s3:schannel streamline interface
[ira/wip.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31 #include "../librpc/gen_ndr/ndr_schannel.h"
32 #include "../libcli/auth/schannel.h"
33 #include "../libcli/auth/spnego.h"
34 #include "ntlmssp.h"
35
36 extern struct current_user current_user;
37
38 #undef DBGC_CLASS
39 #define DBGC_CLASS DBGC_RPC_SRV
40
41 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
42 {
43         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
44
45         if (a) {
46                 auth_ntlmssp_end(&a);
47         }
48         auth->a_u.auth_ntlmssp_state = NULL;
49 }
50
51 static DATA_BLOB generic_session_key(void)
52 {
53         return data_blob("SystemLibraryDTC", 16);
54 }
55
56 /*******************************************************************
57  Generate the next PDU to be returned from the data in p->rdata. 
58  Handle NTLMSSP.
59  ********************************************************************/
60
61 static bool create_next_pdu_ntlmssp(pipes_struct *p)
62 {
63         RPC_HDR_RESP hdr_resp;
64         uint32 ss_padding_len = 0;
65         uint32 data_space_available;
66         uint32 data_len_left;
67         uint32 data_len;
68         NTSTATUS status;
69         DATA_BLOB auth_blob;
70         RPC_HDR_AUTH auth_info;
71         uint8 auth_type, auth_level;
72         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
73
74         /*
75          * If we're in the fault state, keep returning fault PDU's until
76          * the pipe gets closed. JRA.
77          */
78
79         if(p->fault_state) {
80                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
81                 return True;
82         }
83
84         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
85
86         /* Change the incoming request header to a response. */
87         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
88
89         /* Set up rpc header flags. */
90         if (p->out_data.data_sent_length == 0) {
91                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
92         } else {
93                 p->hdr.flags = 0;
94         }
95
96         /*
97          * Work out how much we can fit in a single PDU.
98          */
99
100         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
101
102         /*
103          * Ensure there really is data left to send.
104          */
105
106         if(!data_len_left) {
107                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
108                 return False;
109         }
110
111         /* Space available - not including padding. */
112         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN -
113                 RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
114
115         /*
116          * The amount we send is the minimum of the available
117          * space and the amount left to send.
118          */
119
120         data_len = MIN(data_len_left, data_space_available);
121
122         /* Work out any padding alignment requirements. */
123         if ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE) {
124                 ss_padding_len = SERVER_NDR_PADDING_SIZE -
125                         ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE);
126                 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
127                         ss_padding_len ));
128                 /* If we're over filling the packet, we need to make space
129                  * for the padding at the end of the data. */
130                 if (data_len + ss_padding_len > data_space_available) {
131                         data_len -= SERVER_NDR_PADDING_SIZE;
132                 }
133         }
134
135         /*
136          * Set up the alloc hint. This should be the data left to
137          * send.
138          */
139
140         hdr_resp.alloc_hint = data_len_left;
141
142         /*
143          * Work out if this PDU will be the last.
144          */
145
146         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
147                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
148         }
149
150         /*
151          * Set up the header lengths.
152          */
153
154         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
155                         data_len + ss_padding_len +
156                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
157         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
158
159
160         /*
161          * Init the parse struct to point at the outgoing
162          * data.
