On Wed, Mar 28, 2007 at 09:04:31PM +0200, u+codalist-p4pg_at_chalmers.se wrote:
> the patch is appreciated, hope it will be accepted
> (of course running all installations here secure-only anyway).
> 
> May be it's time to deprecate the cross-compatibility with old insecure
> installations? As a bonus, some code could be dropped.

I was thinking of changing it with something like the following patch,
which would still allow XOR to be reenabled at run-time if necessary.

Then at a later point I would just remove the code that implements the
old handshake which should be fairly easy to identify as it involves
anything that is disabled by the RPC2_secure_only variable.

Jan


diff --git a/rpc2-src/rpc2b.c b/rpc2-src/rpc2b.c
index 0a4eca1..825e488 100644
--- a/rpc2-src/rpc2b.c
+++ b/rpc2-src/rpc2b.c
@@ -112,15 +112,10 @@ long RPC2_Init(char *VId,		/* magic version string */
     if (RPC2_Preferred_Keysize > 64)
 	RPC2_Preferred_Keysize /= 8;
 
-    /* Do we accept only secure connections, default is no. This can
-     * be enabled by setting the RPC2SEC_ONLY environment variable.
-     * (and forced as disabled by setting RPC2SEC_ONLY=0/false/no)
-     *
-     * At some point once every client and server is 'expected' to run
-     * rpc2-2.0 or later we can change the default behaviour to accept
-     * only secure connections. */
+    /* Do we accept only secure connections, default is yes. This can be
+     * disabled by setting the RPC2SEC_ONLY to 0, false, no, (nada, forgetit) */
     env = getenv("RPC2SEC_ONLY");
-    RPC2_secure_only = env && memchr("0fFnN", *env, 5) == NULL;
+    RPC2_secure_only = !env || (env && memchr("0fFnN", *env, 5) == NULL);
 
     verbose = (Options && (Options->Flags & RPC2_OPTION_VERBOSE_INIT));
     secure_init(verbose);