r16785: BUG 3908: Fix rpc bin authentication failure which broke user password changes
[kai/samba-autobuild/.git] / source / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005.
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 2 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, write to the Free Software
18  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19  */
20
21 /*  this module apparently provides an implementation of DCE/RPC over a
22  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
23  *  documentation are available (in on-line form) from the X-Open group.
24  *
25  *  this module should provide a level of abstraction between SMB
26  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
27  *  data copies, and network traffic.
28  *
29  */
30
31 #include "includes.h"
32
33 extern struct pipe_id_info pipe_names[];
34 extern struct current_user current_user;
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
38
39 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
40 {
41         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
42
43         if (a) {
44                 auth_ntlmssp_end(&a);
45         }
46         auth->a_u.auth_ntlmssp_state = NULL;
47 }
48
49 /*******************************************************************
50  Generate the next PDU to be returned from the data in p->rdata. 
51  Handle NTLMSSP.
52  ********************************************************************/
53
54 static BOOL create_next_pdu_ntlmssp(pipes_struct *p)
55 {
56         RPC_HDR_RESP hdr_resp;
57         uint32 ss_padding_len = 0;
58         uint32 data_space_available;
59         uint32 data_len_left;
60         uint32 data_len;
61         prs_struct outgoing_pdu;
62         NTSTATUS status;
63         DATA_BLOB auth_blob;
64         RPC_HDR_AUTH auth_info;
65         uint8 auth_type, auth_level;
66         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
67
68         /*
69          * If we're in the fault state, keep returning fault PDU's until
70          * the pipe gets closed. JRA.
71          */
72
73         if(p->fault_state) {
74                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
75                 return True;
76         }
77
78         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
79
80         /* Change the incoming request header to a response. */
81         p->hdr.pkt_type = RPC_RESPONSE;
82
83         /* Set up rpc header flags. */
84         if (p->out_data.data_sent_length == 0) {
85                 p->hdr.flags = RPC_FLG_FIRST;
86         } else {
87                 p->hdr.flags = 0;
88         }
89
90         /*
91          * Work out how much we can fit in a single PDU.
92          */
93
94         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
95
96         /*
97          * Ensure there really is data left to send.
98          */
99
100         if(!data_len_left) {
101                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
102                 return False;
103         }
104
105         data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
106                                         RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
107
108         /*
109          * The amount we send is the minimum of the available
110          * space and the amount left to send.
111          */
112
113         data_len = MIN(data_len_left, data_space_available);
114
115         /*
116          * Set up the alloc hint. This should be the data left to
117          * send.
118          */
119
120         hdr_resp.alloc_hint = data_len_left;
121
122         /*
123          * Work out if this PDU will be the last.
124          */
125
126         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
127                 p->hdr.flags |= RPC_FLG_LAST;
128                 if (data_len_left % 8) {
129                         ss_padding_len = 8 - (data_len_left % 8);
130                         DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
131                                 ss_padding_len ));
132                 }
133         }
134
135         /*
136          * Set up the header lengths.
137          */
138
139         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
140                         data_len + ss_padding_len +
141                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
142         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
143
144
145         /*
146          * Init the parse struct to point at the outgoing
147          * data.
148          */
149
150         prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
151         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
152
153         /* Store the header in the data stream. */
154         if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
155                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
156                 prs_mem_free(&outgoing_pdu);
157                 return False;
158         }
159
160         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
161                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
162                 prs_mem_free(&outgoing_pdu);
163                 return False;
164         }
165
166         /* Copy the data into the PDU. */
167
168         if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
169                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
170                 prs_mem_free(&outgoing_pdu);
171                 return False;
172         }
173
174         /* Copy the sign/seal padding data. */
175         if (ss_padding_len) {
176                 char pad[8];
177
178                 memset(pad, '\0', 8);
179                 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
180                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
181                                         (unsigned int)ss_padding_len));
182                         prs_mem_free(&outgoing_pdu);
183                         return False;
184                 }
185         }
186
187
188         /* Now write out the auth header and null blob. */
189         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
190                 auth_type = RPC_NTLMSSP_AUTH_TYPE;
191         } else {
192                 auth_type = RPC_SPNEGO_AUTH_TYPE;
193         }
194         if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
195                 auth_level = RPC_AUTH_LEVEL_PRIVACY;
196         } else {
197                 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
198         }
199
200         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
201         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
202                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
203                 prs_mem_free(&outgoing_pdu);
204                 return False;
205         }
206
207         /* Generate the sign blob. */
208
209         switch (p->auth.auth_level) {
210                 case PIPE_AUTH_LEVEL_PRIVACY:
211                         /* Data portion is encrypted. */
212                         status = ntlmssp_seal_packet(a->ntlmssp_state,
213                                                         (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
214                                                         data_len + ss_padding_len,
215                                                         (unsigned char *)prs_data_p(&outgoing_pdu),
216                                                         (size_t)prs_offset(&outgoing_pdu),
217                                                         &auth_blob);
218                         if (!NT_STATUS_IS_OK(status)) {
219                                 data_blob_free(&auth_blob);
220                                 prs_mem_free(&outgoing_pdu);
221                                 return False;
222                         }
223                         break;
224                 case PIPE_AUTH_LEVEL_INTEGRITY:
225                         /* Data is signed. */
226                         status = ntlmssp_sign_packet(a->ntlmssp_state,
227                                                         (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
228                                                         data_len + ss_padding_len,
229                                                         (unsigned char *)prs_data_p(&outgoing_pdu),
230                                                         (size_t)prs_offset(&outgoing_pdu),
231                                                         &auth_blob);
232                         if (!NT_STATUS_IS_OK(status)) {
233                                 data_blob_free(&auth_blob);
234                                 prs_mem_free(&outgoing_pdu);
235                                 return False;
236                         }
237                         break;
238                 default:
239                         prs_mem_free(&outgoing_pdu);
240                         return False;
241         }
242
243         /* Append the auth blob. */
244         if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
245                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
246                                 (unsigned int)NTLMSSP_SIG_SIZE));
247                 data_blob_free(&auth_blob);
248                 prs_mem_free(&outgoing_pdu);
249                 return False;
250         }
251
252         data_blob_free(&auth_blob);
253
254         /*
255          * Setup the counts for this PDU.
256          */
257
258         p->out_data.data_sent_length += data_len;
259         p->out_data.current_pdu_len = p->hdr.frag_len;
260         p->out_data.current_pdu_sent = 0;
261
262         prs_mem_free(&outgoing_pdu);
263         return True;
264 }
265
266 /*******************************************************************
267  Generate the next PDU to be returned from the data in p->rdata. 
268  Return an schannel authenticated fragment.
269  ********************************************************************/
270
271 static BOOL create_next_pdu_schannel(pipes_struct *p)
272 {
273         RPC_HDR_RESP hdr_resp;
274         uint32 ss_padding_len = 0;
275         uint32 data_len;
276         uint32 data_space_available;
277         uint32 data_len_left;
278         prs_struct outgoing_pdu;
279         uint32 data_pos;
280
281         /*
282          * If we're in the fault state, keep returning fault PDU's until
283          * the pipe gets closed. JRA.
284          */
285
286         if(p->fault_state) {
287                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
288                 return True;
289         }
290
291         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
292
293         /* Change the incoming request header to a response. */
294         p->hdr.pkt_type = RPC_RESPONSE;
295
296         /* Set up rpc header flags. */
297         if (p->out_data.data_sent_length == 0) {
298                 p->hdr.flags = RPC_FLG_FIRST;
299         } else {
300                 p->hdr.flags = 0;
301         }
302
303         /*
304          * Work out how much we can fit in a single PDU.
305          */
306
307         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
308
309         /*
310          * Ensure there really is data left to send.
