Squash commits for KfW updates

windows ccapiserver: replace Sleep with event wait

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

fix warning in test_cc_credentials_iterator_next.c

include test_ccapi_iterators.h for check_cc_credentials_iterator_next

Make ccapiserver exit if its receiveloop thread terminates for any reason.

This happens, for example, when the rpc endpoint is already registered
by another ccapiserver process.  There's no reason to leave a zombie
process running that can't receive messages.

windows ccapi: launch server without console by default.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

windows ccapi: use a random challenge to authenticate ccapiserver.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

LeashView.cpp: only specify TVIF_TEXT if there is actually text.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw installer: add runtime.wxi WIXINCLUDES in Makefile to fix dependencies.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

Windows leash64 fixes: use proper names for leash and krb5 dlls

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

Windows leash fixes: 'make install' installs leash exes.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw installer: use MSVC 2010 merge modules

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw installer: install leash32.exe

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw: clean out unused #defines from Lglobals.h

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw: use correct message id to obtain tgt from leash

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw: update copyright notice in license.rtf

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw fixes: install xpprof32

TODO: xpprof64!

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw installer: purge support for old compilers

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw installer: don't build installer into installer

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw fixes: make leash ignore credentials that store config principals.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw fix: make Leash_kdestroy() actually destroy k5 tickets

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw fix: Add custom "Password incorrect" message to Leash_int_kinit_ex()

Overrides obscure KRB5KRB_AP_ERR_BAD_INTEGRITY message.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw fixes: define USE_MESSAGE_BOX in leashdll code for user feedback.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw fixes: krb5_get_init_creds_opt_init->krb5_get_init_creds_opt_alloc

Should enable leash to generate config credentials (needs verification!)

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw fix: int -> size_t to fix warning in krb5routines.c

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw fix: restructure low ticket warning popup code to workaround mfc bug

mfc bug causes assertions when dialog is generated from
within PreTranslateMessages() (MSG input param points to a global
variable which is corrupted in the dialog message loop).  So we need
to instead PostMessage() to cause the popup later.
Also fixed logic to cause warning dialog to actually be modal as intended
when the leash window is not minimized.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw fixes: fix _snprintf usage; use full error code in leash_error_message

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw fixes: ccapiserver only quits after all clients detach.

Not sure if this is really a good idea or not...

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw: generate manifests

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw installer: generate leash shortcuts (desktop and start menu)

...also install xpprof64

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw: fix 'K5_ORIGINAL_NAME' for 64 bit dlls.

...still need to actually to define _WIN64 for rc.exe though

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw installer: purge bufferoverflowu from custom.dll

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw: rename leash32/64.exe to simply leash.exe

Also install leash.exe in 64 bit installer.

Split cci_thread_init into per-process and per-thread portions

Call the per-thread code on thread attach and per-process once per
process.  Previously, while the function was named 'thread', it was
only actually called once per process.  Currently, the per-thread
code does nothing on non-windows platforms and is not even actually
invoked.

Fixes a windows bug when multiple non-main threads try to use ccapi
at the same time.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw leash: add -console option to create console for debug output

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw: use _WIN64 names where appropriate

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw leash: bracket krb.con code with #ifndef NO_KRB4

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw installer: install krb5.ini to CommonAppDataFolder, not WindowsFolder

...but only if there isn't already a krb5.ini in the WindowsFolder.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw: "make install" also installs pdbs

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw installer: leash32.pdb->leash.pdb

kfw installer: add site-local.wxi

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw: leash htmlhelp file source

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw: use html help in leash

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw: "make install" installs htmlhelp (leash.chm)

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw installer: install leash help file (leash.chm)

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw: remove line breaks from html to fix table of contents generation

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw leash help: fix/add aliases for command help

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

kfw leash: fix bad data in get tickets dialog when -autoinit specified

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

ticket: 7050
version_fixed: 1.10
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25585 dc483132-0cff-0310-8789-dd5450dbe970

src/Makefile.in

@@ -196,7 +196,8 @@ WINMAKEFILES=Makefile \
 	windows\cns\Makefile windows\gina\Makefile \
 	windows\ms2mit\Makefile \
 	windows\wintel\Makefile windows\kfwlogon\Makefile \
-	windows\leashdll\Makefile windows\leash\Makefile
+	windows\leashdll\Makefile windows\leash\Makefile \
+	windows\leash\htmlhelp\Makefile
 
 ##DOS##Makefile-windows:: $(MKFDEP) $(WINMAKEFILES)
 
