the inward TLS buffer independently of the
+ * outward buffer.
+ */
+//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384
+
+/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
+ *
+ * Maximum outgoing fragment length in bytes.
+ *
+ * Uncomment to set the size of the outward TLS buffer independently of the
+ * inward buffer.
+ *
+ * It is possible to save RAM by setting a smaller outward buffer, while keeping
+ * the default inward 16384 byte buffer to conform to the TLS specification.
+ *
+ * The minimum required outward buffer size is determined by the handshake
+ * protocol's usage. Handshaking will fail if the outward buffer is too small.
+ * The specific size requirement depends on the configured ciphers and any
+ * certificate data which is sent during the handshake.
+ *
+ * For absolute minimum RAM usage, it's best to enable
+ * MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This
+ * reduces both incoming and outgoing buffer sizes. However this is only
+ * guaranteed if the other end of the connection also supports the TLS
+ * max_fragment_len extension. Otherwise the connection may fail.
+ */
+//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384
+
//#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
@@ -2677,8 +3036,13 @@
* Allow SHA-1 in the default TLS configuration for certificate signing.
* Without this build-time option, SHA-1 support must be activated explicitly
* through mbedtls_ssl_conf_cert_profile. Turning on this option is not
- * recommended because of it is possible to generte SHA-1 collisions, however
+ * recommended because of it is possible to generate SHA-1 collisions, however
* this may be safe for legacy infrastructure where additional controls apply.
+ *
+ * \warning SHA-1 is considered a weak message digest and its use constitutes
+ * a security risk. If possible, we recommend avoiding dependencies
+ * on it, and considering stronger message digests instead.
+ *
*/
// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
@@ -2689,14 +3053,40 @@
* The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
* default. At the time of writing, there is no practical attack on the use
* of SHA-1 in handshake signatures, hence this option is turned on by default
- * for compatibility with existing peers.
+ * to preserve compatibility with existing peers, but the general
+ * warning applies nonetheless:
+ *
+ * \warning SHA-1 is considered a weak message digest and its use constitutes
+ * a security risk. If possible, we recommend avoiding dependencies
+ * on it, and considering stronger message digests instead.
+ *
*/
#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
+/**
+ * Uncomment the macro to let mbed TLS use your alternate implementation of
+ * mbedtls_platform_zeroize(). This replaces the default implementation in
+ * platform_util.c.
+ *
+ * mbedtls_platform_zeroize() is a widely used function across the library to
+ * zero a block of memory. The implementation is expected to be secure in the
+ * sense that it has been written to prevent the compiler from removing calls
+ * to mbedtls_platform_zeroize() as part of redundant code elimination
+ * optimizations. However, it is difficult to guarantee that calls to
+ * mbedtls_platform_zeroize() will not be optimized by the compiler as older
+ * versions of the C language standards do not provide a secure implementation
+ * of memset(). Therefore, MBEDTLS_PLATFORM_ZEROIZE_ALT enables users to
+ * configure their own implementation of mbedtls_platform_zeroize(), for
+ * example by using directives specific to their compiler, features from newer
+ * C standards (e.g using memset_s() in C11) or calling a secure memset() from
+ * their system (e.g explicit_bzero() in BSD).
+ */
+//#define MBEDTLS_PLATFORM_ZEROIZE_ALT
+
/* \} name SECTION: Customisation configuration options */
/* Target and application specific configurations */
-//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "mbedtls/target_config.h"
+//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "target_config.h"
#if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE)
#include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE
diff --git a/external/libssh-win-static/include/config.h b/external/libssh-win-static/include/config.h
index d4643f5..b18c7e1 100644
--- a/external/libssh-win-static/include/config.h
+++ b/external/libssh-win-static/include/config.h
@@ -6,15 +6,15 @@
#define PACKAGE "libssh"
/* Version number of package */
-#define VERSION "0.7.4"
+#define VERSION "0.7.5"
/* #undef LOCALEDIR */
/* #undef DATADIR */
//#define LIBDIR "lib"
//#define PLUGINDIR "plugins-4"
/* #undef SYSCONFDIR */
-//#define BINARYDIR "E:/work/eomsoft/tmp/libssh/build"
-//#define SOURCEDIR "E:/work/eomsoft/tmp/libssh"
+//#define BINARYDIR "E:/work/tp4a/teleport/external/_download_/libssh-0.7.5/build"