311          */
312
313         if(!data_len_left) {
314                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
315                 return False;
316         }
317
318         data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
319                                         RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
320
321         /*
322          * The amount we send is the minimum of the available
323          * space and the amount left to send.
324          */
325
326         data_len = MIN(data_len_left, data_space_available);
327
328         /*
329          * Set up the alloc hint. This should be the data left to
330          * send.
331          */
332
333         hdr_resp.alloc_hint = data_len_left;
334
335         /*
336          * Work out if this PDU will be the last.
337          */
338
339         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
340                 p->hdr.flags |= RPC_FLG_LAST;
341                 if (data_len_left % 8) {
342                         ss_padding_len = 8 - (data_len_left % 8);
343                         DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
344                                 ss_padding_len ));
345                 }
346         }
347
348         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
349                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
350         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
351
352         /*
353          * Init the parse struct to point at the outgoing
354          * data.
355          */
356
357         prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
358         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
359
360         /* Store the header in the data stream. */
361         if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
362                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
363                 prs_mem_free(&outgoing_pdu);
364                 return False;
365         }
366
367         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
368                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
369                 prs_mem_free(&outgoing_pdu);
370                 return False;
371         }
372
373         /* Store the current offset. */
374         data_pos = prs_offset(&outgoing_pdu);
375
376         /* Copy the data into the PDU. */
377
378         if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
379                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
380                 prs_mem_free(&outgoing_pdu);
381                 return False;
382         }
383
384         /* Copy the sign/seal padding data. */
385         if (ss_padding_len) {
386                 char pad[8];
387                 memset(pad, '\0', 8);
388                 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
389                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
390                         prs_mem_free(&outgoing_pdu);
391                         return False;
392                 }
393         }
394
395         {
396                 /*
397                  * Schannel processing.
398                  */
399                 char *data;
400                 RPC_HDR_AUTH auth_info;
401                 RPC_AUTH_SCHANNEL_CHK verf;
402
403                 data = prs_data_p(&outgoing_pdu) + data_pos;
404                 /* Check it's the type of reply we were expecting to decode */
405
406                 init_rpc_hdr_auth(&auth_info,
407                                 RPC_SCHANNEL_AUTH_TYPE,
408                                 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
409                                         RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
410                                 ss_padding_len, 1);
411
412                 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
413                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
414                         prs_mem_free(&outgoing_pdu);
415                         return False;
416                 }
417
418                 schannel_encode(p->auth.a_u.schannel_auth, 
419                               p->auth.auth_level,
420                               SENDER_IS_ACCEPTOR,
421                               &verf, data, data_len + ss_padding_len);
422
423                 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, 
424                                 &verf, &outgoing_pdu, 0)) {
425                         prs_mem_free(&outgoing_pdu);
426                         return False;
427                 }
428
429                 p->auth.a_u.schannel_auth->seq_num++;
430         }
431
432         /*
433          * Setup the counts for this PDU.
434          */
435
436         p->out_data.data_sent_length += data_len;
437         p->out_data.current_pdu_len = p->hdr.frag_len;
438         p->out_data.current_pdu_sent = 0;
439
440         prs_mem_free(&outgoing_pdu);
441         return True;
442 }
443
444 /*******************************************************************
445  Generate the next PDU to be returned from the data in p->rdata. 
446  No authentication done.
447 ********************************************************************/
448
449 static BOOL create_next_pdu_noauth(pipes_struct *p)
450 {
451         RPC_HDR_RESP hdr_resp;
452         uint32 data_len;
453         uint32 data_space_available;
454         uint32 data_len_left;
455         prs_struct outgoing_pdu;
456
457         /*
458          * If we're in the fault state, keep returning fault PDU's until
459          * the pipe gets closed. JRA.
460          */
461
462         if(p->fault_state) {
463                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
464                 return True;
465         }
466
467         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
468
469         /* Change the incoming request header to a response. */
470         p->hdr.pkt_type = RPC_RESPONSE;
471
472         /* Set up rpc header flags. */
473         if (p->out_data.data_sent_length == 0) {
474                 p->hdr.flags = RPC_FLG_FIRST;
475         } else {
476                 p->hdr.flags = 0;
477         }
478
479         /*
480          * Work out how much we can fit in a single PDU.
481          */
482
483         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
484
485         /*
486          * Ensure there really is data left to send.
487          */
488
489         if(!data_len_left) {
490                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
491                 return False;
492         }
493
494         data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
495
496         /*
497          * The amount we send is the minimum of the available
498          * space and the amount left to send.
499          */
500
501         data_len = MIN(data_len_left, data_space_available);
502
503         /*
504          * Set up the alloc hint. This should be the data left to
505          * send.
506          */
507
508         hdr_resp.alloc_hint = data_len_left;
509
510         /*
511          * Work out if this PDU will be the last.
512          */
513
514         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
515                 p->hdr.flags |= RPC_FLG_LAST;
516         }
517
518         /*
519          * Set up the header lengths.
520          */
521
522         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
523         p->hdr.auth_len = 0;
524
525         /*
526          * Init the parse struct to point at the outgoing
527          * data.
528          */
529
530         prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
531         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
532
533         /* Store the header in the data stream. */
534         if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
535                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
536                 prs_mem_free(&outgoing_pdu);
537                 return False;
538         }
539
540         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
541                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
542                 prs_mem_free(&outgoing_pdu);
543                 return False;
544         }
545
546         /* Copy the data into the PDU. */
547
548         if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
549                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
550                 prs_mem_free(&outgoing_pdu);
551                 return False;
552         }
553
554         /*
555          * Setup the counts for this PDU.
556          */
557
558         p->out_data.data_sent_length += data_len;
559         p->out_data.current_pdu_len = p->hdr.frag_len;
560         p->out_data.current_pdu_sent = 0;
561
562         prs_mem_free(&outgoing_pdu);
563         return True;
564 }
565
566 /*******************************************************************
567  Generate the next PDU to be returned from the data in p->rdata. 
568 ********************************************************************/
569
570 BOOL create_next_pdu(pipes_struct *p)
571 {
572         switch(p->auth.auth_level) {
573                 case PIPE_AUTH_LEVEL_NONE:
574                 case PIPE_AUTH_LEVEL_CONNECT:
575                         /* This is incorrect for auth level connect. Fixme. JRA */
576                         return create_next_pdu_noauth(p);
577                 
578                 default:
579                         switch(p->auth.auth_type) {
580                                 case PIPE_AUTH_TYPE_NTLMSSP:
581                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
582                                         return create_next_pdu_ntlmssp(p);
583                                 case PIPE_AUTH_TYPE_SCHANNEL:
584                                         return create_next_pdu_schannel(p);
585                                 default:
586                                         break;
587                         }
588         }
589
590         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
591                         (unsigned int)p->auth.auth_level,
592                         (unsigned int)p->auth.auth_type));
593         return False;
594 }
595
596 /*******************************************************************
597  Process an NTLMSSP authentication response.
598  If this function succeeds, the user has been authenticated
599  and their domain, name and calling workstation stored in
600  the pipe struct.
