More fixes for bug #7146 - Samba miss-parses authenticated RPC packets.
[ira/wip.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005.
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31 #include "../librpc/gen_ndr/ndr_schannel.h"
32 #include "../libcli/auth/schannel.h"
33 #include "../libcli/auth/spnego.h"
34 #include "ntlmssp.h"
35
36 extern struct current_user current_user;
37
38 #undef DBGC_CLASS
39 #define DBGC_CLASS DBGC_RPC_SRV
40
41 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
42 {
43         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
44
45         if (a) {
46                 auth_ntlmssp_end(&a);
47         }
48         auth->a_u.auth_ntlmssp_state = NULL;
49 }
50
51 static DATA_BLOB generic_session_key(void)
52 {
53         return data_blob("SystemLibraryDTC", 16);
54 }
55
56 /*******************************************************************
57  Generate the next PDU to be returned from the data in p->rdata. 
58  Handle NTLMSSP.
59  ********************************************************************/
60
61 static bool create_next_pdu_ntlmssp(pipes_struct *p)
62 {
63         RPC_HDR_RESP hdr_resp;
64         uint32 ss_padding_len = 0;
65         uint32 data_space_available;
66         uint32 data_len_left;
67         uint32 data_len;
68         NTSTATUS status;
69         DATA_BLOB auth_blob;
70         RPC_HDR_AUTH auth_info;
71         uint8 auth_type, auth_level;
72         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
73
74         /*
75          * If we're in the fault state, keep returning fault PDU's until
76          * the pipe gets closed. JRA.
77          */
78
79         if(p->fault_state) {
80                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
81                 return True;
82         }
83
84         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
85
86         /* Change the incoming request header to a response. */
87         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
88
89         /* Set up rpc header flags. */
90         if (p->out_data.data_sent_length == 0) {
91                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
92         } else {
93                 p->hdr.flags = 0;
94         }
95
96         /*
97          * Work out how much we can fit in a single PDU.
98          */
99
100         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
101
102         /*
103          * Ensure there really is data left to send.
104          */
105
106         if(!data_len_left) {
107                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
108                 return False;
109         }
110
111         if (data_len_left % SERVER_NDR_PADDING_SIZE) {
112                 ss_padding_len = SERVER_NDR_PADDING_SIZE - (data_len_left % SERVER_NDR_PADDING_SIZE);
113                 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
114                         ss_padding_len ));
115         }
116
117         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN -
118                 RPC_HDR_RESP_LEN - ss_padding_len - RPC_HDR_AUTH_LEN -
119                 NTLMSSP_SIG_SIZE;
120
121         /*
122          * The amount we send is the minimum of the available
123          * space and the amount left to send.
124          */
125
126         data_len = MIN(data_len_left, data_space_available);
127
128         /*
129          * Set up the alloc hint. This should be the data left to
130          * send.
131          */
132
133         hdr_resp.alloc_hint = data_len_left;
134
135         /*
136          * Work out if this PDU will be the last.
137          */
138
139         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
140                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
141         }
142
143         /*
144          * Set up the header lengths.
145          */
146
147         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
148                         data_len + ss_padding_len +
149                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
150         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
151
152
153         /*
154          * Init the parse struct to point at the outgoing
155          * data.
156          */
157
158         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
159
160         /* Store the header in the data stream. */
161         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
162                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
163                 prs_mem_free(&p->out_data.frag);
164                 return False;
165         }
166
167         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
168                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
169                 prs_mem_free(&p->out_data.frag);
170                 return False;
171         }
172
173         /* Copy the data into the PDU. */
174
175         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
176                                      p->out_data.data_sent_length, data_len)) {
177                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
178                 prs_mem_free(&p->out_data.frag);
179                 return False;
180         }
181
182         /* Copy the sign/seal padding data. */
183         if (ss_padding_len) {
184                 char pad[SERVER_NDR_PADDING_SIZE];
185
186                 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
187                 if (!prs_copy_data_in(&p->out_data.frag, pad,
188                                       ss_padding_len)) {
189                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
190                                         (unsigned int)ss_padding_len));
191                         prs_mem_free(&p->out_data.frag);
192                         return False;
193                 }
194         }
195
196
197         /* Now write out the auth header and null blob. */
198         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
199                 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
200         } else {
201                 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
202         }
203         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
204                 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
205         } else {
206                 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
207         }
208
209         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
210
211         if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
212                                 &p->out_data.frag, 0)) {
213                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
214                 prs_mem_free(&p->out_data.frag);
215                 return False;
216         }
217
218         /* Generate the sign blob. */
219
220         switch (p->auth.auth_level) {
221                 case DCERPC_AUTH_LEVEL_PRIVACY:
222                         /* Data portion is encrypted. */
223                         status = ntlmssp_seal_packet(
224                                 a->ntlmssp_state,
225                                 (uint8_t *)prs_data_p(&p->out_data.frag)
226                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
227                                 data_len + ss_padding_len,
228                                 (unsigned char *)prs_data_p(&p->out_data.frag),
229                                 (size_t)prs_offset(&p->out_data.frag),
230                                 &auth_blob);
231                         if (!NT_STATUS_IS_OK(status)) {
232                                 data_blob_free(&auth_blob);
233                                 prs_mem_free(&p->out_data.frag);
234                                 return False;
235                         }
236                         break;
237                 case DCERPC_AUTH_LEVEL_INTEGRITY:
238                         /* Data is signed. */
239                         status = ntlmssp_sign_packet(
240                                 a->ntlmssp_state,
241                                 (unsigned char *)prs_data_p(&p->out_data.frag)
242                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
243                                 data_len + ss_padding_len,
244                                 (unsigned char *)prs_data_p(&p->out_data.frag),
245                                 (size_t)prs_offset(&p->out_data.frag),
246                                 &auth_blob);
247                         if (!NT_STATUS_IS_OK(status)) {
248                                 data_blob_free(&auth_blob);
249                                 prs_mem_free(&p->out_data.frag);
250                                 return False;
251                         }
252                         break;
253                 default:
254                         prs_mem_free(&p->out_data.frag);
255                         return False;
256         }
257
258         /* Append the auth blob. */
259         if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
260                               NTLMSSP_SIG_SIZE)) {
261                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
262                                 (unsigned int)NTLMSSP_SIG_SIZE));
263                 data_blob_free(&auth_blob);
264                 prs_mem_free(&p->out_data.frag);
265                 return False;
266         }
267
268         data_blob_free(&auth_blob);
269
270         /*
271          * Setup the counts for this PDU.
272          */
273
274         p->out_data.data_sent_length += data_len;
275         p->out_data.current_pdu_sent = 0;
276
277         return True;
278 }
279
280 /*******************************************************************
281  Generate the next PDU to be returned from the data in p->rdata. 
282  Return an schannel authenticated fragment.
283  ********************************************************************/
284
285 static bool create_next_pdu_schannel(pipes_struct *p)
286 {
287         RPC_HDR_RESP hdr_resp;
288         uint32 ss_padding_len = 0;
289         uint32 data_len;
290         uint32 data_space_available;
291         uint32 data_len_left;
292         uint32 data_pos;
293         NTSTATUS status;
294
295         /*
296          * If we're in the fault state, keep returning fault PDU's until
297          * the pipe gets closed. JRA.
298          */
299
300         if(p->fault_state) {
301                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
302                 return True;
303         }
304
305         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
306
307         /* Change the incoming request header to a response. */
308         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
309
310         /* Set up rpc header flags. */
311         if (p->out_data.data_sent_length == 0) {
312                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
313         } else {
314                 p->hdr.flags = 0;
315         }
316
317         /*
318          * Work out how much we can fit in a single PDU.
319          */
320
321         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
322
323         /*
324          * Ensure there really is data left to send.
325          */
326
327         if(!data_len_left) {
328                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
329                 return False;
330         }
331
332         if (data_len_left % SERVER_NDR_PADDING_SIZE) {
333                 ss_padding_len = SERVER_NDR_PADDING_SIZE - (data_len_left % SERVER_NDR_PADDING_SIZE);
334                 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
335                         ss_padding_len ));
336         }
337
338         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
339                 - RPC_HDR_RESP_LEN - ss_padding_len - RPC_HDR_AUTH_LEN
340                 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
341
342         /*
343          * The amount we send is the minimum of the available
344          * space and the amount left to send.
345          */
346
347         data_len = MIN(data_len_left, data_space_available);
348
349         /*
350          * Set up the alloc hint. This should be the data left to
351          * send.
352          */
353
354         hdr_resp.alloc_hint = data_len_left;
355
356         /*
357          * Work out if this PDU will be the last.
358          */
359
360         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
361                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
362         }
363
364         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
365                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
366         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
367
368         /*
369          * Init the parse struct to point at the outgoing
370          * data.
