s3-dcerpc: finally remove the legaqcy spnego_type variable from pipe_auth_data
[samba.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31 #include "srv_pipe_internal.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/spnego.h"
35 #include "dcesrv_ntlmssp.h"
36 #include "dcesrv_gssapi.h"
37 #include "dcesrv_spnego.h"
38 #include "rpc_server.h"
39 #include "rpc_dce.h"
40
41 #undef DBGC_CLASS
42 #define DBGC_CLASS DBGC_RPC_SRV
43
44 /**
45  * Dump everything from the start of the end up of the provided data
46  * into a file, but only at debug level >= 50
47  **/
48 static void dump_pdu_region(const char *name, int v,
49                             DATA_BLOB *data, size_t start, size_t end)
50 {
51         int fd, i;
52         char *fname = NULL;
53         ssize_t sz;
54
55         if (DEBUGLEVEL < 50) return;
56
57         if (start > data->length || end > data->length || start > end) return;
58
59         for (i = 1; i < 100; i++) {
60                 if (v != -1) {
61                         fname = talloc_asprintf(talloc_tos(),
62                                                 "/tmp/%s_%d.%d.prs",
63                                                 name, v, i);
64                 } else {
65                         fname = talloc_asprintf(talloc_tos(),
66                                                 "/tmp/%s_%d.prs",
67                                                 name, i);
68                 }
69                 if (!fname) {
70                         return;
71                 }
72                 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
73                 if (fd != -1 || errno != EEXIST) break;
74         }
75         if (fd != -1) {
76                 sz = write(fd, data->data + start, end - start);
77                 i = close(fd);
78                 if ((sz != end - start) || (i != 0) ) {
79                         DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n",
80                                   fname, (unsigned long)sz,
81                                   (unsigned long)end - start, i));
82                 } else {
83                         DEBUG(0,("created %s\n", fname));
84                 }
85         }
86         TALLOC_FREE(fname);
87 }
88
89 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
90 {
91         TALLOC_FREE(auth->a_u.auth_ntlmssp_state);
92 }
93
94 static void free_pipe_schannel_auth_data(struct pipe_auth_data *auth)
95 {
96         TALLOC_FREE(auth->a_u.schannel_auth);
97 }
98
99 static void free_pipe_gssapi_auth_data(struct pipe_auth_data *auth)
100 {
101         TALLOC_FREE(auth->a_u.gssapi_state);
102 }
103
104 static void free_pipe_spnego_auth_data(struct pipe_auth_data *auth)
105 {
106         TALLOC_FREE(auth->a_u.spnego_state);
107 }
108
109 static void free_pipe_auth_data(struct pipe_auth_data *auth)
110 {
111         if (auth->auth_data_free_func) {
112                 (*auth->auth_data_free_func)(auth);
113                 auth->auth_data_free_func = NULL;
114         }
115 }
116
117 static DATA_BLOB generic_session_key(void)
118 {
119         return data_blob("SystemLibraryDTC", 16);
120 }
121
122 /*******************************************************************
123  Generate the next PDU to be returned from the data.
124 ********************************************************************/
125
126 static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
127                                    struct pipe_auth_data *auth,
128                                    uint32_t call_id,
129                                    DATA_BLOB *rdata,
130                                    size_t data_sent_length,
131                                    DATA_BLOB *frag,
132                                    size_t *pdu_size)
133 {
134         union dcerpc_payload u;
135         uint8_t pfc_flags;
136         size_t data_left;
137         size_t data_to_send;
138         size_t frag_len;
139         size_t pad_len = 0;
140         size_t auth_len = 0;
141         NTSTATUS status;
142
143         ZERO_STRUCT(u.response);
144
145         /* Set up rpc packet pfc flags. */
146         if (data_sent_length == 0) {
147                 pfc_flags = DCERPC_PFC_FLAG_FIRST;
148         } else {
149                 pfc_flags = 0;
150         }
151
152         /* Work out how much we can fit in a single PDU. */
153         data_left = rdata->length - data_sent_length;
154
155         /* Ensure there really is data left to send. */
156         if (!data_left) {
157                 DEBUG(0, ("No data left to send !\n"));
158                 return NT_STATUS_BUFFER_TOO_SMALL;
159         }
160
161         status = dcerpc_guess_sizes(auth,
162                                     DCERPC_RESPONSE_LENGTH,
163                                     data_left,
164                                     RPC_MAX_PDU_FRAG_LEN,
165                                     SERVER_NDR_PADDING_SIZE,
166                                     &data_to_send, &frag_len,
167                                     &auth_len, &pad_len);
168         if (!NT_STATUS_IS_OK(status)) {
169                 return status;
170         }
171
172         /* Set up the alloc hint. This should be the data left to send. */
173         u.response.alloc_hint = data_left;
174
175         /* Work out if this PDU will be the last. */
176         if (data_sent_length + data_to_send >= rdata->length) {
177                 pfc_flags |= DCERPC_PFC_FLAG_LAST;
178         }
179
180         /* Prepare data to be NDR encoded. */
181         u.response.stub_and_verifier =
182                 data_blob_const(rdata->data + data_sent_length, data_to_send);
183
184         /* Store the packet in the data stream. */
185         status = dcerpc_push_ncacn_packet(mem_ctx, DCERPC_PKT_RESPONSE,
186                                           pfc_flags, auth_len, call_id,
187                                           &u, frag);
188         if (!NT_STATUS_IS_OK(status)) {
189                 DEBUG(0, ("Failed to marshall RPC Packet.\n"));
190                 return status;
191         }
192
193         if (auth_len) {
194                 /* Set the proper length on the pdu, including padding.
195                  * Only needed if an auth trailer will be appended. */
196                 dcerpc_set_frag_length(frag, frag->length
197                                                 + pad_len
198                                                 + DCERPC_AUTH_TRAILER_LENGTH
199                                                 + auth_len);
200         }
201
202         if (auth_len) {
203                 status = dcerpc_add_auth_footer(auth, pad_len, frag);
204                 if (!NT_STATUS_IS_OK(status)) {
205                         data_blob_free(frag);
206                         return status;
207                 }
208         }
209
210         *pdu_size = data_to_send;
211         return NT_STATUS_OK;
212 }
213
214 /*******************************************************************
215  Generate the next PDU to be returned from the data in p->rdata. 
216 ********************************************************************/
217
218 bool create_next_pdu(struct pipes_struct *p)
219 {
220         size_t pdu_size = 0;
221         NTSTATUS status;
222
223         /*
224          * If we're in the fault state, keep returning fault PDU's until
225          * the pipe gets closed. JRA.
226          */
227         if (p->fault_state) {
228                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
229                 return true;
230         }
231
232         status = create_next_packet(p->mem_ctx, &p->auth,
233                                     p->call_id, &p->out_data.rdata,
234                                     p->out_data.data_sent_length,
235                                     &p->out_data.frag, &pdu_size);
236         if (!NT_STATUS_IS_OK(status)) {
237                 DEBUG(0, ("Failed to create packet with error %s, "
238                           "(auth level %u / type %u)\n",
239                           nt_errstr(status),
240                           (unsigned int)p->auth.auth_level,
241                           (unsigned int)p->auth.auth_type));
242                 return false;
243         }
244
245         /* Setup the counts for this PDU. */
246         p->out_data.data_sent_length += pdu_size;
247         p->out_data.current_pdu_sent = 0;
248         return true;
249 }
250
251 /*******************************************************************
252  Process an NTLMSSP authentication response.
253  If this function succeeds, the user has been authenticated
254  and their domain, name and calling workstation stored in
255  the pipe struct.