601 *******************************************************************/
602
603 static BOOL pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
604 {
605         DATA_BLOB reply;
606         NTSTATUS status;
607         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
608
609         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
610
611         ZERO_STRUCT(reply);
612
613         memset(p->user_name, '\0', sizeof(p->user_name));
614         memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
615         memset(p->domain, '\0', sizeof(p->domain));
616         memset(p->wks, '\0', sizeof(p->wks));
617
618         /* Set up for non-authenticated user. */
619         TALLOC_FREE(p->pipe_user.nt_user_token);
620         p->pipe_user.ut.ngroups = 0;
621         SAFE_FREE( p->pipe_user.ut.groups);
622
623         /* this has to be done as root in order to verify the password */
624         become_root();
625         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
626         unbecome_root();
627
628         /* Don't generate a reply. */
629         data_blob_free(&reply);
630
631         if (!NT_STATUS_IS_OK(status)) {
632                 return False;
633         }
634
635         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
636            ensure the underlying NTLMSSP flags are also set. If not we should
637            refuse the bind. */
638
639         if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
640                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
641                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
642                                 "but client declined signing.\n",
643                                         p->name ));
644                         return False;
645                 }
646         }
647         if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
648                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
649                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
650                                 "but client declined sealing.\n",
651                                         p->name ));
652                         return False;
653                 }
654         }
655         
656         fstrcpy(p->user_name, a->ntlmssp_state->user);
657         fstrcpy(p->pipe_user_name, a->server_info->unix_name);
658         fstrcpy(p->domain, a->ntlmssp_state->domain);
659         fstrcpy(p->wks, a->ntlmssp_state->workstation);
660
661         DEBUG(5,("pipe_ntlmssp_verify_final: OK: user: %s domain: %s workstation: %s\n",
662                 p->user_name, p->domain, p->wks));
663
664         /*
665          * Store the UNIX credential data (uid/gid pair) in the pipe structure.
666          */
667
668         p->pipe_user.ut.uid = a->server_info->uid;
669         p->pipe_user.ut.gid = a->server_info->gid;
670         
671         /*
672          * Copy the session key from the ntlmssp state.
673          */
674
675         data_blob_free(&p->session_key);
676         p->session_key = data_blob(a->ntlmssp_state->session_key.data, a->ntlmssp_state->session_key.length);
677         if (!p->session_key.data) {
678                 return False;
679         }
680
681         p->pipe_user.ut.ngroups = a->server_info->n_groups;
682         if (p->pipe_user.ut.ngroups) {
683                 if (!(p->pipe_user.ut.groups = memdup(a->server_info->groups,
684                                                 sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
685                         DEBUG(0,("pipe_ntlmssp_verify_final: failed to memdup group list to p->pipe_user.groups\n"));
686                         data_blob_free(&p->session_key);
687                         return False;
688                 }
689         }
690
691         if (a->server_info->ptok) {
692                 p->pipe_user.nt_user_token =
693                         dup_nt_token(NULL, a->server_info->ptok);
694                 if (!p->pipe_user.nt_user_token) {
695                         DEBUG(1,("pipe_ntlmssp_verify_final: dup_nt_token failed.\n"));
696                         data_blob_free(&p->session_key);
697                         SAFE_FREE(p->pipe_user.ut.groups);
698                         return False;
699                 }
700
701         } else {
702                 DEBUG(1,("pipe_ntlmssp_verify_final: Error: Authmodule failed to provide nt_user_token\n"));
703                 data_blob_free(&p->session_key);
704                 SAFE_FREE(p->pipe_user.ut.groups);
705                 return False;
706         }
707
708         return True;
709 }
710
711 /*******************************************************************
712  The switch table for the pipe names and the functions to handle them.
713 *******************************************************************/
714
715 struct rpc_table {
716         struct {
717                 const char *clnt;
718                 const char *srv;
719         } pipe;
720         struct api_struct *cmds;
721         int n_cmds;
722 };
723
724 static struct rpc_table *rpc_lookup;
725 static int rpc_lookup_size;
726
727 /*******************************************************************
728  This is the "stage3" NTLMSSP response after a bind request and reply.
729 *******************************************************************/
730
731 BOOL api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
732 {
733         RPC_HDR_AUTH auth_info;
734         uint32 pad;
735         DATA_BLOB blob;
736
737         ZERO_STRUCT(blob);
738
739         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
740
741         if (p->hdr.auth_len == 0) {
742                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
743                 goto err;
744         }
745
746         /* 4 bytes padding. */
747         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
748                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
749                 goto err;
750         }
751
752         /*
753          * Decode the authentication verifier response.
754          */
755
756         if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
757                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
758                 goto err;
759         }
760
761         if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
762                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
763                         (unsigned int)auth_info.auth_type ));
764                 return False;
765         }
766
767         blob = data_blob(NULL,p->hdr.auth_len);
768
769         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
770                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
771                         (unsigned int)p->hdr.auth_len ));
772                 goto err;
773         }
774
775         /*
776          * The following call actually checks the challenge/response data.
777          * for correctness against the given DOMAIN\user name.
778          */
779         
780         if (!pipe_ntlmssp_verify_final(p, &blob)) {
781                 goto err;
782         }
783
784         data_blob_free(&blob);
785
786         p->pipe_bound = True;
787
788         return True;
789
790  err:
791
792         data_blob_free(&blob);
793         free_pipe_ntlmssp_auth_data(&p->auth);
794         p->auth.a_u.auth_ntlmssp_state = NULL;
795
796         return False;
797 }
798
799 /*******************************************************************
800  Marshall a bind_nak pdu.
801 *******************************************************************/
802
803 static BOOL setup_bind_nak(pipes_struct *p)
804 {
805         prs_struct outgoing_rpc;
806         RPC_HDR nak_hdr;
807         uint16 zero = 0;
808
809         /* Free any memory in the current return data buffer. */
810         prs_mem_free(&p->out_data.rdata);
811
812         /*
813          * Marshall directly into the outgoing PDU space. We
814          * must do this as we need to set to the bind response
815          * header and are never sending more than one PDU here.
816          */
817
818         prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
819         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
820
821         /*
822          * Initialize a bind_nak header.
823          */
824
825         init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
826                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
827
828         /*
829          * Marshall the header into the outgoing PDU.
830          */
831
832         if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
833                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
834                 prs_mem_free(&outgoing_rpc);
835                 return False;
836         }
837
838         /*
839          * Now add the reject reason.
840          */
841
842         if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
843                 prs_mem_free(&outgoing_rpc);
844                 return False;
845         }
846
847         p->out_data.data_sent_length = 0;
848         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
849         p->out_data.current_pdu_sent = 0;
850
851         if (p->auth.auth_data_free_func) {
852                 (*p->auth.auth_data_free_func)(&p->auth);
853         }
854         p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
855         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
856         p->pipe_bound = False;
857
858         return True;
859 }
860
861 /*******************************************************************
862  Marshall a fault pdu.
863 *******************************************************************/
864
865 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
866 {
867         prs_struct outgoing_pdu;
868         RPC_HDR fault_hdr;
869         RPC_HDR_RESP hdr_resp;
870         RPC_HDR_FAULT fault_resp;
871
872         /* Free any memory in the current return data buffer. */
873         prs_mem_free(&p->out_data.rdata);
874
875         /*
876          * Marshall directly into the outgoing PDU space. We
877          * must do this as we need to set to the bind response
878          * header and are never sending more than one PDU here.
879          */
880
881         prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
882         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
883
884         /*
885          * Initialize a fault header.
886          */
887
888         init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
889             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
890
891         /*
892          * Initialize the HDR_RESP and FAULT parts of the PDU.
893          */
894
895         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
896
897         fault_resp.status = status;
898         fault_resp.reserved = 0;
899
900         /*
901          * Marshall the header into the outgoing PDU.
902          */
903
904         if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
905                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
906                 prs_mem_free(&outgoing_pdu);
907                 return False;
908         }
909
910         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
911                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
912                 prs_mem_free(&outgoing_pdu);
913                 return False;
914         }
915
916         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
917                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
918                 prs_mem_free(&outgoing_pdu);
919                 return False;
920         }
921
922         p->out_data.data_sent_length = 0;
923         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
924         p->out_data.current_pdu_sent = 0;
925
926         prs_mem_free(&outgoing_pdu);
927         return True;
928 }
929
930 #if 0
931 /*******************************************************************
932  Marshall a cancel_ack pdu.
933  We should probably check the auth-verifier here.
934 *******************************************************************/
935
936 BOOL setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
937 {
938         prs_struct outgoing_pdu;
939         RPC_HDR ack_reply_hdr;
940
941         /* Free any memory in the current return data buffer. */
942         prs_mem_free(&p->out_data.rdata);
943
944         /*
945          * Marshall directly into the outgoing PDU space. We
946          * must do this as we need to set to the bind response
947          * header and are never sending more than one PDU here.
