Cosmetics: make check_bind_req() debug statements a little nicer.
[gd/samba/.git] / source / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005.
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31
32 extern struct pipe_id_info pipe_names[];
33 extern struct current_user current_user;
34
35 #undef DBGC_CLASS
36 #define DBGC_CLASS DBGC_RPC_SRV
37
38 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
39 {
40         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
41
42         if (a) {
43                 auth_ntlmssp_end(&a);
44         }
45         auth->a_u.auth_ntlmssp_state = NULL;
46 }
47
48 static DATA_BLOB generic_session_key(void)
49 {
50         return data_blob("SystemLibraryDTC", 16);
51 }
52
53 /*******************************************************************
54  Generate the next PDU to be returned from the data in p->rdata. 
55  Handle NTLMSSP.
56  ********************************************************************/
57
58 static bool create_next_pdu_ntlmssp(pipes_struct *p)
59 {
60         RPC_HDR_RESP hdr_resp;
61         uint32 ss_padding_len = 0;
62         uint32 data_space_available;
63         uint32 data_len_left;
64         uint32 data_len;
65         prs_struct outgoing_pdu;
66         NTSTATUS status;
67         DATA_BLOB auth_blob;
68         RPC_HDR_AUTH auth_info;
69         uint8 auth_type, auth_level;
70         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
71
72         /*
73          * If we're in the fault state, keep returning fault PDU's until
74          * the pipe gets closed. JRA.
75          */
76
77         if(p->fault_state) {
78                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
79                 return True;
80         }
81
82         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
83
84         /* Change the incoming request header to a response. */
85         p->hdr.pkt_type = RPC_RESPONSE;
86
87         /* Set up rpc header flags. */
88         if (p->out_data.data_sent_length == 0) {
89                 p->hdr.flags = RPC_FLG_FIRST;
90         } else {
91                 p->hdr.flags = 0;
92         }
93
94         /*
95          * Work out how much we can fit in a single PDU.
96          */
97
98         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
99
100         /*
101          * Ensure there really is data left to send.
102          */
103
104         if(!data_len_left) {
105                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
106                 return False;
107         }
108
109         data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
110                                         RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
111
112         /*
113          * The amount we send is the minimum of the available
114          * space and the amount left to send.
115          */
116
117         data_len = MIN(data_len_left, data_space_available);
118
119         /*
120          * Set up the alloc hint. This should be the data left to
121          * send.
122          */
123
124         hdr_resp.alloc_hint = data_len_left;
125
126         /*
127          * Work out if this PDU will be the last.
128          */
129
130         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
131                 p->hdr.flags |= RPC_FLG_LAST;
132                 if (data_len_left % 8) {
133                         ss_padding_len = 8 - (data_len_left % 8);
134                         DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
135                                 ss_padding_len ));
136                 }
137         }
138
139         /*
140          * Set up the header lengths.
141          */
142
143         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
144                         data_len + ss_padding_len +
145                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
146         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
147
148
149         /*
150          * Init the parse struct to point at the outgoing
151          * data.
152          */
153
154         prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
155         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
156
157         /* Store the header in the data stream. */
158         if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
159                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
160                 prs_mem_free(&outgoing_pdu);
161                 return False;
162         }
163
164         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
165                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
166                 prs_mem_free(&outgoing_pdu);
167                 return False;
168         }
169
170         /* Copy the data into the PDU. */
171
172         if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
173                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
174                 prs_mem_free(&outgoing_pdu);
175                 return False;
176         }
177
178         /* Copy the sign/seal padding data. */
179         if (ss_padding_len) {
180                 char pad[8];
181
182                 memset(pad, '\0', 8);
183                 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
184                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
185                                         (unsigned int)ss_padding_len));
186                         prs_mem_free(&outgoing_pdu);
187                         return False;
188                 }
189         }
190
191
192         /* Now write out the auth header and null blob. */
193         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
194                 auth_type = RPC_NTLMSSP_AUTH_TYPE;
195         } else {
196                 auth_type = RPC_SPNEGO_AUTH_TYPE;
197         }
198         if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
199                 auth_level = RPC_AUTH_LEVEL_PRIVACY;
200         } else {
201                 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
202         }
203
204         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
205         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
206                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
207                 prs_mem_free(&outgoing_pdu);
208                 return False;
209         }
210
211         /* Generate the sign blob. */
212
213         switch (p->auth.auth_level) {
214                 case PIPE_AUTH_LEVEL_PRIVACY:
215                         /* Data portion is encrypted. */
216                         status = ntlmssp_seal_packet(a->ntlmssp_state,
217                                                         (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
218                                                         data_len + ss_padding_len,
219                                                         (unsigned char *)prs_data_p(&outgoing_pdu),
220                                                         (size_t)prs_offset(&outgoing_pdu),
221                                                         &auth_blob);
222                         if (!NT_STATUS_IS_OK(status)) {
223                                 data_blob_free(&auth_blob);
224                                 prs_mem_free(&outgoing_pdu);
225                                 return False;
226                         }
227                         break;
228                 case PIPE_AUTH_LEVEL_INTEGRITY:
229                         /* Data is signed. */
230                         status = ntlmssp_sign_packet(a->ntlmssp_state,
231                                                         (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
232                                                         data_len + ss_padding_len,
233                                                         (unsigned char *)prs_data_p(&outgoing_pdu),
234                                                         (size_t)prs_offset(&outgoing_pdu),
235                                                         &auth_blob);
236                         if (!NT_STATUS_IS_OK(status)) {
237                                 data_blob_free(&auth_blob);
238                                 prs_mem_free(&outgoing_pdu);
239                                 return False;
240                         }
241                         break;
242                 default:
243                         prs_mem_free(&outgoing_pdu);
244                         return False;
245         }
246
247         /* Append the auth blob. */
248         if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
249                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
250                                 (unsigned int)NTLMSSP_SIG_SIZE));
251                 data_blob_free(&auth_blob);
252                 prs_mem_free(&outgoing_pdu);
253                 return False;
254         }
255
256         data_blob_free(&auth_blob);
257
258         /*
259          * Setup the counts for this PDU.
260          */
261
262         p->out_data.data_sent_length += data_len;
263         p->out_data.current_pdu_len = p->hdr.frag_len;
264         p->out_data.current_pdu_sent = 0;
265
266         prs_mem_free(&outgoing_pdu);
267         return True;
268 }
269
270 /*******************************************************************
271  Generate the next PDU to be returned from the data in p->rdata. 
272  Return an schannel authenticated fragment.
273  ********************************************************************/
274
275 static bool create_next_pdu_schannel(pipes_struct *p)
276 {
277         RPC_HDR_RESP hdr_resp;
278         uint32 ss_padding_len = 0;
279         uint32 data_len;
280         uint32 data_space_available;
281         uint32 data_len_left;
282         prs_struct outgoing_pdu;
283         uint32 data_pos;
284
285         /*
286          * If we're in the fault state, keep returning fault PDU's until
287          * the pipe gets closed. JRA.
288          */
289
290         if(p->fault_state) {
291                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
292                 return True;
293         }
294
295         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
296
297         /* Change the incoming request header to a response. */
298         p->hdr.pkt_type = RPC_RESPONSE;
299
300         /* Set up rpc header flags. */
301         if (p->out_data.data_sent_length == 0) {
302                 p->hdr.flags = RPC_FLG_FIRST;
303         } else {
304                 p->hdr.flags = 0;
305         }
306
307         /*
308          * Work out how much we can fit in a single PDU.
309          */
310
311         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
312
313         /*
314          * Ensure there really is data left to send.
315          */
316
317         if(!data_len_left) {
318                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
319                 return False;
320         }
321
322         data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
323                                         RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
324
325         /*
326          * The amount we send is the minimum of the available
327          * space and the amount left to send.
