1bd170f90135d2c2b5ffaaf035d9d388686051ee
[ira/wip.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005.
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31 #include "../libcli/auth/libcli_auth.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/schannel_proto.h"
35
36 extern struct current_user current_user;
37
38 #undef DBGC_CLASS
39 #define DBGC_CLASS DBGC_RPC_SRV
40
41 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
42 {
43         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
44
45         if (a) {
46                 auth_ntlmssp_end(&a);
47         }
48         auth->a_u.auth_ntlmssp_state = NULL;
49 }
50
51 static DATA_BLOB generic_session_key(void)
52 {
53         return data_blob("SystemLibraryDTC", 16);
54 }
55
56 /*******************************************************************
57  Generate the next PDU to be returned from the data in p->rdata. 
58  Handle NTLMSSP.
59  ********************************************************************/
60
61 static bool create_next_pdu_ntlmssp(pipes_struct *p)
62 {
63         RPC_HDR_RESP hdr_resp;
64         uint32 ss_padding_len = 0;
65         uint32 data_space_available;
66         uint32 data_len_left;
67         uint32 data_len;
68         NTSTATUS status;
69         DATA_BLOB auth_blob;
70         RPC_HDR_AUTH auth_info;
71         uint8 auth_type, auth_level;
72         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
73
74         /*
75          * If we're in the fault state, keep returning fault PDU's until
76          * the pipe gets closed. JRA.
77          */
78
79         if(p->fault_state) {
80                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
81                 return True;
82         }
83
84         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
85
86         /* Change the incoming request header to a response. */
87         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
88
89         /* Set up rpc header flags. */
90         if (p->out_data.data_sent_length == 0) {
91                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
92         } else {
93                 p->hdr.flags = 0;
94         }
95
96         /*
97          * Work out how much we can fit in a single PDU.
98          */
99
100         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
101
102         /*
103          * Ensure there really is data left to send.
104          */
105
106         if(!data_len_left) {
107                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
108                 return False;
109         }
110
111         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
112                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
113
114         /*
115          * The amount we send is the minimum of the available
116          * space and the amount left to send.
117          */
118
119         data_len = MIN(data_len_left, data_space_available);
120
121         /*
122          * Set up the alloc hint. This should be the data left to
123          * send.
124          */
125
126         hdr_resp.alloc_hint = data_len_left;
127
128         /*
129          * Work out if this PDU will be the last.
130          */
131
132         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
133                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
134                 if (data_len_left % 8) {
135                         ss_padding_len = 8 - (data_len_left % 8);
136                         DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
137                                 ss_padding_len ));
138                 }
139         }
140
141         /*
142          * Set up the header lengths.
143          */
144
145         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
146                         data_len + ss_padding_len +
147                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
148         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
149
150
151         /*
152          * Init the parse struct to point at the outgoing
153          * data.
154          */
155
156         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
157
158         /* Store the header in the data stream. */
159         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
160                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
161                 prs_mem_free(&p->out_data.frag);
162                 return False;
163         }
164
165         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
166                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
167                 prs_mem_free(&p->out_data.frag);
168                 return False;
169         }
170
171         /* Copy the data into the PDU. */
172
173         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
174                                      p->out_data.data_sent_length, data_len)) {
175                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
176                 prs_mem_free(&p->out_data.frag);
177                 return False;
178         }
179
180         /* Copy the sign/seal padding data. */
181         if (ss_padding_len) {
182                 char pad[8];
183
184                 memset(pad, '\0', 8);
185                 if (!prs_copy_data_in(&p->out_data.frag, pad,
186                                       ss_padding_len)) {
187                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
188                                         (unsigned int)ss_padding_len));
189                         prs_mem_free(&p->out_data.frag);
190                         return False;
191                 }
192         }
193
194
195         /* Now write out the auth header and null blob. */
196         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
197                 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
198         } else {
199                 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
200         }
201         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
202                 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
203         } else {
204                 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
205         }
206
207         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
208         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag,
209                                 0)) {
210                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
211                 prs_mem_free(&p->out_data.frag);
212                 return False;
213         }
214
215         /* Generate the sign blob. */
216
217         switch (p->auth.auth_level) {
218                 case DCERPC_AUTH_LEVEL_PRIVACY:
219                         /* Data portion is encrypted. */
220                         status = ntlmssp_seal_packet(
221                                 a->ntlmssp_state,
222                                 (uint8_t *)prs_data_p(&p->out_data.frag)
223                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
224                                 data_len + ss_padding_len,
225                                 (unsigned char *)prs_data_p(&p->out_data.frag),
226                                 (size_t)prs_offset(&p->out_data.frag),
227                                 &auth_blob);
228                         if (!NT_STATUS_IS_OK(status)) {
229                                 data_blob_free(&auth_blob);
230                                 prs_mem_free(&p->out_data.frag);
231                                 return False;
232                         }
233                         break;
234                 case DCERPC_AUTH_LEVEL_INTEGRITY:
235                         /* Data is signed. */
236                         status = ntlmssp_sign_packet(
237                                 a->ntlmssp_state,
238                                 (unsigned char *)prs_data_p(&p->out_data.frag)
239                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
240                                 data_len + ss_padding_len,
241                                 (unsigned char *)prs_data_p(&p->out_data.frag),
242                                 (size_t)prs_offset(&p->out_data.frag),
243                                 &auth_blob);
244                         if (!NT_STATUS_IS_OK(status)) {
245                                 data_blob_free(&auth_blob);
246                                 prs_mem_free(&p->out_data.frag);
247                                 return False;
248                         }
249                         break;
250                 default:
251                         prs_mem_free(&p->out_data.frag);
252                         return False;
253         }
254
255         /* Append the auth blob. */
256         if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
257                               NTLMSSP_SIG_SIZE)) {
258                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
259                                 (unsigned int)NTLMSSP_SIG_SIZE));
260                 data_blob_free(&auth_blob);
261                 prs_mem_free(&p->out_data.frag);
262                 return False;
263         }
264
265         data_blob_free(&auth_blob);
266
267         /*
268          * Setup the counts for this PDU.
269          */
270
271         p->out_data.data_sent_length += data_len;
272         p->out_data.current_pdu_sent = 0;
273
274         return True;
275 }
276
277 /*******************************************************************
278  Generate the next PDU to be returned from the data in p->rdata. 
279  Return an schannel authenticated fragment.
280  ********************************************************************/
281
282 static bool create_next_pdu_schannel(pipes_struct *p)
283 {
284         RPC_HDR_RESP hdr_resp;
285         uint32 ss_padding_len = 0;
286         uint32 data_len;
287         uint32 data_space_available;
288         uint32 data_len_left;
289         uint32 data_pos;
290         NTSTATUS status;
291
292         /*
293          * If we're in the fault state, keep returning fault PDU's until
294          * the pipe gets closed. JRA.
295          */
296
297         if(p->fault_state) {
298                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
299                 return True;
300         }
301
302         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
303
304         /* Change the incoming request header to a response. */
305         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
306
307         /* Set up rpc header flags. */
308         if (p->out_data.data_sent_length == 0) {
309                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
310         } else {
311                 p->hdr.flags = 0;
312         }
313
314         /*
315          * Work out how much we can fit in a single PDU.
316          */
317
318         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
319
320         /*
321          * Ensure there really is data left to send.
322          */
323
324         if(!data_len_left) {
325                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
326                 return False;
327         }
328
329         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
330                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
331                 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
332
333         /*
334          * The amount we send is the minimum of the available
335          * space and the amount left to send.
336          */
337
338         data_len = MIN(data_len_left, data_space_available);
339
340         /*
341          * Set up the alloc hint. This should be the data left to
342          * send.