+//#define SOURCEDIR "E:/work/tp4a/teleport/external/_download_/libssh-0.7.5"
/************************** HEADER FILES *************************/
@@ -81,28 +81,28 @@
/*************************** FUNCTIONS ***************************/
/* Define to 1 if you have the `EVP_aes128_ctr' function. */
-#define HAVE_OPENSSL_EVP_AES_CTR 1
+//#define HAVE_OPENSSL_EVP_AES_CTR 1
/* Define to 1 if you have the `EVP_aes128_cbc' function. */
-#define HAVE_OPENSSL_EVP_AES_CBC 1
+//#define HAVE_OPENSSL_EVP_AES_CBC 1
/* Define to 1 if you have the `snprintf' function. */
#define HAVE_SNPRINTF 1
/* Define to 1 if you have the `_snprintf' function. */
-/* #undef HAVE__SNPRINTF */
+#define HAVE__SNPRINTF 1
/* Define to 1 if you have the `_snprintf_s' function. */
-/* #undef HAVE__SNPRINTF_S */
+#define HAVE__SNPRINTF_S 1
/* Define to 1 if you have the `vsnprintf' function. */
#define HAVE_VSNPRINTF 1
/* Define to 1 if you have the `_vsnprintf' function. */
-/* #undef HAVE__VSNPRINTF */
+#define HAVE__VSNPRINTF 1
/* Define to 1 if you have the `_vsnprintf_s' function. */
-/* #undef HAVE__VSNPRINTF_S */
+#define HAVE__VSNPRINTF_S 1
/* Define to 1 if you have the `isblank' function. */
#define HAVE_ISBLANK 1
@@ -172,8 +172,7 @@
#define WITH_SFTP 1
/* Define to 1 if you want to enable SSH1 */
-/* #undef WITH_SSH1 */
-#define WITH_SSH1
+#define WITH_SSH1 1
/* Define to 1 if you want to enable server support */
#define WITH_SERVER 1
diff --git a/server/.idea/encodings.xml b/server/.idea/encodings.xml
index ab92e64..a8db1e0 100644
--- a/server/.idea/encodings.xml
+++ b/server/.idea/encodings.xml
@@ -30,6 +30,7 @@
+
@@ -41,6 +42,7 @@
+
diff --git a/server/tp_core/core/CMakeLists.txt b/server/tp_core/core/CMakeLists.txt
index b75d135..d593b71 100644
--- a/server/tp_core/core/CMakeLists.txt
+++ b/server/tp_core/core/CMakeLists.txt
@@ -33,7 +33,7 @@ include_directories(
)
IF (CMAKE_SYSTEM_NAME MATCHES "Linux")
- set(CMAKE_EXE_LINKER_FLAGS "-export-dynamic")
+# set(CMAKE_EXE_LINKER_FLAGS "-export-dynamic")
include_directories(
../../../external/linux/release/include
)
diff --git a/server/tp_core/core/tp_core.rc b/server/tp_core/core/tp_core.rc
index 1faeaa4..a4987d5 100644
Binary files a/server/tp_core/core/tp_core.rc and b/server/tp_core/core/tp_core.rc differ
diff --git a/server/tp_core/core/ts_http_client.cpp b/server/tp_core/core/ts_http_client.cpp
index be43bfc..fbb9c6b 100644
--- a/server/tp_core/core/ts_http_client.cpp
+++ b/server/tp_core/core/ts_http_client.cpp
@@ -53,7 +53,7 @@ static void ev_handler(struct mg_connection *nc, int ev, void *ev_data)
break;
case MG_EV_HTTP_REPLY:
nc->flags |= MG_F_CLOSE_IMMEDIATELY;
- hdata->exit_flag = true;
+ //hdata->exit_flag = true;
hdata->body.assign(hm->body.p, hm->body.len);
break;
case MG_EV_CLOSE:
@@ -68,35 +68,41 @@ static void ev_handler(struct mg_connection *nc, int ev, void *ev_data)
}
}
+static struct mg_mgr g_mg_mgr;
+static bool is_mg_mgr_initialized = false;
+
bool ts_http_get(const ex_astr& url, ex_astr& body)
{
- struct mg_mgr mgr;
- mg_mgr_init(&mgr, NULL);
+ if(!is_mg_mgr_initialized) {
+ mg_mgr_init(&g_mg_mgr, NULL);
+ is_mg_mgr_initialized = true;
+ }
- mg_connection* nc = mg_connect_http(&mgr, ev_handler, url.c_str(), NULL, NULL);
+ mg_connection* nc = mg_connect_http(&g_mg_mgr, ev_handler, url.c_str(), NULL, NULL);
if (NULL == nc)
return false;
- HTTP_DATA* hdata = new HTTP_DATA;
- hdata->exit_flag = false;
- hdata->have_error = false;
+ //HTTP_DATA* hdata = new HTTP_DATA;
+ HTTP_DATA hdata;
+ hdata.exit_flag = false;
+ hdata.have_error = false;
- nc->user_data = hdata;
+ nc->user_data = &hdata;
// int count = 0;
- while (!hdata->exit_flag)
+ while (!hdata.exit_flag)
{
- mg_mgr_poll(&mgr, 100);
+ mg_mgr_poll(&g_mg_mgr, 100);
// count++;
// if (count > 2)
// break;
}
- bool ret = !hdata->have_error;
+ bool ret = !hdata.have_error;
if (ret)
- body = hdata->body;
+ body = hdata.body;
- delete hdata;
- mg_mgr_free(&mgr);
+// mg_mgr_free(&mgr);
+// delete hdata;
return ret;
}
diff --git a/server/tp_core/core/ts_ver.h b/server/tp_core/core/ts_ver.h
index be4855b..d86f4bf 100644
--- a/server/tp_core/core/ts_ver.h
+++ b/server/tp_core/core/ts_ver.h
@@ -1,6 +1,6 @@
#ifndef __TS_SERVER_VER_H__
#define __TS_SERVER_VER_H__
-#define TP_SERVER_VER L"3.0.2.7"
+#define TP_SERVER_VER L"3.0.4.16"
#endif // __TS_SERVER_VER_H__
diff --git a/server/tp_core/protocol/ssh/ssh_session.cpp b/server/tp_core/protocol/ssh/ssh_session.cpp
index 1da871a..4dde76f 100644
--- a/server/tp_core/protocol/ssh/ssh_session.cpp
+++ b/server/tp_core/protocol/ssh/ssh_session.cpp
@@ -422,7 +422,7 @@ void SshSession::check_noop_timeout(ex_u32 t_now, ex_u32 timeout) {
}
int SshSession::_on_auth_password_request(ssh_session session, const char *user, const char *password, void *userdata) {
- // 这里拿到的user就是我们要的session-id。
+ // here, `user` is the session-id we need.