328          */
329
330         data_len = MIN(data_len_left, data_space_available);
331
332         /*
333          * Set up the alloc hint. This should be the data left to
334          * send.
335          */
336
337         hdr_resp.alloc_hint = data_len_left;
338
339         /*
340          * Work out if this PDU will be the last.
341          */
342
343         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
344                 p->hdr.flags |= RPC_FLG_LAST;
345                 if (data_len_left % 8) {
346                         ss_padding_len = 8 - (data_len_left % 8);
347                         DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
348                                 ss_padding_len ));
349                 }
350         }
351
352         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
353                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
354         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
355
356         /*
357          * Init the parse struct to point at the outgoing
358          * data.
359          */
360
361         prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
362         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
363
364         /* Store the header in the data stream. */
365         if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
366                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
367                 prs_mem_free(&outgoing_pdu);
368                 return False;
369         }
370
371         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
372                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
373                 prs_mem_free(&outgoing_pdu);
374                 return False;
375         }
376
377         /* Store the current offset. */
378         data_pos = prs_offset(&outgoing_pdu);
379
380         /* Copy the data into the PDU. */
381
382         if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
383                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
384                 prs_mem_free(&outgoing_pdu);
385                 return False;
386         }
387
388         /* Copy the sign/seal padding data. */
389         if (ss_padding_len) {
390                 char pad[8];
391                 memset(pad, '\0', 8);
392                 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
393                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
394                         prs_mem_free(&outgoing_pdu);
395                         return False;
396                 }
397         }
398
399         {
400                 /*
401                  * Schannel processing.
402                  */
403                 char *data;
404                 RPC_HDR_AUTH auth_info;
405                 RPC_AUTH_SCHANNEL_CHK verf;
406
407                 data = prs_data_p(&outgoing_pdu) + data_pos;
408                 /* Check it's the type of reply we were expecting to decode */
409
410                 init_rpc_hdr_auth(&auth_info,
411                                 RPC_SCHANNEL_AUTH_TYPE,
412                                 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
413                                         RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
414                                 ss_padding_len, 1);
415
416                 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
417                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
418                         prs_mem_free(&outgoing_pdu);
419                         return False;
420                 }
421
422                 schannel_encode(p->auth.a_u.schannel_auth, 
423                               p->auth.auth_level,
424                               SENDER_IS_ACCEPTOR,
425                               &verf, data, data_len + ss_padding_len);
426
427                 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, 
428                                 &verf, &outgoing_pdu, 0)) {
429                         prs_mem_free(&outgoing_pdu);
430                         return False;
431                 }
432
433                 p->auth.a_u.schannel_auth->seq_num++;
434         }
435
436         /*
437          * Setup the counts for this PDU.
438          */
439
440         p->out_data.data_sent_length += data_len;
441         p->out_data.current_pdu_len = p->hdr.frag_len;
442         p->out_data.current_pdu_sent = 0;
443
444         prs_mem_free(&outgoing_pdu);
445         return True;
446 }
447
448 /*******************************************************************
449  Generate the next PDU to be returned from the data in p->rdata. 
450  No authentication done.
451 ********************************************************************/
452
453 static bool create_next_pdu_noauth(pipes_struct *p)
454 {
455         RPC_HDR_RESP hdr_resp;
456         uint32 data_len;
457         uint32 data_space_available;
458         uint32 data_len_left;
459         prs_struct outgoing_pdu;
460
461         /*
462          * If we're in the fault state, keep returning fault PDU's until
463          * the pipe gets closed. JRA.
464          */
465
466         if(p->fault_state) {
467                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
468                 return True;
469         }
470
471         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
472
473         /* Change the incoming request header to a response. */
474         p->hdr.pkt_type = RPC_RESPONSE;
475
476         /* Set up rpc header flags. */
477         if (p->out_data.data_sent_length == 0) {
478                 p->hdr.flags = RPC_FLG_FIRST;
479         } else {
480                 p->hdr.flags = 0;
481         }
482
483         /*
484          * Work out how much we can fit in a single PDU.
485          */
486
487         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
488
489         /*
490          * Ensure there really is data left to send.
491          */
492
493         if(!data_len_left) {
494                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
495                 return False;
496         }
497
498         data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
499
500         /*
501          * The amount we send is the minimum of the available
502          * space and the amount left to send.
503          */
504
505         data_len = MIN(data_len_left, data_space_available);
506
507         /*
508          * Set up the alloc hint. This should be the data left to
509          * send.
510          */
511
512         hdr_resp.alloc_hint = data_len_left;
513
514         /*
515          * Work out if this PDU will be the last.
516          */
517
518         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
519                 p->hdr.flags |= RPC_FLG_LAST;
520         }
521
522         /*
523          * Set up the header lengths.
524          */
525
526         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
527         p->hdr.auth_len = 0;
528
529         /*
530          * Init the parse struct to point at the outgoing
531          * data.
532          */
533
534         prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
535         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
536
537         /* Store the header in the data stream. */
538         if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
539                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
540                 prs_mem_free(&outgoing_pdu);
541                 return False;
542         }
543
544         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
545                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
546                 prs_mem_free(&outgoing_pdu);
547                 return False;
548         }
549
550         /* Copy the data into the PDU. */
551
552         if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
553                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
554                 prs_mem_free(&outgoing_pdu);
555                 return False;
556         }
557
558         /*
559          * Setup the counts for this PDU.
560          */
561
562         p->out_data.data_sent_length += data_len;
563         p->out_data.current_pdu_len = p->hdr.frag_len;
564         p->out_data.current_pdu_sent = 0;
565
566         prs_mem_free(&outgoing_pdu);
567         return True;
568 }
569
570 /*******************************************************************
571  Generate the next PDU to be returned from the data in p->rdata. 
572 ********************************************************************/
573
574 bool create_next_pdu(pipes_struct *p)
575 {
576         switch(p->auth.auth_level) {
577                 case PIPE_AUTH_LEVEL_NONE:
578                 case PIPE_AUTH_LEVEL_CONNECT:
579                         /* This is incorrect for auth level connect. Fixme. JRA */
580                         return create_next_pdu_noauth(p);
581                 
582                 default:
583                         switch(p->auth.auth_type) {
584                                 case PIPE_AUTH_TYPE_NTLMSSP:
585                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
586                                         return create_next_pdu_ntlmssp(p);
587                                 case PIPE_AUTH_TYPE_SCHANNEL:
588                                         return create_next_pdu_schannel(p);
589                                 default:
590                                         break;
591                         }
592         }
593
594         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
595                         (unsigned int)p->auth.auth_level,
596                         (unsigned int)p->auth.auth_type));
597         return False;
598 }
599
600 /*******************************************************************
601  Process an NTLMSSP authentication response.
602  If this function succeeds, the user has been authenticated
603  and their domain, name and calling workstation stored in
604  the pipe struct.
605 *******************************************************************/
606
607 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
608 {
609         DATA_BLOB reply;
610         NTSTATUS status;
611         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
612
613         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
614
615         ZERO_STRUCT(reply);
616
617         memset(p->user_name, '\0', sizeof(p->user_name));
618         memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
619         memset(p->domain, '\0', sizeof(p->domain));
620         memset(p->wks, '\0', sizeof(p->wks));
621
622         /* Set up for non-authenticated user. */
623         TALLOC_FREE(p->pipe_user.nt_user_token);
624         p->pipe_user.ut.ngroups = 0;
625         SAFE_FREE( p->pipe_user.ut.groups);
626
627         /* this has to be done as root in order to verify the password */
628         become_root();
629         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
630         unbecome_root();
631
632         /* Don't generate a reply. */
633         data_blob_free(&reply);
634
635         if (!NT_STATUS_IS_OK(status)) {
636                 return False;
637         }
638
639         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
640            ensure the underlying NTLMSSP flags are also set. If not we should
641            refuse the bind. */
642
643         if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
644                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
645                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
646                                 "but client declined signing.\n",
647                                         p->name ));
648                         return False;
649                 }
650         }
651         if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
652                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
653                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
654                                 "but client declined sealing.\n",
655                                         p->name ));
656                         return False;
657                 }
658         }
659         
660         fstrcpy(p->user_name, a->ntlmssp_state->user);
661         fstrcpy(p->pipe_user_name, a->server_info->unix_name);
662         fstrcpy(p->domain, a->ntlmssp_state->domain);
663         fstrcpy(p->wks, a->ntlmssp_state->workstation);
664
665         DEBUG(5,("pipe_ntlmssp_verify_final: OK: user: %s domain: %s workstation: %s\n",
666                 p->user_name, p->domain, p->wks));
667
668         /*
669          * Store the UNIX credential data (uid/gid pair) in the pipe structure.
