7a616c0ee681ad4dccb3119167f3e5effcaeb26c
[samba.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31 #include "system/filesys.h"
32 #include "srv_pipe_internal.h"
33 #include "../librpc/gen_ndr/ndr_schannel.h"
34 #include "../libcli/auth/schannel.h"
35 #include "../libcli/auth/spnego.h"
36 #include "dcesrv_ntlmssp.h"
37 #include "dcesrv_gssapi.h"
38 #include "dcesrv_spnego.h"
39 #include "rpc_server.h"
40 #include "rpc_dce.h"
41 #include "smbd/smbd.h"
42 #include "auth.h"
43 #include "ntdomain.h"
44 #include "rpc_server/srv_pipe.h"
45 #include "rpc_server/rpc_contexts.h"
46
47 #undef DBGC_CLASS
48 #define DBGC_CLASS DBGC_RPC_SRV
49
50 /**
51  * Dump everything from the start of the end up of the provided data
52  * into a file, but only at debug level >= 50
53  **/
54 static void dump_pdu_region(const char *name, int v,
55                             DATA_BLOB *data, size_t start, size_t end)
56 {
57         int fd, i;
58         char *fname = NULL;
59         ssize_t sz;
60
61         if (DEBUGLEVEL < 50) return;
62
63         if (start > data->length || end > data->length || start > end) return;
64
65         for (i = 1; i < 100; i++) {
66                 if (v != -1) {
67                         fname = talloc_asprintf(talloc_tos(),
68                                                 "/tmp/%s_%d.%d.prs",
69                                                 name, v, i);
70                 } else {
71                         fname = talloc_asprintf(talloc_tos(),
72                                                 "/tmp/%s_%d.prs",
73                                                 name, i);
74                 }
75                 if (!fname) {
76                         return;
77                 }
78                 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
79                 if (fd != -1 || errno != EEXIST) break;
80         }
81         if (fd != -1) {
82                 sz = write(fd, data->data + start, end - start);
83                 i = close(fd);
84                 if ((sz != end - start) || (i != 0) ) {
85                         DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n",
86                                   fname, (unsigned long)sz,
87                                   (unsigned long)end - start, i));
88                 } else {
89                         DEBUG(0,("created %s\n", fname));
90                 }
91         }
92         TALLOC_FREE(fname);
93 }
94
95 static DATA_BLOB generic_session_key(void)
96 {
97         return data_blob_const("SystemLibraryDTC", 16);
98 }
99
100 /*******************************************************************
101  Generate the next PDU to be returned from the data.
102 ********************************************************************/
103
104 static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
105                                    struct pipe_auth_data *auth,
106                                    uint32_t call_id,
107                                    DATA_BLOB *rdata,
108                                    size_t data_sent_length,
109                                    DATA_BLOB *frag,
110                                    size_t *pdu_size)
111 {
112         union dcerpc_payload u;
113         uint8_t pfc_flags;
114         size_t data_left;
115         size_t data_to_send;
116         size_t frag_len;
117         size_t pad_len = 0;
118         size_t auth_len = 0;
119         NTSTATUS status;
120
121         ZERO_STRUCT(u.response);
122
123         /* Set up rpc packet pfc flags. */
124         if (data_sent_length == 0) {
125                 pfc_flags = DCERPC_PFC_FLAG_FIRST;
126         } else {
127                 pfc_flags = 0;
128         }
129
130         /* Work out how much we can fit in a single PDU. */
131         data_left = rdata->length - data_sent_length;
132
133         /* Ensure there really is data left to send. */
134         if (!data_left) {
135                 DEBUG(0, ("No data left to send !\n"));
136                 return NT_STATUS_BUFFER_TOO_SMALL;
137         }
138
139         status = dcerpc_guess_sizes(auth,
140                                     DCERPC_RESPONSE_LENGTH,
141                                     data_left,
142                                     RPC_MAX_PDU_FRAG_LEN,
143                                     SERVER_NDR_PADDING_SIZE,
144                                     &data_to_send, &frag_len,
145                                     &auth_len, &pad_len);
146         if (!NT_STATUS_IS_OK(status)) {
147                 return status;
148         }
149
150         /* Set up the alloc hint. This should be the data left to send. */
151         u.response.alloc_hint = data_left;
152
153         /* Work out if this PDU will be the last. */
154         if (data_sent_length + data_to_send >= rdata->length) {
155                 pfc_flags |= DCERPC_PFC_FLAG_LAST;
156         }
157
158         /* Prepare data to be NDR encoded. */
159         u.response.stub_and_verifier =
160                 data_blob_const(rdata->data + data_sent_length, data_to_send);
161
162         /* Store the packet in the data stream. */
163         status = dcerpc_push_ncacn_packet(mem_ctx, DCERPC_PKT_RESPONSE,
164                                           pfc_flags, auth_len, call_id,
165                                           &u, frag);
166         if (!NT_STATUS_IS_OK(status)) {
167                 DEBUG(0, ("Failed to marshall RPC Packet.\n"));
168                 return status;
169         }
170
171         if (auth_len) {
172                 /* Set the proper length on the pdu, including padding.
173                  * Only needed if an auth trailer will be appended. */
174                 dcerpc_set_frag_length(frag, frag->length
175                                                 + pad_len
176                                                 + DCERPC_AUTH_TRAILER_LENGTH
177                                                 + auth_len);
178         }
179
180         if (auth_len) {
181                 status = dcerpc_add_auth_footer(auth, pad_len, frag);
182                 if (!NT_STATUS_IS_OK(status)) {
183                         data_blob_free(frag);
184                         return status;
185                 }
186         }
187
188         *pdu_size = data_to_send;
189         return NT_STATUS_OK;
190 }
191
192 /*******************************************************************
193  Generate the next PDU to be returned from the data in p->rdata. 
194 ********************************************************************/
195
196 bool create_next_pdu(struct pipes_struct *p)
197 {
198         size_t pdu_size = 0;
199         NTSTATUS status;
200
201         /*
202          * If we're in the fault state, keep returning fault PDU's until
203          * the pipe gets closed. JRA.
204          */
205         if (p->fault_state) {
206                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
207                 return true;
208         }
209
210         status = create_next_packet(p->mem_ctx, &p->auth,
211                                     p->call_id, &p->out_data.rdata,
212                                     p->out_data.data_sent_length,
213                                     &p->out_data.frag, &pdu_size);
214         if (!NT_STATUS_IS_OK(status)) {
215                 DEBUG(0, ("Failed to create packet with error %s, "
216                           "(auth level %u / type %u)\n",
217                           nt_errstr(status),
218                           (unsigned int)p->auth.auth_level,
219                           (unsigned int)p->auth.auth_type));
220                 return false;
221         }
222
223         /* Setup the counts for this PDU. */
224         p->out_data.data_sent_length += pdu_size;
225         p->out_data.current_pdu_sent = 0;
226         return true;
227 }
228
229
230 static bool pipe_init_outgoing_data(struct pipes_struct *p);
231
232 /*******************************************************************
233  Marshall a bind_nak pdu.
234 *******************************************************************/
235
236 static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
237 {
238         NTSTATUS status;
239         union dcerpc_payload u;
240
241         /* Free any memory in the current return data buffer. */
242         pipe_init_outgoing_data(p);
243
244         /*
245          * Initialize a bind_nak header.
246          */
247
248         ZERO_STRUCT(u);
249
250         u.bind_nak.reject_reason  = 0;
251
252         /*
253          * Marshall directly into the outgoing PDU space. We
254          * must do this as we need to set to the bind response
255          * header and are never sending more than one PDU here.
256          */
257
258         status = dcerpc_push_ncacn_packet(p->mem_ctx,
259                                           DCERPC_PKT_BIND_NAK,
260                                           DCERPC_PFC_FLAG_FIRST |
261                                                 DCERPC_PFC_FLAG_LAST,
262                                           0,
263                                           pkt->call_id,
264                                           &u,
265                                           &p->out_data.frag);
266         if (!NT_STATUS_IS_OK(status)) {
267                 return False;
268         }
269
270         p->out_data.data_sent_length = 0;
271         p->out_data.current_pdu_sent = 0;
272
273         TALLOC_FREE(p->auth.auth_ctx);
274         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
275         p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
276         p->pipe_bound = False;
277
278         return True;
279 }
280
281 /*******************************************************************
282  Marshall a fault pdu.
283 *******************************************************************/
284
285 bool setup_fault_pdu(struct pipes_struct *p, NTSTATUS fault_status)
286 {
287         NTSTATUS status;
288         union dcerpc_payload u;
289
290         /* Free any memory in the current return data buffer. */
291         pipe_init_outgoing_data(p);
292
293         /*
294          * Initialize a fault header.
