Robbie Harwood [Mon, 8 Oct 2018 20:02:12 +0000 (16:02 -0400)]
Prefer TCP to UDP for password changes
When password changes are performed over UDP, spotty networks may
cause the client to retransmit. This leads to replay errors if the
kpasswd server receives both requests, which hide the actual request
status and make it appear that the password has not been changed, when
it may in fact have been. Use TCP instead with UDP fallback to avoid
this issue.
Add a -f flag to ktutil addent. If specified, the enctype need not be
specified (although it can be) and ktutil will request etype-info from
the KDC to produce the string-to-key parameters.
Mubashir Kazia [Sat, 24 Jun 2017 19:47:53 +0000 (19:47 +0000)]
Add API to retrieve etype-info from KDC
Add the krb5_get_etype_info() API, which sends an initial ticket
request to the KDC and extracts an enctype, salt, and s2kparams value
from the first KDC reply. This function will help ktutil use the
correct salt and s2kparams when creating keytabs.
[ghudson@mit.edu: renamed API to krb5_get_etype_info() and adjusted
behavior]
Change the default dump filename for iprop to "replica_datatrans", and
the iprop poll interval profile variable to "iprop_replica_poll",
preserving compatibility with the old name.
Isaac Boukris [Sat, 15 Sep 2018 07:28:48 +0000 (10:28 +0300)]
Don't rely on default realm in S4U2Self client
When converting server principal to enterprise name (to be possibly
used for cross-realm), ignore the realm when reparsing, to avoid a
spurious error if a default realm isn't configured.
[ghudson@mit.edu: added rewritten test case; edited commit message]
Commit 28fd0a934cdc7b3b42ce213c6d334d4edf1ab591 muted a warning from
bison about shift/reduce conflicts in the grammer. However, the
extension for suppressing the warning is bison-only. Revert that
portion of the change and live with the warning rather than adding
additional conditionalization. Reported by Michael Osipov.
The LDAP KDB module contained a duplicate set of functions to marshal
osa_princ_ent_ret structures, perhaps to avoid a circular dependency
on libkadm5srv before KDB modules were dynamically loaded. We have
been using the libkadm5srv versions of those functions from the DB2
KDB module since release 1.8. Use them from the LDAP KDB module as
well.
Since no rpcgen output remains in princ_xdr.c and princ_xdr.h, add
emacs mode lines for the krb5 C style to those files and make small
formatting adjustments to match.
The documentation for pkinit_identities implies that we try harder to
use each value before ignoring the rest, when in fact we only go as
far as the first successful parse. Soften the language and describe
the most likely use case for multiple values under the current
semantics.
pkinit_identity.c:parse_fs_options() could crash if the first
strtok_r() call returns NULL, which happens when the residual string
begins with ','. Fix this bug by checking for a leading comma and
checking the strtok_r() result, and add a test case. Reported by Bean
Zhang.
Also return EINVAL rather than 0 on invalid input, and don't leave an
allocated value in idopts->cert_filename if we fail to copy the key
filename.
gcc warns that the `if` statement doesn't guard the length
assignment, which is true. However, it wouldn't make sense for the
length assignment to be guarded by the `if` clause anyway, since the
previous statement is a `goto`. De-indent for clarity.
If gss_add_cred() is called with both an input_cred_handle and an
output_cred_handle, it creates a new credential with the elements of
the input credential plus the requested element. Making a shallow
copy of mechs_array and cred_array from the old credential creates
aliased pointers which become invalid when one of the two credentials
is released, leading to use-after-free and double-free errors.
Instead, make a full copy of the input cred for this case. Make this
copy at the beginning so that union_cred can always be modified in
place (and freed on error using gss_release_cred() if we created it),
removing the need for new_union_cred, new_mechs_array, and
new_cred_array. Use a stack object for target_mechs to simplify
cleanup and reduce the number of failure cases.
GSSAPI provides no facility for copying a credential; since we mostly
use the GSSAPI as our SPI for mechanisms, we have no simple way to
copy mechanism creds when copying the union cred. Use
gss_export_cred() and gss_import_cred() if the mechanism provides
them; otherwise fall back to gss_inquire_cred() and
gss_acquire_cred().
If gss_add_cred() is called with no input_cred_handle, it creates a
new credential with one element. At the end of the function, use the
created credential as the output container, rather than creating a
second one and leaking the first.