948          */
949
950         prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
951         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
952
953         /*
954          * Initialize a cancel_ack header.
955          */
956
957         init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
958                         p->hdr.call_id, RPC_HEADER_LEN, 0);
959
960         /*
961          * Marshall the header into the outgoing PDU.
962          */
963
964         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
965                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
966                 prs_mem_free(&outgoing_pdu);
967                 return False;
968         }
969
970         p->out_data.data_sent_length = 0;
971         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
972         p->out_data.current_pdu_sent = 0;
973
974         prs_mem_free(&outgoing_pdu);
975         return True;
976 }
977 #endif
978
979 /*******************************************************************
980  Ensure a bind request has the correct abstract & transfer interface.
981  Used to reject unknown binds from Win2k.
982 *******************************************************************/
983
984 BOOL check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
985                     RPC_IFACE* transfer, uint32 context_id)
986 {
987         char *pipe_name = p->name;
988         int i=0;
989         fstring pname;
990         
991         fstrcpy(pname,"\\PIPE\\");
992         fstrcat(pname,pipe_name);
993
994         DEBUG(3,("check_bind_req for %s\n", pname));
995
996         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
997                 
998         for ( i=0; pipe_names[i].client_pipe; i++ ) {
999                 DEBUG(10,("checking %s\n", pipe_names[i].client_pipe));
1000                 if ( strequal(pipe_names[i].client_pipe, pname)
1001                         && (abstract->version == pipe_names[i].abstr_syntax.version) 
1002                         && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct uuid)) == 0)
1003                         && (transfer->version == pipe_names[i].trans_syntax.version)
1004                         && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct uuid)) == 0) ) {
1005                         struct api_struct       *fns = NULL;
1006                         int                     n_fns = 0;
1007                         PIPE_RPC_FNS            *context_fns;
1008                         
1009                         if ( !(context_fns = SMB_MALLOC_P(PIPE_RPC_FNS)) ) {
1010                                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1011                                 return False;
1012                         }
1013                         
1014                         /* save the RPC function table associated with this bind */
1015                         
1016                         get_pipe_fns(i, &fns, &n_fns);
1017                         
1018                         context_fns->cmds = fns;
1019                         context_fns->n_cmds = n_fns;
1020                         context_fns->context_id = context_id;
1021                         
1022                         /* add to the list of open contexts */
1023                         
1024                         DLIST_ADD( p->contexts, context_fns );
1025                         
1026                         break;
1027                 }
1028         }
1029
1030         if(pipe_names[i].client_pipe == NULL) {
1031                 return False;
1032         }
1033
1034         return True;
1035 }
1036
1037 /*******************************************************************
1038  Register commands to an RPC pipe
1039 *******************************************************************/
1040
1041 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
1042 {
1043         struct rpc_table *rpc_entry;
1044
1045         if (!clnt || !srv || !cmds) {
1046                 return NT_STATUS_INVALID_PARAMETER;
1047         }
1048
1049         if (version != SMB_RPC_INTERFACE_VERSION) {
1050                 DEBUG(0,("Can't register rpc commands!\n"
1051                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1052                          ", while this version of samba uses version %d!\n", 
1053                          version,SMB_RPC_INTERFACE_VERSION));
1054                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1055         }
1056
1057         /* TODO: 
1058          *
1059          * we still need to make sure that don't register the same commands twice!!!
1060          * 
1061          * --metze
1062          */
1063
1064         /* We use a temporary variable because this call can fail and 
1065            rpc_lookup will still be valid afterwards.  It could then succeed if
1066            called again later */
1067         rpc_lookup_size++;
1068         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1069         if (NULL == rpc_entry) {
1070                 rpc_lookup_size--;
1071                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1072                 return NT_STATUS_NO_MEMORY;
1073         } else {
1074                 rpc_lookup = rpc_entry;
1075         }
1076         
1077         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1078         ZERO_STRUCTP(rpc_entry);
1079         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1080         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1081         rpc_entry->cmds = SMB_REALLOC_ARRAY(rpc_entry->cmds, struct api_struct, rpc_entry->n_cmds + size);
1082         if (!rpc_entry->cmds) {
1083                 return NT_STATUS_NO_MEMORY;
1084         }
1085         memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds, size * sizeof(struct api_struct));
1086         rpc_entry->n_cmds += size;
1087         
1088         return NT_STATUS_OK;
1089 }
1090
1091 /*******************************************************************
1092  Handle a SPNEGO krb5 bind auth.
1093 *******************************************************************/
1094
1095 static BOOL pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1096                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1097 {
1098         return False;
1099 }
1100
1101 /*******************************************************************
1102  Handle the first part of a SPNEGO bind auth.
1103 *******************************************************************/
1104
1105 static BOOL pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1106                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1107 {
1108         DATA_BLOB blob;
1109         DATA_BLOB secblob;
1110         DATA_BLOB response;
1111         DATA_BLOB chal;
1112         char *OIDs[ASN1_MAX_OIDS];
1113         int i;
1114         NTSTATUS status;
1115         BOOL got_kerberos_mechanism = False;
1116         AUTH_NTLMSSP_STATE *a = NULL;
1117         RPC_HDR_AUTH auth_info;
1118
1119         ZERO_STRUCT(secblob);
1120         ZERO_STRUCT(chal);
1121         ZERO_STRUCT(response);
1122
1123         /* Grab the SPNEGO blob. */
1124         blob = data_blob(NULL,p->hdr.auth_len);
1125
1126         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1127                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1128                         (unsigned int)p->hdr.auth_len ));
1129                 goto err;
1130         }
1131
1132         if (blob.data[0] != ASN1_APPLICATION(0)) {
1133                 goto err;
1134         }
1135
1136         /* parse out the OIDs and the first sec blob */
1137         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1138                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1139                 goto err;
1140         }
1141
1142         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1143                 got_kerberos_mechanism = True;
1144         }
1145
1146         for (i=0;OIDs[i];i++) {
1147                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1148                 SAFE_FREE(OIDs[i]);
1149         }
1150         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1151
1152         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1153                 BOOL ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1154                 data_blob_free(&secblob);
1155                 data_blob_free(&blob);
1156                 return ret;
1157         }
1158
1159         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1160                 /* Free any previous auth type. */
1161                 free_pipe_ntlmssp_auth_data(&p->auth);
1162         }
1163
1164         /* Initialize the NTLM engine. */
1165         status = auth_ntlmssp_start(&a);
1166         if (!NT_STATUS_IS_OK(status)) {
1167                 goto err;
1168         }
1169
1170         /*
1171          * Pass the first security blob of data to it.
1172          * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1173          * which means we need another packet to complete the bind.