295          */
296
297         ZERO_STRUCT(u);
298
299         u.fault.status          = NT_STATUS_V(fault_status);
300         u.fault._pad            = data_blob_talloc_zero(p->mem_ctx, 4);
301
302         /*
303          * Marshall directly into the outgoing PDU space. We
304          * must do this as we need to set to the bind response
305          * header and are never sending more than one PDU here.
306          */
307
308         status = dcerpc_push_ncacn_packet(p->mem_ctx,
309                                           DCERPC_PKT_FAULT,
310                                           DCERPC_PFC_FLAG_FIRST |
311                                            DCERPC_PFC_FLAG_LAST |
312                                            DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
313                                           0,
314                                           p->call_id,
315                                           &u,
316                                           &p->out_data.frag);
317         if (!NT_STATUS_IS_OK(status)) {
318                 return False;
319         }
320
321         p->out_data.data_sent_length = 0;
322         p->out_data.current_pdu_sent = 0;
323
324         return True;
325 }
326
327 /*******************************************************************
328  Ensure a bind request has the correct abstract & transfer interface.
329  Used to reject unknown binds from Win2k.
330 *******************************************************************/
331
332 static bool check_bind_req(struct pipes_struct *p,
333                            struct ndr_syntax_id* abstract,
334                            struct ndr_syntax_id* transfer,
335                            uint32_t context_id)
336 {
337         struct pipe_rpc_fns *context_fns;
338         bool ok;
339
340         DEBUG(3,("check_bind_req for %s\n",
341                  get_pipe_name_from_syntax(talloc_tos(), abstract)));
342
343         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
344         if (rpc_srv_pipe_exists_by_id(abstract) &&
345            ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
346                 DEBUG(3, ("check_bind_req: %s -> %s rpc service\n",
347                           rpc_srv_get_pipe_cli_name(abstract),
348                           rpc_srv_get_pipe_srv_name(abstract)));
349         } else {
350                 return false;
351         }
352
353         ok = init_pipe_handles(p, abstract);
354         if (!ok) {
355                 DEBUG(1, ("Failed to init pipe handles!\n"));
356                 return false;
357         }
358
359         context_fns = talloc(p, struct pipe_rpc_fns);
360         if (context_fns == NULL) {
361                 DEBUG(0,("check_bind_req: talloc() failed!\n"));
362                 return false;
363         }
364
365         context_fns->next = context_fns->prev = NULL;
366         context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
367         context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
368         context_fns->context_id = context_id;
369         context_fns->syntax = *abstract;
370
371         /* add to the list of open contexts */
372
373         DLIST_ADD( p->contexts, context_fns );
374
375         return True;
376 }
377
378 /**
379  * Is a named pipe known?
380  * @param[in] cli_filename      The pipe name requested by the client
381  * @result                      Do we want to serve this?
382  */
383 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
384 {
385         const char *pipename = cli_filename;
386         NTSTATUS status;
387
388         if (strnequal(pipename, "\\PIPE\\", 6)) {
389                 pipename += 5;
390         }
391
392         if (*pipename == '\\') {
393                 pipename += 1;
394         }
395
396         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
397                 DEBUG(10, ("refusing spoolss access\n"));
398                 return false;
399         }
400
401         if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
402                 return true;
403         }
404
405         status = smb_probe_module("rpc", pipename);
406         if (!NT_STATUS_IS_OK(status)) {
407                 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
408                 return false;
409         }
410         DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
411
412         /*
413          * Scan the list again for the interface id
414          */
415         if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
416                 return true;
417         }
418
419         DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
420                    pipename));
421
422         return false;
423 }
424
425 /*******************************************************************
426  Handle the first part of a SPNEGO bind auth.
427 *******************************************************************/
428
429 static bool pipe_spnego_auth_bind(struct pipes_struct *p,
430                                   TALLOC_CTX *mem_ctx,
431                                   struct dcerpc_auth *auth_info,
432                                   DATA_BLOB *response)
433 {
434         struct spnego_context *spnego_ctx;
435         NTSTATUS status;
436
437         status = spnego_server_auth_start(p,
438                                           (auth_info->auth_level ==
439                                                 DCERPC_AUTH_LEVEL_INTEGRITY),
440                                           (auth_info->auth_level ==
441                                                 DCERPC_AUTH_LEVEL_PRIVACY),
442                                           true,
443                                           &auth_info->credentials,
444                                           response,
445                                           p->remote_address,
446                                           &spnego_ctx);
447         if (!NT_STATUS_IS_OK(status)) {
448                 DEBUG(0, ("Failed SPNEGO negotiate (%s)\n",
449                           nt_errstr(status)));
450                 return false;
451         }
452
453         /* Make sure data is bound to the memctx, to be freed the caller */
454         talloc_steal(mem_ctx, response->data);
455
456         p->auth.auth_ctx = spnego_ctx;
457         p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO;
458
459         DEBUG(10, ("SPNEGO auth started\n"));
460
461         return true;
462 }
463
464 /*******************************************************************
465  Handle an schannel bind auth.
466 *******************************************************************/
467
468 static bool pipe_schannel_auth_bind(struct pipes_struct *p,
469                                     TALLOC_CTX *mem_ctx,
470                                     struct dcerpc_auth *auth_info,
471                                     DATA_BLOB *response)
472 {
473         struct NL_AUTH_MESSAGE neg;
474         struct NL_AUTH_MESSAGE reply;
475         bool ret;
476         NTSTATUS status;
477         struct netlogon_creds_CredentialState *creds;
478         enum ndr_err_code ndr_err;
479         struct schannel_state *schannel_auth;
480
481         ndr_err = ndr_pull_struct_blob(
482                         &auth_info->credentials, mem_ctx, &neg,
483                         (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
484         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
485                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
486                 return false;
487         }
488
489         if (DEBUGLEVEL >= 10) {
490                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
491         }
492
493         if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
494                 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
495                 return false;
496         }
497
498         /*
499          * The neg.oem_netbios_computer.a key here must match the remote computer name
500          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
501          * operations that use credentials.
502          */
503
504         become_root();
505         status = schannel_get_creds_state(p, lp_private_dir(),
506                                             neg.oem_netbios_computer.a, &creds);
507         unbecome_root();
508
509         if (!NT_STATUS_IS_OK(status)) {
510                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
511                 return False;
512         }
513
514         schannel_auth = talloc(p, struct schannel_state);
515         if (!schannel_auth) {
516                 TALLOC_FREE(creds);
517                 return False;
518         }
519
520         schannel_auth->state = SCHANNEL_STATE_START;
521         schannel_auth->seq_num = 0;
522         schannel_auth->initiator = false;
523         schannel_auth->creds = creds;
524
525         /*
526          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
527          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
528          * struct of the person who opened the pipe. I need to test this further. JRA.
529          *
530          * VL. As we are mapping this to guest set the generic key
531          * "SystemLibraryDTC" key here. It's a bit difficult to test against
532          * W2k3, as it does not allow schannel binds against SAMR and LSA
533          * anymore.