SshSession *_this = (SshSession *)userdata;
_this->m_sid = user;
EXLOGV("[ssh] authenticating, session-id: %s\n", _this->m_sid.c_str());
@@ -441,6 +441,7 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user,
_this->m_auth_type = _this->m_conn_info->auth_type;
_this->m_acc_name = _this->m_conn_info->acc_username;
_this->m_acc_secret = _this->m_conn_info->acc_secret;
+ _this->m_flags = _this->m_conn_info->protocol_flag;
if (_this->m_conn_info->protocol_type != TP_PROTOCOL_TYPE_SSH) {
EXLOGE("[ssh] session '%s' is not for SSH.\n", _this->m_sid.c_str());
_this->m_have_error = true;
@@ -449,21 +450,18 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user,
}
}
- // 现在尝试根据session-id获取得到的信息,连接并登录真正的SSH服务器
+ // config and try to connect to real SSH host.
EXLOGV("[ssh] try to connect to real SSH server %s:%d\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
_this->m_srv_session = ssh_new();
- // int verbosity = 4;
- // ssh_options_set(_this->m_srv_session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
- //ssh_set_blocking(_this->m_srv_session, 1);
ssh_options_set(_this->m_srv_session, SSH_OPTIONS_HOST, _this->m_conn_ip.c_str());
int port = (int)_this->m_conn_port;
ssh_options_set(_this->m_srv_session, SSH_OPTIONS_PORT, &port);
#ifdef EX_DEBUG
- // int flag = SSH_LOG_FUNCTIONS;
- // ssh_options_set(_this->m_srv_session, SSH_OPTIONS_LOG_VERBOSITY, &flag);
+// int flag = SSH_LOG_FUNCTIONS;
+// ssh_options_set(_this->m_srv_session, SSH_OPTIONS_LOG_VERBOSITY, &flag);
#endif
- // int val = 0;
- // ssh_options_set(_this->m_srv_session, SSH_OPTIONS_STRICTHOSTKEYCHECK, &val);
+ int val = 0;
+ ssh_options_set(_this->m_srv_session, SSH_OPTIONS_STRICTHOSTKEYCHECK, &val);
if (_this->m_auth_type != TP_AUTH_TYPE_NONE)
@@ -490,108 +488,113 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user,
_this->m_ssh_ver = ssh_get_version(_this->m_srv_session);
EXLOGW("[ssh] real host is SSHv%d\n", _this->m_ssh_ver);
+#if 0
// check supported auth type by host
- //ssh_userauth_none(_this->m_srv_session, _this->m_acc_name.c_str());
- // rc = ssh_userauth_none(_this->m_srv_session, NULL);
- // if (rc == SSH_AUTH_ERROR) {
- // EXLOGE("[ssh] can not got auth type supported by real SSH server %s:%d.\n", _this->m_server_ip.c_str(), _this->m_server_port);
- // _this->m_have_error = true;
- // _this->m_retcode = SESS_STAT_ERR_AUTH_DENIED;
- // return SSH_AUTH_ERROR;
- // }
- // // int auth_methods = ssh_userauth_list(_this->m_srv_session, NULL);
- // const char* banner = ssh_get_issue_banner(_this->m_srv_session);
- // if (NULL != banner) {
- // EXLOGE("[ssh] issue banner: %s\n", banner);
- // }
+ ssh_userauth_none(_this->m_srv_session, _this->m_acc_name.c_str());
+ rc = ssh_userauth_none(_this->m_srv_session, NULL);
+ if (rc == SSH_AUTH_ERROR) {
+ EXLOGE("[ssh] can not got auth type supported by real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
+ _this->m_have_error = true;
+ _this->_session_error(TP_SESS_STAT_ERR_SESSION);
+ return SSH_AUTH_ERROR;
+ }
+ int auth_methods = ssh_userauth_list(_this->m_srv_session, _this->m_acc_name.c_str());
+
+ const char* banner = ssh_get_issue_banner(_this->m_srv_session);
+ if (NULL != banner) {
+ EXLOGE("[ssh] issue banner: %s\n", banner);
+ }
+#endif
+
+ int auth_methods = SSH_AUTH_METHOD_INTERACTIVE | SSH_AUTH_METHOD_PASSWORD | SSH_AUTH_METHOD_PUBLICKEY;
+ if (SSH_AUTH_ERROR != ssh_userauth_none(_this->m_srv_session, NULL))
+ {
+ auth_methods = ssh_userauth_list(_this->m_srv_session, NULL);
+ EXLOGV("[ssh] allowed auth method: 0x%08x\n", auth_methods);
+ }
+ else
+ {
+ EXLOGW("[ssh] can not get allowed auth method, try each method we can.\n");
+ }
if (_this->m_auth_type == TP_AUTH_TYPE_PASSWORD) {
- int retry_count = 0;
+ if (!(((auth_methods & SSH_AUTH_METHOD_INTERACTIVE) == SSH_AUTH_METHOD_INTERACTIVE) || ((auth_methods & SSH_AUTH_METHOD_PASSWORD) == SSH_AUTH_METHOD_PASSWORD)))
+ {
+ _this->_session_error(TP_SESS_STAT_ERR_AUTH_TYPE);
+ return SSH_AUTH_ERROR;
+ }
+
+
+ int retry_count = 0;
- if (_this->m_ssh_ver == 1) {
- // first try password for SSHv1
- rc = ssh_userauth_password(_this->m_srv_session, _this->m_acc_name.c_str(), _this->m_acc_secret.c_str());
- for (;;) {
- if (rc == SSH_AUTH_AGAIN) {
- retry_count += 1;
- if (retry_count >= 3)
- break;
- ex_sleep_ms(100);
- rc = ssh_userauth_password(_this->m_srv_session, _this->m_acc_name.c_str(), _this->m_acc_secret.c_str());
- continue;
- }
- if (rc == SSH_AUTH_SUCCESS) {
- EXLOGW("[ssh] logon with password mode.\n");
- _this->m_is_logon = true;
- return SSH_AUTH_SUCCESS;
- }
- else {
- EXLOGW("[ssh] failed to login with password mode, got %d.\n", rc);
- }
- }
- }
+ // first try interactive login mode if server allow.