343          */
344
345         hdr_resp.alloc_hint = data_len_left;
346
347         /*
348          * Work out if this PDU will be the last.
349          */
350
351         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
352                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
353                 if (data_len_left % 8) {
354                         ss_padding_len = 8 - (data_len_left % 8);
355                         DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
356                                 ss_padding_len ));
357                 }
358         }
359
360         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
361                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
362         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
363
364         /*
365          * Init the parse struct to point at the outgoing
366          * data.
367          */
368
369         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
370
371         /* Store the header in the data stream. */
372         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
373                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
374                 prs_mem_free(&p->out_data.frag);
375                 return False;
376         }
377
378         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
379                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
380                 prs_mem_free(&p->out_data.frag);
381                 return False;
382         }
383
384         /* Store the current offset. */
385         data_pos = prs_offset(&p->out_data.frag);
386
387         /* Copy the data into the PDU. */
388
389         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
390                                      p->out_data.data_sent_length, data_len)) {
391                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
392                 prs_mem_free(&p->out_data.frag);
393                 return False;
394         }
395
396         /* Copy the sign/seal padding data. */
397         if (ss_padding_len) {
398                 char pad[8];
399                 memset(pad, '\0', 8);
400                 if (!prs_copy_data_in(&p->out_data.frag, pad,
401                                       ss_padding_len)) {
402                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
403                         prs_mem_free(&p->out_data.frag);
404                         return False;
405                 }
406         }
407
408         {
409                 /*
410                  * Schannel processing.
411                  */
412                 RPC_HDR_AUTH auth_info;
413                 DATA_BLOB blob;
414
415                 /* Check it's the type of reply we were expecting to decode */
416
417                 init_rpc_hdr_auth(&auth_info,
418                                 DCERPC_AUTH_TYPE_SCHANNEL,
419                                 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
420                                         DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
421                                 ss_padding_len, 1);
422
423                 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
424                                         &p->out_data.frag, 0)) {
425                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
426                         prs_mem_free(&p->out_data.frag);
427                         return False;
428                 }
429
430                 switch (p->auth.auth_level) {
431                 case DCERPC_AUTH_LEVEL_PRIVACY:
432                         status = schannel_seal_packet(p->auth.a_u.schannel_auth,
433                                                       talloc_tos(),
434                                                       (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos,
435                                                       data_len + ss_padding_len,
436                                                       &blob);
437                         break;
438                 case DCERPC_AUTH_LEVEL_INTEGRITY:
439                         status = schannel_sign_packet(p->auth.a_u.schannel_auth,
440                                                       talloc_tos(),
441                                                       (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos,
442                                                       data_len + ss_padding_len,
443                                                       &blob);
444                         break;
445                 default:
446                         status = NT_STATUS_INTERNAL_ERROR;
447                         break;
448                 }
449
450                 if (!NT_STATUS_IS_OK(status)) {
451                         DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
452                                 nt_errstr(status)));
453                         prs_mem_free(&p->out_data.frag);
454                         return false;
455                 }
456
457                 /* Finally marshall the blob. */
458
459                 if (DEBUGLEVEL >= 10) {
460                         dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
461                 }
462
463                 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
464                         prs_mem_free(&p->out_data.frag);
465                         return false;
466                 }
467         }
468
469         /*
470          * Setup the counts for this PDU.
471          */
472
473         p->out_data.data_sent_length += data_len;
474         p->out_data.current_pdu_sent = 0;
475
476         return True;
477 }
478
479 /*******************************************************************
480  Generate the next PDU to be returned from the data in p->rdata. 
481  No authentication done.
482 ********************************************************************/
483
484 static bool create_next_pdu_noauth(pipes_struct *p)
485 {
486         RPC_HDR_RESP hdr_resp;
487         uint32 data_len;
488         uint32 data_space_available;
489         uint32 data_len_left;
490
491         /*
492          * If we're in the fault state, keep returning fault PDU's until
493          * the pipe gets closed. JRA.
494          */
495
496         if(p->fault_state) {
497                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
498                 return True;
499         }
500
501         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
502
503         /* Change the incoming request header to a response. */
504         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
505
506         /* Set up rpc header flags. */
507         if (p->out_data.data_sent_length == 0) {
508                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
509         } else {
510                 p->hdr.flags = 0;
511         }
512
513         /*
514          * Work out how much we can fit in a single PDU.
515          */
516
517         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
518
519         /*
520          * Ensure there really is data left to send.
521          */
522
523         if(!data_len_left) {
524                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
525                 return False;
526         }
527
528         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
529                 - RPC_HDR_RESP_LEN;
530
531         /*
532          * The amount we send is the minimum of the available
533          * space and the amount left to send.
534          */
535
536         data_len = MIN(data_len_left, data_space_available);
537
538         /*
539          * Set up the alloc hint. This should be the data left to
540          * send.
541          */
542
543         hdr_resp.alloc_hint = data_len_left;
544
545         /*
546          * Work out if this PDU will be the last.
547          */
548
549         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
550                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
551         }
552
553         /*
554          * Set up the header lengths.
555          */
556
557         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
558         p->hdr.auth_len = 0;
559
560         /*
561          * Init the parse struct to point at the outgoing
562          * data.
563          */
564
565         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
566
567         /* Store the header in the data stream. */
568         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
569                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
570                 prs_mem_free(&p->out_data.frag);
571                 return False;
572         }
573
574         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
575                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
576                 prs_mem_free(&p->out_data.frag);
577                 return False;
578         }
579
580         /* Copy the data into the PDU. */
581
582         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
583                                      p->out_data.data_sent_length, data_len)) {
584                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
585                 prs_mem_free(&p->out_data.frag);
586                 return False;
587         }
588
589         /*
590          * Setup the counts for this PDU.
591          */
592
593         p->out_data.data_sent_length += data_len;
594         p->out_data.current_pdu_sent = 0;
595
596         return True;
597 }
598
599 /*******************************************************************
600  Generate the next PDU to be returned from the data in p->rdata. 
601 ********************************************************************/
602
603 bool create_next_pdu(pipes_struct *p)
604 {
605         switch(p->auth.auth_level) {
606                 case DCERPC_AUTH_LEVEL_NONE:
607                 case DCERPC_AUTH_LEVEL_CONNECT:
608                         /* This is incorrect for auth level connect. Fixme. JRA */
609                         return create_next_pdu_noauth(p);
610
611                 default:
612                         switch(p->auth.auth_type) {
613                                 case PIPE_AUTH_TYPE_NTLMSSP:
614                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
615                                         return create_next_pdu_ntlmssp(p);
616                                 case PIPE_AUTH_TYPE_SCHANNEL:
617                                         return create_next_pdu_schannel(p);
618                                 default:
619                                         break;
620                         }
621         }
622
623         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
624                         (unsigned int)p->auth.auth_level,
625                         (unsigned int)p->auth.auth_type));
626         return False;
627 }
628
629 /*******************************************************************
630  Process an NTLMSSP authentication response.
631  If this function succeeds, the user has been authenticated
632  and their domain, name and calling workstation stored in
633  the pipe struct.
