Diffstat (limited to 'src')
-rw-r--r--src/include/k5-int.h3
-rw-r--r--src/include/krb5/krb5.hin23
-rw-r--r--src/lib/krb5/krb/init_ctx.c39
-rw-r--r--src/lib/krb5/libkrb5.exports1
-rw-r--r--src/lib/krb5/os/init_os_ctx.c8
-rw-r--r--src/lib/krb5_32.def1
6 files changed, 53 insertions, 22 deletions
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 76993f397a..a4ac496c21 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -606,7 +606,8 @@ krb5_error_code krb5_sync_disk_file(krb5_context, FILE *fp);
krb5_error_code krb5int_init_context_kdc(krb5_context *);
-krb5_error_code krb5_os_init_context(krb5_context, krb5_boolean);
+krb5_error_code krb5_os_init_context(krb5_context context, profile_t profile,
+ krb5_flags flags);
void krb5_os_free_context(krb5_context);
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index c6a1ba2a4e..21698fe06d 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -2695,6 +2695,9 @@ krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab,
* begin "func-proto.h"
*/
+#define KRB5_INIT_CONTEXT_SECURE 0x1 /** Use secure context configuration */
+#define KRB5_INIT_CONTEXT_KDC 0x2 /** Use KDC configuration if available */
+
/**
* Create a krb5 library context.
*
@@ -2735,6 +2738,26 @@ krb5_error_code KRB5_CALLCONV
krb5_init_secure_context(krb5_context *context);
/**
+ * Create a krb5 library context using a specified profile.
+ *
+ * @param [in] profile Profile object (NULL to create default profile)
+ * @param [in] flags Context initialization flags
+ * @param [out] context Library context
+ *
+ * Create a context structure, optionally using a specified profile and
+ * initialization flags. If @a profile is NULL, the default profile will be
+ * created from config files. If @a profile is non-null, a copy of it will be
+ * made for the new context; the caller should still clean up its copy. Valid
+ * flag values are:
+ *
+ * @li @c KRB5_INIT_CONTEXT_SECURE Ignore environment variables
+ * @li @c KRB5_INIT_CONTEXT_KDC Use KDC configuration if creating profile
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_init_context_profile(struct _profile_t *profile, krb5_flags flags,
+ krb5_context *context);
+
+/**
* Free a krb5 library context.
*
* @param [in] context Library context
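Review bot: The flag list describes KRB5_INIT_CONTEXT_SECURE as "Ignore environment variables", but that holds only when @a profile is NULL. In the init_os_ctx.c part of this commit a non-null profile is copied with profile_copy() and os_init_paths() is skipped, so whatever the caller consulted to build the profile stays in effect. A privileged caller needs to know this; I would add a sentence such as `If @a profile is non-null it is used as given, so a caller requesting a secure context must build the profile without consulting the environment.` The block also states no return value; a `@retval 0 Success` line plus a note that other values are Kerberos error codes would complete it.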
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index c5bac1330a..048f723408 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -72,18 +72,12 @@ extern krb5_error_code krb5_vercheck();
extern void krb5_win_ccdll_load(krb5_context context);
#endif
-static krb5_error_code init_common (krb5_context *, krb5_boolean, krb5_boolean);
+static krb5_error_code init_common(profile_t profile, krb5_flags flags,
+ krb5_context *context_out);
krb5_error_code KRB5_CALLCONV
krb5_init_context(krb5_context *context)
{
-
- return init_common (context, FALSE, FALSE);
-}
-
-krb5_error_code KRB5_CALLCONV
-krb5_init_secure_context(krb5_context *context)
-{
/*
* This is rather silly, but should improve our chances of
* retaining the krb5_brand array in the final linked library,
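Review bot: The forward declaration `static krb5_error_code init_common(profile_t profile, krb5_flags flags, krb5_context *context_out);` is kept and updated here, but the next hunk renames the definition to krb5_init_context_profile. Every caller visible in this diff now uses that name, so this looks like a static declaration with no definition behind it. Compilers warn about a static function that is declared but never defined; I would delete these two lines, since the prototype added to krb5.hin already declares the new function. The rest of the file is outside the hunks, so confirm nothing else still refers to init_common.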
@@ -95,19 +89,26 @@ krb5_init_secure_context(krb5_context *context)
* If someday we grow an API to actually return the string, we can
* get rid of this silliness.
*/
- int my_false = (krb5_brand[0] == 0);
+ int my_zero = (krb5_brand[0] == 0);
+
+ return krb5_init_context_profile(NULL, my_zero, context);
+}
- return init_common(context, TRUE, my_false);
+krb5_error_code KRB5_CALLCONV
+krb5_init_secure_context(krb5_context *context)
+{
+ return krb5_init_context_profile(NULL, KRB5_INIT_CONTEXT_SECURE, context);
}
krb5_error_code
krb5int_init_context_kdc(krb5_context *context)
{
- return init_common (context, FALSE, TRUE);
+ return krb5_init_context_profile(NULL, KRB5_INIT_CONTEXT_KDC, context);
}
-static krb5_error_code
-init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc)
+krb5_error_code
+krb5_init_context_profile(profile_t profile, krb5_flags flags,
+ krb5_context *context_out)
{
krb5_context ctx = 0;
krb5_error_code retval;
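Review bot: The definition of krb5_init_context_profile is written as plain `krb5_error_code`, while the prototype added to krb5.hin is `krb5_error_code KRB5_CALLCONV`. Where KRB5_CALLCONV expands to a non-default calling convention the two disagree, so the definition should start `krb5_error_code KRB5_CALLCONV`, like krb5_init_context and krb5_init_secure_context above it. Separately, krb5_init_context now passes `my_zero` as the flags word, and it would equal 0x1 (KRB5_INIT_CONTEXT_SECURE) if krb5_brand were ever empty. A comment such as `/* krb5_brand is never empty, so this is 0 (no flags) */` would make that dependency explicit. The body of krb5_init_context_profile continues outside the hunk.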
@@ -145,7 +146,7 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc)
* The context being NULL is ok.
*/
krb5_win_ccdll_load(ctx);
-
+p
/*
* krb5_vercheck() is defined in win_glue.c, and this is
* where we handle the timebomb and version server checks.
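Review bot: The added line `p` replaces what was a blank line after `krb5_win_ccdll_load(ctx);` and is not valid C; it looks like a stray keystroke. The surrounding lines refer to the ccache DLL and win_glue.c, so this region is probably compiled only on Windows, which would explain why a Unix build did not catch it. Restore the blank line. The enclosing block starts and ends outside the hunk.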
@@ -155,16 +156,16 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc)
return retval;
#endif
- *context = 0;
+ *context_out = NULL;
ctx = calloc(1, sizeof(struct _krb5_context));
if (!ctx)
return ENOMEM;
ctx->magic = KV5M_CONTEXT;
- ctx->profile_secure = secure;
+ ctx->profile_secure = (flags & KRB5_INIT_CONTEXT_SECURE) != 0;
- if ((retval = krb5_os_init_context(ctx, kdc)))
+ if ((retval = krb5_os_init_context(ctx, profile, flags)) != 0)
goto cleanup;
retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS,
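Review bot: krb5_init_context_profile is a new public entry point, yet `flags` is only tested bit by bit (`flags & KRB5_INIT_CONTEXT_SECURE` here, `flags & KRB5_INIT_CONTEXT_KDC` in krb5_os_init_context), so undefined bits are accepted silently. Rejecting them before the `calloc`, e.g. `if (flags & ~(KRB5_INIT_CONTEXT_SECURE | KRB5_INIT_CONTEXT_KDC)) return EINVAL;`, would let later releases assign new bits without old callers already having passed arbitrary values. The function starts before and continues after the hunk.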
@@ -254,10 +255,10 @@ init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc)
ctx->udp_pref_limit = -1;
ctx->trace_callback = NULL;
#ifndef DISABLE_TRACING
- if (!secure)
+ if (!ctx->profile_secure)
krb5int_init_trace(ctx);
#endif
- *context = ctx;
+ *context_out = ctx;
return 0;
cleanup:
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index edc4b1fc58..20bb6803da 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -385,6 +385,7 @@ krb5_get_tgs_ktypes
krb5_get_time_offsets
krb5_get_validated_creds
krb5_init_context
+krb5_init_context_profile
krb5_init_creds_free
krb5_init_creds_get
krb5_init_creds_get_creds
diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c
index 98b8ae2307..1ed1bc0df7 100644
--- a/src/lib/krb5/os/init_os_ctx.c
+++ b/src/lib/krb5/os/init_os_ctx.c
@@ -358,7 +358,7 @@ os_init_paths(krb5_context ctx, krb5_boolean kdc)
}
krb5_error_code
-krb5_os_init_context(krb5_context ctx, krb5_boolean kdc)
+krb5_os_init_context(krb5_context ctx, profile_t profile, krb5_flags flags)
{
krb5_os_context os_ctx;
krb5_error_code retval = 0;
@@ -378,7 +378,11 @@ krb5_os_init_context(krb5_context ctx, krb5_boolean kdc)
PLUGIN_DIR_INIT(&ctx->libkrb5_plugins);
ctx->preauth_context = NULL;
- retval = os_init_paths(ctx, kdc);
+ /* Use the profile we were handed, or create one from config files. */
+ if (profile)
+ retval = profile_copy(profile, &ctx->profile);
+ else
+ retval = os_init_paths(ctx, (flags & KRB5_INIT_CONTEXT_KDC) != 0);
if (retval)
return retval;
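Review bot: When `profile` is non-null the new branch calls only `profile_copy(profile, &ctx->profile)` and skips os_init_paths(), so the KDC flag is dropped without notice. Anything os_init_paths() does besides assigning ctx->profile is skipped as well. That function is outside the hunk, so this needs checking: if it sets other context fields or maps profile errors to krb5 error codes, the copy branch should do the same. At minimum I would extend the comment, e.g. `/* Use the profile we were handed (flags do not affect it), or create one from config files. */`.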
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index 032faf759c..6ba6368a3a 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -409,3 +409,4 @@ EXPORTS
; new in 1.10
krb5_sname_match @384
k5_kt_get_principal @385 ; PRIVATE GSSAPI
+ krb5_init_context @386
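Review bot: The added export is `krb5_init_context @386`, but the function this commit introduces is krb5_init_context_profile, which is the name libkrb5.exports gains in the same commit. As written, the new function is not exported from the Windows DLL. krb5_init_context is presumably already listed earlier in this file (outside the hunk), which would make the new line a duplicate entry. The line should read `krb5_init_context_profile @386`.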