Merge branch 'release/2.1.0' into develop

CMakeLists.txt

@@ -3,7 +3,7 @@ set(project_name "SSF")
 project(${project_name})
 
 set(SSF_VERSION_MAJOR 2)
-set(SSF_VERSION_MINOR 0)
+set(SSF_VERSION_MINOR 1)
 set(SSF_VERSION_FIX 0)
 set(SSF_VERSION_BOUNCE 2)
 set(SSF_VERSION_TRANSPORT 1)
@@ -43,12 +43,10 @@ set(project_EXEC_DIR "${project_BINARY_DIR}/ssf/${project_EXEC_DIR_NAME}")
 add_subdirectory("${project_THIRDPARTY_DIR}/cmake-build-system")
 include(HelpersIdeTarget)
 
-set(BOOST_ROOT
-      "${project_THIRDPARTY_DIR}/boost" CACHE PATH "Path of boost library")
+set(BOOST_ROOT "${project_THIRDPARTY_DIR}/boost" CACHE PATH "Path of boost library")
 message("** BOOST_ROOT: ${BOOST_ROOT}")
 
-set(OPENSSL_ROOT_DIR
-      "${project_THIRDPARTY_DIR}/openssl" CACHE PATH "Path of openssl library")
+set(OPENSSL_ROOT_DIR "${project_THIRDPARTY_DIR}/openssl" CACHE PATH "Path of openssl library")
 message("** OPENSSL_ROOT_DIR: ${OPENSSL_ROOT_DIR}")
 
 # ---- Third party parameters
@@ -115,19 +113,26 @@ include_directories(${project_BINARY_DIR})
 
 # --- Test certs
 set(SSF_CERT_TEST_ROOT_FILES
-    "${project_ROOT_DIR}/certs/certificate.crt"
-    "${project_ROOT_DIR}/certs/dh4096.pem"
-    "${project_ROOT_DIR}/certs/private.key")
+  "${project_ROOT_DIR}/certs/certificate.crt"
+  "${project_ROOT_DIR}/certs/dh4096.pem"
+  "${project_ROOT_DIR}/certs/private.key")
 set(SSF_CERT_TEST_TRUSTED_FILES
-    "${project_ROOT_DIR}/certs/trusted/ca.crt"
+  "${project_ROOT_DIR}/certs/trusted/ca.crt"
 )
 
+# --- Copy test certs in ssf install dir
+set(project_EXEC_CERTS_DIR "${project_EXEC_DIR}/certs")
+file(MAKE_DIRECTORY ${project_EXEC_CERTS_DIR})
+file(MAKE_DIRECTORY ${project_EXEC_CERTS_DIR}/trusted)
+
+file(COPY ${SSF_CERT_TEST_ROOT_FILES} DESTINATION ${project_EXEC_CERTS_DIR})
+file(COPY ${SSF_CERT_TEST_TRUSTED_FILES} DESTINATION "${project_EXEC_CERTS_DIR}/trusted")
+
 # --- Unit tests
 if (BUILD_UNIT_TESTS OR BUILD_FRAMEWORK_UNIT_TESTS)
   include(GTest)
 
-  set(GTEST_ROOT_DIR
-        "${project_THIRDPARTY_DIR}/gtest" CACHE PATH "Path of gtest library")
+  set(GTEST_ROOT_DIR "${project_THIRDPARTY_DIR}/gtest" CACHE PATH "Path of gtest library")
 
   # --- Extract GTest archive in build directory
   gtest_unpack_archive()

README.md

@@ -5,9 +5,9 @@
 ### Requirements
 
   * Winrar >= 5.2.1 (Third party builds on windows)
-  * Boost >= 1.56.0
+  * Boost >= 1.61.0
   * OpenSSL >= 1.0.2
-  * Google Test >= 1.7.0
+  * Google Test = 1.7.0
   * CMake >= 2.8.11
   * nasm (openssl build on windows)
   * Perl | Active Perl >= 5.20 (openssl build on windows)
@@ -43,7 +43,7 @@ If you are using *openssl-1.0.2a*, you need to fix the file ``crypto/x509v3/v3_s
 Copy [the diff from OpenSSL Github](https://github.com/openssl/openssl/commit/77b1f87214224689a84db21d2eb54e9497186d93.diff)
 (ignore the 2 first lines) and put it in ``PROJECT_PATH/third_party/openssl/patches``. The build script will then patch the sources.
 
