Add krb5_allow_weak_crypto API

Add an API to allow apps to override the profile setting of
allow_weak_crypto, so that aklog can work with krb5 1.8 out of the box
until OpenAFS finishes migrating away from DES.

ticket: 6645
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23663 dc483132-0cff-0310-8789-dd5450dbe970

4 files changed, 45 insertions, 0 deletions

diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 0941273..63b6971 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -2553,6 +2553,11 @@ krb5_pac_verify(krb5_context context, const krb5_pac pac,
                 krb5_timestamp authtime, krb5_const_principal principal,
                 const krb5_keyblock *server, const krb5_keyblock *privsvr);
 
+/* Allows the appplication to override the profile's allow_weak_crypto setting.
+ * Primarily for use by aklog. */
+krb5_error_code KRB5_CALLCONV
+krb5_allow_weak_crypto(krb5_context context, krb5_boolean enable);
+
 #if TARGET_OS_MAC
 #    pragma pack(pop)
 #endif
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
index 8c2b59f..2fad9e9 100644
--- a/src/lib/krb5/krb/Makefile.in
+++ b/src/lib/krb5/krb/Makefile.in
@@ -14,6 +14,7 @@ STLIBOBJS= \
 	addr_comp.o	\
 	addr_order.o	\
 	addr_srch.o	\
+	allow_weak.o	\
 	appdefault.o	\
 	auth_con.o	\
 	authdata.o	\
diff --git a/src/lib/krb5/krb/allow_weak.c b/src/lib/krb5/krb/allow_weak.c
new file mode 100644
index 0000000..1290d1f
--- /dev/null
+++ b/src/lib/krb5/krb/allow_weak.c
@@ -0,0 +1,38 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/krb5/krb/allow_weak.c
+ *
+ * Copyright (C) 2010 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Implements krb5_allow_weak_crypto.
+ */
+
+#include "k5-int.h"
+
+krb5_error_code KRB5_CALLCONV
+krb5_allow_weak_crypto(krb5_context context, krb5_boolean enable)
+{
+    context->allow_weak_crypto = (enable != FALSE);
+    return 0;
+}
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 2bfbeea..1a1ae45 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -108,6 +108,7 @@ krb5_524_convert_creds
 krb5_address_compare
 krb5_address_order
 krb5_address_search
+krb5_allow_weak_crypto
 krb5_aname_to_localname
 krb5_anonymous_principal
 krb5_anonymous_realm