From f3cf3884c935fa5d3561e87512766e337f11beb2 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 11 Feb 2000 15:59:35 +0000
Subject: Remove an old compatibility compromise from back when we started
 requiring checksums on messages.  With this change, you can't fiddle with
 subs if you don't have a valid checksum.

---
 server/kstuff.c | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

(limited to 'server/kstuff.c')

diff --git a/server/kstuff.c b/server/kstuff.c
index 8090272..04396fa 100644
--- a/server/kstuff.c
+++ b/server/kstuff.c
@@ -189,11 +189,9 @@ ZCheckRealmAuthentication(notice, from, realm)
             return ZAUTH_FAILED;
         checksum = compute_rlm_checksum(notice, session_key);
 
-        /* If checksum matches, packet is authentic.  Otherwise, check
-         * the authenticator as if we didn't have the session key cached
-         * and return ZAUTH_CKSUM_FAILED.  This is a rare case (since the
-         * ticket isn't cached after a checksum failure), so don't worry
-         * about the extra des_quad_cksum() call. */
+        /* If checksum matches, packet is authentic.  If not, we might
+	 * have an outdated session key, so keep going the slow way.
+	 */
         if (checksum == notice->z_checksum) {
 	    memcpy(__Zephyr_session, session_key, sizeof(C_Block));
 	    return ZAUTH_YES;
@@ -219,7 +217,7 @@ ZCheckRealmAuthentication(notice, from, realm)
     checksum = compute_rlm_checksum(notice, dat.session);
 #endif
     if (checksum != notice->z_checksum)
-        return ZAUTH_CKSUM_FAILED;
+        return ZAUTH_FAILED;
 
     /* Record the session key, expiry time, and source principal in the
      * hash table, so we can do a fast check next time. */
@@ -274,11 +272,9 @@ ZCheckAuthentication(notice, from)
 	    return ZAUTH_FAILED;
 	checksum = compute_checksum(notice, session_key);
 
-	/* If the checksum matches, the packet is authentic.  Otherwise,
-	 * check authenticator as if we didn't have the session key cached
-	 * and return ZAUTH_CKSUM_FAILED.  This is a rare case (since the
-	 * ticket isn't cached after a checksum failure), so don't worry
-	 * about the extra des_quad_cksum() call. */
+        /* If checksum matches, packet is authentic.  If not, we might
+	 * have an outdated session key, so keep going the slow way.
+	 */
 	if (checksum == notice->z_checksum) {
 	    memcpy(__Zephyr_session, session_key, sizeof(C_Block));
 	    return ZAUTH_YES;
@@ -305,7 +301,7 @@ ZCheckAuthentication(notice, from)
     checksum = compute_checksum(notice, dat.session);
 #endif
     if (checksum != notice->z_checksum)
-	return ZAUTH_CKSUM_FAILED;
+	return ZAUTH_FAILED;
 
     /* Record the session key, expiry time, and source principal in the
      * hash table, so we can do a fast check next time. */
-- 
cgit v1.2.3