371          */
372
373         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
374
375         /* Store the header in the data stream. */
376         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
377                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
378                 prs_mem_free(&p->out_data.frag);
379                 return False;
380         }
381
382         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
383                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
384                 prs_mem_free(&p->out_data.frag);
385                 return False;
386         }
387
388         /* Store the current offset. */
389         data_pos = prs_offset(&p->out_data.frag);
390
391         /* Copy the data into the PDU. */
392
393         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
394                                      p->out_data.data_sent_length, data_len)) {
395                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
396                 prs_mem_free(&p->out_data.frag);
397                 return False;
398         }
399
400         /* Copy the sign/seal padding data. */
401         if (ss_padding_len) {
402                 char pad[SERVER_NDR_PADDING_SIZE];
403                 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
404                 if (!prs_copy_data_in(&p->out_data.frag, pad,
405                                       ss_padding_len)) {
406                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
407                         prs_mem_free(&p->out_data.frag);
408                         return False;
409                 }
410         }
411
412         {
413                 /*
414                  * Schannel processing.
415                  */
416                 RPC_HDR_AUTH auth_info;
417                 DATA_BLOB blob;
418                 uint8_t *data;
419
420                 /* Check it's the type of reply we were expecting to decode */
421
422                 init_rpc_hdr_auth(&auth_info,
423                                 DCERPC_AUTH_TYPE_SCHANNEL,
424                                 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
425                                         DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
426                                 ss_padding_len, 1);
427
428                 if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
429                                         &p->out_data.frag, 0)) {
430                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
431                         prs_mem_free(&p->out_data.frag);
432                         return False;
433                 }
434
435                 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
436
437                 switch (p->auth.auth_level) {
438                 case DCERPC_AUTH_LEVEL_PRIVACY:
439                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
440                                                         talloc_tos(),
441                                                         true,
442                                                         data,
443                                                         data_len + ss_padding_len,
444                                                         &blob);
445                         break;
446                 case DCERPC_AUTH_LEVEL_INTEGRITY:
447                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
448                                                         talloc_tos(),
449                                                         false,
450                                                         data,
451                                                         data_len + ss_padding_len,
452                                                         &blob);
453                         break;
454                 default:
455                         status = NT_STATUS_INTERNAL_ERROR;
456                         break;
457                 }
458
459                 if (!NT_STATUS_IS_OK(status)) {
460                         DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
461                                 nt_errstr(status)));
462                         prs_mem_free(&p->out_data.frag);
463                         return false;
464                 }
465
466                 /* Finally marshall the blob. */
467
468                 if (DEBUGLEVEL >= 10) {
469                         dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
470                 }
471
472                 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
473                         prs_mem_free(&p->out_data.frag);
474                         return false;
475                 }
476         }
477
478         /*
479          * Setup the counts for this PDU.
480          */
481
482         p->out_data.data_sent_length += data_len;
483         p->out_data.current_pdu_sent = 0;
484
485         return True;
486 }
487
488 /*******************************************************************
489  Generate the next PDU to be returned from the data in p->rdata. 
490  No authentication done.
491 ********************************************************************/
492
493 static bool create_next_pdu_noauth(pipes_struct *p)
494 {
495         RPC_HDR_RESP hdr_resp;
496         uint32 data_len;
497         uint32 data_space_available;
498         uint32 data_len_left;
499
500         /*
501          * If we're in the fault state, keep returning fault PDU's until
502          * the pipe gets closed. JRA.
503          */
504
505         if(p->fault_state) {
506                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
507                 return True;
508         }
509
510         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
511
512         /* Change the incoming request header to a response. */
513         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
514
515         /* Set up rpc header flags. */
516         if (p->out_data.data_sent_length == 0) {
517                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
518         } else {
519                 p->hdr.flags = 0;
520         }
521
522         /*
523          * Work out how much we can fit in a single PDU.
524          */
525
526         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
527
528         /*
529          * Ensure there really is data left to send.
530          */
531
532         if(!data_len_left) {
533                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
534                 return False;
535         }
536
537         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
538                 - RPC_HDR_RESP_LEN;
539
540         /*
541          * The amount we send is the minimum of the available
542          * space and the amount left to send.
543          */
544
545         data_len = MIN(data_len_left, data_space_available);
546
547         /*
548          * Set up the alloc hint. This should be the data left to
549          * send.
550          */
551
552         hdr_resp.alloc_hint = data_len_left;
553
554         /*
555          * Work out if this PDU will be the last.
556          */
557
558         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
559                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
560         }
561
562         /*
563          * Set up the header lengths.
564          */
565
566         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
567         p->hdr.auth_len = 0;
568
569         /*
570          * Init the parse struct to point at the outgoing
571          * data.
572          */
573
574         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
575
576         /* Store the header in the data stream. */
577         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
578                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
579                 prs_mem_free(&p->out_data.frag);
580                 return False;
581         }
582
583         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
584                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
585                 prs_mem_free(&p->out_data.frag);
586                 return False;
587         }
588
589         /* Copy the data into the PDU. */
590
591         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
592                                      p->out_data.data_sent_length, data_len)) {
593                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
594                 prs_mem_free(&p->out_data.frag);
595                 return False;
596         }
597
598         /*
599          * Setup the counts for this PDU.
600          */
601
602         p->out_data.data_sent_length += data_len;
603         p->out_data.current_pdu_sent = 0;
604
605         return True;
606 }
607
608 /*******************************************************************
609  Generate the next PDU to be returned from the data in p->rdata. 
610 ********************************************************************/
611
612 bool create_next_pdu(pipes_struct *p)
613 {
614         switch(p->auth.auth_level) {
615                 case DCERPC_AUTH_LEVEL_NONE:
616                 case DCERPC_AUTH_LEVEL_CONNECT:
617                         /* This is incorrect for auth level connect. Fixme. JRA */
618                         return create_next_pdu_noauth(p);
619
620                 default:
621                         switch(p->auth.auth_type) {
622                                 case PIPE_AUTH_TYPE_NTLMSSP:
623                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
624                                         return create_next_pdu_ntlmssp(p);
625                                 case PIPE_AUTH_TYPE_SCHANNEL:
626                                         return create_next_pdu_schannel(p);
627                                 default:
628                                         break;
629                         }
630         }
631
632         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
633                         (unsigned int)p->auth.auth_level,
634                         (unsigned int)p->auth.auth_type));
635         return False;
636 }
637
638 /*******************************************************************
639  Process an NTLMSSP authentication response.
640  If this function succeeds, the user has been authenticated
641  and their domain, name and calling workstation stored in
642  the pipe struct.
643 *******************************************************************/
644
645 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
646 {
647         DATA_BLOB session_key, reply;
648         NTSTATUS status;
649         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
650         bool ret;
651
652         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
653                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
654
655         ZERO_STRUCT(reply);
656
657         /* this has to be done as root in order to verify the password */
658         become_root();
659         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
660         unbecome_root();
661
662         /* Don't generate a reply. */
663         data_blob_free(&reply);
664
665         if (!NT_STATUS_IS_OK(status)) {
666                 return False;
667         }
668
669         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
670            ensure the underlying NTLMSSP flags are also set. If not we should
671            refuse the bind. */
672
673         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
674                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
675                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
676                                 "but client declined signing.\n",
677                                  get_pipe_name_from_syntax(talloc_tos(),
678                                                            &p->syntax)));
679                         return False;
680                 }
681         }
682         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
683                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
684                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
685                                 "but client declined sealing.\n",
686                                  get_pipe_name_from_syntax(talloc_tos(),
687                                                            &p->syntax)));
688                         return False;
689                 }
690         }
691
692         DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
693                   "workstation: %s\n", a->ntlmssp_state->user,
694                   a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
695
696         if (a->server_info->ptok == NULL) {
697                 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
698                 return False;
699         }
700
701         TALLOC_FREE(p->server_info);
702
703         p->server_info = copy_serverinfo(p, a->server_info);
704         if (p->server_info == NULL) {
705                 DEBUG(0, ("copy_serverinfo failed\n"));
706                 return false;
707         }
708
709         /*
710          * We're an authenticated bind over smb, so the session key needs to
711          * be set to "SystemLibraryDTC". Weird, but this is what Windows
712          * does. See the RPC-SAMBA3SESSIONKEY.