670          */
671
672         p->pipe_user.ut.uid = a->server_info->uid;
673         p->pipe_user.ut.gid = a->server_info->gid;
674         
675         /*
676          * We're an authenticated bind over smbd, so the session key needs to
677          * be set to "SystemLibraryDTC". Weird, but this is what Windows
678          * does. See the RPC-SAMBA3SESSIONKEY.
679          */
680
681         data_blob_free(&p->session_key);
682         p->session_key = generic_session_key();
683         if (!p->session_key.data) {
684                 return False;
685         }
686
687         p->pipe_user.ut.ngroups = a->server_info->n_groups;
688         if (p->pipe_user.ut.ngroups) {
689                 if (!(p->pipe_user.ut.groups = (gid_t *)memdup(a->server_info->groups,
690                                                 sizeof(gid_t) * p->pipe_user.ut.ngroups))) {
691                         DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
692                         return False;
693                 }
694         }
695
696         if (a->server_info->ptok) {
697                 p->pipe_user.nt_user_token =
698                         dup_nt_token(NULL, a->server_info->ptok);
699         } else {
700                 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
701                 p->pipe_user.nt_user_token = NULL;
702                 return False;
703         }
704
705         return True;
706 }
707
708 /*******************************************************************
709  The switch table for the pipe names and the functions to handle them.
710 *******************************************************************/
711
712 struct rpc_table {
713         struct {
714                 const char *clnt;
715                 const char *srv;
716         } pipe;
717         const struct api_struct *cmds;
718         int n_cmds;
719 };
720
721 static struct rpc_table *rpc_lookup;
722 static int rpc_lookup_size;
723
724 /*******************************************************************
725  This is the "stage3" NTLMSSP response after a bind request and reply.
726 *******************************************************************/
727
728 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
729 {
730         RPC_HDR_AUTH auth_info;
731         uint32 pad;
732         DATA_BLOB blob;
733
734         ZERO_STRUCT(blob);
735
736         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
737
738         if (p->hdr.auth_len == 0) {
739                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
740                 goto err;
741         }
742
743         /* 4 bytes padding. */
744         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
745                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
746                 goto err;
747         }
748
749         /*
750          * Decode the authentication verifier response.
751          */
752
753         if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
754                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
755                 goto err;
756         }
757
758         if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
759                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
760                         (unsigned int)auth_info.auth_type ));
761                 return False;
762         }
763
764         blob = data_blob(NULL,p->hdr.auth_len);
765
766         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
767                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
768                         (unsigned int)p->hdr.auth_len ));
769                 goto err;
770         }
771
772         /*
773          * The following call actually checks the challenge/response data.
774          * for correctness against the given DOMAIN\user name.
775          */
776         
777         if (!pipe_ntlmssp_verify_final(p, &blob)) {
778                 goto err;
779         }
780
781         data_blob_free(&blob);
782
783         p->pipe_bound = True;
784
785         return True;
786
787  err:
788
789         data_blob_free(&blob);
790         free_pipe_ntlmssp_auth_data(&p->auth);
791         p->auth.a_u.auth_ntlmssp_state = NULL;
792
793         return False;
794 }
795
796 /*******************************************************************
797  Marshall a bind_nak pdu.
798 *******************************************************************/
799
800 static bool setup_bind_nak(pipes_struct *p)
801 {
802         prs_struct outgoing_rpc;
803         RPC_HDR nak_hdr;
804         uint16 zero = 0;
805
806         /* Free any memory in the current return data buffer. */
807         prs_mem_free(&p->out_data.rdata);
808
809         /*
810          * Marshall directly into the outgoing PDU space. We
811          * must do this as we need to set to the bind response
812          * header and are never sending more than one PDU here.
813          */
814
815         prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
816         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
817
818         /*
819          * Initialize a bind_nak header.
820          */
821
822         init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
823                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
824
825         /*
826          * Marshall the header into the outgoing PDU.
827          */
828
829         if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
830                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
831                 prs_mem_free(&outgoing_rpc);
832                 return False;
833         }
834
835         /*
836          * Now add the reject reason.
837          */
838
839         if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
840                 prs_mem_free(&outgoing_rpc);
841                 return False;
842         }
843
844         p->out_data.data_sent_length = 0;
845         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
846         p->out_data.current_pdu_sent = 0;
847
848         if (p->auth.auth_data_free_func) {
849                 (*p->auth.auth_data_free_func)(&p->auth);
850         }
851         p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
852         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
853         p->pipe_bound = False;
854
855         return True;
856 }
857
858 /*******************************************************************
859  Marshall a fault pdu.
860 *******************************************************************/
861
862 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
863 {
864         prs_struct outgoing_pdu;
865         RPC_HDR fault_hdr;
866         RPC_HDR_RESP hdr_resp;
867         RPC_HDR_FAULT fault_resp;
868
869         /* Free any memory in the current return data buffer. */
870         prs_mem_free(&p->out_data.rdata);
871
872         /*
873          * Marshall directly into the outgoing PDU space. We
874          * must do this as we need to set to the bind response
875          * header and are never sending more than one PDU here.
876          */
877
878         prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
879         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
880
881         /*
882          * Initialize a fault header.
883          */
884
885         init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
886             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
887
888         /*
889          * Initialize the HDR_RESP and FAULT parts of the PDU.
890          */
891
892         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
893
894         fault_resp.status = status;
895         fault_resp.reserved = 0;
896
897         /*
898          * Marshall the header into the outgoing PDU.
899          */
900
901         if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
902                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
903                 prs_mem_free(&outgoing_pdu);
904                 return False;
905         }
906
907         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
908                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
909                 prs_mem_free(&outgoing_pdu);
910                 return False;
911         }
912
913         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
914                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
915                 prs_mem_free(&outgoing_pdu);
916                 return False;
917         }
918
919         p->out_data.data_sent_length = 0;
920         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
921         p->out_data.current_pdu_sent = 0;
922
923         prs_mem_free(&outgoing_pdu);
924         return True;
925 }
926
927 #if 0
928 /*******************************************************************
929  Marshall a cancel_ack pdu.
930  We should probably check the auth-verifier here.
931 *******************************************************************/
932
933 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
934 {
935         prs_struct outgoing_pdu;
936         RPC_HDR ack_reply_hdr;
937
938         /* Free any memory in the current return data buffer. */
939         prs_mem_free(&p->out_data.rdata);
940
941         /*
942          * Marshall directly into the outgoing PDU space. We
943          * must do this as we need to set to the bind response
944          * header and are never sending more than one PDU here.
945          */
946
947         prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
948         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
949
950         /*
951          * Initialize a cancel_ack header.
952          */
953
954         init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
955                         p->hdr.call_id, RPC_HEADER_LEN, 0);
956
957         /*
958          * Marshall the header into the outgoing PDU.
