On Wed, Mar 28, 2007 at 09:04:31PM +0200, [EMAIL PROTECTED] wrote:
> the patch is appreciated, hope it will be accepted
> (of course running all installations here secure-only anyway).
>
> Maybe it's time to deprecate the cross-compatibility with old insecure
> installations? As a bonus, some code could be dropped.
I was thinking of changing it with something like the following patch,
which would still allow XOR to be reenabled at run-time if necessary.
Then at a later point I would just remove the code that implements the
old handshake which should be fairly easy to identify as it involves
anything that is disabled by the RPC2_secure_only variable.
Jan
diff --git a/rpc2-src/rpc2b.c b/rpc2-src/rpc2b.c
index 0a4eca1..825e488 100644
--- a/rpc2-src/rpc2b.c
+++ b/rpc2-src/rpc2b.c
@@ -112,15 +112,10 @@ long RPC2_Init(char *VId, /* magic version string
*/
if (RPC2_Preferred_Keysize > 64)
RPC2_Preferred_Keysize /= 8;
- /* Do we accept only secure connections, default is no. This can
- * be enabled by setting the RPC2SEC_ONLY environment variable.
- * (and forced as disabled by setting RPC2SEC_ONLY=0/false/no)
- *
- * At some point once every client and server is 'expected' to run
- * rpc2-2.0 or later we can change the default behaviour to accept
- * only secure connections. */
+ /* Do we accept only secure connections, default is yes. This can be
+ * disabled by setting the RPC2SEC_ONLY to 0, false, no, (nada, forgetit)
*/
env = getenv("RPC2SEC_ONLY");
- RPC2_secure_only = env && memchr("0fFnN", *env, 5) == NULL;
+ RPC2_secure_only = !env || (env && memchr("0fFnN", *env, 5) == NULL);
verbose = (Options && (Options->Flags & RPC2_OPTION_VERBOSE_INIT));
secure_init(verbose);
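Review bot: the new assignment to RPC2_secure_only still tests only the first character of RPC2SEC_ONLY, so now that secure-only is the default, any value that merely begins with 0, f, F, n or N (for example "force" or "full") silently re-enables the old XOR handshake. Since this variable is now the only switch that weakens the connection, consider matching the whole string against the documented values (0, false, no) and treating anything else as secure. The inner `env &&` is redundant after `!env ||`; `!env || memchr("0fFnN", *env, 5) == NULL` is equivalent. It would also help to report when secure-only has been turned off, using the verbose flag computed on the following line, so an operator can see that an installation is accepting insecure connections. The new comment drops the words "environment variable" that the removed comment had; "setting the RPC2SEC_ONLY environment variable to 0, false or no" would read more clearly.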