If gss_inquire_cred_by_mech() is called with a mechanism and there is
no corresponding mechanism credential in the union cred, return
GSS_S_NO_CRED (as Heimdal does) instead of interrogating the mechanism
about the default credential.
strftime() is specified in C89. The tree has not built without a
native strftime() at least as far back as 1.7 (because it is used
unconditionally in kdb5_mkey.c) and possibly for much longer. Remove
the two copies of the NetBSD strftime.c and the fallback ctime() in
logger.c.
In logger.c:klog_vsyslog(), check the return value of localtime(). In
ldap_principal2.c:getstringtime(), check the strftime() result and
don't leak strtime on error.
Greg Hudson [Fri, 31 Aug 2018 17:19:21 +0000 (13:19 -0400)]
Fix name of .pdb file in ccapi/test/Makefile.in
The -Fd cl option specifies the location of the program database
filename, which should have the extension .pdb. Using a .obj
extension causes a build failure with MSVC version 14.15.26726.
Greg Hudson [Wed, 29 Aug 2018 19:04:13 +0000 (15:04 -0400)]
Check return values of time functions
Where ctime(), localtime(), or localtime_r() is used, check for
failure even if it is unlikely (reported by Bean Zhang). Constify the
strdate() return type in kdb5_mkey.c and kadmin.c and the
ctime_uint32() return type in kproplog.c. Use localtime_r()
unconditionally in str_conv.c as there is already a wrapper in that
file for the case where the platform doesn't have it. Remove an
inoperative localtime() call in ktutil.c.
Greg Hudson [Tue, 28 Aug 2018 01:10:53 +0000 (21:10 -0400)]
Check strdup return in kadm5_get_config_params()
When copying the realm string, if strdup() returns NULL, fail out with
ENOMEM instead of pretending the realm wasn't specified. When copying
KRB5_DEFAULT_SUPPORTED_ENCTYPES, if strdup() returns NULL, fail out
with ENOMEM instead of crashing. Reported by Bean Zhang.
Greg Hudson [Fri, 3 Aug 2018 04:36:10 +0000 (00:36 -0400)]
Limit matching of user-to-user ccache credentials
In krb5int_cc_creds_match_request(), do not yield a user-to-user
credential if the caller is not looking for one; it would not be
useful when a normal service ticket (encrypted in the service key) is
required. Reported by Todd Lubin.
Greg Hudson [Fri, 3 Aug 2018 15:07:03 +0000 (11:07 -0400)]
Don't tag S4U2Proxy result creds as user-to-user
S4U2Proxy and user-to-user tickets are both obtained using a
second-ticket input, but only user-to-user tickets are encrypted in
the session key of the second ticket. In gc_via_tkt.c, stop deducing
the is_skey flag from the presence of a second ticket and instead set
it based on the request KDC options.
Greg Hudson [Fri, 24 Aug 2018 15:40:39 +0000 (11:40 -0400)]
Add kvno option for user-to-user
Add a --u2u option to kvno, with an argument to specify a credential
cache containing a krbtgt for the server principal. Move the
-allow_svr test from appl/user_to_user to a new test script and add
additional tests. Suggested by Chris Hecker.
Greg Hudson [Fri, 10 Aug 2018 15:58:11 +0000 (11:58 -0400)]
Check public_oid in gss_export_cred()
In gss_export_cred(), check the gssint_get_public_oid() result as well
as the gssint_get_mechanism() result. There are probably no cases
where the former returns NULL and the latter does not, but it is easy
to be more obviously correct. Reported by Bean Zhang.
Greg Hudson [Wed, 8 Aug 2018 19:30:38 +0000 (15:30 -0400)]
Update many documentation links to https
Use secure URLs in the documentation where possible. The Sphinx web
site does not appear to have a valid server cert, but does have a more
official URL.
Greg Hudson [Wed, 8 Aug 2018 15:45:28 +0000 (11:45 -0400)]
Add kdestroy -p option
Add an option to destroy a cache within a collection by principal
name. This option can be used together with -c to specify the
collection. Also document that kdestroy -A and -c can be used
together (ticket 8602).
On Solaris, AX_PTHREAD can include -D_POSIX_PTHREAD_SEMANTICS in
PTHREAD_CFLAGS, which affects which variants of getpwnam_r() and
getpwuid_r() are declared by system headers. In configure.in, use
PTHREAD_CFLAGS when testing for those functions to make sure that the
tests see the same variants as the build will.