534          */
535
536         ret = session_info_set_session_key(p->session_info, generic_session_key());
537
538         if (!ret) {
539                 DEBUG(0, ("session_info_set_session_key failed\n"));
540                 return false;
541         }
542
543         /*** SCHANNEL verifier ***/
544
545         reply.MessageType                       = NL_NEGOTIATE_RESPONSE;
546         reply.Flags                             = 0;
547         reply.Buffer.dummy                      = 5; /* ??? actually I don't think
548                                                       * this has any meaning
549                                                       * here - gd */
550
551         ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
552                        (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
553         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
554                 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
555                 return false;
556         }
557
558         if (DEBUGLEVEL >= 10) {
559                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
560         }
561
562         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
563                 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
564
565         /* We're finished with this bind - no more packets. */
566         p->auth.auth_ctx = schannel_auth;
567         p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
568
569         p->pipe_bound = True;
570
571         return True;
572 }
573
574 /*******************************************************************
575  Handle an NTLMSSP bind auth.
576 *******************************************************************/
577
578 static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
579                                    TALLOC_CTX *mem_ctx,
580                                    struct dcerpc_auth *auth_info,
581                                    DATA_BLOB *response)
582 {
583         struct auth_ntlmssp_state *ntlmssp_state = NULL;
584         NTSTATUS status;
585
586         if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) {
587                 DEBUG(0, ("Failed to read NTLMSSP in blob\n"));
588                 return false;
589         }
590
591         /* We have an NTLMSSP blob. */
592         status = ntlmssp_server_auth_start(p,
593                                            (auth_info->auth_level ==
594                                                 DCERPC_AUTH_LEVEL_INTEGRITY),
595                                            (auth_info->auth_level ==
596                                                 DCERPC_AUTH_LEVEL_PRIVACY),
597                                            true,
598                                            &auth_info->credentials,
599                                            response,
600                                            p->remote_address,
601                                            &ntlmssp_state);
602         if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
603                 DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
604                           nt_errstr(status)));
605                 return false;
606         }
607
608         /* Make sure data is bound to the memctx, to be freed the caller */
609         talloc_steal(mem_ctx, response->data);
610
611         p->auth.auth_ctx = ntlmssp_state;
612         p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
613
614         DEBUG(10, (__location__ ": NTLMSSP auth started\n"));
615
616         return true;
617 }
618
619 /*******************************************************************
620  Process an NTLMSSP authentication response.
621  If this function succeeds, the user has been authenticated
622  and their domain, name and calling workstation stored in
623  the pipe struct.
624 *******************************************************************/
625
626 static bool pipe_ntlmssp_verify_final(TALLOC_CTX *mem_ctx,
627                                 struct auth_ntlmssp_state *ntlmssp_ctx,
628                                 enum dcerpc_AuthLevel auth_level,
629                                 struct auth_session_info **session_info)
630 {
631         NTSTATUS status;
632         bool ret;
633
634         DEBUG(5, (__location__ ": checking user details\n"));
635
636         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
637            ensure the underlying NTLMSSP flags are also set. If not we should
638            refuse the bind. */
639
640         status = ntlmssp_server_check_flags(ntlmssp_ctx,
641                                             (auth_level ==
642                                                 DCERPC_AUTH_LEVEL_INTEGRITY),
643                                             (auth_level ==
644                                                 DCERPC_AUTH_LEVEL_PRIVACY));
645         if (!NT_STATUS_IS_OK(status)) {
646                 DEBUG(0, (__location__ ": Client failed to negotatie proper "
647                           "security for rpc connection\n"));
648                 return false;
649         }
650
651         TALLOC_FREE(*session_info);
652
653         status = ntlmssp_server_get_user_info(ntlmssp_ctx,
654                                                 mem_ctx, session_info);
655         if (!NT_STATUS_IS_OK(status)) {
656                 DEBUG(0, (__location__ ": failed to obtain the server info "
657                           "for authenticated user: %s\n", nt_errstr(status)));
658                 return false;
659         }
660
661         if ((*session_info)->security_token == NULL) {
662                 DEBUG(1, ("Auth module failed to provide nt_user_token\n"));
663                 return false;
664         }
665
666         /*
667          * We're an authenticated bind over smb, so the session key needs to
668          * be set to "SystemLibraryDTC". Weird, but this is what Windows
669          * does. See the RPC-SAMBA3SESSIONKEY.
670          */
671
672         ret = session_info_set_session_key((*session_info), generic_session_key());
673         if (!ret) {
674                 DEBUG(0, ("Failed to set session key!\n"));
675                 return false;
676         }
677
678         return true;
679 }
680
681 /*******************************************************************
682  Handle a GSSAPI bind auth.
683 *******************************************************************/
684
685 static bool pipe_gssapi_auth_bind(struct pipes_struct *p,
686                                   TALLOC_CTX *mem_ctx,
687                                   struct dcerpc_auth *auth_info,
688                                   DATA_BLOB *response)
689 {
690         NTSTATUS status;
691         struct gse_context *gse_ctx = NULL;
692
693         status = gssapi_server_auth_start(p,
694                                           (auth_info->auth_level ==
695                                                 DCERPC_AUTH_LEVEL_INTEGRITY),
696                                           (auth_info->auth_level ==
697                                                 DCERPC_AUTH_LEVEL_PRIVACY),
698                                           true,
699                                           &auth_info->credentials,
700                                           response,
701                                           &gse_ctx);
702         if (!NT_STATUS_IS_OK(status)) {
703                 DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
704                           nt_errstr(status)));
705                 goto err;
706         }
707
708         /* Make sure data is bound to the memctx, to be freed the caller */
709         talloc_steal(mem_ctx, response->data);
710
711         p->auth.auth_ctx = gse_ctx;
712         p->auth.auth_type = DCERPC_AUTH_TYPE_KRB5;
713
714         DEBUG(10, ("KRB5 auth started\n"));
715
716         return true;
717
718 err:
719         TALLOC_FREE(gse_ctx);
720         return false;
721 }
722
723 static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
724                                          struct gse_context *gse_ctx,
725                                          const struct tsocket_address *remote_address,
726                                          struct auth_session_info **session_info)
727 {
728         NTSTATUS status;
729         bool bret;
730
731         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
732            ensure the underlying flags are also set. If not we should
733            refuse the bind. */
734
735         status = gssapi_server_check_flags(gse_ctx);
736         if (!NT_STATUS_IS_OK(status)) {
737                 DEBUG(0, ("Requested Security Layers not honored!\n"));
738                 return status;
739         }
740
741         status = gssapi_server_get_user_info(gse_ctx, mem_ctx,
742                                              remote_address, session_info);
743         if (!NT_STATUS_IS_OK(status)) {
744                 DEBUG(0, (__location__ ": failed to obtain the server info "
745                           "for authenticated user: %s\n", nt_errstr(status)));
746                 return status;
747         }
748
749         /*
750          * We're an authenticated bind over smb, so the session key needs to
751          * be set to "SystemLibraryDTC". Weird, but this is what Windows
752          * does. See the RPC-SAMBA3SESSIONKEY.
753          */
754
755         bret = session_info_set_session_key((*session_info), generic_session_key());
756         if (!bret) {
757                 return NT_STATUS_ACCESS_DENIED;
758         }
759
760         return NT_STATUS_OK;
761 }
762
763 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
764 {
765         enum spnego_mech auth_type;
766         struct auth_ntlmssp_state *ntlmssp_ctx;
767         struct spnego_context *spnego_ctx;
768         struct gse_context *gse_ctx;
769         void *mech_ctx;
770         NTSTATUS status;
771
772         switch (p->auth.auth_type) {
773         case DCERPC_AUTH_TYPE_NTLMSSP:
774                 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
775                                                     struct auth_ntlmssp_state);
776                 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
777                                                 p->auth.auth_level,
778                                                 &p->session_info)) {
779                         return NT_STATUS_ACCESS_DENIED;
780                 }
781                 break;
782         case DCERPC_AUTH_TYPE_KRB5:
783                 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
784                                                 struct gse_context);
785                 status = pipe_gssapi_verify_final(p, gse_ctx,
786                                                   p->remote_address,
787                                                   &p->session_info);
788                 if (!NT_STATUS_IS_OK(status)) {
789                         DEBUG(1, ("gssapi bind failed with: %s",
790                                   nt_errstr(status)));
791                         return status;
792                 }
793                 break;
794         case DCERPC_AUTH_TYPE_SPNEGO:
795                 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
796                                                    struct spnego_context);
797                 status = spnego_get_negotiated_mech(spnego_ctx,
798                                                     &auth_type, &mech_ctx);
799                 if (!NT_STATUS_IS_OK(status)) {
800                         DEBUG(0, ("Bad SPNEGO state (%s)\n",
801                                   nt_errstr(status)));
802                         return status;
803                 }
804                 switch(auth_type) {
805                 case SPNEGO_KRB5:
806                         gse_ctx = talloc_get_type_abort(mech_ctx,
807                                                         struct gse_context);
808                         status = pipe_gssapi_verify_final(p, gse_ctx,
809                                                           p->remote_address,
810                                                           &p->session_info);
811                         if (!NT_STATUS_IS_OK(status)) {
812                                 DEBUG(1, ("gssapi bind failed with: %s",
813                                           nt_errstr(status)));
814                                 return status;
815                         }
816                         break;
817                 case SPNEGO_NTLMSSP:
818                         ntlmssp_ctx = talloc_get_type_abort(mech_ctx,
819                                                 struct auth_ntlmssp_state);
820                         if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
821                                                         p->auth.auth_level,
822                                                         &p->session_info)) {
823                                 return NT_STATUS_ACCESS_DENIED;
824                         }
825                         break;
826                 default:
827                         DEBUG(0, (__location__ ": incorrect spnego type "
828                                   "(%d).\n", auth_type));
829                         return NT_STATUS_ACCESS_DENIED;
830                 }
831                 break;
832         default:
833                 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
834                           (unsigned int)p->auth.auth_type));
835                 return NT_STATUS_ACCESS_DENIED;
836         }
837
838         p->pipe_bound = true;
839
840         return NT_STATUS_OK;