959          */
960
961         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
962                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
963                 prs_mem_free(&outgoing_pdu);
964                 return False;
965         }
966
967         p->out_data.data_sent_length = 0;
968         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
969         p->out_data.current_pdu_sent = 0;
970
971         prs_mem_free(&outgoing_pdu);
972         return True;
973 }
974 #endif
975
976 /*******************************************************************
977  Ensure a bind request has the correct abstract & transfer interface.
978  Used to reject unknown binds from Win2k.
979 *******************************************************************/
980
981 bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
982                     RPC_IFACE* transfer, uint32 context_id)
983 {
984         char *pipe_name = p->name;
985         int i=0;
986         fstring pname;
987         
988         fstrcpy(pname,"\\PIPE\\");
989         fstrcat(pname,pipe_name);
990
991         DEBUG(3,("check_bind_req for %s\n", pname));
992
993         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
994                 
995         for ( i=0; pipe_names[i].client_pipe; i++ ) {
996                 DEBUGADD(10,("checking %s\n", pipe_names[i].client_pipe));
997                 if ( strequal(pipe_names[i].client_pipe, pname)
998                         && (abstract->version == pipe_names[i].abstr_syntax.version) 
999                         && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(struct GUID)) == 0)
1000                         && (transfer->version == pipe_names[i].trans_syntax.version)
1001                         && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(struct GUID)) == 0) ) {
1002                         struct api_struct       *fns = NULL;
1003                         int                     n_fns = 0;
1004                         PIPE_RPC_FNS            *context_fns;
1005                         
1006                         if ( !(context_fns = SMB_MALLOC_P(PIPE_RPC_FNS)) ) {
1007                                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1008                                 return False;
1009                         }
1010                         
1011                         /* save the RPC function table associated with this bind */
1012                         
1013                         get_pipe_fns(i, &fns, &n_fns);
1014                         
1015                         context_fns->cmds = fns;
1016                         context_fns->n_cmds = n_fns;
1017                         context_fns->context_id = context_id;
1018                         
1019                         /* add to the list of open contexts */
1020                         
1021                         DLIST_ADD( p->contexts, context_fns );
1022                         
1023                         break;
1024                 }
1025         }
1026
1027         if(pipe_names[i].client_pipe == NULL) {
1028                 return False;
1029         }
1030
1031         return True;
1032 }
1033
1034 /*******************************************************************
1035  Register commands to an RPC pipe
1036 *******************************************************************/
1037
1038 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
1039 {
1040         struct rpc_table *rpc_entry;
1041
1042         if (!clnt || !srv || !cmds) {
1043                 return NT_STATUS_INVALID_PARAMETER;
1044         }
1045
1046         if (version != SMB_RPC_INTERFACE_VERSION) {
1047                 DEBUG(0,("Can't register rpc commands!\n"
1048                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1049                          ", while this version of samba uses version %d!\n", 
1050                          version,SMB_RPC_INTERFACE_VERSION));
1051                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1052         }
1053
1054         /* TODO: 
1055          *
1056          * we still need to make sure that don't register the same commands twice!!!
1057          * 
1058          * --metze
1059          */
1060
1061         /* We use a temporary variable because this call can fail and 
1062            rpc_lookup will still be valid afterwards.  It could then succeed if
1063            called again later */
1064         rpc_lookup_size++;
1065         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1066         if (NULL == rpc_entry) {
1067                 rpc_lookup_size--;
1068                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1069                 return NT_STATUS_NO_MEMORY;
1070         } else {
1071                 rpc_lookup = rpc_entry;
1072         }
1073         
1074         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1075         ZERO_STRUCTP(rpc_entry);
1076         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1077         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1078         rpc_entry->cmds = cmds;
1079         rpc_entry->n_cmds = size;
1080         
1081         return NT_STATUS_OK;
1082 }
1083
1084 /*******************************************************************
1085  Handle a SPNEGO krb5 bind auth.
1086 *******************************************************************/
1087
1088 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1089                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1090 {
1091         return False;
1092 }
1093
1094 /*******************************************************************
1095  Handle the first part of a SPNEGO bind auth.
1096 *******************************************************************/
1097
1098 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1099                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1100 {
1101         DATA_BLOB blob;
1102         DATA_BLOB secblob;
1103         DATA_BLOB response;
1104         DATA_BLOB chal;
1105         char *OIDs[ASN1_MAX_OIDS];
1106         int i;
1107         NTSTATUS status;
1108         bool got_kerberos_mechanism = false;
1109         AUTH_NTLMSSP_STATE *a = NULL;
1110         RPC_HDR_AUTH auth_info;
1111
1112         ZERO_STRUCT(secblob);
1113         ZERO_STRUCT(chal);
1114         ZERO_STRUCT(response);
1115
1116         /* Grab the SPNEGO blob. */
1117         blob = data_blob(NULL,p->hdr.auth_len);
1118
1119         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1120                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1121                         (unsigned int)p->hdr.auth_len ));
1122                 goto err;
1123         }
1124
1125         if (blob.data[0] != ASN1_APPLICATION(0)) {
1126                 goto err;
1127         }
1128
1129         /* parse out the OIDs and the first sec blob */
1130         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1131                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1132                 goto err;
1133         }
1134
1135         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1136                 got_kerberos_mechanism = true;
1137         }
1138
1139         for (i=0;OIDs[i];i++) {
1140                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1141                 SAFE_FREE(OIDs[i]);
1142         }
1143         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1144
1145         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1146                 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1147                 data_blob_free(&secblob);
1148                 data_blob_free(&blob);
1149                 return ret;
1150         }
1151
1152         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1153                 /* Free any previous auth type. */
1154                 free_pipe_ntlmssp_auth_data(&p->auth);
1155         }
1156
1157         if (!got_kerberos_mechanism) {
1158                 /* Initialize the NTLM engine. */
1159                 status = auth_ntlmssp_start(&a);
1160                 if (!NT_STATUS_IS_OK(status)) {
1161                         goto err;
1162                 }
1163
1164                 /*
1165                  * Pass the first security blob of data to it.
1166                  * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1167                  * which means we need another packet to complete the bind.
1168                  */
1169
1170                 status = auth_ntlmssp_update(a, secblob, &chal);
1171
1172                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1173                         DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1174                         goto err;
1175                 }
1176
1177                 /* Generate the response blob we need for step 2 of the bind. */
1178                 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1179         } else {
1180                 /*
1181                  * SPNEGO negotiate down to NTLMSSP. The subsequent
1182                  * code to process follow-up packets is not complete
1183                  * yet. JRA.
1184                  */
1185                 response = spnego_gen_auth_response(NULL,
1186                                         NT_STATUS_MORE_PROCESSING_REQUIRED,
1187                                         OID_NTLMSSP);
1188         }
1189
1190         /* Copy the blob into the pout_auth parse struct */
1191         init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1192         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1193                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1194                 goto err;
1195         }
1196
1197         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1198                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1199                 goto err;
1200         }
1201
1202         p->auth.a_u.auth_ntlmssp_state = a;
1203         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1204         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1205
1206         data_blob_free(&blob);
1207         data_blob_free(&secblob);
1208         data_blob_free(&chal);
1209         data_blob_free(&response);
1210
1211         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1212         return True;
1213
1214  err:
1215
1216         data_blob_free(&blob);
1217         data_blob_free(&secblob);
1218         data_blob_free(&chal);
1219         data_blob_free(&response);
1220
1221         p->auth.a_u.auth_ntlmssp_state = NULL;
1222
1223         return False;
1224 }
1225
1226 /*******************************************************************
1227  Handle the second part of a SPNEGO bind auth.
1228 *******************************************************************/
1229
1230 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1231                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1232 {
1233         RPC_HDR_AUTH auth_info;
1234         DATA_BLOB spnego_blob;
1235         DATA_BLOB auth_blob;
1236         DATA_BLOB auth_reply;
1237         DATA_BLOB response;
1238         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1239
1240         ZERO_STRUCT(spnego_blob);
1241         ZERO_STRUCT(auth_blob);
1242         ZERO_STRUCT(auth_reply);
1243         ZERO_STRUCT(response);
1244
1245         /*
1246          * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1247          * fail here as 'a' == NULL.
