Revert "s3: Do not reference ndr_table when calling rpc_srv_register"
[ira/wip.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005.
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31 #include "../libcli/auth/libcli_auth.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/schannel_proto.h"
35 #include "../libcli/auth/spnego.h"
36
37 extern struct current_user current_user;
38
39 #undef DBGC_CLASS
40 #define DBGC_CLASS DBGC_RPC_SRV
41
42 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
43 {
44         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
45
46         if (a) {
47                 auth_ntlmssp_end(&a);
48         }
49         auth->a_u.auth_ntlmssp_state = NULL;
50 }
51
52 static DATA_BLOB generic_session_key(void)
53 {
54         return data_blob("SystemLibraryDTC", 16);
55 }
56
57 /*******************************************************************
58  Generate the next PDU to be returned from the data in p->rdata. 
59  Handle NTLMSSP.
60  ********************************************************************/
61
62 static bool create_next_pdu_ntlmssp(pipes_struct *p)
63 {
64         RPC_HDR_RESP hdr_resp;
65         uint32 ss_padding_len = 0;
66         uint32 data_space_available;
67         uint32 data_len_left;
68         uint32 data_len;
69         NTSTATUS status;
70         DATA_BLOB auth_blob;
71         RPC_HDR_AUTH auth_info;
72         uint8 auth_type, auth_level;
73         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
74
75         /*
76          * If we're in the fault state, keep returning fault PDU's until
77          * the pipe gets closed. JRA.
78          */
79
80         if(p->fault_state) {
81                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
82                 return True;
83         }
84
85         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
86
87         /* Change the incoming request header to a response. */
88         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
89
90         /* Set up rpc header flags. */
91         if (p->out_data.data_sent_length == 0) {
92                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
93         } else {
94                 p->hdr.flags = 0;
95         }
96
97         /*
98          * Work out how much we can fit in a single PDU.
99          */
100
101         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
102
103         /*
104          * Ensure there really is data left to send.
105          */
106
107         if(!data_len_left) {
108                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
109                 return False;
110         }
111
112         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
113                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
114
115         /*
116          * The amount we send is the minimum of the available
117          * space and the amount left to send.
118          */
119
120         data_len = MIN(data_len_left, data_space_available);
121
122         /*
123          * Set up the alloc hint. This should be the data left to
124          * send.
125          */
126
127         hdr_resp.alloc_hint = data_len_left;
128
129         /*
130          * Work out if this PDU will be the last.
131          */
132
133         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
134                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
135                 if (data_len_left % 8) {
136                         ss_padding_len = 8 - (data_len_left % 8);
137                         DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
138                                 ss_padding_len ));
139                 }
140         }
141
142         /*
143          * Set up the header lengths.
144          */
145
146         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
147                         data_len + ss_padding_len +
148                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
149         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
150
151
152         /*
153          * Init the parse struct to point at the outgoing
154          * data.
155          */
156
157         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
158
159         /* Store the header in the data stream. */
160         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
161                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
162                 prs_mem_free(&p->out_data.frag);
163                 return False;
164         }
165
166         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
167                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
168                 prs_mem_free(&p->out_data.frag);
169                 return False;
170         }
171
172         /* Copy the data into the PDU. */
173
174         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
175                                      p->out_data.data_sent_length, data_len)) {
176                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
177                 prs_mem_free(&p->out_data.frag);
178                 return False;
179         }
180
181         /* Copy the sign/seal padding data. */
182         if (ss_padding_len) {
183                 char pad[8];
184
185                 memset(pad, '\0', 8);
186                 if (!prs_copy_data_in(&p->out_data.frag, pad,
187                                       ss_padding_len)) {
188                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
189                                         (unsigned int)ss_padding_len));
190                         prs_mem_free(&p->out_data.frag);
191                         return False;
192                 }
193         }
194
195
196         /* Now write out the auth header and null blob. */
197         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
198                 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
199         } else {
200                 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
201         }
202         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
203                 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
204         } else {
205                 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
206         }
207
208         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
209         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag,
210                                 0)) {
211                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
212                 prs_mem_free(&p->out_data.frag);
213                 return False;
214         }
215
216         /* Generate the sign blob. */
217
218         switch (p->auth.auth_level) {
219                 case DCERPC_AUTH_LEVEL_PRIVACY:
220                         /* Data portion is encrypted. */
221                         status = ntlmssp_seal_packet(
222                                 a->ntlmssp_state,
223                                 (uint8_t *)prs_data_p(&p->out_data.frag)
224                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
225                                 data_len + ss_padding_len,
226                                 (unsigned char *)prs_data_p(&p->out_data.frag),
227                                 (size_t)prs_offset(&p->out_data.frag),
228                                 &auth_blob);
229                         if (!NT_STATUS_IS_OK(status)) {
230                                 data_blob_free(&auth_blob);
231                                 prs_mem_free(&p->out_data.frag);
232                                 return False;
233                         }
234                         break;
235                 case DCERPC_AUTH_LEVEL_INTEGRITY:
236                         /* Data is signed. */
237                         status = ntlmssp_sign_packet(
238                                 a->ntlmssp_state,
239                                 (unsigned char *)prs_data_p(&p->out_data.frag)
240                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
241                                 data_len + ss_padding_len,
242                                 (unsigned char *)prs_data_p(&p->out_data.frag),
243                                 (size_t)prs_offset(&p->out_data.frag),
244                                 &auth_blob);
245                         if (!NT_STATUS_IS_OK(status)) {
246                                 data_blob_free(&auth_blob);
247                                 prs_mem_free(&p->out_data.frag);
248                                 return False;
249                         }
250                         break;
251                 default:
252                         prs_mem_free(&p->out_data.frag);
253                         return False;
254         }
255
256         /* Append the auth blob. */
257         if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
258                               NTLMSSP_SIG_SIZE)) {
259                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
260                                 (unsigned int)NTLMSSP_SIG_SIZE));
261                 data_blob_free(&auth_blob);
262                 prs_mem_free(&p->out_data.frag);
263                 return False;
264         }
265
266         data_blob_free(&auth_blob);
267
268         /*
269          * Setup the counts for this PDU.
270          */
271
272         p->out_data.data_sent_length += data_len;
273         p->out_data.current_pdu_sent = 0;
274
275         return True;
276 }
277
278 /*******************************************************************
279  Generate the next PDU to be returned from the data in p->rdata. 
280  Return an schannel authenticated fragment.
281  ********************************************************************/
282
283 static bool create_next_pdu_schannel(pipes_struct *p)
284 {
285         RPC_HDR_RESP hdr_resp;
286         uint32 ss_padding_len = 0;
287         uint32 data_len;
288         uint32 data_space_available;
289         uint32 data_len_left;
290         uint32 data_pos;
291         NTSTATUS status;
292
293         /*
294          * If we're in the fault state, keep returning fault PDU's until
295          * the pipe gets closed. JRA.
296          */
297
298         if(p->fault_state) {
299                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
300                 return True;
301         }
302
303         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
304
305         /* Change the incoming request header to a response. */
306         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
307
308         /* Set up rpc header flags. */
309         if (p->out_data.data_sent_length == 0) {
310                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
311         } else {
312                 p->hdr.flags = 0;
313         }
314
315         /*
316          * Work out how much we can fit in a single PDU.
317          */
318
319         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
320
321         /*
322          * Ensure there really is data left to send.
323          */
324
325         if(!data_len_left) {
326                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
327                 return False;
328         }
329
330         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
331                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
332                 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
333
334         /*
335          * The amount we send is the minimum of the available
336          * space and the amount left to send.
337          */
338
339         data_len = MIN(data_len_left, data_space_available);
340
341         /*
342          * Set up the alloc hint. This should be the data left to
343          * send.