713          */
714
715         session_key = generic_session_key();
716         if (session_key.data == NULL) {
717                 return False;
718         }
719
720         ret = server_info_set_session_key(p->server_info, session_key);
721
722         data_blob_free(&session_key);
723
724         return True;
725 }
726
727 /*******************************************************************
728  The switch table for the pipe names and the functions to handle them.
729 *******************************************************************/
730
731 struct rpc_table {
732         struct {
733                 const char *clnt;
734                 const char *srv;
735         } pipe;
736         struct ndr_syntax_id rpc_interface;
737         const struct api_struct *cmds;
738         int n_cmds;
739 };
740
741 static struct rpc_table *rpc_lookup;
742 static int rpc_lookup_size;
743
744 /*******************************************************************
745  This is the "stage3" NTLMSSP response after a bind request and reply.
746 *******************************************************************/
747
748 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
749 {
750         RPC_HDR_AUTH auth_info;
751         uint32 pad = 0;
752         DATA_BLOB blob;
753         uint32_t auth_len = p->hdr.auth_len;
754
755         ZERO_STRUCT(blob);
756
757         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
758
759         if (auth_len == 0) {
760                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
761                 goto err;
762         }
763
764         /* 4 bytes padding. */
765         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
766                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
767                 goto err;
768         }
769
770         /* Ensure there's enough data for an authenticated request. */
771         if (RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + auth_len >
772                                 p->hdr.frag_len) {
773                         DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
774                                 "%u is too large.\n",
775                         (unsigned int)auth_len ));
776                 goto err;
777         }
778
779         /*
780          * Decode the authentication verifier response.
781          */
782
783         /* Pull the auth header and the following data into a blob. */
784         /* NB. The offset of the auth_header is relative to the *end*
785          * of the packet, not the start. Also, the length of the
786          * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
787          * as the RPC header isn't included in rpc_in_p. */
788         if(!prs_set_offset(rpc_in_p,
789                         p->hdr.frag_len - RPC_HEADER_LEN -
790                         RPC_HDR_AUTH_LEN - auth_len)) {
791                 DEBUG(0,("api_pipe_bind_auth3: cannot move "
792                         "offset to %u.\n",
793                         (unsigned int)(p->hdr.frag_len -
794                                 RPC_HDR_AUTH_LEN - auth_len) ));
795                 goto err;
796         }
797
798         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in_p, 0)) {
799                 DEBUG(0,("api_pipe_bind_auth3: failed to "
800                         "unmarshall RPC_HDR_AUTH.\n"));
801                 goto err;
802         }
803
804         /* We must NEVER look at auth_info->auth_pad_len here,
805          * as old Samba client code gets it wrong and sends it
806          * as zero. JRA.
807          */
808
809         if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
810                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
811                         (unsigned int)auth_info.auth_type ));
812                 return False;
813         }
814
815         blob = data_blob(NULL,p->hdr.auth_len);
816
817         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
818                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
819                         (unsigned int)p->hdr.auth_len ));
820                 goto err;
821         }
822
823         /*
824          * The following call actually checks the challenge/response data.
825          * for correctness against the given DOMAIN\user name.
826          */
827
828         if (!pipe_ntlmssp_verify_final(p, &blob)) {
829                 goto err;
830         }
831
832         data_blob_free(&blob);
833
834         p->pipe_bound = True;
835
836         return True;
837
838  err:
839
840         data_blob_free(&blob);
841         free_pipe_ntlmssp_auth_data(&p->auth);
842         p->auth.a_u.auth_ntlmssp_state = NULL;
843
844         return False;
845 }
846
847 /*******************************************************************
848  Marshall a bind_nak pdu.
849 *******************************************************************/
850
851 static bool setup_bind_nak(pipes_struct *p)
852 {
853         RPC_HDR nak_hdr;
854         uint16 zero = 0;
855
856         /* Free any memory in the current return data buffer. */
857         prs_mem_free(&p->out_data.rdata);
858
859         /*
860          * Marshall directly into the outgoing PDU space. We
861          * must do this as we need to set to the bind response
862          * header and are never sending more than one PDU here.
863          */
864
865         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
866
867         /*
868          * Initialize a bind_nak header.
869          */
870
871         init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
872                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
873
874         /*
875          * Marshall the header into the outgoing PDU.
876          */
877
878         if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
879                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
880                 prs_mem_free(&p->out_data.frag);
881                 return False;
882         }
883
884         /*
885          * Now add the reject reason.
886          */
887
888         if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
889                 prs_mem_free(&p->out_data.frag);
890                 return False;
891         }
892
893         p->out_data.data_sent_length = 0;
894         p->out_data.current_pdu_sent = 0;
895
896         if (p->auth.auth_data_free_func) {
897                 (*p->auth.auth_data_free_func)(&p->auth);
898         }
899         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
900         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
901         p->pipe_bound = False;
902
903         return True;
904 }
905
906 /*******************************************************************
907  Marshall a fault pdu.
908 *******************************************************************/
909
910 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
911 {
912         RPC_HDR fault_hdr;
913         RPC_HDR_RESP hdr_resp;
914         RPC_HDR_FAULT fault_resp;
915
916         /* Free any memory in the current return data buffer. */
917         prs_mem_free(&p->out_data.rdata);
918
919         /*
920          * Marshall directly into the outgoing PDU space. We
921          * must do this as we need to set to the bind response
922          * header and are never sending more than one PDU here.
923          */
924
925         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
926
927         /*
928          * Initialize a fault header.
929          */
930
931         init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
932             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
933
934         /*
935          * Initialize the HDR_RESP and FAULT parts of the PDU.
936          */
937
938         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
939
940         fault_resp.status = status;
941         fault_resp.reserved = 0;
942
943         /*
944          * Marshall the header into the outgoing PDU.
945          */
946
947         if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
948                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
949                 prs_mem_free(&p->out_data.frag);
950                 return False;
951         }
952
953         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
954                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
955                 prs_mem_free(&p->out_data.frag);
956                 return False;
957         }
958
959         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
960                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
961                 prs_mem_free(&p->out_data.frag);
962                 return False;
963         }
964
965         p->out_data.data_sent_length = 0;
966         p->out_data.current_pdu_sent = 0;
967
968         return True;
969 }
970
971 #if 0
972 /*******************************************************************
973  Marshall a cancel_ack pdu.
974  We should probably check the auth-verifier here.
975 *******************************************************************/
976
977 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
978 {
979         prs_struct outgoing_pdu;
980         RPC_HDR ack_reply_hdr;
981
982         /* Free any memory in the current return data buffer. */
983         prs_mem_free(&p->out_data.rdata);
984
985         /*
986          * Marshall directly into the outgoing PDU space. We
987          * must do this as we need to set to the bind response
988          * header and are never sending more than one PDU here.
989          */
990
991         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
992         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
993
994         /*
995          * Initialize a cancel_ack header.
996          */
997
998         init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
999                         p->hdr.call_id, RPC_HEADER_LEN, 0);
1000
1001         /*
1002          * Marshall the header into the outgoing PDU.
1003          */
1004
1005         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
1006                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
1007                 prs_mem_free(&outgoing_pdu);
1008                 return False;
1009         }
1010
1011         p->out_data.data_sent_length = 0;
1012         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
1013         p->out_data.current_pdu_sent = 0;
1014
1015         prs_mem_free(&outgoing_pdu);
1016         return True;
1017 }
1018 #endif
1019
1020 /*******************************************************************
1021  Ensure a bind request has the correct abstract & transfer interface.
1022  Used to reject unknown binds from Win2k.
1023 *******************************************************************/
1024
1025 static bool check_bind_req(struct pipes_struct *p,
1026                            struct ndr_syntax_id* abstract,
1027                            struct ndr_syntax_id* transfer,
1028                            uint32 context_id)
1029 {
1030         int i=0;
1031         struct pipe_rpc_fns *context_fns;
1032
1033         DEBUG(3,("check_bind_req for %s\n",
1034                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1035
1036         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
1037
1038         for (i=0; i<rpc_lookup_size; i++) {
1039                 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
1040                 if (ndr_syntax_id_equal(
1041                             abstract, &rpc_lookup[i].rpc_interface)
1042                     && ndr_syntax_id_equal(
1043                             transfer, &ndr_transfer_syntax)) {
1044                         break;
1045                 }
1046         }
1047
1048         if (i == rpc_lookup_size) {
1049                 return false;
1050         }
1051
1052         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1053         if (context_fns == NULL) {
1054                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1055                 return False;
1056         }
1057
1058         context_fns->cmds = rpc_lookup[i].cmds;
1059         context_fns->n_cmds = rpc_lookup[i].n_cmds;
1060         context_fns->context_id = context_id;
1061
1062         /* add to the list of open contexts */
1063
1064         DLIST_ADD( p->contexts, context_fns );
1065
1066         return True;
1067 }
1068
1069 /*******************************************************************
1070  Register commands to an RPC pipe
1071 *******************************************************************/
1072
1073 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1074                           const struct ndr_interface_table *iface,
1075                           const struct api_struct *cmds, int size)
1076 {
1077         struct rpc_table *rpc_entry;
1078
1079         if (!clnt || !srv || !cmds) {
1080                 return NT_STATUS_INVALID_PARAMETER;
1081         }
1082
1083         if (version != SMB_RPC_INTERFACE_VERSION) {
1084                 DEBUG(0,("Can't register rpc commands!\n"
1085                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1086                          ", while this version of samba uses version %d!\n", 
1087                          version,SMB_RPC_INTERFACE_VERSION));
1088                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1089         }
1090
1091         /* TODO: 
1092          *
1093          * we still need to make sure that don't register the same commands twice!!!