1174          */
1175
1176         status = auth_ntlmssp_update(a, secblob, &chal);
1177
1178         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1179                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1180                 goto err;
1181         }
1182
1183         /* Generate the response blob we need for step 2 of the bind. */
1184         response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1185
1186         /* Copy the blob into the pout_auth parse struct */
1187         init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1188         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1189                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1190                 goto err;
1191         }
1192
1193         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1194                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1195                 goto err;
1196         }
1197
1198         p->auth.a_u.auth_ntlmssp_state = a;
1199         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1200         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1201
1202         data_blob_free(&blob);
1203         data_blob_free(&secblob);
1204         data_blob_free(&chal);
1205         data_blob_free(&response);
1206
1207         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1208         return True;
1209
1210  err:
1211
1212         data_blob_free(&blob);
1213         data_blob_free(&secblob);
1214         data_blob_free(&chal);
1215         data_blob_free(&response);
1216
1217         p->auth.a_u.auth_ntlmssp_state = NULL;
1218
1219         return False;
1220 }
1221
1222 /*******************************************************************
1223  Handle the second part of a SPNEGO bind auth.
1224 *******************************************************************/
1225
1226 static BOOL pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1227                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1228 {
1229         RPC_HDR_AUTH auth_info;
1230         DATA_BLOB spnego_blob;
1231         DATA_BLOB auth_blob;
1232         DATA_BLOB auth_reply;
1233         DATA_BLOB response;
1234         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1235
1236         ZERO_STRUCT(spnego_blob);
1237         ZERO_STRUCT(auth_blob);
1238         ZERO_STRUCT(auth_reply);
1239         ZERO_STRUCT(response);
1240
1241         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1242                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1243                 goto err;
1244         }
1245
1246         /* Grab the SPNEGO blob. */
1247         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1248
1249         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1250                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1251                         (unsigned int)p->hdr.auth_len ));
1252                 goto err;
1253         }
1254
1255         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1256                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1257                 goto err;
1258         }
1259
1260         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1261                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1262                 goto err;
1263         }
1264
1265         /*
1266          * The following call actually checks the challenge/response data.
1267          * for correctness against the given DOMAIN\user name.
1268          */
1269         
1270         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1271                 goto err;
1272         }
1273
1274         data_blob_free(&spnego_blob);
1275         data_blob_free(&auth_blob);
1276
1277         /* Generate the spnego "accept completed" blob - no incoming data. */
1278         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1279
1280         /* Copy the blob into the pout_auth parse struct */
1281         init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1282         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1283                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1284                 goto err;
1285         }
1286
1287         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1288                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1289                 goto err;
1290         }
1291
1292         data_blob_free(&auth_reply);
1293         data_blob_free(&response);
1294
1295         p->pipe_bound = True;
1296
1297         return True;
1298
1299  err:
1300
1301         data_blob_free(&spnego_blob);
1302         data_blob_free(&auth_blob);
1303         data_blob_free(&auth_reply);
1304         data_blob_free(&response);
1305
1306         free_pipe_ntlmssp_auth_data(&p->auth);
1307         p->auth.a_u.auth_ntlmssp_state = NULL;
1308
1309         return False;
1310 }
1311
1312 /*******************************************************************
1313  Handle an schannel bind auth.
1314 *******************************************************************/
1315
1316 static BOOL pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1317                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1318 {
1319         RPC_HDR_AUTH auth_info;
1320         RPC_AUTH_SCHANNEL_NEG neg;
1321         RPC_AUTH_VERIFIER auth_verifier;
1322         BOOL ret;
1323         struct dcinfo *pdcinfo;
1324         uint32 flags;
1325
1326         if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1327                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1328                 return False;
1329         }
1330
1331         /*
1332          * The neg.myname key here must match the remote computer name
1333          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1334          * operations that use credentials.
1335          */
1336
1337         become_root();
1338         ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1339         unbecome_root();
1340
1341         if (!ret) {
1342                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1343                 return False;
1344         }
1345
1346         p->auth.a_u.schannel_auth = TALLOC_P(p->pipe_state_mem_ctx, struct schannel_auth_struct);
1347         if (!p->auth.a_u.schannel_auth) {
1348                 TALLOC_FREE(pdcinfo);
1349                 return False;
1350         }
1351
1352         memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1353         memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1354                         sizeof(pdcinfo->sess_key));
1355
1356         TALLOC_FREE(pdcinfo);
1357
1358         p->auth.a_u.schannel_auth->seq_num = 0;
1359
1360         /*
1361          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1362          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1363          * struct of the person who opened the pipe. I need to test this further. JRA.
1364          */
1365
1366         init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1367         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1368                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1369                 return False;
1370         }
1371
1372         /*** SCHANNEL verifier ***/
1373
1374         init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1375         if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1376                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1377                 return False;
1378         }
1379
1380         prs_align(pout_auth);
1381
1382         flags = 5;
1383         if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1384                 return False;
1385         }
1386
1387         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1388                 neg.domain, neg.myname));
1389
1390         /* We're finished with this bind - no more packets. */
1391         p->auth.auth_data_free_func = NULL;
1392         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1393
1394         p->pipe_bound = True;
1395
1396         return True;
1397 }
1398
1399 /*******************************************************************
1400  Handle an NTLMSSP bind auth.
1401 *******************************************************************/
1402
1403 static BOOL pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1404                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1405 {
1406         RPC_HDR_AUTH auth_info;
1407         DATA_BLOB blob;
1408         DATA_BLOB response;
1409         NTSTATUS status;
1410         AUTH_NTLMSSP_STATE *a = NULL;
1411
1412         ZERO_STRUCT(blob);
1413         ZERO_STRUCT(response);
1414
1415         /* Grab the NTLMSSP blob. */
1416         blob = data_blob(NULL,p->hdr.auth_len);
1417
1418         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1419                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1420                         (unsigned int)p->hdr.auth_len ));
1421                 goto err;
1422         }
1423
1424         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1425                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1426                 goto err;
1427         }
1428
1429         /* We have an NTLMSSP blob. */
1430         status = auth_ntlmssp_start(&a);
1431         if (!NT_STATUS_IS_OK(status)) {
1432                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1433                         nt_errstr(status) ));
1434                 goto err;
1435         }
1436
1437         status = auth_ntlmssp_update(a, blob, &response);
1438         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1439                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1440                         nt_errstr(status) ));
1441                 goto err;
1442         }
1443
1444         data_blob_free(&blob);
1445
1446         /* Copy the blob into the pout_auth parse struct */
1447         init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1448         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1449                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1450                 goto err;
1451         }
1452
1453         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1454                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1455                 goto err;
1456         }
1457
1458         p->auth.a_u.auth_ntlmssp_state = a;
1459         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1460         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1461
1462         data_blob_free(&blob);
1463         data_blob_free(&response);
1464
1465         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1466
1467         /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1468         return True;
1469
1470   err:
1471
1472         data_blob_free(&blob);
1473         data_blob_free(&response);
1474
1475         free_pipe_ntlmssp_auth_data(&p->auth);
1476         p->auth.a_u.auth_ntlmssp_state = NULL;
1477         return False;
1478 }
1479
1480 /*******************************************************************
1481  Respond to a pipe bind request.
1482 *******************************************************************/
1483
1484 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1485 {
1486         RPC_HDR_BA hdr_ba;
1487         RPC_HDR_RB hdr_rb;
1488         RPC_HDR_AUTH auth_info;
1489         uint16 assoc_gid;
1490         fstring ack_pipe_name;
1491         prs_struct out_hdr_ba;
1492         prs_struct out_auth;
1493         prs_struct outgoing_rpc;
1494         int i = 0;
1495         int auth_len = 0;
1496         unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1497
1498         /* No rebinds on a bound pipe - use alter context. */
1499         if (p->pipe_bound) {
1500                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1501                 return setup_bind_nak(p);
1502         }
1503
1504         prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1505
1506         /* 
1507          * Marshall directly into the outgoing PDU space. We
1508          * must do this as we need to set to the bind response
1509          * header and are never sending more than one PDU here.
1510          */
1511
1512         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1513
1514         /*
1515          * Setup the memory to marshall the ba header, and the
1516          * auth footers.