841 }
842
843 /*******************************************************************
844  Respond to a pipe bind request.
845 *******************************************************************/
846
847 static bool api_pipe_bind_req(struct pipes_struct *p,
848                                 struct ncacn_packet *pkt)
849 {
850         struct dcerpc_auth auth_info;
851         uint16 assoc_gid;
852         unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
853         NTSTATUS status;
854         struct ndr_syntax_id id;
855         union dcerpc_payload u;
856         struct dcerpc_ack_ctx bind_ack_ctx;
857         DATA_BLOB auth_resp = data_blob_null;
858         DATA_BLOB auth_blob = data_blob_null;
859
860         /* No rebinds on a bound pipe - use alter context. */
861         if (p->pipe_bound) {
862                 DEBUG(2,("Rejecting bind request on bound rpc connection\n"));
863                 return setup_bind_nak(p, pkt);
864         }
865
866         if (pkt->u.bind.num_contexts == 0) {
867                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
868                 goto err_exit;
869         }
870
871         /*
872          * Try and find the correct pipe name to ensure
873          * that this is a pipe name we support.
874          */
875         id = pkt->u.bind.ctx_list[0].abstract_syntax;
876         if (rpc_srv_pipe_exists_by_id(&id)) {
877                 DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
878                           rpc_srv_get_pipe_cli_name(&id),
879                           rpc_srv_get_pipe_srv_name(&id)));
880         } else {
881                 status = smb_probe_module(
882                         "rpc", get_pipe_name_from_syntax(
883                                 talloc_tos(),
884                                 &id));
885
886                 if (NT_STATUS_IS_ERR(status)) {
887                         DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
888                                  "%s in bind request.\n",
889                                  get_pipe_name_from_syntax(talloc_tos(), &id)));
890
891                         return setup_bind_nak(p, pkt);
892                 }
893
894                 if (rpc_srv_get_pipe_interface_by_cli_name(
895                                 get_pipe_name_from_syntax(talloc_tos(),
896                                                           &id),
897                                 &id)) {
898                         DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
899                                   rpc_srv_get_pipe_cli_name(&id),
900                                   rpc_srv_get_pipe_srv_name(&id)));
901                 } else {
902                         DEBUG(0, ("module %s doesn't provide functions for "
903                                   "pipe %s!\n",
904                                   get_pipe_name_from_syntax(talloc_tos(), &id),
905                                   get_pipe_name_from_syntax(talloc_tos(), &id)));
906                         return setup_bind_nak(p, pkt);
907                 }
908         }
909
910         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
911
912         if (pkt->u.bind.assoc_group_id != 0) {
913                 assoc_gid = pkt->u.bind.assoc_group_id;
914         } else {
915                 assoc_gid = 0x53f0;
916         }
917
918         /*
919          * Create the bind response struct.
920          */
921
922         /* If the requested abstract synt uuid doesn't match our client pipe,
923                 reject the bind_ack & set the transfer interface synt to all 0's,
924                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
925                 unknown to NT4)
926                 Needed when adding entries to a DACL from NT5 - SK */
927
928         if (check_bind_req(p,
929                         &pkt->u.bind.ctx_list[0].abstract_syntax,
930                         &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
931                         pkt->u.bind.ctx_list[0].context_id)) {
932
933                 bind_ack_ctx.result = 0;
934                 bind_ack_ctx.reason = 0;
935                 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
936         } else {
937                 p->pipe_bound = False;
938                 /* Rejection reason: abstract syntax not supported */
939                 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
940                 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
941                 bind_ack_ctx.syntax = null_ndr_syntax_id;
942         }
943
944         /*
945          * Check if this is an authenticated bind request.
946          */
947         if (pkt->auth_length) {
948                 /* Quick length check. Won't catch a bad auth footer,
949                  * prevents overrun. */
950
951                 if (pkt->frag_length < RPC_HEADER_LEN +
952                                         DCERPC_AUTH_TRAILER_LENGTH +
953                                         pkt->auth_length) {
954                         DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
955                                 "too long for fragment %u.\n",
956                                 (unsigned int)pkt->auth_length,
957                                 (unsigned int)pkt->frag_length));
958                         goto err_exit;
959                 }
960
961                 /*
962                  * Decode the authentication verifier.
963                  */
964                 status = dcerpc_pull_dcerpc_auth(pkt,
965                                                  &pkt->u.bind.auth_info,
966                                                  &auth_info, p->endian);
967                 if (!NT_STATUS_IS_OK(status)) {
968                         DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
969                         goto err_exit;
970                 }
971
972                 auth_type = auth_info.auth_type;
973
974                 /* Work out if we have to sign or seal etc. */
975                 switch (auth_info.auth_level) {
976                 case DCERPC_AUTH_LEVEL_INTEGRITY:
977                         p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
978                         break;
979                 case DCERPC_AUTH_LEVEL_PRIVACY:
980                         p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
981                         break;
982                 case DCERPC_AUTH_LEVEL_CONNECT:
983                         p->auth.auth_level = DCERPC_AUTH_LEVEL_CONNECT;
984                         break;
985                 default:
986                         DEBUG(0, ("Unexpected auth level (%u).\n",
987                                 (unsigned int)auth_info.auth_level ));
988                         goto err_exit;
989                 }
990
991                 switch (auth_type) {
992                 case DCERPC_AUTH_TYPE_NTLMSSP:
993                         if (!pipe_ntlmssp_auth_bind(p, pkt,
994                                                 &auth_info, &auth_resp)) {
995                                 goto err_exit;
996                         }
997                         assoc_gid = 0x7a77;
998                         break;
999
1000                 case DCERPC_AUTH_TYPE_SCHANNEL:
1001                         if (!pipe_schannel_auth_bind(p, pkt,
1002                                                 &auth_info, &auth_resp)) {
1003                                 goto err_exit;
1004                         }
1005                         break;
1006
1007                 case DCERPC_AUTH_TYPE_SPNEGO:
1008                         if (!pipe_spnego_auth_bind(p, pkt,
1009                                                 &auth_info, &auth_resp)) {
1010                                 goto err_exit;
1011                         }
1012                         break;
1013
1014                 case DCERPC_AUTH_TYPE_KRB5:
1015                         if (!pipe_gssapi_auth_bind(p, pkt,
1016                                                 &auth_info, &auth_resp)) {
1017                                 goto err_exit;
1018                         }
1019                         break;
1020
1021                 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
1022                         if (p->transport == NCALRPC && p->ncalrpc_as_system) {
1023                                 TALLOC_FREE(p->session_info);
1024
1025                                 status = make_session_info_system(p,
1026                                                                   &p->session_info);
1027                                 if (!NT_STATUS_IS_OK(status)) {
1028                                         goto err_exit;
1029                                 }
1030
1031                                 auth_resp = data_blob_talloc(pkt,
1032                                                              "NCALRPC_AUTH_OK",
1033                                                              15);
1034
1035                                 p->auth.auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM;
1036                                 p->pipe_bound = true;
1037                         } else {
1038                                 goto err_exit;
1039                         }
1040                         break;
1041
1042                 case DCERPC_AUTH_TYPE_NONE:
1043                         break;
1044
1045                 default:
1046                         DEBUG(0, ("Unknown auth type %x requested.\n", auth_type));
1047                         goto err_exit;
1048                 }
1049         }
1050
1051         if (auth_type == DCERPC_AUTH_TYPE_NONE) {
1052                 /* Unauthenticated bind request. */
1053                 /* We're finished - no more packets. */
1054                 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
1055                 /* We must set the pipe auth_level here also. */
1056                 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1057                 p->pipe_bound = True;
1058                 /* The session key was initialized from the SMB
1059                  * session in make_internal_rpc_pipe_p */
1060         }
1061
1062         ZERO_STRUCT(u.bind_ack);
1063         u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1064         u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1065         u.bind_ack.assoc_group_id = assoc_gid;
1066
1067         /* name has to be \PIPE\xxxxx */
1068         u.bind_ack.secondary_address =
1069                         talloc_asprintf(pkt, "\\PIPE\\%s",
1070                                         rpc_srv_get_pipe_srv_name(&id));
1071         if (!u.bind_ack.secondary_address) {
1072                 DEBUG(0, ("Out of memory!\n"));
1073                 goto err_exit;
1074         }
1075         u.bind_ack.secondary_address_size =
1076                                 strlen(u.bind_ack.secondary_address) + 1;
1077
1078         u.bind_ack.num_results = 1;
1079         u.bind_ack.ctx_list = &bind_ack_ctx;
1080
1081         /* NOTE: We leave the auth_info empty so we can calculate the padding
1082          * later and then append the auth_info --simo */
1083
1084         /*
1085          * Marshall directly into the outgoing PDU space. We
1086          * must do this as we need to set to the bind response
1087          * header and are never sending more than one PDU here.