634 *******************************************************************/
635
636 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
637 {
638         DATA_BLOB session_key, reply;
639         NTSTATUS status;
640         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
641         bool ret;
642
643         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
644                  get_pipe_name_from_iface(&p->syntax)));
645
646         ZERO_STRUCT(reply);
647
648         /* this has to be done as root in order to verify the password */
649         become_root();
650         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
651         unbecome_root();
652
653         /* Don't generate a reply. */
654         data_blob_free(&reply);
655
656         if (!NT_STATUS_IS_OK(status)) {
657                 return False;
658         }
659
660         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
661            ensure the underlying NTLMSSP flags are also set. If not we should
662            refuse the bind. */
663
664         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
665                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
666                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
667                                 "but client declined signing.\n",
668                                 get_pipe_name_from_iface(&p->syntax)));
669                         return False;
670                 }
671         }
672         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
673                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
674                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
675                                 "but client declined sealing.\n",
676                                 get_pipe_name_from_iface(&p->syntax)));
677                         return False;
678                 }
679         }
680
681         DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
682                   "workstation: %s\n", a->ntlmssp_state->user,
683                   a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
684
685         if (a->server_info->ptok == NULL) {
686                 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
687                 return False;
688         }
689
690         TALLOC_FREE(p->server_info);
691
692         p->server_info = copy_serverinfo(p, a->server_info);
693         if (p->server_info == NULL) {
694                 DEBUG(0, ("copy_serverinfo failed\n"));
695                 return false;
696         }
697
698         /*
699          * We're an authenticated bind over smb, so the session key needs to
700          * be set to "SystemLibraryDTC". Weird, but this is what Windows
701          * does. See the RPC-SAMBA3SESSIONKEY.
702          */
703
704         session_key = generic_session_key();
705         if (session_key.data == NULL) {
706                 return False;
707         }
708
709         ret = server_info_set_session_key(p->server_info, session_key);
710
711         data_blob_free(&session_key);
712
713         return True;
714 }
715
716 /*******************************************************************
717  The switch table for the pipe names and the functions to handle them.
718 *******************************************************************/
719
720 struct rpc_table {
721         struct {
722                 const char *clnt;
723                 const char *srv;
724         } pipe;
725         struct ndr_syntax_id rpc_interface;
726         const struct api_struct *cmds;
727         int n_cmds;
728 };
729
730 static struct rpc_table *rpc_lookup;
731 static int rpc_lookup_size;
732
733 /*******************************************************************
734  This is the "stage3" NTLMSSP response after a bind request and reply.
735 *******************************************************************/
736
737 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
738 {
739         RPC_HDR_AUTH auth_info;
740         uint32 pad = 0;
741         DATA_BLOB blob;
742
743         ZERO_STRUCT(blob);
744
745         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
746
747         if (p->hdr.auth_len == 0) {
748                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
749                 goto err;
750         }
751
752         /* 4 bytes padding. */
753         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
754                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
755                 goto err;
756         }
757
758         /*
759          * Decode the authentication verifier response.
760          */
761
762         if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
763                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
764                 goto err;
765         }
766
767         if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
768                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
769                         (unsigned int)auth_info.auth_type ));
770                 return False;
771         }
772
773         blob = data_blob(NULL,p->hdr.auth_len);
774
775         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
776                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
777                         (unsigned int)p->hdr.auth_len ));
778                 goto err;
779         }
780
781         /*
782          * The following call actually checks the challenge/response data.
783          * for correctness against the given DOMAIN\user name.
784          */
785
786         if (!pipe_ntlmssp_verify_final(p, &blob)) {
787                 goto err;
788         }
789
790         data_blob_free(&blob);
791
792         p->pipe_bound = True;
793
794         return True;
795
796  err:
797
798         data_blob_free(&blob);
799         free_pipe_ntlmssp_auth_data(&p->auth);
800         p->auth.a_u.auth_ntlmssp_state = NULL;
801
802         return False;
803 }
804
805 /*******************************************************************
806  Marshall a bind_nak pdu.
807 *******************************************************************/
808
809 static bool setup_bind_nak(pipes_struct *p)
810 {
811         RPC_HDR nak_hdr;
812         uint16 zero = 0;
813
814         /* Free any memory in the current return data buffer. */
815         prs_mem_free(&p->out_data.rdata);
816
817         /*
818          * Marshall directly into the outgoing PDU space. We
819          * must do this as we need to set to the bind response
820          * header and are never sending more than one PDU here.
821          */
822
823         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
824
825         /*
826          * Initialize a bind_nak header.
827          */
828
829         init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
830                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
831
832         /*
833          * Marshall the header into the outgoing PDU.
834          */
835
836         if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
837                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
838                 prs_mem_free(&p->out_data.frag);
839                 return False;
840         }
841
842         /*
843          * Now add the reject reason.
844          */
845
846         if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
847                 prs_mem_free(&p->out_data.frag);
848                 return False;
849         }
850
851         p->out_data.data_sent_length = 0;
852         p->out_data.current_pdu_sent = 0;
853
854         if (p->auth.auth_data_free_func) {
855                 (*p->auth.auth_data_free_func)(&p->auth);
856         }
857         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
858         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
859         p->pipe_bound = False;
860
861         return True;
862 }
863
864 /*******************************************************************
865  Marshall a fault pdu.
866 *******************************************************************/
867
868 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
869 {
870         RPC_HDR fault_hdr;
871         RPC_HDR_RESP hdr_resp;
872         RPC_HDR_FAULT fault_resp;
873
874         /* Free any memory in the current return data buffer. */
875         prs_mem_free(&p->out_data.rdata);
876
877         /*
878          * Marshall directly into the outgoing PDU space. We
879          * must do this as we need to set to the bind response
880          * header and are never sending more than one PDU here.
881          */
882
883         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
884
885         /*
886          * Initialize a fault header.
887          */
888
889         init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
890             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
891
892         /*
893          * Initialize the HDR_RESP and FAULT parts of the PDU.
894          */
895
896         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
897
898         fault_resp.status = status;
899         fault_resp.reserved = 0;
900
901         /*
902          * Marshall the header into the outgoing PDU.
903          */
904
905         if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
906                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
907                 prs_mem_free(&p->out_data.frag);
908                 return False;
909         }
910
911         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
912                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
913                 prs_mem_free(&p->out_data.frag);
914                 return False;
915         }
916
917         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
918                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
919                 prs_mem_free(&p->out_data.frag);
920                 return False;
921         }
922
923         p->out_data.data_sent_length = 0;
924         p->out_data.current_pdu_sent = 0;
925
926         return True;
927 }
928
929 #if 0
930 /*******************************************************************
931  Marshall a cancel_ack pdu.
932  We should probably check the auth-verifier here.
933 *******************************************************************/
934
935 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
936 {
937         prs_struct outgoing_pdu;
938         RPC_HDR ack_reply_hdr;
939
940         /* Free any memory in the current return data buffer. */
941         prs_mem_free(&p->out_data.rdata);
942
943         /*
944          * Marshall directly into the outgoing PDU space. We
945          * must do this as we need to set to the bind response
946          * header and are never sending more than one PDU here.
947          */
948
949         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
950         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
951
952         /*
953          * Initialize a cancel_ack header.
954          */
955
956         init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
957                         p->hdr.call_id, RPC_HEADER_LEN, 0);
958
959         /*
960          * Marshall the header into the outgoing PDU.