1517          */
1518
1519         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1520                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1521                 prs_mem_free(&outgoing_rpc);
1522                 return False;
1523         }
1524
1525         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1526                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1527                 prs_mem_free(&outgoing_rpc);
1528                 prs_mem_free(&out_hdr_ba);
1529                 return False;
1530         }
1531
1532         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1533
1534         /*
1535          * Try and find the correct pipe name to ensure
1536          * that this is a pipe name we support.
1537          */
1538
1539
1540         for (i = 0; i < rpc_lookup_size; i++) {
1541                 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1542                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1543                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1544                         fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1545                         break;
1546                 }
1547         }
1548
1549         if (i == rpc_lookup_size) {
1550                 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1551                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1552                                 p->name ));
1553                         prs_mem_free(&outgoing_rpc);
1554                         prs_mem_free(&out_hdr_ba);
1555                         prs_mem_free(&out_auth);
1556
1557                         return setup_bind_nak(p);
1558                 }
1559
1560                 for (i = 0; i < rpc_lookup_size; i++) {
1561                        if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1562                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1563                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1564                                fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1565                                break;
1566                        }
1567                 }
1568
1569                 if (i == rpc_lookup_size) {
1570                         DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1571                         goto err_exit;
1572                 }
1573         }
1574
1575         /* decode the bind request */
1576         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1577                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
1578                 goto err_exit;
1579         }
1580
1581         /* name has to be \PIPE\xxxxx */
1582         fstrcpy(ack_pipe_name, "\\PIPE\\");
1583         fstrcat(ack_pipe_name, p->pipe_srv_name);
1584
1585         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1586
1587         /*
1588          * Check if this is an authenticated bind request.
1589          */
1590
1591         if (p->hdr.auth_len) {
1592                 /* 
1593                  * Decode the authentication verifier.
1594                  */
1595
1596                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1597                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1598                         goto err_exit;
1599                 }
1600
1601                 auth_type = auth_info.auth_type;
1602
1603                 /* Work out if we have to sign or seal etc. */
1604                 switch (auth_info.auth_level) {
1605                         case RPC_AUTH_LEVEL_INTEGRITY:
1606                                 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1607                                 break;
1608                         case RPC_AUTH_LEVEL_PRIVACY:
1609                                 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1610                                 break;
1611                         default:
1612                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1613                                         (unsigned int)auth_info.auth_level ));
1614                                 goto err_exit;
1615                 }
1616         } else {
1617                 ZERO_STRUCT(auth_info);
1618         }
1619
1620         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1621
1622         switch(auth_type) {
1623                 case RPC_NTLMSSP_AUTH_TYPE:
1624                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1625                                 goto err_exit;
1626                         }
1627                         assoc_gid = 0x7a77;
1628                         break;
1629
1630                 case RPC_SCHANNEL_AUTH_TYPE:
1631                         if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1632                                 goto err_exit;
1633                         }
1634                         break;
1635
1636                 case RPC_SPNEGO_AUTH_TYPE:
1637                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1638                                 goto err_exit;
1639                         }
1640                         break;
1641
1642                 case RPC_ANONYMOUS_AUTH_TYPE:
1643                         /* Unauthenticated bind request. */
1644                         /* We're finished - no more packets. */
1645                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1646                         /* We must set the pipe auth_level here also. */
1647                         p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1648                         p->pipe_bound = True;
1649                         break;
1650
1651                 default:
1652                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1653                         goto err_exit;
1654         }
1655
1656         /*
1657          * Create the bind response struct.
1658          */
1659
1660         /* If the requested abstract synt uuid doesn't match our client pipe,
1661                 reject the bind_ack & set the transfer interface synt to all 0's,
1662                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1663                 unknown to NT4)
1664                 Needed when adding entries to a DACL from NT5 - SK */
1665
1666         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1667                                 hdr_rb.rpc_context[0].context_id )) {
1668                 init_rpc_hdr_ba(&hdr_ba,
1669                         RPC_MAX_PDU_FRAG_LEN,
1670                         RPC_MAX_PDU_FRAG_LEN,
1671                         assoc_gid,
1672                         ack_pipe_name,
1673                         0x1, 0x0, 0x0,
1674                         &hdr_rb.rpc_context[0].transfer[0]);
1675         } else {
1676                 RPC_IFACE null_interface;
1677                 ZERO_STRUCT(null_interface);
1678                 /* Rejection reason: abstract syntax not supported */
1679                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1680                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1681                                         ack_pipe_name, 0x1, 0x2, 0x1,
1682                                         &null_interface);
1683                 p->pipe_bound = False;
1684         }
1685
1686         /*
1687          * and marshall it.
1688          */
1689
1690         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1691                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1692                 goto err_exit;
1693         }
1694
1695         /*
1696          * Create the header, now we know the length.
1697          */
1698
1699         if (prs_offset(&out_auth)) {
1700                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1701         }
1702
1703         init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1704                         p->hdr.call_id,
1705                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1706                         auth_len);
1707
1708         /*
1709          * Marshall the header into the outgoing PDU.
1710          */
1711
1712         if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1713                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1714                 goto err_exit;
1715         }
1716
1717         /*
1718          * Now add the RPC_HDR_BA and any auth needed.
1719          */
1720
1721         if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1722                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1723                 goto err_exit;
1724         }
1725
1726         if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1727                 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1728                 goto err_exit;
1729         }
1730
1731         /*
1732          * Setup the lengths for the initial reply.
1733          */
1734
1735         p->out_data.data_sent_length = 0;
1736         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1737         p->out_data.current_pdu_sent = 0;
1738
1739         prs_mem_free(&out_hdr_ba);
1740         prs_mem_free(&out_auth);
1741
1742         return True;
1743
1744   err_exit:
1745
1746         prs_mem_free(&outgoing_rpc);
1747         prs_mem_free(&out_hdr_ba);
1748         prs_mem_free(&out_auth);
1749         return setup_bind_nak(p);
1750 }
1751
1752 /****************************************************************************
1753  Deal with an alter context call. Can be third part of 3 leg auth request for
1754  SPNEGO calls.
1755 ****************************************************************************/
1756
1757 BOOL api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1758 {
1759         RPC_HDR_BA hdr_ba;
1760         RPC_HDR_RB hdr_rb;
1761         RPC_HDR_AUTH auth_info;
1762         uint16 assoc_gid;
1763         fstring ack_pipe_name;
1764         prs_struct out_hdr_ba;
1765         prs_struct out_auth;
1766         prs_struct outgoing_rpc;
1767         int auth_len = 0;
1768
1769         prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1770
1771         /* 
1772          * Marshall directly into the outgoing PDU space. We
1773          * must do this as we need to set to the bind response
1774          * header and are never sending more than one PDU here.
1775          */
1776
1777         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1778
1779         /*
1780          * Setup the memory to marshall the ba header, and the
1781          * auth footers.
1782          */
1783
1784         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1785                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1786                 prs_mem_free(&outgoing_rpc);
1787                 return False;
1788         }
1789
1790         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1791                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1792                 prs_mem_free(&outgoing_rpc);
1793                 prs_mem_free(&out_hdr_ba);
1794                 return False;
1795         }
1796
1797         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1798
1799         /* decode the alter context request */
1800         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1801                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1802                 goto err_exit;
1803         }
1804
1805         /* secondary address CAN be NULL
1806          * as the specs say it's ignored.
1807          * It MUST be NULL to have the spoolss working.
1808          */
1809         fstrcpy(ack_pipe_name,"");
1810
1811         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1812
1813         /*
1814          * Check if this is an authenticated alter context request.
1815          */
1816
1817         if (p->hdr.auth_len != 0) {
1818                 /* 
1819                  * Decode the authentication verifier.