1094          * 
1095          * --metze
1096          */
1097
1098         /* We use a temporary variable because this call can fail and 
1099            rpc_lookup will still be valid afterwards.  It could then succeed if
1100            called again later */
1101         rpc_lookup_size++;
1102         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1103         if (NULL == rpc_entry) {
1104                 rpc_lookup_size--;
1105                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1106                 return NT_STATUS_NO_MEMORY;
1107         } else {
1108                 rpc_lookup = rpc_entry;
1109         }
1110
1111         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1112         ZERO_STRUCTP(rpc_entry);
1113         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1114         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1115         rpc_entry->rpc_interface = iface->syntax_id;
1116         rpc_entry->cmds = cmds;
1117         rpc_entry->n_cmds = size;
1118
1119         return NT_STATUS_OK;
1120 }
1121
1122 /**
1123  * Is a named pipe known?
1124  * @param[in] cli_filename      The pipe name requested by the client
1125  * @result                      Do we want to serve this?
1126  */
1127 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1128 {
1129         const char *pipename = cli_filename;
1130         int i;
1131         NTSTATUS status;
1132
1133         if (strnequal(pipename, "\\PIPE\\", 6)) {
1134                 pipename += 5;
1135         }
1136
1137         if (*pipename == '\\') {
1138                 pipename += 1;
1139         }
1140
1141         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1142                 DEBUG(10, ("refusing spoolss access\n"));
1143                 return false;
1144         }
1145
1146         for (i=0; i<rpc_lookup_size; i++) {
1147                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1148                         *syntax = rpc_lookup[i].rpc_interface;
1149                         return true;
1150                 }
1151         }
1152
1153         status = smb_probe_module("rpc", pipename);
1154         if (!NT_STATUS_IS_OK(status)) {
1155                 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1156                 return false;
1157         }
1158         DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
1159
1160         /*
1161          * Scan the list again for the interface id
1162          */
1163
1164         for (i=0; i<rpc_lookup_size; i++) {
1165                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1166                         *syntax = rpc_lookup[i].rpc_interface;
1167                         return true;
1168                 }
1169         }
1170
1171         DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
1172                    pipename));
1173
1174         return false;
1175 }
1176
1177 /*******************************************************************
1178  Handle a SPNEGO krb5 bind auth.
1179 *******************************************************************/
1180
1181 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1182                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1183 {
1184         return False;
1185 }
1186
1187 /*******************************************************************
1188  Handle the first part of a SPNEGO bind auth.
1189 *******************************************************************/
1190
1191 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1192                                         uint32_t ss_padding_len,
1193                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1194 {
1195         DATA_BLOB blob;
1196         DATA_BLOB secblob;
1197         DATA_BLOB response;
1198         DATA_BLOB chal;
1199         char *OIDs[ASN1_MAX_OIDS];
1200         int i;
1201         NTSTATUS status;
1202         bool got_kerberos_mechanism = false;
1203         AUTH_NTLMSSP_STATE *a = NULL;
1204         RPC_HDR_AUTH auth_info;
1205
1206         ZERO_STRUCT(secblob);
1207         ZERO_STRUCT(chal);
1208         ZERO_STRUCT(response);
1209
1210         /* Grab the SPNEGO blob. */
1211         blob = data_blob(NULL,p->hdr.auth_len);
1212
1213         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1214                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1215                         (unsigned int)p->hdr.auth_len ));
1216                 goto err;
1217         }
1218
1219         if (blob.data[0] != ASN1_APPLICATION(0)) {
1220                 goto err;
1221         }
1222
1223         /* parse out the OIDs and the first sec blob */
1224         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1225                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1226                 goto err;
1227         }
1228
1229         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1230                 got_kerberos_mechanism = true;
1231         }
1232
1233         for (i=0;OIDs[i];i++) {
1234                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1235                 TALLOC_FREE(OIDs[i]);
1236         }
1237         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1238
1239         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1240                 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1241                 data_blob_free(&secblob);
1242                 data_blob_free(&blob);
1243                 return ret;
1244         }
1245
1246         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1247                 /* Free any previous auth type. */
1248                 free_pipe_ntlmssp_auth_data(&p->auth);
1249         }
1250
1251         if (!got_kerberos_mechanism) {
1252                 /* Initialize the NTLM engine. */
1253                 status = auth_ntlmssp_start(&a);
1254                 if (!NT_STATUS_IS_OK(status)) {
1255                         goto err;
1256                 }
1257
1258                 /*
1259                  * Pass the first security blob of data to it.
1260                  * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1261                  * which means we need another packet to complete the bind.
1262                  */
1263
1264                 status = auth_ntlmssp_update(a, secblob, &chal);
1265
1266                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1267                         DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1268                         goto err;
1269                 }
1270
1271                 /* Generate the response blob we need for step 2 of the bind. */
1272                 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1273         } else {
1274                 /*
1275                  * SPNEGO negotiate down to NTLMSSP. The subsequent
1276                  * code to process follow-up packets is not complete
1277                  * yet. JRA.
1278                  */
1279                 response = spnego_gen_auth_response(NULL,
1280                                         NT_STATUS_MORE_PROCESSING_REQUIRED,
1281                                         OID_NTLMSSP);
1282         }
1283
1284         /* auth_pad_len will be handled by the caller */
1285
1286         /* Copy the blob into the pout_auth parse struct */
1287         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
1288                         pauth_info->auth_level, ss_padding_len, 1);
1289         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1290                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1291                 goto err;
1292         }
1293
1294         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1295                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1296                 goto err;
1297         }
1298
1299         p->auth.a_u.auth_ntlmssp_state = a;
1300         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1301         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1302
1303         data_blob_free(&blob);
1304         data_blob_free(&secblob);
1305         data_blob_free(&chal);
1306         data_blob_free(&response);
1307
1308         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1309         return True;
1310
1311  err:
1312
1313         data_blob_free(&blob);
1314         data_blob_free(&secblob);
1315         data_blob_free(&chal);
1316         data_blob_free(&response);
1317
1318         p->auth.a_u.auth_ntlmssp_state = NULL;
1319
1320         return False;
1321 }
1322
1323 /*******************************************************************
1324  Handle the second part of a SPNEGO bind auth.
1325 *******************************************************************/
1326
1327 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1328                                 uint32_t ss_padding_len,
1329                                 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1330 {
1331         RPC_HDR_AUTH auth_info;
1332         DATA_BLOB spnego_blob;
1333         DATA_BLOB auth_blob;
1334         DATA_BLOB auth_reply;
1335         DATA_BLOB response;
1336         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1337
1338         ZERO_STRUCT(spnego_blob);
1339         ZERO_STRUCT(auth_blob);
1340         ZERO_STRUCT(auth_reply);
1341         ZERO_STRUCT(response);
1342
1343         /*
1344          * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1345          * fail here as 'a' == NULL.
1346          */
1347         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1348                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1349                 goto err;
1350         }
1351
1352         /* Grab the SPNEGO blob. */
1353         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1354
1355         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1356                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1357                         (unsigned int)p->hdr.auth_len ));
1358                 goto err;
1359         }
1360
1361         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1362                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1363                 goto err;
1364         }
1365
1366         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1367                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1368                 goto err;
1369         }
1370
1371         /*
1372          * The following call actually checks the challenge/response data.
1373          * for correctness against the given DOMAIN\user name.
1374          */
1375
1376         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1377                 goto err;
1378         }
1379
1380         data_blob_free(&spnego_blob);
1381         data_blob_free(&auth_blob);
1382
1383         /* Generate the spnego "accept completed" blob - no incoming data. */
1384         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1385
1386         /* FIXME - add auth_pad_len here ! */
1387
1388         /* Copy the blob into the pout_auth parse struct */
1389         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
1390                         pauth_info->auth_level, ss_padding_len, 1);
1391         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1392                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1393                 goto err;
1394         }
1395
1396         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1397                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1398                 goto err;
1399         }
1400
1401         data_blob_free(&auth_reply);
1402         data_blob_free(&response);
1403
1404         p->pipe_bound = True;
1405
1406         return True;
1407
1408  err:
1409
1410         data_blob_free(&spnego_blob);
1411         data_blob_free(&auth_blob);
1412         data_blob_free(&auth_reply);
1413         data_blob_free(&response);
1414
1415         free_pipe_ntlmssp_auth_data(&p->auth);
1416         p->auth.a_u.auth_ntlmssp_state = NULL;
1417
1418         return False;
1419 }
1420
1421 /*******************************************************************
1422  Handle an schannel bind auth.
1423 *******************************************************************/
1424
1425 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1426                                         uint32_t ss_padding_len,
1427                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1428 {
1429         RPC_HDR_AUTH auth_info;
1430         struct NL_AUTH_MESSAGE neg;
1431         struct NL_AUTH_MESSAGE reply;
1432         bool ret;
1433         NTSTATUS status;
1434         struct netlogon_creds_CredentialState *creds;
1435         DATA_BLOB session_key;
1436         enum ndr_err_code ndr_err;
1437         DATA_BLOB blob;
1438
1439         blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1440                                prs_data_size(rpc_in_p));
1441
1442         ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1443                                (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1444         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1445                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1446                 return false;
1447         }
1448
1449         if (DEBUGLEVEL >= 10) {
1450                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1451         }
1452
1453         if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1454                 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1455                 return false;
1456         }
1457
1458         /*
1459          * The neg.oem_netbios_computer.a key here must match the remote computer name
1460          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1461          * operations that use credentials.