256 *******************************************************************/
257
258 static bool pipe_ntlmssp_verify_final(TALLOC_CTX *mem_ctx,
259                                 struct auth_ntlmssp_state *ntlmssp_ctx,
260                                 enum dcerpc_AuthLevel auth_level,
261                                 struct client_address *client_id,
262                                 struct ndr_syntax_id *syntax,
263                                 struct auth_serversupplied_info **server_info)
264 {
265         DATA_BLOB session_key;
266         NTSTATUS status;
267         bool ret;
268
269         DEBUG(5, (__location__ ": pipe %s checking user details\n",
270                  get_pipe_name_from_syntax(talloc_tos(), syntax)));
271
272         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
273            ensure the underlying NTLMSSP flags are also set. If not we should
274            refuse the bind. */
275
276         status = ntlmssp_server_check_flags(ntlmssp_ctx,
277                                             (auth_level ==
278                                                 DCERPC_AUTH_LEVEL_INTEGRITY),
279                                             (auth_level ==
280                                                 DCERPC_AUTH_LEVEL_PRIVACY));
281         if (!NT_STATUS_IS_OK(status)) {
282                 DEBUG(0, (__location__ ": Client failed to negotatie proper "
283                           "security for pipe %s\n",
284                           get_pipe_name_from_syntax(talloc_tos(), syntax)));
285                 return false;
286         }
287
288         TALLOC_FREE(*server_info);
289
290         status = ntlmssp_server_get_user_info(ntlmssp_ctx,
291                                                 mem_ctx, server_info);
292         if (!NT_STATUS_IS_OK(status)) {
293                 DEBUG(0, (__location__ ": failed to obtain the server info "
294                           "for authenticated user: %s\n", nt_errstr(status)));
295                 return false;
296         }
297
298         if ((*server_info)->ptok == NULL) {
299                 DEBUG(1, ("Auth module failed to provide nt_user_token\n"));
300                 return false;
301         }
302
303         /*
304          * We're an authenticated bind over smb, so the session key needs to
305          * be set to "SystemLibraryDTC". Weird, but this is what Windows
306          * does. See the RPC-SAMBA3SESSIONKEY.
307          */
308
309         session_key = generic_session_key();
310         if (session_key.data == NULL) {
311                 return false;
312         }
313
314         ret = server_info_set_session_key((*server_info), session_key);
315         data_blob_free(&session_key);
316         if (!ret) {
317                 DEBUG(0, ("Failed to set session key!\n"));
318                 return false;
319         }
320
321         return true;
322 }
323
324 static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
325                                          struct gse_context *gse_ctx,
326                                          struct client_address *client_id,
327                                          struct auth_serversupplied_info **server_info);
328
329 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p);
330
331 /*******************************************************************
332  This is the "stage3" response after a bind request and reply.
333 *******************************************************************/
334
335 bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
336 {
337         struct dcerpc_auth auth_info;
338         DATA_BLOB response = data_blob_null;
339         NTSTATUS status;
340
341         DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
342
343         if (pkt->auth_length == 0) {
344                 DEBUG(0, ("No auth field sent for bind request!\n"));
345                 goto err;
346         }
347
348         /* Ensure there's enough data for an authenticated request. */
349         if (pkt->frag_length < RPC_HEADER_LEN
350                                 + DCERPC_AUTH_TRAILER_LENGTH
351                                 + pkt->auth_length) {
352                         DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
353                                 "%u is too large.\n",
354                         (unsigned int)pkt->auth_length));
355                 goto err;
356         }
357
358         /*
359          * Decode the authentication verifier response.
360          */
361
362         status = dcerpc_pull_dcerpc_auth(pkt,
363                                          &pkt->u.auth3.auth_info,
364                                          &auth_info, p->endian);
365         if (!NT_STATUS_IS_OK(status)) {
366                 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
367                 goto err;
368         }
369
370         /* We must NEVER look at auth_info->auth_pad_len here,
371          * as old Samba client code gets it wrong and sends it
372          * as zero. JRA.
373          */
374
375         switch (auth_info.auth_type) {
376         case DCERPC_AUTH_TYPE_NTLMSSP:
377                 status = ntlmssp_server_step(p->auth.a_u.auth_ntlmssp_state,
378                                              pkt, &auth_info.credentials,
379                                              &response);
380                 break;
381         case DCERPC_AUTH_TYPE_KRB5:
382                 status = gssapi_server_step(p->auth.a_u.gssapi_state,
383                                             pkt, &auth_info.credentials,
384                                             &response);
385                 break;
386         case DCERPC_AUTH_TYPE_SPNEGO:
387                 status = spnego_server_step(p->auth.a_u.spnego_state,
388                                             pkt, &auth_info.credentials,
389                                             &response);
390                 break;
391         default:
392                 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
393                           (unsigned int)auth_info.auth_type));
394                 return false;
395         }
396
397         if (NT_STATUS_EQUAL(status,
398                             NT_STATUS_MORE_PROCESSING_REQUIRED) ||
399             response.length) {
400                 DEBUG(0, (__location__ ": This was supposed to be the final "
401                           "leg, but crypto machinery claims a response is "
402                           "needed, aborting auth!\n"));
403                 data_blob_free(&response);
404                 goto err;
405         }
406         if (!NT_STATUS_IS_OK(status)) {
407                 DEBUG(0, ("Auth failed (%s)\n", nt_errstr(status)));
408                 goto err;
409         }
410
411         /* Now verify auth was indeed successful and extract server info */
412         status = pipe_auth_verify_final(p);
413         if (!NT_STATUS_IS_OK(status)) {
414                 DEBUG(0, ("Auth Verify failed (%s)\n", nt_errstr(status)));
415                 goto err;
416         }
417
418         return true;
419
420 err:
421
422         free_pipe_auth_data(&p->auth);
423         return false;
424 }
425
426
427 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
428 {
429         enum spnego_mech auth_type;
430         struct auth_ntlmssp_state *ntlmssp_ctx;
431         struct gse_context *gse_ctx;
432         void *mech_ctx;
433         NTSTATUS status;
434
435         switch (p->auth.auth_type) {
436         case DCERPC_AUTH_TYPE_NTLMSSP:
437                 if (!pipe_ntlmssp_verify_final(p,
438                                         p->auth.a_u.auth_ntlmssp_state,
439                                         p->auth.auth_level,
440                                         p->client_id, &p->syntax,
441                                         &p->server_info)) {
442                         return NT_STATUS_ACCESS_DENIED;
443                 }
444                 break;
445         case DCERPC_AUTH_TYPE_KRB5:
446                 status = pipe_gssapi_verify_final(p,
447                                         p->auth.a_u.gssapi_state,
448                                         p->client_id,
449                                         &p->server_info);
450                 if (!NT_STATUS_IS_OK(status)) {
451                         DEBUG(1, ("gssapi bind failed with: %s",
452                                   nt_errstr(status)));
453                         return status;
454                 }
455                 break;
456         case DCERPC_AUTH_TYPE_SPNEGO:
457                 status = spnego_get_negotiated_mech(p->auth.a_u.spnego_state,
458                                                     &auth_type, &mech_ctx);
459                 if (!NT_STATUS_IS_OK(status)) {
460                         DEBUG(0, ("Bad SPNEGO state (%s)\n",
461                                   nt_errstr(status)));
462                         return status;
463                 }
464                 switch(auth_type) {
465                 case SPNEGO_KRB5:
466                         gse_ctx = talloc_get_type_abort(mech_ctx,
467                                                         struct gse_context);
468                         status = pipe_gssapi_verify_final(p, gse_ctx,
469                                                           p->client_id,
470                                                           &p->server_info);
471                         if (!NT_STATUS_IS_OK(status)) {
472                                 DEBUG(1, ("gssapi bind failed with: %s",
473                                           nt_errstr(status)));
474                                 return status;
475                         }
476                         break;
477                 case SPNEGO_NTLMSSP:
478                         ntlmssp_ctx = talloc_get_type_abort(mech_ctx,
479                                                 struct auth_ntlmssp_state);
480                         if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
481                                                         p->auth.auth_level,
482                                                         p->client_id,
483                                                         &p->syntax,
484                                                         &p->server_info)) {
485                                 return NT_STATUS_ACCESS_DENIED;
486                         }
487                         break;
488                 default:
489                         DEBUG(0, (__location__ ": incorrect spnego type "
490                                   "(%d).\n", auth_type));
491                         return NT_STATUS_ACCESS_DENIED;
492                 }
493                 break;
494         default:
495                 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
496                           (unsigned int)p->auth.auth_type));
497                 return NT_STATUS_ACCESS_DENIED;
498         }
499
500         p->pipe_bound = true;
501
502         return NT_STATUS_OK;
503 }
504
505 static bool pipe_init_outgoing_data(struct pipes_struct *p);
506
507 /*******************************************************************
508  Marshall a bind_nak pdu.
509 *******************************************************************/
510
511 static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
512 {
513         NTSTATUS status;
514         union dcerpc_payload u;
515
516         /* Free any memory in the current return data buffer. */
517         pipe_init_outgoing_data(p);
518
519         /*
520          * Initialize a bind_nak header.