1820                  */
1821
1822                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1823                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1824                         goto err_exit;
1825                 }
1826
1827                 /*
1828                  * Currently only the SPNEGO auth type uses the alter ctx
1829                  * response in place of the NTLMSSP auth3 type.
1830                  */
1831
1832                 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1833                         /* We can only finish if the pipe is unbound. */
1834                         if (!p->pipe_bound) {
1835                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1836                                         goto err_exit;
1837                                 }
1838                         } else {
1839                                 goto err_exit;
1840                         }
1841                 }
1842         } else {
1843                 ZERO_STRUCT(auth_info);
1844         }
1845
1846         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1847
1848         /*
1849          * Create the bind response struct.
1850          */
1851
1852         /* If the requested abstract synt uuid doesn't match our client pipe,
1853                 reject the bind_ack & set the transfer interface synt to all 0's,
1854                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1855                 unknown to NT4)
1856                 Needed when adding entries to a DACL from NT5 - SK */
1857
1858         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1859                                 hdr_rb.rpc_context[0].context_id )) {
1860                 init_rpc_hdr_ba(&hdr_ba,
1861                         RPC_MAX_PDU_FRAG_LEN,
1862                         RPC_MAX_PDU_FRAG_LEN,
1863                         assoc_gid,
1864                         ack_pipe_name,
1865                         0x1, 0x0, 0x0,
1866                         &hdr_rb.rpc_context[0].transfer[0]);
1867         } else {
1868                 RPC_IFACE null_interface;
1869                 ZERO_STRUCT(null_interface);
1870                 /* Rejection reason: abstract syntax not supported */
1871                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1872                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1873                                         ack_pipe_name, 0x1, 0x2, 0x1,
1874                                         &null_interface);
1875                 p->pipe_bound = False;
1876         }
1877
1878         /*
1879          * and marshall it.
1880          */
1881
1882         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1883                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1884                 goto err_exit;
1885         }
1886
1887         /*
1888          * Create the header, now we know the length.
1889          */
1890
1891         if (prs_offset(&out_auth)) {
1892                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1893         }
1894
1895         init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1896                         p->hdr.call_id,
1897                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1898                         auth_len);
1899
1900         /*
1901          * Marshall the header into the outgoing PDU.
1902          */
1903
1904         if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1905                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1906                 goto err_exit;
1907         }
1908
1909         /*
1910          * Now add the RPC_HDR_BA and any auth needed.
1911          */
1912
1913         if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1914                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1915                 goto err_exit;
1916         }
1917
1918         if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1919                 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1920                 goto err_exit;
1921         }
1922
1923         /*
1924          * Setup the lengths for the initial reply.
1925          */
1926
1927         p->out_data.data_sent_length = 0;
1928         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1929         p->out_data.current_pdu_sent = 0;
1930
1931         prs_mem_free(&out_hdr_ba);
1932         prs_mem_free(&out_auth);
1933
1934         return True;
1935
1936   err_exit:
1937
1938         prs_mem_free(&outgoing_rpc);
1939         prs_mem_free(&out_hdr_ba);
1940         prs_mem_free(&out_auth);
1941         return setup_bind_nak(p);
1942 }
1943
1944 /****************************************************************************
1945  Deal with NTLMSSP sign & seal processing on an RPC request.
1946 ****************************************************************************/
1947
1948 BOOL api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1949                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1950 {
1951         RPC_HDR_AUTH auth_info;
1952         uint32 auth_len = p->hdr.auth_len;
1953         uint32 save_offset = prs_offset(rpc_in);
1954         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1955         unsigned char *data = NULL;
1956         size_t data_len;
1957         unsigned char *full_packet_data = NULL;
1958         size_t full_packet_data_len;
1959         DATA_BLOB auth_blob;
1960         
1961         *pstatus = NT_STATUS_OK;
1962
1963         if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
1964                 return True;
1965         }
1966
1967         if (!a) {
1968                 *pstatus = NT_STATUS_INVALID_PARAMETER;
1969                 return False;
1970         }
1971
1972         /* Ensure there's enough data for an authenticated request. */
1973         if ((auth_len > RPC_MAX_SIGN_SIZE) ||
1974                         (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
1975                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
1976                         (unsigned int)auth_len ));
1977                 *pstatus = NT_STATUS_INVALID_PARAMETER;
1978                 return False;
1979         }
1980
1981         /*
1982          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
1983          * after the RPC header. 
1984          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
1985          * functions as NTLMv2 checks the rpc headers also.
1986          */
1987
1988         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
1989         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
1990
1991         full_packet_data = p->in_data.current_in_pdu;
1992         full_packet_data_len = p->hdr.frag_len - auth_len;
1993
1994         /* Pull the auth header and the following data into a blob. */
1995         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
1996                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
1997                         (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
1998                 *pstatus = NT_STATUS_INVALID_PARAMETER;
1999                 return False;
2000         }
2001
2002         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2003                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2004                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2005                 return False;
2006         }
2007
2008         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2009         auth_blob.length = auth_len;
2010         
2011         switch (p->auth.auth_level) {
2012                 case PIPE_AUTH_LEVEL_PRIVACY:
2013                         /* Data is encrypted. */
2014                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2015                                                         data, data_len,
2016                                                         full_packet_data,
2017                                                         full_packet_data_len,
2018                                                         &auth_blob);
2019                         if (!NT_STATUS_IS_OK(*pstatus)) {
2020                                 return False;
2021                         }
2022                         break;
2023                 case PIPE_AUTH_LEVEL_INTEGRITY:
2024                         /* Data is signed. */
2025                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2026                                                         data, data_len,
2027                                                         full_packet_data,
2028                                                         full_packet_data_len,
2029                                                         &auth_blob);
2030                         if (!NT_STATUS_IS_OK(*pstatus)) {
2031                                 return False;
2032                         }
2033                         break;
2034                 default:
2035                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2036                         return False;
2037         }
2038
2039         /*
2040          * Return the current pointer to the data offset.
2041          */
2042
2043         if(!prs_set_offset(rpc_in, save_offset)) {
2044                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2045                         (unsigned int)save_offset ));
2046                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2047                 return False;
2048         }
2049
2050         /*
2051          * Remember the padding length. We must remove it from the real data
2052          * stream once the sign/seal is done.
2053          */
2054
2055         *p_ss_padding_len = auth_info.auth_pad_len;
2056
2057         return True;
2058 }
2059
2060 /****************************************************************************
2061  Deal with schannel processing on an RPC request.
2062 ****************************************************************************/
2063
2064 BOOL api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2065 {
2066         uint32 data_len;
2067         uint32 auth_len;
2068         uint32 save_offset = prs_offset(rpc_in);
2069         RPC_HDR_AUTH auth_info;
2070         RPC_AUTH_SCHANNEL_CHK schannel_chk;
2071
2072         auth_len = p->hdr.auth_len;
2073
2074         if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2075                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2076                 return False;
2077         }
2078
2079         /*
2080          * The following is that length of the data we must verify or unseal.
2081          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2082          * preceeding the auth_data.
2083          */
2084
2085         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2086                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2087                         (unsigned int)p->hdr.frag_len,
2088                         (unsigned int)auth_len ));
2089                 return False;
2090         }
2091
2092         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2093                 RPC_HDR_AUTH_LEN - auth_len;
2094         
2095         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2096
2097         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2098                 DEBUG(0,("cannot move offset to %u.\n",
2099                          (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2100                 return False;
2101         }
2102
2103         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2104                 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2105                 return False;
2106         }
2107
2108         if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2109                 DEBUG(0,("Invalid auth info %d on schannel\n",
2110                          auth_info.auth_type));
2111                 return False;
2112         }
2113
2114         if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2115                 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2116                 return False;
2117         }
2118
2119         if (!schannel_decode(p->auth.a_u.schannel_auth,
2120                            p->auth.auth_level,
2121                            SENDER_IS_INITIATOR,
2122                            &schannel_chk,
2123                            prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2124                 DEBUG(3,("failed to decode PDU\n"));
2125                 return False;
2126         }
2127
2128         /*
2129          * Return the current pointer to the data offset.