344          */
345
346         hdr_resp.alloc_hint = data_len_left;
347
348         /*
349          * Work out if this PDU will be the last.
350          */
351
352         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
353                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
354                 if (data_len_left % 8) {
355                         ss_padding_len = 8 - (data_len_left % 8);
356                         DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
357                                 ss_padding_len ));
358                 }
359         }
360
361         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
362                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
363         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
364
365         /*
366          * Init the parse struct to point at the outgoing
367          * data.
368          */
369
370         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
371
372         /* Store the header in the data stream. */
373         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
374                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
375                 prs_mem_free(&p->out_data.frag);
376                 return False;
377         }
378
379         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
380                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
381                 prs_mem_free(&p->out_data.frag);
382                 return False;
383         }
384
385         /* Store the current offset. */
386         data_pos = prs_offset(&p->out_data.frag);
387
388         /* Copy the data into the PDU. */
389
390         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
391                                      p->out_data.data_sent_length, data_len)) {
392                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
393                 prs_mem_free(&p->out_data.frag);
394                 return False;
395         }
396
397         /* Copy the sign/seal padding data. */
398         if (ss_padding_len) {
399                 char pad[8];
400                 memset(pad, '\0', 8);
401                 if (!prs_copy_data_in(&p->out_data.frag, pad,
402                                       ss_padding_len)) {
403                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
404                         prs_mem_free(&p->out_data.frag);
405                         return False;
406                 }
407         }
408
409         {
410                 /*
411                  * Schannel processing.
412                  */
413                 RPC_HDR_AUTH auth_info;
414                 DATA_BLOB blob;
415                 uint8_t *data;
416
417                 /* Check it's the type of reply we were expecting to decode */
418
419                 init_rpc_hdr_auth(&auth_info,
420                                 DCERPC_AUTH_TYPE_SCHANNEL,
421                                 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
422                                         DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
423                                 ss_padding_len, 1);
424
425                 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
426                                         &p->out_data.frag, 0)) {
427                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
428                         prs_mem_free(&p->out_data.frag);
429                         return False;
430                 }
431
432                 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
433
434                 switch (p->auth.auth_level) {
435                 case DCERPC_AUTH_LEVEL_PRIVACY:
436                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
437                                                         talloc_tos(),
438                                                         true,
439                                                         data,
440                                                         data_len + ss_padding_len,
441                                                         &blob);
442                         break;
443                 case DCERPC_AUTH_LEVEL_INTEGRITY:
444                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
445                                                         talloc_tos(),
446                                                         false,
447                                                         data,
448                                                         data_len + ss_padding_len,
449                                                         &blob);
450                         break;
451                 default:
452                         status = NT_STATUS_INTERNAL_ERROR;
453                         break;
454                 }
455
456                 if (!NT_STATUS_IS_OK(status)) {
457                         DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
458                                 nt_errstr(status)));
459                         prs_mem_free(&p->out_data.frag);
460                         return false;
461                 }
462
463                 /* Finally marshall the blob. */
464
465                 if (DEBUGLEVEL >= 10) {
466                         dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
467                 }
468
469                 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
470                         prs_mem_free(&p->out_data.frag);
471                         return false;
472                 }
473         }
474
475         /*
476          * Setup the counts for this PDU.
477          */
478
479         p->out_data.data_sent_length += data_len;
480         p->out_data.current_pdu_sent = 0;
481
482         return True;
483 }
484
485 /*******************************************************************
486  Generate the next PDU to be returned from the data in p->rdata. 
487  No authentication done.
488 ********************************************************************/
489
490 static bool create_next_pdu_noauth(pipes_struct *p)
491 {
492         RPC_HDR_RESP hdr_resp;
493         uint32 data_len;
494         uint32 data_space_available;
495         uint32 data_len_left;
496
497         /*
498          * If we're in the fault state, keep returning fault PDU's until
499          * the pipe gets closed. JRA.
500          */
501
502         if(p->fault_state) {
503                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
504                 return True;
505         }
506
507         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
508
509         /* Change the incoming request header to a response. */
510         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
511
512         /* Set up rpc header flags. */
513         if (p->out_data.data_sent_length == 0) {
514                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
515         } else {
516                 p->hdr.flags = 0;
517         }
518
519         /*
520          * Work out how much we can fit in a single PDU.
521          */
522
523         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
524
525         /*
526          * Ensure there really is data left to send.
527          */
528
529         if(!data_len_left) {
530                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
531                 return False;
532         }
533
534         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
535                 - RPC_HDR_RESP_LEN;
536
537         /*
538          * The amount we send is the minimum of the available
539          * space and the amount left to send.
540          */
541
542         data_len = MIN(data_len_left, data_space_available);
543
544         /*
545          * Set up the alloc hint. This should be the data left to
546          * send.
547          */
548
549         hdr_resp.alloc_hint = data_len_left;
550
551         /*
552          * Work out if this PDU will be the last.
553          */
554
555         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
556                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
557         }
558
559         /*
560          * Set up the header lengths.
561          */
562
563         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
564         p->hdr.auth_len = 0;
565
566         /*
567          * Init the parse struct to point at the outgoing
568          * data.
569          */
570
571         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
572
573         /* Store the header in the data stream. */
574         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
575                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
576                 prs_mem_free(&p->out_data.frag);
577                 return False;
578         }
579
580         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
581                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
582                 prs_mem_free(&p->out_data.frag);
583                 return False;
584         }
585
586         /* Copy the data into the PDU. */
587
588         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
589                                      p->out_data.data_sent_length, data_len)) {
590                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
591                 prs_mem_free(&p->out_data.frag);
592                 return False;
593         }
594
595         /*
596          * Setup the counts for this PDU.
597          */
598
599         p->out_data.data_sent_length += data_len;
600         p->out_data.current_pdu_sent = 0;
601
602         return True;
603 }
604
605 /*******************************************************************
606  Generate the next PDU to be returned from the data in p->rdata. 
607 ********************************************************************/
608
609 bool create_next_pdu(pipes_struct *p)
610 {
611         switch(p->auth.auth_level) {
612                 case DCERPC_AUTH_LEVEL_NONE:
613                 case DCERPC_AUTH_LEVEL_CONNECT:
614                         /* This is incorrect for auth level connect. Fixme. JRA */
615                         return create_next_pdu_noauth(p);
616
617                 default:
618                         switch(p->auth.auth_type) {
619                                 case PIPE_AUTH_TYPE_NTLMSSP:
620                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
621                                         return create_next_pdu_ntlmssp(p);
622                                 case PIPE_AUTH_TYPE_SCHANNEL:
623                                         return create_next_pdu_schannel(p);
624                                 default:
625                                         break;
626                         }
627         }
628
629         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
630                         (unsigned int)p->auth.auth_level,
631                         (unsigned int)p->auth.auth_type));
632         return False;
633 }
634
635 /*******************************************************************
636  Process an NTLMSSP authentication response.
637  If this function succeeds, the user has been authenticated
638  and their domain, name and calling workstation stored in
639  the pipe struct.
