- if (strcmp(proto, "MIT-MAGIC-COOKIE-1") != 0)
- return 0; /* wrong protocol attempted */
- if (dlen != x11_authdatalen)
- return 0; /* cookie was wrong length */
- if (memcmp(x11_authdata, data, dlen) != 0)
- return 0; /* cookie was wrong cookie! */
- return 1;
+
+ sfree(auth);
+}
+
+/*
+ * Fetch the real auth data for a given display string, and store
+ * it in an X11Auth structure. Returns NULL on success, or an error
+ * string.
+ */
+void x11_get_real_auth(void *authv, char *display)
+{
+ struct X11Auth *auth = (struct X11Auth *)authv;
+
+ auth->realproto = X11_NO_AUTH; /* in case next call does nothing */
+
+ auth->reallen = sizeof(auth->realdata);
+ platform_get_x11_auth(display, &auth->realproto,
+ auth->realdata, &auth->reallen);
+}
+
+static char *x11_verify(unsigned long peer_ip, int peer_port,
+ struct X11Auth *auth, char *proto,
+ unsigned char *data, int dlen)
+{
+ if (strcmp(proto, x11_authnames[auth->fakeproto]) != 0)
+ return "wrong authentication protocol attempted";
+ if (auth->fakeproto == X11_MIT) {
+ if (dlen != auth->fakelen)
+ return "MIT-MAGIC-COOKIE-1 data was wrong length";
+ if (memcmp(auth->fakedata, data, dlen) != 0)
+ return "MIT-MAGIC-COOKIE-1 data did not match";
+ }
+ if (auth->fakeproto == X11_XDM) {
+ unsigned long t;
+ time_t tim;
+ int i;
+
+ if (dlen != 24)
+ return "XDM-AUTHORIZATION-1 data was wrong length";
+ if (peer_port == -1)
+ return "cannot do XDM-AUTHORIZATION-1 without remote address data";
+ des_decrypt_xdmauth(auth->fakedata+9, data, 24);
+ if (memcmp(auth->fakedata, data, 8) != 0)
+ return "XDM-AUTHORIZATION-1 data failed check"; /* cookie wrong */
+ if (GET_32BIT_MSB_FIRST(data+8) != peer_ip)
+ return "XDM-AUTHORIZATION-1 data failed check"; /* IP wrong */
+ if ((int)GET_16BIT_MSB_FIRST(data+12) != peer_port)
+ return "XDM-AUTHORIZATION-1 data failed check"; /* port wrong */
+ t = GET_32BIT_MSB_FIRST(data+14);
+ for (i = 18; i < 24; i++)
+ if (data[i] != 0) /* zero padding wrong */
+ return "XDM-AUTHORIZATION-1 data failed check";
+ tim = time(NULL);
+ if (abs(t - tim) > 20*60) /* 20 minute clock skew should be OK */
+ return "XDM-AUTHORIZATION-1 time stamp was too far out";
+ }
+ /* implement other protocols here if ever required */
+ return NULL;