1462          */
1463
1464         become_root();
1465         status = schannel_fetch_session_key(p,
1466                                             neg.oem_netbios_computer.a,
1467                                             &creds);
1468         unbecome_root();
1469
1470         if (!NT_STATUS_IS_OK(status)) {
1471                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1472                 return False;
1473         }
1474
1475         p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1476         if (!p->auth.a_u.schannel_auth) {
1477                 TALLOC_FREE(creds);
1478                 return False;
1479         }
1480
1481         p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1482         p->auth.a_u.schannel_auth->seq_num = 0;
1483         p->auth.a_u.schannel_auth->initiator = false;
1484         p->auth.a_u.schannel_auth->creds = creds;
1485
1486         /*
1487          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1488          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1489          * struct of the person who opened the pipe. I need to test this further. JRA.
1490          *
1491          * VL. As we are mapping this to guest set the generic key
1492          * "SystemLibraryDTC" key here. It's a bit difficult to test against
1493          * W2k3, as it does not allow schannel binds against SAMR and LSA
1494          * anymore.
1495          */
1496
1497         session_key = generic_session_key();
1498         if (session_key.data == NULL) {
1499                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1500                           " key\n"));
1501                 return false;
1502         }
1503
1504         ret = server_info_set_session_key(p->server_info, session_key);
1505
1506         data_blob_free(&session_key);
1507
1508         if (!ret) {
1509                 DEBUG(0, ("server_info_set_session_key failed\n"));
1510                 return false;
1511         }
1512
1513         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL,
1514                         pauth_info->auth_level, ss_padding_len, 1);
1515         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1516                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1517                 return False;
1518         }
1519
1520         /*** SCHANNEL verifier ***/
1521
1522         reply.MessageType                       = NL_NEGOTIATE_RESPONSE;
1523         reply.Flags                             = 0;
1524         reply.Buffer.dummy                      = 5; /* ??? actually I don't think
1525                                                       * this has any meaning
1526                                                       * here - gd */
1527
1528         ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &reply,
1529                        (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1530         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1531                 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1532                 return false;
1533         }
1534
1535         if (DEBUGLEVEL >= 10) {
1536                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1537         }
1538
1539         if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1540                 return false;
1541         }
1542
1543         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1544                 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1545
1546         /* We're finished with this bind - no more packets. */
1547         p->auth.auth_data_free_func = NULL;
1548         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1549
1550         p->pipe_bound = True;
1551
1552         return True;
1553 }
1554
1555 /*******************************************************************
1556  Handle an NTLMSSP bind auth.
1557 *******************************************************************/
1558
1559 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1560                                         uint32_t ss_padding_len,
1561                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1562 {
1563         RPC_HDR_AUTH auth_info;
1564         DATA_BLOB blob;
1565         DATA_BLOB response;
1566         NTSTATUS status;
1567         AUTH_NTLMSSP_STATE *a = NULL;
1568
1569         ZERO_STRUCT(blob);
1570         ZERO_STRUCT(response);
1571
1572         /* Grab the NTLMSSP blob. */
1573         blob = data_blob(NULL,p->hdr.auth_len);
1574
1575         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1576                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1577                         (unsigned int)p->hdr.auth_len ));
1578                 goto err;
1579         }
1580
1581         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1582                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1583                 goto err;
1584         }
1585
1586         /* We have an NTLMSSP blob. */
1587         status = auth_ntlmssp_start(&a);
1588         if (!NT_STATUS_IS_OK(status)) {
1589                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1590                         nt_errstr(status) ));
1591                 goto err;
1592         }
1593
1594         status = auth_ntlmssp_update(a, blob, &response);
1595         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1596                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1597                         nt_errstr(status) ));
1598                 goto err;
1599         }
1600
1601         data_blob_free(&blob);
1602
1603         /* Copy the blob into the pout_auth parse struct */
1604         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP,
1605                         pauth_info->auth_level, ss_padding_len, 1);
1606         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1607                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1608                 goto err;
1609         }
1610
1611         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1612                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1613                 goto err;
1614         }
1615
1616         p->auth.a_u.auth_ntlmssp_state = a;
1617         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1618         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1619
1620         data_blob_free(&blob);
1621         data_blob_free(&response);
1622
1623         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1624
1625         /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1626         return True;
1627
1628   err:
1629
1630         data_blob_free(&blob);
1631         data_blob_free(&response);
1632
1633         free_pipe_ntlmssp_auth_data(&p->auth);
1634         p->auth.a_u.auth_ntlmssp_state = NULL;
1635         return False;
1636 }
1637
1638 /*******************************************************************
1639  Respond to a pipe bind request.
1640 *******************************************************************/
1641
1642 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1643 {
1644         RPC_HDR_BA hdr_ba;
1645         RPC_HDR_RB hdr_rb;
1646         RPC_HDR_AUTH auth_info;
1647         uint16 assoc_gid;
1648         fstring ack_pipe_name;
1649         prs_struct out_hdr_ba;
1650         prs_struct out_auth;
1651         int i = 0;
1652         int auth_len = 0;
1653         unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1654         uint32_t ss_padding_len = 0;
1655
1656         /* No rebinds on a bound pipe - use alter context. */
1657         if (p->pipe_bound) {
1658                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1659                          "pipe %s.\n",
1660                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1661                 return setup_bind_nak(p);
1662         }
1663
1664         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1665
1666         /* 
1667          * Marshall directly into the outgoing PDU space. We
1668          * must do this as we need to set to the bind response
1669          * header and are never sending more than one PDU here.
1670          */
1671
1672         /*
1673          * Setup the memory to marshall the ba header, and the
1674          * auth footers.
1675          */
1676
1677         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1678                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1679                 prs_mem_free(&p->out_data.frag);
1680                 return False;
1681         }
1682
1683         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1684                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1685                 prs_mem_free(&p->out_data.frag);
1686                 prs_mem_free(&out_hdr_ba);
1687                 return False;
1688         }
1689
1690         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1691
1692         ZERO_STRUCT(hdr_rb);
1693
1694         /* decode the bind request */
1695
1696         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1697                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1698                          "struct.\n"));
1699                 goto err_exit;
1700         }
1701
1702         if (hdr_rb.num_contexts == 0) {
1703                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1704                 goto err_exit;
1705         }
1706
1707         /*
1708          * Try and find the correct pipe name to ensure
1709          * that this is a pipe name we support.
1710          */
1711
1712         for (i = 0; i < rpc_lookup_size; i++) {
1713                 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1714                                         &hdr_rb.rpc_context[0].abstract)) {
1715                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1716                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1717                         break;
1718                 }
1719         }
1720
1721         if (i == rpc_lookup_size) {
1722                 NTSTATUS status;
1723
1724                 status = smb_probe_module(
1725                         "rpc", get_pipe_name_from_syntax(
1726                                 talloc_tos(),
1727                                 &hdr_rb.rpc_context[0].abstract));
1728
1729                 if (NT_STATUS_IS_ERR(status)) {
1730                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1731                                 get_pipe_name_from_syntax(
1732                                         talloc_tos(),
1733                                         &hdr_rb.rpc_context[0].abstract)));
1734                         prs_mem_free(&p->out_data.frag);
1735                         prs_mem_free(&out_hdr_ba);
1736                         prs_mem_free(&out_auth);
1737
1738                         return setup_bind_nak(p);
1739                 }
1740
1741                 for (i = 0; i < rpc_lookup_size; i++) {
1742                        if (strequal(rpc_lookup[i].pipe.clnt,
1743                                     get_pipe_name_from_syntax(talloc_tos(),
1744                                                               &p->syntax))) {
1745                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1746                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1747                                break;
1748                        }
1749                 }
1750
1751                 if (i == rpc_lookup_size) {
1752                         DEBUG(0, ("module %s doesn't provide functions for "
1753                                   "pipe %s!\n",
1754                                   get_pipe_name_from_syntax(talloc_tos(),
1755                                                             &p->syntax),
1756                                   get_pipe_name_from_syntax(talloc_tos(),
1757                                                             &p->syntax)));
1758                         goto err_exit;
1759                 }
1760         }
1761
1762         /* name has to be \PIPE\xxxxx */
1763         fstrcpy(ack_pipe_name, "\\PIPE\\");
1764         fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1765
1766         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1767
1768         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1769
1770         /*
1771          * Create the bind response struct.