+ if ((auth_methods & SSH_AUTH_METHOD_INTERACTIVE) == SSH_AUTH_METHOD_INTERACTIVE)
+ {
+ retry_count = 0;
+ rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
+ for (;;) {
+ if (rc == SSH_AUTH_AGAIN) {
+ retry_count += 1;
+ if (retry_count >= 5)
+ break;
+ ex_sleep_ms(500);
+ rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
+ continue;
+ }
- // first try interactive login mode for SSHv2.
- retry_count = 0;
- rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
- for (;;) {
- if (rc == SSH_AUTH_AGAIN) {
- retry_count += 1;
- if (retry_count >= 5)
- break;
- ex_sleep_ms(500);
- rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
- continue;
- }
+ if (rc != SSH_AUTH_INFO)
+ break;
- if (rc != SSH_AUTH_INFO)
- break;
+ int nprompts = ssh_userauth_kbdint_getnprompts(_this->m_srv_session);
+ if (0 == nprompts) {
+ rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
+ continue;
+ }
- int nprompts = ssh_userauth_kbdint_getnprompts(_this->m_srv_session);
- if (0 == nprompts) {
- rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
- continue;
- }
+ for (int iprompt = 0; iprompt < nprompts; ++iprompt) {
+ char echo = 0;
+ const char* prompt = ssh_userauth_kbdint_getprompt(_this->m_srv_session, iprompt, &echo);
+ EXLOGV("[ssh] interactive login prompt: %s\n", prompt);
- for (int iprompt = 0; iprompt < nprompts; ++iprompt) {
- char echo = 0;
- const char* prompt = ssh_userauth_kbdint_getprompt(_this->m_srv_session, iprompt, &echo);
- EXLOGV("[ssh] interactive login prompt: %s\n", prompt);
+ rc = ssh_userauth_kbdint_setanswer(_this->m_srv_session, iprompt, _this->m_acc_secret.c_str());
+ if (rc < 0) {
+ EXLOGE("[ssh] invalid password for interactive mode to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
+ _this->m_have_error = true;
+ _this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED);
+ return SSH_AUTH_ERROR;
+ }
+ }
- rc = ssh_userauth_kbdint_setanswer(_this->m_srv_session, iprompt, _this->m_acc_secret.c_str());
- if (rc < 0) {
- EXLOGE("[ssh] invalid password for interactive mode to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
- _this->m_have_error = true;
- _this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED);
- return SSH_AUTH_ERROR;
- }
- }
+ rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
+ }
+ }
- rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL);
- }
-
- if (rc == SSH_AUTH_SUCCESS) {
- EXLOGW("[ssh] logon with keyboard interactive mode.\n");
- _this->m_is_logon = true;
- return SSH_AUTH_SUCCESS;
- }
- else {
- EXLOGW("[ssh] failed to login with keyboard interactive mode, got %d, try password mode.\n", rc);
- }
-
- if (_this->m_ssh_ver != 1) {
- // then try password mode if interactive mode does not supported by host with SSHv2.
- rc = ssh_userauth_password(_this->m_srv_session, _this->m_acc_name.c_str(), _this->m_acc_secret.c_str());
- if (rc == SSH_AUTH_SUCCESS) {
- EXLOGW("[ssh] logon with password mode.\n");
- _this->m_is_logon = true;
- return SSH_AUTH_SUCCESS;
- }
- else {
- EXLOGW("[ssh] failed to login with password mode, got %d.\n", rc);
- }
- }
+ // and then try password login mode if server allow.
