Tom Yu [Thu, 27 Sep 2012 21:18:18 +0000 (17:18 -0400)]
Cache TGS-REPs too
Changes in r25660 inadvertently failed to insert TGS-REPs into the
lookaside cache. Call finish_dispatch_cache() at the end of
dispatch() to handle this case.
The file 'checkbox blank.png' is unneeded and contains a space in the
name, unnecessarily interfering with running find | xargs over the
source tree. Remove it.
Ben Kaduk [Wed, 19 Sep 2012 16:13:30 +0000 (12:13 -0400)]
Update windows/README
The build instructions have changed somewhat, as have the requirements
for a build environment.
The default behavior for KRB5_CONFIG and KRB5CCNAME has also changed.
Attempt to remove mention of overly specific Windows versions that
are now quite old when the behavior persists in newer versions of Windows.
Document the usage of DNS by default and the reduced need for a large
krb5.ini file.
Talk a little more about the LSA cache.
Ben Kaduk [Tue, 18 Sep 2012 21:53:18 +0000 (17:53 -0400)]
Remove NSIS installs when upgrading to 64-bit
The NSIS installer appears to have only ever existed as a 32-bit
software. As such, unconditionally check the 32-bit registry tree
for an uninstall string; the architecture of the current package
being installed is not relevant to what was previously installed.
Ben Kaduk [Wed, 12 Sep 2012 18:17:59 +0000 (14:17 -0400)]
Improve LEASHAUTOINIT description
This installer option determines whether the -autoinit argument
is passed to the MIT Kerberos executable.
On startup, if this argument is passed, and if there are no tickets
in the default cache, and if no useful tickets can be imported from
the LSA cache, MIT Kerberos will open the get ticket dialog and prompt
for a password; this option does not appear to have any other effect.
Ben Kaduk [Wed, 12 Sep 2012 15:35:04 +0000 (11:35 -0400)]
Unregister error message key on library unload
Revision fcdd2de1 added the K5_KEY_GSS_KRB5_ERROR_MESSAGE key, and
registered it in the gssapi library initialization routine, but
did not unregister it in the libary finalization routine.
When the library is unloaded and reloaded in the same process,
this leads to an assertion failure, since we check that
destructors_set[keynum] is zero (no destructor set) when registering
a key in util/support/threads.c.
Unregister the key on library cleanup to resolve the error.
We already define EV_USE_REALTIME to 0 to avoid the use of
clock_gettime() (to avoid depending on librt). But in some build
environments libev can detect support for a monotonic clock, which
also results in using clock_gettime(). Define EV_USE_MONOTONIC to 0
as well to prevent this.
Ben Kaduk [Fri, 31 Aug 2012 17:41:26 +0000 (13:41 -0400)]
Use separate components for shortcuts
Since the Start Menu and Desktop are different folders, we should
use different components for the shortcuts in those folders, given
that components operate at directory granularity.
Take the opportunity to use the newer style for installing shortcuts
and registry keys, and make the names more descriptive.
Increment the buildlevel to ensure new files are installed.
Ben Kaduk [Thu, 23 Aug 2012 16:38:57 +0000 (12:38 -0400)]
Do not emit debug printfs under NODEBUG
These printfs spew to the console when command-line utilities
such as 'klist' and 'aklog' are run, reducing usability.
These printfs can also cause application hangs.
On a multiprocessor machine, when PuTTY and the ccapiserver are
running on different CPUs, PuTTY appears to deadlock with three
concurrent threads inside cci_debug_printf().
Ben Kaduk [Wed, 22 Aug 2012 03:19:56 +0000 (23:19 -0400)]
KfW version update for kfw-4.0-beta8
Also bump the build level, since beta 7 has started to escape into
the wild, and we want to ensure that the file version numbers
are strictly increasing.
Kevin Wasserman [Tue, 21 Aug 2012 15:44:46 +0000 (11:44 -0400)]
Fix KfW thread-local storage allocation issues
Allocate thread-local storage on demand; don't rely on
the DLL_THREAD_ATTACH case in DllMain() since pre-existing
threads will never execute that code.
Ben Kaduk [Thu, 16 Aug 2012 20:03:48 +0000 (16:03 -0400)]
Kill running processes on upgrades/uninstalls
The InstallValidate action of the windows installer will bring up
a dialog informing us that some currently running processes must
be terminated before installation may proceed, and offers to do so,
but does not actually kill the processes. We have our own code to
kill running processes which did not execute, for two reasons:
it was sequenced after InstallValidate, and we did not have a current
list of processes to look for.
Add the right processes to look for and kill, and use our own
process-killing code since it actually works.
Ben Kaduk [Wed, 15 Aug 2012 18:50:42 +0000 (14:50 -0400)]
Make finding 32-bit libs easier
Our 64-bit installer provides 32-bit libraries as well as 64-bit
libraries, but not all 32-bit applications (e.g., PuTTY, Pidgin)
are able to locate them in C:\Program Files\MIT\Kerberos .
Including an InstallDir key under the Wow6432Node tree lets them
work out-of-the-box; while here set all the registry keys in this
component in the compatibility tree, for consistency.
Ben Kaduk [Mon, 13 Aug 2012 22:01:47 +0000 (18:01 -0400)]
Upgrade 64-bit KfW installations
We use separate UpgradeCodes for 32- and 64-bit installers, so
we must check for both of them when seeing if we are upgrading an
old/existing installation.
Ben Kaduk [Mon, 13 Aug 2012 19:03:45 +0000 (15:03 -0400)]
Upgrade from KfW betas, too
Instead of using 3.9.9 as a conditional for the maximum version to
upgrade from, just use the current version.
This seems to pick up beta tags properly (so we can upgrade
from, e.g., beta 6 to beta 7 using the installer's upgrade tools),
and is future-proof.