[ghudson@mit.edu: rewrote commit message and comment]
Greg Hudson [Wed, 1 Aug 2018 19:53:12 +0000 (15:53 -0400)]
Don't include all MEMORY ccaches in collection
In the MEMORY ccache implementation, only yield a cache in the
per-type cursor if it is the context default cache, matching the
behavior of FILE after commit 45360c9688ca963f75a2480f2cf818424fc3dc7b
(ticket 6955).
Alejandro Perez [Wed, 1 Aug 2018 07:56:54 +0000 (09:56 +0200)]
Extend gss-sample timeout from 10s to 300s
Some GSS mechanisms (such as GSS EAP - RFC 7055) require user
interaction, and ten seconds is too little to allow users to select
the identity they want to use or type their password. Make gss-client
and gss-server more useful for testing these mechanisms by extending
its timeout to five minutes.
Chris Hecker [Wed, 25 Jul 2018 05:57:23 +0000 (00:57 -0500)]
Allow u2u requests when -allow_svr is set
If KRB5_KDB_DISALLOW_SVR is set on the server principal, still allow
user-to-user tickets to be issued unless KRB5_KDB_DISALLOW_DUP_SKEY is
also set. This change makes the KDC_ERR_MUST_USE_USER2USER error
message more appropriate.
ticket: 2641
[ghudson@mit.edu: added test case; updated documentation based on
suggestions by Patrick Moore; edited commit message]
With Python 3, sys.stdout.write() of a partial line followed by
sys.stdin.readline() does not display the partial line. Add explicit
flushes to make prompts visible in k5test.py.
Commit af5b77c887bfff24603715f8296c00d5eb839b0c (ticket 8348) removed
the interface-scanning workaround for platforms without pktinfo
support, so there is no longer an interaction between the krb5kdc -w
option and this workaround.
It's been policy for a while now not to create "dead hunks" like
these. A great deal of this code simply doesn't work because it
hasn't been kept up-to-date, and may never have worked. Eliminate
these dead hunks along with the complexity to support them.
Remove python2 dependencies in .travis.yml and add python3-paste.
Convert t_daemon.py and jsonwalker.py to python3. csjon has no
python3 version, so replace it with python's built-in JSON module.
python3-pyrad isn't available for Trusty, so krad and OTP tests are
currently not exercised by Travis.
Commit b8814745049b5f401e3ae39a81dc1e14598ae48c (ticket 8576) added a
zero-terminated copy of the input string in
krb5int_arcfour_string_to_key(). This copy should be zeroed when
freed as the input string typically contains a password.
A memory ccache iterator stores an alias into the cache object's
linked list of credentials. If the cache is reinitialized while the
iterator is active, the alias becomes invalid. Also, multiple handles
referencing the same memory ccache all use aliases to the same data
object; if one of the handles is destroyed, the other contains a
dangling pointer.
Fix the first issue by adding a generation counter to the cache and to
cursors, incremented each time the cache is initialized or destroyed.
Check the generation on each cursor step and end the iteration if the
list was invalidated. Fix the second issue by adding a reference
count to the cache object, counting one reference for the table slot
and one for each open handle. Empty the cache object on each destroy
operation, but only release the object when the last handle to it is
destroyed or closed.
Add regression tests for the two issues to t_cc.c.
Move the build commands to a shell script, run with the -e flag so any
failure causes the script to exit. In the script, verify that "make
distclean" removes everything produced by "make" and "make check".
The executable "python" has traditionally been Python 2, but is
becoming more ambiguous as operating systems transition towards Python
3. Look for "python2" in the path in preference to "python", and
check that what we found isn't Python 3.
Remove the "#!/usr/bin/python" headers at the start of Python test
scripts since we run them explicitly under python, not as executables.
Execute paste-kdcproxy.py via sys.executable in t_proxy.py so that it
doesn't need a #!/usr/bin/python header.
DNS canonicalization can interfere with the fallback tests by changing
"localhost" to have multiple components, or (less likely) changing the
parent domain of foo.krbtest.com or foo.krbtest2.com.
Greg Hudson [Thu, 28 Jun 2018 04:15:11 +0000 (00:15 -0400)]
Improve ulog memory hygiene
Add a helper create_log_context() to initialize a krb5_context's
kdblog_context field, setting ulogfd to -1. Use it in ulog_set_role()
and ulog_map(). In ulog_fini(), release ulogfd if it is not -1.