961          */
962
963         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
964                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
965                 prs_mem_free(&outgoing_pdu);
966                 return False;
967         }
968
969         p->out_data.data_sent_length = 0;
970         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
971         p->out_data.current_pdu_sent = 0;
972
973         prs_mem_free(&outgoing_pdu);
974         return True;
975 }
976 #endif
977
978 /*******************************************************************
979  Ensure a bind request has the correct abstract & transfer interface.
980  Used to reject unknown binds from Win2k.
981 *******************************************************************/
982
983 static bool check_bind_req(struct pipes_struct *p,
984                            struct ndr_syntax_id* abstract,
985                            struct ndr_syntax_id* transfer,
986                            uint32 context_id)
987 {
988         int i=0;
989         struct pipe_rpc_fns *context_fns;
990
991         DEBUG(3,("check_bind_req for %s\n",
992                  get_pipe_name_from_iface(&p->syntax)));
993
994         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
995
996         for (i=0; i<rpc_lookup_size; i++) {
997                 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
998                 if (ndr_syntax_id_equal(
999                             abstract, &rpc_lookup[i].rpc_interface)
1000                     && ndr_syntax_id_equal(
1001                             transfer, &ndr_transfer_syntax)) {
1002                         break;
1003                 }
1004         }
1005
1006         if (i == rpc_lookup_size) {
1007                 return false;
1008         }
1009
1010         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1011         if (context_fns == NULL) {
1012                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1013                 return False;
1014         }
1015
1016         context_fns->cmds = rpc_lookup[i].cmds;
1017         context_fns->n_cmds = rpc_lookup[i].n_cmds;
1018         context_fns->context_id = context_id;
1019
1020         /* add to the list of open contexts */
1021
1022         DLIST_ADD( p->contexts, context_fns );
1023
1024         return True;
1025 }
1026
1027 /*******************************************************************
1028  Register commands to an RPC pipe
1029 *******************************************************************/
1030
1031 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1032                           const struct ndr_interface_table *iface,
1033                           const struct api_struct *cmds, int size)
1034 {
1035         struct rpc_table *rpc_entry;
1036
1037         if (!clnt || !srv || !cmds) {
1038                 return NT_STATUS_INVALID_PARAMETER;
1039         }
1040
1041         if (version != SMB_RPC_INTERFACE_VERSION) {
1042                 DEBUG(0,("Can't register rpc commands!\n"
1043                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1044                          ", while this version of samba uses version %d!\n", 
1045                          version,SMB_RPC_INTERFACE_VERSION));
1046                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1047         }
1048
1049         /* TODO: 
1050          *
1051          * we still need to make sure that don't register the same commands twice!!!
1052          * 
1053          * --metze
1054          */
1055
1056         /* We use a temporary variable because this call can fail and 
1057            rpc_lookup will still be valid afterwards.  It could then succeed if
1058            called again later */
1059         rpc_lookup_size++;
1060         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1061         if (NULL == rpc_entry) {
1062                 rpc_lookup_size--;
1063                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1064                 return NT_STATUS_NO_MEMORY;
1065         } else {
1066                 rpc_lookup = rpc_entry;
1067         }
1068
1069         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1070         ZERO_STRUCTP(rpc_entry);
1071         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1072         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1073         rpc_entry->rpc_interface = iface->syntax_id;
1074         rpc_entry->cmds = cmds;
1075         rpc_entry->n_cmds = size;
1076
1077         return NT_STATUS_OK;
1078 }
1079
1080 /**
1081  * Is a named pipe known?
1082  * @param[in] cli_filename      The pipe name requested by the client
1083  * @result                      Do we want to serve this?
1084  */
1085 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1086 {
1087         const char *pipename = cli_filename;
1088         int i;
1089
1090         if (strnequal(pipename, "\\PIPE\\", 6)) {
1091                 pipename += 5;
1092         }
1093
1094         if (*pipename == '\\') {
1095                 pipename += 1;
1096         }
1097
1098         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1099                 DEBUG(10, ("refusing spoolss access\n"));
1100                 return false;
1101         }
1102
1103         for (i=0; i<rpc_lookup_size; i++) {
1104                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1105                         *syntax = rpc_lookup[i].rpc_interface;
1106                         return true;
1107                 }
1108         }
1109
1110         DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1111         return false;
1112 }
1113
1114 /*******************************************************************
1115  Handle a SPNEGO krb5 bind auth.
1116 *******************************************************************/
1117
1118 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1119                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1120 {
1121         return False;
1122 }
1123
1124 /*******************************************************************
1125  Handle the first part of a SPNEGO bind auth.
1126 *******************************************************************/
1127
1128 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1129                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1130 {
1131         DATA_BLOB blob;
1132         DATA_BLOB secblob;
1133         DATA_BLOB response;
1134         DATA_BLOB chal;
1135         char *OIDs[ASN1_MAX_OIDS];
1136         int i;
1137         NTSTATUS status;
1138         bool got_kerberos_mechanism = false;
1139         AUTH_NTLMSSP_STATE *a = NULL;
1140         RPC_HDR_AUTH auth_info;
1141
1142         ZERO_STRUCT(secblob);
1143         ZERO_STRUCT(chal);
1144         ZERO_STRUCT(response);
1145
1146         /* Grab the SPNEGO blob. */
1147         blob = data_blob(NULL,p->hdr.auth_len);
1148
1149         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1150                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1151                         (unsigned int)p->hdr.auth_len ));
1152                 goto err;
1153         }
1154
1155         if (blob.data[0] != ASN1_APPLICATION(0)) {
1156                 goto err;
1157         }
1158
1159         /* parse out the OIDs and the first sec blob */
1160         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1161                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1162                 goto err;
1163         }
1164
1165         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1166                 got_kerberos_mechanism = true;
1167         }
1168
1169         for (i=0;OIDs[i];i++) {
1170                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1171                 TALLOC_FREE(OIDs[i]);
1172         }
1173         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1174
1175         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1176                 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1177                 data_blob_free(&secblob);
1178                 data_blob_free(&blob);
1179                 return ret;
1180         }
1181
1182         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1183                 /* Free any previous auth type. */
1184                 free_pipe_ntlmssp_auth_data(&p->auth);
1185         }
1186
1187         if (!got_kerberos_mechanism) {
1188                 /* Initialize the NTLM engine. */
1189                 status = auth_ntlmssp_start(&a);
1190                 if (!NT_STATUS_IS_OK(status)) {
1191                         goto err;
1192                 }
1193
1194                 /*
1195                  * Pass the first security blob of data to it.
1196                  * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1197                  * which means we need another packet to complete the bind.
1198                  */
1199
1200                 status = auth_ntlmssp_update(a, secblob, &chal);
1201
1202                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1203                         DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1204                         goto err;
1205                 }
1206
1207                 /* Generate the response blob we need for step 2 of the bind. */
1208                 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1209         } else {
1210                 /*
1211                  * SPNEGO negotiate down to NTLMSSP. The subsequent
1212                  * code to process follow-up packets is not complete
1213                  * yet. JRA.
1214                  */
1215                 response = spnego_gen_auth_response(NULL,
1216                                         NT_STATUS_MORE_PROCESSING_REQUIRED,
1217                                         OID_NTLMSSP);
1218         }
1219
1220         /* Copy the blob into the pout_auth parse struct */
1221         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1222         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1223                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1224                 goto err;
1225         }
1226
1227         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1228                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1229                 goto err;
1230         }
1231
1232         p->auth.a_u.auth_ntlmssp_state = a;
1233         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1234         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1235
1236         data_blob_free(&blob);
1237         data_blob_free(&secblob);
1238         data_blob_free(&chal);
1239         data_blob_free(&response);
1240
1241         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1242         return True;
1243
1244  err:
1245
1246         data_blob_free(&blob);
1247         data_blob_free(&secblob);
1248         data_blob_free(&chal);
1249         data_blob_free(&response);
1250
1251         p->auth.a_u.auth_ntlmssp_state = NULL;
1252
1253         return False;
1254 }
1255
1256 /*******************************************************************
1257  Handle the second part of a SPNEGO bind auth.
1258 *******************************************************************/
1259
1260 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1261                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1262 {
1263         RPC_HDR_AUTH auth_info;
1264         DATA_BLOB spnego_blob;
1265         DATA_BLOB auth_blob;
1266         DATA_BLOB auth_reply;
1267         DATA_BLOB response;
1268         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1269
1270         ZERO_STRUCT(spnego_blob);
1271         ZERO_STRUCT(auth_blob);
1272         ZERO_STRUCT(auth_reply);
1273         ZERO_STRUCT(response);
1274
1275         /*
1276          * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1277          * fail here as 'a' == NULL.