1088          */
1089
1090         status = dcerpc_push_ncacn_packet(p->mem_ctx,
1091                                           DCERPC_PKT_BIND_ACK,
1092                                           DCERPC_PFC_FLAG_FIRST |
1093                                                 DCERPC_PFC_FLAG_LAST,
1094                                           auth_resp.length,
1095                                           pkt->call_id,
1096                                           &u,
1097                                           &p->out_data.frag);
1098         if (!NT_STATUS_IS_OK(status)) {
1099                 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1100                           nt_errstr(status)));
1101         }
1102
1103         if (auth_resp.length) {
1104
1105                 status = dcerpc_push_dcerpc_auth(pkt,
1106                                                  auth_type,
1107                                                  auth_info.auth_level,
1108                                                  0,
1109                                                  1, /* auth_context_id */
1110                                                  &auth_resp,
1111                                                  &auth_blob);
1112                 if (!NT_STATUS_IS_OK(status)) {
1113                         DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1114                         goto err_exit;
1115                 }
1116         }
1117
1118         /* Now that we have the auth len store it into the right place in
1119          * the dcerpc header */
1120         dcerpc_set_frag_length(&p->out_data.frag,
1121                                 p->out_data.frag.length + auth_blob.length);
1122
1123         if (auth_blob.length) {
1124
1125                 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1126                                         auth_blob.data, auth_blob.length)) {
1127                         DEBUG(0, ("Append of auth info failed.\n"));
1128                         goto err_exit;
1129                 }
1130         }
1131
1132         /*
1133          * Setup the lengths for the initial reply.
1134          */
1135
1136         p->out_data.data_sent_length = 0;
1137         p->out_data.current_pdu_sent = 0;
1138
1139         TALLOC_FREE(auth_blob.data);
1140         return True;
1141
1142   err_exit:
1143
1144         data_blob_free(&p->out_data.frag);
1145         TALLOC_FREE(auth_blob.data);
1146         return setup_bind_nak(p, pkt);
1147 }
1148
1149 /*******************************************************************
1150  This is the "stage3" response after a bind request and reply.
1151 *******************************************************************/
1152
1153 bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
1154 {
1155         struct dcerpc_auth auth_info;
1156         DATA_BLOB response = data_blob_null;
1157         struct auth_ntlmssp_state *ntlmssp_ctx;
1158         struct spnego_context *spnego_ctx;
1159         struct gse_context *gse_ctx;
1160         NTSTATUS status;
1161
1162         DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
1163
1164         if (pkt->auth_length == 0) {
1165                 DEBUG(0, ("No auth field sent for bind request!\n"));
1166                 goto err;
1167         }
1168
1169         /* Ensure there's enough data for an authenticated request. */
1170         if (pkt->frag_length < RPC_HEADER_LEN
1171                                 + DCERPC_AUTH_TRAILER_LENGTH
1172                                 + pkt->auth_length) {
1173                         DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
1174                                 "%u is too large.\n",
1175                         (unsigned int)pkt->auth_length));
1176                 goto err;
1177         }
1178
1179         /*
1180          * Decode the authentication verifier response.
1181          */
1182
1183         status = dcerpc_pull_dcerpc_auth(pkt,
1184                                          &pkt->u.auth3.auth_info,
1185                                          &auth_info, p->endian);
1186         if (!NT_STATUS_IS_OK(status)) {
1187                 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
1188                 goto err;
1189         }
1190
1191         /* We must NEVER look at auth_info->auth_pad_len here,
1192          * as old Samba client code gets it wrong and sends it
1193          * as zero. JRA.
1194          */
1195
1196         if (auth_info.auth_type != p->auth.auth_type) {
1197                 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1198                           "but auth was started as type %d!\n",
1199                           auth_info.auth_type, p->auth.auth_type));
1200                 goto err;
1201         }
1202
1203         switch (auth_info.auth_type) {
1204         case DCERPC_AUTH_TYPE_NTLMSSP:
1205                 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1206                                                     struct auth_ntlmssp_state);
1207                 status = ntlmssp_server_step(ntlmssp_ctx,
1208                                              pkt, &auth_info.credentials,
1209                                              &response);
1210                 break;
1211         case DCERPC_AUTH_TYPE_KRB5:
1212                 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1213                                                 struct gse_context);
1214                 status = gssapi_server_step(gse_ctx,
1215                                             pkt, &auth_info.credentials,
1216                                             &response);
1217                 break;
1218         case DCERPC_AUTH_TYPE_SPNEGO:
1219                 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1220                                                    struct spnego_context);
1221                 status = spnego_server_step(spnego_ctx,
1222                                             pkt, &auth_info.credentials,
1223                                             &response);
1224                 break;
1225         default:
1226                 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
1227                           (unsigned int)auth_info.auth_type));
1228                 return false;
1229         }
1230
1231         if (NT_STATUS_EQUAL(status,
1232                             NT_STATUS_MORE_PROCESSING_REQUIRED) ||
1233             response.length) {
1234                 DEBUG(0, (__location__ ": This was supposed to be the final "
1235                           "leg, but crypto machinery claims a response is "
1236                           "needed, aborting auth!\n"));
1237                 data_blob_free(&response);
1238                 goto err;
1239         }
1240         if (!NT_STATUS_IS_OK(status)) {
1241                 DEBUG(0, ("Auth failed (%s)\n", nt_errstr(status)));
1242                 goto err;
1243         }
1244
1245         /* Now verify auth was indeed successful and extract server info */
1246         status = pipe_auth_verify_final(p);
1247         if (!NT_STATUS_IS_OK(status)) {
1248                 DEBUG(0, ("Auth Verify failed (%s)\n", nt_errstr(status)));
1249                 goto err;
1250         }
1251
1252         return true;
1253
1254 err:
1255
1256         TALLOC_FREE(p->auth.auth_ctx);
1257         return false;
1258 }
1259
1260 /****************************************************************************
1261  Deal with an alter context call. Can be third part of 3 leg auth request for
1262  SPNEGO calls.
1263 ****************************************************************************/
1264
1265 static bool api_pipe_alter_context(struct pipes_struct *p,
1266                                         struct ncacn_packet *pkt)
1267 {
1268         struct dcerpc_auth auth_info;
1269         uint16 assoc_gid;
1270         NTSTATUS status;
1271         union dcerpc_payload u;
1272         struct dcerpc_ack_ctx bind_ack_ctx;
1273         DATA_BLOB auth_resp = data_blob_null;
1274         DATA_BLOB auth_blob = data_blob_null;
1275         int pad_len = 0;
1276         struct auth_ntlmssp_state *ntlmssp_ctx;
1277         struct spnego_context *spnego_ctx;
1278         struct gse_context *gse_ctx;
1279
1280         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1281
1282         if (pkt->u.bind.assoc_group_id != 0) {
1283                 assoc_gid = pkt->u.bind.assoc_group_id;
1284         } else {
1285                 assoc_gid = 0x53f0;
1286         }
1287
1288         /*
1289          * Create the bind response struct.