In ulog_map(), add a cleanup label and use it to finalize the log
context on failure, so that we don't (trivially) leak the mapped ulog.
To reduce the number of "retval = errno;" statements required for this
change, make extend_file_to() return a krb5_error_code.
The ulog leak on error was reported by Bean Zhang.
Greg Hudson [Tue, 26 Jun 2018 16:47:10 +0000 (12:47 -0400)]
Fix OTP secret file leak and whitespace removal
In read_secret_file() in the OTP kdcpreauth module, add a cleanup
label and free filename on exit. Also fix the whitespace stripping
code to correctly find the end offset, and use size_t rather than int
offsets. The leak was reported by Bean Zhang.
Robbie Harwood [Mon, 18 Jun 2018 21:49:52 +0000 (17:49 -0400)]
Fix garbage return in extract_cammacs()
If no cammacs were present, we would never initialize ret before
returning it. (extract_cammcs() is currently never called with an
empty or null list, so this does not manifest as a bug.)
Robbie Harwood [Tue, 3 Oct 2017 18:28:47 +0000 (14:28 -0400)]
Correctly handle fallback in KDC OTP callback
In otp_state.c:callback(), avoid invoking the failure callback when we
fall back to the next token. Since request_send() consumes the
request, don't try to free it.
[ghudson@mit.edu: added test case; edited commit message]
Greg Hudson [Sat, 19 May 2018 02:04:25 +0000 (22:04 -0400)]
Clean up Windows build CPU detection
In the main build, set a variable BITS based on the detected CPU type,
and use it in library name expansions rather than repeatedly checking
for the same three 64-bit architectures. Also remove an unused
variable WLIB, formerly used to name the winsock library.
In the installer build, detect the CPU type in the makefile and pass
it to candle with the -arch option. This sets $(sys.BUILDARCH) in wix
scripts and also sets the default value of Win64 in components so we
don't have to set it for each one.
Update the build instructions and appveyor.yml to reflect that the
builder no longer needs to set CPU.
Greg Hudson [Tue, 19 Jun 2018 17:03:05 +0000 (13:03 -0400)]
Fix minor leak in kdb5_util purge_mkeys
In kdb5_purge_mkeys(), if krb5_dbe_update_mkey_aux() fails, use the
cleanup label to free any allocated memory instead of returning
immediately. Reported by Bean Zhang.
Greg Hudson [Fri, 15 Jun 2018 15:40:13 +0000 (11:40 -0400)]
Fix minor leak in krb5_gss_inquire_cred()
If mechs is created but one of the generic_gss_add_oid_set_member()
calls fails, it leaks. Initialize mechs and free it in the fail
label. Also null mechs when we transfer ownership of it to the
caller, in case we later unify the success and failure exit paths.
Reported by Bean Zhang.
Greg Hudson [Fri, 15 Jun 2018 15:52:22 +0000 (11:52 -0400)]
Fix minor leak in localauth RULE handling
In aname_replacer(), initialize current, null it when transferring
ownership to the caller, and free it on cleanup. Otherwise it leaks
on failure. Reported by Bean Zhang.
Greg Hudson [Fri, 15 Jun 2018 15:31:04 +0000 (11:31 -0400)]
Fix minor leak in k5_os_hostaddr()
In k5_os_hostaddr(), if allocation of the result array fails, use the
cleanup handler so that the getaddrinfo() result is freed. Also
initialize the pointers which are freed in the cleanup handler for
safety. Reported by Bean Zhang.
Greg Hudson [Fri, 15 Jun 2018 15:20:34 +0000 (11:20 -0400)]
Fix minor leaks in principal conversions
In krb5_524_conv_principal(), if the realm we read from the profile is
too long for the result buffer, free the profile value before
returning.
In krb5_425_conv_principal(), if krb5_get_realm_domain() fails, still
free any leftover allocated data using a cleanup label. The only one
that could be left over is dummy_value which we could address easily
enough within the loop, but we shouldn't sidestep the cleanup code.
'register' is a reserved and unused keyword in C++17 so having it
present in the public headers presents a a compatibility issue. Also
in C the 'register' keyword is mostly obsolete, so remove all uses of
it.
