Make compile for weak crypto global (HEIM_WEAK_CRYPTO) and use it for GSSAPI too

configure.in

@@ -61,6 +61,8 @@ LT_INIT([shared static win32-dll])
 AM_CONDITIONAL(ENABLE_SHARED, test "$enable_shared" = "yes")
 rk_VERSIONSCRIPT
 
+AC_DEFINE(HEIM_WEAK_CRYPTO, 1, [Define if you want support for weak crypto])
+
 rk_TEST_PACKAGE(openldap,
 [#include <lber.h>
 #include <ldap.h>],

lib/gssapi/krb5/get_mic.c

@@ -33,6 +33,8 @@
 
 #include "gsskrb5_locl.h"
 
+#ifdef HEIM_WEAK_CRYPTO
+
 static OM_uint32
 mic_des
            (OM_uint32 * minor_status,
@@ -125,6 +127,7 @@ mic_des
   *minor_status = 0;
   return GSS_S_COMPLETE;
 }
+#endif
 
 static OM_uint32
 mic_des3
@@ -301,8 +304,12 @@ OM_uint32 _gsskrb5_get_mic
 
   switch (keytype) {
   case KEYTYPE_DES :
+#ifdef HEIM_WEAK_CRYPTO
       ret = mic_des (minor_status, ctx, context, qop_req,
 		     message_buffer, message_token, key);
+#else
+      ret = GSS_S_FAILURE;
+#endif
       break;
   case KEYTYPE_DES3 :
       ret = mic_des3 (minor_status, ctx, context, qop_req,

lib/gssapi/krb5/unwrap.c

@@ -33,6 +33,8 @@
 
 #include "gsskrb5_locl.h"
 
+#ifdef HEIM_WEAK_CRYPTO
+
 static OM_uint32
 unwrap_des
            (OM_uint32 * minor_status,
@@ -182,6 +184,7 @@ unwrap_des
 	  output_message_buffer->length);
   return GSS_S_COMPLETE;
 }
+#endif
 
 static OM_uint32
 unwrap_des3
@@ -416,9 +419,13 @@ OM_uint32 _gsskrb5_unwrap
 
   switch (keytype) {
   case KEYTYPE_DES :
+#ifdef HEIM_WEAK_CRYPTO
       ret = unwrap_des (minor_status, ctx,
 			input_message_buffer, output_message_buffer,
 			conf_state, qop_state, key);
+#else
+      ret = GSS_S_FAILURE;
+#endif
       break;
   case KEYTYPE_DES3 :
       ret = unwrap_des3 (minor_status, ctx, context,

lib/gssapi/krb5/verify_mic.c

@@ -33,6 +33,8 @@
 
 #include "gsskrb5_locl.h"
 
+#ifdef HEIM_WEAK_CRYPTO
+
 static OM_uint32
 verify_mic_des
            (OM_uint32 * minor_status,
@@ -129,6 +131,7 @@ verify_mic_des
 
   return GSS_S_COMPLETE;
 }
+#endif
 
 static OM_uint32
 verify_mic_des3
@@ -296,9 +299,13 @@ _gsskrb5_verify_mic_internal
     krb5_enctype_to_keytype (context, key->keytype, &keytype);
     switch (keytype) {
     case KEYTYPE_DES :
+#ifdef HEIM_WEAK_CRYPTO
 	ret = verify_mic_des (minor_status, ctx, context,
 			      message_buffer, token_buffer, qop_state, key,
 			      type);
+#else
+      ret = GSS_S_FAILURE;
+#endif
 	break;
     case KEYTYPE_DES3 :
 	ret = verify_mic_des3 (minor_status, ctx, context,

lib/gssapi/krb5/wrap.c

@@ -168,7 +168,11 @@ _gsskrb5_wrap_size_limit (
 
   switch (keytype) {
   case KEYTYPE_DES :
+#ifdef HEIM_WEAK_CRYPTO
       ret = sub_wrap_size(req_output_size, max_input_size, 8, 22);
+#else
+      ret = GSS_S_FAILURE;
+#endif
       break;
   case KEYTYPE_ARCFOUR:
   case KEYTYPE_ARCFOUR_56:
@@ -188,6 +192,8 @@ _gsskrb5_wrap_size_limit (
   return ret;
 }
 