Note that a 64-bit installer will not pick up an existing 32-bit
install (or vice versa), but there does not seem to be infrastructure
to deal with this situation easily.
Also, "downgrading" by running an older installer with a newer version
already installed will cause both versions to be simultaneously
installed; only do this if you know what you're doing.
Benjamin Kaduk [Tue, 31 Jul 2012 20:12:27 +0000 (16:12 -0400)]
Avoid a crash when attempting to change password
In some cases we could keep stack garbage in a local pointer
variable until the cleanup at the end of the function wherein
krb5_free_context() would choke on the invalid non-NULL value.
Initialize to zero to avoid the issue (should be written as NULL
but stick to the prevailing style).
Benjamin Kaduk [Mon, 30 Jul 2012 20:50:55 +0000 (16:50 -0400)]
Rename old krb5.ini files away
We want to always use a new krb5.ini (and our search order guarantees
that we will), but users might be confused if there is still a file
named krb5.ini in the old location which is now non-functional.
However, it is rude to unconditionally delete the old file which may
potentially be the only copy a user has of their local changes.
Instead, rename the old file to a non-functioning name that indicates
it is no longer being used, so that it may be consulted if needed.
Only attempt the rename if we found an existing krb5.ini, and ignore errors
since this is not a critical part of the installation.
Kevin Wasserman [Mon, 30 Jul 2012 20:30:34 +0000 (16:30 -0400)]
Fix renew_until check for auto-renewal
This was completely wrong, but only caused a severe problem on 64 bit
builds. On 32 bit builds the result was effectively always 'success',
so it would always attempt to renew even if there was not sufficient time
left in the renewable lifetime. This did not have much observable
adverse effect. But on 64 bit builds it always failed and so never
attempted renewal.
Kevin Wasserman [Mon, 30 Jul 2012 13:46:24 +0000 (09:46 -0400)]
Always install krb5.ini in KfW 4.0 installer
Pre-existing krb5.ini files from old kfw versions will be overridden
due to the new search path, but not removed. This is the desired behavior
since old krb5.ini files are far more likely to cause problems than to
contain useful data.
Kevin Wasserman [Fri, 27 Jul 2012 20:41:06 +0000 (16:41 -0400)]
CCAPI client rpc fixes
On Windows XP, cci_os_ipc_thread_init() causes additional threads to be
spawned immediately, which results in a vicious cycle until Windows
resources are exhausted. Instead, defer thread_init() until it is really
needed.
Also, use the MSDN-recommended defaults for RPC calls instead of random
constants.
Kevin Wasserman [Wed, 18 Jul 2012 21:32:31 +0000 (17:32 -0400)]
Call CWinAppEx::InitInstance()
Without this, AfxGlobalsAddRef() is never called, so AfxGlobalsRelease()
does nothing, causing many leaks and a crash on exit in GdiplusShutdown()
on Vista.
Kevin Wasserman [Tue, 17 Jul 2012 17:51:46 +0000 (13:51 -0400)]
Use cc_user_set_default_name to 'make default'
In addition to calling krb5_cc_switch(), use
krb5int_cc_user_set_default_name() in CLeashView::OnMakeDefault()
to set the default ccache for all processes for the current user.
Kevin Wasserman [Sat, 5 May 2012 14:53:44 +0000 (10:53 -0400)]
Help updates for kfw 4.0
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
[kaduk@mit.edu: Squash commits, a couple of grammar fixes, and also turn
a few instances of "Leash" into "MIT Kerberos". Trim trailing whitespace
and other whitespace tweaks to pass the commit hooks.]
Kevin Wasserman [Tue, 17 Jul 2012 17:17:46 +0000 (13:17 -0400)]
Fix leashdll code to search for existing tickets
When we have a desired principal, search the entire credential cache
collection for existing tickets for that principal before using a prompter.
If no principal is specified, check only the default cache.
Kevin Wasserman [Thu, 21 Jun 2012 19:30:24 +0000 (15:30 -0400)]
Use file mapping to marshall message data
GlobalAlloc() is no longer supported for this purpose.
Also split out leash message marshalling code into a separate function
acquire_tkt_send_message_leash and improve string copy safety.
Kevin Wasserman [Thu, 21 Jun 2012 17:27:27 +0000 (13:27 -0400)]
Set kfw GUI read-only princ flag when appropriate
When receiving a request to obtain tickets (from another process), if a
particular principal is requested, set the read-only flag to prevent
the user from changing the principal.
Kevin Wasserman [Thu, 21 Jun 2012 17:22:39 +0000 (13:22 -0400)]
Add 'read-only principal' flag
Reserve the high-order 16 bits of dlgtype for flags.
Add DLGFLAG_READONLY_PRINC. When specified, the get tickets dialog
does not allow the user to change the principal.
Kevin Wasserman [Fri, 15 Jun 2012 02:57:59 +0000 (22:57 -0400)]
Send kfw 'obtain ticket' messages to main frame
Previous versions of kfw would attempt to send 'obtain tickets' messages
directly to the 'view' window by sending to the first child of the main
frame. But with the ribbon UI, the ribbon toolbar is now the first child,
so that method no longer works. Instead we now send the message to the
main frame and the main frame forwards to the active view.
Kevin Wasserman [Sat, 2 Jun 2012 14:34:09 +0000 (10:34 -0400)]
KfW auto-complete support
Use the registry to store and retrieve principals for auto-complete.
Remember principals from successful autentications.
TODO: combine realm/username in principal; 'remember principal' checkbox;
reset button; add to support 'change password' dialog as well.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
[kaduk@mit.edu: style cleanup, copyright/license on new file.]
projects / thirdparty / krb5.git / log