1248          */
1249         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1250                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1251                 goto err;
1252         }
1253
1254         /* Grab the SPNEGO blob. */
1255         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1256
1257         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1258                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1259                         (unsigned int)p->hdr.auth_len ));
1260                 goto err;
1261         }
1262
1263         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1264                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1265                 goto err;
1266         }
1267
1268         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1269                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1270                 goto err;
1271         }
1272
1273         /*
1274          * The following call actually checks the challenge/response data.
1275          * for correctness against the given DOMAIN\user name.
1276          */
1277
1278         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1279                 goto err;
1280         }
1281
1282         data_blob_free(&spnego_blob);
1283         data_blob_free(&auth_blob);
1284
1285         /* Generate the spnego "accept completed" blob - no incoming data. */
1286         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1287
1288         /* Copy the blob into the pout_auth parse struct */
1289         init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1290         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1291                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1292                 goto err;
1293         }
1294
1295         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1296                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1297                 goto err;
1298         }
1299
1300         data_blob_free(&auth_reply);
1301         data_blob_free(&response);
1302
1303         p->pipe_bound = True;
1304
1305         return True;
1306
1307  err:
1308
1309         data_blob_free(&spnego_blob);
1310         data_blob_free(&auth_blob);
1311         data_blob_free(&auth_reply);
1312         data_blob_free(&response);
1313
1314         free_pipe_ntlmssp_auth_data(&p->auth);
1315         p->auth.a_u.auth_ntlmssp_state = NULL;
1316
1317         return False;
1318 }
1319
1320 /*******************************************************************
1321  Handle an schannel bind auth.
1322 *******************************************************************/
1323
1324 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1325                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1326 {
1327         RPC_HDR_AUTH auth_info;
1328         RPC_AUTH_SCHANNEL_NEG neg;
1329         RPC_AUTH_VERIFIER auth_verifier;
1330         bool ret;
1331         struct dcinfo *pdcinfo;
1332         uint32 flags;
1333
1334         if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1335                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1336                 return False;
1337         }
1338
1339         /*
1340          * The neg.myname key here must match the remote computer name
1341          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1342          * operations that use credentials.
1343          */
1344
1345         become_root();
1346         ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1347         unbecome_root();
1348
1349         if (!ret) {
1350                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1351                 return False;
1352         }
1353
1354         p->auth.a_u.schannel_auth = TALLOC_P(p->pipe_state_mem_ctx, struct schannel_auth_struct);
1355         if (!p->auth.a_u.schannel_auth) {
1356                 TALLOC_FREE(pdcinfo);
1357                 return False;
1358         }
1359
1360         memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1361         memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1362                         sizeof(pdcinfo->sess_key));
1363
1364         TALLOC_FREE(pdcinfo);
1365
1366         p->auth.a_u.schannel_auth->seq_num = 0;
1367
1368         /*
1369          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1370          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1371          * struct of the person who opened the pipe. I need to test this further. JRA.
1372          *
1373          * VL. As we are mapping this to guest set the generic key
1374          * "SystemLibraryDTC" key here. It's a bit difficult to test against
1375          * W2k3, as it does not allow schannel binds against SAMR and LSA
1376          * anymore.
1377          */
1378
1379         data_blob_free(&p->session_key);
1380         p->session_key = generic_session_key();
1381         if (p->session_key.data == NULL) {
1382                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1383                           " key\n"));
1384                 return False;
1385         }
1386
1387         init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1388         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1389                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1390                 return False;
1391         }
1392
1393         /*** SCHANNEL verifier ***/
1394
1395         init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1396         if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1397                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1398                 return False;
1399         }
1400
1401         prs_align(pout_auth);
1402
1403         flags = 5;
1404         if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1405                 return False;
1406         }
1407
1408         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1409                 neg.domain, neg.myname));
1410
1411         /* We're finished with this bind - no more packets. */
1412         p->auth.auth_data_free_func = NULL;
1413         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1414
1415         p->pipe_bound = True;
1416
1417         return True;
1418 }
1419
1420 /*******************************************************************
1421  Handle an NTLMSSP bind auth.
1422 *******************************************************************/
1423
1424 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1425                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1426 {
1427         RPC_HDR_AUTH auth_info;
1428         DATA_BLOB blob;
1429         DATA_BLOB response;
1430         NTSTATUS status;
1431         AUTH_NTLMSSP_STATE *a = NULL;
1432
1433         ZERO_STRUCT(blob);
1434         ZERO_STRUCT(response);
1435
1436         /* Grab the NTLMSSP blob. */
1437         blob = data_blob(NULL,p->hdr.auth_len);
1438
1439         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1440                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1441                         (unsigned int)p->hdr.auth_len ));
1442                 goto err;
1443         }
1444
1445         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1446                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1447                 goto err;
1448         }
1449
1450         /* We have an NTLMSSP blob. */
1451         status = auth_ntlmssp_start(&a);
1452         if (!NT_STATUS_IS_OK(status)) {
1453                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1454                         nt_errstr(status) ));
1455                 goto err;
1456         }
1457
1458         status = auth_ntlmssp_update(a, blob, &response);
1459         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1460                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1461                         nt_errstr(status) ));
1462                 goto err;
1463         }
1464
1465         data_blob_free(&blob);
1466
1467         /* Copy the blob into the pout_auth parse struct */
1468         init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1469         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1470                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1471                 goto err;
1472         }
1473
1474         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1475                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1476                 goto err;
1477         }
1478
1479         p->auth.a_u.auth_ntlmssp_state = a;
1480         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1481         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1482
1483         data_blob_free(&blob);
1484         data_blob_free(&response);
1485
1486         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1487
1488         /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1489         return True;
1490
1491   err:
1492
1493         data_blob_free(&blob);
1494         data_blob_free(&response);
1495
1496         free_pipe_ntlmssp_auth_data(&p->auth);
1497         p->auth.a_u.auth_ntlmssp_state = NULL;
1498         return False;
1499 }
1500
1501 /*******************************************************************
1502  Respond to a pipe bind request.
1503 *******************************************************************/
1504
1505 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1506 {
1507         RPC_HDR_BA hdr_ba;
1508         RPC_HDR_RB hdr_rb;
1509         RPC_HDR_AUTH auth_info;
1510         uint16 assoc_gid;
1511         fstring ack_pipe_name;
1512         prs_struct out_hdr_ba;
1513         prs_struct out_auth;
1514         prs_struct outgoing_rpc;
1515         int i = 0;
1516         int auth_len = 0;
1517         unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1518
1519         /* No rebinds on a bound pipe - use alter context. */
1520         if (p->pipe_bound) {
1521                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1522                 return setup_bind_nak(p);
1523         }
1524
1525         prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1526
1527         /* 
1528          * Marshall directly into the outgoing PDU space. We
1529          * must do this as we need to set to the bind response
1530          * header and are never sending more than one PDU here.
1531          */
1532
1533         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1534
1535         /*
1536          * Setup the memory to marshall the ba header, and the
1537          * auth footers.
1538          */
1539
1540         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1541                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1542                 prs_mem_free(&outgoing_rpc);
1543                 return False;
1544         }
1545
1546         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1547                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1548                 prs_mem_free(&outgoing_rpc);
1549                 prs_mem_free(&out_hdr_ba);
1550                 return False;
1551         }
1552
1553         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1554
1555         /*
1556          * Try and find the correct pipe name to ensure
1557          * that this is a pipe name we support.