1290          */
1291
1292         /* If the requested abstract synt uuid doesn't match our client pipe,
1293                 reject the bind_ack & set the transfer interface synt to all 0's,
1294                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1295                 unknown to NT4)
1296                 Needed when adding entries to a DACL from NT5 - SK */
1297
1298         if (check_bind_req(p,
1299                         &pkt->u.bind.ctx_list[0].abstract_syntax,
1300                         &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
1301                         pkt->u.bind.ctx_list[0].context_id)) {
1302
1303                 bind_ack_ctx.result = 0;
1304                 bind_ack_ctx.reason = 0;
1305                 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
1306         } else {
1307                 p->pipe_bound = False;
1308                 /* Rejection reason: abstract syntax not supported */
1309                 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1310                 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1311                 bind_ack_ctx.syntax = null_ndr_syntax_id;
1312         }
1313
1314         /*
1315          * Check if this is an authenticated alter context request.
1316          */
1317         if (pkt->auth_length) {
1318                 /* Quick length check. Won't catch a bad auth footer,
1319                  * prevents overrun. */
1320
1321                 if (pkt->frag_length < RPC_HEADER_LEN +
1322                                         DCERPC_AUTH_TRAILER_LENGTH +
1323                                         pkt->auth_length) {
1324                         DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
1325                                 "too long for fragment %u.\n",
1326                                 (unsigned int)pkt->auth_length,
1327                                 (unsigned int)pkt->frag_length ));
1328                         goto err_exit;
1329                 }
1330
1331                 status = dcerpc_pull_dcerpc_auth(pkt,
1332                                                  &pkt->u.bind.auth_info,
1333                                                  &auth_info, p->endian);
1334                 if (!NT_STATUS_IS_OK(status)) {
1335                         DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1336                         goto err_exit;
1337                 }
1338
1339                 /* We can only finish if the pipe is unbound for now */
1340                 if (p->pipe_bound) {
1341                         DEBUG(0, (__location__ ": Pipe already bound, "
1342                                   "Altering Context not yet supported!\n"));
1343                         goto err_exit;
1344                 }
1345
1346                 if (auth_info.auth_type != p->auth.auth_type) {
1347                         DEBUG(0, ("Auth type mismatch! Client sent %d, "
1348                                   "but auth was started as type %d!\n",
1349                                   auth_info.auth_type, p->auth.auth_type));
1350                         goto err_exit;
1351                 }
1352
1353
1354                 switch (auth_info.auth_type) {
1355                 case DCERPC_AUTH_TYPE_SPNEGO:
1356                         spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1357                                                         struct spnego_context);
1358                         status = spnego_server_step(spnego_ctx,
1359                                                     pkt,
1360                                                     &auth_info.credentials,
1361                                                     &auth_resp);
1362                         break;
1363
1364                 case DCERPC_AUTH_TYPE_KRB5:
1365                         gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1366                                                         struct gse_context);
1367                         status = gssapi_server_step(gse_ctx,
1368                                                     pkt,
1369                                                     &auth_info.credentials,
1370                                                     &auth_resp);
1371                         break;
1372                 case DCERPC_AUTH_TYPE_NTLMSSP:
1373                         ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1374                                                     struct auth_ntlmssp_state);
1375                         status = ntlmssp_server_step(ntlmssp_ctx,
1376                                                      pkt,
1377                                                      &auth_info.credentials,
1378                                                      &auth_resp);
1379                         break;
1380
1381                 default:
1382                         DEBUG(3, (__location__ ": Usupported auth type (%d) "
1383                                   "in alter-context call\n",
1384                                   auth_info.auth_type));
1385                         goto err_exit;
1386                 }
1387
1388                 if (NT_STATUS_IS_OK(status)) {
1389                         /* third leg of auth, verify auth info */
1390                         status = pipe_auth_verify_final(p);
1391                         if (!NT_STATUS_IS_OK(status)) {
1392                                 DEBUG(0, ("Auth Verify failed (%s)\n",
1393                                           nt_errstr(status)));
1394                                 goto err_exit;
1395                         }
1396                 } else if (NT_STATUS_EQUAL(status,
1397                                         NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1398                         DEBUG(10, ("More auth legs required.\n"));
1399                 } else {
1400                         DEBUG(0, ("Auth step returned an error (%s)\n",
1401                                   nt_errstr(status)));
1402                         goto err_exit;
1403                 }
1404         }
1405
1406         ZERO_STRUCT(u.alter_resp);
1407         u.alter_resp.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1408         u.alter_resp.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1409         u.alter_resp.assoc_group_id = assoc_gid;
1410
1411         /* secondary address CAN be NULL
1412          * as the specs say it's ignored.
1413          * It MUST be NULL to have the spoolss working.
1414          */
1415         u.alter_resp.secondary_address = "";
1416         u.alter_resp.secondary_address_size = 1;
1417
1418         u.alter_resp.num_results = 1;
1419         u.alter_resp.ctx_list = &bind_ack_ctx;
1420
1421         /* NOTE: We leave the auth_info empty so we can calculate the padding
1422          * later and then append the auth_info --simo */
1423
1424         /*
1425          * Marshall directly into the outgoing PDU space. We
1426          * must do this as we need to set to the bind response
1427          * header and are never sending more than one PDU here.
1428          */
1429
1430         status = dcerpc_push_ncacn_packet(p->mem_ctx,
1431                                           DCERPC_PKT_ALTER_RESP,
1432                                           DCERPC_PFC_FLAG_FIRST |
1433                                                 DCERPC_PFC_FLAG_LAST,
1434                                           auth_resp.length,
1435                                           pkt->call_id,
1436                                           &u,
1437                                           &p->out_data.frag);
1438         if (!NT_STATUS_IS_OK(status)) {
1439                 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1440                           nt_errstr(status)));
1441         }
1442
1443         if (auth_resp.length) {
1444
1445                 /* Work out any padding needed before the auth footer. */
1446                 pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE;
1447                 if (pad_len) {
1448                         pad_len = SERVER_NDR_PADDING_SIZE - pad_len;
1449                         DEBUG(10, ("auth pad_len = %u\n",
1450                                    (unsigned int)pad_len));
1451                 }
1452
1453                 status = dcerpc_push_dcerpc_auth(pkt,
1454                                                  auth_info.auth_type,
1455                                                  auth_info.auth_level,
1456                                                  pad_len,
1457                                                  1, /* auth_context_id */
1458                                                  &auth_resp,
1459                                                  &auth_blob);
1460                 if (!NT_STATUS_IS_OK(status)) {
1461                         DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1462                         goto err_exit;
1463                 }
1464         }
1465
1466         /* Now that we have the auth len store it into the right place in
1467          * the dcerpc header */
1468         dcerpc_set_frag_length(&p->out_data.frag,
1469                                 p->out_data.frag.length +
1470                                         pad_len + auth_blob.length);
1471
1472         if (auth_resp.length) {
1473                 if (pad_len) {
1474                         char pad[SERVER_NDR_PADDING_SIZE];
1475                         memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1476                         if (!data_blob_append(p->mem_ctx,
1477                                                 &p->out_data.frag,
1478                                                 pad, pad_len)) {
1479                                 DEBUG(0, ("api_pipe_bind_req: failed to add "
1480                                           "%u bytes of pad data.\n",
1481                                           (unsigned int)pad_len));
1482                                 goto err_exit;
1483                         }
1484                 }
1485
1486                 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1487                                         auth_blob.data, auth_blob.length)) {
1488                         DEBUG(0, ("Append of auth info failed.\n"));
1489                         goto err_exit;
1490                 }
1491         }
1492
1493         /*
1494          * Setup the lengths for the initial reply.
1495          */
1496
1497         p->out_data.data_sent_length = 0;
1498         p->out_data.current_pdu_sent = 0;
1499
1500         TALLOC_FREE(auth_blob.data);
1501         return True;
1502
1503   err_exit:
1504
1505         data_blob_free(&p->out_data.frag);
1506         TALLOC_FREE(auth_blob.data);
1507         return setup_bind_nak(p, pkt);
1508 }
1509
1510 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1511                        const struct api_struct *api_rpc_cmds, int n_cmds,
1512                        const struct ndr_syntax_id *syntax);
1513
1514 /****************************************************************************
1515  Find the correct RPC function to call for this request.
1516  If the pipe is authenticated then become the correct UNIX user
1517  before doing the call.