1278          */
1279         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1280                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1281                 goto err;
1282         }
1283
1284         /* Grab the SPNEGO blob. */
1285         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1286
1287         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1288                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1289                         (unsigned int)p->hdr.auth_len ));
1290                 goto err;
1291         }
1292
1293         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1294                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1295                 goto err;
1296         }
1297
1298         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1299                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1300                 goto err;
1301         }
1302
1303         /*
1304          * The following call actually checks the challenge/response data.
1305          * for correctness against the given DOMAIN\user name.
1306          */
1307
1308         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1309                 goto err;
1310         }
1311
1312         data_blob_free(&spnego_blob);
1313         data_blob_free(&auth_blob);
1314
1315         /* Generate the spnego "accept completed" blob - no incoming data. */
1316         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1317
1318         /* Copy the blob into the pout_auth parse struct */
1319         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1320         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1321                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1322                 goto err;
1323         }
1324
1325         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1326                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1327                 goto err;
1328         }
1329
1330         data_blob_free(&auth_reply);
1331         data_blob_free(&response);
1332
1333         p->pipe_bound = True;
1334
1335         return True;
1336
1337  err:
1338
1339         data_blob_free(&spnego_blob);
1340         data_blob_free(&auth_blob);
1341         data_blob_free(&auth_reply);
1342         data_blob_free(&response);
1343
1344         free_pipe_ntlmssp_auth_data(&p->auth);
1345         p->auth.a_u.auth_ntlmssp_state = NULL;
1346
1347         return False;
1348 }
1349
1350 /*******************************************************************
1351  Handle an schannel bind auth.
1352 *******************************************************************/
1353
1354 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1355                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1356 {
1357         RPC_HDR_AUTH auth_info;
1358         struct NL_AUTH_MESSAGE neg;
1359         struct NL_AUTH_MESSAGE reply;
1360         bool ret;
1361         NTSTATUS status;
1362         struct netlogon_creds_CredentialState *creds;
1363         DATA_BLOB session_key;
1364         enum ndr_err_code ndr_err;
1365         DATA_BLOB blob;
1366
1367         blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1368                                prs_data_size(rpc_in_p));
1369
1370         ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1371                                (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1372         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1373                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1374                 return false;
1375         }
1376
1377         if (DEBUGLEVEL >= 10) {
1378                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1379         }
1380
1381         if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1382                 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1383                 return false;
1384         }
1385
1386         /*
1387          * The neg.oem_netbios_computer.a key here must match the remote computer name
1388          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1389          * operations that use credentials.
1390          */
1391
1392         become_root();
1393         status = schannel_fetch_session_key(p,
1394                                             neg.oem_netbios_computer.a,
1395                                             &creds);
1396         unbecome_root();
1397
1398         if (!NT_STATUS_IS_OK(status)) {
1399                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1400                 return False;
1401         }
1402
1403         p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1404         if (!p->auth.a_u.schannel_auth) {
1405                 TALLOC_FREE(creds);
1406                 return False;
1407         }
1408
1409         p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1410         p->auth.a_u.schannel_auth->seq_num = 0;
1411         p->auth.a_u.schannel_auth->initiator = false;
1412         p->auth.a_u.schannel_auth->creds = creds;
1413
1414         /*
1415          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1416          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1417          * struct of the person who opened the pipe. I need to test this further. JRA.
1418          *
1419          * VL. As we are mapping this to guest set the generic key
1420          * "SystemLibraryDTC" key here. It's a bit difficult to test against
1421          * W2k3, as it does not allow schannel binds against SAMR and LSA
1422          * anymore.
1423          */
1424
1425         session_key = generic_session_key();
1426         if (session_key.data == NULL) {
1427                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1428                           " key\n"));
1429                 return false;
1430         }
1431
1432         ret = server_info_set_session_key(p->server_info, session_key);
1433
1434         data_blob_free(&session_key);
1435
1436         if (!ret) {
1437                 DEBUG(0, ("server_info_set_session_key failed\n"));
1438                 return false;
1439         }
1440
1441         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1442         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1443                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1444                 return False;
1445         }
1446
1447         /*** SCHANNEL verifier ***/
1448
1449         reply.MessageType                       = NL_NEGOTIATE_RESPONSE;
1450         reply.Flags                             = 0;
1451         reply.Buffer.dummy                      = 5; /* ??? actually I don't think
1452                                                       * this has any meaning
1453                                                       * here - gd */
1454
1455         ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &reply,
1456                        (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1457         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1458                 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1459                 return false;
1460         }
1461
1462         if (DEBUGLEVEL >= 10) {
1463                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1464         }
1465
1466         if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1467                 return false;
1468         }
1469
1470         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1471                 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1472
1473         /* We're finished with this bind - no more packets. */
1474         p->auth.auth_data_free_func = NULL;
1475         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1476
1477         p->pipe_bound = True;
1478
1479         return True;
1480 }
1481
1482 /*******************************************************************
1483  Handle an NTLMSSP bind auth.
1484 *******************************************************************/
1485
1486 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1487                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1488 {
1489         RPC_HDR_AUTH auth_info;
1490         DATA_BLOB blob;
1491         DATA_BLOB response;
1492         NTSTATUS status;
1493         AUTH_NTLMSSP_STATE *a = NULL;
1494
1495         ZERO_STRUCT(blob);
1496         ZERO_STRUCT(response);
1497
1498         /* Grab the NTLMSSP blob. */
1499         blob = data_blob(NULL,p->hdr.auth_len);
1500
1501         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1502                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1503                         (unsigned int)p->hdr.auth_len ));
1504                 goto err;
1505         }
1506
1507         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1508                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1509                 goto err;
1510         }
1511
1512         /* We have an NTLMSSP blob. */
1513         status = auth_ntlmssp_start(&a);
1514         if (!NT_STATUS_IS_OK(status)) {
1515                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1516                         nt_errstr(status) ));
1517                 goto err;
1518         }
1519
1520         status = auth_ntlmssp_update(a, blob, &response);
1521         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1522                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1523                         nt_errstr(status) ));
1524                 goto err;
1525         }
1526
1527         data_blob_free(&blob);
1528
1529         /* Copy the blob into the pout_auth parse struct */
1530         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1531         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1532                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1533                 goto err;
1534         }
1535
1536         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1537                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1538                 goto err;
1539         }
1540
1541         p->auth.a_u.auth_ntlmssp_state = a;
1542         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1543         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1544
1545         data_blob_free(&blob);
1546         data_blob_free(&response);
1547
1548         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1549
1550         /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1551         return True;
1552
1553   err:
1554
1555         data_blob_free(&blob);
1556         data_blob_free(&response);
1557
1558         free_pipe_ntlmssp_auth_data(&p->auth);
1559         p->auth.a_u.auth_ntlmssp_state = NULL;
1560         return False;
1561 }
1562
1563 /*******************************************************************
1564  Respond to a pipe bind request.
1565 *******************************************************************/
1566
1567 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1568 {
1569         RPC_HDR_BA hdr_ba;
1570         RPC_HDR_RB hdr_rb;
1571         RPC_HDR_AUTH auth_info;
1572         uint16 assoc_gid;
1573         fstring ack_pipe_name;
1574         prs_struct out_hdr_ba;
1575         prs_struct out_auth;
1576         int i = 0;
1577         int auth_len = 0;
1578         unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1579
1580         /* No rebinds on a bound pipe - use alter context. */
1581         if (p->pipe_bound) {
1582                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1583                          "pipe %s.\n", get_pipe_name_from_iface(&p->syntax)));
1584                 return setup_bind_nak(p);
1585         }
1586
1587         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1588
1589         /* 
1590          * Marshall directly into the outgoing PDU space. We
1591          * must do this as we need to set to the bind response
1592          * header and are never sending more than one PDU here.