521          */
522
523         ZERO_STRUCT(u);
524
525         u.bind_nak.reject_reason  = 0;
526
527         /*
528          * Marshall directly into the outgoing PDU space. We
529          * must do this as we need to set to the bind response
530          * header and are never sending more than one PDU here.
531          */
532
533         status = dcerpc_push_ncacn_packet(p->mem_ctx,
534                                           DCERPC_PKT_BIND_NAK,
535                                           DCERPC_PFC_FLAG_FIRST |
536                                                 DCERPC_PFC_FLAG_LAST,
537                                           0,
538                                           pkt->call_id,
539                                           &u,
540                                           &p->out_data.frag);
541         if (!NT_STATUS_IS_OK(status)) {
542                 return False;
543         }
544
545         p->out_data.data_sent_length = 0;
546         p->out_data.current_pdu_sent = 0;
547
548         free_pipe_auth_data(&p->auth);
549         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
550         p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
551         p->pipe_bound = False;
552
553         return True;
554 }
555
556 /*******************************************************************
557  Marshall a fault pdu.
558 *******************************************************************/
559
560 bool setup_fault_pdu(struct pipes_struct *p, NTSTATUS fault_status)
561 {
562         NTSTATUS status;
563         union dcerpc_payload u;
564
565         /* Free any memory in the current return data buffer. */
566         pipe_init_outgoing_data(p);
567
568         /*
569          * Initialize a fault header.
570          */
571
572         ZERO_STRUCT(u);
573
574         u.fault.status          = NT_STATUS_V(fault_status);
575         u.fault._pad            = data_blob_talloc_zero(p->mem_ctx, 4);
576
577         /*
578          * Marshall directly into the outgoing PDU space. We
579          * must do this as we need to set to the bind response
580          * header and are never sending more than one PDU here.
581          */
582
583         status = dcerpc_push_ncacn_packet(p->mem_ctx,
584                                           DCERPC_PKT_FAULT,
585                                           DCERPC_PFC_FLAG_FIRST |
586                                            DCERPC_PFC_FLAG_LAST |
587                                            DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
588                                           0,
589                                           p->call_id,
590                                           &u,
591                                           &p->out_data.frag);
592         if (!NT_STATUS_IS_OK(status)) {
593                 return False;
594         }
595
596         p->out_data.data_sent_length = 0;
597         p->out_data.current_pdu_sent = 0;
598
599         return True;
600 }
601
602 /*******************************************************************
603  Ensure a bind request has the correct abstract & transfer interface.
604  Used to reject unknown binds from Win2k.
605 *******************************************************************/
606
607 static bool check_bind_req(struct pipes_struct *p,
608                            struct ndr_syntax_id* abstract,
609                            struct ndr_syntax_id* transfer,
610                            uint32 context_id)
611 {
612         struct pipe_rpc_fns *context_fns;
613
614         DEBUG(3,("check_bind_req for %s\n",
615                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
616
617         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
618         if (rpc_srv_pipe_exists_by_id(abstract) &&
619            ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
620                 DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
621                         rpc_srv_get_pipe_cli_name(abstract),
622                         rpc_srv_get_pipe_srv_name(abstract)));
623         } else {
624                 return false;
625         }
626
627         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
628         if (context_fns == NULL) {
629                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
630                 return False;
631         }
632
633         context_fns->next = context_fns->prev = NULL;
634         context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
635         context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
636         context_fns->context_id = context_id;
637
638         /* add to the list of open contexts */
639
640         DLIST_ADD( p->contexts, context_fns );
641
642         return True;
643 }
644
645 /**
646  * Is a named pipe known?
647  * @param[in] cli_filename      The pipe name requested by the client
648  * @result                      Do we want to serve this?
649  */
650 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
651 {
652         const char *pipename = cli_filename;
653         NTSTATUS status;
654
655         if (strnequal(pipename, "\\PIPE\\", 6)) {
656                 pipename += 5;
657         }
658
659         if (*pipename == '\\') {
660                 pipename += 1;
661         }
662
663         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
664                 DEBUG(10, ("refusing spoolss access\n"));
665                 return false;
666         }
667
668         if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
669                 return true;
670         }
671
672         status = smb_probe_module("rpc", pipename);
673         if (!NT_STATUS_IS_OK(status)) {
674                 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
675                 return false;
676         }
677         DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
678
679         /*
680          * Scan the list again for the interface id
681          */
682         if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
683                 return true;
684         }
685
686         DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
687                    pipename));
688
689         return false;
690 }
691
692 /*******************************************************************
693  Handle the first part of a SPNEGO bind auth.
694 *******************************************************************/
695
696 static bool pipe_spnego_auth_bind(struct pipes_struct *p,
697                                   TALLOC_CTX *mem_ctx,
698                                   struct dcerpc_auth *auth_info,
699                                   DATA_BLOB *response)
700 {
701         struct spnego_context *spnego_ctx;
702         NTSTATUS status;
703
704         status = spnego_server_auth_start(p,
705                                           (auth_info->auth_level ==
706                                                 DCERPC_AUTH_LEVEL_INTEGRITY),
707                                           (auth_info->auth_level ==
708                                                 DCERPC_AUTH_LEVEL_PRIVACY),
709                                           true,
710                                           &auth_info->credentials,
711                                           response,
712                                           &spnego_ctx);
713         if (!NT_STATUS_IS_OK(status)) {
714                 DEBUG(0, ("Failed SPNEGO negotiate (%s)\n",
715                           nt_errstr(status)));
716                 return false;
717         }
718
719         /* Make sure data is bound to the memctx, to be freed the caller */
720         talloc_steal(mem_ctx, response->data);
721
722         p->auth.a_u.spnego_state = spnego_ctx;
723         p->auth.auth_data_free_func = &free_pipe_spnego_auth_data;
724         p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO;
725
726         DEBUG(10, ("SPNEGO auth started\n"));
727
728         return true;
729 }
730
731 /*******************************************************************
732  Handle an schannel bind auth.
733 *******************************************************************/
734
735 static bool pipe_schannel_auth_bind(struct pipes_struct *p,
736                                     TALLOC_CTX *mem_ctx,
737                                     struct dcerpc_auth *auth_info,
738                                     DATA_BLOB *response)
739 {
740         struct NL_AUTH_MESSAGE neg;
741         struct NL_AUTH_MESSAGE reply;
742         bool ret;
743         NTSTATUS status;
744         struct netlogon_creds_CredentialState *creds;
745         DATA_BLOB session_key;
746         enum ndr_err_code ndr_err;
747
748         ndr_err = ndr_pull_struct_blob(
749                         &auth_info->credentials, mem_ctx, &neg,
750                         (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
751         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
752                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
753                 return false;
754         }
755
756         if (DEBUGLEVEL >= 10) {
757                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
758         }
759
760         if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
761                 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
762                 return false;
763         }
764
765         /*
766          * The neg.oem_netbios_computer.a key here must match the remote computer name
767          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
768          * operations that use credentials.
769          */
770
771         become_root();
772         status = schannel_get_creds_state(p, lp_private_dir(),
773                                             neg.oem_netbios_computer.a, &creds);
774         unbecome_root();
775
776         if (!NT_STATUS_IS_OK(status)) {
777                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
778                 return False;
779         }
780
781         p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
782         if (!p->auth.a_u.schannel_auth) {
783                 TALLOC_FREE(creds);
784                 return False;
785         }
786
787         p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
788         p->auth.a_u.schannel_auth->seq_num = 0;
789         p->auth.a_u.schannel_auth->initiator = false;
790         p->auth.a_u.schannel_auth->creds = creds;
791
792         /*
793          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
794          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
795          * struct of the person who opened the pipe. I need to test this further. JRA.
796          *
797          * VL. As we are mapping this to guest set the generic key
798          * "SystemLibraryDTC" key here. It's a bit difficult to test against
799          * W2k3, as it does not allow schannel binds against SAMR and LSA
800          * anymore.