@@ -326,6 +327,8 @@ WINMAKEFILES=Makefile \
 ##DOS##	$(WCONFIG) config < $@.in > $@
 ##DOS##windows\leash\Makefile: windows\leash\Makefile.in $(MKFDEP)
 ##DOS##	$(WCONFIG) config < $@.in > $@
+##DOS##windows\leash\htmlhelp\Makefile: windows\leash\htmlhelp\Makefile.in $(MKFDEP)
+##DOS##	$(WCONFIG) config < $@.in > $@
 
 clean-windows:: Makefile-windows
 
@@ -553,19 +556,30 @@ install-windows::
 	copy include\gssapi\gssapi_ext.h "$(KRB_INSTALL_DIR)\include\gssapi\."
 	copy lib\$(OUTPRE)*.lib "$(KRB_INSTALL_DIR)\lib\."
 	copy lib\$(OUTPRE)*.dll "$(KRB_INSTALL_DIR)\bin\."
+	copy lib\$(OUTPRE)*.pdb "$(KRB_INSTALL_DIR)\bin\."
 	copy windows\cns\$(OUTPRE)krb5.exe "$(KRB_INSTALL_DIR)\bin\."
+	copy windows\cns\$(OUTPRE)krb5.pdb "$(KRB_INSTALL_DIR)\bin\."
 	copy appl\gss-sample\$(OUTPRE)gss-server.exe "$(KRB_INSTALL_DIR)\bin\."
+	copy appl\gss-sample\$(OUTPRE)gss-server.pdb "$(KRB_INSTALL_DIR)\bin\."
 	copy appl\gss-sample\$(OUTPRE)gss-client.exe "$(KRB_INSTALL_DIR)\bin\."
+	copy appl\gss-sample\$(OUTPRE)gss-client.pdb "$(KRB_INSTALL_DIR)\bin\."
 	copy windows\ms2mit\$(OUTPRE)*.exe "$(KRB_INSTALL_DIR)\bin\."
+	copy windows\ms2mit\$(OUTPRE)*.pdb "$(KRB_INSTALL_DIR)\bin\."
 	copy windows\leashdll\$(OUTPRE)*.lib "$(KRB_INSTALL_DIR)\lib\."
 	copy windows\leashdll\$(OUTPRE)*.dll "$(KRB_INSTALL_DIR)\bin\."
+	copy windows\leashdll\$(OUTPRE)*.pdb "$(KRB_INSTALL_DIR)\bin\."
+	copy windows\leash\$(OUTPRE)*.exe "$(KRB_INSTALL_DIR)\bin\."
+	copy windows\leash\$(OUTPRE)*.pdb "$(KRB_INSTALL_DIR)\bin\."
 	copy windows\kfwlogon\$(OUTPRE)*.lib "$(KRB_INSTALL_DIR)\lib\."
 	copy windows\kfwlogon\$(OUTPRE)*.exe "$(KRB_INSTALL_DIR)\bin\."
 	copy windows\kfwlogon\$(OUTPRE)*.dll "$(KRB_INSTALL_DIR)\bin\."
+	copy windows\kfwlogon\$(OUTPRE)*.pdb "$(KRB_INSTALL_DIR)\bin\."
 	copy util\windows\$(OUTPRE)*.lib $(KRB_INSTALL_DIR)\lib\."
 	copy util\wshelper\$(OUTPRE)$(DLIB).lib "$(KRB_INSTALL_DIR)\lib\."
 	copy util\wshelper\$(OUTPRE)$(DLIB).dll "$(KRB_INSTALL_DIR)\bin\."
+	copy util\wshelper\$(OUTPRE)$(DLIB).pdb "$(KRB_INSTALL_DIR)\bin\."
 	copy ccapi\lib\win\srctmp\$(OUTPRE)$(CCLIB).dll "$(KRB_INSTALL_DIR)\bin\."
+	copy ccapi\lib\win\srctmp\$(OUTPRE)$(CCLIB).pdb "$(KRB_INSTALL_DIR)\bin\."
 	copy ccapi\lib\win\srctmp\$(CCLIB).lib "$(KRB_INSTALL_DIR)\lib\."
 	copy ccapi\server\win\srctmp\$(OUTPRE)ccapiserver.exe "$(KRB_INSTALL_DIR)\bin\."
 	copy clients\kvno\$(OUTPRE)kvno.exe "$(KRB_INSTALL_DIR)\bin\."
@@ -576,6 +590,16 @@ install-windows::
 	copy clients\kdeltkt\$(OUTPRE)kdeltkt.exe "$(KRB_INSTALL_DIR)\bin\."
 	copy clients\kpasswd\$(OUTPRE)kpasswd.exe "$(KRB_INSTALL_DIR)\bin\."
 	copy clients\kswitch\$(OUTPRE)kswitch.exe "$(KRB_INSTALL_DIR)\bin\."
+	copy ccapi\server\win\srctmp\$(OUTPRE)ccapiserver.pdb "$(KRB_INSTALL_DIR)\bin\."
+	copy clients\kvno\$(OUTPRE)kvno.pdb "$(KRB_INSTALL_DIR)\bin\."
+	copy clients\klist\$(OUTPRE)klist.pdb "$(KRB_INSTALL_DIR)\bin\."
+	copy clients\kinit\$(OUTPRE)kinit.pdb "$(KRB_INSTALL_DIR)\bin\."
+	copy clients\kdestroy\$(OUTPRE)kdestroy.pdb "$(KRB_INSTALL_DIR)\bin\."
+	copy clients\kcpytkt\$(OUTPRE)kcpytkt.pdb "$(KRB_INSTALL_DIR)\bin\."
+	copy clients\kdeltkt\$(OUTPRE)kdeltkt.pdb "$(KRB_INSTALL_DIR)\bin\."
+	copy clients\kpasswd\$(OUTPRE)kpasswd.pdb "$(KRB_INSTALL_DIR)\bin\."
+	copy clients\kswitch\$(OUTPRE)kswitch.pdb "$(KRB_INSTALL_DIR)\bin\."
+	copy windows\leash\htmlhelp\*.chm "$(KRB_INSTALL_DIR)\bin\."
 