1772          */
1773
1774         /* If the requested abstract synt uuid doesn't match our client pipe,
1775                 reject the bind_ack & set the transfer interface synt to all 0's,
1776                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1777                 unknown to NT4)
1778                 Needed when adding entries to a DACL from NT5 - SK */
1779
1780         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1781                                 hdr_rb.rpc_context[0].context_id )) {
1782                 init_rpc_hdr_ba(&hdr_ba,
1783                         RPC_MAX_PDU_FRAG_LEN,
1784                         RPC_MAX_PDU_FRAG_LEN,
1785                         assoc_gid,
1786                         ack_pipe_name,
1787                         0x1, 0x0, 0x0,
1788                         &hdr_rb.rpc_context[0].transfer[0]);
1789         } else {
1790                 /* Rejection reason: abstract syntax not supported */
1791                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1792                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1793                                         ack_pipe_name, 0x1, 0x2, 0x1,
1794                                         &null_ndr_syntax_id);
1795                 p->pipe_bound = False;
1796         }
1797
1798         /*
1799          * and marshall it.
1800          */
1801
1802         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1803                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1804                 goto err_exit;
1805         }
1806
1807         /*
1808          * Check if this is an authenticated bind request.
1809          */
1810
1811         if (p->hdr.auth_len) {
1812                 /* 
1813                  * Decode the authentication verifier.
1814                  */
1815
1816                 /* Work out any padding needed before the auth footer. */
1817                 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
1818                         ss_padding_len = SERVER_NDR_PADDING_SIZE -
1819                                 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
1820                         DEBUG(10,("api_pipe_bind_req: auth pad_len = %u\n",
1821                                 (unsigned int)ss_padding_len ));
1822                 }
1823
1824                 /* Quick length check. Won't catch a bad auth footer,
1825                  * prevents overrun. */
1826
1827                 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
1828                         DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
1829                                 "too long for fragment %u.\n",
1830                                 (unsigned int)p->hdr.auth_len,
1831                                 (unsigned int)p->hdr.frag_len ));
1832                         goto err_exit;
1833                 }
1834
1835                 /* Pull the auth header and the following data into a blob. */
1836                 /* NB. The offset of the auth_header is relative to the *end*
1837                  * of the packet, not the start. Also, the length of the
1838                  * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
1839                  * as the RPC header isn't included in rpc_in_p. */
1840                 if(!prs_set_offset(rpc_in_p,
1841                                 p->hdr.frag_len - RPC_HEADER_LEN -
1842                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
1843                         DEBUG(0,("api_pipe_bind_req: cannot move "
1844                                 "offset to %u.\n",
1845                                 (unsigned int)(p->hdr.frag_len -
1846                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
1847                         goto err_exit;
1848                 }
1849
1850                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1851                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1852                         goto err_exit;
1853                 }
1854
1855                 auth_type = auth_info.auth_type;
1856
1857                 /* Work out if we have to sign or seal etc. */
1858                 switch (auth_info.auth_level) {
1859                         case DCERPC_AUTH_LEVEL_INTEGRITY:
1860                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1861                                 break;
1862                         case DCERPC_AUTH_LEVEL_PRIVACY:
1863                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1864                                 break;
1865                         default:
1866                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1867                                         (unsigned int)auth_info.auth_level ));
1868                                 goto err_exit;
1869                 }
1870         } else {
1871                 ZERO_STRUCT(auth_info);
1872         }
1873
1874         switch(auth_type) {
1875                 case DCERPC_AUTH_TYPE_NTLMSSP:
1876                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p,
1877                                         ss_padding_len, &auth_info, &out_auth)) {
1878                                 goto err_exit;
1879                         }
1880                         assoc_gid = 0x7a77;
1881                         break;
1882
1883                 case DCERPC_AUTH_TYPE_SCHANNEL:
1884                         if (!pipe_schannel_auth_bind(p, rpc_in_p,
1885                                         ss_padding_len, &auth_info, &out_auth)) {
1886                                 goto err_exit;
1887                         }
1888                         break;
1889
1890                 case DCERPC_AUTH_TYPE_SPNEGO:
1891                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p,
1892                                         ss_padding_len, &auth_info, &out_auth)) {
1893                                 goto err_exit;
1894                         }
1895                         break;
1896
1897                 case DCERPC_AUTH_TYPE_NONE:
1898                         /* Unauthenticated bind request. */
1899                         /* We're finished - no more packets. */
1900                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1901                         /* We must set the pipe auth_level here also. */
1902                         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1903                         p->pipe_bound = True;
1904                         /* The session key was initialized from the SMB
1905                          * session in make_internal_rpc_pipe_p */
1906                         ss_padding_len = 0;
1907                         break;
1908
1909                 default:
1910                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1911                         goto err_exit;
1912         }
1913         /*
1914          * Create the header, now we know the length.
1915          */
1916
1917         if (prs_offset(&out_auth)) {
1918                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1919         }
1920
1921         init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1922                         p->hdr.call_id,
1923                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) +
1924                                 ss_padding_len + prs_offset(&out_auth),
1925                         auth_len);
1926
1927         /*
1928          * Marshall the header into the outgoing PDU.
1929          */
1930
1931         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1932                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1933                 goto err_exit;
1934         }
1935
1936         /*
1937          * Now add the RPC_HDR_BA and any auth needed.
1938          */
1939
1940         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1941                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1942                 goto err_exit;
1943         }
1944
1945         if (auth_len) {
1946                 if (ss_padding_len) {
1947                         char pad[SERVER_NDR_PADDING_SIZE];
1948                         memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1949                         if (!prs_copy_data_in(&p->out_data.frag, pad,
1950                                         ss_padding_len)) {
1951                                 DEBUG(0,("api_pipe_bind_req: failed to add %u "
1952                                         "bytes of pad data.\n",
1953                                         (unsigned int)ss_padding_len));
1954                                 goto err_exit;
1955                         }
1956                 }
1957
1958                 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1959                         DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1960                         goto err_exit;
1961                 }
1962         }
1963
1964         /*
1965          * Setup the lengths for the initial reply.
1966          */
1967
1968         p->out_data.data_sent_length = 0;
1969         p->out_data.current_pdu_sent = 0;
1970
1971         prs_mem_free(&out_hdr_ba);
1972         prs_mem_free(&out_auth);
1973
1974         return True;
1975
1976   err_exit:
1977
1978         prs_mem_free(&p->out_data.frag);
1979         prs_mem_free(&out_hdr_ba);
1980         prs_mem_free(&out_auth);
1981         return setup_bind_nak(p);
1982 }
1983
1984 /****************************************************************************
1985  Deal with an alter context call. Can be third part of 3 leg auth request for
1986  SPNEGO calls.
1987 ****************************************************************************/
1988
1989 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1990 {
1991         RPC_HDR_BA hdr_ba;
1992         RPC_HDR_RB hdr_rb;
1993         RPC_HDR_AUTH auth_info;
1994         uint16 assoc_gid;
1995         fstring ack_pipe_name;
1996         prs_struct out_hdr_ba;
1997         prs_struct out_auth;
1998         int auth_len = 0;
1999         uint32_t ss_padding_len = 0;
2000
2001         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
2002
2003         /* 
2004          * Marshall directly into the outgoing PDU space. We
2005          * must do this as we need to set to the bind response
2006          * header and are never sending more than one PDU here.
2007          */
2008
2009         /*
2010          * Setup the memory to marshall the ba header, and the
2011          * auth footers.
2012          */
2013
2014         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
2015                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
2016                 prs_mem_free(&p->out_data.frag);
2017                 return False;
2018         }
2019
2020         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
2021                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
2022                 prs_mem_free(&p->out_data.frag);
2023                 prs_mem_free(&out_hdr_ba);
2024                 return False;
2025         }
2026
2027         ZERO_STRUCT(hdr_rb);
2028
2029         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
2030
2031         /* decode the alter context request */
2032         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
2033                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
2034                 goto err_exit;
2035         }
2036
2037         /* secondary address CAN be NULL
2038          * as the specs say it's ignored.
2039          * It MUST be NULL to have the spoolss working.
2040          */
2041         fstrcpy(ack_pipe_name,"");
2042
2043         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
2044
2045         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
2046
2047         /*
2048          * Create the bind response struct.
2049          */
2050
2051         /* If the requested abstract synt uuid doesn't match our client pipe,
2052                 reject the bind_ack & set the transfer interface synt to all 0's,
2053                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
2054                 unknown to NT4)
2055                 Needed when adding entries to a DACL from NT5 - SK */
2056
2057         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
2058                                 hdr_rb.rpc_context[0].context_id )) {
2059                 init_rpc_hdr_ba(&hdr_ba,
2060                         RPC_MAX_PDU_FRAG_LEN,
2061                         RPC_MAX_PDU_FRAG_LEN,
2062                         assoc_gid,
2063                         ack_pipe_name,
2064                         0x1, 0x0, 0x0,
2065                         &hdr_rb.rpc_context[0].transfer[0]);
2066         } else {
2067                 /* Rejection reason: abstract syntax not supported */
2068                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
2069                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
2070                                         ack_pipe_name, 0x1, 0x2, 0x1,
2071                                         &null_ndr_syntax_id);
2072                 p->pipe_bound = False;
2073         }
2074
2075         /*
2076          * and marshall it.