801          */
802
803         session_key = generic_session_key();
804         if (session_key.data == NULL) {
805                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
806                           " key\n"));
807                 return false;
808         }
809
810         ret = server_info_set_session_key(p->server_info, session_key);
811
812         data_blob_free(&session_key);
813
814         if (!ret) {
815                 DEBUG(0, ("server_info_set_session_key failed\n"));
816                 return false;
817         }
818
819         /*** SCHANNEL verifier ***/
820
821         reply.MessageType                       = NL_NEGOTIATE_RESPONSE;
822         reply.Flags                             = 0;
823         reply.Buffer.dummy                      = 5; /* ??? actually I don't think
824                                                       * this has any meaning
825                                                       * here - gd */
826
827         ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
828                        (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
829         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
830                 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
831                 return false;
832         }
833
834         if (DEBUGLEVEL >= 10) {
835                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
836         }
837
838         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
839                 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
840
841         /* We're finished with this bind - no more packets. */
842         p->auth.auth_data_free_func = &free_pipe_schannel_auth_data;
843         p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
844
845         p->pipe_bound = True;
846
847         return True;
848 }
849
850 /*******************************************************************
851  Handle an NTLMSSP bind auth.
852 *******************************************************************/
853
854 static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
855                                    TALLOC_CTX *mem_ctx,
856                                    struct dcerpc_auth *auth_info,
857                                    DATA_BLOB *response)
858 {
859         NTSTATUS status;
860
861         if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) {
862                 DEBUG(0, ("Failed to read NTLMSSP in blob\n"));
863                 return false;
864         }
865
866         /* We have an NTLMSSP blob. */
867         status = ntlmssp_server_auth_start(p,
868                                            (auth_info->auth_level ==
869                                                 DCERPC_AUTH_LEVEL_INTEGRITY),
870                                            (auth_info->auth_level ==
871                                                 DCERPC_AUTH_LEVEL_PRIVACY),
872                                            true,
873                                            &auth_info->credentials,
874                                            response,
875                                            &p->auth.a_u.auth_ntlmssp_state);
876         if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
877                 DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
878                           nt_errstr(status)));
879                 return false;
880         }
881
882         /* Make sure data is bound to the memctx, to be freed the caller */
883         talloc_steal(mem_ctx, response->data);
884
885         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
886         p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
887
888         DEBUG(10, (__location__ ": NTLMSSP auth started\n"));
889
890         return true;
891 }
892
893 /*******************************************************************
894  Handle a GSSAPI bind auth.
895 *******************************************************************/
896
897 static bool pipe_gssapi_auth_bind(struct pipes_struct *p,
898                                   TALLOC_CTX *mem_ctx,
899                                   struct dcerpc_auth *auth_info,
900                                   DATA_BLOB *response)
901 {
902         NTSTATUS status;
903         struct gse_context *gse_ctx = NULL;
904
905         status = gssapi_server_auth_start(p,
906                                           (auth_info->auth_level ==
907                                                 DCERPC_AUTH_LEVEL_INTEGRITY),
908                                           (auth_info->auth_level ==
909                                                 DCERPC_AUTH_LEVEL_PRIVACY),
910                                           true,
911                                           &auth_info->credentials,
912                                           response,
913                                           &gse_ctx);
914         if (!NT_STATUS_IS_OK(status)) {
915                 DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
916                           nt_errstr(status)));
917                 goto err;
918         }
919
920         /* Make sure data is bound to the memctx, to be freed the caller */
921         talloc_steal(mem_ctx, response->data);
922
923         p->auth.a_u.gssapi_state = gse_ctx;
924         p->auth.auth_data_free_func = &free_pipe_gssapi_auth_data;
925         p->auth.auth_type = DCERPC_AUTH_TYPE_KRB5;
926
927         DEBUG(10, ("KRB5 auth started\n"));
928
929         return true;
930
931 err:
932         TALLOC_FREE(gse_ctx);
933         return false;
934 }
935
936 static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
937                                          struct gse_context *gse_ctx,
938                                          struct client_address *client_id,
939                                          struct auth_serversupplied_info **server_info)
940 {
941         DATA_BLOB session_key;
942         NTSTATUS status;
943         bool bret;
944
945         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
946            ensure the underlying flags are also set. If not we should
947            refuse the bind. */
948
949         status = gssapi_server_check_flags(gse_ctx);
950         if (!NT_STATUS_IS_OK(status)) {
951                 DEBUG(0, ("Requested Security Layers not honored!\n"));
952                 return status;
953         }
954
955         status = gssapi_server_get_user_info(gse_ctx, mem_ctx,
956                                              client_id, server_info);
957         if (!NT_STATUS_IS_OK(status)) {
958                 DEBUG(0, (__location__ ": failed to obtain the server info "
959                           "for authenticated user: %s\n", nt_errstr(status)));
960                 return status;
961         }
962
963         if ((*server_info)->ptok == NULL) {
964                 status = create_local_token(*server_info);
965                 if (!NT_STATUS_IS_OK(status)) {
966                         DEBUG(1, ("Failed to create local user token (%s)\n",
967                                   nt_errstr(status)));
968                         status = NT_STATUS_ACCESS_DENIED;
969                         return status;
970                 }
971         }
972
973         /* TODO: this is what the ntlmssp code does with the session_key, check
974          * it is ok with gssapi too */
975         /*
976          * We're an authenticated bind over smb, so the session key needs to
977          * be set to "SystemLibraryDTC". Weird, but this is what Windows
978          * does. See the RPC-SAMBA3SESSIONKEY.
979          */
980
981         session_key = generic_session_key();
982         if (session_key.data == NULL) {
983                 return NT_STATUS_ACCESS_DENIED;
984         }
985
986         bret = server_info_set_session_key((*server_info), session_key);
987         data_blob_free(&session_key);
988         if (!bret) {
989                 return NT_STATUS_ACCESS_DENIED;
990         }
991
992         return NT_STATUS_OK;
993 }
994
995 /*******************************************************************
996  Respond to a pipe bind request.
997 *******************************************************************/
998
999 static bool api_pipe_bind_req(struct pipes_struct *p,
1000                                 struct ncacn_packet *pkt)
1001 {
1002         struct dcerpc_auth auth_info;
1003         uint16 assoc_gid;
1004         unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1005         NTSTATUS status;
1006         struct ndr_syntax_id id;
1007         union dcerpc_payload u;
1008         struct dcerpc_ack_ctx bind_ack_ctx;
1009         DATA_BLOB auth_resp = data_blob_null;
1010         DATA_BLOB auth_blob = data_blob_null;
1011
1012         /* No rebinds on a bound pipe - use alter context. */
1013         if (p->pipe_bound) {
1014                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1015                          "pipe %s.\n",
1016                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1017                 return setup_bind_nak(p, pkt);
1018         }
1019
1020         if (pkt->u.bind.num_contexts == 0) {
1021                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1022                 goto err_exit;
1023         }
1024
1025         /*
1026          * Try and find the correct pipe name to ensure
1027          * that this is a pipe name we support.
1028          */
1029         id = pkt->u.bind.ctx_list[0].abstract_syntax;
1030         if (rpc_srv_pipe_exists_by_id(&id)) {
1031                 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1032                         rpc_srv_get_pipe_cli_name(&id),
1033                         rpc_srv_get_pipe_srv_name(&id)));
1034         } else {
1035                 status = smb_probe_module(
1036                         "rpc", get_pipe_name_from_syntax(
1037                                 talloc_tos(),
1038                                 &pkt->u.bind.ctx_list[0].abstract_syntax));
1039
1040                 if (NT_STATUS_IS_ERR(status)) {
1041                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1042                                 get_pipe_name_from_syntax(
1043                                         talloc_tos(),
1044                                         &pkt->u.bind.ctx_list[0].abstract_syntax)));
1045
1046                         return setup_bind_nak(p, pkt);
1047                 }
1048
1049                 if (rpc_srv_get_pipe_interface_by_cli_name(
1050                                 get_pipe_name_from_syntax(talloc_tos(),
1051                                                           &p->syntax),
1052                                 &id)) {
1053                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1054                                 rpc_srv_get_pipe_cli_name(&id),
1055                                 rpc_srv_get_pipe_srv_name(&id)));
1056                 } else {
1057                         DEBUG(0, ("module %s doesn't provide functions for "
1058                                   "pipe %s!\n",
1059                                   get_pipe_name_from_syntax(talloc_tos(),
1060                                                             &p->syntax),
1061                                   get_pipe_name_from_syntax(talloc_tos(),
1062                                                             &p->syntax)));
1063                         return setup_bind_nak(p, pkt);
1064                 }
1065         }
1066
1067         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1068
1069         if (pkt->u.bind.assoc_group_id != 0) {
1070                 assoc_gid = pkt->u.bind.assoc_group_id;
1071         } else {
1072                 assoc_gid = 0x53f0;
1073         }
1074
1075         /*
1076          * Create the bind response struct.