640 *******************************************************************/
641
642 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
643 {
644         DATA_BLOB session_key, reply;
645         NTSTATUS status;
646         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
647         bool ret;
648
649         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
650                  get_pipe_name_tos(p)));
651
652         ZERO_STRUCT(reply);
653
654         /* this has to be done as root in order to verify the password */
655         become_root();
656         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
657         unbecome_root();
658
659         /* Don't generate a reply. */
660         data_blob_free(&reply);
661
662         if (!NT_STATUS_IS_OK(status)) {
663                 return False;
664         }
665
666         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
667            ensure the underlying NTLMSSP flags are also set. If not we should
668            refuse the bind. */
669
670         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
671                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
672                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
673                                 "but client declined signing.\n",
674                                  get_pipe_name_tos(p)));
675                         return False;
676                 }
677         }
678         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
679                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
680                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
681                                 "but client declined sealing.\n",
682                                  get_pipe_name_tos(p)));
683                         return False;
684                 }
685         }
686
687         DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
688                   "workstation: %s\n", a->ntlmssp_state->user,
689                   a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
690
691         if (a->server_info->ptok == NULL) {
692                 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
693                 return False;
694         }
695
696         TALLOC_FREE(p->server_info);
697
698         p->server_info = copy_serverinfo(p, a->server_info);
699         if (p->server_info == NULL) {
700                 DEBUG(0, ("copy_serverinfo failed\n"));
701                 return false;
702         }
703
704         /*
705          * We're an authenticated bind over smb, so the session key needs to
706          * be set to "SystemLibraryDTC". Weird, but this is what Windows
707          * does. See the RPC-SAMBA3SESSIONKEY.
708          */
709
710         session_key = generic_session_key();
711         if (session_key.data == NULL) {
712                 return False;
713         }
714
715         ret = server_info_set_session_key(p->server_info, session_key);
716
717         data_blob_free(&session_key);
718
719         return True;
720 }
721
722 /*******************************************************************
723  The switch table for the pipe names and the functions to handle them.
724 *******************************************************************/
725
726 struct rpc_table {
727         struct {
728                 const char *clnt;
729                 const char *srv;
730         } pipe;
731         struct ndr_syntax_id rpc_interface;
732         const struct api_struct *cmds;
733         int n_cmds;
734 };
735
736 static struct rpc_table *rpc_lookup;
737 static int rpc_lookup_size;
738
739 /*******************************************************************
740  This is the "stage3" NTLMSSP response after a bind request and reply.
741 *******************************************************************/
742
743 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
744 {
745         RPC_HDR_AUTH auth_info;
746         uint32 pad = 0;
747         DATA_BLOB blob;
748
749         ZERO_STRUCT(blob);
750
751         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
752
753         if (p->hdr.auth_len == 0) {
754                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
755                 goto err;
756         }
757
758         /* 4 bytes padding. */
759         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
760                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
761                 goto err;
762         }
763
764         /*
765          * Decode the authentication verifier response.
766          */
767
768         if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
769                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
770                 goto err;
771         }
772
773         if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
774                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
775                         (unsigned int)auth_info.auth_type ));
776                 return False;
777         }
778
779         blob = data_blob(NULL,p->hdr.auth_len);
780
781         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
782                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
783                         (unsigned int)p->hdr.auth_len ));
784                 goto err;
785         }
786
787         /*
788          * The following call actually checks the challenge/response data.
789          * for correctness against the given DOMAIN\user name.
790          */
791
792         if (!pipe_ntlmssp_verify_final(p, &blob)) {
793                 goto err;
794         }
795
796         data_blob_free(&blob);
797
798         p->pipe_bound = True;
799
800         return True;
801
802  err:
803
804         data_blob_free(&blob);
805         free_pipe_ntlmssp_auth_data(&p->auth);
806         p->auth.a_u.auth_ntlmssp_state = NULL;
807
808         return False;
809 }
810
811 /*******************************************************************
812  Marshall a bind_nak pdu.
813 *******************************************************************/
814
815 static bool setup_bind_nak(pipes_struct *p)
816 {
817         RPC_HDR nak_hdr;
818         uint16 zero = 0;
819
820         /* Free any memory in the current return data buffer. */
821         prs_mem_free(&p->out_data.rdata);
822
823         /*
824          * Marshall directly into the outgoing PDU space. We
825          * must do this as we need to set to the bind response
826          * header and are never sending more than one PDU here.
827          */
828
829         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
830
831         /*
832          * Initialize a bind_nak header.
833          */
834
835         init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
836                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
837
838         /*
839          * Marshall the header into the outgoing PDU.
840          */
841
842         if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
843                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
844                 prs_mem_free(&p->out_data.frag);
845                 return False;
846         }
847
848         /*
849          * Now add the reject reason.
850          */
851
852         if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
853                 prs_mem_free(&p->out_data.frag);
854                 return False;
855         }
856
857         p->out_data.data_sent_length = 0;
858         p->out_data.current_pdu_sent = 0;
859
860         if (p->auth.auth_data_free_func) {
861                 (*p->auth.auth_data_free_func)(&p->auth);
862         }
863         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
864         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
865         p->pipe_bound = False;
866
867         return True;
868 }
869
870 /*******************************************************************
871  Marshall a fault pdu.
872 *******************************************************************/
873
874 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
875 {
876         RPC_HDR fault_hdr;
877         RPC_HDR_RESP hdr_resp;
878         RPC_HDR_FAULT fault_resp;
879
880         /* Free any memory in the current return data buffer. */
881         prs_mem_free(&p->out_data.rdata);
882
883         /*
884          * Marshall directly into the outgoing PDU space. We
885          * must do this as we need to set to the bind response
886          * header and are never sending more than one PDU here.
887          */
888
889         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
890
891         /*
892          * Initialize a fault header.
893          */
894
895         init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
896             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
897
898         /*
899          * Initialize the HDR_RESP and FAULT parts of the PDU.
900          */
901
902         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
903
904         fault_resp.status = status;
905         fault_resp.reserved = 0;
906
907         /*
908          * Marshall the header into the outgoing PDU.
909          */
910
911         if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
912                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
913                 prs_mem_free(&p->out_data.frag);
914                 return False;
915         }
916
917         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
918                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
919                 prs_mem_free(&p->out_data.frag);
920                 return False;
921         }
922
923         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
924                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
925                 prs_mem_free(&p->out_data.frag);
926                 return False;
927         }
928
929         p->out_data.data_sent_length = 0;
930         p->out_data.current_pdu_sent = 0;
931
932         return True;
933 }
934
935 #if 0
936 /*******************************************************************
937  Marshall a cancel_ack pdu.
938  We should probably check the auth-verifier here.
939 *******************************************************************/
940
941 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
942 {
943         prs_struct outgoing_pdu;
944         RPC_HDR ack_reply_hdr;
945
946         /* Free any memory in the current return data buffer. */
947         prs_mem_free(&p->out_data.rdata);
948
949         /*
950          * Marshall directly into the outgoing PDU space. We
951          * must do this as we need to set to the bind response
952          * header and are never sending more than one PDU here.
953          */
954
955         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
956         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
957
958         /*
959          * Initialize a cancel_ack header.
960          */
961
962         init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
963                         p->hdr.call_id, RPC_HEADER_LEN, 0);
964
965         /*
966          * Marshall the header into the outgoing PDU.
