From 6485e33018338315b91175e7e209a4749af4d820 Mon Sep 17 00:00:00 2001 From: Apex Liu Date: Tue, 18 Sep 2018 02:46:41 +0800 Subject: [PATCH 1/9] compile on windows. --- external/libssh-win-static/include/config.h | 21 +++++++++---------- external/version.ini | 10 ++++----- server/tp_core/core/tp_core.vs2015.vcxproj | 1 + .../core/tp_core.vs2015.vcxproj.filters | 3 +++ .../protocol/telnet/tptelnet.vs2015.vcxproj | 2 +- .../telnet/tptelnet.vs2015.vcxproj.filters | 6 +++--- 6 files changed, 23 insertions(+), 20 deletions(-) diff --git a/external/libssh-win-static/include/config.h b/external/libssh-win-static/include/config.h index d4643f5..b18c7e1 100644 --- a/external/libssh-win-static/include/config.h +++ b/external/libssh-win-static/include/config.h @@ -6,15 +6,15 @@ #define PACKAGE "libssh" /* Version number of package */ -#define VERSION "0.7.4" +#define VERSION "0.7.5" /* #undef LOCALEDIR */ /* #undef DATADIR */ //#define LIBDIR "lib" //#define PLUGINDIR "plugins-4" /* #undef SYSCONFDIR */ -//#define BINARYDIR "E:/work/eomsoft/tmp/libssh/build" -//#define SOURCEDIR "E:/work/eomsoft/tmp/libssh" +//#define BINARYDIR "E:/work/tp4a/teleport/external/_download_/libssh-0.7.5/build" +//#define SOURCEDIR "E:/work/tp4a/teleport/external/_download_/libssh-0.7.5" /************************** HEADER FILES *************************/ 
@@ -81,28 +81,28 @@ /*************************** FUNCTIONS ***************************/ /* Define to 1 if you have the `EVP_aes128_ctr' function. */ -#define HAVE_OPENSSL_EVP_AES_CTR 1 +//#define HAVE_OPENSSL_EVP_AES_CTR 1 /* Define to 1 if you have the `EVP_aes128_cbc' function. */ -#define HAVE_OPENSSL_EVP_AES_CBC 1 +//#define HAVE_OPENSSL_EVP_AES_CBC 1 /* Define to 1 if you have the `snprintf' function. */ #define HAVE_SNPRINTF 1 /* Define to 1 if you have the `_snprintf' function. */ -/* #undef HAVE__SNPRINTF */ +#define HAVE__SNPRINTF 1 /* Define to 1 if you have the `_snprintf_s' function. */ -/* #undef HAVE__SNPRINTF_S */ +#define HAVE__SNPRINTF_S 1 /* Define to 1 if you have the `vsnprintf' function. */ #define HAVE_VSNPRINTF 1 /* Define to 1 if you have the `_vsnprintf' function. */ -/* #undef HAVE__VSNPRINTF */ +#define HAVE__VSNPRINTF 1 /* Define to 1 if you have the `_vsnprintf_s' function. */ -/* #undef HAVE__VSNPRINTF_S */ +#define HAVE__VSNPRINTF_S 1 /* Define to 1 if you have the `isblank' function. */ #define HAVE_ISBLANK 1 @@ -172,8 +172,7 @@ #define WITH_SFTP 1 /* Define to 1 if you want to enable SSH1 */ -/* #undef WITH_SSH1 */ -#define WITH_SSH1 +#define WITH_SSH1 1 /* Define to 1 if you want to enable server support */ #define WITH_SERVER 1 diff --git a/external/version.ini b/external/version.ini index 544e6fb..d9486fc 100644 --- a/external/version.ini +++ b/external/version.ini @@ -1,9 +1,9 @@ [external_ver] -openssl = 1.0.2h,1000208f -libuv = 1.18.0 -mbedtls = 2.6.1 -sqlite = 3170000 +openssl = 1.0.2p,1000210f +libuv = 1.23.0 +mbedtls = 2.12.0 +sqlite = 3250000 libssh = 0.7.5 jsoncpp = 0.10.6 -mongoose = 6.10 +mongoose = 6.12 diff --git a/server/tp_core/core/tp_core.vs2015.vcxproj b/server/tp_core/core/tp_core.vs2015.vcxproj index c0b36b9..fdcdae2 100644 --- a/server/tp_core/core/tp_core.vs2015.vcxproj +++ b/server/tp_core/core/tp_core.vs2015.vcxproj @@ -181,6 +181,7 @@ + 
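Review bot: Commenting out `HAVE_OPENSSL_EVP_AES_CTR` and `HAVE_OPENSSL_EVP_AES_CBC` in the @@ -81 hunk steers libssh away from OpenSSL's EVP AES interface even though version.ini in this same patch pins OpenSSL 1.0.2p, where `EVP_aes128_ctr`/`EVP_aes128_cbc` exist. Which fallback libssh 0.7.5 takes when these are undefined is not visible here, and this config.h is hand-edited rather than regenerated, so the reason belongs next to the change, e.g. `/* EVP AES disabled on purpose: <link error/reason>; re-enable once <condition> */`. If the only motivation was a link error against the static Windows OpenSSL, fixing the link inputs is preferable to abandoning the EVP path, which is also where AES-NI acceleration normally comes from.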
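Review bot: `#define WITH_SSH1 1` in the @@ -172 hunk keeps SSH protocol version 1 compiled into libssh, and because `#define WITH_SERVER 1` is set in the same hunk this covers the server role too. SSH-1 has well-known cryptographic weaknesses (CRC-32 integrity, the server-key/session-key scheme) and mainstream implementations removed it years ago; a bastion host has no reason to offer or accept it. The pre-image already had `#define WITH_SSH1`, so this is pre-existing rather than newly introduced, but rewriting the line is the moment to drop it: `/* #undef WITH_SSH1 */`. If one legacy target genuinely needs SSH-1, name it in a comment and gate the define behind an explicit build option instead of leaving it on for every build.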
diff --git a/server/tp_core/core/tp_core.vs2015.vcxproj.filters b/server/tp_core/core/tp_core.vs2015.vcxproj.filters index 4014d60..3d67ae0 100644 --- a/server/tp_core/core/tp_core.vs2015.vcxproj.filters +++ b/server/tp_core/core/tp_core.vs2015.vcxproj.filters @@ -109,6 +109,9 @@ main app + + mbedtls\library + diff --git a/server/tp_core/protocol/telnet/tptelnet.vs2015.vcxproj b/server/tp_core/protocol/telnet/tptelnet.vs2015.vcxproj index 01fa189..a5f9255 100644 --- a/server/tp_core/protocol/telnet/tptelnet.vs2015.vcxproj +++ b/server/tp_core/protocol/telnet/tptelnet.vs2015.vcxproj @@ -142,6 +142,7 @@ + @@ -165,7 +166,6 @@ - diff --git a/server/tp_core/protocol/telnet/tptelnet.vs2015.vcxproj.filters b/server/tp_core/protocol/telnet/tptelnet.vs2015.vcxproj.filters index b48feb8..cbac275 100644 --- a/server/tp_core/protocol/telnet/tptelnet.vs2015.vcxproj.filters +++ b/server/tp_core/protocol/telnet/tptelnet.vs2015.vcxproj.filters @@ -244,9 +244,6 @@ libuv\src\win - - libuv\src\win - libuv\src\win @@ -316,5 +313,8 @@ jsoncpp + + libuv\src\win + \ No newline at end of file From e8e07c19e2678cccace081363aab8b250f89365f Mon Sep 17 00:00:00 2001 From: Apex Liu Date: Tue, 18 Sep 2018 20:47:42 +0800 Subject: [PATCH 2/9] temp. --- build/.idea/build.iml | 6 ++---- build/build-py-static.sh | 8 ++++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/build/.idea/build.iml b/build/.idea/build.iml index 4eda48f..0e65e9b 100644 --- a/build/.idea/build.iml +++ b/build/.idea/build.iml @@ -1,10 +1,8 @@ - - - - + + diff --git a/build/build-py-static.sh b/build/build-py-static.sh index 4edd4bd..7851103 100755 --- a/build/build-py-static.sh +++ b/build/build-py-static.sh 
@@ -5,9 +5,9 @@ ################################################################ VER_PYTHON="3.4.4" VER_PYTHON_SHORT="3.4" -VER_OPENSSL="1.0.2h" -VER_SQLITE="3170000" -VER_PSUTIL="4.2.0" +VER_OPENSSL="1.0.2p" +VER_SQLITE="3250000" +# VER_PSUTIL="4.2.0" VER_PYTHON_LIB="${VER_PYTHON_SHORT}m" ################################################################ @@ -78,7 +78,7 @@ function step_download_files() dlfile "python source tarball" "https://www.python.org/ftp/python/${VER_PYTHON}/" "Python-${VER_PYTHON}.tgz" ${PATH_DOWNLOAD} dlfile "openssl source tarball" "https://www.openssl.org/source/" "openssl-${VER_OPENSSL}.tar.gz" ${PATH_DOWNLOAD} - dlfile "sqlite source tarball" "http://sqlite.org/2017/" "sqlite-autoconf-${VER_SQLITE}.tar.gz" ${PATH_DOWNLOAD} + dlfile "sqlite source tarball" "http://sqlite.org/2018/" "sqlite-autoconf-${VER_SQLITE}.tar.gz" ${PATH_DOWNLOAD} # dlfile "psutil source tarball" "https://pypi.python.org/packages/source/p/psutil/" "psutil-${VER_PSUTIL}.tar.gz" ${PATH_DOWNLOAD} # https://pypi.python.org/pypi?:action=display&name=psutil#downloads From 9618204c76af68dc901393e92fea9d837835f403 Mon Sep 17 00:00:00 2001 From: Apex Lu Date: Tue, 18 Sep 2018 23:41:26 +0800 Subject: [PATCH 3/9] build on Linux now. --- .gitignore | 2 +- build/.idea/build.iml | 4 +++- build/builder/build-external.py | 26 ++++++++++++++++---------- 3 files changed, 20 insertions(+), 12 deletions(-) diff --git a/.gitignore b/.gitignore index 99c0d01..24b0232 100644 --- a/.gitignore +++ b/.gitignore @@ -28,9 +28,9 @@ __pycache__ **/.idea/modules.xml **/.idea/dictionaries **/.idea/watcherTasks.xml -**/.idea/codeStyleSettings.xml **/.idea/inspectionProfiles **/.idea/vcs.xml +**/.idea/codeStyles *.css.map diff --git a/build/.idea/build.iml b/build/.idea/build.iml index 0e65e9b..14585d1 100644 --- a/build/.idea/build.iml +++ b/build/.idea/build.iml @@ -1,7 +1,9 @@ - + + + diff --git a/build/builder/build-external.py b/build/builder/build-external.py index 8eb1da1..bda74b6 100644 
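Review bot: The sqlite tarball in the second hunk is still fetched over plain HTTP (`http://sqlite.org/2018/`) and nothing in the hunk checks a digest, so anyone on the network path can swap the archive that ends up compiled into the static Python; the OpenSSL line directly above already uses HTTPS. Change it to `https://sqlite.org/2018/` and have `dlfile` (defined outside this hunk) verify a pinned SHA3-256 or SHA-256 for `sqlite-autoconf-3250000.tar.gz` before unpacking, failing the build on mismatch. If `dlfile` does not verify anything today, the Python and OpenSSL downloads need the same treatment. `step_download_files` continues outside the hunk.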
--- a/build/builder/build-external.py +++ b/build/builder/build-external.py @@ -43,13 +43,15 @@ class BuilderBase: def build_openssl(self): file_name = 'openssl-{}.zip'.format(env.ver_openssl) - _alt_ver = '_'.join(env.ver_openssl.split('.')) - if not utils.download_file('openssl source tarball', 'https://github.com/openssl/openssl/archive/OpenSSL_{}.zip'.format(_alt_ver), PATH_DOWNLOAD, file_name): - return self._build_openssl(file_name) def _build_openssl(self, file_name): - cc.e("this is a pure-virtual function.") + _alt_ver = '_'.join(env.ver_openssl.split('.')) + if not utils.download_file('openssl source tarball', 'https://github.com/openssl/openssl/archive/OpenSSL_{}.zip'.format(_alt_ver), PATH_DOWNLOAD, file_name): + return False + else: + return True + # cc.e("this is a pure-virtual function.") def build_libuv(self): file_name = 'libuv-{}.zip'.format(env.ver_libuv) @@ -127,6 +129,10 @@ class BuilderWin(BuilderBase): def _build_openssl(self, file_name): cc.n('build openssl static library from source code... ', end='') + + if not super()._build_openssl(file_name): + return + _chk_output = [ os.path.join(self.OPENSSL_PATH_SRC, 'out32', 'libeay32.lib'), os.path.join(self.OPENSSL_PATH_SRC, 'out32', 'ssleay32.lib'), 
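Review bot: After the @@ -43 hunk `BuilderBase._build_openssl` no longer builds anything, it downloads and returns a bool, while `build_openssl` still ends with a bare `self._build_openssl(file_name)` and discards that result, so a failed download is only as visible as whatever `utils.download_file` prints. Moving the download into the overridable method also means any subclass override that forgets `super()._build_openssl(file_name)` silently skips it; the Windows override calls it, the Linux and macOS ones are outside this hunk and I cannot tell. Keep the download as a guarded step in the caller (`if not self._download_openssl(file_name): return False`) or at least `return self._build_openssl(file_name)` so failure propagates, and delete the dead `# cc.e("this is a pure-virtual function.")` line instead of carrying it as a comment.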
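Review bot: The new guard `if not super()._build_openssl(file_name): return` in the @@ -127 hunk of `BuilderWin._build_openssl` returns `None` without any message, right after `cc.n('build openssl static library from source code... ', end='')` has printed a status line with no newline, so a download failure leaves a dangling prompt and the outer build proceeds as though OpenSSL were ready. Report it explicitly and make it observable, e.g. `cc.e('download openssl source failed.'); return False`, and have the caller act on the return value. The rest of the method continues outside the hunk.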
@@ -233,8 +239,8 @@ class BuilderWin(BuilderBase): # fix source file utils.ensure_file_exists(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'include', 'mbedtls', 'config.h')) utils.copy_file(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'include', 'mbedtls'), os.path.join(self.MBEDTLS_PATH_SRC, 'include', 'mbedtls'), 'config.h') - utils.ensure_file_exists(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'library', 'rsa.c')) - utils.copy_file(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'library'), os.path.join(self.MBEDTLS_PATH_SRC, 'library'), 'rsa.c') + # utils.ensure_file_exists(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'library', 'rsa.c')) + # utils.copy_file(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'library'), os.path.join(self.MBEDTLS_PATH_SRC, 'library'), 'rsa.c') def _build_libuv(self, file_name): cc.n('prepare libuv source code... ', end='') @@ -390,8 +396,8 @@ class BuilderLinux(BuilderBase): # fix source file utils.ensure_file_exists(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'include', 'mbedtls', 'config.h')) utils.copy_file(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'include', 'mbedtls'), os.path.join(self.MBEDTLS_PATH_SRC, 'include', 'mbedtls'), 'config.h') - utils.ensure_file_exists(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'library', 'rsa.c')) - utils.copy_file(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'library'), os.path.join(self.MBEDTLS_PATH_SRC, 'library'), 'rsa.c') + # utils.ensure_file_exists(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'library', 'rsa.c')) + # utils.copy_file(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'library'), os.path.join(self.MBEDTLS_PATH_SRC, 'library'), 'rsa.c') old_p = os.getcwd() os.chdir(self.MBEDTLS_PATH_SRC) 
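Review bot: The two lines that copied `fix-external/mbedtls/library/rsa.c` over the mbedtls source are commented out rather than removed, here for `BuilderWin`, again for `BuilderLinux` in the next hunk, and for `BuilderMacOS` in the following one. Presumably that rsa.c was a local fix against mbedtls 2.6.1 that 2.12.0 (now pinned in version.ini) already carries; if so, delete the four lines and the stale `external/fix-external/mbedtls/library/rsa.c` file itself, because a 2.6.1-era rsa.c left in the tree invites someone to re-enable the copy over 2.12.0 and silently downgrade the RSA implementation. If the local patch is still needed, rebase it onto 2.12.0 and keep the copy active instead of half-disabling it.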
@@ -618,8 +624,8 @@ class BuilderMacOS(BuilderBase): # fix source file utils.ensure_file_exists(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'include', 'mbedtls', 'config.h')) utils.copy_file(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'include', 'mbedtls'), os.path.join(self.MBEDTLS_PATH_SRC, 'include', 'mbedtls'), 'config.h') - utils.ensure_file_exists(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'library', 'rsa.c')) - utils.copy_file(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'library'), os.path.join(self.MBEDTLS_PATH_SRC, 'library'), 'rsa.c') + # utils.ensure_file_exists(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'library', 'rsa.c')) + # utils.copy_file(os.path.join(PATH_EXTERNAL, 'fix-external', 'mbedtls', 'library'), os.path.join(self.MBEDTLS_PATH_SRC, 'library'), 'rsa.c') old_p = os.getcwd() os.chdir(self.MBEDTLS_PATH_SRC) From 3db03008d64b7a0a69694d465c5590655d375dfa Mon Sep 17 00:00:00 2001 From: Apex Lu Date: Wed, 19 Sep 2018 02:04:34 +0800 Subject: [PATCH 4/9] try to fix telnet issues. --- build/builder/core/ver.py | 6 +- .../mbedtls/include/mbedtls/config.h | 470 ++++++++++++++++-- server/.idea/encodings.xml | 2 + server/tp_core/core/CMakeLists.txt | 2 +- server/tp_core/core/tp_core.rc | Bin 5176 -> 5184 bytes server/tp_core/core/ts_http_client.cpp | 34 +- server/tp_core/core/ts_ver.h | 12 +- .../protocol/telnet/telnet_session.cpp | 5 +- server/tp_web/src/ts_ver.h | 12 +- server/www/teleport/webroot/app/app_ver.py | 4 +- version.in | 8 +- 11 files changed, 477 insertions(+), 78 deletions(-) mode change 100644 => 100755 external/fix-external/mbedtls/include/mbedtls/config.h diff --git a/build/builder/core/ver.py b/build/builder/core/ver.py index b65d08a..846836c 100644 --- a/build/builder/core/ver.py +++ b/build/builder/core/ver.py 
@@ -1,3 +1,3 @@ -# -*- coding: utf8 -*- -VER_TP_SERVER = "3.0.2.9" -VER_TP_ASSIST = "3.0.1.6" +# -*- coding: utf8 -*- +VER_TP_SERVER = "3.0.3.11" +VER_TP_ASSIST = "3.0.1.6" diff --git a/external/fix-external/mbedtls/include/mbedtls/config.h b/external/fix-external/mbedtls/include/mbedtls/config.h old mode 100644 new mode 100755 index 846fd52..5e64d18 --- a/external/fix-external/mbedtls/include/mbedtls/config.h +++ b/external/fix-external/mbedtls/include/mbedtls/config.h @@ -1,14 +1,14 @@ /** * \file config.h - #### v2.6.1 * * \brief Configuration options (set of defines) * * This set of compile-time options may be used to enable * or disable features selectively, and reduce the global * memory footprint. - * - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + */ +/* + * Copyright (C) 2006-2018, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -48,10 +48,14 @@ * Requires support for asm() in compiler. * * Used in: + * library/aria.c * library/timing.c - * library/padlock.c * include/mbedtls/bn_mul.h * + * Required by: + * MBEDTLS_AESNI_C + * MBEDTLS_PADLOCK_C + * * Comment to disable the use of assembly code. */ #define MBEDTLS_HAVE_ASM 
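Review bot: The file header for `external/fix-external/mbedtls/include/mbedtls/config.h` shows `old mode 100644 new mode 100755`, so the vendored config override is now executable; a C header should not carry the execute bit and it will keep showing up in future diffs. Clear it with `git update-index --chmod=-x external/fix-external/mbedtls/include/mbedtls/config.h`. The @@ -1,14 hunk also drops the `#### v2.6.1` marker that recorded which upstream default config this override was derived from; keep a one-line replacement such as `/* teleport: based on mbed TLS 2.12.0 default config.h */` so the next upgrade knows what to diff against.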
@@ -84,6 +88,28 @@ */ //#define MBEDTLS_NO_UDBL_DIVISION +/** + * \def MBEDTLS_NO_64BIT_MULTIPLICATION + * + * The platform lacks support for 32x32 -> 64-bit multiplication. + * + * Used in: + * library/poly1305.c + * + * Some parts of the library may use multiplication of two unsigned 32-bit + * operands with a 64-bit result in order to speed up computations. On some + * platforms, this is not available in hardware and has to be implemented in + * software, usually in a library provided by the toolchain. + * + * Sometimes it is not desirable to have to link to that library. This option + * removes the dependency of that library on platforms that lack a hardware + * 64-bit multiplier by embedding a software implementation in Mbed TLS. + * + * Note that depending on the compiler, this may decrease performance compared + * to using the library function provided by the toolchain. + */ +//#define MBEDTLS_NO_64BIT_MULTIPLICATION + /** * \def MBEDTLS_HAVE_SSE2 * 
@@ -262,20 +288,38 @@ * * Uncomment a macro to enable alternate implementation of the corresponding * module. + * + * \warning MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their + * use constitutes a security risk. If possible, we recommend + * avoiding dependencies on them, and considering stronger message + * digests and ciphers instead. + * */ //#define MBEDTLS_AES_ALT //#define MBEDTLS_ARC4_ALT +//#define MBEDTLS_ARIA_ALT //#define MBEDTLS_BLOWFISH_ALT //#define MBEDTLS_CAMELLIA_ALT +//#define MBEDTLS_CCM_ALT +//#define MBEDTLS_CHACHA20_ALT +//#define MBEDTLS_CHACHAPOLY_ALT +//#define MBEDTLS_CMAC_ALT //#define MBEDTLS_DES_ALT -//#define MBEDTLS_XTEA_ALT +//#define MBEDTLS_DHM_ALT +//#define MBEDTLS_ECJPAKE_ALT +//#define MBEDTLS_GCM_ALT +//#define MBEDTLS_NIST_KW_ALT //#define MBEDTLS_MD2_ALT //#define MBEDTLS_MD4_ALT //#define MBEDTLS_MD5_ALT +//#define MBEDTLS_POLY1305_ALT //#define MBEDTLS_RIPEMD160_ALT +//#define MBEDTLS_RSA_ALT //#define MBEDTLS_SHA1_ALT //#define MBEDTLS_SHA256_ALT //#define MBEDTLS_SHA512_ALT +//#define MBEDTLS_XTEA_ALT + /* * When replacing the elliptic curve module, pleace consider, that it is * implemented with two .c files: @@ -315,6 +359,12 @@ * * Uncomment a macro to enable alternate implementation of the corresponding * function. + * + * \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use + * constitutes a security risk. If possible, we recommend avoiding + * dependencies on them, and considering stronger message digests + * and ciphers instead. + * */ //#define MBEDTLS_MD2_PROCESS_ALT //#define MBEDTLS_MD4_PROCESS_ALT @@ -330,6 +380,11 @@ //#define MBEDTLS_AES_SETKEY_DEC_ALT //#define MBEDTLS_AES_ENCRYPT_ALT //#define MBEDTLS_AES_DECRYPT_ALT +//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT +//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT +//#define MBEDTLS_ECDSA_VERIFY_ALT +//#define MBEDTLS_ECDSA_SIGN_ALT +//#define MBEDTLS_ECDSA_GENKEY_ALT /** * \def MBEDTLS_ECP_INTERNAL_ALT 
@@ -417,12 +472,45 @@ /** * \def MBEDTLS_AES_ROM_TABLES * - * Store the AES tables in ROM. + * Use precomputed AES tables stored in ROM. + * + * Uncomment this macro to use precomputed AES tables stored in ROM. + * Comment this macro to generate AES tables in RAM at runtime. + * + * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb + * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the + * initialization time before the first AES operation can be performed. + * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c + * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded + * performance if ROM access is slower than RAM access. + * + * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. * - * Uncomment this macro to store the AES tables in ROM. */ //#define MBEDTLS_AES_ROM_TABLES +/** + * \def MBEDTLS_AES_FEWER_TABLES + * + * Use less ROM/RAM for AES tables. + * + * Uncommenting this macro omits 75% of the AES tables from + * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES) + * by computing their values on the fly during operations + * (the tables are entry-wise rotations of one another). + * + * Tradeoff: Uncommenting this reduces the RAM / ROM footprint + * by ~6kb but at the cost of more arithmetic operations during + * runtime. Specifically, one has to compare 4 accesses within + * different tables to 4 accesses with additional arithmetic + * operations within the same table. The performance gain/loss + * depends on the system and memory details. + * + * This option is independent of \c MBEDTLS_AES_ROM_TABLES. + * + */ +//#define MBEDTLS_AES_FEWER_TABLES + /** * \def MBEDTLS_CAMELLIA_SMALL_MEMORY * 
@@ -453,6 +541,20 @@ */ #define MBEDTLS_CIPHER_MODE_CTR +/** + * \def MBEDTLS_CIPHER_MODE_OFB + * + * Enable Output Feedback mode (OFB) for symmetric ciphers. + */ +#define MBEDTLS_CIPHER_MODE_OFB + +/** + * \def MBEDTLS_CIPHER_MODE_XTS + * + * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES. + */ +#define MBEDTLS_CIPHER_MODE_XTS + /** * \def MBEDTLS_CIPHER_NULL_CIPHER * @@ -514,6 +616,9 @@ * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA * * Uncomment this macro to enable weak ciphersuites + * + * \warning DES is considered a weak cipher and its use constitutes a + * security risk. We recommend considering stronger ciphers instead. */ //#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES @@ -550,6 +655,7 @@ #define MBEDTLS_ECP_DP_BP384R1_ENABLED #define MBEDTLS_ECP_DP_BP512R1_ENABLED #define MBEDTLS_ECP_DP_CURVE25519_ENABLED +#define MBEDTLS_ECP_DP_CURVE448_ENABLED /** * \def MBEDTLS_ECP_NIST_OPTIM @@ -619,6 +725,13 @@ * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA + * + * \warning Using DHE constitutes a security risk as it + * is not possible to validate custom DH parameters. + * If possible, it is recommended users should consider + * preferring other methods of key exchange. + * See dhm.h for more details. + * */ #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED @@ -640,7 +753,7 @@ * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA */ -//#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED /** * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED 
@@ -718,6 +831,13 @@ * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA + * + * \warning Using DHE constitutes a security risk as it + * is not possible to validate custom DH parameters. + * If possible, it is recommended users should consider + * preferring other methods of key exchange. + * See dhm.h for more details. + * */ #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED @@ -744,7 +864,7 @@ * MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA */ -//#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED /** * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED @@ -768,7 +888,7 @@ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */ -//#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED /** * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED @@ -792,7 +912,7 @@ * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */ -//#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED /** * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED @@ -816,7 +936,7 @@ * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */ -//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED /** * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED @@ -1009,7 +1129,8 @@ /** * \def MBEDTLS_RSA_NO_CRT * - * Do not use the Chinese Remainder Theorem for the RSA private operation. + * Do not use the Chinese Remainder Theorem + * for the RSA private operation. * * Uncomment this macro to disable the use of CRT in RSA. * 
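Review bot: Besides the ephemeral `MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED` and `ECDHE_ECDSA_ENABLED`, the @@ -792 and @@ -816 hunks also switch on the static `MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED` and `MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED`, whose suites derive the session key from the certificate's long-term key and so provide no forward secrecy. Unless a specific peer offers only ECDH-* suites, leave those two as `//#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED` and `//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED` so the ECDHE suites remain the only EC key exchanges. Note that the suite lists in these hunks include `_3DES_EDE_CBC_SHA` and `_RC4_128_SHA` variants, which become live because `MBEDTLS_DES_C` and `MBEDTLS_ARC4_C` stay defined further down in this file.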
@@ -1053,6 +1174,17 @@ */ #define MBEDTLS_SSL_ALL_ALERT_MESSAGES +/** + * \def MBEDTLS_SSL_ASYNC_PRIVATE + * + * Enable asynchronous external private key operations in SSL. This allows + * you to configure an SSL connection to call an external cryptographic + * module to perform private key operations instead of performing the + * operation inside the library. + * + */ +//#define MBEDTLS_SSL_ASYNC_PRIVATE + /** * \def MBEDTLS_SSL_DEBUG_ALL * @@ -1156,8 +1288,15 @@ * misuse/misunderstand. * * Comment this to disable support for renegotiation. + * + * \note Even if this option is disabled, both client and server are aware + * of the Renegotiation Indication Extension (RFC 5746) used to + * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1). + * (See \c mbedtls_ssl_conf_legacy_renegotiation for the + * configuration of this extension). + * */ -//#define MBEDTLS_SSL_RENEGOTIATION +#define MBEDTLS_SSL_RENEGOTIATION /** * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO @@ -1198,7 +1337,7 @@ * * Comment this macro to disable support for SSL 3.0 */ -#define MBEDTLS_SSL_PROTO_SSL3 +//#define MBEDTLS_SSL_PROTO_SSL3 /** * \def MBEDTLS_SSL_PROTO_TLS1 
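Review bot: `#define MBEDTLS_SSL_RENEGOTIATION` in the @@ -1156 hunk turns renegotiation support on, directly under the upstream text calling it easy to "misuse/misunderstand", and the commit message does not say what needs it. If nothing does, keep `//#define MBEDTLS_SSL_RENEGOTIATION`: the code path and the client-initiated renegotiation DoS surface disappear entirely. If it is required, say why in a comment and make sure the server configuration leaves it off at runtime (`mbedtls_ssl_conf_renegotiation(&conf, MBEDTLS_SSL_RENEGOTIATION_DISABLED)`, which I believe is the library default but is worth confirming) and does not relax `mbedtls_ssl_conf_legacy_renegotiation`. Disabling `MBEDTLS_SSL_PROTO_SSL3` in the next hunk is the right call.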
@@ -1364,6 +1503,30 @@ */ #define MBEDTLS_SSL_TRUNCATED_HMAC +/** + * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT + * + * Fallback to old (pre-2.7), non-conforming implementation of the truncated + * HMAC extension which also truncates the HMAC key. Note that this option is + * only meant for a transitory upgrade period and is likely to be removed in + * a future version of the library. + * + * \warning The old implementation is non-compliant and has a security weakness + * (2^80 brute force attack on the HMAC key used for a single, + * uninterrupted connection). This should only be enabled temporarily + * when (1) the use of truncated HMAC is essential in order to save + * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use + * the fixed implementation yet (pre-2.7). + * + * \deprecated This option is deprecated and will likely be removed in a + * future version of Mbed TLS. + * + * Uncomment to fallback to old, non-compliant truncated HMAC implementation. + * + * Requires: MBEDTLS_SSL_TRUNCATED_HMAC + */ +//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT + /** * \def MBEDTLS_THREADING_ALT * @@ -1470,6 +1633,9 @@ * * \note Currently compression can't be used with DTLS. * + * \deprecated This feature is deprecated and will be removed + * in the next major revision of the library. + * * Used in: library/ssl_tls.c * library/ssl_cli.c * library/ssl_srv.c @@ -1508,7 +1674,7 @@ * Enable the AES block cipher. * * Module: library/aes.c - * Caller: library/ssl_tls.c + * Caller: library/cipher.c * library/pem.c * library/ctr_drbg.c * @@ -1583,7 +1749,7 @@ * Enable the ARCFOUR stream cipher. * * Module: library/arc4.c - * Caller: library/ssl_tls.c + * Caller: library/cipher.c * * This module enables the following ciphersuites (if other requisites are * enabled as well): 
@@ -1597,6 +1763,11 @@ * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA + * + * \warning ARC4 is considered a weak cipher and its use constitutes a + * security risk. If possible, we recommend avoidng dependencies on + * it, and considering stronger ciphers instead. + * */ #define MBEDTLS_ARC4_C @@ -1626,7 +1797,7 @@ * library/x509write_crt.c * library/x509write_csr.c */ -//#define MBEDTLS_ASN1_WRITE_C +#define MBEDTLS_ASN1_WRITE_C /** * \def MBEDTLS_BASE64_C @@ -1650,6 +1821,7 @@ * library/ecp.c * library/ecdsa.c * library/rsa.c + * library/rsa_internal.c * library/ssl_tls.c * * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support. @@ -1671,7 +1843,7 @@ * Enable the Camellia block cipher. * * Module: library/camellia.c - * Caller: library/ssl_tls.c + * Caller: library/cipher.c * * This module enables the following ciphersuites (if other requisites are * enabled as well): 
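Review bot: `#define MBEDTLS_ARC4_C` stays enabled in this hunk even as the newly added warning right above it declares RC4 weak, and the ECDHE/ECDH key exchanges enabled elsewhere in this patch add more `_WITH_RC4_128_SHA` suites to the compiled set. Whether those suites are offered by default depends on `MBEDTLS_REMOVE_ARC4_CIPHERSUITES`, which is outside the visible hunks; the cleaner change is `//#define MBEDTLS_ARC4_C` if nothing in tp_core uses RC4 outside TLS, otherwise confirm that macro is defined and note it here. The same question applies to `MBEDTLS_DES_C`, which remains defined in a later hunk and keeps the 3DES suites available.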
@@ -1718,7 +1890,59 @@ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */ -//#define MBEDTLS_CAMELLIA_C +#define MBEDTLS_CAMELLIA_C + +/** + * \def MBEDTLS_ARIA_C + * + * Enable the ARIA block cipher. + * + * Module: library/aria.c + * Caller: library/cipher.c + * + * This module enables the following ciphersuites (if other requisites are + * enabled as well): + * + * MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 + * MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 + * 
MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 + */ +//#define MBEDTLS_ARIA_C /** * \def MBEDTLS_CCM_C @@ -1732,7 +1956,7 @@ * This module enables the AES-CCM ciphersuites, if other requisites are * enabled as well. */ -//#define MBEDTLS_CCM_C +#define MBEDTLS_CCM_C /** * \def MBEDTLS_CERTS_C @@ -1746,6 +1970,26 @@ */ #define MBEDTLS_CERTS_C +/** + * \def MBEDTLS_CHACHA20_C + * + * Enable the ChaCha20 stream cipher. + * + * Module: library/chacha20.c + */ +#define MBEDTLS_CHACHA20_C + +/** + * \def MBEDTLS_CHACHAPOLY_C + * + * Enable the ChaCha20-Poly1305 AEAD algorithm. + * + * Module: library/chachapoly.c + * + * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C + */ +#define MBEDTLS_CHACHAPOLY_C + /** * \def MBEDTLS_CIPHER_C * @@ -1806,7 +2050,7 @@ * * Module: library/des.c * Caller: library/pem.c - * library/ssl_tls.c + * library/cipher.c * * This module enables the following ciphersuites (if other requisites are * enabled as well): @@ -1822,6 +2066,9 @@ * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA * * PEM_PARSE uses DES/3DES for decrypting encrypted keys. + * + * \warning DES is considered a weak cipher and its use constitutes a + * security risk. We recommend considering stronger ciphers instead. */ #define MBEDTLS_DES_C @@ -1836,6 +2083,13 @@ * * This module is used by the following key exchanges: * DHE-RSA, DHE-PSK + * + * \warning Using DHE constitutes a security risk as it + * is not possible to validate custom DH parameters. + * If possible, it is recommended users should consider + * preferring other methods of key exchange. + * See dhm.h for more details. + * */ #define MBEDTLS_DHM_C 
@@ -1853,7 +2107,7 @@ * * Requires: MBEDTLS_ECP_C */ -//#define MBEDTLS_ECDH_C +#define MBEDTLS_ECDH_C /** * \def MBEDTLS_ECDSA_C @@ -1868,7 +2122,7 @@ * * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C */ -//#define MBEDTLS_ECDSA_C +#define MBEDTLS_ECDSA_C /** * \def MBEDTLS_ECJPAKE_C @@ -1901,7 +2155,7 @@ * * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED */ -//#define MBEDTLS_ECP_C +#define MBEDTLS_ECP_C /** * \def MBEDTLS_ENTROPY_C @@ -1941,7 +2195,7 @@ * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other * requisites are enabled as well. */ -//#define MBEDTLS_GCM_C +#define MBEDTLS_GCM_C /** * \def MBEDTLS_HAVEGE_C @@ -1966,6 +2220,21 @@ */ //#define MBEDTLS_HAVEGE_C +/** + * \def MBEDTLS_HKDF_C + * + * Enable the HKDF algorithm (RFC 5869). + * + * Module: library/hkdf.c + * Caller: + * + * Requires: MBEDTLS_MD_C + * + * This module adds support for the Hashed Message Authentication Code + * (HMAC)-based key derivation function (HKDF). + */ +#define MBEDTLS_HKDF_C + /** * \def MBEDTLS_HMAC_DRBG_C * @@ -1980,6 +2249,19 @@ */ #define MBEDTLS_HMAC_DRBG_C +/** + * \def MBEDTLS_NIST_KW_C + * + * Enable the Key Wrapping mode for 128-bit block ciphers, + * as defined in NIST SP 800-38F. Only KW and KWP modes + * are supported. At the moment, only AES is approved by NIST. + * + * Module: library/nist_kw.c + * + * Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C + */ +//#define MBEDTLS_NIST_KW_C + /** * \def MBEDTLS_MD_C * @@ -2001,6 +2283,11 @@ * Caller: * * Uncomment to enable support for (rare) MD2-signed X.509 certs. + * + * \warning MD2 is considered a weak message digest and its use constitutes a + * security risk. If possible, we recommend avoiding dependencies on + * it, and considering stronger message digests instead. + * */ //#define MBEDTLS_MD2_C 
@@ -2013,6 +2300,11 @@ * Caller: * * Uncomment to enable support for (rare) MD4-signed X.509 certs. + * + * \warning MD4 is considered a weak message digest and its use constitutes a + * security risk. If possible, we recommend avoiding dependencies on + * it, and considering stronger message digests instead. + * */ //#define MBEDTLS_MD4_C @@ -2026,8 +2318,15 @@ * library/pem.c * library/ssl_tls.c * - * This module is required for SSL/TLS and X.509. - * PEM_PARSE uses MD5 for decrypting encrypted keys. + * This module is required for SSL/TLS up to version 1.1, and for TLS 1.2 + * depending on the handshake parameters. Further, it is used for checking + * MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded + * encrypted keys. + * + * \warning MD5 is considered a weak message digest and its use constitutes a + * security risk. If possible, we recommend avoiding dependencies on + * it, and considering stronger message digests instead. + * */ #define MBEDTLS_MD5_C @@ -2135,7 +2434,7 @@ * * This modules adds support for encoding / writing PEM files. */ -//#define MBEDTLS_PEM_WRITE_C +#define MBEDTLS_PEM_WRITE_C /** * \def MBEDTLS_PK_C @@ -2180,7 +2479,7 @@ * * Uncomment to enable generic public key write functions. */ -//#define MBEDTLS_PK_WRITE_C +#define MBEDTLS_PK_WRITE_C /** * \def MBEDTLS_PKCS5_C @@ -2246,6 +2545,16 @@ */ #define MBEDTLS_PLATFORM_C +/** + * \def MBEDTLS_POLY1305_C + * + * Enable the Poly1305 MAC algorithm. + * + * Module: library/poly1305.c + * Caller: library/chachapoly.c + */ +#define MBEDTLS_POLY1305_C + /** * \def MBEDTLS_RIPEMD160_C * @@ -2255,7 +2564,7 @@ * Caller: library/md.c * */ -//#define MBEDTLS_RIPEMD160_C +#define MBEDTLS_RIPEMD160_C /** * \def MBEDTLS_RSA_C @@ -2263,6 +2572,7 @@ * Enable the RSA public-key cryptosystem. * * Module: library/rsa.c + * library/rsa_internal.c * Caller: library/ssl_cli.c * library/ssl_srv.c * library/ssl_tls.c 
@@ -2289,6 +2599,11 @@ * * This module is required for SSL/TLS up to version 1.1, for TLS 1.2 * depending on the handshake parameters, and for SHA1-signed certificates. + * + * \warning SHA-1 is considered a weak message digest and its use constitutes + * a security risk. If possible, we recommend avoiding dependencies + * on it, and considering stronger message digests instead. + * */ #define MBEDTLS_SHA1_C @@ -2517,7 +2832,7 @@ * * This module is used for reading X.509 certificate request. */ -//#define MBEDTLS_X509_CSR_PARSE_C +#define MBEDTLS_X509_CSR_PARSE_C /** * \def MBEDTLS_X509_CREATE_C @@ -2530,7 +2845,7 @@ * * This module is the basis for creating X.509 certificates and CSRs. */ -//#define MBEDTLS_X509_CREATE_C +#define MBEDTLS_X509_CREATE_C /** * \def MBEDTLS_X509_CRT_WRITE_C @@ -2543,7 +2858,7 @@ * * This module is required for X.509 certificate creation. */ -//#define MBEDTLS_X509_CRT_WRITE_C +#define MBEDTLS_X509_CRT_WRITE_C /** * \def MBEDTLS_X509_CSR_WRITE_C @@ -2556,7 +2871,7 @@ * * This module is required for X.509 certificate request writing. */ -//#define MBEDTLS_X509_CSR_WRITE_C +#define MBEDTLS_X509_CSR_WRITE_C /** * \def MBEDTLS_XTEA_C @@ -2641,7 +2956,7 @@ //#define MBEDTLS_PLATFORM_FPRINTF_MACRO fprintf /**< Default fprintf macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_PRINTF_MACRO printf /**< Default printf macro to use, can be undefined */ /* Note: your snprintf must correclty zero-terminate the buffer! */ -#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */ +//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf /**< Default snprintf macro to use, can be undefined */ //#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */ //#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */ 
@@ -2650,7 +2965,51 @@ //#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /**< Maximum entries in cache */ /* SSL options */ -//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */ + +/** \def MBEDTLS_SSL_MAX_CONTENT_LEN + * + * Maximum fragment length in bytes. + * + * Determines the size of both the incoming and outgoing TLS I/O buffers. + * + * Uncommenting MBEDTLS_SSL_IN_CONTENT_LEN and/or MBEDTLS_SSL_OUT_CONTENT_LEN + * will override this length by setting maximum incoming and/or outgoing + * fragment length, respectively. + */ +//#define MBEDTLS_SSL_MAX_CONTENT_LEN 16384 + +/** \def MBEDTLS_SSL_IN_CONTENT_LEN + * + * Maximum incoming fragment length in bytes. + * + * Uncomment to set the size of the inward TLS buffer independently of the + * outward buffer. + */ +//#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 + +/** \def MBEDTLS_SSL_OUT_CONTENT_LEN + * + * Maximum outgoing fragment length in bytes. + * + * Uncomment to set the size of the outward TLS buffer independently of the + * inward buffer. + * + * It is possible to save RAM by setting a smaller outward buffer, while keeping + * the default inward 16384 byte buffer to conform to the TLS specification. + * + * The minimum required outward buffer size is determined by the handshake + * protocol's usage. Handshaking will fail if the outward buffer is too small. + * The specific size requirement depends on the configured ciphers and any + * certificate data which is sent during the handshake. + * + * For absolute minimum RAM usage, it's best to enable + * MBEDTLS_SSL_MAX_FRAGMENT_LENGTH and reduce MBEDTLS_SSL_MAX_CONTENT_LEN. This + * reduces both incoming and outgoing buffer sizes. However this is only + * guaranteed if the other end of the connection also supports the TLS + * max_fragment_len extension. Otherwise the connection may fail. 
+ */ +//#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 + //#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */ //#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */ //#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */ @@ -2677,8 +3036,13 @@ * Allow SHA-1 in the default TLS configuration for certificate signing. * Without this build-time option, SHA-1 support must be activated explicitly * through mbedtls_ssl_conf_cert_profile. Turning on this option is not - * recommended because of it is possible to generte SHA-1 collisions, however + * recommended because of it is possible to generate SHA-1 collisions, however * this may be safe for legacy infrastructure where additional controls apply. + * + * \warning SHA-1 is considered a weak message digest and its use constitutes + * a security risk. If possible, we recommend avoiding dependencies + * on it, and considering stronger message digests instead. + * */ // #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES 
@@ -2689,14 +3053,40 @@ * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by * default. At the time of writing, there is no practical attack on the use * of SHA-1 in handshake signatures, hence this option is turned on by default - * for compatibility with existing peers. + * to preserve compatibility with existing peers, but the general + * warning applies nonetheless: + * + * \warning SHA-1 is considered a weak message digest and its use constitutes + * a security risk. If possible, we recommend avoiding dependencies + * on it, and considering stronger message digests instead. + * */ #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE +/** + * Uncomment the macro to let mbed TLS use your alternate implementation of + * mbedtls_platform_zeroize(). This replaces the default implementation in + * platform_util.c. + * + * mbedtls_platform_zeroize() is a widely used function across the library to + * zero a block of memory. The implementation is expected to be secure in the + * sense that it has been written to prevent the compiler from removing calls + * to mbedtls_platform_zeroize() as part of redundant code elimination + * optimizations. However, it is difficult to guarantee that calls to + * mbedtls_platform_zeroize() will not be optimized by the compiler as older + * versions of the C language standards do not provide a secure implementation + * of memset(). Therefore, MBEDTLS_PLATFORM_ZEROIZE_ALT enables users to + * configure their own implementation of mbedtls_platform_zeroize(), for + * example by using directives specific to their compiler, features from newer + * C standards (e.g using memset_s() in C11) or calling a secure memset() from + * their system (e.g explicit_bzero() in BSD). 
+ */ +//#define MBEDTLS_PLATFORM_ZEROIZE_ALT + /* \} name SECTION: Customisation configuration options */ /* Target and application specific configurations */ -//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "mbedtls/target_config.h" +//#define YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE "target_config.h" #if defined(TARGET_LIKE_MBED) && defined(YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE) #include YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE diff --git a/server/.idea/encodings.xml b/server/.idea/encodings.xml index ab92e64..a8db1e0 100644 --- a/server/.idea/encodings.xml +++ b/server/.idea/encodings.xml @@ -30,6 +30,7 @@ + @@ -41,6 +42,7 @@ + diff --git a/server/tp_core/core/CMakeLists.txt b/server/tp_core/core/CMakeLists.txt index b75d135..d593b71 100644 --- a/server/tp_core/core/CMakeLists.txt +++ b/server/tp_core/core/CMakeLists.txt @@ -33,7 +33,7 @@ include_directories( ) IF (CMAKE_SYSTEM_NAME MATCHES "Linux") - set(CMAKE_EXE_LINKER_FLAGS "-export-dynamic") +# set(CMAKE_EXE_LINKER_FLAGS "-export-dynamic") include_directories( ../../../external/linux/release/include ) diff --git a/server/tp_core/core/tp_core.rc b/server/tp_core/core/tp_core.rc index db204840fea94f7aa31af4a8f797408f37cdb6b3..32404a7fc5a38239b0ec9a7b452d73323f7d7ae4 100644 GIT binary patch delta 70 zcmdm?aX@3k0uFX#1|0@N2E)lqIke$yc~0@oZ#a%H0R{BHlJ|KfCmZmHZGOW2jS(ie J`95zX8vuRq5(5AL delta 53 zcmX@0u|s3S0uEL~1|0^o$;&ykA*{_eIc_rnnR*Onn|E`oLYb3yb4zaGb6^7ihvE%; diff --git a/server/tp_core/core/ts_http_client.cpp b/server/tp_core/core/ts_http_client.cpp index be43bfc..fbb9c6b 100644 --- a/server/tp_core/core/ts_http_client.cpp +++ b/server/tp_core/core/ts_http_client.cpp @@ -53,7 +53,7 @@ static void ev_handler(struct mg_connection *nc, int ev, void *ev_data) break; case MG_EV_HTTP_REPLY: nc->flags |= MG_F_CLOSE_IMMEDIATELY; - hdata->exit_flag = true; + //hdata->exit_flag = true; hdata->body.assign(hm->body.p, hm->body.len); break; case MG_EV_CLOSE: 
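Review bot: With `hdata->exit_flag = true;` commented out in the MG_EV_HTTP_REPLY case, the poll loop in ts_http_get returns only when something else sets exit_flag, presumably the MG_EV_CLOSE case that lies outside this hunk. If the upstream server keeps the connection open after the reply (HTTP keep-alive), the caller blocks indefinitely, because neither this handler nor the loop has a deadline. If the intent is to wait for the body to be fully delivered before the close event, say so in a comment here, and consider bounding the wait, e.g. by counting polls in ts_http_get and setting `nc->flags |= MG_F_CLOSE_IMMEDIATELY;` once the budget is spent. ev_handler starts and ends outside the hunk.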
@@ -68,35 +68,41 @@ static void ev_handler(struct mg_connection *nc, int ev, void *ev_data) } } +static struct mg_mgr g_mg_mgr; +static bool is_mg_mgr_initialized = false; + bool ts_http_get(const ex_astr& url, ex_astr& body) { - struct mg_mgr mgr; - mg_mgr_init(&mgr, NULL); + if(!is_mg_mgr_initialized) { + mg_mgr_init(&g_mg_mgr, NULL); + is_mg_mgr_initialized = true; + } - mg_connection* nc = mg_connect_http(&mgr, ev_handler, url.c_str(), NULL, NULL); + mg_connection* nc = mg_connect_http(&g_mg_mgr, ev_handler, url.c_str(), NULL, NULL); if (NULL == nc) return false; - HTTP_DATA* hdata = new HTTP_DATA; - hdata->exit_flag = false; - hdata->have_error = false; + //HTTP_DATA* hdata = new HTTP_DATA; + HTTP_DATA hdata; + hdata.exit_flag = false; + hdata.have_error = false; - nc->user_data = hdata; + nc->user_data = &hdata; // int count = 0; - while (!hdata->exit_flag) + while (!hdata.exit_flag) { - mg_mgr_poll(&mgr, 100); + mg_mgr_poll(&g_mg_mgr, 100); // count++; // if (count > 2) // break; } - bool ret = !hdata->have_error; + bool ret = !hdata.have_error; if (ret) - body = hdata->body; + body = hdata.body; - delete hdata; - mg_mgr_free(&mgr); +// mg_mgr_free(&mgr); +// delete hdata; return ret; } diff --git a/server/tp_core/core/ts_ver.h b/server/tp_core/core/ts_ver.h index 09c2cec..60d5f59 100644 --- a/server/tp_core/core/ts_ver.h +++ b/server/tp_core/core/ts_ver.h @@ -1,6 +1,6 @@ -#ifndef __TS_SERVER_VER_H__ -#define __TS_SERVER_VER_H__ - -#define TP_SERVER_VER L"3.0.1.6" - -#endif // __TS_SERVER_VER_H__ +#ifndef __TS_SERVER_VER_H__ +#define __TS_SERVER_VER_H__ + +#define TP_SERVER_VER L"3.0.3.11" + +#endif // __TS_SERVER_VER_H__ diff --git a/server/tp_core/protocol/telnet/telnet_session.cpp b/server/tp_core/protocol/telnet/telnet_session.cpp index 7b4defc..545f4c5 100644 --- a/server/tp_core/protocol/telnet/telnet_session.cpp +++ b/server/tp_core/protocol/telnet/telnet_session.cpp 
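Review bot: `nc->user_data = &hdata;` now points a connection owned by the process-wide `g_mg_mgr` at a stack variable, and the manager is never freed (`// mg_mgr_free(&mgr);`), so if the connection outlives this call for any reason (the loop exits before MG_EV_CLOSE, or a later change breaks out early) the next ts_http_get's `mg_mgr_poll(&g_mg_mgr, 100)` dispatches events into a dead stack frame. The lazy `is_mg_mgr_initialized` guard is also unsynchronised: two threads calling this for the first time can both run `mg_mgr_init`, and concurrent callers afterwards share one manager with no lock. Either clear `nc->user_data` before returning and document that ts_http_get must only be called from a single thread, or keep the per-call manager and accept the init cost. Delete the commented-out `new`/`delete` lines rather than leaving them as history.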
@@ -542,7 +542,7 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) { { if (_this->_putty_replace_username(m_conn_client, m_conn_server)) { - _this->m_username_sent = true; +// _this->m_username_sent = true; is_processed = true; } } @@ -574,7 +574,7 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) { { if (_this->_parse_find_and_send(m_conn_server, m_conn_client, _this->m_username_prompt.c_str(), _this->m_acc_name.c_str())) { - _this->m_username_sent = true; +// _this->m_username_sent = true; is_processed = true; } } @@ -583,6 +583,7 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) { if (_this->_parse_find_and_send(m_conn_server, m_conn_client, _this->m_password_prompt.c_str(), _this->m_acc_secret.c_str())) { _this->m_password_sent = true; + _this->m_username_sent = true; is_processed = true; } } diff --git a/server/tp_web/src/ts_ver.h b/server/tp_web/src/ts_ver.h index f8f53d7..f0ffe7e 100644 --- a/server/tp_web/src/ts_ver.h +++ b/server/tp_web/src/ts_ver.h @@ -1,6 +1,6 @@ -#ifndef __TS_SERVER_VER_H__ -#define __TS_SERVER_VER_H__ - -#define TP_SERVER_VER L"3.0.0.1" - -#endif // __TS_SERVER_VER_H__ +#ifndef __TS_SERVER_VER_H__ +#define __TS_SERVER_VER_H__ + +#define TP_SERVER_VER L"3.0.0.1" + +#endif // __TS_SERVER_VER_H__ diff --git a/server/www/teleport/webroot/app/app_ver.py b/server/www/teleport/webroot/app/app_ver.py index 2ece8c9..b629b65 100644 --- a/server/www/teleport/webroot/app/app_ver.py +++ b/server/www/teleport/webroot/app/app_ver.py @@ -1,2 +1,2 @@ -# -*- coding: utf8 -*- -TP_SERVER_VER = "3.0.2.9" +# -*- coding: utf8 -*- +TP_SERVER_VER = "3.0.3.11" diff --git a/version.in b/version.in index bf4cc82..10b250a 100644 --- a/version.in +++ b/version.in 
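Review bot: The two hunks that comment out `_this->m_username_sent = true;` and the third that sets it together with `m_password_sent` change when username injection stops, but nothing explains why, and a reader will assume the assignments were disabled by accident. A comment at the third hunk such as `// treat the username as delivered only once the password prompt has been answered; the username step is retried until then` would capture the intent (hedged: that is what the change appears to do, the surrounding state machine is outside the hunks). Delete the commented-out assignments rather than leaving them as dead code. `_do_relay` starts and ends outside these hunks.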
@@ -13,7 +13,7 @@ Revision : 修订号。主版本号和次版本号都相同但修订号不同 Build : 构建号。构建号用于表明此版本发布之前进行了多少次构建及测试。某些情况下此版本号可以省略。 -TP_SERVER 3.0.2.9 # 整个服务端打包的版本 -TP_TPCORE 3.0.1.6 # 核心服务 tp_core 的版本 -TP_TPWEB 3.0.0.1 # web服务 tp_web 的版本(一般除非升级Python,否则不会变化) -TP_ASSIST 3.0.1.6 # 助手版本 +TP_SERVER 3.0.3.11 # 整个服务端打包的版本 +TP_TPCORE 3.0.3.11 # 核心服务 tp_core 的版本 +TP_TPWEB 3.0.0.1 # web服务 tp_web 的版本(一般除非升级Python,否则不会变化) +TP_ASSIST 3.0.1.6 # 助手版本 From 0521729c9152173fb0671eab3a5dad913c8ee6da Mon Sep 17 00:00:00 2001 From: Apex Liu Date: Thu, 20 Sep 2018 01:50:01 +0800 Subject: [PATCH 5/9] fixed: can not auto-login with telnet protocol for Huawei network device. --- .../protocol/telnet/telnet_session.cpp | 34 +++++++++++++++++-- server/www/teleport/.idea/teleport.iml | 2 +- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/server/tp_core/protocol/telnet/telnet_session.cpp b/server/tp_core/protocol/telnet/telnet_session.cpp index 545f4c5..37d1d5d 100644 --- a/server/tp_core/protocol/telnet/telnet_session.cpp +++ b/server/tp_core/protocol/telnet/telnet_session.cpp @@ -537,6 +537,8 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) { if (conn->is_server_side()) { +// EXLOG_BIN(m_conn_client->data().data(), m_conn_client->data().size(), "<-- client:"); + // յ˿ͻ˷ if (_this->m_is_putty_mode && !_this->m_username_sent) { @@ -566,7 +568,9 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) { } else { - // յ˷˷ص +// EXLOG_BIN(m_conn_server->data().data(), m_conn_server->data().size(), "--> server:"); + + // յ˷˷ص if (m_conn_server->data().data()[0] != TELNET_IAC) m_rec.record(TS_RECORD_TYPE_TELNET_DATA, m_conn_server->data().data(), m_conn_server->data().size()); 
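Review bot: The disabled `EXLOG_BIN(m_conn_client->data().data(), ...)` and `EXLOG_BIN(m_conn_server->data().data(), ...)` lines in the two `_do_relay` hunks would dump every byte relayed between client and target, including typed passwords and the injected account secret, into the server log the moment someone uncomments them; the same applies to the `EXLOGV("find prompt and send: [%s] => [%s]\n", find, send)` and `EXLOG_BIN(mbuf_msg.data(), ...)` lines in the `_parse_find_and_send` hunk that follows. Remove them, or gate them behind a compile-time flag with a comment like `// never enable in release builds: dumps credentials in clear` so the hazard is explicit. `_do_relay` starts and ends outside these hunks.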
@@ -603,11 +607,34 @@ sess_state TelnetSession::_do_relay(TelnetConn *conn) { bool TelnetSession::_parse_find_and_send(TelnetConn* conn_recv, TelnetConn* conn_remote, const char* find, const char* send) { +// EXLOGV("find prompt and send: [%s] => [%s]\n", find, send); +// EXLOG_BIN(conn_recv->data().data(), conn_recv->data().size(), "find prompt in data:"); + size_t find_len = strlen(find); size_t send_len = strlen(send); - if (0 == find_len || 0 == send_len) - return false; + if (0 == find_len || 0 == send_len || conn_recv->data().size() < find_len) { + return false; + } + int find_range = conn_recv->data().size() - find_len; + for (int i = 0; i <= find_range; ++i) + { + if (0 == memcmp(conn_recv->data().data() + i, find, find_len)) + { + conn_remote->send(conn_recv->data().data(), conn_recv->data().size()); + conn_recv->data().empty(); + + MemBuffer mbuf_msg; + mbuf_msg.reserve(128); + mbuf_msg.append((ex_u8*)send, send_len); + mbuf_msg.append((ex_u8*)"\x0d\x0a", 2); +// EXLOG_BIN(mbuf_msg.data(), mbuf_msg.size(), "find prompt and send:"); + conn_recv->send(mbuf_msg.data(), mbuf_msg.size()); + return true; + } + } + +#if 0 MemBuffer mbuf_msg; mbuf_msg.reserve(128); MemStream ms_msg(mbuf_msg); @@ -679,6 +706,7 @@ bool TelnetSession::_parse_find_and_send(TelnetConn* conn_recv, TelnetConn* conn return true; } } +#endif return false; } diff --git a/server/www/teleport/.idea/teleport.iml b/server/www/teleport/.idea/teleport.iml index d58057b..3887569 100644 --- a/server/www/teleport/.idea/teleport.iml +++ b/server/www/teleport/.idea/teleport.iml @@ -7,7 +7,7 @@ - + From b157988431e72e2e75382ac8a9894f8acea8cc29 Mon Sep 17 00:00:00 2001 From: Apex Liu Date: Thu, 20 Sep 2018 01:51:19 +0800 Subject: [PATCH 6/9] update version of Teleport Server. --- version.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/version.in b/version.in index 10b250a..87957a9 100644 --- a/version.in +++ b/version.in 
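Review bot: `conn_recv->data().empty();` reads like a predicate whose result is discarded; if MemBuffer::empty() is a query rather than a clear, the prompt bytes stay in the receive buffer and are forwarded again on the next pass (MemBuffer's API is not visible here, so this needs confirming). If it does clear, a comment such as `// empty() discards the buffered prompt; only the secret is sent to the host` will stop every reader tripping over it. `int find_range = conn_recv->data().size() - find_len;` narrows a size_t to int and `i` is compared against it; use `size_t` for both, since the preceding `size() < find_len` guard already keeps the subtraction non-negative. The `#if 0` block keeps the entire previous implementation in the file; delete it, version control has it.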
@@ -13,7 +13,7 @@ Revision : 修订号。主版本号和次版本号都相同但修订号不同 Build : 构建号。构建号用于表明此版本发布之前进行了多少次构建及测试。某些情况下此版本号可以省略。 -TP_SERVER 3.0.3.11 # 整个服务端打包的版本 -TP_TPCORE 3.0.3.11 # 核心服务 tp_core 的版本 +TP_SERVER 3.0.3.12 # 整个服务端打包的版本 +TP_TPCORE 3.0.3.12 # 核心服务 tp_core 的版本 TP_TPWEB 3.0.0.1 # web服务 tp_web 的版本(一般除非升级Python,否则不会变化) TP_ASSIST 3.0.1.6 # 助手版本 From 371e32867481810d93cc95a696c9426317a622d2 Mon Sep 17 00:00:00 2001 From: Apex Lu Date: Thu, 20 Sep 2018 02:15:16 +0800 Subject: [PATCH 7/9] update version. --- build/builder/core/ver.py | 2 +- server/tp_core/core/tp_core.rc | Bin 5184 -> 5184 bytes server/tp_core/core/ts_ver.h | 2 +- server/www/teleport/webroot/app/app_ver.py | 2 +- 4 files changed, 3 insertions(+), 3 deletions(-) diff --git a/build/builder/core/ver.py b/build/builder/core/ver.py index 846836c..7fa547e 100644 --- a/build/builder/core/ver.py +++ b/build/builder/core/ver.py @@ -1,3 +1,3 @@ # -*- coding: utf8 -*- -VER_TP_SERVER = "3.0.3.11" +VER_TP_SERVER = "3.0.3.12" VER_TP_ASSIST = "3.0.1.6" 
diff --git a/server/tp_core/core/tp_core.rc b/server/tp_core/core/tp_core.rc index 32404a7fc5a38239b0ec9a7b452d73323f7d7ae4..c6e38a5b82ba4a63ee05907974adc1a9d8688d3a 100644 GIT binary patch delta 37 rcmX@0aX@3kG7d(g$;&wm8I3mI Date: Thu, 20 Sep 2018 10:32:45 +0800 Subject: [PATCH 8/9] =?UTF-8?q?1.=E6=B7=BB=E5=8A=A0:=E9=A6=96=E6=AC=A1?= =?UTF-8?q?=E7=BB=91=E5=AE=9A=E5=8A=A8=E6=80=81=E8=BA=AB=E4=BB=BD=E8=AE=A4?= =?UTF-8?q?=E8=AF=81=E5=99=A8=E6=88=90=E5=8A=9F=E5=90=8E=EF=BC=8C=E4=B8=8D?= =?UTF-8?q?=E5=85=81=E8=AE=B8=E5=86=8D=E6=AC=A1=E7=BB=91=E5=AE=9A=202.?= =?UTF-8?q?=E7=AE=A1=E7=90=86=E5=91=98=E5=8F=AF=E8=A7=A3=E7=BB=91=E7=94=A8?= =?UTF-8?q?=E6=88=B7=E7=9A=84=E5=8A=A8=E6=80=81=E8=BA=AB=E4=BB=BD=E8=AF=81?= =?UTF-8?q?=E8=AE=A4=E8=AF=81=E5=99=A8=203.=E9=87=8D=E7=BD=AE=E5=AF=86?= =?UTF-8?q?=E7=A0=81=E6=97=B6=E4=BC=9A=E8=87=AA=E5=8A=A8=E5=88=A0=E9=99=A4?= =?UTF-8?q?=E8=80=81=E7=9A=84=E5=8A=A8=E6=80=81=E8=BA=AB=E4=BB=BD=E8=AF=81?= =?UTF-8?q?=E8=AE=A4=E8=AF=81=E5=99=A8(=E7=94=A8=E6=88=B7=E5=9C=A8?= =?UTF-8?q?=E4=B8=AA=E4=BA=BA=E4=B8=BB=E9=A1=B5=E4=B8=8A=E4=BF=AE=E6=94=B9?= =?UTF-8?q?=E4=B8=8D=E4=BC=9A=E5=88=A0=E9=99=A4)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- server/www/teleport/static/js/tp-const.js | 5 +++ .../www/teleport/static/js/user/bind-oath.js | 2 +- .../www/teleport/static/js/user/user-list.js | 18 ++++++++++ server/www/teleport/webroot/app/const.py | 1 + .../webroot/app/controller/__init__.py | 2 ++ .../teleport/webroot/app/controller/user.py | 34 ++++++++++++++++++- server/www/teleport/webroot/app/model/user.py | 6 +++- 7 files changed, 65 insertions(+), 3 deletions(-) mode change 100644 => 100755 server/www/teleport/static/js/tp-const.js mode change 100644 => 100755 server/www/teleport/static/js/user/bind-oath.js mode change 100644 => 100755 server/www/teleport/static/js/user/user-list.js mode change 100644 => 100755 server/www/teleport/webroot/app/const.py mode change 100644 => 100755 
server/www/teleport/webroot/app/controller/__init__.py mode change 100644 => 100755 server/www/teleport/webroot/app/controller/user.py mode change 100644 => 100755 server/www/teleport/webroot/app/model/user.py diff --git a/server/www/teleport/static/js/tp-const.js b/server/www/teleport/static/js/tp-const.js old mode 100644 new mode 100755 index 5df2d8b..7a9cdeb --- a/server/www/teleport/static/js/tp-const.js +++ b/server/www/teleport/static/js/tp-const.js @@ -212,6 +212,7 @@ var TPE_CAPTCHA_EXPIRED = 10000; var TPE_CAPTCHA_MISMATCH = 10001; var TPE_OATH_MISMATCH = 10002; var TPE_SYS_MAINTENANCE = 10003; +var TPE_OATH_ALREADY_BIND = 10004; var TPE_USER_LOCKED = 10100; var TPE_USER_DISABLED = 10101; @@ -314,6 +315,10 @@ function tp_error_msg(error_code, message) { case TPE_SYS_MAINTENANCE: msg = '系统维护中'; break; + + case TPE_OATH_ALREADY_BIND: + msg = '该账号已经绑定了身份验证器,如无法使用,请联系管理员重置密码或更换登陆方式'; + break; case TPE_USER_LOCKED: msg = '账号已被锁定'; diff --git a/server/www/teleport/static/js/user/bind-oath.js b/server/www/teleport/static/js/user/bind-oath.js old mode 100644 new mode 100755 index d9f8f42..4e59b8e --- a/server/www/teleport/static/js/user/bind-oath.js +++ b/server/www/teleport/static/js/user/bind-oath.js @@ -182,7 +182,7 @@ $app.on_auth_user = function () { } $app.dom.auth.btn_submit.attr('disabled', 'disabled'); - $tp.ajax_post_json('/user/verify-user', {username: str_username, password: str_password}, + $tp.ajax_post_json('/user/verify-user', {username: str_username, password: str_password, check_bind_oath: true}, function (ret) { $app.dom.auth.btn_submit.removeAttr('disabled'); if (ret.code === TPE_OK) { diff --git a/server/www/teleport/static/js/user/user-list.js b/server/www/teleport/static/js/user/user-list.js old mode 100644 new mode 100755 index 65f0719..fb85bc1 --- a/server/www/teleport/static/js/user/user-list.js +++ b/server/www/teleport/static/js/user/user-list.js 
@@ -203,6 +203,8 @@ $app.on_table_users_cell_created = function (tbl, row_id, col_key, cell_obj) { $app.dlg_edit_user.show_edit(row_id); } else if (action === 'reset-password') { $app.dlg_reset_password.show_edit(row_id); + } else if (action === 'reset-oath-bind') { + $app._reset_oath_bind(user.id); } else if (action === 'lock') { $app._lock_users([user.id]); } else if (action === 'unlock') { @@ -349,6 +351,7 @@ $app.on_table_users_render_created = function (render) { h.push(''); h.push('
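Review bot: `$app._reset_oath_bind(user.id)` passes a single id into a parameter named `users`, while the neighbouring `$app._lock_users([user.id])` passes an array and the server forwards the value unchanged; whichever shape `update_oath_secret` expects, the naming will mislead the next caller, so rename the parameter to `user_id` (or wrap the id in an array if the handler really iterates). Resetting an authenticator silently removes the user's second factor; the other destructive actions in this table go through a dialog, and this one should confirm first and refresh the table on success. The `on_table_users_cell_created` and `on_table_users_render_created` bodies continue outside these hunks.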
  • 重置密码
  • '); + h.push('
  • 重置身份验证器
  • '); h.push(''); h.push('
  • 删除
  • '); h.push(''); @@ -547,6 +550,21 @@ $app.set_selected_to_role = function (role_id, role_name) { }; +$app._reset_oath_bind = function (users) { + $tp.ajax_post_json('/user/do-unbind-oath', {users: users}, + function (ret) { + if (ret.code === TPE_OK) { + $tp.notify_success('重置身份验证器操作成功!'); + } else { + $tp.notify_error('重置身份验证器操作失败:' + tp_error_msg(ret.code, ret.message)); + } + }, + function () { + $tp.notify_error('网络故障,重置身份验证器操作失败!'); + } + ); +}; + $app._lock_users = function (users) { $tp.ajax_post_json('/user/update-users', {action: 'lock', users: users}, function (ret) { diff --git a/server/www/teleport/webroot/app/const.py b/server/www/teleport/webroot/app/const.py old mode 100644 new mode 100755 index c029c0f..c3c9a5e --- a/server/www/teleport/webroot/app/const.py +++ b/server/www/teleport/webroot/app/const.py @@ -198,6 +198,7 @@ TPE_CAPTCHA_EXPIRED = 10000 TPE_CAPTCHA_MISMATCH = 10001 TPE_OATH_MISMATCH = 10002 TPE_SYS_MAINTENANCE = 10003 +TPE_OATH_ALREADY_BIND = 10004 TPE_USER_LOCKED = 10100 TPE_USER_DISABLED = 10101 diff --git a/server/www/teleport/webroot/app/controller/__init__.py b/server/www/teleport/webroot/app/controller/__init__.py old mode 100644 new mode 100755 index 6f1c56f..d141f5b --- a/server/www/teleport/webroot/app/controller/__init__.py +++ b/server/www/teleport/webroot/app/controller/__init__.py @@ -78,6 +78,8 @@ controllers = [ (r'/user/verify-user', user.DoVerifyUserHandler), # - [json] 绑定身份认证器 (r'/user/do-bind-oath', user.DoBindOathHandler), + # - 取消绑定身份认证器 + (r'/user/do-unbind-oath', user.DoUnBindOathHandler), # # - 用户组管理页面 (r'/user/group', user.GroupListHandler), diff --git a/server/www/teleport/webroot/app/controller/user.py b/server/www/teleport/webroot/app/controller/user.py old mode 100644 new mode 100755 index 6085f70..4704179 --- a/server/www/teleport/webroot/app/controller/user.py +++ b/server/www/teleport/webroot/app/controller/user.py 
@@ -144,7 +144,12 @@ class DoVerifyUserHandler(TPBaseJsonHandler): except: return self.write_json(TPE_PARAM) - err, user_info = user.login(self, username, password=password) + try: + check_bind_oath = args['check_bind_oath'] + except: + check_bind_oath = False + + err, user_info = user.login(self, username, password=password, check_bind_oath=check_bind_oath) if err != TPE_OK: if err == TPE_NOT_EXISTS: err = TPE_USER_AUTH @@ -190,6 +195,28 @@ class DoBindOathHandler(TPBaseJsonHandler): return self.write_json(TPE_OK) +class DoUnBindOathHandler(TPBaseJsonHandler): + def post(self): + ret = self.check_privilege(TP_PRIVILEGE_USER_DELETE) + if ret != TPE_OK: + return + + args = self.get_argument('args', None) + if args is None: + return self.write_json(TPE_PARAM) + try: + args = json.loads(args) + except: + return self.write_json(TPE_JSON_FORMAT) + + try: + users = args['users'] + except: + return self.write_json(TPE_PARAM) + + # 把oath设置为空就是去掉oath验证 + err = user.update_oath_secret(self, users, '') + self.write_json(err) class OathSecretQrCodeHandler(TPBaseHandler): def get(self): @@ -752,6 +779,11 @@ class DoResetPasswordHandler(TPBaseJsonHandler): if mode == 4 and err == TPE_OK: user.remove_reset_token(token) + # 非用户自行修改密码的情况,都默认重置身份认证 + if mode != 5 and err == TPE_OK: + print("reset oath secret") + user.update_oath_secret(self, user_id, '') + self.write_json(err) else: diff --git a/server/www/teleport/webroot/app/model/user.py b/server/www/teleport/webroot/app/model/user.py old mode 100644 new mode 100755 index 0124d63..24d9d9e --- a/server/www/teleport/webroot/app/model/user.py +++ b/server/www/teleport/webroot/app/model/user.py @@ -49,7 +49,7 @@ def get_by_username(username): return TPE_OK, s.recorder[0] -def login(handler, username, password=None, oath_code=None): +def login(handler, username, password=None, oath_code=None, check_bind_oath=False): sys_cfg = tp_cfg().sys err, user_info = get_by_username(username) 
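Review bot: The "already bound" check is only applied when the client sends `check_bind_oath`, and bind-oath.js is what sets it; a client that posts to /user/verify-user without the flag and then to /user/do-bind-oath skips the check entirely unless DoBindOathHandler enforces it independently (its body is outside this hunk). Enforce the rule on the server in the bind handler itself, reading the user's current `oath_secret` there, and treat `check_bind_oath` as a UI hint at most. The `try: ... except: check_bind_oath = False` block also accepts any JSON type; `check_bind_oath = bool(args.get('check_bind_oath', False))` says the same in one line.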
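Review bot: `users = args['users']` in DoUnBindOathHandler is handed straight to `user.update_oath_secret` without checking its type, and the JS caller sends a scalar id although the name says list; validate it as an int (or list of ints) and return TPE_PARAM otherwise. Removing someone's second factor is a privileged, security-relevant action, so it should also be written to the operation log with the operator and target ids, which the handler does not do. Gating it on TP_PRIVILEGE_USER_DELETE is defensible but deserves a comment, e.g. `# unbinding OATH is as sensitive as deleting the user, so reuse that privilege`.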
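Review bot: `if mode != 5 and err == TPE_OK:` wipes the user's OATH secret on every reset path except self-service, which from the visible context includes the token-based reset (`mode == 4`, where `user.remove_reset_token(token)` runs); if that token is delivered by e-mail, possession of the mailbox now defeats both factors. Consider leaving the authenticator bound on the token path, or at least record the decision with a comment such as `# admin-initiated resets also clear OATH so a locked-out user can re-enrol; note that token resets do too, leaving e-mail as the only remaining factor`. Drop the `print("reset oath secret")` debug line or turn it into a proper log call. DoResetPasswordHandler.post continues outside the hunk.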
@@ -62,6 +62,10 @@ def login(handler, username, password=None, oath_code=None): # 尚未为此用户设置角色 return TPE_PRIVILEGE, None + if check_bind_oath == True and len(user_info['oath_secret']) != 0: + return TPE_OATH_ALREADY_BIND, None + + if user_info['state'] == TP_STATE_LOCKED: # 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息 if sys_cfg.login.lock_timeout != 0: From e326b3ac487d2cced37bb076c17a1b7be67bf494 Mon Sep 17 00:00:00 2001 From: Apex Liu Date: Sat, 22 Sep 2018 00:51:56 +0800 Subject: [PATCH 9/9] =?UTF-8?q?=E4=BF=AE=E6=AD=A3=E4=BA=86=E6=97=A0?= =?UTF-8?q?=E6=B3=95=E8=BF=9C=E7=A8=8B=E8=BF=9E=E6=8E=A5SSHv1.99=E7=9A=84?= =?UTF-8?q?=E4=BA=A4=E6=8D=A2=E6=9C=BA=E7=9A=84=E9=97=AE=E9=A2=98=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- build/builder/core/ver.py | 6 +- common/teleport/teleport_const.h | 1 + server/tp_core/core/tp_core.rc | Bin 5184 -> 5184 bytes server/tp_core/core/ts_ver.h | 12 +- server/tp_core/protocol/ssh/ssh_session.cpp | 238 ++++++++++-------- server/tp_core/protocol/ssh/ssh_session.h | 1 + .../tp_core/protocol/ssh/tpssh.vs2015.vcxproj | 1 + .../protocol/ssh/tpssh.vs2015.vcxproj.filters | 3 + .../www/teleport/static/js/asset/host-list.js | 6 +- .../teleport/static/js/audit/record-list.js | 3 + server/www/teleport/static/js/tp-const.js | 1 + server/www/teleport/webroot/app/app_ver.py | 4 +- version.in | 4 +- 13 files changed, 156 insertions(+), 124 deletions(-) diff --git a/build/builder/core/ver.py b/build/builder/core/ver.py index 7fa547e..9880449 100644 --- a/build/builder/core/ver.py +++ b/build/builder/core/ver.py @@ -1,3 +1,3 @@ -# -*- coding: utf8 -*- -VER_TP_SERVER = "3.0.3.12" -VER_TP_ASSIST = "3.0.1.6" +# -*- coding: utf8 -*- +VER_TP_SERVER = "3.0.4.16" +VER_TP_ASSIST = "3.0.1.6" diff --git a/common/teleport/teleport_const.h b/common/teleport/teleport_const.h index 3c5b25e..05b436b 100644 --- a/common/teleport/teleport_const.h +++ b/common/teleport/teleport_const.h 
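Review bot: The new `TPE_OATH_ALREADY_BIND` return sits before the locked-state check and, if the password comparison comes later in login() as the hunk context suggests (the rest of the function is outside the hunk), before any credential is verified, so /user/verify-user with `check_bind_oath` reveals whether an arbitrary username has an authenticator bound without a valid password, and does so even for locked accounts. Move the check after the password and lock checks so it only fires for an authenticated caller. Style: `if check_bind_oath == True and ...` should read `if check_bind_oath and len(user_info['oath_secret']) != 0:`.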
@@ -51,6 +51,7 @@ #define TP_SESS_STAT_ERR_RESET 7 // ỰΪteleportķ #define TP_SESS_STAT_ERR_IO 8 // ỰΪж #define TP_SESS_STAT_ERR_SESSION 9 // ỰΪЧĻỰID +#define TP_SESS_STAT_ERR_AUTH_TYPE 10 // ỰΪ֤ʽ #define TP_SESS_STAT_STARTED 100 // Ѿӳɹˣʼ¼¼ #define TP_SESS_STAT_ERR_START_INTERNAL 104 // ỰΪڲ #define TP_SESS_STAT_ERR_START_BAD_PKG 106 // ỰΪյı diff --git a/server/tp_core/core/tp_core.rc b/server/tp_core/core/tp_core.rc index c6e38a5b82ba4a63ee05907974adc1a9d8688d3a..ca16a2a988b95274b3b7e3a22647dc16b0e85970 100644 GIT binary patch delta 61 zcmX@0aX@3k0uFW)1|0@N2D8b_IkaKy%{Mu2GXXhzAc@VpxmDqu$-B8FH}N^J0RY@? B4qE^K delta 61 zcmX@0aX@3k0uFX#1|0@N2BXQ#IkaKy%{Mu2GXXhzAc@VpxmDqu$-B8FH}N^J0RY+| B4o3h0 diff --git a/server/tp_core/core/ts_ver.h b/server/tp_core/core/ts_ver.h index dab96a3..4801aa9 100644 --- a/server/tp_core/core/ts_ver.h +++ b/server/tp_core/core/ts_ver.h @@ -1,6 +1,6 @@ -#ifndef __TS_SERVER_VER_H__ -#define __TS_SERVER_VER_H__ - -#define TP_SERVER_VER L"3.0.3.12" - -#endif // __TS_SERVER_VER_H__ +#ifndef __TS_SERVER_VER_H__ +#define __TS_SERVER_VER_H__ + +#define TP_SERVER_VER L"3.0.4.16" + +#endif // __TS_SERVER_VER_H__ diff --git a/server/tp_core/protocol/ssh/ssh_session.cpp b/server/tp_core/protocol/ssh/ssh_session.cpp index 1da871a..4dde76f 100644 --- a/server/tp_core/protocol/ssh/ssh_session.cpp +++ b/server/tp_core/protocol/ssh/ssh_session.cpp @@ -422,7 +422,7 @@ void SshSession::check_noop_timeout(ex_u32 t_now, ex_u32 timeout) { } int SshSession::_on_auth_password_request(ssh_session session, const char *user, const char *password, void *userdata) { - // õuserҪsession-id + // here, `user` is the session-id we need. SshSession *_this = (SshSession *)userdata; _this->m_sid = user; EXLOGV("[ssh] authenticating, session-id: %s\n", _this->m_sid.c_str()); 
@@ -441,6 +441,7 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user, _this->m_auth_type = _this->m_conn_info->auth_type; _this->m_acc_name = _this->m_conn_info->acc_username; _this->m_acc_secret = _this->m_conn_info->acc_secret; + _this->m_flags = _this->m_conn_info->protocol_flag; if (_this->m_conn_info->protocol_type != TP_PROTOCOL_TYPE_SSH) { EXLOGE("[ssh] session '%s' is not for SSH.\n", _this->m_sid.c_str()); _this->m_have_error = true; @@ -449,21 +450,18 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user, } } - // ڳԸsession-idȡõϢӲ¼SSH + // config and try to connect to real SSH host. EXLOGV("[ssh] try to connect to real SSH server %s:%d\n", _this->m_conn_ip.c_str(), _this->m_conn_port); _this->m_srv_session = ssh_new(); - // int verbosity = 4; - // ssh_options_set(_this->m_srv_session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity); - //ssh_set_blocking(_this->m_srv_session, 1); ssh_options_set(_this->m_srv_session, SSH_OPTIONS_HOST, _this->m_conn_ip.c_str()); int port = (int)_this->m_conn_port; ssh_options_set(_this->m_srv_session, SSH_OPTIONS_PORT, &port); #ifdef EX_DEBUG - // int flag = SSH_LOG_FUNCTIONS; - // ssh_options_set(_this->m_srv_session, SSH_OPTIONS_LOG_VERBOSITY, &flag); +// int flag = SSH_LOG_FUNCTIONS; +// ssh_options_set(_this->m_srv_session, SSH_OPTIONS_LOG_VERBOSITY, &flag); #endif - // int val = 0; - // ssh_options_set(_this->m_srv_session, SSH_OPTIONS_STRICTHOSTKEYCHECK, &val); + int val = 0; + ssh_options_set(_this->m_srv_session, SSH_OPTIONS_STRICTHOSTKEYCHECK, &val); if (_this->m_auth_type != TP_AUTH_TYPE_NONE) 
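Review bot: `int val = 0; ssh_options_set(_this->m_srv_session, SSH_OPTIONS_STRICTHOSTKEYCHECK, &val);` turns off strict host-key checking for the bastion's connection to the target, and nothing in the hunk verifies the target's host key (no ssh_is_server_known or equivalent is visible), so an attacker positioned between teleport and the host can impersonate it and be handed the stored account secret. Since the proxy holds credentials on the user's behalf, this is exactly where the key must be pinned: record the host key when the asset is registered and compare it here, failing with a session error on mismatch. If the line was only added to get past a known_hosts lookup on Windows, say so, e.g. `// TODO: host key is not verified; pin and check it before sending credentials`. `_on_auth_password_request` continues outside the hunk.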
@@ -490,108 +488,113 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user, _this->m_ssh_ver = ssh_get_version(_this->m_srv_session); EXLOGW("[ssh] real host is SSHv%d\n", _this->m_ssh_ver); +#if 0 // check supported auth type by host - //ssh_userauth_none(_this->m_srv_session, _this->m_acc_name.c_str()); - // rc = ssh_userauth_none(_this->m_srv_session, NULL); - // if (rc == SSH_AUTH_ERROR) { - // EXLOGE("[ssh] can not got auth type supported by real SSH server %s:%d.\n", _this->m_server_ip.c_str(), _this->m_server_port); - // _this->m_have_error = true; - // _this->m_retcode = SESS_STAT_ERR_AUTH_DENIED; - // return SSH_AUTH_ERROR; - // } - // // int auth_methods = ssh_userauth_list(_this->m_srv_session, NULL); - // const char* banner = ssh_get_issue_banner(_this->m_srv_session); - // if (NULL != banner) { - // EXLOGE("[ssh] issue banner: %s\n", banner); - // } + ssh_userauth_none(_this->m_srv_session, _this->m_acc_name.c_str()); + rc = ssh_userauth_none(_this->m_srv_session, NULL); + if (rc == SSH_AUTH_ERROR) { + EXLOGE("[ssh] can not got auth type supported by real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port); + _this->m_have_error = true; + _this->_session_error(TP_SESS_STAT_ERR_SESSION); + return SSH_AUTH_ERROR; + } + int auth_methods = ssh_userauth_list(_this->m_srv_session, _this->m_acc_name.c_str()); + + const char* banner = ssh_get_issue_banner(_this->m_srv_session); + if (NULL != banner) { + EXLOGE("[ssh] issue banner: %s\n", banner); + } +#endif + + int auth_methods = SSH_AUTH_METHOD_INTERACTIVE | SSH_AUTH_METHOD_PASSWORD | SSH_AUTH_METHOD_PUBLICKEY; + if (SSH_AUTH_ERROR != ssh_userauth_none(_this->m_srv_session, NULL)) + { + auth_methods = ssh_userauth_list(_this->m_srv_session, NULL); + EXLOGV("[ssh] allowed auth method: 0x%08x\n", auth_methods); + } + else + { + EXLOGW("[ssh] can not get allowed auth method, try each method we can.\n"); + } if (_this->m_auth_type == TP_AUTH_TYPE_PASSWORD) { - int 
retry_count = 0; + if (!(((auth_methods & SSH_AUTH_METHOD_INTERACTIVE) == SSH_AUTH_METHOD_INTERACTIVE) || ((auth_methods & SSH_AUTH_METHOD_PASSWORD) == SSH_AUTH_METHOD_PASSWORD))) + { + _this->_session_error(TP_SESS_STAT_ERR_AUTH_TYPE); + return SSH_AUTH_ERROR; + } + + + int retry_count = 0; - if (_this->m_ssh_ver == 1) { - // first try password for SSHv1 - rc = ssh_userauth_password(_this->m_srv_session, _this->m_acc_name.c_str(), _this->m_acc_secret.c_str()); - for (;;) { - if (rc == SSH_AUTH_AGAIN) { - retry_count += 1; - if (retry_count >= 3) - break; - ex_sleep_ms(100); - rc = ssh_userauth_password(_this->m_srv_session, _this->m_acc_name.c_str(), _this->m_acc_secret.c_str()); - continue; - } - if (rc == SSH_AUTH_SUCCESS) { - EXLOGW("[ssh] logon with password mode.\n"); - _this->m_is_logon = true; - return SSH_AUTH_SUCCESS; - } - else { - EXLOGW("[ssh] failed to login with password mode, got %d.\n", rc); - } - } - } + // first try interactive login mode if server allow. + if ((auth_methods & SSH_AUTH_METHOD_INTERACTIVE) == SSH_AUTH_METHOD_INTERACTIVE) + { + retry_count = 0; + rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL); + for (;;) { + if (rc == SSH_AUTH_AGAIN) { + retry_count += 1; + if (retry_count >= 5) + break; + ex_sleep_ms(500); + rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL); + continue; + } - // first try interactive login mode for SSHv2. 
- retry_count = 0; - rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL); - for (;;) { - if (rc == SSH_AUTH_AGAIN) { - retry_count += 1; - if (retry_count >= 5) - break; - ex_sleep_ms(500); - rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL); - continue; - } + if (rc != SSH_AUTH_INFO) + break; - if (rc != SSH_AUTH_INFO) - break; + int nprompts = ssh_userauth_kbdint_getnprompts(_this->m_srv_session); + if (0 == nprompts) { + rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL); + continue; + } - int nprompts = ssh_userauth_kbdint_getnprompts(_this->m_srv_session); - if (0 == nprompts) { - rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL); - continue; - } + for (int iprompt = 0; iprompt < nprompts; ++iprompt) { + char echo = 0; + const char* prompt = ssh_userauth_kbdint_getprompt(_this->m_srv_session, iprompt, &echo); + EXLOGV("[ssh] interactive login prompt: %s\n", prompt); - for (int iprompt = 0; iprompt < nprompts; ++iprompt) { - char echo = 0; - const char* prompt = ssh_userauth_kbdint_getprompt(_this->m_srv_session, iprompt, &echo); - EXLOGV("[ssh] interactive login prompt: %s\n", prompt); + rc = ssh_userauth_kbdint_setanswer(_this->m_srv_session, iprompt, _this->m_acc_secret.c_str()); + if (rc < 0) { + EXLOGE("[ssh] invalid password for interactive mode to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port); + _this->m_have_error = true; + _this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED); + return SSH_AUTH_ERROR; + } + } - rc = ssh_userauth_kbdint_setanswer(_this->m_srv_session, iprompt, _this->m_acc_secret.c_str()); - if (rc < 0) { - EXLOGE("[ssh] invalid password for interactive mode to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port); - _this->m_have_error = true; - _this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED); - return SSH_AUTH_ERROR; - } - } + rc = ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL); + } + } - rc = 
ssh_userauth_kbdint(_this->m_srv_session, NULL, NULL); - } - - if (rc == SSH_AUTH_SUCCESS) { - EXLOGW("[ssh] logon with keyboard interactive mode.\n"); - _this->m_is_logon = true; - return SSH_AUTH_SUCCESS; - } - else { - EXLOGW("[ssh] failed to login with keyboard interactive mode, got %d, try password mode.\n", rc); - } - - if (_this->m_ssh_ver != 1) { - // then try password mode if interactive mode does not supported by host with SSHv2. - rc = ssh_userauth_password(_this->m_srv_session, _this->m_acc_name.c_str(), _this->m_acc_secret.c_str()); - if (rc == SSH_AUTH_SUCCESS) { - EXLOGW("[ssh] logon with password mode.\n"); - _this->m_is_logon = true; - return SSH_AUTH_SUCCESS; - } - else { - EXLOGW("[ssh] failed to login with password mode, got %d.\n", rc); - } - } + // and then try password login mode if server allow. + if ((auth_methods & SSH_AUTH_METHOD_PASSWORD) == SSH_AUTH_METHOD_PASSWORD) + { + retry_count = 0; + rc = ssh_userauth_password(_this->m_srv_session, NULL, _this->m_acc_secret.c_str()); + for (;;) { + if (rc == SSH_AUTH_AGAIN) { + retry_count += 1; + if (retry_count >= 3) + break; + ex_sleep_ms(100); + rc = ssh_userauth_password(_this->m_srv_session, NULL, _this->m_acc_secret.c_str()); + continue; + } + if (rc == SSH_AUTH_SUCCESS) { + EXLOGW("[ssh] logon with password mode.\n"); + _this->m_is_logon = true; + return SSH_AUTH_SUCCESS; + } + else { + EXLOGE("[ssh] failed to login with password mode, got %d.\n", rc); + break; + } + } + } EXLOGE("[ssh] can not use password mode or interactive mode to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port); _this->m_have_error = true; 
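Review bot: The keyboard-interactive branch can no longer succeed: the old `if (rc == SSH_AUTH_SUCCESS) { ... _this->m_is_logon = true; return SSH_AUTH_SUCCESS; }` that followed the kbdint loop is deleted and nothing on the new side replaces it, so when the loop exits with `rc == SSH_AUTH_SUCCESS` execution falls through into the password branch (a further userauth request on an already authenticated session, at best an error) or, when the server offers only keyboard-interactive, straight to the "can not use password mode or interactive mode" error — a PAM/keyboard-interactive host becomes unreachable through the proxy unless a later patch in the series restores the check. The check belongs inside the `SSH_AUTH_METHOD_INTERACTIVE` block right after its loop rather than after the closing brace, because in the visible lines `rc` is not assigned on the path that skips the block and a stale 0 (`SSH_OK` and `SSH_AUTH_SUCCESS` are both 0 in libssh) would read as a logon; the excerpt below shows the placement. A smaller inconsistency in the same hunk: the new `TP_SESS_STAT_ERR_AUTH_TYPE` exit in the password branch does not set `_this->m_have_error = true`, whereas the matching exit added to the private-key branch in the next hunk does. `_on_auth_password_request` starts before and ends after this hunk.

```cpp
        // first try interactive login mode if server allow.
        if ((auth_methods & SSH_AUTH_METHOD_INTERACTIVE) == SSH_AUTH_METHOD_INTERACTIVE)
        {
            // … unchanged: kbdint retry / prompt-answer loop …

            // must stay inside this block: rc is only meaningful here.
            if (rc == SSH_AUTH_SUCCESS) {
                EXLOGW("[ssh] logon with keyboard interactive mode.\n");
                _this->m_is_logon = true;
                return SSH_AUTH_SUCCESS;
            }
            EXLOGW("[ssh] failed to login with keyboard interactive mode, got %d, try password mode.\n", rc);
        }

        // … unchanged: password-mode branch …
```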
@@ -599,7 +602,13 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user, return SSH_AUTH_ERROR; } else if (_this->m_auth_type == TP_AUTH_TYPE_PRIVATE_KEY) { - ssh_key key = NULL; + if ((auth_methods & SSH_AUTH_METHOD_PUBLICKEY) != SSH_AUTH_METHOD_PUBLICKEY) { + _this->m_have_error = true; + _this->_session_error(TP_SESS_STAT_ERR_AUTH_TYPE); + return SSH_AUTH_ERROR; + } + + ssh_key key = NULL; if (SSH_OK != ssh_pki_import_privkey_base64(_this->m_acc_secret.c_str(), NULL, NULL, NULL, &key)) { EXLOGE("[ssh] can not import private-key for auth.\n"); _this->m_have_error = true; @@ -615,12 +624,11 @@ int SshSession::_on_auth_password_request(ssh_session session, const char *user, _this->m_is_logon = true; return SSH_AUTH_SUCCESS; } - else { - EXLOGE("[ssh] failed to use private-key to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port); - _this->m_have_error = true; - _this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED); - return SSH_AUTH_ERROR; - } + + EXLOGE("[ssh] failed to use private-key to login to real SSH server %s:%d.\n", _this->m_conn_ip.c_str(), _this->m_conn_port); + _this->m_have_error = true; + _this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED); + return SSH_AUTH_ERROR; } else if (_this->m_auth_type == TP_AUTH_TYPE_NONE) { _this->_session_error(TP_SESS_STAT_ERR_AUTH_DENIED); @@ -736,6 +744,11 @@ int SshSession::_on_client_shell_request(ssh_session session, ssh_channel channe SshSession *_this = (SshSession *)userdata; EXLOGD("[ssh] client request shell\n"); + if ((_this->m_flags & TP_FLAG_SSH_SHELL) != TP_FLAG_SSH_SHELL) + { + EXLOGE("[ssh] ssh-shell disabled by ops-policy.\n"); + return SSH_ERROR; + } TP_SSH_CHANNEL_PAIR* cp = _this->_get_channel_pair(TP_SSH_CLIENT_SIDE, channel); if (NULL == cp) { 
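Review bot: The new `TP_FLAG_SSH_SHELL` gate in `_on_client_shell_request` covers only the "shell" channel request, so if the libssh server callbacks for this session also accept "exec" requests (that wiring is not visible in the diff), `ssh user@teleport 'cmd'` still runs a command on the real host with the shell flag cleared. Whichever callback dispatches exec needs the same check, or the gate should move to a common place, and a comment at the new check should say so: `// ops-policy: TP_FLAG_SSH_SHELL must also gate "exec" requests, not only "shell"`. It would also be worth recording the refusal through `g_ssh_env.session_update` so a blocked shell request shows up in the session audit rather than only in the error log — hedged, since the states that API accepts are not visible here. `_on_client_shell_request` continues past the hunk.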
@@ -761,7 +774,7 @@ int SshSession::_on_client_shell_request(ssh_session session, ssh_channel channe } void SshSession::_on_client_channel_close(ssh_session session, ssh_channel channel, void *userdata) { - EXLOGV("---client channel closed.\n"); + EXLOGV("[ssh] ---client channel closed.\n"); SshSession *_this = (SshSession *)userdata; TP_SSH_CHANNEL_PAIR* cp = _this->_get_channel_pair(TP_SSH_CLIENT_SIDE, channel); @@ -896,6 +909,13 @@ int SshSession::_on_client_channel_subsystem_request(ssh_session session, ssh_ch return SSH_ERROR; } + if ((_this->m_flags & TP_FLAG_SSH_SFTP) != TP_FLAG_SSH_SFTP) + { + EXLOGE("[ssh] ssh-sftp disabled by ops-policy.\n"); + return SSH_ERROR; + } + + cp->type = TS_SSH_CHANNEL_TYPE_SFTP; g_ssh_env.session_update(cp->db_id, TP_PROTOCOL_TYPE_SSH_SFTP, TP_SESS_STAT_STARTED); @@ -1099,7 +1119,7 @@ int SshSession::_on_server_channel_data(ssh_session session, ssh_channel channel } void SshSession::_on_server_channel_close(ssh_session session, ssh_channel channel, void *userdata) { - EXLOGV("---server channel closed.\n"); + EXLOGV("[ssh] ---server channel closed.\n"); SshSession *_this = (SshSession *)userdata; TP_SSH_CHANNEL_PAIR* cp = _this->_get_channel_pair(TP_SSH_SERVER_SIDE, channel); if (NULL == cp) { diff --git a/server/tp_core/protocol/ssh/ssh_session.h b/server/tp_core/protocol/ssh/ssh_session.h index dec1e1f..d0e6321 100644 --- a/server/tp_core/protocol/ssh/ssh_session.h +++ b/server/tp_core/protocol/ssh/ssh_session.h @@ -132,6 +132,7 @@ private: ex_u16 m_conn_port; ex_astr m_acc_name; ex_astr m_acc_secret; + ex_u32 m_flags; int m_auth_type; bool m_is_logon; diff --git a/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj b/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj index 73c64cb..ec6de51 100644 --- a/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj +++ b/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj @@ -109,6 +109,7 @@ + 
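Review bot: `m_flags` is added to `SshSession` without an initialiser and, in this diff, is written only in `_on_auth_password_request` after the session lookup succeeds; unless the constructor (outside this diff) zeroes it, the `TP_FLAG_SSH_SHELL`/`TP_FLAG_SSH_SFTP` gates in ssh_session.cpp read an indeterminate value on any path that reaches a channel request without that write. Initialising it to 0 in the constructor (or with a default member initialiser, `ex_u32 m_flags = 0;`, if the project builds as C++11) makes both gates fail closed, and a one-line comment would document the contract: `// TP_FLAG_SSH_* bits copied from conn_info->protocol_flag; 0 denies shell and sftp`. The class declaration starts before and ends after this hunk.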
diff --git a/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj.filters b/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj.filters index a4fd071..18936c4 100644 --- a/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj.filters +++ b/server/tp_core/protocol/ssh/tpssh.vs2015.vcxproj.filters @@ -113,6 +113,9 @@ jsoncpp + + common + diff --git a/server/www/teleport/static/js/asset/host-list.js b/server/www/teleport/static/js/asset/host-list.js index 92596f0..2c451a9 100644 --- a/server/www/teleport/static/js/asset/host-list.js +++ b/server/www/teleport/static/js/asset/host-list.js @@ -859,7 +859,6 @@ $app.create_dlg_edit_host = function () { cid: dlg.field_cid, desc: dlg.field_desc }; - console.log(args); // 如果id为-1表示创建,否则表示更新 $tp.ajax_post_json('/asset/update-host', args, @@ -1148,7 +1147,6 @@ $app.create_dlg_accounts = function () { $tp.ajax_post_json('/asset/get-accounts', {host_id: dlg.host.id}, function (ret) { if (ret.code === TPE_OK) { - console.log('account:', ret.data); $app.table_acc.set_data(cb_stack, {}, {total: ret.data.length, page_index: 1, data: ret.data}); } else { $app.table_acc.set_data(cb_stack, {}, {total: 0, page_index: 1, data: {}}); @@ -1519,6 +1517,10 @@ $app.create_dlg_edit_account = function () { } dlg.dom.auth_type.empty().append($(html.join(''))); + + if(!_.isNull(dlg.account)) + dlg.dom.auth_type.val(dlg.account.auth_type); + dlg.on_auth_change(); }; diff --git a/server/www/teleport/static/js/audit/record-list.js b/server/www/teleport/static/js/audit/record-list.js index b8bea97..46eabca 100644 --- a/server/www/teleport/static/js/audit/record-list.js +++ b/server/www/teleport/static/js/audit/record-list.js @@ -328,6 +328,9 @@ $app.on_table_host_render_created = function (render) { case TP_SESS_STAT_ERR_SESSION: msg = '无效会话'; break; + case TP_SESS_STAT_ERR_AUTH_TYPE: + msg = '无效认证方式'; + break; default: msg = '未知状态 [' + fields.state + ']'; } 
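Review bot: In the host-list.js hunk, `if(!_.isNull(dlg.account))` guards only `null`; if `dlg.account` is ever `undefined` (where it is set is outside this hunk), `dlg.account.auth_type` throws before `dlg.on_auth_change()` runs, so `if (dlg.account != null)` is the safer guard. Also, jQuery's `.val()` leaves a `<select>` with no selection when the stored `auth_type` matches none of the freshly rendered options, so `on_auth_change()` should tolerate an empty value or the code should fall back to the first option in that case — hedged, since the option list built just above is not fully visible. The enclosing function starts before this hunk.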
diff --git a/server/www/teleport/static/js/tp-const.js b/server/www/teleport/static/js/tp-const.js index 7a9cdeb..9632605 100755 --- a/server/www/teleport/static/js/tp-const.js +++ b/server/www/teleport/static/js/tp-const.js @@ -49,6 +49,7 @@ var TP_SESS_STAT_ERR_BAD_PKG = 6; // 会话结束,因为收到错误的报文 var TP_SESS_STAT_ERR_RESET = 7; // 会话结束,因为teleport核心服务重置了 var TP_SESS_STAT_ERR_IO = 8; // 会话结束,因为网络中断 var TP_SESS_STAT_ERR_SESSION = 9; // 会话结束,因为无效的会话ID +var TP_SESS_STAT_ERR_AUTH_TYPE = 10; // // 会话结束,因为服务端不支持此认证方式 var TP_SESS_STAT_STARTED = 100; // 已经连接成功了,开始记录录像了 var TP_SESS_STAT_ERR_START_INTERNAL = 104; // 会话结束,因为内部错误 var TP_SESS_STAT_ERR_START_BAD_PKG = 106; // 会话结束,因为收到错误的报文 diff --git a/server/www/teleport/webroot/app/app_ver.py b/server/www/teleport/webroot/app/app_ver.py index 9c328f1..9349363 100644 --- a/server/www/teleport/webroot/app/app_ver.py +++ b/server/www/teleport/webroot/app/app_ver.py @@ -1,2 +1,2 @@ -# -*- coding: utf8 -*- -TP_SERVER_VER = "3.0.3.12" +# -*- coding: utf8 -*- +TP_SERVER_VER = "3.0.4.16" diff --git a/version.in b/version.in index 87957a9..f26fa87 100644 --- a/version.in +++ b/version.in @@ -13,7 +13,7 @@ Revision : 修订号。主版本号和次版本号都相同但修订号不同 Build : 构建号。构建号用于表明此版本发布之前进行了多少次构建及测试。某些情况下此版本号可以省略。 -TP_SERVER 3.0.3.12 # 整个服务端打包的版本 -TP_TPCORE 3.0.3.12 # 核心服务 tp_core 的版本 +TP_SERVER 3.0.4.16 # 整个服务端打包的版本 +TP_TPCORE 3.0.4.16 # 核心服务 tp_core 的版本 TP_TPWEB 3.0.0.1 # web服务 tp_web 的版本(一般除非升级Python,否则不会变化) TP_ASSIST 3.0.1.6 # 助手版本