1077          */
1078
1079         /* If the requested abstract synt uuid doesn't match our client pipe,
1080                 reject the bind_ack & set the transfer interface synt to all 0's,
1081                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1082                 unknown to NT4)
1083                 Needed when adding entries to a DACL from NT5 - SK */
1084
1085         if (check_bind_req(p,
1086                         &pkt->u.bind.ctx_list[0].abstract_syntax,
1087                         &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
1088                         pkt->u.bind.ctx_list[0].context_id)) {
1089
1090                 bind_ack_ctx.result = 0;
1091                 bind_ack_ctx.reason = 0;
1092                 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
1093         } else {
1094                 p->pipe_bound = False;
1095                 /* Rejection reason: abstract syntax not supported */
1096                 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1097                 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1098                 bind_ack_ctx.syntax = null_ndr_syntax_id;
1099         }
1100
1101         /*
1102          * Check if this is an authenticated bind request.
1103          */
1104         if (pkt->auth_length) {
1105                 /* Quick length check. Won't catch a bad auth footer,
1106                  * prevents overrun. */
1107
1108                 if (pkt->frag_length < RPC_HEADER_LEN +
1109                                         DCERPC_AUTH_TRAILER_LENGTH +
1110                                         pkt->auth_length) {
1111                         DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
1112                                 "too long for fragment %u.\n",
1113                                 (unsigned int)pkt->auth_length,
1114                                 (unsigned int)pkt->frag_length));
1115                         goto err_exit;
1116                 }
1117
1118                 /*
1119                  * Decode the authentication verifier.
1120                  */
1121                 status = dcerpc_pull_dcerpc_auth(pkt,
1122                                                  &pkt->u.bind.auth_info,
1123                                                  &auth_info, p->endian);
1124                 if (!NT_STATUS_IS_OK(status)) {
1125                         DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1126                         goto err_exit;
1127                 }
1128
1129                 auth_type = auth_info.auth_type;
1130
1131                 /* Work out if we have to sign or seal etc. */
1132                 switch (auth_info.auth_level) {
1133                 case DCERPC_AUTH_LEVEL_INTEGRITY:
1134                         p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1135                         break;
1136                 case DCERPC_AUTH_LEVEL_PRIVACY:
1137                         p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1138                         break;
1139                 default:
1140                         DEBUG(0, ("Unexpected auth level (%u).\n",
1141                                 (unsigned int)auth_info.auth_level ));
1142                         goto err_exit;
1143                 }
1144
1145                 switch (auth_type) {
1146                 case DCERPC_AUTH_TYPE_NTLMSSP:
1147                         if (!pipe_ntlmssp_auth_bind(p, pkt,
1148                                                 &auth_info, &auth_resp)) {
1149                                 goto err_exit;
1150                         }
1151                         assoc_gid = 0x7a77;
1152                         break;
1153
1154                 case DCERPC_AUTH_TYPE_SCHANNEL:
1155                         if (!pipe_schannel_auth_bind(p, pkt,
1156                                                 &auth_info, &auth_resp)) {
1157                                 goto err_exit;
1158                         }
1159                         break;
1160
1161                 case DCERPC_AUTH_TYPE_SPNEGO:
1162                         if (!pipe_spnego_auth_bind(p, pkt,
1163                                                 &auth_info, &auth_resp)) {
1164                                 goto err_exit;
1165                         }
1166                         break;
1167
1168                 case DCERPC_AUTH_TYPE_KRB5:
1169                         if (!pipe_gssapi_auth_bind(p, pkt,
1170                                                 &auth_info, &auth_resp)) {
1171                                 goto err_exit;
1172                         }
1173                         break;
1174
1175                 case DCERPC_AUTH_TYPE_NONE:
1176                         break;
1177
1178                 default:
1179                         DEBUG(0, ("Unknown auth type %x requested.\n", auth_type));
1180                         goto err_exit;
1181                 }
1182         }
1183
1184         if (auth_type == DCERPC_AUTH_TYPE_NONE) {
1185                 /* Unauthenticated bind request. */
1186                 /* We're finished - no more packets. */
1187                 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
1188                 /* We must set the pipe auth_level here also. */
1189                 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1190                 p->pipe_bound = True;
1191                 /* The session key was initialized from the SMB
1192                  * session in make_internal_rpc_pipe_p */
1193         }
1194
1195         ZERO_STRUCT(u.bind_ack);
1196         u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1197         u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1198         u.bind_ack.assoc_group_id = assoc_gid;
1199
1200         /* name has to be \PIPE\xxxxx */
1201         u.bind_ack.secondary_address =
1202                         talloc_asprintf(pkt, "\\PIPE\\%s",
1203                                         rpc_srv_get_pipe_srv_name(&id));
1204         if (!u.bind_ack.secondary_address) {
1205                 DEBUG(0, ("Out of memory!\n"));
1206                 goto err_exit;
1207         }
1208         u.bind_ack.secondary_address_size =
1209                                 strlen(u.bind_ack.secondary_address) + 1;
1210
1211         u.bind_ack.num_results = 1;
1212         u.bind_ack.ctx_list = &bind_ack_ctx;
1213
1214         /* NOTE: We leave the auth_info empty so we can calculate the padding
1215          * later and then append the auth_info --simo */
1216
1217         /*
1218          * Marshall directly into the outgoing PDU space. We
1219          * must do this as we need to set to the bind response
1220          * header and are never sending more than one PDU here.
1221          */
1222
1223         status = dcerpc_push_ncacn_packet(p->mem_ctx,
1224                                           DCERPC_PKT_BIND_ACK,
1225                                           DCERPC_PFC_FLAG_FIRST |
1226                                                 DCERPC_PFC_FLAG_LAST,
1227                                           auth_resp.length,
1228                                           pkt->call_id,
1229                                           &u,
1230                                           &p->out_data.frag);
1231         if (!NT_STATUS_IS_OK(status)) {
1232                 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1233                           nt_errstr(status)));
1234         }
1235
1236         if (auth_resp.length) {
1237
1238                 status = dcerpc_push_dcerpc_auth(pkt,
1239                                                  auth_type,
1240                                                  auth_info.auth_level,
1241                                                  0,
1242                                                  1, /* auth_context_id */
1243                                                  &auth_resp,
1244                                                  &auth_blob);
1245                 if (!NT_STATUS_IS_OK(status)) {
1246                         DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1247                         goto err_exit;
1248                 }
1249         }
1250
1251         /* Now that we have the auth len store it into the right place in
1252          * the dcerpc header */
1253         dcerpc_set_frag_length(&p->out_data.frag,
1254                                 p->out_data.frag.length + auth_blob.length);
1255
1256         if (auth_blob.length) {
1257
1258                 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1259                                         auth_blob.data, auth_blob.length)) {
1260                         DEBUG(0, ("Append of auth info failed.\n"));
1261                         goto err_exit;
1262                 }
1263         }
1264
1265         /*
1266          * Setup the lengths for the initial reply.
1267          */
1268
1269         p->out_data.data_sent_length = 0;
1270         p->out_data.current_pdu_sent = 0;
1271
1272         TALLOC_FREE(auth_blob.data);
1273         return True;
1274
1275   err_exit:
1276
1277         data_blob_free(&p->out_data.frag);
1278         TALLOC_FREE(auth_blob.data);
1279         return setup_bind_nak(p, pkt);
1280 }
1281
1282 /****************************************************************************
1283  Deal with an alter context call. Can be third part of 3 leg auth request for
1284  SPNEGO calls.
1285 ****************************************************************************/
1286
1287 static bool api_pipe_alter_context(struct pipes_struct *p,
1288                                         struct ncacn_packet *pkt)
1289 {
1290         struct dcerpc_auth auth_info;
1291         uint16 assoc_gid;
1292         NTSTATUS status;
1293         union dcerpc_payload u;
1294         struct dcerpc_ack_ctx bind_ack_ctx;
1295         DATA_BLOB auth_resp = data_blob_null;
1296         DATA_BLOB auth_blob = data_blob_null;
1297         int pad_len = 0;
1298
1299         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1300
1301         if (pkt->u.bind.assoc_group_id != 0) {
1302                 assoc_gid = pkt->u.bind.assoc_group_id;
1303         } else {
1304                 assoc_gid = 0x53f0;
1305         }
1306
1307         /*
1308          * Create the bind response struct.