967          */
968
969         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
970                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
971                 prs_mem_free(&outgoing_pdu);
972                 return False;
973         }
974
975         p->out_data.data_sent_length = 0;
976         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
977         p->out_data.current_pdu_sent = 0;
978
979         prs_mem_free(&outgoing_pdu);
980         return True;
981 }
982 #endif
983
984 /*******************************************************************
985  Ensure a bind request has the correct abstract & transfer interface.
986  Used to reject unknown binds from Win2k.
987 *******************************************************************/
988
989 static bool check_bind_req(struct pipes_struct *p,
990                            struct ndr_syntax_id* abstract,
991                            struct ndr_syntax_id* transfer,
992                            uint32 context_id)
993 {
994         int i=0;
995         struct pipe_rpc_fns *context_fns;
996
997         DEBUG(3,("check_bind_req for %s\n", get_pipe_name_tos(p)));
998
999         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
1000
1001         for (i=0; i<rpc_lookup_size; i++) {
1002                 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
1003                 if (ndr_syntax_id_equal(
1004                             abstract, &rpc_lookup[i].rpc_interface)
1005                     && ndr_syntax_id_equal(
1006                             transfer, &ndr_transfer_syntax)) {
1007                         break;
1008                 }
1009         }
1010
1011         if (i == rpc_lookup_size) {
1012                 return false;
1013         }
1014
1015         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1016         if (context_fns == NULL) {
1017                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1018                 return False;
1019         }
1020
1021         context_fns->cmds = rpc_lookup[i].cmds;
1022         context_fns->n_cmds = rpc_lookup[i].n_cmds;
1023         context_fns->context_id = context_id;
1024
1025         /* add to the list of open contexts */
1026
1027         DLIST_ADD( p->contexts, context_fns );
1028
1029         return True;
1030 }
1031
1032 /*******************************************************************
1033  Register commands to an RPC pipe
1034 *******************************************************************/
1035
1036 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1037                           const struct ndr_interface_table *iface,
1038                           const struct api_struct *cmds, int size)
1039 {
1040         struct rpc_table *rpc_entry;
1041
1042         if (!clnt || !srv || !cmds) {
1043                 return NT_STATUS_INVALID_PARAMETER;
1044         }
1045
1046         if (version != SMB_RPC_INTERFACE_VERSION) {
1047                 DEBUG(0,("Can't register rpc commands!\n"
1048                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1049                          ", while this version of samba uses version %d!\n", 
1050                          version,SMB_RPC_INTERFACE_VERSION));
1051                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1052         }
1053
1054         /* TODO: 
1055          *
1056          * we still need to make sure that don't register the same commands twice!!!
1057          * 
1058          * --metze
1059          */
1060
1061         /* We use a temporary variable because this call can fail and 
1062            rpc_lookup will still be valid afterwards.  It could then succeed if
1063            called again later */
1064         rpc_lookup_size++;
1065         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1066         if (NULL == rpc_entry) {
1067                 rpc_lookup_size--;
1068                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1069                 return NT_STATUS_NO_MEMORY;
1070         } else {
1071                 rpc_lookup = rpc_entry;
1072         }
1073
1074         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1075         ZERO_STRUCTP(rpc_entry);
1076         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1077         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1078         rpc_entry->rpc_interface = iface->syntax_id;
1079         rpc_entry->cmds = cmds;
1080         rpc_entry->n_cmds = size;
1081
1082         return NT_STATUS_OK;
1083 }
1084
1085 /**
1086  * Is a named pipe known?
1087  * @param[in] cli_filename      The pipe name requested by the client
1088  * @result                      Do we want to serve this?
1089  */
1090 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1091 {
1092         const char *pipename = cli_filename;
1093         int i;
1094         NTSTATUS status;
1095
1096         if (strnequal(pipename, "\\PIPE\\", 6)) {
1097                 pipename += 5;
1098         }
1099
1100         if (*pipename == '\\') {
1101                 pipename += 1;
1102         }
1103
1104         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1105                 DEBUG(10, ("refusing spoolss access\n"));
1106                 return false;
1107         }
1108
1109         for (i=0; i<rpc_lookup_size; i++) {
1110                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1111                         *syntax = rpc_lookup[i].rpc_interface;
1112                         return true;
1113                 }
1114         }
1115
1116         status = smb_probe_module("rpc", pipename);
1117         if (!NT_STATUS_IS_OK(status)) {
1118                 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1119                 return false;
1120         }
1121         DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
1122
1123         /*
1124          * Scan the list again for the interface id
1125          */
1126
1127         for (i=0; i<rpc_lookup_size; i++) {
1128                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1129                         *syntax = rpc_lookup[i].rpc_interface;
1130                         return true;
1131                 }
1132         }
1133
1134         DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
1135                    pipename));
1136
1137         return false;
1138 }
1139
1140 /*******************************************************************
1141  Handle a SPNEGO krb5 bind auth.
1142 *******************************************************************/
1143
1144 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1145                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1146 {
1147         return False;
1148 }
1149
1150 /*******************************************************************
1151  Handle the first part of a SPNEGO bind auth.
1152 *******************************************************************/
1153
1154 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1155                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1156 {
1157         DATA_BLOB blob;
1158         DATA_BLOB secblob;
1159         DATA_BLOB response;
1160         DATA_BLOB chal;
1161         char *OIDs[ASN1_MAX_OIDS];
1162         int i;
1163         NTSTATUS status;
1164         bool got_kerberos_mechanism = false;
1165         AUTH_NTLMSSP_STATE *a = NULL;
1166         RPC_HDR_AUTH auth_info;
1167
1168         ZERO_STRUCT(secblob);
1169         ZERO_STRUCT(chal);
1170         ZERO_STRUCT(response);
1171
1172         /* Grab the SPNEGO blob. */
1173         blob = data_blob(NULL,p->hdr.auth_len);
1174
1175         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1176                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1177                         (unsigned int)p->hdr.auth_len ));
1178                 goto err;
1179         }
1180
1181         if (blob.data[0] != ASN1_APPLICATION(0)) {
1182                 goto err;
1183         }
1184
1185         /* parse out the OIDs and the first sec blob */
1186         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1187                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1188                 goto err;
1189         }
1190
1191         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1192                 got_kerberos_mechanism = true;
1193         }
1194
1195         for (i=0;OIDs[i];i++) {
1196                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1197                 TALLOC_FREE(OIDs[i]);
1198         }
1199         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1200
1201         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1202                 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1203                 data_blob_free(&secblob);
1204                 data_blob_free(&blob);
1205                 return ret;
1206         }
1207
1208         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1209                 /* Free any previous auth type. */
1210                 free_pipe_ntlmssp_auth_data(&p->auth);
1211         }
1212
1213         if (!got_kerberos_mechanism) {
1214                 /* Initialize the NTLM engine. */
1215                 status = auth_ntlmssp_start(&a);
1216                 if (!NT_STATUS_IS_OK(status)) {
1217                         goto err;
1218                 }
1219
1220                 /*
1221                  * Pass the first security blob of data to it.
1222                  * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1223                  * which means we need another packet to complete the bind.
1224                  */
1225
1226                 status = auth_ntlmssp_update(a, secblob, &chal);
1227
1228                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1229                         DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1230                         goto err;
1231                 }
1232
1233                 /* Generate the response blob we need for step 2 of the bind. */
1234                 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1235         } else {
1236                 /*
1237                  * SPNEGO negotiate down to NTLMSSP. The subsequent
1238                  * code to process follow-up packets is not complete
1239                  * yet. JRA.
1240                  */
1241                 response = spnego_gen_auth_response(NULL,
1242                                         NT_STATUS_MORE_PROCESSING_REQUIRED,
1243                                         OID_NTLMSSP);
1244         }
1245
1246         /* Copy the blob into the pout_auth parse struct */
1247         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1248         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1249                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1250                 goto err;
1251         }
1252
1253         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1254                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1255                 goto err;
1256         }
1257
1258         p->auth.a_u.auth_ntlmssp_state = a;
1259         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1260         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1261
1262         data_blob_free(&blob);
1263         data_blob_free(&secblob);
1264         data_blob_free(&chal);
1265         data_blob_free(&response);
1266
1267         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1268         return True;
1269
1270  err:
1271
1272         data_blob_free(&blob);
1273         data_blob_free(&secblob);
1274         data_blob_free(&chal);
1275         data_blob_free(&response);
1276
1277         p->auth.a_u.auth_ntlmssp_state = NULL;
1278
1279         return False;
1280 }
1281
1282 /*******************************************************************
1283  Handle the second part of a SPNEGO bind auth.
1284 *******************************************************************/
1285
1286 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1287                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1288 {
1289         RPC_HDR_AUTH auth_info;
1290         DATA_BLOB spnego_blob;
1291         DATA_BLOB auth_blob;
1292         DATA_BLOB auth_reply;
1293         DATA_BLOB response;
1294         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1295
1296         ZERO_STRUCT(spnego_blob);
1297         ZERO_STRUCT(auth_blob);
1298         ZERO_STRUCT(auth_reply);
1299         ZERO_STRUCT(response);
1300
1301         /*
1302          * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1303          * fail here as 'a' == NULL.