+ if ((auth_methods & SSH_AUTH_METHOD_PASSWORD) == SSH_AUTH_METHOD_PASSWORD)
+ {
+ retry_count = 0;
+ rc = ssh_userauth_password(_this->m_srv_session, NULL, _this->m_acc_secret.c_str());
+ for (;;) {
+ if (rc == SSH_AUTH_AGAIN) {
+ retry_count += 1;
+ if (retry_count >= 3)
+ break;
+ ex_sleep_ms(100);
+ rc = ssh_userauth_password(_this->m_srv_session, NULL, _this->m_acc_secret.c_str());
+ continue;
+ }
+ if (rc == SSH_AUTH_SUCCESS) {
+ EXLOGW("[ssh] logon with password mode.\n");
+ _this->m_is_logon = true;
+ return SSH_AUTH_SUCCESS;
+ }
+ else {
+ EXLOGE("[ssh] failed to login with password mode, got %d.\n", rc);
+ break;
+ }
+ }
+ }
EXLOGE("[ssh] can not use password mode or interactive mode to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
_this->m_have_error = true;
@@ -599,7 +602,13 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user,
return SSH_AUTH_ERROR;
}
else if (_this->m_auth_type == TP_AUTH_TYPE_PRIVATE_KEY) {
- ssh_key key = NULL;
+ if ((auth_methods & SSH_AUTH_METHOD_PUBLICKEY) != SSH_AUTH_METHOD_PUBLICKEY) {
+ _this->m_have_error = true;
+ _this->_session_error(TP_SESS_STAT_ERR_AUTH_TYPE);
+ return SSH_AUTH_ERROR;
+ }
+
+ ssh_key key = NULL;
if (SSH_OK != ssh_pki_import_privkey_base64(_this->m_acc_secret.c_str(), NULL, NULL, NULL, &key)) {
EXLOGE("[ssh] can not import private-key for auth.\n");
_this->m_have_error = true;
@@ -615,12 +624,11 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user,
_this->m_is_logon = true;
return SSH_AUTH_SUCCESS;
}
- else {
- EXLOGE("[ssh] failed to use private-key to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
- _this->m_have_error = true;
- _this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED);
- return SSH_AUTH_ERROR;
- }
+
+ EXLOGE("[ssh] failed to use private-key to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port);
+ _this->m_have_error = true;
+ _this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED);
+ return SSH_AUTH_ERROR;
}
else if (_this->m_auth_type == TP_AUTH_TYPE_NONE) {
_this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED);
@@ -736,6 +744,11 @@ int SshSession::_on_client_shell_request(ssh_session session, ssh_channel channe
SshSession *_this = (SshSession *)userdata;
EXLOGD("[ssh] client request shell\n");
+ if ((_this->m_flags & TP_FLAG_SSH_SHELL) != TP_FLAG_SSH_SHELL)
+ {
+ EXLOGE("[ssh] ssh-shell disabled by ops-policy.\n");
+ return SSH_ERROR;
+ }
TP_SSH_CHANNEL_PAIR* cp = _this->_get_channel_pair(TP_SSH_CLIENT_SIDE, channel);
if (NULL == cp) {
@@ -761,7 +774,7 @@ int SshSession::_on_client_shell_request(ssh_session session, ssh_channel channe
}
void SshSession::_on_client_channel_close(ssh_session session, ssh_channel channel, void *userdata) {
- EXLOGV("---client channel closed.\n");
+ EXLOGV("[ssh] ---client channel closed.\n");
SshSession *_this = (SshSession *)userdata;
TP_SSH_CHANNEL_PAIR* cp = _this->_get_channel_pair(TP_SSH_CLIENT_SIDE, channel);
@@ -896,6 +909,13 @@ int SshSession::_on_client_channel_subsystem_request(ssh_session session, ssh_ch
return SSH_ERROR;
}
+ if ((_this->m_flags & TP_FLAG_SSH_SFTP) != TP_FLAG_SSH_SFTP)
+ {
+ EXLOGE("[ssh] ssh-sftp disabled by ops-policy.\n");
+ return SSH_ERROR;
+ }
+
+
cp->type = TS_SSH_CHANNEL_TYPE_SFTP;
g_ssh_env.session_update(cp->db_id, TP_PROTOCOL_TYPE_SSH_SFTP, TP_SESS_STAT_STARTED);
@@ -1099,7 +1119,7 @@ int SshSession::_on_server_channel_data(ssh_session session, ssh_channel channel
}
void SshSession::_on_server_channel_close(ssh_session session, ssh_channel channel, void *userdata) {
- EXLOGV("---server channel closed.\n");
+ EXLOGV("[ssh] ---server channel closed.\n");
SshSession *_this = (SshSession *)userdata;
TP_SSH_CHANNEL_PAIR* cp = _this->_get_channel_pair(TP_SSH_SERVER_SIDE, channel);
if (NULL == cp) {
diff --git a/server/tp_core/protocol/ssh/ssh_session.h b/server/tp_core/protocol/ssh/ssh_session.h
index dec1e1f..d0e6321 100644
--- a/server/tp_core/protocol/ssh/ssh_session.h
+++ b/server/tp_core/protocol/ssh/ssh_session.h
@@ -132,6 +132,7 @@ private:
ex_u16 m_conn_port;
ex_astr m_acc_name;
ex_astr m_acc_secret;
+ ex_u32 m_flags;
int m_auth_type;
bool m_is_logon;
diff --git a/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj b/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj
index 73c64cb..ec6de51 100644
--- a/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj
+++ b/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj
@@ -109,6 +109,7 @@
+
diff --git a/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj.filters b/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj.filters
index a4fd071..18936c4 100644
--- a/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj.filters
+++ b/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj.filters
@@ -113,6 +113,9 @@
jsoncpp
+
+ common
+
diff --git a/server/tp_core/protocol/telnet/telnet_session.cpp b/server/tp_core/protocol/telnet/telnet_session.cpp
index 8440f3e..242222e 100644
--- a/server/tp_core/protocol/telnet/telnet_session.cpp
+++ b/server/tp_core/protocol/telnet/telnet_session.cpp
@@ -537,6 +537,8 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) {
if (conn->is_server_side())
{
+// EXLOG_BIN(m_conn_client->data().data(), m_conn_client->data().size(), "<-- client:");
+
// 收到了客户端发来的数据
if (_this->m_is_putty_mode && !_this->m_username_sent)
{
@@ -566,7 +568,9 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) {
}
else
{
- // 收到了服务端返回的数据
+// EXLOG_BIN(m_conn_server->data().data(), m_conn_server->data().size(), "--> server:");
+
+ // 收到了服务端返回的数据
if (m_conn_server->data().data()[0] != TELNET_IAC)
m_rec.record(TS_RECORD_TYPE_TELNET_DATA, m_conn_server->data().data(), m_conn_server->data().size());
@@ -574,7 +578,7 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) {
{
if (_this->_parse_find_and_send(m_conn_server, m_conn_client, _this->m_username_prompt.c_str(), _this->m_acc_name.c_str()))
{
- _this->m_username_sent = true;
+// _this->m_username_sent = true;
is_processed = true;
}
}
@@ -584,6 +588,7 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) {
{
_this->m_username_sent = true;
_this->m_password_sent = true;
+ _this->m_username_sent = true;
is_processed = true;
}
}
@@ -603,11 +608,34 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) {
bool TelnetSession::_parse_find_and_send(TelnetConn* conn_recv, TelnetConn* conn_remote, const char* find, const char* send)
{
+// EXLOGV("find prompt and send: [%s] => [%s]\n", find, send);
+// EXLOG_BIN(conn_recv->data().data(), conn_recv->data().size(), "find prompt in data:");
+
size_t find_len = strlen(find);
size_t send_len = strlen(send);
- if (0 == find_len || 0 == send_len)
- return false;
+ if (0 == find_len || 0 == send_len || conn_recv->data().size() < find_len) {
+ return false;
+ }
+ int find_range = conn_recv->data().size() - find_len;
+ for (int i = 0; i <= find_range; ++i)
+ {
+ if (0 == memcmp(conn_recv->data().data() + i, find, find_len))
+ {
+ conn_remote->send(conn_recv->data().data(), conn_recv->data().size());
+ conn_recv->data().empty();
+
+ MemBuffer mbuf_msg;
+ mbuf_msg.reserve(128);
+ mbuf_msg.append((ex_u8*)send, send_len);
+ mbuf_msg.append((ex_u8*)"\x0d\x0a", 2);
+// EXLOG_BIN(mbuf_msg.data(), mbuf_msg.size(), "find prompt and send:");
+ conn_recv->send(mbuf_msg.data(), mbuf_msg.size());
+ return true;
+ }
+ }
+
+#if 0
MemBuffer mbuf_msg;
mbuf_msg.reserve(128);
MemStream ms_msg(mbuf_msg);
@@ -679,6 +707,7 @@ bool TelnetSession::_parse_find_and_send(TelnetConn* conn_recv, TelnetConn* conn
return true;
}
}
+#endif
return false;
}
diff --git a/server/www/teleport/static/js/asset/host-list.js b/server/www/teleport/static/js/asset/host-list.js
index 92596f0..2c451a9 100644
--- a/server/www/teleport/static/js/asset/host-list.js
+++ b/server/www/teleport/static/js/asset/host-list.js
@@ -859,7 +859,6 @@ $app.create_dlg_edit_host = function () {
cid: dlg.field_cid,
desc: dlg.field_desc
};
- console.log(args);
// 濡傛灉id涓-1琛ㄧず鍒涘缓锛屽惁鍒欒〃绀烘洿鏂
$tp.ajax_post_json('/asset/update-host', args,
@@ -1148,7 +1147,6 @@ $app.create_dlg_accounts = function () {
$tp.ajax_post_json('/asset/get-accounts', {host_id: dlg.host.id},
function (ret) {
if (ret.code === TPE_OK) {
- console.log('account:', ret.data);
$app.table_acc.set_data(cb_stack, {}, {total: ret.data.length, page_index: 1, data: ret.data});
} else {
$app.table_acc.set_data(cb_stack, {}, {total: 0, page_index: 1, data: {}});
@@ -1519,6 +1517,10 @@ $app.create_dlg_edit_account = function () {