1309          */
1310
1311         /* If the requested abstract synt uuid doesn't match our client pipe,
1312                 reject the bind_ack & set the transfer interface synt to all 0's,
1313                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1314                 unknown to NT4)
1315                 Needed when adding entries to a DACL from NT5 - SK */
1316
1317         if (check_bind_req(p,
1318                         &pkt->u.bind.ctx_list[0].abstract_syntax,
1319                         &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
1320                         pkt->u.bind.ctx_list[0].context_id)) {
1321
1322                 bind_ack_ctx.result = 0;
1323                 bind_ack_ctx.reason = 0;
1324                 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
1325         } else {
1326                 p->pipe_bound = False;
1327                 /* Rejection reason: abstract syntax not supported */
1328                 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1329                 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1330                 bind_ack_ctx.syntax = null_ndr_syntax_id;
1331         }
1332
1333         /*
1334          * Check if this is an authenticated alter context request.
1335          */
1336         if (pkt->auth_length) {
1337                 /* Quick length check. Won't catch a bad auth footer,
1338                  * prevents overrun. */
1339
1340                 if (pkt->frag_length < RPC_HEADER_LEN +
1341                                         DCERPC_AUTH_TRAILER_LENGTH +
1342                                         pkt->auth_length) {
1343                         DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
1344                                 "too long for fragment %u.\n",
1345                                 (unsigned int)pkt->auth_length,
1346                                 (unsigned int)pkt->frag_length ));
1347                         goto err_exit;
1348                 }
1349
1350                 status = dcerpc_pull_dcerpc_auth(pkt,
1351                                                  &pkt->u.bind.auth_info,
1352                                                  &auth_info, p->endian);
1353                 if (!NT_STATUS_IS_OK(status)) {
1354                         DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1355                         goto err_exit;
1356                 }
1357
1358                 /* We can only finish if the pipe is unbound for now */
1359                 if (p->pipe_bound) {
1360                         DEBUG(0, (__location__ ": Pipe already bound, "
1361                                   "Altering Context not yet supported!\n"));
1362                         goto err_exit;
1363                 }
1364
1365                 switch (auth_info.auth_type) {
1366                 case DCERPC_AUTH_TYPE_SPNEGO:
1367                         status = spnego_server_step(p->auth.a_u.spnego_state,
1368                                                     pkt,
1369                                                     &auth_info.credentials,
1370                                                     &auth_resp);
1371                         break;
1372
1373                 case DCERPC_AUTH_TYPE_KRB5:
1374                         status = gssapi_server_step(p->auth.a_u.gssapi_state,
1375                                                     pkt,
1376                                                     &auth_info.credentials,
1377                                                     &auth_resp);
1378                         break;
1379
1380                 default:
1381                         DEBUG(3, (__location__ ": Usupported auth type (%d) "
1382                                   "in alter-context call\n",
1383                                   auth_info.auth_type));
1384                         goto err_exit;
1385                 }
1386
1387                 if (NT_STATUS_IS_OK(status)) {
1388                         /* third leg of auth, verify auth info */
1389                         status = pipe_auth_verify_final(p);
1390                         if (!NT_STATUS_IS_OK(status)) {
1391                                 DEBUG(0, ("Auth Verify failed (%s)\n",
1392                                           nt_errstr(status)));
1393                                 goto err_exit;
1394                         }
1395                 } else if (NT_STATUS_EQUAL(status,
1396                                         NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1397                         DEBUG(10, ("More auth legs required.\n"));
1398                 } else {
1399                         DEBUG(0, ("Auth step returned an error (%s)\n",
1400                                   nt_errstr(status)));
1401                         goto err_exit;
1402                 }
1403         }
1404
1405         ZERO_STRUCT(u.alter_resp);
1406         u.alter_resp.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1407         u.alter_resp.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1408         u.alter_resp.assoc_group_id = assoc_gid;
1409
1410         /* secondary address CAN be NULL
1411          * as the specs say it's ignored.
1412          * It MUST be NULL to have the spoolss working.
1413          */
1414         u.alter_resp.secondary_address = "";
1415         u.alter_resp.secondary_address_size = 1;
1416
1417         u.alter_resp.num_results = 1;
1418         u.alter_resp.ctx_list = &bind_ack_ctx;
1419
1420         /* NOTE: We leave the auth_info empty so we can calculate the padding
1421          * later and then append the auth_info --simo */
1422
1423         /*
1424          * Marshall directly into the outgoing PDU space. We
1425          * must do this as we need to set to the bind response
1426          * header and are never sending more than one PDU here.
1427          */
1428
1429         status = dcerpc_push_ncacn_packet(p->mem_ctx,
1430                                           DCERPC_PKT_ALTER_RESP,
1431                                           DCERPC_PFC_FLAG_FIRST |
1432                                                 DCERPC_PFC_FLAG_LAST,
1433                                           auth_resp.length,
1434                                           pkt->call_id,
1435                                           &u,
1436                                           &p->out_data.frag);
1437         if (!NT_STATUS_IS_OK(status)) {
1438                 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1439                           nt_errstr(status)));
1440         }
1441
1442         if (auth_resp.length) {
1443
1444                 /* Work out any padding needed before the auth footer. */
1445                 pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE;
1446                 if (pad_len) {
1447                         pad_len = SERVER_NDR_PADDING_SIZE - pad_len;
1448                         DEBUG(10, ("auth pad_len = %u\n",
1449                                    (unsigned int)pad_len));
1450                 }
1451
1452                 status = dcerpc_push_dcerpc_auth(pkt,
1453                                                  auth_info.auth_type,
1454                                                  auth_info.auth_level,
1455                                                  pad_len,
1456                                                  1, /* auth_context_id */
1457                                                  &auth_resp,
1458                                                  &auth_blob);
1459                 if (!NT_STATUS_IS_OK(status)) {
1460                         DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1461                         goto err_exit;
1462                 }
1463         }
1464
1465         /* Now that we have the auth len store it into the right place in
1466          * the dcerpc header */
1467         dcerpc_set_frag_length(&p->out_data.frag,
1468                                 p->out_data.frag.length +
1469                                         pad_len + auth_blob.length);
1470
1471         if (auth_resp.length) {
1472                 if (pad_len) {
1473                         char pad[SERVER_NDR_PADDING_SIZE];
1474                         memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1475                         if (!data_blob_append(p->mem_ctx,
1476                                                 &p->out_data.frag,
1477                                                 pad, pad_len)) {
1478                                 DEBUG(0, ("api_pipe_bind_req: failed to add "
1479                                           "%u bytes of pad data.\n",
1480                                           (unsigned int)pad_len));
1481                                 goto err_exit;
1482                         }
1483                 }
1484
1485                 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1486                                         auth_blob.data, auth_blob.length)) {
1487                         DEBUG(0, ("Append of auth info failed.\n"));
1488                         goto err_exit;
1489                 }
1490         }
1491
1492         /*
1493          * Setup the lengths for the initial reply.
1494          */
1495
1496         p->out_data.data_sent_length = 0;
1497         p->out_data.current_pdu_sent = 0;
1498
1499         TALLOC_FREE(auth_blob.data);
1500         return True;
1501
1502   err_exit:
1503
1504         data_blob_free(&p->out_data.frag);
1505         TALLOC_FREE(auth_blob.data);
1506         return setup_bind_nak(p, pkt);
1507 }
1508
1509 /****************************************************************************
1510  Find the set of RPC functions associated with this context_id
1511 ****************************************************************************/
1512
1513 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
1514 {
1515         PIPE_RPC_FNS *fns = NULL;
1516
1517         if ( !list ) {
1518                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
1519                 return NULL;
1520         }
1521
1522         for (fns=list; fns; fns=fns->next ) {
1523                 if ( fns->context_id == context_id )
1524                         return fns;
1525         }
1526         return NULL;
1527 }
1528
1529 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1530                        const struct api_struct *api_rpc_cmds, int n_cmds);
1531
1532 /****************************************************************************
1533  Find the correct RPC function to call for this request.
1534  If the pipe is authenticated then become the correct UNIX user
1535  before doing the call.