163          */
164
165         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
166
167         /* Store the header in the data stream. */
168         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
169                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
170                 prs_mem_free(&p->out_data.frag);
171                 return False;
172         }
173
174         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
175                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
176                 prs_mem_free(&p->out_data.frag);
177                 return False;
178         }
179
180         /* Copy the data into the PDU. */
181
182         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
183                                      p->out_data.data_sent_length, data_len)) {
184                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
185                 prs_mem_free(&p->out_data.frag);
186                 return False;
187         }
188
189         /* Copy the sign/seal padding data. */
190         if (ss_padding_len) {
191                 char pad[SERVER_NDR_PADDING_SIZE];
192
193                 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
194                 if (!prs_copy_data_in(&p->out_data.frag, pad,
195                                       ss_padding_len)) {
196                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
197                                         (unsigned int)ss_padding_len));
198                         prs_mem_free(&p->out_data.frag);
199                         return False;
200                 }
201         }
202
203
204         /* Now write out the auth header and null blob. */
205         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
206                 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
207         } else {
208                 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
209         }
210         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
211                 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
212         } else {
213                 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
214         }
215
216         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
217
218         if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
219                                 &p->out_data.frag, 0)) {
220                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
221                 prs_mem_free(&p->out_data.frag);
222                 return False;
223         }
224
225         /* Generate the sign blob. */
226
227         switch (p->auth.auth_level) {
228                 case DCERPC_AUTH_LEVEL_PRIVACY:
229                         /* Data portion is encrypted. */
230                         status = ntlmssp_seal_packet(
231                                 a->ntlmssp_state,
232                                 (uint8_t *)prs_data_p(&p->out_data.frag)
233                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
234                                 data_len + ss_padding_len,
235                                 (unsigned char *)prs_data_p(&p->out_data.frag),
236                                 (size_t)prs_offset(&p->out_data.frag),
237                                 &auth_blob);
238                         if (!NT_STATUS_IS_OK(status)) {
239                                 data_blob_free(&auth_blob);
240                                 prs_mem_free(&p->out_data.frag);
241                                 return False;
242                         }
243                         break;
244                 case DCERPC_AUTH_LEVEL_INTEGRITY:
245                         /* Data is signed. */
246                         status = ntlmssp_sign_packet(
247                                 a->ntlmssp_state,
248                                 (unsigned char *)prs_data_p(&p->out_data.frag)
249                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
250                                 data_len + ss_padding_len,
251                                 (unsigned char *)prs_data_p(&p->out_data.frag),
252                                 (size_t)prs_offset(&p->out_data.frag),
253                                 &auth_blob);
254                         if (!NT_STATUS_IS_OK(status)) {
255                                 data_blob_free(&auth_blob);
256                                 prs_mem_free(&p->out_data.frag);
257                                 return False;
258                         }
259                         break;
260                 default:
261                         prs_mem_free(&p->out_data.frag);
262                         return False;
263         }
264
265         /* Append the auth blob. */
266         if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
267                               NTLMSSP_SIG_SIZE)) {
268                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
269                                 (unsigned int)NTLMSSP_SIG_SIZE));
270                 data_blob_free(&auth_blob);
271                 prs_mem_free(&p->out_data.frag);
272                 return False;
273         }
274
275         data_blob_free(&auth_blob);
276
277         /*
278          * Setup the counts for this PDU.
279          */
280
281         p->out_data.data_sent_length += data_len;
282         p->out_data.current_pdu_sent = 0;
283
284         return True;
285 }
286
287 /*******************************************************************
288  Generate the next PDU to be returned from the data in p->rdata. 
289  Return an schannel authenticated fragment.
290  ********************************************************************/
291
292 static bool create_next_pdu_schannel(pipes_struct *p)
293 {
294         RPC_HDR_RESP hdr_resp;
295         uint32 ss_padding_len = 0;
296         uint32 data_len;
297         uint32 data_space_available;
298         uint32 data_len_left;
299         uint32 data_pos;
300         NTSTATUS status;
301
302         /*
303          * If we're in the fault state, keep returning fault PDU's until
304          * the pipe gets closed. JRA.
305          */
306
307         if(p->fault_state) {
308                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
309                 return True;
310         }
311
312         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
313
314         /* Change the incoming request header to a response. */
315         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
316
317         /* Set up rpc header flags. */
318         if (p->out_data.data_sent_length == 0) {
319                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
320         } else {
321                 p->hdr.flags = 0;
322         }
323
324         /*
325          * Work out how much we can fit in a single PDU.
326          */
327
328         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
329
330         /*
331          * Ensure there really is data left to send.
332          */
333
334         if(!data_len_left) {
335                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
336                 return False;
337         }
338
339         /* Space available - not including padding. */
340         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
341                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
342                 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
343
344         /*
345          * The amount we send is the minimum of the available
346          * space and the amount left to send.
347          */
348
349         data_len = MIN(data_len_left, data_space_available);
350
351         /* Work out any padding alignment requirements. */
352         if ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE) {
353                 ss_padding_len = SERVER_NDR_PADDING_SIZE -
354                         ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE);
355                 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
356                         ss_padding_len ));
357                 /* If we're over filling the packet, we need to make space
358                  * for the padding at the end of the data. */
359                 if (data_len + ss_padding_len > data_space_available) {
360                         data_len -= SERVER_NDR_PADDING_SIZE;
361                 }
362         }
363
364         /*
365          * Set up the alloc hint. This should be the data left to
366          * send.
367          */
368
369         hdr_resp.alloc_hint = data_len_left;
370
371         /*
372          * Work out if this PDU will be the last.
373          */
374
375         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
376                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
377         }
378
379         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
380                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
381         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
382
383         /*
384          * Init the parse struct to point at the outgoing
385          * data.