}
dlg.dom.auth_type.empty().append($(html.join('')));
+
+ if(!_.isNull(dlg.account))
+ dlg.dom.auth_type.val(dlg.account.auth_type);
+
dlg.on_auth_change();
};
diff --git a/server/www/teleport/static/js/audit/record-list.js b/server/www/teleport/static/js/audit/record-list.js
index b8bea97..46eabca 100644
--- a/server/www/teleport/static/js/audit/record-list.js
+++ b/server/www/teleport/static/js/audit/record-list.js
@@ -328,6 +328,9 @@ $app.on_table_host_render_created = function (render) {
case TP_SESS_STAT_ERR_SESSION:
msg = '鏃犳晥浼氳瘽';
break;
+ case TP_SESS_STAT_ERR_AUTH_TYPE:
+ msg = '鏃犳晥璁よ瘉鏂瑰紡';
+ break;
default:
msg = '鏈煡鐘舵 [' + fields.state + ']';
}
diff --git a/server/www/teleport/static/js/tp-const.js b/server/www/teleport/static/js/tp-const.js
old mode 100644
new mode 100755
index 5df2d8b..9632605
--- a/server/www/teleport/static/js/tp-const.js
+++ b/server/www/teleport/static/js/tp-const.js
@@ -49,6 +49,7 @@ var TP_SESS_STAT_ERR_BAD_PKG = 6; // 浼氳瘽缁撴潫锛屽洜涓烘敹鍒伴敊璇殑鎶ユ枃
var TP_SESS_STAT_ERR_RESET = 7; // 浼氳瘽缁撴潫锛屽洜涓簍eleport鏍稿績鏈嶅姟閲嶇疆浜
var TP_SESS_STAT_ERR_IO = 8; // 浼氳瘽缁撴潫锛屽洜涓虹綉缁滀腑鏂
var TP_SESS_STAT_ERR_SESSION = 9; // 浼氳瘽缁撴潫锛屽洜涓烘棤鏁堢殑浼氳瘽ID
+var TP_SESS_STAT_ERR_AUTH_TYPE = 10; // // 浼氳瘽缁撴潫锛屽洜涓烘湇鍔$涓嶆敮鎸佹璁よ瘉鏂瑰紡
var TP_SESS_STAT_STARTED = 100; // 宸茬粡杩炴帴鎴愬姛浜嗭紝寮濮嬭褰曞綍鍍忎簡
var TP_SESS_STAT_ERR_START_INTERNAL = 104; // 浼氳瘽缁撴潫锛屽洜涓哄唴閮ㄩ敊璇
var TP_SESS_STAT_ERR_START_BAD_PKG = 106; // 浼氳瘽缁撴潫锛屽洜涓烘敹鍒伴敊璇殑鎶ユ枃
@@ -212,6 +213,7 @@ var TPE_CAPTCHA_EXPIRED = 10000;
var TPE_CAPTCHA_MISMATCH = 10001;
var TPE_OATH_MISMATCH = 10002;
var TPE_SYS_MAINTENANCE = 10003;
+var TPE_OATH_ALREADY_BIND = 10004;
var TPE_USER_LOCKED = 10100;
var TPE_USER_DISABLED = 10101;
@@ -314,6 +316,10 @@ function tp_error_msg(error_code, message) {
case TPE_SYS_MAINTENANCE:
msg = '绯荤粺缁存姢涓';
break;
+
+ case TPE_OATH_ALREADY_BIND:
+ msg = '璇ヨ处鍙峰凡缁忕粦瀹氫簡韬唤楠岃瘉鍣紝濡傛棤娉曚娇鐢紝璇疯仈绯荤鐞嗗憳閲嶇疆瀵嗙爜鎴栨洿鎹㈢櫥闄嗘柟寮';
+ break;
case TPE_USER_LOCKED:
msg = '璐﹀彿宸茶閿佸畾';
diff --git a/server/www/teleport/static/js/user/bind-oath.js b/server/www/teleport/static/js/user/bind-oath.js
old mode 100644
new mode 100755
index d9f8f42..4e59b8e
--- a/server/www/teleport/static/js/user/bind-oath.js
+++ b/server/www/teleport/static/js/user/bind-oath.js
@@ -182,7 +182,7 @@ $app.on_auth_user = function () {
}
$app.dom.auth.btn_submit.attr('disabled', 'disabled');
- $tp.ajax_post_json('/user/verify-user', {username: str_username, password: str_password},
+ $tp.ajax_post_json('/user/verify-user', {username: str_username, password: str_password, check_bind_oath: true},
function (ret) {
$app.dom.auth.btn_submit.removeAttr('disabled');
if (ret.code === TPE_OK) {
diff --git a/server/www/teleport/static/js/user/user-list.js b/server/www/teleport/static/js/user/user-list.js
old mode 100644
new mode 100755
index 65f0719..fb85bc1
--- a/server/www/teleport/static/js/user/user-list.js
+++ b/server/www/teleport/static/js/user/user-list.js
@@ -203,6 +203,8 @@ $app.on_table_users_cell_created = function (tbl, row_id, col_key, cell_obj) {
$app.dlg_edit_user.show_edit(row_id);
} else if (action === 'reset-password') {
$app.dlg_reset_password.show_edit(row_id);
+ } else if (action === 'reset-oath-bind') {
+ $app._reset_oath_bind(user.id);
} else if (action === 'lock') {
$app._lock_users([user.id]);
} else if (action === 'unlock') {
@@ -349,6 +351,7 @@ $app.on_table_users_render_created = function (render) {
h.push('');
h.push(' 閲嶇疆瀵嗙爜');
+ h.push(' 閲嶇疆韬唤楠岃瘉鍣');
h.push('');
h.push(' 鍒犻櫎');
h.push('');
@@ -547,6 +550,21 @@ $app.set_selected_to_role = function (role_id, role_name) {
};
+$app._reset_oath_bind = function (users) {
+ $tp.ajax_post_json('/user/do-unbind-oath', {users: users},
+ function (ret) {
+ if (ret.code === TPE_OK) {
+ $tp.notify_success('閲嶇疆韬唤楠岃瘉鍣ㄦ搷浣滄垚鍔燂紒');
+ } else {
+ $tp.notify_error('閲嶇疆韬唤楠岃瘉鍣ㄦ搷浣滃け璐ワ細' + tp_error_msg(ret.code, ret.message));
+ }
+ },
+ function () {
+ $tp.notify_error('缃戠粶鏁呴殰锛岄噸缃韩浠介獙璇佸櫒鎿嶄綔澶辫触锛');
+ }
+ );
+};
+
$app._lock_users = function (users) {
$tp.ajax_post_json('/user/update-users', {action: 'lock', users: users},
function (ret) {
diff --git a/server/www/teleport/webroot/app/app_ver.py b/server/www/teleport/webroot/app/app_ver.py
index 894de5b..4892dc8 100644