1536 ****************************************************************************/
1537
1538 static bool api_pipe_request(struct pipes_struct *p,
1539                                 struct ncacn_packet *pkt)
1540 {
1541         bool ret = False;
1542         bool changed_user = False;
1543         PIPE_RPC_FNS *pipe_fns;
1544
1545         if (p->pipe_bound &&
1546             ((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) ||
1547              (p->auth.auth_type == DCERPC_AUTH_TYPE_KRB5) ||
1548              (p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO))) {
1549                 if(!become_authenticated_pipe_user(p)) {
1550                         data_blob_free(&p->out_data.rdata);
1551                         return False;
1552                 }
1553                 changed_user = True;
1554         }
1555
1556         DEBUG(5, ("Requested \\PIPE\\%s\n",
1557                   get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1558
1559         /* get the set of RPC functions for this context */
1560
1561         pipe_fns = find_pipe_fns_by_context(p->contexts,
1562                                             pkt->u.request.context_id);
1563
1564         if ( pipe_fns ) {
1565                 TALLOC_CTX *frame = talloc_stackframe();
1566                 ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds);
1567                 TALLOC_FREE(frame);
1568         }
1569         else {
1570                 DEBUG(0, ("No rpc function table associated with context "
1571                           "[%d] on pipe [%s]\n",
1572                           pkt->u.request.context_id,
1573                           get_pipe_name_from_syntax(talloc_tos(),
1574                                                     &p->syntax)));
1575         }
1576
1577         if (changed_user) {
1578                 unbecome_authenticated_pipe_user();
1579         }
1580
1581         return ret;
1582 }
1583
1584 /*******************************************************************
1585  Calls the underlying RPC function for a named pipe.
1586  ********************************************************************/
1587
1588 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1589                        const struct api_struct *api_rpc_cmds, int n_cmds)
1590 {
1591         int fn_num;
1592         uint32_t offset1;
1593
1594         /* interpret the command */
1595         DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
1596                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
1597                  pkt->u.request.opnum));
1598
1599         if (DEBUGLEVEL >= 50) {
1600                 fstring name;
1601                 slprintf(name, sizeof(name)-1, "in_%s",
1602                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
1603                 dump_pdu_region(name, pkt->u.request.opnum,
1604                                 &p->in_data.data, 0,
1605                                 p->in_data.data.length);
1606         }
1607
1608         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1609                 if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum &&
1610                     api_rpc_cmds[fn_num].fn != NULL) {
1611                         DEBUG(3, ("api_rpcTNP: rpc command: %s\n",
1612                                   api_rpc_cmds[fn_num].name));
1613                         break;
1614                 }
1615         }
1616
1617         if (fn_num == n_cmds) {
1618                 /*
1619                  * For an unknown RPC just return a fault PDU but
1620                  * return True to allow RPC's on the pipe to continue
1621                  * and not put the pipe into fault state. JRA.
1622                  */
1623                 DEBUG(4, ("unknown\n"));
1624                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1625                 return True;
1626         }
1627
1628         offset1 = p->out_data.rdata.length;
1629
1630         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
1631                 fn_num, api_rpc_cmds[fn_num].fn));
1632         /* do the actual command */
1633         if(!api_rpc_cmds[fn_num].fn(p)) {
1634                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
1635                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
1636                          api_rpc_cmds[fn_num].name));
1637                 data_blob_free(&p->out_data.rdata);
1638                 return False;
1639         }
1640
1641         if (p->bad_handle_fault_state) {
1642                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1643                 p->bad_handle_fault_state = False;
1644                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
1645                 return True;
1646         }
1647
1648         if (p->rng_fault_state) {
1649                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
1650                 p->rng_fault_state = False;
1651                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1652                 return True;
1653         }
1654
1655         if (DEBUGLEVEL >= 50) {
1656                 fstring name;
1657                 slprintf(name, sizeof(name)-1, "out_%s",
1658                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
1659                 dump_pdu_region(name, pkt->u.request.opnum,
1660                                 &p->out_data.rdata, offset1,
1661                                 p->out_data.rdata.length);
1662         }
1663
1664         DEBUG(5,("api_rpcTNP: called %s successfully\n",
1665                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1666
1667         /* Check for buffer underflow in rpc parsing */
1668         if ((DEBUGLEVEL >= 10) &&
1669             (pkt->frag_length < p->in_data.data.length)) {
1670                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1671                 dump_data(10, p->in_data.data.data + pkt->frag_length,
1672                               p->in_data.data.length - pkt->frag_length);
1673         }
1674
1675         return True;
1676 }
1677
1678 /****************************************************************************
1679  Initialise an outgoing packet.
1680 ****************************************************************************/
1681
1682 static bool pipe_init_outgoing_data(struct pipes_struct *p)
1683 {
1684         output_data *o_data = &p->out_data;
1685
1686         /* Reset the offset counters. */
1687         o_data->data_sent_length = 0;
1688         o_data->current_pdu_sent = 0;
1689
1690         data_blob_free(&o_data->frag);
1691
1692         /* Free any memory in the current return data buffer. */
1693         data_blob_free(&o_data->rdata);
1694
1695         return True;
1696 }
1697
1698 /****************************************************************************
1699  Sets the fault state on incoming packets.
1700 ****************************************************************************/
1701
1702 void set_incoming_fault(struct pipes_struct *p)
1703 {
1704         data_blob_free(&p->in_data.data);
1705         p->in_data.pdu_needed_len = 0;
1706         p->in_data.pdu.length = 0;
1707         p->fault_state = True;
1708         DEBUG(10, ("set_incoming_fault: Setting fault state on pipe %s\n",
1709                    get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1710 }
1711
1712 static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
1713                                     struct ncacn_packet *pkt,
1714                                     DATA_BLOB *raw_pkt)
1715 {
1716         NTSTATUS status;
1717         size_t hdr_size = DCERPC_REQUEST_LENGTH;
1718         size_t pad_len;
1719
1720         DEBUG(10, ("Checking request auth.\n"));
1721
1722         if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
1723                 hdr_size += 16;
1724         }
1725
1726         /* in case of sealing this function will unseal the data in place */
1727         status = dcerpc_check_auth(auth, pkt,
1728                                    &pkt->u.request.stub_and_verifier,
1729                                    hdr_size, raw_pkt,
1730                                    &pad_len);
1731         if (!NT_STATUS_IS_OK(status)) {
1732                 return status;
1733         }
1734
1735
1736         /* remove padding and auth trailer,
1737          * this way the caller will get just the data */
1738         if (pkt->auth_length) {
1739                 size_t trail_len = pad_len
1740                                         + DCERPC_AUTH_TRAILER_LENGTH
1741                                         + pkt->auth_length;
1742                 if (pkt->u.request.stub_and_verifier.length < trail_len) {
1743                         return NT_STATUS_INFO_LENGTH_MISMATCH;
1744                 }
1745                 pkt->u.request.stub_and_verifier.length -= trail_len;
1746         }
1747
1748         return NT_STATUS_OK;
1749 }
1750
1751 /****************************************************************************
1752  Processes a request pdu. This will do auth processing if needed, and
1753  appends the data into the complete stream if the LAST flag is not set.
1754 ****************************************************************************/
1755
1756 static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
1757 {
1758         NTSTATUS status;
1759         DATA_BLOB data;
1760
1761         if (!p->pipe_bound) {
1762                 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
1763                 set_incoming_fault(p);
1764                 return False;
1765         }
1766
1767         /* Store the opnum */
1768         p->opnum = pkt->u.request.opnum;
1769
1770         status = dcesrv_auth_request(&p->auth, pkt, &p->in_data.pdu);
1771         if (!NT_STATUS_IS_OK(status)) {
1772                 DEBUG(0, ("Failed to check packet auth. (%s)\n",
1773                           nt_errstr(status)));
1774                 set_incoming_fault(p);
1775                 return false;
1776         }
1777
1778         data = pkt->u.request.stub_and_verifier;
1779
1780         /*
1781          * Check the data length doesn't go over the 15Mb limit.
1782          * increased after observing a bug in the Windows NT 4.0 SP6a
1783          * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
1784          * will not fit in the initial buffer of size 0x1068   --jerry 22/01/2002
1785          */
1786
1787         if (p->in_data.data.length + data.length > MAX_RPC_DATA_SIZE) {
1788                 DEBUG(0, ("process_request_pdu: "
1789                           "rpc data buffer too large (%u) + (%u)\n",
1790                           (unsigned int)p->in_data.data.length,
1791                           (unsigned int)data.length));
1792                 set_incoming_fault(p);
1793                 return False;
1794         }
1795
1796         /*
1797          * Append the data portion into the buffer and return.