1558          */
1559
1560
1561         for (i = 0; i < rpc_lookup_size; i++) {
1562                 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1563                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1564                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1565                         fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1566                         break;
1567                 }
1568         }
1569
1570         if (i == rpc_lookup_size) {
1571                 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1572                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1573                                 p->name ));
1574                         prs_mem_free(&outgoing_rpc);
1575                         prs_mem_free(&out_hdr_ba);
1576                         prs_mem_free(&out_auth);
1577
1578                         return setup_bind_nak(p);
1579                 }
1580
1581                 for (i = 0; i < rpc_lookup_size; i++) {
1582                        if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1583                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1584                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1585                                fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1586                                break;
1587                        }
1588                 }
1589
1590                 if (i == rpc_lookup_size) {
1591                         DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1592                         goto err_exit;
1593                 }
1594         }
1595
1596         /* decode the bind request */
1597         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1598                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
1599                 goto err_exit;
1600         }
1601
1602         /* name has to be \PIPE\xxxxx */
1603         fstrcpy(ack_pipe_name, "\\PIPE\\");
1604         fstrcat(ack_pipe_name, p->pipe_srv_name);
1605
1606         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1607
1608         /*
1609          * Check if this is an authenticated bind request.
1610          */
1611
1612         if (p->hdr.auth_len) {
1613                 /* 
1614                  * Decode the authentication verifier.
1615                  */
1616
1617                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1618                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1619                         goto err_exit;
1620                 }
1621
1622                 auth_type = auth_info.auth_type;
1623
1624                 /* Work out if we have to sign or seal etc. */
1625                 switch (auth_info.auth_level) {
1626                         case RPC_AUTH_LEVEL_INTEGRITY:
1627                                 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1628                                 break;
1629                         case RPC_AUTH_LEVEL_PRIVACY:
1630                                 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1631                                 break;
1632                         default:
1633                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1634                                         (unsigned int)auth_info.auth_level ));
1635                                 goto err_exit;
1636                 }
1637         } else {
1638                 ZERO_STRUCT(auth_info);
1639         }
1640
1641         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1642
1643         switch(auth_type) {
1644                 case RPC_NTLMSSP_AUTH_TYPE:
1645                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1646                                 goto err_exit;
1647                         }
1648                         assoc_gid = 0x7a77;
1649                         break;
1650
1651                 case RPC_SCHANNEL_AUTH_TYPE:
1652                         if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1653                                 goto err_exit;
1654                         }
1655                         break;
1656
1657                 case RPC_SPNEGO_AUTH_TYPE:
1658                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1659                                 goto err_exit;
1660                         }
1661                         break;
1662
1663                 case RPC_ANONYMOUS_AUTH_TYPE:
1664                         /* Unauthenticated bind request. */
1665                         /* Get the authenticated pipe user from current_user */
1666                         if (!copy_current_user(&p->pipe_user, &current_user)) {
1667                                 DEBUG(10, ("Could not copy current user\n"));
1668                                 goto err_exit;
1669                         }
1670                         /* We're finished - no more packets. */
1671                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1672                         /* We must set the pipe auth_level here also. */
1673                         p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1674                         p->pipe_bound = True;
1675                         /* The session key was initialized from the SMB
1676                          * session in make_internal_rpc_pipe_p */
1677                         break;
1678
1679                 default:
1680                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1681                         goto err_exit;
1682         }
1683
1684         /*
1685          * Create the bind response struct.
1686          */
1687
1688         /* If the requested abstract synt uuid doesn't match our client pipe,
1689                 reject the bind_ack & set the transfer interface synt to all 0's,
1690                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1691                 unknown to NT4)
1692                 Needed when adding entries to a DACL from NT5 - SK */
1693
1694         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1695                                 hdr_rb.rpc_context[0].context_id )) {
1696                 init_rpc_hdr_ba(&hdr_ba,
1697                         RPC_MAX_PDU_FRAG_LEN,
1698                         RPC_MAX_PDU_FRAG_LEN,
1699                         assoc_gid,
1700                         ack_pipe_name,
1701                         0x1, 0x0, 0x0,
1702                         &hdr_rb.rpc_context[0].transfer[0]);
1703         } else {
1704                 RPC_IFACE null_interface;
1705                 ZERO_STRUCT(null_interface);
1706                 /* Rejection reason: abstract syntax not supported */
1707                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1708                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1709                                         ack_pipe_name, 0x1, 0x2, 0x1,
1710                                         &null_interface);
1711                 p->pipe_bound = False;
1712         }
1713
1714         /*
1715          * and marshall it.
1716          */
1717
1718         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1719                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1720                 goto err_exit;
1721         }
1722
1723         /*
1724          * Create the header, now we know the length.
1725          */
1726
1727         if (prs_offset(&out_auth)) {
1728                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1729         }
1730
1731         init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1732                         p->hdr.call_id,
1733                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1734                         auth_len);
1735
1736         /*
1737          * Marshall the header into the outgoing PDU.
1738          */
1739
1740         if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1741                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1742                 goto err_exit;
1743         }
1744
1745         /*
1746          * Now add the RPC_HDR_BA and any auth needed.
1747          */
1748
1749         if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1750                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1751                 goto err_exit;
1752         }
1753
1754         if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1755                 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1756                 goto err_exit;
1757         }
1758
1759         /*
1760          * Setup the lengths for the initial reply.
1761          */
1762
1763         p->out_data.data_sent_length = 0;
1764         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1765         p->out_data.current_pdu_sent = 0;
1766
1767         prs_mem_free(&out_hdr_ba);
1768         prs_mem_free(&out_auth);
1769
1770         return True;
1771
1772   err_exit:
1773
1774         prs_mem_free(&outgoing_rpc);
1775         prs_mem_free(&out_hdr_ba);
1776         prs_mem_free(&out_auth);
1777         return setup_bind_nak(p);
1778 }
1779
1780 /****************************************************************************
1781  Deal with an alter context call. Can be third part of 3 leg auth request for
1782  SPNEGO calls.
1783 ****************************************************************************/
1784
1785 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1786 {
1787         RPC_HDR_BA hdr_ba;
1788         RPC_HDR_RB hdr_rb;
1789         RPC_HDR_AUTH auth_info;
1790         uint16 assoc_gid;
1791         fstring ack_pipe_name;
1792         prs_struct out_hdr_ba;
1793         prs_struct out_auth;
1794         prs_struct outgoing_rpc;
1795         int auth_len = 0;
1796
1797         prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1798
1799         /* 
1800          * Marshall directly into the outgoing PDU space. We
1801          * must do this as we need to set to the bind response
1802          * header and are never sending more than one PDU here.
1803          */
1804
1805         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1806
1807         /*
1808          * Setup the memory to marshall the ba header, and the
1809          * auth footers.
1810          */
1811
1812         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1813                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1814                 prs_mem_free(&outgoing_rpc);
1815                 return False;
1816         }
1817
1818         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1819                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1820                 prs_mem_free(&outgoing_rpc);
1821                 prs_mem_free(&out_hdr_ba);
1822                 return False;
1823         }
1824
1825         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1826
1827         /* decode the alter context request */
1828         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1829                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1830                 goto err_exit;
1831         }
1832
1833         /* secondary address CAN be NULL
1834          * as the specs say it's ignored.
1835          * It MUST be NULL to have the spoolss working.
1836          */
1837         fstrcpy(ack_pipe_name,"");
1838
1839         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1840
1841         /*
1842          * Check if this is an authenticated alter context request.
1843          */
1844
1845         if (p->hdr.auth_len != 0) {
1846                 /* 
1847                  * Decode the authentication verifier.
1848                  */
1849
1850                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1851                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1852                         goto err_exit;
1853                 }
1854
1855                 /*
1856                  * Currently only the SPNEGO auth type uses the alter ctx
1857                  * response in place of the NTLMSSP auth3 type.