1593          */
1594
1595         /*
1596          * Setup the memory to marshall the ba header, and the
1597          * auth footers.
1598          */
1599
1600         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1601                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1602                 prs_mem_free(&p->out_data.frag);
1603                 return False;
1604         }
1605
1606         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1607                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1608                 prs_mem_free(&p->out_data.frag);
1609                 prs_mem_free(&out_hdr_ba);
1610                 return False;
1611         }
1612
1613         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1614
1615         ZERO_STRUCT(hdr_rb);
1616
1617         /* decode the bind request */
1618
1619         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1620                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1621                          "struct.\n"));
1622                 goto err_exit;
1623         }
1624
1625         if (hdr_rb.num_contexts == 0) {
1626                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1627                 goto err_exit;
1628         }
1629
1630         /*
1631          * Try and find the correct pipe name to ensure
1632          * that this is a pipe name we support.
1633          */
1634
1635         for (i = 0; i < rpc_lookup_size; i++) {
1636                 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1637                                         &hdr_rb.rpc_context[0].abstract)) {
1638                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1639                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1640                         break;
1641                 }
1642         }
1643
1644         if (i == rpc_lookup_size) {
1645                 NTSTATUS status;
1646
1647                 status = smb_probe_module(
1648                         "rpc", get_pipe_name_from_iface(
1649                                 &hdr_rb.rpc_context[0].abstract));
1650
1651                 if (NT_STATUS_IS_ERR(status)) {
1652                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1653                                 get_pipe_name_from_iface(&hdr_rb.rpc_context[0].abstract)));
1654                         prs_mem_free(&p->out_data.frag);
1655                         prs_mem_free(&out_hdr_ba);
1656                         prs_mem_free(&out_auth);
1657
1658                         return setup_bind_nak(p);
1659                 }
1660
1661                 for (i = 0; i < rpc_lookup_size; i++) {
1662                        if (strequal(rpc_lookup[i].pipe.clnt,
1663                                     get_pipe_name_from_iface(&p->syntax))) {
1664                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1665                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1666                                break;
1667                        }
1668                 }
1669
1670                 if (i == rpc_lookup_size) {
1671                         DEBUG(0, ("module %s doesn't provide functions for "
1672                                   "pipe %s!\n",
1673                                   get_pipe_name_from_iface(&p->syntax),
1674                                   get_pipe_name_from_iface(&p->syntax)));
1675                         goto err_exit;
1676                 }
1677         }
1678
1679         /* name has to be \PIPE\xxxxx */
1680         fstrcpy(ack_pipe_name, "\\PIPE\\");
1681         fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1682
1683         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1684
1685         /*
1686          * Check if this is an authenticated bind request.
1687          */
1688
1689         if (p->hdr.auth_len) {
1690                 /* 
1691                  * Decode the authentication verifier.
1692                  */
1693
1694                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1695                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1696                         goto err_exit;
1697                 }
1698
1699                 auth_type = auth_info.auth_type;
1700
1701                 /* Work out if we have to sign or seal etc. */
1702                 switch (auth_info.auth_level) {
1703                         case DCERPC_AUTH_LEVEL_INTEGRITY:
1704                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1705                                 break;
1706                         case DCERPC_AUTH_LEVEL_PRIVACY:
1707                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1708                                 break;
1709                         default:
1710                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1711                                         (unsigned int)auth_info.auth_level ));
1712                                 goto err_exit;
1713                 }
1714         } else {
1715                 ZERO_STRUCT(auth_info);
1716         }
1717
1718         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1719
1720         switch(auth_type) {
1721                 case DCERPC_AUTH_TYPE_NTLMSSP:
1722                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1723                                 goto err_exit;
1724                         }
1725                         assoc_gid = 0x7a77;
1726                         break;
1727
1728                 case DCERPC_AUTH_TYPE_SCHANNEL:
1729                         if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1730                                 goto err_exit;
1731                         }
1732                         break;
1733
1734                 case DCERPC_AUTH_TYPE_SPNEGO:
1735                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1736                                 goto err_exit;
1737                         }
1738                         break;
1739
1740                 case DCERPC_AUTH_TYPE_NONE:
1741                         /* Unauthenticated bind request. */
1742                         /* We're finished - no more packets. */
1743                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1744                         /* We must set the pipe auth_level here also. */
1745                         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1746                         p->pipe_bound = True;
1747                         /* The session key was initialized from the SMB
1748                          * session in make_internal_rpc_pipe_p */
1749                         break;
1750
1751                 default:
1752                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1753                         goto err_exit;
1754         }
1755
1756         /*
1757          * Create the bind response struct.
1758          */
1759
1760         /* If the requested abstract synt uuid doesn't match our client pipe,
1761                 reject the bind_ack & set the transfer interface synt to all 0's,
1762                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1763                 unknown to NT4)
1764                 Needed when adding entries to a DACL from NT5 - SK */
1765
1766         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1767                                 hdr_rb.rpc_context[0].context_id )) {
1768                 init_rpc_hdr_ba(&hdr_ba,
1769                         RPC_MAX_PDU_FRAG_LEN,
1770                         RPC_MAX_PDU_FRAG_LEN,
1771                         assoc_gid,
1772                         ack_pipe_name,
1773                         0x1, 0x0, 0x0,
1774                         &hdr_rb.rpc_context[0].transfer[0]);
1775         } else {
1776                 /* Rejection reason: abstract syntax not supported */
1777                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1778                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1779                                         ack_pipe_name, 0x1, 0x2, 0x1,
1780                                         &null_ndr_syntax_id);
1781                 p->pipe_bound = False;
1782         }
1783
1784         /*
1785          * and marshall it.
1786          */
1787
1788         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1789                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1790                 goto err_exit;
1791         }
1792
1793         /*
1794          * Create the header, now we know the length.
1795          */
1796
1797         if (prs_offset(&out_auth)) {
1798                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1799         }
1800
1801         init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1802                         p->hdr.call_id,
1803                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1804                         auth_len);
1805
1806         /*
1807          * Marshall the header into the outgoing PDU.
1808          */
1809
1810         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1811                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1812                 goto err_exit;
1813         }
1814
1815         /*
1816          * Now add the RPC_HDR_BA and any auth needed.
1817          */
1818
1819         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1820                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1821                 goto err_exit;
1822         }
1823
1824         if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1825                 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1826                 goto err_exit;
1827         }
1828
1829         /*
1830          * Setup the lengths for the initial reply.
1831          */
1832
1833         p->out_data.data_sent_length = 0;
1834         p->out_data.current_pdu_sent = 0;
1835
1836         prs_mem_free(&out_hdr_ba);
1837         prs_mem_free(&out_auth);
1838
1839         return True;
1840
1841   err_exit:
1842
1843         prs_mem_free(&p->out_data.frag);
1844         prs_mem_free(&out_hdr_ba);
1845         prs_mem_free(&out_auth);
1846         return setup_bind_nak(p);
1847 }
1848
1849 /****************************************************************************
1850  Deal with an alter context call. Can be third part of 3 leg auth request for
1851  SPNEGO calls.
1852 ****************************************************************************/
1853
1854 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1855 {
1856         RPC_HDR_BA hdr_ba;
1857         RPC_HDR_RB hdr_rb;
1858         RPC_HDR_AUTH auth_info;
1859         uint16 assoc_gid;
1860         fstring ack_pipe_name;
1861         prs_struct out_hdr_ba;
1862         prs_struct out_auth;
1863         int auth_len = 0;
1864
1865         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1866
1867         /* 
1868          * Marshall directly into the outgoing PDU space. We
1869          * must do this as we need to set to the bind response
1870          * header and are never sending more than one PDU here.