1304          */
1305         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1306                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1307                 goto err;
1308         }
1309
1310         /* Grab the SPNEGO blob. */
1311         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1312
1313         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1314                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1315                         (unsigned int)p->hdr.auth_len ));
1316                 goto err;
1317         }
1318
1319         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1320                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1321                 goto err;
1322         }
1323
1324         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1325                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1326                 goto err;
1327         }
1328
1329         /*
1330          * The following call actually checks the challenge/response data.
1331          * for correctness against the given DOMAIN\user name.
1332          */
1333
1334         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1335                 goto err;
1336         }
1337
1338         data_blob_free(&spnego_blob);
1339         data_blob_free(&auth_blob);
1340
1341         /* Generate the spnego "accept completed" blob - no incoming data. */
1342         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1343
1344         /* Copy the blob into the pout_auth parse struct */
1345         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1346         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1347                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1348                 goto err;
1349         }
1350
1351         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1352                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1353                 goto err;
1354         }
1355
1356         data_blob_free(&auth_reply);
1357         data_blob_free(&response);
1358
1359         p->pipe_bound = True;
1360
1361         return True;
1362
1363  err:
1364
1365         data_blob_free(&spnego_blob);
1366         data_blob_free(&auth_blob);
1367         data_blob_free(&auth_reply);
1368         data_blob_free(&response);
1369
1370         free_pipe_ntlmssp_auth_data(&p->auth);
1371         p->auth.a_u.auth_ntlmssp_state = NULL;
1372
1373         return False;
1374 }
1375
1376 /*******************************************************************
1377  Handle an schannel bind auth.
1378 *******************************************************************/
1379
1380 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1381                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1382 {
1383         RPC_HDR_AUTH auth_info;
1384         struct NL_AUTH_MESSAGE neg;
1385         struct NL_AUTH_MESSAGE reply;
1386         bool ret;
1387         NTSTATUS status;
1388         struct netlogon_creds_CredentialState *creds;
1389         DATA_BLOB session_key;
1390         enum ndr_err_code ndr_err;
1391         DATA_BLOB blob;
1392
1393         blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1394                                prs_data_size(rpc_in_p));
1395
1396         ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1397                                (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1398         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1399                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1400                 return false;
1401         }
1402
1403         if (DEBUGLEVEL >= 10) {
1404                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1405         }
1406
1407         if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1408                 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1409                 return false;
1410         }
1411
1412         /*
1413          * The neg.oem_netbios_computer.a key here must match the remote computer name
1414          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1415          * operations that use credentials.
1416          */
1417
1418         become_root();
1419         status = schannel_fetch_session_key(p,
1420                                             neg.oem_netbios_computer.a,
1421                                             &creds);
1422         unbecome_root();
1423
1424         if (!NT_STATUS_IS_OK(status)) {
1425                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1426                 return False;
1427         }
1428
1429         p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1430         if (!p->auth.a_u.schannel_auth) {
1431                 TALLOC_FREE(creds);
1432                 return False;
1433         }
1434
1435         p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1436         p->auth.a_u.schannel_auth->seq_num = 0;
1437         p->auth.a_u.schannel_auth->initiator = false;
1438         p->auth.a_u.schannel_auth->creds = creds;
1439
1440         /*
1441          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1442          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1443          * struct of the person who opened the pipe. I need to test this further. JRA.
1444          *
1445          * VL. As we are mapping this to guest set the generic key
1446          * "SystemLibraryDTC" key here. It's a bit difficult to test against
1447          * W2k3, as it does not allow schannel binds against SAMR and LSA
1448          * anymore.
1449          */
1450
1451         session_key = generic_session_key();
1452         if (session_key.data == NULL) {
1453                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1454                           " key\n"));
1455                 return false;
1456         }
1457
1458         ret = server_info_set_session_key(p->server_info, session_key);
1459
1460         data_blob_free(&session_key);
1461
1462         if (!ret) {
1463                 DEBUG(0, ("server_info_set_session_key failed\n"));
1464                 return false;
1465         }
1466
1467         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1468         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1469                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1470                 return False;
1471         }
1472
1473         /*** SCHANNEL verifier ***/
1474
1475         reply.MessageType                       = NL_NEGOTIATE_RESPONSE;
1476         reply.Flags                             = 0;
1477         reply.Buffer.dummy                      = 5; /* ??? actually I don't think
1478                                                       * this has any meaning
1479                                                       * here - gd */
1480
1481         ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &reply,
1482                        (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1483         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1484                 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1485                 return false;
1486         }
1487
1488         if (DEBUGLEVEL >= 10) {
1489                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1490         }
1491
1492         if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1493                 return false;
1494         }
1495
1496         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1497                 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1498
1499         /* We're finished with this bind - no more packets. */
1500         p->auth.auth_data_free_func = NULL;
1501         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1502
1503         p->pipe_bound = True;
1504
1505         return True;
1506 }
1507
1508 /*******************************************************************
1509  Handle an NTLMSSP bind auth.
1510 *******************************************************************/
1511
1512 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1513                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1514 {
1515         RPC_HDR_AUTH auth_info;
1516         DATA_BLOB blob;
1517         DATA_BLOB response;
1518         NTSTATUS status;
1519         AUTH_NTLMSSP_STATE *a = NULL;
1520
1521         ZERO_STRUCT(blob);
1522         ZERO_STRUCT(response);
1523
1524         /* Grab the NTLMSSP blob. */
1525         blob = data_blob(NULL,p->hdr.auth_len);
1526
1527         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1528                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1529                         (unsigned int)p->hdr.auth_len ));
1530                 goto err;
1531         }
1532
1533         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1534                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1535                 goto err;
1536         }
1537
1538         /* We have an NTLMSSP blob. */
1539         status = auth_ntlmssp_start(&a);
1540         if (!NT_STATUS_IS_OK(status)) {
1541                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1542                         nt_errstr(status) ));
1543                 goto err;
1544         }
1545
1546         status = auth_ntlmssp_update(a, blob, &response);
1547         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1548                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1549                         nt_errstr(status) ));
1550                 goto err;
1551         }
1552
1553         data_blob_free(&blob);
1554
1555         /* Copy the blob into the pout_auth parse struct */
1556         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1557         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1558                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1559                 goto err;
1560         }
1561
1562         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1563                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1564                 goto err;
1565         }
1566
1567         p->auth.a_u.auth_ntlmssp_state = a;
1568         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1569         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1570
1571         data_blob_free(&blob);
1572         data_blob_free(&response);
1573
1574         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1575
1576         /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1577         return True;
1578
1579   err:
1580
1581         data_blob_free(&blob);
1582         data_blob_free(&response);
1583
1584         free_pipe_ntlmssp_auth_data(&p->auth);
1585         p->auth.a_u.auth_ntlmssp_state = NULL;
1586         return False;
1587 }
1588
1589 /*******************************************************************
1590  Respond to a pipe bind request.
1591 *******************************************************************/
1592
1593 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1594 {
1595         RPC_HDR_BA hdr_ba;
1596         RPC_HDR_RB hdr_rb;
1597         RPC_HDR_AUTH auth_info;
1598         uint16 assoc_gid;
1599         fstring ack_pipe_name;
1600         prs_struct out_hdr_ba;
1601         prs_struct out_auth;
1602         int i = 0;
1603         int auth_len = 0;
1604         unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1605
1606         /* No rebinds on a bound pipe - use alter context. */
1607         if (p->pipe_bound) {
1608                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1609                          "pipe %s.\n", get_pipe_name_tos(p)));
1610                 return setup_bind_nak(p);
1611         }
1612
1613         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1614
1615         /* 
1616          * Marshall directly into the outgoing PDU space. We
1617          * must do this as we need to set to the bind response
1618          * header and are never sending more than one PDU here.