-* Copy [GTest archive](http://code.google.com/p/googletest/downloads/list) in ``third_party/gtest``
+* Copy [GTest archive](https://github.com/google/googletest/archive/release-1.7.0.zip) in ``third_party/gtest``
 
  ```bash
  cp gtest-1.X.Y.zip PROJECT_PATH/third_party/gtest
@@ -85,7 +85,7 @@ cp boost_1_XX_Y.tar.bz2 PROJECT_PATH/third_party/boost
 cp openssl-1.0.XY.tar.gz PROJECT_PATH/third_party/openssl
 ```
 
-* Copy [GTest archive](http://code.google.com/p/googletest/downloads/list) in ``third_party/gtest``
+* Copy [GTest archive](https://github.com/google/googletest/archive/release-1.7.0.zip) in ``third_party/gtest``
 
 ```bash
 cp gtest-1.X.Y.zip PROJECT_PATH/third_party/gtest
@@ -127,7 +127,7 @@ cp boost_1_XX_Y.tar.bz2 PROJECT_PATH/third_party/boost
 cp openssl-1.0.XY.tar.gz PROJECT_PATH/third_party/openssl
 ```
 
-* Copy [GTest archive](http://code.google.com/p/googletest/downloads/list) in ``third_party/gtest``
+* Copy [GTest archive](https://github.com/google/googletest/archive/release-1.7.0.zip) in ``third_party/gtest``
 
 ```bash
 cp gtest-1.X.Y.zip PROJECT_PATH/third_party/gtest
@@ -235,19 +235,23 @@ The chain will be CLIENT -> SERVER1:PORT1 -> SERVER2:PORT2 -> SERVER3:PORT3 -> T
 ### Standard command line
 
 ```plaintext
-ssf<c|s>[.exe] [-h] [-L loc:ip:dest] [-R rem:ip:dest] [-D port] [-F port] [-U loc:ip:dest] [-V rem:ip:dest] [-b bounce_file] [-c config_file] [-p port] [host]
+ssf<c|s>[.exe] [-h] [-v verb_level] [-q] [-L loc:ip:dest] [-R rem:ip:dest] [-D port] [-F port] [-U loc:ip:dest] [-V rem:ip:dest] [-X port] [-Y port] [-b bounce_file] [-c config_file] [-p port] [host]
 ```
 
-* host : the IP address or the name of the remote server to connect to.
-* -p : *port* is the port on which to listen (for the server) or to connect (for the client). The default value is 8011.
+* -v : Verbosity level (critical, error, warning, info, debug, trace), default is info
+* -q : Quiet mode (no log)
 * -L : TCP port forwarding with *loc* as the local TCP port, *ip* and *dest* as destination toward which the forward should be done from the server.
 * -R : TCP remote port forwarding with *rem* as the TCP port to forward from the remote host, *ip* and *dest* as destination toward which the forward should be done from the client.
 * -D : open a port (*port*) on the client to connect to a SOCKS server on the server from the client.
 * -F : open a port (*port*) on the server to connect to a SOCKS server on the client from the server.
 * -U : UDP port forwarding with *loc* as the UDP port to forward from the client, *ip* and *dest* as destination toward which the forward should be done from the server.
 * -V : UDP remote port forwarding with *rem* as the UDP port to forward from the server, *ip* and *dest* as destination toward which the forward should be done from the client.
+* -X : open a port (*port*) on the client side, each connection to that port creates a process with I/O forwarded to/from the server side (the binary used can be set with the config file)
+* -Y : open a port (*port*) on the server side, each connection to that port creates a process with I/O forwarded to/from the client side (the binary used can be set with the config file)
 * -b : *bounce_file* is the file containing the list of relays to use.
 * -c : *config_file* is the config file containing configuration for SSF (TLS configuration).
+* -p : *port* is the port on which to listen (for the server) or to connect (for the client). The default value is 8011.
+* host : the IP address or the name of the remote server to connect to.
 
 #### Server example
 
@@ -328,13 +332,39 @@ ssfcp[.exe] [-b bounce_file] [-c config_file] [-p port] remote_host@path/to/file
             "key_path": "./certs/private.key",
             "dh_path": "./certs/dh4096.pem",
             "cipher_alg": "DHE-RSA-AES256-GCM-SHA384"
+        },
+        "http_proxy": {
+            "host": "proxy.example.com",
+            "port": "3128",
+            "credentials": {
+                "username": "user",
+                "password": "password",
+                "domain": "EXAMPLE.COM",
+                "reuse_ntlm": "true",
+                "reuse_kerb": "true"
+            }
+        },
+        "services": {
+            "shell": {
+                "path": "/bin/bash",
+                "args": ""
+            }
         }
     }
 }
 ```
 
-* *tls.ca_cert_path* : relative or absolute path to the CA certificate file
-* *tls.cert_path*    : relative or absolute path to the instance certificate file
-* *tls.key_path*     : relative or absolute path to the private key file
-* *tls.dh_path*      : relative or absolute path to the Diffie-Hellman file
-* *tls.cipher_alg*   : cypher algorithm
+* *tls.ca_cert_path*      : relative or absolute path to the CA certificate file
+* *tls.cert_path*         : relative or absolute path to the instance certificate file
+* *tls.key_path*          : relative or absolute path to the private key file
+* *tls.dh_path*           : relative or absolute path to the Diffie-Hellman file
+* *tls.cipher_alg*        : cipher algorithm
+* *http_proxy.host*                   : HTTP proxy host
+* *http_proxy.port*                   : HTTP proxy port
+* *http_proxy.credentials.username*   : proxy username credentials (all platform: Basic or Digest, Windows: NTLM and Negotiate if reuse = false)
+* *http_proxy.credentials.password*   : proxy password credentials (all platform: Basic or Digest, Windows: NTLM and Negotiate if reuse = false)
+* *http_proxy.credentials.domain*     : user domain (NTLM and Negotiate auth on Windows only)
+* *http_proxy.credentials.reuse_ntlm* : reuse current computer user credentials to authenticate with proxy NTLM auth (SSO)
+* *http_proxy.credentials.reuse_kerb* : reuse current computer user credentials (Kerberos ticket) to authenticate with proxy Negotiate auth (SSO)
+* *services.shell.path* : binary path used for shell creation (optional)
+* *services.shell.args* : binary arguments used for shell creation (optional)