+#ifdef HEIM_WEAK_CRYPTO
+
 static OM_uint32
 wrap_des
            (OM_uint32 * minor_status,
@@ -325,6 +331,8 @@ wrap_des
   return GSS_S_COMPLETE;
 }
 
+#endif
+
 static OM_uint32
 wrap_des3
            (OM_uint32 * minor_status,
@@ -553,9 +561,13 @@ OM_uint32 _gsskrb5_wrap
 
   switch (keytype) {
   case KEYTYPE_DES :
+#ifdef HEIM_WEAK_CRYPTO
       ret = wrap_des (minor_status, ctx, context, conf_req_flag,
 		      qop_req, input_message_buffer, conf_state,
 		      output_message_buffer, key);
+#else
+      ret = GSS_S_FAILURE;
+#endif
       break;
   case KEYTYPE_DES3 :
       ret = wrap_des3 (minor_status, ctx, context, conf_req_flag,

lib/krb5/crypto.c

@@ -36,8 +36,6 @@
 #include "krb5_locl.h"
 #include <pkinit_asn1.h>
 
-#define WEAK_ENCTYPES 1
-
 #ifndef HEIMDAL_SMALLER
 #define DES3_OLD_ENCTYPE 1
 #endif
@@ -182,7 +180,7 @@ struct evp_schedule {
 
 static HEIMDAL_MUTEX crypto_mutex = HEIMDAL_MUTEX_INITIALIZER;
 
-#ifdef WEAK_ENCTYPES
+#ifdef HEIM_WEAK_CRYPTO
 static void
 krb5_DES_random_key(krb5_context context,
 		    krb5_keyblock *key)
@@ -715,7 +713,7 @@ evp_cleanup(krb5_context context, struct key_data *kd)
  *
  */
 
-#ifdef WEAK_ENCTYPES
+#ifdef HEIM_WEAK_CRYPTO
 static struct salt_type des_salt[] = {
     {
 	KRB5_PW_SALT,
@@ -786,7 +784,7 @@ static struct key_type keytype_null = {
     NULL
 };
 
-#ifdef WEAK_ENCTYPES
+#ifdef HEIM_WEAK_CRYPTO
 static struct key_type keytype_des_old = {
     KEYTYPE_DES,
     "des-old",
@@ -812,7 +810,7 @@ static struct key_type keytype_des = {
     evp_cleanup,
     EVP_des_cbc
 };
-#endif /* WEAK_ENCTYPES */
+#endif /* HEIM_WEAK_CRYPTO */
 
 #ifdef DES3_OLD_ENCTYPE
 static struct key_type keytype_des3 = {
@@ -2056,7 +2054,7 @@ evp_encrypt(krb5_context context,
     return 0;
 }
 
-#ifdef WEAK_ENCTYPES
+#ifdef HEIM_WEAK_CRYPTO
 static krb5_error_code
 evp_des_encrypt_null_ivec(krb5_context context,
 			  struct key_data *key,
@@ -2505,7 +2503,7 @@ static struct encryption_type enctype_des3_cbc_none = {
     0,
     NULL
 };
-#ifdef WEAK_ENCTYPES
+#ifdef HEIM_WEAK_CRYPTO
 static struct encryption_type enctype_des_cbc_crc = {
     ETYPE_DES_CBC_CRC,
     "des-cbc-crc",
@@ -2590,7 +2588,7 @@ static struct encryption_type enctype_des_pcbc_none = {
     0,
     NULL
 };
-#endif /* WEAK_ENCTYPES */
+#endif /* HEIM_WEAK_CRYPTO */
 
 static struct encryption_type *etypes[] = {
     &enctype_aes256_cts_hmac_sha1,
@@ -2602,7 +2600,7 @@ static struct encryption_type *etypes[] = {
     &enctype_des3_cbc_md5,
     &enctype_old_des3_cbc_sha1,
 #endif
-#ifdef WEAK_ENCTYPES
+#ifdef HEIM_WEAK_CRYPTO
     &enctype_des_cbc_crc,
     &enctype_des_cbc_md4,
     &enctype_des_cbc_md5,