1619          */
1620
1621         /*
1622          * Setup the memory to marshall the ba header, and the
1623          * auth footers.
1624          */
1625
1626         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1627                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1628                 prs_mem_free(&p->out_data.frag);
1629                 return False;
1630         }
1631
1632         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1633                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1634                 prs_mem_free(&p->out_data.frag);
1635                 prs_mem_free(&out_hdr_ba);
1636                 return False;
1637         }
1638
1639         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1640
1641         ZERO_STRUCT(hdr_rb);
1642
1643         /* decode the bind request */
1644
1645         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1646                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1647                          "struct.\n"));
1648                 goto err_exit;
1649         }
1650
1651         if (hdr_rb.num_contexts == 0) {
1652                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1653                 goto err_exit;
1654         }
1655
1656         /*
1657          * Try and find the correct pipe name to ensure
1658          * that this is a pipe name we support.
1659          */
1660
1661         for (i = 0; i < rpc_lookup_size; i++) {
1662                 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1663                                         &hdr_rb.rpc_context[0].abstract)) {
1664                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1665                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1666                         break;
1667                 }
1668         }
1669
1670         if (i == rpc_lookup_size) {
1671                 NTSTATUS status;
1672
1673                 status = smb_probe_module(
1674                         "rpc", get_pipe_name_from_syntax(
1675                                 talloc_tos(),
1676                                 &hdr_rb.rpc_context[0].abstract));
1677
1678                 if (NT_STATUS_IS_ERR(status)) {
1679                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1680                                 get_pipe_name_from_syntax(
1681                                         talloc_tos(),
1682                                         &hdr_rb.rpc_context[0].abstract)));
1683                         prs_mem_free(&p->out_data.frag);
1684                         prs_mem_free(&out_hdr_ba);
1685                         prs_mem_free(&out_auth);
1686
1687                         return setup_bind_nak(p);
1688                 }
1689
1690                 for (i = 0; i < rpc_lookup_size; i++) {
1691                        if (strequal(rpc_lookup[i].pipe.clnt,
1692                                     get_pipe_name_tos(p))) {
1693                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1694                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1695                                break;
1696                        }
1697                 }
1698
1699                 if (i == rpc_lookup_size) {
1700                         DEBUG(0, ("module %s doesn't provide functions for "
1701                                   "pipe %s!\n", get_pipe_name_tos(p),
1702                                   get_pipe_name_tos(p)));
1703                         goto err_exit;
1704                 }
1705         }
1706
1707         /* name has to be \PIPE\xxxxx */
1708         fstrcpy(ack_pipe_name, "\\PIPE\\");
1709         fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1710
1711         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1712
1713         /*
1714          * Check if this is an authenticated bind request.
1715          */
1716
1717         if (p->hdr.auth_len) {
1718                 /* 
1719                  * Decode the authentication verifier.
1720                  */
1721
1722                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1723                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1724                         goto err_exit;
1725                 }
1726
1727                 auth_type = auth_info.auth_type;
1728
1729                 /* Work out if we have to sign or seal etc. */
1730                 switch (auth_info.auth_level) {
1731                         case DCERPC_AUTH_LEVEL_INTEGRITY:
1732                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1733                                 break;
1734                         case DCERPC_AUTH_LEVEL_PRIVACY:
1735                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1736                                 break;
1737                         default:
1738                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1739                                         (unsigned int)auth_info.auth_level ));
1740                                 goto err_exit;
1741                 }
1742         } else {
1743                 ZERO_STRUCT(auth_info);
1744         }
1745
1746         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1747
1748         switch(auth_type) {
1749                 case DCERPC_AUTH_TYPE_NTLMSSP:
1750                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1751                                 goto err_exit;
1752                         }
1753                         assoc_gid = 0x7a77;
1754                         break;
1755
1756                 case DCERPC_AUTH_TYPE_SCHANNEL:
1757                         if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1758                                 goto err_exit;
1759                         }
1760                         break;
1761
1762                 case DCERPC_AUTH_TYPE_SPNEGO:
1763                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1764                                 goto err_exit;
1765                         }
1766                         break;
1767
1768                 case DCERPC_AUTH_TYPE_NONE:
1769                         /* Unauthenticated bind request. */
1770                         /* We're finished - no more packets. */
1771                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1772                         /* We must set the pipe auth_level here also. */
1773                         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1774                         p->pipe_bound = True;
1775                         /* The session key was initialized from the SMB
1776                          * session in make_internal_rpc_pipe_p */
1777                         break;
1778
1779                 default:
1780                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1781                         goto err_exit;
1782         }
1783
1784         /*
1785          * Create the bind response struct.
1786          */
1787
1788         /* If the requested abstract synt uuid doesn't match our client pipe,
1789                 reject the bind_ack & set the transfer interface synt to all 0's,
1790                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1791                 unknown to NT4)
1792                 Needed when adding entries to a DACL from NT5 - SK */
1793
1794         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1795                                 hdr_rb.rpc_context[0].context_id )) {
1796                 init_rpc_hdr_ba(&hdr_ba,
1797                         RPC_MAX_PDU_FRAG_LEN,
1798                         RPC_MAX_PDU_FRAG_LEN,
1799                         assoc_gid,
1800                         ack_pipe_name,
1801                         0x1, 0x0, 0x0,
1802                         &hdr_rb.rpc_context[0].transfer[0]);
1803         } else {
1804                 /* Rejection reason: abstract syntax not supported */
1805                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1806                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1807                                         ack_pipe_name, 0x1, 0x2, 0x1,
1808                                         &null_ndr_syntax_id);
1809                 p->pipe_bound = False;
1810         }
1811
1812         /*
1813          * and marshall it.
1814          */
1815
1816         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1817                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1818                 goto err_exit;
1819         }
1820
1821         /*
1822          * Create the header, now we know the length.
1823          */
1824
1825         if (prs_offset(&out_auth)) {
1826                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1827         }
1828
1829         init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1830                         p->hdr.call_id,
1831                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1832                         auth_len);
1833
1834         /*
1835          * Marshall the header into the outgoing PDU.
1836          */
1837
1838         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1839                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1840                 goto err_exit;
1841         }
1842
1843         /*
1844          * Now add the RPC_HDR_BA and any auth needed.
1845          */
1846
1847         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1848                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1849                 goto err_exit;
1850         }
1851
1852         if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1853                 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1854                 goto err_exit;
1855         }
1856
1857         /*
1858          * Setup the lengths for the initial reply.
1859          */
1860
1861         p->out_data.data_sent_length = 0;
1862         p->out_data.current_pdu_sent = 0;
1863
1864         prs_mem_free(&out_hdr_ba);
1865         prs_mem_free(&out_auth);
1866
1867         return True;
1868
1869   err_exit:
1870
1871         prs_mem_free(&p->out_data.frag);
1872         prs_mem_free(&out_hdr_ba);
1873         prs_mem_free(&out_auth);
1874         return setup_bind_nak(p);
1875 }
1876
1877 /****************************************************************************
1878  Deal with an alter context call. Can be third part of 3 leg auth request for
1879  SPNEGO calls.
1880 ****************************************************************************/
1881
1882 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1883 {
1884         RPC_HDR_BA hdr_ba;
1885         RPC_HDR_RB hdr_rb;
1886         RPC_HDR_AUTH auth_info;
1887         uint16 assoc_gid;
1888         fstring ack_pipe_name;
1889         prs_struct out_hdr_ba;
1890         prs_struct out_auth;
1891         int auth_len = 0;
1892
1893         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1894
1895         /* 
1896          * Marshall directly into the outgoing PDU space. We
1897          * must do this as we need to set to the bind response
1898          * header and are never sending more than one PDU here.