[ghudson@mit.edu: adjusted style of some of the affected lines]
Greg Hudson [Thu, 14 Jun 2018 14:52:33 +0000 (10:52 -0400)]
Fix minor leak in krb5_get_fallback_host_realm()
In domain_fallback_realm(), if profile_get_integer() fails, uhost is
leaked. Fix this bug by using the cleanup handler instead of
returning immediately. Reported by Bean Zhang.
Greg Hudson [Sun, 3 Jun 2018 20:41:18 +0000 (16:41 -0400)]
Stop using wshelper for SRV/TXT lookups
Add Windows-specific versions of k5_try_realm_txt_rr(),
k5_make_uri_query(), and krb5int_make_srv_query_realm(), bypassing
wshelper and using DnsQuery_UTF8() directly. Windows does not
currently know how to decode URI records and has no interface to allow
the caller to do so, so disable URI lookups on Windows for now.
Add a comment that dnsglue.h is not used on Windows (since DnsQuery
parses out and decodes SRV and TXT records for us), and remove the
header conditionals from it.
Greg Hudson [Sat, 2 Jun 2018 22:25:43 +0000 (18:25 -0400)]
Reorganize internal DNS interfaces
Move SRV lookup function declarations out of dnsglue.h into
os-proto.h, where the TXT lookup function is declared. Only include
dnsglue.h within files which need to parse DNS records.
To avoid needing MAXDNAME, use dynamic allocation for the results of
DNS lookups (including hostname canonicalization) where we currently
use fixed buffers. Remove clean_hostname from the accessor (nothing
uses it) and make it a static function within hostrealm.c.
Greg Hudson [Fri, 18 May 2018 05:05:46 +0000 (01:05 -0400)]
Require Visual Studio 2013 in Windows README
The recently added SPAKE edwards25519 code, adapted from BoringSSL,
makes frequent use of mixed declarations and code, which is supported
by VS2013 but not VS2012 and earlier. Require VS2013 as the minimum
version in the Windows README. Add suport for VS2013 and VS2015 to
the installer.
Greg Hudson [Wed, 16 May 2018 18:02:20 +0000 (11:02 -0700)]
Make plugin auto-registration work on Windows
Make plugin_base_dir subject to parameter expansion, and set its
default to %{LIBDIR}\plugins on Windows (%{LIBDIR} expands to the
directory where the krb5 DLL lives). For auto-registered modules,
assume that we will build 32-bit and 64-bit DLLs and name them
"modname32.dll" and "modname64.dll". In k5_plugin_register_dyn(), use
k5_path_join() instead of assuming the path separator is "/".
Greg Hudson [Wed, 16 May 2018 04:52:08 +0000 (21:52 -0700)]
Fix option parsing on Windows
Commit 8f9ade8ec50cde1176411085294f85ecfb2820a4 (ticket 8391) moved
the built-in getopt() and getopt_long() implementations from a static
library in util/windows to util/support, where (on Windows) it is
built into k5sprt32.dll or k5sprt64.dll. The getopt() interface uses
global variables opterr, optind, optopt, and optarg, each renamed via
macro to have a k5_ prefix when we use the built-in implementation.
Data objects exported from DLLs need special handling in Windows; they
must be marked as DATA in the DLL .def file, and they must be declared
with "__declspec(dllimport)" in calling code. Without this handling,
optind begins with a garbage value and getopt_long() returns -1
immediately, so client programs always behave as if they have no
arguments.
Stop unnecessarily declaring optind and optarg in client programs.
Declare the getopt() global variables with __declspec(dllimport) on
Windows, except when compiling getopt.c itself. When creating
libkrb5support.exports on Windows (this file is later used by
lib/Makefile.in to create k5sprt32.def), add a DATA tag to the data
objects.
Greg Hudson [Sun, 10 Jun 2018 22:32:13 +0000 (18:32 -0400)]
Use pkg.m4 macros
Add pkg.m4 from pkg-config 0.29.2 and include it in aclocal.m4. Use
PKG_CHECK_EXISTS for resolv_wrapper and PKG_CHECK_MODULES for libedit
and libverto. Based on a patch from Timo Gurr.
Greg Hudson [Wed, 6 Jun 2018 21:58:41 +0000 (17:58 -0400)]
Process profile includedir in sorted order
In the profile library, use k5_dir_filenames() so that files within an
included directory are read in a predictable order (alphanumeric
within the C locale).