1518 ****************************************************************************/
1519
1520 static bool api_pipe_request(struct pipes_struct *p,
1521                                 struct ncacn_packet *pkt)
1522 {
1523         bool ret = False;
1524         struct pipe_rpc_fns *pipe_fns;
1525
1526         if (!p->pipe_bound) {
1527                 DEBUG(1, ("Pipe not bound!\n"));
1528                 data_blob_free(&p->out_data.rdata);
1529                 return false;
1530         }
1531
1532         if (!become_authenticated_pipe_user(p->session_info)) {
1533                 DEBUG(1, ("Failed to become pipe user!\n"));
1534                 data_blob_free(&p->out_data.rdata);
1535                 return false;
1536         }
1537
1538         /* get the set of RPC functions for this context */
1539
1540         pipe_fns = find_pipe_fns_by_context(p->contexts,
1541                                             pkt->u.request.context_id);
1542
1543         if ( pipe_fns ) {
1544                 TALLOC_CTX *frame = talloc_stackframe();
1545
1546                 DEBUG(5, ("Requested %s rpc service\n",
1547                           get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
1548
1549                 ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds,
1550                                  &pipe_fns->syntax);
1551
1552                 TALLOC_FREE(frame);
1553         }
1554         else {
1555                 DEBUG(0, ("No rpc function table associated with context "
1556                           "[%d]\n",
1557                           pkt->u.request.context_id));
1558         }
1559
1560         unbecome_authenticated_pipe_user();
1561
1562         return ret;
1563 }
1564
1565 /*******************************************************************
1566  Calls the underlying RPC function for a named pipe.
1567  ********************************************************************/
1568
1569 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1570                        const struct api_struct *api_rpc_cmds, int n_cmds,
1571                        const struct ndr_syntax_id *syntax)
1572 {
1573         int fn_num;
1574         uint32_t offset1;
1575
1576         /* interpret the command */
1577         DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
1578                  get_pipe_name_from_syntax(talloc_tos(), syntax),
1579                  pkt->u.request.opnum));
1580
1581         if (DEBUGLEVEL >= 50) {
1582                 fstring name;
1583                 slprintf(name, sizeof(name)-1, "in_%s",
1584                          get_pipe_name_from_syntax(talloc_tos(), syntax));
1585                 dump_pdu_region(name, pkt->u.request.opnum,
1586                                 &p->in_data.data, 0,
1587                                 p->in_data.data.length);
1588         }
1589
1590         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1591                 if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum &&
1592                     api_rpc_cmds[fn_num].fn != NULL) {
1593                         DEBUG(3, ("api_rpcTNP: rpc command: %s\n",
1594                                   api_rpc_cmds[fn_num].name));
1595                         break;
1596                 }
1597         }
1598
1599         if (fn_num == n_cmds) {
1600                 /*
1601                  * For an unknown RPC just return a fault PDU but
1602                  * return True to allow RPC's on the pipe to continue
1603                  * and not put the pipe into fault state. JRA.
1604                  */
1605                 DEBUG(4, ("unknown\n"));
1606                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1607                 return True;
1608         }
1609
1610         offset1 = p->out_data.rdata.length;
1611
1612         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
1613                 fn_num, api_rpc_cmds[fn_num].fn));
1614         /* do the actual command */
1615         if(!api_rpc_cmds[fn_num].fn(p)) {
1616                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
1617                          get_pipe_name_from_syntax(talloc_tos(), syntax),
1618                          api_rpc_cmds[fn_num].name));
1619                 data_blob_free(&p->out_data.rdata);
1620                 return False;
1621         }
1622
1623         if (p->bad_handle_fault_state) {
1624                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1625                 p->bad_handle_fault_state = False;
1626                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
1627                 return True;
1628         }
1629
1630         if (p->rng_fault_state) {
1631                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
1632                 p->rng_fault_state = False;
1633                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1634                 return True;
1635         }
1636
1637         if (DEBUGLEVEL >= 50) {
1638                 fstring name;
1639                 slprintf(name, sizeof(name)-1, "out_%s",
1640                          get_pipe_name_from_syntax(talloc_tos(), syntax));
1641                 dump_pdu_region(name, pkt->u.request.opnum,
1642                                 &p->out_data.rdata, offset1,
1643                                 p->out_data.rdata.length);
1644         }
1645
1646         DEBUG(5,("api_rpcTNP: called %s successfully\n",
1647                  get_pipe_name_from_syntax(talloc_tos(), syntax)));
1648
1649         /* Check for buffer underflow in rpc parsing */
1650         if ((DEBUGLEVEL >= 10) &&
1651             (pkt->frag_length < p->in_data.data.length)) {
1652                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1653                 dump_data(10, p->in_data.data.data + pkt->frag_length,
1654                               p->in_data.data.length - pkt->frag_length);
1655         }
1656
1657         return True;
1658 }
1659
1660 /****************************************************************************
1661  Initialise an outgoing packet.
1662 ****************************************************************************/
1663
1664 static bool pipe_init_outgoing_data(struct pipes_struct *p)
1665 {
1666         output_data *o_data = &p->out_data;
1667
1668         /* Reset the offset counters. */
1669         o_data->data_sent_length = 0;
1670         o_data->current_pdu_sent = 0;
1671
1672         data_blob_free(&o_data->frag);
1673
1674         /* Free any memory in the current return data buffer. */
1675         data_blob_free(&o_data->rdata);
1676
1677         return True;
1678 }
1679
1680 /****************************************************************************
1681  Sets the fault state on incoming packets.
1682 ****************************************************************************/
1683
1684 void set_incoming_fault(struct pipes_struct *p)
1685 {
1686         data_blob_free(&p->in_data.data);
1687         p->in_data.pdu_needed_len = 0;
1688         p->in_data.pdu.length = 0;
1689         p->fault_state = True;
1690
1691         DEBUG(10, ("Setting fault state\n"));
1692 }
1693
1694 static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
1695                                     struct ncacn_packet *pkt,
1696                                     DATA_BLOB *raw_pkt)
1697 {
1698         NTSTATUS status;
1699         size_t hdr_size = DCERPC_REQUEST_LENGTH;
1700         size_t pad_len;
1701
1702         DEBUG(10, ("Checking request auth.\n"));
1703
1704         if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
1705                 hdr_size += 16;
1706         }
1707
1708         /* in case of sealing this function will unseal the data in place */
1709         status = dcerpc_check_auth(auth, pkt,
1710                                    &pkt->u.request.stub_and_verifier,
1711                                    hdr_size, raw_pkt,
1712                                    &pad_len);
1713         if (!NT_STATUS_IS_OK(status)) {
1714                 return status;
1715         }
1716
1717
1718         /* remove padding and auth trailer,
1719          * this way the caller will get just the data */
1720         if (pkt->auth_length) {
1721                 size_t trail_len = pad_len
1722                                         + DCERPC_AUTH_TRAILER_LENGTH
1723                                         + pkt->auth_length;
1724                 if (pkt->u.request.stub_and_verifier.length < trail_len) {
1725                         return NT_STATUS_INFO_LENGTH_MISMATCH;
1726                 }
1727                 pkt->u.request.stub_and_verifier.length -= trail_len;
1728         }
1729
1730         return NT_STATUS_OK;
1731 }
1732
1733 /****************************************************************************
1734  Processes a request pdu. This will do auth processing if needed, and
1735  appends the data into the complete stream if the LAST flag is not set.
1736 ****************************************************************************/
1737
1738 static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
1739 {
1740         NTSTATUS status;
1741         DATA_BLOB data;
1742
1743         if (!p->pipe_bound) {
1744                 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
1745                 set_incoming_fault(p);
1746                 return False;
1747         }
1748
1749         /* Store the opnum */
1750         p->opnum = pkt->u.request.opnum;
1751
1752         status = dcesrv_auth_request(&p->auth, pkt, &p->in_data.pdu);
1753         if (!NT_STATUS_IS_OK(status)) {
1754                 DEBUG(0, ("Failed to check packet auth. (%s)\n",
1755                           nt_errstr(status)));
1756                 set_incoming_fault(p);
1757                 return false;
1758         }
1759
1760         data = pkt->u.request.stub_and_verifier;
1761
1762         /*
1763          * Check the data length doesn't go over the 15Mb limit.