 install-unix:: 
 	$(INSTALL_SCRIPT) krb5-config \

src/ccapi/common/win/OldCC/autolock.hxx

@@ -35,10 +35,8 @@ public:
     ~CcOsLock()     {DeleteCriticalSection(&cs);       valid = false;}
     void lock()     {if (valid) EnterCriticalSection(&cs);}
     void unlock()   {if (valid) LeaveCriticalSection(&cs);}
-#if 0
     bool trylock()  {return valid ? (TryEnterCriticalSection(&cs) ? true : false)
                                   : false; }
-#endif
 };
 
 class CcAutoLock {
@@ -50,4 +48,13 @@ public:
     ~CcAutoLock() { m_lock.unlock(); }
 };
 
+class CcAutoTryLock {
+    CcOsLock& m_lock;
+    bool m_locked;
+public:
+    CcAutoTryLock(CcOsLock& lock):m_lock(lock) { m_locked = m_lock.trylock(); }
+    ~CcAutoTryLock() { if (m_locked) m_lock.unlock(); m_locked = false; }
+    bool IsLocked() const { return m_locked; }
+};
+
 #endif /* __AUTOLOCK_HXX */

src/ccapi/common/win/win-utils.h

@@ -42,7 +42,8 @@ static enum ccapiMsgType {
     CCMSG_REQUEST_REPLY,
     CCMSG_DISCONNECT,
     CCMSG_LISTEN,
-    CCMSG_PING
+    CCMSG_PING,
+    CCMSG_QUIT
     };
 
 char*                   clientEndpoint(const char* UUID);

src/ccapi/lib/ccapi_context.c

@@ -79,12 +79,12 @@ static cc_int32 cci_context_sync (cci_context_t in_context,
 #pragma mark -
 #endif
 
-MAKE_INIT_FUNCTION(cci_thread_init);
-MAKE_FINI_FUNCTION(cci_thread_fini);
+MAKE_INIT_FUNCTION(cci_process_init);
+MAKE_FINI_FUNCTION(cci_process_fini);
 
 /* ------------------------------------------------------------------------ */
 
-static int cci_thread_init (void)
+static int cci_process_init (void)
 {
     cc_int32 err = ccNoError;
 
@@ -93,7 +93,7 @@ static int cci_thread_init (void)
     }
 
     if (!err) {
-        err = cci_ipc_thread_init ();
+        err = cci_ipc_process_init ();
     }
 
     if (!err) {
@@ -105,9 +105,9 @@ static int cci_thread_init (void)
 
 /* ------------------------------------------------------------------------ */
 
-static void cci_thread_fini (void)
+static void cci_process_fini (void)
 {
-    if (!INITIALIZER_RAN (cci_thread_init) || PROGRAM_EXITING ()) {
+    if (!INITIALIZER_RAN (cci_process_init) || PROGRAM_EXITING ()) {
 	return;
     }
 