Greg Hudson [Wed, 6 Jun 2018 22:26:42 +0000 (18:26 -0400)]
Fix Windows strerror_r() implementation
Commit 6351586a771e9a99e1e946cc9a0b6a87bbb14094 (ticket 7961)
introduced several variants of strerror_r(). The Windows one
contained a bug which made its return value undefined; fix that.
Greg Hudson [Mon, 21 May 2018 08:10:04 +0000 (01:10 -0700)]
Prune Leash sources
When Leash was imported in 2011-2012, some of its functionality was
removed either at compile-time or runtime--most notably krb4 support,
AFS integration, and editing of "properties" (registry values).
Remove most of the unnecessary material.
Document the new profile variables added for the LMDB KDB module and
the new configure option. Add a new admin section on database types,
and document the behavior of all current modules.
Add a new k5test function multidb_realms() which yields a realm using
BDB and a realm using LMDB. Run the tests in t_dump.py, t_iprop.py,
the lockout tests in t_policy.py, and kdbtest (in t_kdb.py) with both
databases.
If K5TEST_LMDB is set in the environment, use LMDB for all Python
tests and all tests in tests/dejagnu, with two exceptions
(t_unlockiter.py and t_kdb_locking.py) which test BDB-specific
behavior. To support those exceptions, add the "bdb_only" realm
initialization flag.
In t_iprop.py, be sure to properly clean up kpropd daemons, using a
new k5test realm method stop_kpropd() to stop a kpropd daemon started
with start_kpropd() and remove it from the realm's list.
Add a new KDB module using LMDB. For this module, combine policy and
principal databases into one environment with two databases, but split
out principal lockout fields into a separate environment so that
nothing blocks KDC writes for more than a trivial amount of time.
Greg Hudson [Fri, 11 May 2018 18:02:41 +0000 (14:02 -0400)]
Remove unused Windows sources
windows/build and windows/installer/nsis are not used by the KfW 4.x
build process. windows/wintel was removed from the build in commit 530043377ee6f39b9ca95c13f6260602e6fe7674. windows/cns and most of the
windows/lib objects were removed from the build in commit 52fa910f413e016b3d432ce34e2d5bcea3230a7d. Most of the Leash krb4
files were removed from the build in commit 9f097418620513813ecc086bcd9002b6e07bf2a1; some unnecessary includes of
the corresponding header files remain, so delete those now.
LeashControlPanel.cpp was not part of the leash build when the leash
sources were imported into this tree.
Greg Hudson [Fri, 11 May 2018 17:43:42 +0000 (13:43 -0400)]
Stop building CNS for Windows
CNS is an old Windows ticket manager which was long ago supplanted by
leash. We have been building it and copying it in "nmake install",
but not including it in the KfW installer. Remove it from the build,
and trim windows/lib down to just the part used by leashdll and leash
(loadfuncs.obj).
Greg Hudson [Wed, 9 May 2018 16:37:44 +0000 (12:37 -0400)]
Update Windows build instructions
Modify windows/README for Visual Studio 2017, which has separate
32-bit and 64-bit command prompts (and which seems to omit uicc from
the 64-bit path). Mention the need for MFC if building leash, and
describe how to build without leash.
Greg Hudson [Tue, 8 May 2018 14:31:26 +0000 (07:31 -0700)]
Update kfw installer for VS2017, WiX 3.11.1
For Visual Studio 2017 (aka 15.0), add a Visual C tools version
number, and use %VCToolsRedistDir% to find the merge modules. WiX
toolset 3.11.1 requires an xmlns attribute to the WixLocalization tag.
Greg Hudson [Mon, 7 May 2018 02:29:40 +0000 (22:29 -0400)]
Fix Leash build error with recent Visual Studio
Visual Studio 2015 and later do not allow manipulation of the _flag
field inside a file handle. In Leash's out2con.cpp (used only for the
debugging -console flag), do not try to mark the allocated file handle
as free after copying it to *stdout; a one-time memory leak here is
unimportant.
Greg Hudson [Sat, 5 May 2018 21:53:54 +0000 (17:53 -0400)]
Don't specify MFC library in Leash build
Since MFC 3.0 (which shipped with Visual C++ 2.0, decades ago) it has
been unnecessary to specify the MFC library in the link line; the
headers can magically add the right one. Guessing the MFC version
from $(VISUALSTUDIOVERSION) does not work with Visual Studio 2017 (we
guess 150; the correct value is 140).
projects / thirdparty / krb5.git / log