third_party/boost/README.md

@@ -0,0 +1,10 @@
+# Windows i386 executables only
+
+This project needs to patch boost build system (add extra compilation flags).
+
+Rename the patches directory for your boost version to ```patches```.
+
+Start from a clean build directory. The patches will be applied at CMake project generation (```cmake ..```).
+
+Renaming example:
+* boost-1.61.0: ```patches-boost-1.61.0``` -> ```patches```

third_party/boost/patches-boost-1.61.0/00_win32.patch

@@ -0,0 +1,22 @@
+--- a/libs/context/build/Jamfile.v2
++++ b/libs/context/build/Jamfile.v2
+@@ -116,7 +116,7 @@
+
+ actions masm
+ {
+-    ml /c /Fo"$(<)" "$(>)"
++    ml /safeseh /c /Fo"$(<)" "$(>)"
+ }
+
+ actions masm64
+--- a/tools/build/src/tools/msvc.jam
++++ b/tools/build/src/tools/msvc.jam
+@@ -1113,7 +1113,7 @@
+         # Turn on some options for i386 assembler
+         #  -coff  generate COFF format object file (compatible with cl.exe output)
+         local default-assembler-amd64 = ml64 ;
+-        local default-assembler-i386  = "ml -coff" ;
++        local default-assembler-i386  = "ml -coff -safeseh" ;
+         local default-assembler-ia64  = ias ;
+         local default-assembler-ia64  = armasm ;
+

third_party/gtest/README.md

@@ -0,0 +1,6 @@
+# Issues with new google test archive format
+
+* Rename zip file from ```googletest-release-1.7.0.zip``` to ```gtest-1.7.0.zip```
+* Rename archive internal root folder from ```googletest-release-1.7.0``` to ```gtest-1.7.0```
+
+This will be fixed in a future version.

tools/generate_release.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+#
+# This script generates an archive release
+# Includes :
+#   - SSF binaries
+#   - UPXed SSF binaries
+#   - tests certs (for test purpose only)
+#
+
+set -e
+
+echo "Usage: ./generate_release.sh SSF_VERSION CMAKE_GENERATOR ABS_SSF_SOURCE_DIR OUTPUT_FILEPATH"
+
+if [ -z "$1" ]; then "First arg is VERSION"; exit 1; else VERSION="$1"; fi
+if [ -z "$2" ]; then "Second arg is CMAKE_GENERATOR"; exit 1; else CMAKE_GENERATOR="$2"; fi
+if [ -z "$3" ]; then "Third arg is ABS_SSF_SOURCE_DIR"; exit 1; else ABS_SSF_SOURCE_DIR="$3"; fi
+if [ -z "$4" ]; then "Fourth arg is OUTPUT_FILE"; exit 1; else OUTPUT_FILEPATH="$4"; fi
+
+PWD=`pwd`
+
+TMP_BUILD_DIR="${PWD}/tmp_build_release"
+TARGET="ssf-${VERSION}"
+INSTALL_BIN_PATH="${TMP_BUILD_DIR}/ssf/${TARGET}"
+
+echo "* VERSION: '${VERSION}'"
+echo "* CMAKE_GENERATOR: '${CMAKE_GENERATOR}'"
+echo "* ABS_SSF_SOURCE_DIR: '${ABS_SSF_SOURCE_DIR}'"
+echo "* OUTPUT_FILEPATH: '${OUTPUT_FILEPATH}'"
+
+echo "* Create tmp build directory '${TMP_BUILD_DIR}'"
+mkdir -p ${TMP_BUILD_DIR}
+
+cd ${TMP_BUILD_DIR}
+echo "* CMake pre processing"
+cmake ${ABS_SSF_SOURCE_DIR} -DCMAKE_BUILD_TYPE=Release -G "${CMAKE_GENERATOR}"
+
+echo "* Build binaries"
+cmake --build . --target install --config Release
+
+echo "* UPX binaries"
+for BIN_PATH in ${INSTALL_BIN_PATH}/ssf*;
+do
+  BIN_NAME=`basename ${BIN_PATH}`
+  upx --best -o "${INSTALL_BIN_PATH}/upx-${BIN_NAME}" ${BIN_PATH}
+done
+
+echo "* Install directory '${INSTALL_BIN_PATH}'"
+cd "${INSTALL_BIN_PATH}/.."
+
+echo "* Create tar archive '${OUTPUT_FILEPATH}'"
+tar -czf "${OUTPUT_FILEPATH}" "${TARGET}"
+
+echo "* Clean tmp build directory '${TMP_BUILD_DIR}'"
+rm -rf "${TMP_BUILD_DIR}"