@@ -134,7 +134,7 @@ cc_int32 cc_initialize (cc_context_t  *out_context,
     if (!out_context) { err = cci_check_error (ccErrBadParam); }
 
     if (!err) {
-        err = CALL_INIT_FUNCTION (cci_thread_init);
+        err = CALL_INIT_FUNCTION (cci_process_init);
     }
 
     if (!err) {

src/ccapi/lib/ccapi_ipc.c

@@ -28,6 +28,13 @@
 
 /* ------------------------------------------------------------------------ */
 
+cc_int32 cci_ipc_process_init (void)
+{
+    return cci_os_ipc_process_init ();
+}
+
+/* ------------------------------------------------------------------------ */
+
 cc_int32 cci_ipc_thread_init (void)
 {
     return cci_os_ipc_thread_init ();

src/ccapi/lib/ccapi_ipc.h

@@ -28,6 +28,8 @@
 
 #include "cci_common.h"
 
+cc_int32 cci_ipc_process_init (void);
+
 cc_int32 cci_ipc_thread_init (void);
 
 cc_int32 cci_ipc_send (enum cci_msg_id_t  in_request_name,

src/ccapi/lib/ccapi_os_ipc.h

@@ -28,6 +28,8 @@
 
 #include "cci_common.h"
 
+cc_int32 cci_os_ipc_process_init (void);
+
 cc_int32 cci_os_ipc_thread_init (void);
 
 cc_int32 cci_os_ipc (cc_int32      in_launch_server,

src/ccapi/lib/win/OldCC/client.cxx

@@ -195,12 +195,13 @@ DWORD find_server(Init::InitInfo& info, LPSTR endpoint) {
                                        psa,         // SA
                                        FALSE, 
                                        CREATE_NEW_PROCESS_GROUP | 
-                                       CREATE_NEW_CONSOLE |
                                        NORMAL_PRIORITY_CLASS |
-                                       // CREATE_NO_WINDOW |
-                                       // DETACHED_PROCESS |    /* KPK TODO: was set - restore */
-                                       0
-                                       ,
+#ifdef CCAPI_LAUNCH_SERVER_WITH_CONSOLE
+                                       CREATE_NEW_CONSOLE |
+#else
+                                       DETACHED_PROCESS |
+#endif
+                                       0,
                                        NULL,        // environment
                                        szDir,       // current dir
                                        &si,
@@ -236,11 +237,41 @@ DWORD find_server(Init::InitInfo& info, LPSTR endpoint) {
 
 }
 
+static
+DWORD
+make_random_challenge(DWORD *challenge_out) {
+    HCRYPTPROV provider;
+    DWORD status = 0;
+    *challenge_out = 0;
+    if (!CryptAcquireContext(&provider, NULL, NULL, PROV_RSA_FULL,
+                             CRYPT_VERIFYCONTEXT)) {
+        status = GetLastError();
+        cci_check_error(status);
+        return status;
+        }
+    if (!CryptGenRandom(provider, sizeof(*challenge_out),
+                        (BYTE *)challenge_out)) {
+        status = GetLastError();
+        cci_check_error(status);
+        return status;
+        }
+    if (!CryptReleaseContext(provider, 0)) {
+        /*
+         * Note: even though CryptReleaseContext() failed, we don't really
+         * care since a) we've already successfully obtained our challenge
+         * anyway and b) at least one of the potential errors, "ERROR_BUSY"
+         * does not really seem to be an error at all.  So GetLastError() is
+         * logged for informational purposes only and should not be returned.
+         */
+        cci_check_error(GetLastError());
+        }
+    return status;
+}
+
 static
 DWORD
 authenticate_server(Init::InitInfo& info) {
-    DWORD               challenge       = 17; // XXX - maybe use random number
-    DWORD               desired_response= challenge + 1;
+    DWORD               challenge, desired_response;
     HANDLE              hMap            = 0;
     LPSTR               mem_name        = 0;
     PDWORD              pvalue          = 0;
@@ -253,6 +284,12 @@ authenticate_server(Init::InitInfo& info) {
     status = alloc_name(&mem_name, "auth", isNT());
     cci_check_error(status);
 
+    if (!status) {
+        status = make_random_challenge(&challenge);
+        desired_response = challenge + 1;
+        cci_check_error(status);
+        }
+
     if (!status) {
         if (isNT()) {
             sa.nLength = sizeof(sa);
@@ -358,10 +395,11 @@ Client::Connect(char* ep OPTIONAL) {
     }
 
 DWORD Client::Initialize(char* ep OPTIONAL) {
-    CcAutoLock AL(Client::sLock);
+    CcAutoTryLock AL(Client::sLock);
+    if (!AL.IsLocked() || s_init)
+        return 0;
     SecureClient s;
     ccs_request_IfHandle  = NULL;
-    if (s_init) return 0;
     DWORD status = Client::Connect(ep);
     if (!status) s_init = true;
     return status;