1798          */
1799
1800         if (data.length) {
1801                 if (!data_blob_append(p->mem_ctx, &p->in_data.data,
1802                                           data.data, data.length)) {
1803                         DEBUG(0, ("Unable to append data size %u "
1804                                   "to parse buffer of size %u.\n",
1805                                   (unsigned int)data.length,
1806                                   (unsigned int)p->in_data.data.length));
1807                         set_incoming_fault(p);
1808                         return False;
1809                 }
1810         }
1811
1812         if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
1813                 bool ret = False;
1814                 /*
1815                  * Ok - we finally have a complete RPC stream.
1816                  * Call the rpc command to process it.
1817                  */
1818
1819                 /*
1820                  * Process the complete data stream here.
1821                  */
1822                 if (pipe_init_outgoing_data(p)) {
1823                         ret = api_pipe_request(p, pkt);
1824                 }
1825
1826                 return ret;
1827         }
1828
1829         return True;
1830 }
1831
1832 /****************************************************************************
1833  Processes a finished PDU stored in p->in_data.pdu.
1834 ****************************************************************************/
1835
1836 void process_complete_pdu(struct pipes_struct *p)
1837 {
1838         struct ncacn_packet *pkt = NULL;
1839         NTSTATUS status;
1840         bool reply = False;
1841
1842         if(p->fault_state) {
1843                 DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
1844                           get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1845                 goto done;
1846         }
1847
1848         pkt = talloc(p->mem_ctx, struct ncacn_packet);
1849         if (!pkt) {
1850                 DEBUG(0, ("Out of memory!\n"));
1851                 goto done;
1852         }
1853
1854         /*
1855          * Ensure we're using the corrent endianness for both the
1856          * RPC header flags and the raw data we will be reading from.
1857          */
1858         if (dcerpc_get_endian_flag(&p->in_data.pdu) & DCERPC_DREP_LE) {
1859                 p->endian = RPC_LITTLE_ENDIAN;
1860         } else {
1861                 p->endian = RPC_BIG_ENDIAN;
1862         }
1863         DEBUG(10, ("PDU is in %s Endian format!\n", p->endian?"Big":"Little"));
1864
1865         status = dcerpc_pull_ncacn_packet(pkt, &p->in_data.pdu,
1866                                           pkt, p->endian);
1867         if (!NT_STATUS_IS_OK(status)) {
1868                 DEBUG(0, ("Failed to unmarshal rpc packet: %s!\n",
1869                           nt_errstr(status)));
1870                 goto done;
1871         }
1872
1873         /* Store the call_id */
1874         p->call_id = pkt->call_id;
1875
1876         DEBUG(10, ("Processing packet type %d\n", (int)pkt->ptype));
1877
1878         switch (pkt->ptype) {
1879         case DCERPC_PKT_REQUEST:
1880                 reply = process_request_pdu(p, pkt);
1881                 break;
1882
1883         case DCERPC_PKT_PING: /* CL request - ignore... */
1884                 DEBUG(0, ("process_complete_pdu: Error. "
1885                           "Connectionless packet type %d received on "
1886                           "pipe %s.\n", (int)pkt->ptype,
1887                          get_pipe_name_from_syntax(talloc_tos(),
1888                                                    &p->syntax)));
1889                 break;
1890
1891         case DCERPC_PKT_RESPONSE: /* No responses here. */
1892                 DEBUG(0, ("process_complete_pdu: Error. "
1893                           "DCERPC_PKT_RESPONSE received from client "
1894                           "on pipe %s.\n",
1895                          get_pipe_name_from_syntax(talloc_tos(),
1896                                                    &p->syntax)));
1897                 break;
1898
1899         case DCERPC_PKT_FAULT:
1900         case DCERPC_PKT_WORKING:
1901                 /* CL request - reply to a ping when a call in process. */
1902         case DCERPC_PKT_NOCALL:
1903                 /* CL - server reply to a ping call. */
1904         case DCERPC_PKT_REJECT:
1905         case DCERPC_PKT_ACK:
1906         case DCERPC_PKT_CL_CANCEL:
1907         case DCERPC_PKT_FACK:
1908         case DCERPC_PKT_CANCEL_ACK:
1909                 DEBUG(0, ("process_complete_pdu: Error. "
1910                           "Connectionless packet type %u received on "
1911                           "pipe %s.\n", (unsigned int)pkt->ptype,
1912                          get_pipe_name_from_syntax(talloc_tos(),
1913                                                    &p->syntax)));
1914                 break;
1915
1916         case DCERPC_PKT_BIND:
1917                 /*
1918                  * We assume that a pipe bind is only in one pdu.
1919                  */
1920                 if (pipe_init_outgoing_data(p)) {
1921                         reply = api_pipe_bind_req(p, pkt);
1922                 }
1923                 break;
1924
1925         case DCERPC_PKT_BIND_ACK:
1926         case DCERPC_PKT_BIND_NAK:
1927                 DEBUG(0, ("process_complete_pdu: Error. "
1928                           "DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
1929                           "packet type %u received on pipe %s.\n",
1930                           (unsigned int)pkt->ptype,
1931                          get_pipe_name_from_syntax(talloc_tos(),
1932                                                    &p->syntax)));
1933                 break;
1934
1935
1936         case DCERPC_PKT_ALTER:
1937                 /*
1938                  * We assume that a pipe bind is only in one pdu.
1939                  */
1940                 if (pipe_init_outgoing_data(p)) {
1941                         reply = api_pipe_alter_context(p, pkt);
1942                 }
1943                 break;
1944
1945         case DCERPC_PKT_ALTER_RESP:
1946                 DEBUG(0, ("process_complete_pdu: Error. "
1947                           "DCERPC_PKT_ALTER_RESP on pipe %s: "
1948                           "Should only be server -> client.\n",
1949                          get_pipe_name_from_syntax(talloc_tos(),
1950                                                    &p->syntax)));
1951                 break;
1952
1953         case DCERPC_PKT_AUTH3:
1954                 /*
1955                  * The third packet in an auth exchange.
1956                  */
1957                 if (pipe_init_outgoing_data(p)) {
1958                         reply = api_pipe_bind_auth3(p, pkt);
1959                 }
1960                 break;
1961
1962         case DCERPC_PKT_SHUTDOWN:
1963                 DEBUG(0, ("process_complete_pdu: Error. "
1964                           "DCERPC_PKT_SHUTDOWN on pipe %s: "
1965                           "Should only be server -> client.\n",
1966                          get_pipe_name_from_syntax(talloc_tos(),
1967                                                    &p->syntax)));
1968                 break;
1969
1970         case DCERPC_PKT_CO_CANCEL:
1971                 /* For now just free all client data and continue
1972                  * processing. */
1973                 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL."
1974                          " Abandoning rpc call.\n"));
1975                 /* As we never do asynchronous RPC serving, we can
1976                  * never cancel a call (as far as I know).
1977                  * If we ever did we'd have to send a cancel_ack reply.
1978                  * For now, just free all client data and continue
1979                  * processing. */
1980                 reply = True;
1981                 break;
1982
1983 #if 0
1984                 /* Enable this if we're doing async rpc. */
1985                 /* We must check the outstanding callid matches. */
1986                 if (pipe_init_outgoing_data(p)) {
1987                         /* Send a cancel_ack PDU reply. */
1988                         /* We should probably check the auth-verifier here. */
1989                         reply = setup_cancel_ack_reply(p, pkt);
1990                 }
1991                 break;
1992 #endif
1993
1994         case DCERPC_PKT_ORPHANED:
1995                 /* We should probably check the auth-verifier here.
1996                  * For now just free all client data and continue
1997                  * processing. */
1998                 DEBUG(3, ("process_complete_pdu: DCERPC_PKT_ORPHANED."
1999                           " Abandoning rpc call.\n"));
2000                 reply = True;
2001                 break;
2002
2003         default:
2004                 DEBUG(0, ("process_complete_pdu: "
2005                           "Unknown rpc type = %u received.\n",
2006                           (unsigned int)pkt->ptype));
2007                 break;
2008         }
2009
2010 done:
2011         if (!reply) {
2012                 DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on "
2013                          "pipe %s\n", get_pipe_name_from_syntax(talloc_tos(),
2014                                                                 &p->syntax)));
2015                 set_incoming_fault(p);
2016                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2017                 TALLOC_FREE(pkt);
2018         } else {
2019                 /*
2020                  * Reset the lengths. We're ready for a new pdu.
2021                  */
2022                 TALLOC_FREE(p->in_data.pdu.data);
2023                 p->in_data.pdu_needed_len = 0;
2024                 p->in_data.pdu.length = 0;
2025         }
2026
2027         TALLOC_FREE(pkt);
2028 }
2029