1871          */
1872
1873         /*
1874          * Setup the memory to marshall the ba header, and the
1875          * auth footers.
1876          */
1877
1878         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1879                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1880                 prs_mem_free(&p->out_data.frag);
1881                 return False;
1882         }
1883
1884         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1885                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1886                 prs_mem_free(&p->out_data.frag);
1887                 prs_mem_free(&out_hdr_ba);
1888                 return False;
1889         }
1890
1891         ZERO_STRUCT(hdr_rb);
1892
1893         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1894
1895         /* decode the alter context request */
1896         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1897                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1898                 goto err_exit;
1899         }
1900
1901         /* secondary address CAN be NULL
1902          * as the specs say it's ignored.
1903          * It MUST be NULL to have the spoolss working.
1904          */
1905         fstrcpy(ack_pipe_name,"");
1906
1907         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1908
1909         /*
1910          * Check if this is an authenticated alter context request.
1911          */
1912
1913         if (p->hdr.auth_len != 0) {
1914                 /* 
1915                  * Decode the authentication verifier.
1916                  */
1917
1918                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1919                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1920                         goto err_exit;
1921                 }
1922
1923                 /*
1924                  * Currently only the SPNEGO auth type uses the alter ctx
1925                  * response in place of the NTLMSSP auth3 type.
1926                  */
1927
1928                 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
1929                         /* We can only finish if the pipe is unbound. */
1930                         if (!p->pipe_bound) {
1931                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1932                                         goto err_exit;
1933                                 }
1934                         } else {
1935                                 goto err_exit;
1936                         }
1937                 }
1938         } else {
1939                 ZERO_STRUCT(auth_info);
1940         }
1941
1942         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1943
1944         /*
1945          * Create the bind response struct.
1946          */
1947
1948         /* If the requested abstract synt uuid doesn't match our client pipe,
1949                 reject the bind_ack & set the transfer interface synt to all 0's,
1950                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1951                 unknown to NT4)
1952                 Needed when adding entries to a DACL from NT5 - SK */
1953
1954         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1955                                 hdr_rb.rpc_context[0].context_id )) {
1956                 init_rpc_hdr_ba(&hdr_ba,
1957                         RPC_MAX_PDU_FRAG_LEN,
1958                         RPC_MAX_PDU_FRAG_LEN,
1959                         assoc_gid,
1960                         ack_pipe_name,
1961                         0x1, 0x0, 0x0,
1962                         &hdr_rb.rpc_context[0].transfer[0]);
1963         } else {
1964                 /* Rejection reason: abstract syntax not supported */
1965                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1966                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1967                                         ack_pipe_name, 0x1, 0x2, 0x1,
1968                                         &null_ndr_syntax_id);
1969                 p->pipe_bound = False;
1970         }
1971
1972         /*
1973          * and marshall it.
1974          */
1975
1976         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1977                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1978                 goto err_exit;
1979         }
1980
1981         /*
1982          * Create the header, now we know the length.
1983          */
1984
1985         if (prs_offset(&out_auth)) {
1986                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1987         }
1988
1989         init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1990                         p->hdr.call_id,
1991                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1992                         auth_len);
1993
1994         /*
1995          * Marshall the header into the outgoing PDU.
1996          */
1997
1998         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1999                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2000                 goto err_exit;
2001         }
2002
2003         /*
2004          * Now add the RPC_HDR_BA and any auth needed.
2005          */
2006
2007         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2008                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2009                 goto err_exit;
2010         }
2011
2012         if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) {
2013                 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2014                 goto err_exit;
2015         }
2016
2017         /*
2018          * Setup the lengths for the initial reply.
2019          */
2020
2021         p->out_data.data_sent_length = 0;
2022         p->out_data.current_pdu_sent = 0;
2023
2024         prs_mem_free(&out_hdr_ba);
2025         prs_mem_free(&out_auth);
2026
2027         return True;
2028
2029   err_exit:
2030
2031         prs_mem_free(&p->out_data.frag);
2032         prs_mem_free(&out_hdr_ba);
2033         prs_mem_free(&out_auth);
2034         return setup_bind_nak(p);
2035 }
2036
2037 /****************************************************************************
2038  Deal with NTLMSSP sign & seal processing on an RPC request.
2039 ****************************************************************************/
2040
2041 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2042                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2043 {
2044         RPC_HDR_AUTH auth_info;
2045         uint32 auth_len = p->hdr.auth_len;
2046         uint32 save_offset = prs_offset(rpc_in);
2047         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2048         unsigned char *data = NULL;
2049         size_t data_len;
2050         unsigned char *full_packet_data = NULL;
2051         size_t full_packet_data_len;
2052         DATA_BLOB auth_blob;
2053
2054         *pstatus = NT_STATUS_OK;
2055
2056         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2057                 return True;
2058         }
2059
2060         if (!a) {
2061                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2062                 return False;
2063         }
2064
2065         /* Ensure there's enough data for an authenticated request. */
2066         if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2067                         (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2068                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2069                         (unsigned int)auth_len ));
2070                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2071                 return False;
2072         }
2073
2074         /*
2075          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2076          * after the RPC header. 
2077          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2078          * functions as NTLMv2 checks the rpc headers also.
2079          */
2080
2081         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2082         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2083
2084         full_packet_data = p->in_data.current_in_pdu;
2085         full_packet_data_len = p->hdr.frag_len - auth_len;
2086
2087         /* Pull the auth header and the following data into a blob. */
2088         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2089                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2090                         (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2091                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2092                 return False;
2093         }
2094
2095         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2096                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2097                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2098                 return False;
2099         }
2100
2101         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2102         auth_blob.length = auth_len;
2103
2104         switch (p->auth.auth_level) {
2105                 case DCERPC_AUTH_LEVEL_PRIVACY:
2106                         /* Data is encrypted. */
2107                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2108                                                         data, data_len,
2109                                                         full_packet_data,
2110                                                         full_packet_data_len,
2111                                                         &auth_blob);
2112                         if (!NT_STATUS_IS_OK(*pstatus)) {
2113                                 return False;
2114                         }
2115                         break;
2116                 case DCERPC_AUTH_LEVEL_INTEGRITY:
2117                         /* Data is signed. */
2118                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2119                                                         data, data_len,
2120                                                         full_packet_data,
2121                                                         full_packet_data_len,
2122                                                         &auth_blob);
2123                         if (!NT_STATUS_IS_OK(*pstatus)) {
2124                                 return False;
2125                         }
2126                         break;
2127                 default:
2128                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2129                         return False;
2130         }
2131
2132         /*
2133          * Return the current pointer to the data offset.
2134          */
2135
2136         if(!prs_set_offset(rpc_in, save_offset)) {
2137                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2138                         (unsigned int)save_offset ));
2139                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2140                 return False;
2141         }
2142
2143         /*
2144          * Remember the padding length. We must remove it from the real data
2145          * stream once the sign/seal is done.
2146          */
2147
2148         *p_ss_padding_len = auth_info.auth_pad_len;
2149
2150         return True;
2151 }
2152
2153 /****************************************************************************
2154  Deal with schannel processing on an RPC request.
2155 ****************************************************************************/
2156
2157 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2158 {
2159         uint32 data_len;
2160         uint32 auth_len;
2161         uint32 save_offset = prs_offset(rpc_in);
2162         RPC_HDR_AUTH auth_info;
2163         DATA_BLOB blob;
2164         NTSTATUS status;
2165
2166         auth_len = p->hdr.auth_len;
2167
2168         if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2169                         auth_len > RPC_HEADER_LEN +
2170                                         RPC_HDR_REQ_LEN +
2171                                         RPC_HDR_AUTH_LEN +
2172                                         auth_len) {
2173                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2174                 return False;
2175         }
2176
2177         /*
2178          * The following is that length of the data we must verify or unseal.