1899          */
1900
1901         /*
1902          * Setup the memory to marshall the ba header, and the
1903          * auth footers.
1904          */
1905
1906         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1907                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1908                 prs_mem_free(&p->out_data.frag);
1909                 return False;
1910         }
1911
1912         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1913                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1914                 prs_mem_free(&p->out_data.frag);
1915                 prs_mem_free(&out_hdr_ba);
1916                 return False;
1917         }
1918
1919         ZERO_STRUCT(hdr_rb);
1920
1921         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1922
1923         /* decode the alter context request */
1924         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1925                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1926                 goto err_exit;
1927         }
1928
1929         /* secondary address CAN be NULL
1930          * as the specs say it's ignored.
1931          * It MUST be NULL to have the spoolss working.
1932          */
1933         fstrcpy(ack_pipe_name,"");
1934
1935         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1936
1937         /*
1938          * Check if this is an authenticated alter context request.
1939          */
1940
1941         if (p->hdr.auth_len != 0) {
1942                 /* 
1943                  * Decode the authentication verifier.
1944                  */
1945
1946                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1947                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1948                         goto err_exit;
1949                 }
1950
1951                 /*
1952                  * Currently only the SPNEGO auth type uses the alter ctx
1953                  * response in place of the NTLMSSP auth3 type.
1954                  */
1955
1956                 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
1957                         /* We can only finish if the pipe is unbound. */
1958                         if (!p->pipe_bound) {
1959                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1960                                         goto err_exit;
1961                                 }
1962                         } else {
1963                                 goto err_exit;
1964                         }
1965                 }
1966         } else {
1967                 ZERO_STRUCT(auth_info);
1968         }
1969
1970         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1971
1972         /*
1973          * Create the bind response struct.
1974          */
1975
1976         /* If the requested abstract synt uuid doesn't match our client pipe,
1977                 reject the bind_ack & set the transfer interface synt to all 0's,
1978                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1979                 unknown to NT4)
1980                 Needed when adding entries to a DACL from NT5 - SK */
1981
1982         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1983                                 hdr_rb.rpc_context[0].context_id )) {
1984                 init_rpc_hdr_ba(&hdr_ba,
1985                         RPC_MAX_PDU_FRAG_LEN,
1986                         RPC_MAX_PDU_FRAG_LEN,
1987                         assoc_gid,
1988                         ack_pipe_name,
1989                         0x1, 0x0, 0x0,
1990                         &hdr_rb.rpc_context[0].transfer[0]);
1991         } else {
1992                 /* Rejection reason: abstract syntax not supported */
1993                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1994                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1995                                         ack_pipe_name, 0x1, 0x2, 0x1,
1996                                         &null_ndr_syntax_id);
1997                 p->pipe_bound = False;
1998         }
1999
2000         /*
2001          * and marshall it.
2002          */
2003
2004         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
2005                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
2006                 goto err_exit;
2007         }
2008
2009         /*
2010          * Create the header, now we know the length.
2011          */
2012
2013         if (prs_offset(&out_auth)) {
2014                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
2015         }
2016
2017         init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
2018                         p->hdr.call_id,
2019                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
2020                         auth_len);
2021
2022         /*
2023          * Marshall the header into the outgoing PDU.
2024          */
2025
2026         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2027                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2028                 goto err_exit;
2029         }
2030
2031         /*
2032          * Now add the RPC_HDR_BA and any auth needed.
2033          */
2034
2035         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2036                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2037                 goto err_exit;
2038         }
2039
2040         if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) {
2041                 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2042                 goto err_exit;
2043         }
2044
2045         /*
2046          * Setup the lengths for the initial reply.
2047          */
2048
2049         p->out_data.data_sent_length = 0;
2050         p->out_data.current_pdu_sent = 0;
2051
2052         prs_mem_free(&out_hdr_ba);
2053         prs_mem_free(&out_auth);
2054
2055         return True;
2056
2057   err_exit:
2058
2059         prs_mem_free(&p->out_data.frag);
2060         prs_mem_free(&out_hdr_ba);
2061         prs_mem_free(&out_auth);
2062         return setup_bind_nak(p);
2063 }
2064
2065 /****************************************************************************
2066  Deal with NTLMSSP sign & seal processing on an RPC request.
2067 ****************************************************************************/
2068
2069 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2070                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2071 {
2072         RPC_HDR_AUTH auth_info;
2073         uint32 auth_len = p->hdr.auth_len;
2074         uint32 save_offset = prs_offset(rpc_in);
2075         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2076         unsigned char *data = NULL;
2077         size_t data_len;
2078         unsigned char *full_packet_data = NULL;
2079         size_t full_packet_data_len;
2080         DATA_BLOB auth_blob;
2081
2082         *pstatus = NT_STATUS_OK;
2083
2084         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2085                 return True;
2086         }
2087
2088         if (!a) {
2089                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2090                 return False;
2091         }
2092
2093         /* Ensure there's enough data for an authenticated request. */
2094         if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2095                         (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2096                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2097                         (unsigned int)auth_len ));
2098                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2099                 return False;
2100         }
2101
2102         /*
2103          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2104          * after the RPC header. 
2105          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2106          * functions as NTLMv2 checks the rpc headers also.
2107          */
2108
2109         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2110         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2111
2112         full_packet_data = p->in_data.current_in_pdu;
2113         full_packet_data_len = p->hdr.frag_len - auth_len;
2114
2115         /* Pull the auth header and the following data into a blob. */
2116         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2117                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2118                         (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2119                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2120                 return False;
2121         }
2122
2123         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2124                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2125                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2126                 return False;
2127         }
2128
2129         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2130         auth_blob.length = auth_len;
2131
2132         switch (p->auth.auth_level) {
2133                 case DCERPC_AUTH_LEVEL_PRIVACY:
2134                         /* Data is encrypted. */
2135                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2136                                                         data, data_len,
2137                                                         full_packet_data,
2138                                                         full_packet_data_len,
2139                                                         &auth_blob);
2140                         if (!NT_STATUS_IS_OK(*pstatus)) {
2141                                 return False;
2142                         }
2143                         break;
2144                 case DCERPC_AUTH_LEVEL_INTEGRITY:
2145                         /* Data is signed. */
2146                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2147                                                         data, data_len,
2148                                                         full_packet_data,
2149                                                         full_packet_data_len,
2150                                                         &auth_blob);
2151                         if (!NT_STATUS_IS_OK(*pstatus)) {
2152                                 return False;
2153                         }
2154                         break;
2155                 default:
2156                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2157                         return False;
2158         }
2159
2160         /*
2161          * Return the current pointer to the data offset.
2162          */
2163
2164         if(!prs_set_offset(rpc_in, save_offset)) {
2165                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2166                         (unsigned int)save_offset ));
2167                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2168                 return False;
2169         }
2170
2171         /*
2172          * Remember the padding length. We must remove it from the real data
2173          * stream once the sign/seal is done.
2174          */
2175
2176         *p_ss_padding_len = auth_info.auth_pad_len;
2177
2178         return True;
2179 }
2180
2181 /****************************************************************************
2182  Deal with schannel processing on an RPC request.
2183 ****************************************************************************/
2184
2185 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2186 {
2187         uint32 data_len;
2188         uint32 auth_len;
2189         uint32 save_offset = prs_offset(rpc_in);
2190         RPC_HDR_AUTH auth_info;
2191         DATA_BLOB blob;
2192         NTSTATUS status;
2193         uint8_t *data;
2194
2195         auth_len = p->hdr.auth_len;
2196
2197         if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2198                         auth_len > RPC_HEADER_LEN +
2199                                         RPC_HDR_REQ_LEN +
2200                                         RPC_HDR_AUTH_LEN +
2201                                         auth_len) {
2202                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2203                 return False;
2204         }
2205
2206         /*
2207          * The following is that length of the data we must verify or unseal.