1858                  */
1859
1860                 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1861                         /* We can only finish if the pipe is unbound. */
1862                         if (!p->pipe_bound) {
1863                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1864                                         goto err_exit;
1865                                 }
1866                         } else {
1867                                 goto err_exit;
1868                         }
1869                 }
1870         } else {
1871                 ZERO_STRUCT(auth_info);
1872         }
1873
1874         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1875
1876         /*
1877          * Create the bind response struct.
1878          */
1879
1880         /* If the requested abstract synt uuid doesn't match our client pipe,
1881                 reject the bind_ack & set the transfer interface synt to all 0's,
1882                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1883                 unknown to NT4)
1884                 Needed when adding entries to a DACL from NT5 - SK */
1885
1886         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1887                                 hdr_rb.rpc_context[0].context_id )) {
1888                 init_rpc_hdr_ba(&hdr_ba,
1889                         RPC_MAX_PDU_FRAG_LEN,
1890                         RPC_MAX_PDU_FRAG_LEN,
1891                         assoc_gid,
1892                         ack_pipe_name,
1893                         0x1, 0x0, 0x0,
1894                         &hdr_rb.rpc_context[0].transfer[0]);
1895         } else {
1896                 RPC_IFACE null_interface;
1897                 ZERO_STRUCT(null_interface);
1898                 /* Rejection reason: abstract syntax not supported */
1899                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1900                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1901                                         ack_pipe_name, 0x1, 0x2, 0x1,
1902                                         &null_interface);
1903                 p->pipe_bound = False;
1904         }
1905
1906         /*
1907          * and marshall it.
1908          */
1909
1910         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1911                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1912                 goto err_exit;
1913         }
1914
1915         /*
1916          * Create the header, now we know the length.
1917          */
1918
1919         if (prs_offset(&out_auth)) {
1920                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1921         }
1922
1923         init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1924                         p->hdr.call_id,
1925                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1926                         auth_len);
1927
1928         /*
1929          * Marshall the header into the outgoing PDU.
1930          */
1931
1932         if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1933                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1934                 goto err_exit;
1935         }
1936
1937         /*
1938          * Now add the RPC_HDR_BA and any auth needed.
1939          */
1940
1941         if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1942                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1943                 goto err_exit;
1944         }
1945
1946         if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1947                 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1948                 goto err_exit;
1949         }
1950
1951         /*
1952          * Setup the lengths for the initial reply.
1953          */
1954
1955         p->out_data.data_sent_length = 0;
1956         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1957         p->out_data.current_pdu_sent = 0;
1958
1959         prs_mem_free(&out_hdr_ba);
1960         prs_mem_free(&out_auth);
1961
1962         return True;
1963
1964   err_exit:
1965
1966         prs_mem_free(&outgoing_rpc);
1967         prs_mem_free(&out_hdr_ba);
1968         prs_mem_free(&out_auth);
1969         return setup_bind_nak(p);
1970 }
1971
1972 /****************************************************************************
1973  Deal with NTLMSSP sign & seal processing on an RPC request.
1974 ****************************************************************************/
1975
1976 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1977                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1978 {
1979         RPC_HDR_AUTH auth_info;
1980         uint32 auth_len = p->hdr.auth_len;
1981         uint32 save_offset = prs_offset(rpc_in);
1982         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1983         unsigned char *data = NULL;
1984         size_t data_len;
1985         unsigned char *full_packet_data = NULL;
1986         size_t full_packet_data_len;
1987         DATA_BLOB auth_blob;
1988         
1989         *pstatus = NT_STATUS_OK;
1990
1991         if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
1992                 return True;
1993         }
1994
1995         if (!a) {
1996                 *pstatus = NT_STATUS_INVALID_PARAMETER;
1997                 return False;
1998         }
1999
2000         /* Ensure there's enough data for an authenticated request. */
2001         if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2002                         (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2003                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2004                         (unsigned int)auth_len ));
2005                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2006                 return False;
2007         }
2008
2009         /*
2010          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2011          * after the RPC header. 
2012          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2013          * functions as NTLMv2 checks the rpc headers also.
2014          */
2015
2016         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2017         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2018
2019         full_packet_data = p->in_data.current_in_pdu;
2020         full_packet_data_len = p->hdr.frag_len - auth_len;
2021
2022         /* Pull the auth header and the following data into a blob. */
2023         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2024                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2025                         (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2026                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2027                 return False;
2028         }
2029
2030         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2031                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2032                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2033                 return False;
2034         }
2035
2036         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2037         auth_blob.length = auth_len;
2038         
2039         switch (p->auth.auth_level) {
2040                 case PIPE_AUTH_LEVEL_PRIVACY:
2041                         /* Data is encrypted. */
2042                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2043                                                         data, data_len,
2044                                                         full_packet_data,
2045                                                         full_packet_data_len,
2046                                                         &auth_blob);
2047                         if (!NT_STATUS_IS_OK(*pstatus)) {
2048                                 return False;
2049                         }
2050                         break;
2051                 case PIPE_AUTH_LEVEL_INTEGRITY:
2052                         /* Data is signed. */
2053                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2054                                                         data, data_len,
2055                                                         full_packet_data,
2056                                                         full_packet_data_len,
2057                                                         &auth_blob);
2058                         if (!NT_STATUS_IS_OK(*pstatus)) {
2059                                 return False;
2060                         }
2061                         break;
2062                 default:
2063                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2064                         return False;
2065         }
2066
2067         /*
2068          * Return the current pointer to the data offset.
2069          */
2070
2071         if(!prs_set_offset(rpc_in, save_offset)) {
2072                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2073                         (unsigned int)save_offset ));
2074                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2075                 return False;
2076         }
2077
2078         /*
2079          * Remember the padding length. We must remove it from the real data
2080          * stream once the sign/seal is done.
2081          */
2082
2083         *p_ss_padding_len = auth_info.auth_pad_len;
2084
2085         return True;
2086 }
2087
2088 /****************************************************************************
2089  Deal with schannel processing on an RPC request.
2090 ****************************************************************************/
2091
2092 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2093 {
2094         uint32 data_len;
2095         uint32 auth_len;
2096         uint32 save_offset = prs_offset(rpc_in);
2097         RPC_HDR_AUTH auth_info;
2098         RPC_AUTH_SCHANNEL_CHK schannel_chk;
2099
2100         auth_len = p->hdr.auth_len;
2101
2102         if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2103                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2104                 return False;
2105         }
2106
2107         /*
2108          * The following is that length of the data we must verify or unseal.
2109          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2110          * preceeding the auth_data.
2111          */
2112
2113         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2114                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2115                         (unsigned int)p->hdr.frag_len,
2116                         (unsigned int)auth_len ));
2117                 return False;
2118         }
2119
2120         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2121                 RPC_HDR_AUTH_LEN - auth_len;
2122         
2123         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2124
2125         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2126                 DEBUG(0,("cannot move offset to %u.\n",
2127                          (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2128                 return False;
2129         }
2130
2131         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2132                 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2133                 return False;
2134         }
2135
2136         if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2137                 DEBUG(0,("Invalid auth info %d on schannel\n",
2138                          auth_info.auth_type));
2139                 return False;
2140         }
2141
2142         if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2143                 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2144                 return False;
2145         }
2146
2147         if (!schannel_decode(p->auth.a_u.schannel_auth,
2148                            p->auth.auth_level,
2149                            SENDER_IS_INITIATOR,
2150                            &schannel_chk,
2151                            prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2152                 DEBUG(3,("failed to decode PDU\n"));
2153                 return False;
2154         }
2155
2156         /*
2157          * Return the current pointer to the data offset.