--- a/server/www/teleport/webroot/app/app_ver.py
+++ b/server/www/teleport/webroot/app/app_ver.py
@@ -1,2 +1,2 @@
# -*- coding: utf8 -*-
-TP_SERVER_VER = "3.1.0.10"
+TP_SERVER_VER = "3.1.0.10"
diff --git a/server/www/teleport/webroot/app/const.py b/server/www/teleport/webroot/app/const.py
old mode 100644
new mode 100755
index c029c0f..c3c9a5e
--- a/server/www/teleport/webroot/app/const.py
+++ b/server/www/teleport/webroot/app/const.py
@@ -198,6 +198,7 @@ TPE_CAPTCHA_EXPIRED = 10000
TPE_CAPTCHA_MISMATCH = 10001
TPE_OATH_MISMATCH = 10002
TPE_SYS_MAINTENANCE = 10003
+TPE_OATH_ALREADY_BIND = 10004
TPE_USER_LOCKED = 10100
TPE_USER_DISABLED = 10101
diff --git a/server/www/teleport/webroot/app/controller/__init__.py b/server/www/teleport/webroot/app/controller/__init__.py
old mode 100644
new mode 100755
index 6f1c56f..d141f5b
--- a/server/www/teleport/webroot/app/controller/__init__.py
+++ b/server/www/teleport/webroot/app/controller/__init__.py
@@ -78,6 +78,8 @@ controllers = [
(r'/user/verify-user', user.DoVerifyUserHandler),
# - [json] 缁戝畾韬唤璁よ瘉鍣
(r'/user/do-bind-oath', user.DoBindOathHandler),
+ # - 鍙栨秷缁戝畾韬唤璁よ瘉鍣
+ (r'/user/do-unbind-oath', user.DoUnBindOathHandler),
#
# - 鐢ㄦ埛缁勭鐞嗛〉闈
(r'/user/group', user.GroupListHandler),
diff --git a/server/www/teleport/webroot/app/controller/user.py b/server/www/teleport/webroot/app/controller/user.py
old mode 100644
new mode 100755
index 6085f70..4704179
--- a/server/www/teleport/webroot/app/controller/user.py
+++ b/server/www/teleport/webroot/app/controller/user.py
@@ -144,7 +144,12 @@ class DoVerifyUserHandler(TPBaseJsonHandler):
except:
return self.write_json(TPE_PARAM)
- err, user_info = user.login(self, username, password=password)
+ try:
+ check_bind_oath = args['check_bind_oath']
+ except:
+ check_bind_oath = False
+
+ err, user_info = user.login(self, username, password=password, check_bind_oath=check_bind_oath)
if err != TPE_OK:
if err == TPE_NOT_EXISTS:
err = TPE_USER_AUTH
@@ -190,6 +195,28 @@ class DoBindOathHandler(TPBaseJsonHandler):
return self.write_json(TPE_OK)
+class DoUnBindOathHandler(TPBaseJsonHandler):
+ def post(self):
+ ret = self.check_privilege(TP_PRIVILEGE_USER_DELETE)
+ if ret != TPE_OK:
+ return
+
+ args = self.get_argument('args', None)
+ if args is None:
+ return self.write_json(TPE_PARAM)
+ try:
+ args = json.loads(args)
+ except:
+ return self.write_json(TPE_JSON_FORMAT)
+
+ try:
+ users = args['users']
+ except:
+ return self.write_json(TPE_PARAM)
+
+ # 鎶妎ath璁剧疆涓虹┖灏辨槸鍘绘帀oath楠岃瘉
+ err = user.update_oath_secret(self, users, '')
+ self.write_json(err)
class OathSecretQrCodeHandler(TPBaseHandler):
def get(self):
@@ -752,6 +779,11 @@ class DoResetPasswordHandler(TPBaseJsonHandler):
if mode == 4 and err == TPE_OK:
user.remove_reset_token(token)
+ # 闈炵敤鎴疯嚜琛屼慨鏀瑰瘑鐮佺殑鎯呭喌锛岄兘榛樿閲嶇疆韬唤璁よ瘉
+ if mode != 5 and err == TPE_OK:
+ print("reset oath secret")
+ user.update_oath_secret(self, user_id, '')
+
self.write_json(err)
else:
diff --git a/server/www/teleport/webroot/app/model/user.py b/server/www/teleport/webroot/app/model/user.py
old mode 100644
new mode 100755
index 0124d63..24d9d9e
--- a/server/www/teleport/webroot/app/model/user.py
+++ b/server/www/teleport/webroot/app/model/user.py
@@ -49,7 +49,7 @@ def get_by_username(username):
return TPE_OK, s.recorder[0]
-def login(handler, username, password=None, oath_code=None):
+def login(handler, username, password=None, oath_code=None, check_bind_oath=False):
sys_cfg = tp_cfg().sys
err, user_info = get_by_username(username)
@@ -62,6 +62,10 @@ def login(handler, username, password=None, oath_code=None):
# 灏氭湭涓烘鐢ㄦ埛璁剧疆瑙掕壊
return TPE_PRIVILEGE, None
+ if check_bind_oath == True and len(user_info['oath_secret']) != 0:
+ return TPE_OATH_ALREADY_BIND, None
+
+
if user_info['state'] == TP_STATE_LOCKED:
# 鐢ㄦ埛宸茬粡琚攣瀹氾紝濡傛灉绯荤粺閰嶇疆涓轰竴瀹氭椂闂村悗鑷姩瑙i攣锛屽垯鏇存柊涓涓嬬敤鎴蜂俊鎭
if sys_cfg.login.lock_timeout != 0:
diff --git a/version.in b/version.in
index dc28807..ebf3e4a 100644
--- a/version.in
+++ b/version.in
@@ -14,6 +14,6 @@ Build 锛 鏋勫缓鍙枫傛瀯寤哄彿鐢ㄤ簬琛ㄦ槑姝ょ増鏈彂甯冧箣鍓嶈繘琛屼簡澶氬皯
TP_SERVER 3.1.0.10 # 鏁翠釜鏈嶅姟绔墦鍖呯殑鐗堟湰
-TP_TPCORE 3.0.2.7 # 鏍稿績鏈嶅姟 tp_core 鐨勭増鏈
+TP_TPCORE 3.0.4.16 # 鏍稿績鏈嶅姟 tp_core 鐨勭増鏈
TP_TPWEB 3.1.0.10 # web鏈嶅姟 tp_web 鐨勭増鏈紙涓鑸櫎闈炲崌绾ython锛屽惁鍒欎笉浼氬彉鍖栵級
TP_ASSIST 3.0.1.6 # 鍔╂墜鐗堟湰