386          */
387
388         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
389
390         /* Store the header in the data stream. */
391         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
392                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
393                 prs_mem_free(&p->out_data.frag);
394                 return False;
395         }
396
397         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
398                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
399                 prs_mem_free(&p->out_data.frag);
400                 return False;
401         }
402
403         /* Store the current offset. */
404         data_pos = prs_offset(&p->out_data.frag);
405
406         /* Copy the data into the PDU. */
407
408         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
409                                      p->out_data.data_sent_length, data_len)) {
410                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
411                 prs_mem_free(&p->out_data.frag);
412                 return False;
413         }
414
415         /* Copy the sign/seal padding data. */
416         if (ss_padding_len) {
417                 char pad[SERVER_NDR_PADDING_SIZE];
418                 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
419                 if (!prs_copy_data_in(&p->out_data.frag, pad,
420                                       ss_padding_len)) {
421                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
422                         prs_mem_free(&p->out_data.frag);
423                         return False;
424                 }
425         }
426
427         {
428                 /*
429                  * Schannel processing.
430                  */
431                 RPC_HDR_AUTH auth_info;
432                 DATA_BLOB blob;
433                 uint8_t *data;
434
435                 /* Check it's the type of reply we were expecting to decode */
436
437                 init_rpc_hdr_auth(&auth_info,
438                                 DCERPC_AUTH_TYPE_SCHANNEL,
439                                 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
440                                         DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
441                                 ss_padding_len, 1);
442
443                 if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
444                                         &p->out_data.frag, 0)) {
445                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
446                         prs_mem_free(&p->out_data.frag);
447                         return False;
448                 }
449
450                 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
451
452                 switch (p->auth.auth_level) {
453                 case DCERPC_AUTH_LEVEL_PRIVACY:
454                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
455                                                         talloc_tos(),
456                                                         true,
457                                                         data,
458                                                         data_len + ss_padding_len,
459                                                         &blob);
460                         break;
461                 case DCERPC_AUTH_LEVEL_INTEGRITY:
462                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
463                                                         talloc_tos(),
464                                                         false,
465                                                         data,
466                                                         data_len + ss_padding_len,
467                                                         &blob);
468                         break;
469                 default:
470                         status = NT_STATUS_INTERNAL_ERROR;
471                         break;
472                 }
473
474                 if (!NT_STATUS_IS_OK(status)) {
475                         DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
476                                 nt_errstr(status)));
477                         prs_mem_free(&p->out_data.frag);
478                         return false;
479                 }
480
481                 /* Finally marshall the blob. */
482
483                 if (DEBUGLEVEL >= 10) {
484                         dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
485                 }
486
487                 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
488                         prs_mem_free(&p->out_data.frag);
489                         return false;
490                 }
491         }
492
493         /*
494          * Setup the counts for this PDU.
495          */
496
497         p->out_data.data_sent_length += data_len;
498         p->out_data.current_pdu_sent = 0;
499
500         return True;
501 }
502
503 /*******************************************************************
504  Generate the next PDU to be returned from the data in p->rdata. 
505  No authentication done.
506 ********************************************************************/
507
508 static bool create_next_pdu_noauth(pipes_struct *p)
509 {
510         RPC_HDR_RESP hdr_resp;
511         uint32 data_len;
512         uint32 data_space_available;
513         uint32 data_len_left;
514
515         /*
516          * If we're in the fault state, keep returning fault PDU's until
517          * the pipe gets closed. JRA.
518          */
519
520         if(p->fault_state) {
521                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
522                 return True;
523         }
524
525         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
526
527         /* Change the incoming request header to a response. */
528         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
529
530         /* Set up rpc header flags. */
531         if (p->out_data.data_sent_length == 0) {
532                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
533         } else {
534                 p->hdr.flags = 0;
535         }
536
537         /*
538          * Work out how much we can fit in a single PDU.
539          */
540
541         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
542
543         /*
544          * Ensure there really is data left to send.
545          */
546
547         if(!data_len_left) {
548                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
549                 return False;
550         }
551
552         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
553                 - RPC_HDR_RESP_LEN;
554
555         /*
556          * The amount we send is the minimum of the available
557          * space and the amount left to send.
558          */
559
560         data_len = MIN(data_len_left, data_space_available);
561
562         /*
563          * Set up the alloc hint. This should be the data left to
564          * send.
565          */
566
567         hdr_resp.alloc_hint = data_len_left;
568
569         /*
570          * Work out if this PDU will be the last.
571          */
572
573         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
574                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
575         }
576
577         /*
578          * Set up the header lengths.