2158          */
2159
2160         if(!prs_set_offset(rpc_in, save_offset)) {
2161                 DEBUG(0,("failed to set offset back to %u\n",
2162                          (unsigned int)save_offset ));
2163                 return False;
2164         }
2165
2166         /* The sequence number gets incremented on both send and receive. */
2167         p->auth.a_u.schannel_auth->seq_num++;
2168
2169         /*
2170          * Remember the padding length. We must remove it from the real data
2171          * stream once the sign/seal is done.
2172          */
2173
2174         *p_ss_padding_len = auth_info.auth_pad_len;
2175
2176         return True;
2177 }
2178
2179 /****************************************************************************
2180  Return a user struct for a pipe user.
2181 ****************************************************************************/
2182
2183 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
2184 {
2185         if (p->pipe_bound &&
2186                         (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP ||
2187                         (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2188                 memcpy(user, &p->pipe_user, sizeof(struct current_user));
2189         } else {
2190                 memcpy(user, &current_user, sizeof(struct current_user));
2191         }
2192
2193         return user;
2194 }
2195
2196 /****************************************************************************
2197  Find the set of RPC functions associated with this context_id
2198 ****************************************************************************/
2199
2200 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2201 {
2202         PIPE_RPC_FNS *fns = NULL;
2203         PIPE_RPC_FNS *tmp = NULL;
2204         
2205         if ( !list ) {
2206                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2207                 return NULL;
2208         }
2209         
2210         for (tmp=list; tmp; tmp=tmp->next ) {
2211                 if ( tmp->context_id == context_id )
2212                         break;
2213         }
2214         
2215         fns = tmp;
2216         
2217         return fns;
2218 }
2219
2220 /****************************************************************************
2221  Memory cleanup.
2222 ****************************************************************************/
2223
2224 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2225 {
2226         PIPE_RPC_FNS *tmp = list;
2227         PIPE_RPC_FNS *tmp2;
2228                 
2229         while (tmp) {
2230                 tmp2 = tmp->next;
2231                 SAFE_FREE(tmp);
2232                 tmp = tmp2;
2233         }
2234
2235         return; 
2236 }
2237
2238 /****************************************************************************
2239  Find the correct RPC function to call for this request.
2240  If the pipe is authenticated then become the correct UNIX user
2241  before doing the call.
2242 ****************************************************************************/
2243
2244 bool api_pipe_request(pipes_struct *p)
2245 {
2246         bool ret = False;
2247         bool changed_user = False;
2248         PIPE_RPC_FNS *pipe_fns;
2249         
2250         if (p->pipe_bound &&
2251                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2252                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2253                 if(!become_authenticated_pipe_user(p)) {
2254                         prs_mem_free(&p->out_data.rdata);
2255                         return False;
2256                 }
2257                 changed_user = True;
2258         }
2259
2260         DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2261         
2262         /* get the set of RPC functions for this context */
2263         
2264         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2265         
2266         if ( pipe_fns ) {
2267                 TALLOC_CTX *frame = talloc_stackframe();
2268                 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2269                 TALLOC_FREE(frame);
2270         }
2271         else {
2272                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2273                         p->hdr_req.context_id, p->name));
2274         }
2275
2276         if (changed_user) {
2277                 unbecome_authenticated_pipe_user();
2278         }
2279
2280         return ret;
2281 }
2282
2283 /*******************************************************************
2284  Calls the underlying RPC function for a named pipe.
2285  ********************************************************************/
2286
2287 bool api_rpcTNP(pipes_struct *p, const char *rpc_name, 
2288                 const struct api_struct *api_rpc_cmds, int n_cmds)
2289 {
2290         int fn_num;
2291         fstring name;
2292         uint32 offset1, offset2;
2293  
2294         /* interpret the command */
2295         DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2296
2297         slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2298         prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2299
2300         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2301                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2302                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2303                         break;
2304                 }
2305         }
2306
2307         if (fn_num == n_cmds) {
2308                 /*
2309                  * For an unknown RPC just return a fault PDU but
2310                  * return True to allow RPC's on the pipe to continue
2311                  * and not put the pipe into fault state. JRA.
2312                  */
2313                 DEBUG(4, ("unknown\n"));
2314                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2315                 return True;
2316         }
2317
2318         offset1 = prs_offset(&p->out_data.rdata);
2319
2320         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2321                 fn_num, api_rpc_cmds[fn_num].fn));
2322         /* do the actual command */
2323         if(!api_rpc_cmds[fn_num].fn(p)) {
2324                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2325                 prs_mem_free(&p->out_data.rdata);
2326                 return False;
2327         }
2328
2329         if (p->bad_handle_fault_state) {
2330                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2331                 p->bad_handle_fault_state = False;
2332                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2333                 return True;
2334         }
2335
2336         if (p->rng_fault_state) {
2337                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2338                 p->rng_fault_state = False;
2339                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2340                 return True;
2341         }
2342
2343         slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2344         offset2 = prs_offset(&p->out_data.rdata);
2345         prs_set_offset(&p->out_data.rdata, offset1);
2346         prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2347         prs_set_offset(&p->out_data.rdata, offset2);
2348
2349         DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2350
2351         /* Check for buffer underflow in rpc parsing */
2352
2353         if ((DEBUGLEVEL >= 10) && 
2354             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2355                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2356                 char *data = (char *)SMB_MALLOC(data_len);
2357
2358                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2359                 if (data) {
2360                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2361                         SAFE_FREE(data);
2362                 }
2363
2364         }
2365
2366         return True;
2367 }
2368
2369 /*******************************************************************
2370 *******************************************************************/
2371
2372 void get_pipe_fns( int idx, struct api_struct **fns, int *n_fns )
2373 {
2374         struct api_struct *cmds = NULL;
2375         int               n_cmds = 0;
2376
2377         switch ( idx ) {
2378                 case PI_LSARPC:
2379                         lsarpc_get_pipe_fns( &cmds, &n_cmds );
2380                         break;
2381                 case PI_DSSETUP:
2382                         dssetup_get_pipe_fns( &cmds, &n_cmds );
2383                         break;
2384                 case PI_SAMR:
2385                         samr_get_pipe_fns( &cmds, &n_cmds );
2386                         break;
2387                 case PI_NETLOGON:
2388                         netlogon_get_pipe_fns( &cmds, &n_cmds );
2389                         break;
2390                 case PI_SRVSVC:
2391                         srvsvc2_get_pipe_fns( &cmds, &n_cmds );
2392                         break;
2393                 case PI_WKSSVC:
2394                         wkssvc_get_pipe_fns( &cmds, &n_cmds );
2395                         break;
2396                 case PI_WINREG:
2397                         winreg_get_pipe_fns( &cmds, &n_cmds );
2398                         break;
2399                 case PI_SPOOLSS:
2400                         spoolss_get_pipe_fns( &cmds, &n_cmds );
2401                         break;
2402                 case PI_NETDFS:
2403                         netdfs_get_pipe_fns( &cmds, &n_cmds );
2404                         break;
2405                 case PI_SVCCTL:
2406                         svcctl2_get_pipe_fns( &cmds, &n_cmds );
2407                         break;
2408                 case PI_EVENTLOG:
2409                         eventlog2_get_pipe_fns( &cmds, &n_cmds );
2410                         break;
2411                 case PI_NTSVCS:
2412                         ntsvcs2_get_pipe_fns( &cmds, &n_cmds );
2413                         break;
2414 #ifdef DEVELOPER
2415                 case PI_RPCECHO:
2416                         rpcecho_get_pipe_fns( &cmds, &n_cmds );
2417                         break;
2418 #endif
2419                 default:
2420                         DEBUG(0,("get_pipe_fns: Unknown pipe index! [%d]\n", idx));
2421         }
2422
2423         *fns = cmds;
2424         *n_fns = n_cmds;
2425
2426         return;
2427 }