From 5c54736678cb6a816477a05c70af25124662e4c6 Mon Sep 17 00:00:00 2001
From: Nicolas Williams <nico@cryptonector.com>
Date: Thu, 20 Oct 2011 13:50:54 -0500
Subject: [PATCH] Removed "weak" option and implemented
 use-referrals/no-referrals

---
 lib/krb5/get_cred.c  | 8 ++++++--
 lib/krb5/krb5.h      | 3 ++-
 lib/krb5/principal.c | 4 ++--
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index 78f120cb9..9e7652e48 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -1444,6 +1444,12 @@ next_rule:
     if(options & KRB5_GC_CACHED)
 	goto next_rule;
 
+    if(rule_opts & KRB5_NCRO_USE_REFERRALS)
+	flags.b.canonicalize = 1;
+    else if(rule_opts & KRB5_NCRO_NO_REFERRALS)
+	flags.b.canonicalize = 0;
+    else
+	flags.b.canonicalize = (options & KRB5_GC_CANONICALIZE) ? 1 : 0;
     if(options & KRB5_GC_USER_USER) {
 	flags.b.enc_tkt_in_skey = 1;
 	options |= KRB5_GC_NO_STORE;
@@ -1456,8 +1462,6 @@ next_rule:
 	flags.b.request_anonymous = 1; /* XXX ARGH confusion */
 	flags.b.constrained_delegation = 1;
     }
-    if (options & KRB5_GC_CANONICALIZE)
-	flags.b.canonicalize = 1;
 
     tgts = NULL;
     ret = _krb5_get_cred_kdc_any(context, flags, ccache,
diff --git a/lib/krb5/krb5.h b/lib/krb5/krb5.h
index 5fa9e780c..84b3f0e22 100644
--- a/lib/krb5/krb5.h
+++ b/lib/krb5/krb5.h
@@ -889,7 +889,8 @@ typedef struct {
 
 typedef enum krb5_name_canon_rule_options {
 	KRB5_NCRO_GC_ONLY = 1 << 0,
-	KRB5_NCRO_NO_REFERRALS = 1 << 1,
+	KRB5_NCRO_USE_REFERRALS = 1 << 1,
+	KRB5_NCRO_NO_REFERRALS = 1 << 2,
 	KRB5_NCRO_SECURE = 1 << 2
 } krb5_name_canon_rule_options;
 
diff --git a/lib/krb5/principal.c b/lib/krb5/principal.c
index 0894658cd..3d443e8a2 100644
--- a/lib/krb5/principal.c
+++ b/lib/krb5/principal.c
@@ -1300,13 +1300,13 @@ rule_parse_token(krb5_context context, krb5_name_canon_rule rule,
     /* Rule options: */
     } else if (strcmp(tok, "secure") == 0) {
 	rule->options |= KRB5_NCRO_SECURE;
-    } else if (strcmp(tok, "weak") == 0) {
-	rule->options &= ~KRB5_NCRO_SECURE;
     } else if (strcmp(tok, "ccache_only") == 0) {
 	rule->options |= KRB5_NCRO_GC_ONLY;
     } else if (strcmp(tok, "no_referrals") == 0) {
 	rule->options |= KRB5_NCRO_NO_REFERRALS;
+	rule->options &= ~KRB5_NCRO_USE_REFERRALS;
     } else if (strcmp(tok, "use_referrals") == 0) {
+	rule->options |= KRB5_NCRO_USE_REFERRALS;
 	rule->options &= ~KRB5_NCRO_NO_REFERRALS;
     /* Rule ancilliary data: */
     } else if (strncmp(tok, "domain=", strlen("domain=")) == 0) {