579          */
580
581         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
582         p->hdr.auth_len = 0;
583
584         /*
585          * Init the parse struct to point at the outgoing
586          * data.
587          */
588
589         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
590
591         /* Store the header in the data stream. */
592         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
593                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
594                 prs_mem_free(&p->out_data.frag);
595                 return False;
596         }
597
598         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
599                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
600                 prs_mem_free(&p->out_data.frag);
601                 return False;
602         }
603
604         /* Copy the data into the PDU. */
605
606         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
607                                      p->out_data.data_sent_length, data_len)) {
608                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
609                 prs_mem_free(&p->out_data.frag);
610                 return False;
611         }
612
613         /*
614          * Setup the counts for this PDU.
615          */
616
617         p->out_data.data_sent_length += data_len;
618         p->out_data.current_pdu_sent = 0;
619
620         return True;
621 }
622
623 /*******************************************************************
624  Generate the next PDU to be returned from the data in p->rdata. 
625 ********************************************************************/
626
627 bool create_next_pdu(pipes_struct *p)
628 {
629         switch(p->auth.auth_level) {
630                 case DCERPC_AUTH_LEVEL_NONE:
631                 case DCERPC_AUTH_LEVEL_CONNECT:
632                         /* This is incorrect for auth level connect. Fixme. JRA */
633                         return create_next_pdu_noauth(p);
634
635                 default:
636                         switch(p->auth.auth_type) {
637                                 case PIPE_AUTH_TYPE_NTLMSSP:
638                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
639                                         return create_next_pdu_ntlmssp(p);
640                                 case PIPE_AUTH_TYPE_SCHANNEL:
641                                         return create_next_pdu_schannel(p);
642                                 default:
643                                         break;
644                         }
645         }
646
647         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
648                         (unsigned int)p->auth.auth_level,
649                         (unsigned int)p->auth.auth_type));
650         return False;
651 }
652
653 /*******************************************************************
654  Process an NTLMSSP authentication response.
655  If this function succeeds, the user has been authenticated
656  and their domain, name and calling workstation stored in
657  the pipe struct.
658 *******************************************************************/
659
660 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
661 {
662         DATA_BLOB session_key, reply;
663         NTSTATUS status;
664         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
665         bool ret;
666
667         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
668                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
669
670         ZERO_STRUCT(reply);
671
672         /* this has to be done as root in order to verify the password */
673         become_root();
674         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
675         unbecome_root();
676
677         /* Don't generate a reply. */
678         data_blob_free(&reply);
679
680         if (!NT_STATUS_IS_OK(status)) {
681                 return False;
682         }
683
684         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
685            ensure the underlying NTLMSSP flags are also set. If not we should
686            refuse the bind. */
687
688         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
689                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
690                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
691                                 "but client declined signing.\n",
692                                  get_pipe_name_from_syntax(talloc_tos(),
693                                                            &p->syntax)));
694                         return False;
695                 }
696         }
697         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
698                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
699                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
700                                 "but client declined sealing.\n",
701                                  get_pipe_name_from_syntax(talloc_tos(),
702                                                            &p->syntax)));
703                         return False;
704                 }
705         }
706
707         DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
708                   "workstation: %s\n", a->ntlmssp_state->user,
709                   a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
710
711         if (a->server_info->ptok == NULL) {
712                 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
713                 return False;
714         }
715
716         TALLOC_FREE(p->server_info);
717
718         p->server_info = copy_serverinfo(p, a->server_info);
719         if (p->server_info == NULL) {
720                 DEBUG(0, ("copy_serverinfo failed\n"));
721                 return false;
722         }
723
724         /*
725          * We're an authenticated bind over smb, so the session key needs to
726          * be set to "SystemLibraryDTC". Weird, but this is what Windows
727          * does. See the RPC-SAMBA3SESSIONKEY.
