Add krb5_allow_weak_crypto API to enable weak enctypes

Add krb5_allow_weak_crypto parallel to the API introduced in MIT
Kerberos 1.8.  Enables or disables all enctypes marked as weak.
Add a new enctype flag marking weak enctypes (all of the ones that
are disabled by default).

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>

lib/krb5/crypto.c

@@ -67,6 +67,7 @@ struct krb5_crypto_data {
 #define F_PSEUDO	16	/* not a real protocol type */
 #define F_SPECIAL	32	/* backwards */
 #define F_DISABLED	64	/* enctype/checksum disabled */
+#define F_WEAK	       128	/* enctype is considered weak */
 
 struct salt_type {
     krb5_salttype type;
@@ -2612,7 +2613,7 @@ static struct encryption_type enctype_des_cbc_crc = {
     &keytype_des,
     &checksum_crc32,
     NULL,
-    F_DISABLED,
+    F_DISABLED|F_WEAK,
     evp_des_encrypt_key_ivec,
     0,
     NULL
@@ -2626,7 +2627,7 @@ static struct encryption_type enctype_des_cbc_md4 = {
     &keytype_des,
     &checksum_rsa_md4,
     &checksum_rsa_md4_des,
-    F_DISABLED,
+    F_DISABLED|F_WEAK,
     evp_des_encrypt_null_ivec,
     0,
     NULL
@@ -2640,7 +2641,7 @@ static struct encryption_type enctype_des_cbc_md5 = {
     &keytype_des,
     &checksum_rsa_md5,
     &checksum_rsa_md5_des,
-    F_DISABLED,
+    F_DISABLED|F_WEAK,
     evp_des_encrypt_null_ivec,
     0,
     NULL
@@ -2654,7 +2655,7 @@ static struct encryption_type enctype_des_cbc_none = {
     &keytype_des,
     &checksum_none,
     NULL,
-    F_PSEUDO|F_DISABLED,
+    F_PSEUDO|F_DISABLED|F_WEAK,
     evp_des_encrypt_null_ivec,
     0,
     NULL
@@ -2668,7 +2669,7 @@ static struct encryption_type enctype_des_cfb64_none = {
     &keytype_des_old,
     &checksum_none,
     NULL,
-    F_PSEUDO|F_DISABLED,
+    F_PSEUDO|F_DISABLED|F_WEAK,
     DES_CFB64_encrypt_null_ivec,
     0,
     NULL
@@ -2682,7 +2683,7 @@ static struct encryption_type enctype_des_pcbc_none = {
     &keytype_des_old,
     &checksum_none,
     NULL,
-    F_PSEUDO|F_DISABLED,
+    F_PSEUDO|F_DISABLED|F_WEAK,
     DES_PCBC_encrypt_key_ivec,
     0,
     NULL
@@ -4402,6 +4403,33 @@ krb5_enctype_enable(krb5_context context,
     return 0;
 }
 
+/**
+ * Enable or disable all weak encryption types
+ *
+ * @param context Kerberos 5 context
+ * @param enable true to enable, false to disable
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_allow_weak_crypto(krb5_context context,
+		       krb5_boolean enable)
+{
+    int i;
+
+    for(i = 0; i < num_etypes; i++)
+	if(etypes[i]->flags & F_WEAK) {
+	    if(enable)
+		etypes[i]->flags &= ~F_DISABLED;
+	    else
+		etypes[i]->flags |= F_DISABLED;
+	}
+    return 0;
+}
+
 
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_string_to_key_derived(krb5_context context,

lib/krb5/libkrb5-exports.def.in

@@ -21,6 +21,7 @@ EXPORTS
 	krb5_address_order
 	krb5_address_prefixlen_boundary
 	krb5_address_search
+	krb5_allow_weak_crypto
 	krb5_aname_to_localname
 	krb5_anyaddr
 	krb5_appdefault_boolean

lib/krb5/version-script.map

@@ -20,6 +20,7 @@ HEIMDAL_KRB5_2.0 {
 		krb5_address_order;
 		krb5_address_prefixlen_boundary;
 		krb5_address_search;
+		krb5_allow_weak_crypto;
 		krb5_aname_to_localname;
 		krb5_anyaddr;
 		krb5_appdefault_boolean;