-rw-r--r--lib/krb5_wrap/krb5_samba.c53
-rw-r--r--lib/krb5_wrap/krb5_samba.h2
-rwxr-xr-xsource4/heimdal_build/wscript_configure1
-rw-r--r--wscript_configure_system_mitkrb56
4 files changed, 61 insertions, 1 deletions
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index df0db67f88c..84a62a69061 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2405,6 +2405,59 @@ char *smb_get_krb5_error_message(krb5_context context,
return ret;
}
+
+/**
+* @brief Return the kerberos library setting for "libdefaults:allow_weak_crypto"
+*
+* @param context The krb5_context
+*
+* @return krb5_boolean
+*
+* Function returns true if weak crypto is allowd, false if not
+*/
+
+krb5_boolean smb_krb5_get_allowed_weak_crypto(krb5_context context)
+#if defined(HAVE_KRB5_CONFIG_GET_BOOL_DEFAULT)
+{
+ return krb5_config_get_bool_default(context,
+ NULL,
+ FALSE,
+ "libdefaults",
+ "allow_weak_crypto",
+ NULL);
+}
+#elif defined(HAVE_PROFILE_H) && defined(HAVE_KRB5_GET_PROFILE)
+{
+#include <profile.h>
+ krb5_error_code ret;
+ krb5_boolean ret_default = false;
+ profile_t profile;
+ int ret_profile;
+
+ ret = krb5_get_profile(context,
+ &profile);
+ if (ret) {
+ return ret_default;
+ }
+
+ ret = profile_get_boolean(profile,
+ "libdefaults",
+ "allow_weak_crypto",
+ NULL, /* subsubname */
+ ret_default, /* def_val */
+ &ret_profile /* *ret_default */);
+ if (ret) {
+ return ret_default;
+ }
+
+ profile_release(profile);
+
+ return ret_profile;
+}
+#else
+#error UNKNOWN_KRB5_CONFIG_ROUTINES
+#endif
+
#else /* HAVE_KRB5 */
/* this saves a few linking headaches */
int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
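Review bot: In the `HAVE_PROFILE_H` branch the early `return ret_default;` after a failed `profile_get_boolean()` skips `profile_release(profile)`, so the profile obtained from `krb5_get_profile()` is leaked on that path. Moving `profile_release(profile);` to directly after the `profile_get_boolean()` call, before the `if (ret)` check, releases it on both outcomes. `#include <profile.h>` sits inside the function body, which puts the header's declarations in block scope; it would be more robust next to the file's other includes, guarded by `#ifdef HAVE_PROFILE_H`. The doc comment has the typo "allowd" and could state that any lookup failure is reported as false, so callers treat weak crypto as disallowed when the setting cannot be read.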
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 0977f8e06ea..ee06f556e3d 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -306,6 +306,8 @@ int smb_krb5_create_key_from_string(krb5_context context,
krb5_enctype enctype,
krb5_keyblock *key);
+krb5_boolean smb_krb5_get_allowed_weak_crypto(krb5_context context);
+
#endif /* HAVE_KRB5 */
int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index bed63d67ba4..cb53629480f 100755
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -162,6 +162,7 @@ conf.define('HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96', 1)
conf.define('HAVE_KRB5_PRINCIPAL_GET_NUM_COMP', 1)
conf.define('HAVE_GSSAPI_GSSAPI_SPNEGO_H', 1)
conf.define('HAVE_FLAGS_IN_KRB5_CREDS', 1)
+conf.define('HAVE_KRB5_CONFIG_GET_BOOL_DEFAULT', 1)
heimdal_includedirs = []
heimdal_libdirs = []
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index a62d00bdbbf..b971cf79b5f 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -62,6 +62,8 @@ conf.CHECK_FUNCS_IN('des_set_key','crypto')
conf.CHECK_FUNCS_IN('copy_Authenticator', 'asn1')
conf.CHECK_FUNCS_IN('roken_getaddrinfo_hostspec', 'roken')
+conf.CHECK_HEADERS('profile.h')
+
if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi gssapi_krb5'):
have_gssapi=True
@@ -103,7 +105,9 @@ conf.CHECK_FUNCS('''
krb5_get_init_creds_keyblock krb5_get_init_creds_keytab
krb5_make_principal krb5_build_principal_alloc_va
krb5_cc_get_lifetime krb5_cc_retrieve_cred
- krb5_free_checksum_contents krb5_c_make_checksum krb5_create_checksum''',
+ krb5_free_checksum_contents krb5_c_make_checksum krb5_create_checksum
+ krb5_config_get_bool_default krb5_get_profile
+ ''',
lib='krb5 k5crypto')
conf.CHECK_DECLS('''krb5_get_credentials_for_user
krb5_auth_con_set_req_cksumtype''',
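Review bot: Nothing in this file makes configure fail when neither `krb5_config_get_bool_default` nor `krb5_get_profile` is found, so on such a system the problem only surfaces later as `#error UNKNOWN_KRB5_CONFIG_ROUTINES` while compiling lib/krb5_wrap/krb5_samba.c. The profile-based code path also calls `profile_get_boolean` and `profile_release`, which are not probed here; adding them to this `conf.CHECK_FUNCS` list (assuming the system krb5 library exports them) would let the C guard test for everything that branch uses. The `conf.CHECK_FUNCS(` call begins above the hunk.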