2077          */
2078
2079         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
2080                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
2081                 goto err_exit;
2082         }
2083
2084
2085         /*
2086          * Check if this is an authenticated alter context request.
2087          */
2088
2089         if (p->hdr.auth_len != 0) {
2090                 /* 
2091                  * Decode the authentication verifier.
2092                  */
2093
2094                 /* Work out any padding needed before the auth footer. */
2095                 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
2096                         ss_padding_len = SERVER_NDR_PADDING_SIZE -
2097                                 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
2098                         DEBUG(10,("api_pipe_alter_context: auth pad_len = %u\n",
2099                                 (unsigned int)ss_padding_len ));
2100                 }
2101
2102                 /* Quick length check. Won't catch a bad auth footer,
2103                  * prevents overrun. */
2104
2105                 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
2106                         DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
2107                                 "too long for fragment %u.\n",
2108                                 (unsigned int)p->hdr.auth_len,
2109                                 (unsigned int)p->hdr.frag_len ));
2110                         goto err_exit;
2111                 }
2112
2113                 /* Pull the auth header and the following data into a blob. */
2114                 /* NB. The offset of the auth_header is relative to the *end*
2115                  * of the packet, not the start. Also, the length of the
2116                  * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2117                  * as the RPC header isn't included in rpc_in_p. */
2118                 if(!prs_set_offset(rpc_in_p,
2119                                 p->hdr.frag_len - RPC_HEADER_LEN -
2120                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
2121                         DEBUG(0,("api_alter_context: cannot move "
2122                                 "offset to %u.\n",
2123                                 (unsigned int)(p->hdr.frag_len -
2124                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
2125                         goto err_exit;
2126                 }
2127
2128                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
2129                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
2130                         goto err_exit;
2131                 }
2132
2133                 /*
2134                  * Currently only the SPNEGO auth type uses the alter ctx
2135                  * response in place of the NTLMSSP auth3 type.
2136                  */
2137
2138                 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
2139                         /* We can only finish if the pipe is unbound. */
2140                         if (!p->pipe_bound) {
2141                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p,
2142                                                 ss_padding_len, &auth_info, &out_auth)) {
2143                                         goto err_exit;
2144                                 }
2145                         } else {
2146                                 goto err_exit;
2147                         }
2148                 }
2149         } else {
2150                 ZERO_STRUCT(auth_info);
2151         }
2152         /*
2153          * Create the header, now we know the length.
2154          */
2155
2156         if (prs_offset(&out_auth)) {
2157                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
2158         }
2159
2160         init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
2161                         p->hdr.call_id,
2162                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
2163                         auth_len);
2164
2165         /*
2166          * Marshall the header into the outgoing PDU.
2167          */
2168
2169         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2170                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2171                 goto err_exit;
2172         }
2173
2174         /*
2175          * Now add the RPC_HDR_BA and any auth needed.
2176          */
2177
2178         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2179                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2180                 goto err_exit;
2181         }
2182
2183         if (auth_len) {
2184                 if (ss_padding_len) {
2185                         char pad[SERVER_NDR_PADDING_SIZE];
2186                         memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
2187                         if (!prs_copy_data_in(&p->out_data.frag, pad,
2188                                         ss_padding_len)) {
2189                                 DEBUG(0,("api_pipe_alter_context: failed to add %u "
2190                                         "bytes of pad data.\n",
2191                                         (unsigned int)ss_padding_len));
2192                                 goto err_exit;
2193                         }
2194                 }
2195
2196                 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
2197                         DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2198                         goto err_exit;
2199                 }
2200         }
2201
2202         /*
2203          * Setup the lengths for the initial reply.
2204          */
2205
2206         p->out_data.data_sent_length = 0;
2207         p->out_data.current_pdu_sent = 0;
2208
2209         prs_mem_free(&out_hdr_ba);
2210         prs_mem_free(&out_auth);
2211
2212         return True;
2213
2214   err_exit:
2215
2216         prs_mem_free(&p->out_data.frag);
2217         prs_mem_free(&out_hdr_ba);
2218         prs_mem_free(&out_auth);
2219         return setup_bind_nak(p);
2220 }
2221
2222 /****************************************************************************
2223  Deal with NTLMSSP sign & seal processing on an RPC request.
2224 ****************************************************************************/
2225
2226 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2227                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2228 {
2229         RPC_HDR_AUTH auth_info;
2230         uint32 auth_len = p->hdr.auth_len;
2231         uint32 save_offset = prs_offset(rpc_in);
2232         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2233         unsigned char *data = NULL;
2234         size_t data_len;
2235         unsigned char *full_packet_data = NULL;
2236         size_t full_packet_data_len;
2237         DATA_BLOB auth_blob;
2238
2239         *pstatus = NT_STATUS_OK;
2240
2241         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2242                 return True;
2243         }
2244
2245         if (!a) {
2246                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2247                 return False;
2248         }
2249
2250         /* Ensure there's enough data for an authenticated request. */
2251         if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN
2252                         + auth_len > p->hdr.frag_len) {
2253                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2254                         (unsigned int)auth_len ));
2255                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2256                 return False;
2257         }
2258
2259         /*
2260          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2261          * after the RPC header.
2262          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2263          * functions as NTLMv2 checks the rpc headers also.
2264          * Both of these values include any auth_pad_len bytes.
2265          */
2266
2267         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2268         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2269
2270         full_packet_data = p->in_data.current_in_pdu;
2271         full_packet_data_len = p->hdr.frag_len - auth_len;
2272
2273         /* Pull the auth header and the following data into a blob. */
2274         /* NB. The offset of the auth_header is relative to the *end*
2275          * of the packet, not the start. Also, the length of the
2276          * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2277          * as the RPC header isn't included in rpc_in_p. */
2278         if(!prs_set_offset(rpc_in,
2279                         p->hdr.frag_len - RPC_HEADER_LEN -
2280                         RPC_HDR_AUTH_LEN - auth_len)) {
2281                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move "
2282                         "offset to %u.\n",
2283                         (unsigned int)(p->hdr.frag_len -
2284                                 RPC_HDR_AUTH_LEN - auth_len) ));
2285                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2286                 return False;
2287         }
2288
2289         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2290                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to "
2291                         "unmarshall RPC_HDR_AUTH.\n"));
2292                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2293                 return False;
2294         }
2295
2296         /* Ensure auth_pad_len fits into the packet. */
2297         if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2298                         RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2299                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_info.auth_pad_len "
2300                         "too large (%u), auth_len (%u), frag_len = (%u).\n",
2301                         (unsigned int)auth_info.auth_pad_len,
2302                         (unsigned int)auth_len,
2303                         (unsigned int)p->hdr.frag_len ));
2304                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2305                 return False;
2306         }
2307
2308         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2309         auth_blob.length = auth_len;
2310
2311         switch (p->auth.auth_level) {
2312                 case DCERPC_AUTH_LEVEL_PRIVACY:
2313                         /* Data is encrypted. */
2314                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2315                                                         data, data_len,
2316                                                         full_packet_data,
2317                                                         full_packet_data_len,
2318                                                         &auth_blob);
2319                         if (!NT_STATUS_IS_OK(*pstatus)) {
2320                                 return False;
2321                         }
2322                         break;
2323                 case DCERPC_AUTH_LEVEL_INTEGRITY:
2324                         /* Data is signed. */
2325                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2326                                                         data, data_len,
2327                                                         full_packet_data,
2328                                                         full_packet_data_len,
2329                                                         &auth_blob);
2330                         if (!NT_STATUS_IS_OK(*pstatus)) {
2331                                 return False;
2332                         }
2333                         break;
2334                 default:
2335                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2336                         return False;
2337         }
2338
2339         /*
2340          * Return the current pointer to the data offset.
2341          */
2342
2343         if(!prs_set_offset(rpc_in, save_offset)) {
2344                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2345                         (unsigned int)save_offset ));
2346                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2347                 return False;
2348         }
2349
2350         /*
2351          * Remember the padding length. We must remove it from the real data
2352          * stream once the sign/seal is done.