2208          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2209          * preceeding the auth_data.
2210          */
2211
2212         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2213                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2214                         (unsigned int)p->hdr.frag_len,
2215                         (unsigned int)auth_len ));
2216                 return False;
2217         }
2218
2219         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2220                 RPC_HDR_AUTH_LEN - auth_len;
2221
2222         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2223
2224         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2225                 DEBUG(0,("cannot move offset to %u.\n",
2226                          (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2227                 return False;
2228         }
2229
2230         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2231                 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2232                 return False;
2233         }
2234
2235         if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2236                 DEBUG(0,("Invalid auth info %d on schannel\n",
2237                          auth_info.auth_type));
2238                 return False;
2239         }
2240
2241         blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2242
2243         if (DEBUGLEVEL >= 10) {
2244                 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2245         }
2246
2247         data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2248
2249         switch (auth_info.auth_level) {
2250         case DCERPC_AUTH_LEVEL_PRIVACY:
2251                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2252                                                 talloc_tos(),
2253                                                 true,
2254                                                 data,
2255                                                 data_len,
2256                                                 &blob);
2257                 break;
2258         case DCERPC_AUTH_LEVEL_INTEGRITY:
2259                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2260                                                 talloc_tos(),
2261                                                 false,
2262                                                 data,
2263                                                 data_len,
2264                                                 &blob);
2265                 break;
2266         default:
2267                 status = NT_STATUS_INTERNAL_ERROR;
2268                 break;
2269         }
2270
2271         if (!NT_STATUS_IS_OK(status)) {
2272                 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2273                 return false;
2274         }
2275
2276         /*
2277          * Return the current pointer to the data offset.
2278          */
2279
2280         if(!prs_set_offset(rpc_in, save_offset)) {
2281                 DEBUG(0,("failed to set offset back to %u\n",
2282                          (unsigned int)save_offset ));
2283                 return False;
2284         }
2285
2286         /*
2287          * Remember the padding length. We must remove it from the real data
2288          * stream once the sign/seal is done.
2289          */
2290
2291         *p_ss_padding_len = auth_info.auth_pad_len;
2292
2293         return True;
2294 }
2295
2296 /****************************************************************************
2297  Find the set of RPC functions associated with this context_id
2298 ****************************************************************************/
2299
2300 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2301 {
2302         PIPE_RPC_FNS *fns = NULL;
2303
2304         if ( !list ) {
2305                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2306                 return NULL;
2307         }
2308
2309         for (fns=list; fns; fns=fns->next ) {
2310                 if ( fns->context_id == context_id )
2311                         return fns;
2312         }
2313         return NULL;
2314 }
2315
2316 /****************************************************************************
2317  Memory cleanup.
2318 ****************************************************************************/
2319
2320 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2321 {
2322         PIPE_RPC_FNS *tmp = list;
2323         PIPE_RPC_FNS *tmp2;
2324
2325         while (tmp) {
2326                 tmp2 = tmp->next;
2327                 SAFE_FREE(tmp);
2328                 tmp = tmp2;
2329         }
2330
2331         return; 
2332 }
2333
2334 static bool api_rpcTNP(pipes_struct *p,
2335                        const struct api_struct *api_rpc_cmds, int n_cmds);
2336
2337 /****************************************************************************
2338  Find the correct RPC function to call for this request.
2339  If the pipe is authenticated then become the correct UNIX user
2340  before doing the call.
2341 ****************************************************************************/
2342
2343 bool api_pipe_request(pipes_struct *p)
2344 {
2345         bool ret = False;
2346         bool changed_user = False;
2347         PIPE_RPC_FNS *pipe_fns;
2348
2349         if (p->pipe_bound &&
2350                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2351                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2352                 if(!become_authenticated_pipe_user(p)) {
2353                         prs_mem_free(&p->out_data.rdata);
2354                         return False;
2355                 }
2356                 changed_user = True;
2357         }
2358
2359         DEBUG(5, ("Requested \\PIPE\\%s\n", get_pipe_name_tos(p)));
2360
2361         /* get the set of RPC functions for this context */
2362
2363         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2364
2365         if ( pipe_fns ) {
2366                 TALLOC_CTX *frame = talloc_stackframe();
2367                 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2368                 TALLOC_FREE(frame);
2369         }
2370         else {
2371                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2372                          p->hdr_req.context_id, get_pipe_name_tos(p)));
2373         }
2374
2375         if (changed_user) {
2376                 unbecome_authenticated_pipe_user();
2377         }
2378
2379         return ret;
2380 }
2381
2382 /*******************************************************************
2383  Calls the underlying RPC function for a named pipe.
2384  ********************************************************************/
2385
2386 static bool api_rpcTNP(pipes_struct *p,
2387                        const struct api_struct *api_rpc_cmds, int n_cmds)
2388 {
2389         int fn_num;
2390         uint32 offset1, offset2;
2391
2392         /* interpret the command */
2393         DEBUG(4,("api_rpcTNP: %s op 0x%x - ", get_pipe_name_tos(p),
2394                  p->hdr_req.opnum));
2395
2396         if (DEBUGLEVEL >= 50) {
2397                 fstring name;
2398                 slprintf(name, sizeof(name)-1, "in_%s", get_pipe_name_tos(p));
2399                 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2400         }
2401
2402         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2403                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2404                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2405                         break;
2406                 }
2407         }
2408
2409         if (fn_num == n_cmds) {
2410                 /*
2411                  * For an unknown RPC just return a fault PDU but
2412                  * return True to allow RPC's on the pipe to continue
2413                  * and not put the pipe into fault state. JRA.
2414                  */
2415                 DEBUG(4, ("unknown\n"));
2416                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2417                 return True;
2418         }
2419
2420         offset1 = prs_offset(&p->out_data.rdata);
2421
2422         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2423                 fn_num, api_rpc_cmds[fn_num].fn));
2424         /* do the actual command */
2425         if(!api_rpc_cmds[fn_num].fn(p)) {
2426                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", get_pipe_name_tos(p),
2427                          api_rpc_cmds[fn_num].name));
2428                 prs_mem_free(&p->out_data.rdata);
2429                 return False;
2430         }
2431
2432         if (p->bad_handle_fault_state) {
2433                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2434                 p->bad_handle_fault_state = False;
2435                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2436                 return True;
2437         }
2438
2439         if (p->rng_fault_state) {
2440                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2441                 p->rng_fault_state = False;
2442                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2443                 return True;
2444         }
2445
2446         offset2 = prs_offset(&p->out_data.rdata);
2447         prs_set_offset(&p->out_data.rdata, offset1);
2448         if (DEBUGLEVEL >= 50) {
2449                 fstring name;
2450                 slprintf(name, sizeof(name)-1, "out_%s", get_pipe_name_tos(p));
2451                 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2452         }
2453         prs_set_offset(&p->out_data.rdata, offset2);
2454
2455         DEBUG(5,("api_rpcTNP: called %s successfully\n",
2456                  get_pipe_name_tos(p)));
2457
2458         /* Check for buffer underflow in rpc parsing */
2459
2460         if ((DEBUGLEVEL >= 10) && 
2461             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2462                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2463                 char *data = (char *)SMB_MALLOC(data_len);
2464
2465                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2466                 if (data) {
2467                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2468                         SAFE_FREE(data);
2469                 }
2470
2471         }
2472
2473         return True;
2474 }