1764          * increased after observing a bug in the Windows NT 4.0 SP6a
1765          * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
1766          * will not fit in the initial buffer of size 0x1068   --jerry 22/01/2002
1767          */
1768
1769         if (p->in_data.data.length + data.length > MAX_RPC_DATA_SIZE) {
1770                 DEBUG(0, ("process_request_pdu: "
1771                           "rpc data buffer too large (%u) + (%u)\n",
1772                           (unsigned int)p->in_data.data.length,
1773                           (unsigned int)data.length));
1774                 set_incoming_fault(p);
1775                 return False;
1776         }
1777
1778         /*
1779          * Append the data portion into the buffer and return.
1780          */
1781
1782         if (data.length) {
1783                 if (!data_blob_append(p->mem_ctx, &p->in_data.data,
1784                                           data.data, data.length)) {
1785                         DEBUG(0, ("Unable to append data size %u "
1786                                   "to parse buffer of size %u.\n",
1787                                   (unsigned int)data.length,
1788                                   (unsigned int)p->in_data.data.length));
1789                         set_incoming_fault(p);
1790                         return False;
1791                 }
1792         }
1793
1794         if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
1795                 bool ret = False;
1796                 /*
1797                  * Ok - we finally have a complete RPC stream.
1798                  * Call the rpc command to process it.
1799                  */
1800
1801                 /*
1802                  * Process the complete data stream here.
1803                  */
1804                 if (pipe_init_outgoing_data(p)) {
1805                         ret = api_pipe_request(p, pkt);
1806                 }
1807
1808                 return ret;
1809         }
1810
1811         return True;
1812 }
1813
1814 /****************************************************************************
1815  Processes a finished PDU stored in p->in_data.pdu.
1816 ****************************************************************************/
1817
1818 void process_complete_pdu(struct pipes_struct *p)
1819 {
1820         struct ncacn_packet *pkt = NULL;
1821         NTSTATUS status;
1822         bool reply = False;
1823
1824         if(p->fault_state) {
1825                 DEBUG(10,("RPC connection in fault state.\n"));
1826                 goto done;
1827         }
1828
1829         pkt = talloc(p->mem_ctx, struct ncacn_packet);
1830         if (!pkt) {
1831                 DEBUG(0, ("Out of memory!\n"));
1832                 goto done;
1833         }
1834
1835         /*
1836          * Ensure we're using the corrent endianness for both the
1837          * RPC header flags and the raw data we will be reading from.
1838          */
1839         if (dcerpc_get_endian_flag(&p->in_data.pdu) & DCERPC_DREP_LE) {
1840                 p->endian = RPC_LITTLE_ENDIAN;
1841         } else {
1842                 p->endian = RPC_BIG_ENDIAN;
1843         }
1844         DEBUG(10, ("PDU is in %s Endian format!\n", p->endian?"Big":"Little"));
1845
1846         status = dcerpc_pull_ncacn_packet(pkt, &p->in_data.pdu,
1847                                           pkt, p->endian);
1848         if (!NT_STATUS_IS_OK(status)) {
1849                 DEBUG(0, ("Failed to unmarshal rpc packet: %s!\n",
1850                           nt_errstr(status)));
1851                 goto done;
1852         }
1853
1854         /* Store the call_id */
1855         p->call_id = pkt->call_id;
1856
1857         DEBUG(10, ("Processing packet type %u\n", (unsigned int)pkt->ptype));
1858
1859         switch (pkt->ptype) {
1860         case DCERPC_PKT_REQUEST:
1861                 reply = process_request_pdu(p, pkt);
1862                 break;
1863
1864         case DCERPC_PKT_PING: /* CL request - ignore... */
1865                 DEBUG(0, ("Error - Connectionless packet type %u received\n",
1866                           (unsigned int)pkt->ptype));
1867                 break;
1868
1869         case DCERPC_PKT_RESPONSE: /* No responses here. */
1870                 DEBUG(0, ("Error - DCERPC_PKT_RESPONSE received from client"));
1871                 break;
1872
1873         case DCERPC_PKT_FAULT:
1874         case DCERPC_PKT_WORKING:
1875                 /* CL request - reply to a ping when a call in process. */
1876         case DCERPC_PKT_NOCALL:
1877                 /* CL - server reply to a ping call. */
1878         case DCERPC_PKT_REJECT:
1879         case DCERPC_PKT_ACK:
1880         case DCERPC_PKT_CL_CANCEL:
1881         case DCERPC_PKT_FACK:
1882         case DCERPC_PKT_CANCEL_ACK:
1883                 DEBUG(0, ("Error - Connectionless packet type %u received\n",
1884                           (unsigned int)pkt->ptype));
1885                 break;
1886
1887         case DCERPC_PKT_BIND:
1888                 /*
1889                  * We assume that a pipe bind is only in one pdu.
1890                  */
1891                 if (pipe_init_outgoing_data(p)) {
1892                         reply = api_pipe_bind_req(p, pkt);
1893                 }
1894                 break;
1895
1896         case DCERPC_PKT_BIND_ACK:
1897         case DCERPC_PKT_BIND_NAK:
1898                 DEBUG(0, ("Error - DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
1899                           "packet type %u received.\n",
1900                           (unsigned int)pkt->ptype));
1901                 break;
1902
1903
1904         case DCERPC_PKT_ALTER:
1905                 /*
1906                  * We assume that a pipe bind is only in one pdu.
1907                  */
1908                 if (pipe_init_outgoing_data(p)) {
1909                         reply = api_pipe_alter_context(p, pkt);
1910                 }
1911                 break;
1912
1913         case DCERPC_PKT_ALTER_RESP:
1914                 DEBUG(0, ("Error - DCERPC_PKT_ALTER_RESP received: "
1915                           "Should only be server -> client.\n"));
1916                 break;
1917
1918         case DCERPC_PKT_AUTH3:
1919                 /*
1920                  * The third packet in an auth exchange.
1921                  */
1922                 if (pipe_init_outgoing_data(p)) {
1923                         reply = api_pipe_bind_auth3(p, pkt);
1924                 }
1925                 break;
1926
1927         case DCERPC_PKT_SHUTDOWN:
1928                 DEBUG(0, ("Error - DCERPC_PKT_SHUTDOWN received: "
1929                           "Should only be server -> client.\n"));
1930                 break;
1931
1932         case DCERPC_PKT_CO_CANCEL:
1933                 /* For now just free all client data and continue
1934                  * processing. */
1935                 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL."
1936                          " Abandoning rpc call.\n"));
1937                 /* As we never do asynchronous RPC serving, we can
1938                  * never cancel a call (as far as I know).
1939                  * If we ever did we'd have to send a cancel_ack reply.
1940                  * For now, just free all client data and continue
1941                  * processing. */
1942                 reply = True;
1943                 break;
1944
1945 #if 0
1946                 /* Enable this if we're doing async rpc. */
1947                 /* We must check the outstanding callid matches. */
1948                 if (pipe_init_outgoing_data(p)) {
1949                         /* Send a cancel_ack PDU reply. */
1950                         /* We should probably check the auth-verifier here. */
1951                         reply = setup_cancel_ack_reply(p, pkt);
1952                 }
1953                 break;
1954 #endif
1955
1956         case DCERPC_PKT_ORPHANED:
1957                 /* We should probably check the auth-verifier here.
1958                  * For now just free all client data and continue
1959                  * processing. */
1960                 DEBUG(3, ("process_complete_pdu: DCERPC_PKT_ORPHANED."
1961                           " Abandoning rpc call.\n"));
1962                 reply = True;
1963                 break;
1964
1965         default:
1966                 DEBUG(0, ("process_complete_pdu: "
1967                           "Unknown rpc type = %u received.\n",
1968                           (unsigned int)pkt->ptype));
1969                 break;
1970         }
1971
1972 done:
1973         if (!reply) {
1974                 DEBUG(3,("DCE/RPC fault sent!"));
1975                 set_incoming_fault(p);
1976                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1977                 TALLOC_FREE(pkt);
1978         } else {
1979                 /*
1980                  * Reset the lengths. We're ready for a new pdu.
1981                  */
1982                 TALLOC_FREE(p->in_data.pdu.data);
1983                 p->in_data.pdu_needed_len = 0;
1984                 p->in_data.pdu.length = 0;
1985         }
1986
1987         TALLOC_FREE(pkt);
1988 }
1989