2353          */
2354
2355         *p_ss_padding_len = auth_info.auth_pad_len;
2356
2357         return True;
2358 }
2359
2360 /****************************************************************************
2361  Deal with schannel processing on an RPC request.
2362 ****************************************************************************/
2363
2364 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2365 {
2366         uint32 data_len;
2367         uint32 auth_len;
2368         uint32 save_offset = prs_offset(rpc_in);
2369         RPC_HDR_AUTH auth_info;
2370         DATA_BLOB blob;
2371         NTSTATUS status;
2372         uint8_t *data;
2373
2374         auth_len = p->hdr.auth_len;
2375
2376         if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2377                         auth_len > RPC_HEADER_LEN +
2378                                         RPC_HDR_REQ_LEN +
2379                                         RPC_HDR_AUTH_LEN +
2380                                         auth_len) {
2381                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2382                 return False;
2383         }
2384
2385         /*
2386          * The following is that length of the data we must verify or unseal.
2387          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2388          * preceeding the auth_data, but does include the auth_pad_len bytes.
2389          */
2390
2391         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2392                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2393                         (unsigned int)p->hdr.frag_len,
2394                         (unsigned int)auth_len ));
2395                 return False;
2396         }
2397
2398         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2399                 RPC_HDR_AUTH_LEN - auth_len;
2400
2401         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2402
2403         /* Pull the auth header and the following data into a blob. */
2404         /* NB. The offset of the auth_header is relative to the *end*
2405          * of the packet, not the start. Also, the length of the
2406          * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2407          * as the RPC header isn't included in rpc_in_p. */
2408         if(!prs_set_offset(rpc_in,
2409                         p->hdr.frag_len - RPC_HEADER_LEN -
2410                         RPC_HDR_AUTH_LEN - auth_len)) {
2411                 DEBUG(0,("api_pipe_schannel_process: cannot move "
2412                         "offset to %u.\n",
2413                         (unsigned int)(p->hdr.frag_len -
2414                                 RPC_HDR_AUTH_LEN - auth_len) ));
2415                 return False;
2416         }
2417
2418         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2419                 DEBUG(0,("api_pipe_schannel_process: failed to "
2420                         "unmarshall RPC_HDR_AUTH.\n"));
2421                 return False;
2422         }
2423
2424         /* Ensure auth_pad_len fits into the packet. */
2425         if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2426                         RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2427                 DEBUG(0,("api_pipe_schannel_process: auth_info.auth_pad_len "
2428                         "too large (%u), auth_len (%u), frag_len = (%u).\n",
2429                         (unsigned int)auth_info.auth_pad_len,
2430                         (unsigned int)auth_len,
2431                         (unsigned int)p->hdr.frag_len ));
2432                 return False;
2433         }
2434
2435         if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2436                 DEBUG(0,("Invalid auth info %d on schannel\n",
2437                          auth_info.auth_type));
2438                 return False;
2439         }
2440
2441         blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2442
2443         if (DEBUGLEVEL >= 10) {
2444                 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2445         }
2446
2447         data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2448
2449         switch (auth_info.auth_level) {
2450         case DCERPC_AUTH_LEVEL_PRIVACY:
2451                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2452                                                 talloc_tos(),
2453                                                 true,
2454                                                 data,
2455                                                 data_len,
2456                                                 &blob);
2457                 break;
2458         case DCERPC_AUTH_LEVEL_INTEGRITY:
2459                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2460                                                 talloc_tos(),
2461                                                 false,
2462                                                 data,
2463                                                 data_len,
2464                                                 &blob);
2465                 break;
2466         default:
2467                 status = NT_STATUS_INTERNAL_ERROR;
2468                 break;
2469         }
2470
2471         if (!NT_STATUS_IS_OK(status)) {
2472                 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2473                 return false;
2474         }
2475
2476         /*
2477          * Return the current pointer to the data offset.
2478          */
2479
2480         if(!prs_set_offset(rpc_in, save_offset)) {
2481                 DEBUG(0,("failed to set offset back to %u\n",
2482                          (unsigned int)save_offset ));
2483                 return False;
2484         }
2485
2486         /*
2487          * Remember the padding length. We must remove it from the real data
2488          * stream once the sign/seal is done.
2489          */
2490
2491         *p_ss_padding_len = auth_info.auth_pad_len;
2492
2493         return True;
2494 }
2495
2496 /****************************************************************************
2497  Find the set of RPC functions associated with this context_id
2498 ****************************************************************************/
2499
2500 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2501 {
2502         PIPE_RPC_FNS *fns = NULL;
2503
2504         if ( !list ) {
2505                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2506                 return NULL;
2507         }
2508
2509         for (fns=list; fns; fns=fns->next ) {
2510                 if ( fns->context_id == context_id )
2511                         return fns;
2512         }
2513         return NULL;
2514 }
2515
2516 /****************************************************************************
2517  Memory cleanup.
2518 ****************************************************************************/
2519
2520 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2521 {
2522         PIPE_RPC_FNS *tmp = list;
2523         PIPE_RPC_FNS *tmp2;
2524
2525         while (tmp) {
2526                 tmp2 = tmp->next;
2527                 SAFE_FREE(tmp);
2528                 tmp = tmp2;
2529         }
2530
2531         return; 
2532 }
2533
2534 static bool api_rpcTNP(pipes_struct *p,
2535                        const struct api_struct *api_rpc_cmds, int n_cmds);
2536
2537 /****************************************************************************
2538  Find the correct RPC function to call for this request.
2539  If the pipe is authenticated then become the correct UNIX user
2540  before doing the call.
2541 ****************************************************************************/
2542
2543 bool api_pipe_request(pipes_struct *p)
2544 {
2545         bool ret = False;
2546         bool changed_user = False;
2547         PIPE_RPC_FNS *pipe_fns;
2548
2549         if (p->pipe_bound &&
2550                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2551                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2552                 if(!become_authenticated_pipe_user(p)) {
2553                         prs_mem_free(&p->out_data.rdata);
2554                         return False;
2555                 }
2556                 changed_user = True;
2557         }
2558
2559         DEBUG(5, ("Requested \\PIPE\\%s\n",
2560                   get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2561
2562         /* get the set of RPC functions for this context */
2563
2564         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2565
2566         if ( pipe_fns ) {
2567                 TALLOC_CTX *frame = talloc_stackframe();
2568                 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2569                 TALLOC_FREE(frame);
2570         }
2571         else {
2572                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2573                         p->hdr_req.context_id,
2574                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2575         }
2576
2577         if (changed_user) {
2578                 unbecome_authenticated_pipe_user();
2579         }
2580
2581         return ret;
2582 }
2583
2584 /*******************************************************************
2585  Calls the underlying RPC function for a named pipe.
2586  ********************************************************************/
2587
2588 static bool api_rpcTNP(pipes_struct *p,
2589                        const struct api_struct *api_rpc_cmds, int n_cmds)
2590 {
2591         int fn_num;
2592         uint32 offset1, offset2;
2593
2594         /* interpret the command */
2595         DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2596                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2597                  p->hdr_req.opnum));
2598
2599         if (DEBUGLEVEL >= 50) {
2600                 fstring name;
2601                 slprintf(name, sizeof(name)-1, "in_%s",
2602                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2603                 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2604         }
2605
2606         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2607                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2608                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2609                         break;
2610                 }
2611         }
2612
2613         if (fn_num == n_cmds) {
2614                 /*
2615                  * For an unknown RPC just return a fault PDU but
2616                  * return True to allow RPC's on the pipe to continue
2617                  * and not put the pipe into fault state. JRA.
2618                  */
2619                 DEBUG(4, ("unknown\n"));
2620                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2621                 return True;
2622         }
2623
2624         offset1 = prs_offset(&p->out_data.rdata);
2625
2626         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2627                 fn_num, api_rpc_cmds[fn_num].fn));
2628         /* do the actual command */
2629         if(!api_rpc_cmds[fn_num].fn(p)) {
2630                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2631                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2632                          api_rpc_cmds[fn_num].name));
2633                 prs_mem_free(&p->out_data.rdata);
2634                 return False;
2635         }
2636
2637         if (p->bad_handle_fault_state) {
2638                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2639                 p->bad_handle_fault_state = False;
2640                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2641                 return True;
2642         }
2643
2644         if (p->rng_fault_state) {
2645                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2646                 p->rng_fault_state = False;
2647                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2648                 return True;
2649         }
2650
2651         offset2 = prs_offset(&p->out_data.rdata);
2652         prs_set_offset(&p->out_data.rdata, offset1);
2653         if (DEBUGLEVEL >= 50) {
2654                 fstring name;
2655                 slprintf(name, sizeof(name)-1, "out_%s",
2656                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2657                 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2658         }
2659         prs_set_offset(&p->out_data.rdata, offset2);
2660
2661         DEBUG(5,("api_rpcTNP: called %s successfully\n",
2662                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2663
2664         /* Check for buffer underflow in rpc parsing */
2665
2666         if ((DEBUGLEVEL >= 10) && 
2667             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2668                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2669                 char *data = (char *)SMB_MALLOC(data_len);
2670
2671                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2672                 if (data) {
2673                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2674                         SAFE_FREE(data);
2675                 }
2676
2677         }
2678
2679         return True;
2680 }