2130          */
2131
2132         if(!prs_set_offset(rpc_in, save_offset)) {
2133                 DEBUG(0,("failed to set offset back to %u\n",
2134                          (unsigned int)save_offset ));
2135                 return False;
2136         }
2137
2138         /* The sequence number gets incremented on both send and receive. */
2139         p->auth.a_u.schannel_auth->seq_num++;
2140
2141         /*
2142          * Remember the padding length. We must remove it from the real data
2143          * stream once the sign/seal is done.
2144          */
2145
2146         *p_ss_padding_len = auth_info.auth_pad_len;
2147
2148         return True;
2149 }
2150
2151 /****************************************************************************
2152  Return a user struct for a pipe user.
2153 ****************************************************************************/
2154
2155 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2156 {
2157         if (p->pipe_bound &&
2158                         (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2159                         (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2160                 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2161         } else {
2162                 memcpy(user, &current_user, sizeof(struct current_user));
2163         }
2164
2165         return user;
2166 }
2167
2168 /****************************************************************************
2169  Find the set of RPC functions associated with this context_id
2170 ****************************************************************************/
2171
2172 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2173 {
2174         PIPE_RPC_FNS *fns = NULL;
2175         PIPE_RPC_FNS *tmp = NULL;
2176         
2177         if ( !list ) {
2178                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2179                 return NULL;
2180         }
2181         
2182         for (tmp=list; tmp; tmp=tmp->next ) {
2183                 if ( tmp->context_id == context_id )
2184                         break;
2185         }
2186         
2187         fns = tmp;
2188         
2189         return fns;
2190 }
2191
2192 /****************************************************************************
2193  Memory cleanup.
2194 ****************************************************************************/
2195
2196 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2197 {
2198         PIPE_RPC_FNS *tmp = list;
2199         PIPE_RPC_FNS *tmp2;
2200                 
2201         while (tmp) {
2202                 tmp2 = tmp->next;
2203                 SAFE_FREE(tmp);
2204                 tmp = tmp2;
2205         }
2206
2207         return; 
2208 }
2209
2210 /****************************************************************************
2211  Find the correct RPC function to call for this request.
2212  If the pipe is authenticated then become the correct UNIX user
2213  before doing the call.
2214 ****************************************************************************/
2215
2216 BOOL api_pipe_request(pipes_struct *p)
2217 {
2218         BOOL ret = False;
2219         BOOL changed_user = False;
2220         PIPE_RPC_FNS *pipe_fns;
2221         
2222         if (p->pipe_bound &&
2223                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2224                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2225                 if(!become_authenticated_pipe_user(p)) {
2226                         prs_mem_free(&p->out_data.rdata);
2227                         return False;
2228                 }
2229                 changed_user = True;
2230         }
2231
2232         DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2233         
2234         /* get the set of RPC functions for this context */
2235         
2236         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2237         
2238         if ( pipe_fns ) {
2239                 set_current_rpc_talloc(p->mem_ctx);
2240                 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2241                 set_current_rpc_talloc(NULL);   
2242         }
2243         else {
2244                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2245                         p->hdr_req.context_id, p->name));
2246         }
2247
2248         if (changed_user) {
2249                 unbecome_authenticated_pipe_user();
2250         }
2251
2252         return ret;
2253 }
2254
2255 /*******************************************************************
2256  Calls the underlying RPC function for a named pipe.
2257  ********************************************************************/
2258
2259 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name, 
2260                 const struct api_struct *api_rpc_cmds, int n_cmds)
2261 {
2262         int fn_num;
2263         fstring name;
2264         uint32 offset1, offset2;
2265  
2266         /* interpret the command */
2267         DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2268
2269         slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2270         prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2271
2272         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2273                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2274                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2275                         break;
2276                 }
2277         }
2278
2279         if (fn_num == n_cmds) {
2280                 /*
2281                  * For an unknown RPC just return a fault PDU but
2282                  * return True to allow RPC's on the pipe to continue
2283                  * and not put the pipe into fault state. JRA.
2284                  */
2285                 DEBUG(4, ("unknown\n"));
2286                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2287                 return True;
2288         }
2289
2290         offset1 = prs_offset(&p->out_data.rdata);
2291
2292         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2293                 fn_num, api_rpc_cmds[fn_num].fn));
2294         /* do the actual command */
2295         if(!api_rpc_cmds[fn_num].fn(p)) {
2296                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2297                 prs_mem_free(&p->out_data.rdata);
2298                 return False;
2299         }
2300
2301         if (p->bad_handle_fault_state) {
2302                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2303                 p->bad_handle_fault_state = False;
2304                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2305                 return True;
2306         }
2307
2308         slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2309         offset2 = prs_offset(&p->out_data.rdata);
2310         prs_set_offset(&p->out_data.rdata, offset1);
2311         prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2312         prs_set_offset(&p->out_data.rdata, offset2);
2313
2314         DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2315
2316         /* Check for buffer underflow in rpc parsing */
2317
2318         if ((DEBUGLEVEL >= 10) && 
2319             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2320                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2321                 char *data = SMB_MALLOC(data_len);
2322
2323                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2324                 if (data) {
2325                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2326                         SAFE_FREE(data);
2327                 }
2328
2329         }
2330
2331         return True;
2332 }
2333
2334 /*******************************************************************
2335 *******************************************************************/
2336
2337 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
2338 {
2339         struct api_struct *cmds = NULL;
2340         int               n_cmds = 0;
2341
2342         switch ( idx ) {
2343                 case PI_LSARPC:
2344                         lsa_get_pipe_fns( &cmds, &n_cmds );
2345                         break;
2346                 case PI_LSARPC_DS:
2347                         lsa_ds_get_pipe_fns( &cmds, &n_cmds );
2348                         break;
2349                 case PI_SAMR:
2350                         samr_get_pipe_fns( &cmds, &n_cmds );
2351                         break;
2352                 case PI_NETLOGON:
2353                         netlog_get_pipe_fns( &cmds, &n_cmds );
2354                         break;
2355                 case PI_SRVSVC:
2356                         srvsvc_get_pipe_fns( &cmds, &n_cmds );
2357                         break;
2358                 case PI_WKSSVC:
2359                         wkssvc_get_pipe_fns( &cmds, &n_cmds );
2360                         break;
2361                 case PI_WINREG:
2362                         reg_get_pipe_fns( &cmds, &n_cmds );
2363                         break;
2364                 case PI_SPOOLSS:
2365                         spoolss_get_pipe_fns( &cmds, &n_cmds );
2366                         break;
2367                 case PI_NETDFS:
2368                         netdfs_get_pipe_fns( &cmds, &n_cmds );
2369                         break;
2370                 case PI_SVCCTL:
2371                         svcctl_get_pipe_fns( &cmds, &n_cmds );
2372                         break;
2373                 case PI_EVENTLOG:
2374                         eventlog_get_pipe_fns( &cmds, &n_cmds );
2375                         break;
2376                 case PI_NTSVCS:
2377                         ntsvcs_get_pipe_fns( &cmds, &n_cmds );
2378                         break;
2379 #ifdef DEVELOPER
2380                 case PI_ECHO:
2381                         echo_get_pipe_fns( &cmds, &n_cmds );
2382                         break;
2383 #endif
2384                 default:
2385                         DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
2386         }
2387
2388         *fns = cmds;
2389         *n_fns = n_cmds;
2390
2391         return;
2392 }