2179          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2180          * preceeding the auth_data.
2181          */
2182
2183         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2184                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2185                         (unsigned int)p->hdr.frag_len,
2186                         (unsigned int)auth_len ));
2187                 return False;
2188         }
2189
2190         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2191                 RPC_HDR_AUTH_LEN - auth_len;
2192
2193         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2194
2195         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2196                 DEBUG(0,("cannot move offset to %u.\n",
2197                          (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2198                 return False;
2199         }
2200
2201         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2202                 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2203                 return False;
2204         }
2205
2206         if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2207                 DEBUG(0,("Invalid auth info %d on schannel\n",
2208                          auth_info.auth_type));
2209                 return False;
2210         }
2211
2212         blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2213
2214         if (DEBUGLEVEL >= 10) {
2215                 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2216         }
2217
2218         switch (auth_info.auth_level) {
2219         case DCERPC_AUTH_LEVEL_PRIVACY:
2220                 status = schannel_unseal_packet(p->auth.a_u.schannel_auth,
2221                                                 talloc_tos(),
2222                                                 (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN,
2223                                                 data_len,
2224                                                 &blob);
2225                 break;
2226         case DCERPC_AUTH_LEVEL_INTEGRITY:
2227                 status = schannel_check_packet(p->auth.a_u.schannel_auth,
2228                                                talloc_tos(),
2229                                                (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN,
2230                                                data_len,
2231                                                &blob);
2232                 break;
2233         default:
2234                 status = NT_STATUS_INTERNAL_ERROR;
2235                 break;
2236         }
2237
2238         if (!NT_STATUS_IS_OK(status)) {
2239                 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2240                 return false;
2241         }
2242
2243         /*
2244          * Return the current pointer to the data offset.
2245          */
2246
2247         if(!prs_set_offset(rpc_in, save_offset)) {
2248                 DEBUG(0,("failed to set offset back to %u\n",
2249                          (unsigned int)save_offset ));
2250                 return False;
2251         }
2252
2253         /*
2254          * Remember the padding length. We must remove it from the real data
2255          * stream once the sign/seal is done.
2256          */
2257
2258         *p_ss_padding_len = auth_info.auth_pad_len;
2259
2260         return True;
2261 }
2262
2263 /****************************************************************************
2264  Find the set of RPC functions associated with this context_id
2265 ****************************************************************************/
2266
2267 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2268 {
2269         PIPE_RPC_FNS *fns = NULL;
2270
2271         if ( !list ) {
2272                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2273                 return NULL;
2274         }
2275
2276         for (fns=list; fns; fns=fns->next ) {
2277                 if ( fns->context_id == context_id )
2278                         return fns;
2279         }
2280         return NULL;
2281 }
2282
2283 /****************************************************************************
2284  Memory cleanup.
2285 ****************************************************************************/
2286
2287 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2288 {
2289         PIPE_RPC_FNS *tmp = list;
2290         PIPE_RPC_FNS *tmp2;
2291
2292         while (tmp) {
2293                 tmp2 = tmp->next;
2294                 SAFE_FREE(tmp);
2295                 tmp = tmp2;
2296         }
2297
2298         return; 
2299 }
2300
2301 static bool api_rpcTNP(pipes_struct *p,
2302                        const struct api_struct *api_rpc_cmds, int n_cmds);
2303
2304 /****************************************************************************
2305  Find the correct RPC function to call for this request.
2306  If the pipe is authenticated then become the correct UNIX user
2307  before doing the call.
2308 ****************************************************************************/
2309
2310 bool api_pipe_request(pipes_struct *p)
2311 {
2312         bool ret = False;
2313         bool changed_user = False;
2314         PIPE_RPC_FNS *pipe_fns;
2315
2316         if (p->pipe_bound &&
2317                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2318                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2319                 if(!become_authenticated_pipe_user(p)) {
2320                         prs_mem_free(&p->out_data.rdata);
2321                         return False;
2322                 }
2323                 changed_user = True;
2324         }
2325
2326         DEBUG(5, ("Requested \\PIPE\\%s\n",
2327                   get_pipe_name_from_iface(&p->syntax)));
2328
2329         /* get the set of RPC functions for this context */
2330
2331         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2332
2333         if ( pipe_fns ) {
2334                 TALLOC_CTX *frame = talloc_stackframe();
2335                 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2336                 TALLOC_FREE(frame);
2337         }
2338         else {
2339                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2340                         p->hdr_req.context_id,
2341                         get_pipe_name_from_iface(&p->syntax)));
2342         }
2343
2344         if (changed_user) {
2345                 unbecome_authenticated_pipe_user();
2346         }
2347
2348         return ret;
2349 }
2350
2351 /*******************************************************************
2352  Calls the underlying RPC function for a named pipe.
2353  ********************************************************************/
2354
2355 static bool api_rpcTNP(pipes_struct *p,
2356                        const struct api_struct *api_rpc_cmds, int n_cmds)
2357 {
2358         int fn_num;
2359         uint32 offset1, offset2;
2360
2361         /* interpret the command */
2362         DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2363                  get_pipe_name_from_iface(&p->syntax), p->hdr_req.opnum));
2364
2365         if (DEBUGLEVEL >= 50) {
2366                 fstring name;
2367                 slprintf(name, sizeof(name)-1, "in_%s",
2368                          get_pipe_name_from_iface(&p->syntax));
2369                 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2370         }
2371
2372         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2373                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2374                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2375                         break;
2376                 }
2377         }
2378
2379         if (fn_num == n_cmds) {
2380                 /*
2381                  * For an unknown RPC just return a fault PDU but
2382                  * return True to allow RPC's on the pipe to continue
2383                  * and not put the pipe into fault state. JRA.
2384                  */
2385                 DEBUG(4, ("unknown\n"));
2386                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2387                 return True;
2388         }
2389
2390         offset1 = prs_offset(&p->out_data.rdata);
2391
2392         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2393                 fn_num, api_rpc_cmds[fn_num].fn));
2394         /* do the actual command */
2395         if(!api_rpc_cmds[fn_num].fn(p)) {
2396                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2397                          get_pipe_name_from_iface(&p->syntax),
2398                          api_rpc_cmds[fn_num].name));
2399                 prs_mem_free(&p->out_data.rdata);
2400                 return False;
2401         }
2402
2403         if (p->bad_handle_fault_state) {
2404                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2405                 p->bad_handle_fault_state = False;
2406                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2407                 return True;
2408         }
2409
2410         if (p->rng_fault_state) {
2411                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2412                 p->rng_fault_state = False;
2413                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2414                 return True;
2415         }
2416
2417         offset2 = prs_offset(&p->out_data.rdata);
2418         prs_set_offset(&p->out_data.rdata, offset1);
2419         if (DEBUGLEVEL >= 50) {
2420                 fstring name;
2421                 slprintf(name, sizeof(name)-1, "out_%s",
2422                          get_pipe_name_from_iface(&p->syntax));
2423                 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2424         }
2425         prs_set_offset(&p->out_data.rdata, offset2);
2426
2427         DEBUG(5,("api_rpcTNP: called %s successfully\n",
2428                  get_pipe_name_from_iface(&p->syntax)));
2429
2430         /* Check for buffer underflow in rpc parsing */
2431
2432         if ((DEBUGLEVEL >= 10) && 
2433             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2434                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2435                 char *data = (char *)SMB_MALLOC(data_len);
2436
2437                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2438                 if (data) {
2439                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2440                         SAFE_FREE(data);
2441                 }
2442
2443         }
2444
2445         return True;
2446 }