728          */
729
730         session_key = generic_session_key();
731         if (session_key.data == NULL) {
732                 return False;
733         }
734
735         ret = server_info_set_session_key(p->server_info, session_key);
736
737         data_blob_free(&session_key);
738
739         return True;
740 }
741
742 /*******************************************************************
743  The switch table for the pipe names and the functions to handle them.
744 *******************************************************************/
745
746 struct rpc_table {
747         struct {
748                 const char *clnt;
749                 const char *srv;
750         } pipe;
751         struct ndr_syntax_id rpc_interface;
752         const struct api_struct *cmds;
753         int n_cmds;
754 };
755
756 static struct rpc_table *rpc_lookup;
757 static int rpc_lookup_size;
758
759 /*******************************************************************
760  This is the "stage3" NTLMSSP response after a bind request and reply.
761 *******************************************************************/
762
763 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
764 {
765         RPC_HDR_AUTH auth_info;
766         uint32 pad = 0;
767         DATA_BLOB blob;
768         uint32_t auth_len = p->hdr.auth_len;
769
770         ZERO_STRUCT(blob);
771
772         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
773
774         if (auth_len == 0) {
775                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
776                 goto err;
777         }
778
779         /* 4 bytes padding. */
780         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
781                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
782                 goto err;
783         }
784
785         /* Ensure there's enough data for an authenticated request. */
786         if (RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + auth_len >
787                                 p->hdr.frag_len) {
788                         DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
789                                 "%u is too large.\n",
790                         (unsigned int)auth_len ));
791                 goto err;
792         }
793
794         /*
795          * Decode the authentication verifier response.
796          */
797
798         /* Pull the auth header and the following data into a blob. */
799         /* NB. The offset of the auth_header is relative to the *end*
800          * of the packet, not the start. Also, the length of the
801          * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
802          * as the RPC header isn't included in rpc_in_p. */
803         if(!prs_set_offset(rpc_in_p,
804                         p->hdr.frag_len - RPC_HEADER_LEN -
805                         RPC_HDR_AUTH_LEN - auth_len)) {
806                 DEBUG(0,("api_pipe_bind_auth3: cannot move "
807                         "offset to %u.\n",
808                         (unsigned int)(p->hdr.frag_len -
809                                 RPC_HDR_AUTH_LEN - auth_len) ));
810                 goto err;
811         }
812
813         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in_p, 0)) {
814                 DEBUG(0,("api_pipe_bind_auth3: failed to "
815                         "unmarshall RPC_HDR_AUTH.\n"));
816                 goto err;
817         }
818
819         /* We must NEVER look at auth_info->auth_pad_len here,
820          * as old Samba client code gets it wrong and sends it
821          * as zero. JRA.
822          */
823
824         if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
825                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
826                         (unsigned int)auth_info.auth_type ));
827                 return False;
828         }
829
830         blob = data_blob(NULL,p->hdr.auth_len);
831
832         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
833                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
834                         (unsigned int)p->hdr.auth_len ));
835                 goto err;
836         }
837
838         /*
839          * The following call actually checks the challenge/response data.
840          * for correctness against the given DOMAIN\user name.
841          */
842
843         if (!pipe_ntlmssp_verify_final(p, &blob)) {
844                 goto err;
845         }
846
847         data_blob_free(&blob);
848
849         p->pipe_bound = True;
850
851         return True;
852
853  err:
854
855         data_blob_free(&blob);
856         free_pipe_ntlmssp_auth_data(&p->auth);
857         p->auth.a_u.auth_ntlmssp_state = NULL;
858
859         return False;
860 }
861
862 /*******************************************************************
863  Marshall a bind_nak pdu.
864 *******************************************************************/
865
866 static bool setup_bind_nak(pipes_struct *p)
867 {
868         RPC_HDR nak_hdr;
869         uint16 zero = 0;
870
871         /* Free any memory in the current return data buffer. */
872         prs_mem_free(&p->out_data.rdata);
873
874         /*
875          * Marshall directly into the outgoing PDU space. We
876          * must do this as we need to set to the bind response
877          * header and are never sending more than one PDU here.
878          */
879
880         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
881
882         /*
883          * Initialize a bind_nak header.
884          */
885
886         init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
887                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
888
889         /*
890          * Marshall the header into the outgoing PDU.
891          */
892
893         if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
894                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
895                 prs_mem_free(&p->out_data.frag);
896                 return False;
897         }
898
899         /*
900          * Now add the reject reason.
901          */
902
903         if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
904                 prs_mem_free(&p->out_data.frag);
905                 return False;
906         }
907
908         p->out_data.data_sent_length = 0;
909         p->out_data.current_pdu_sent = 0;
910
911         if (p->auth.auth_data_free_func) {
912                 (*p->auth.auth_data_free_func)(&p->auth);
913         }
914         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
915         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
916         p->pipe_bound = False;
917
918         return True;
919 }
920
921 /*******************************************************************
922  Marshall a fault pdu.
923 *******************************************************************/
924
925 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
926 {
927         RPC_HDR fault_hdr;
928         RPC_HDR_RESP hdr_resp;
929         RPC_HDR_FAULT fault_resp;
930
931         /* Free any memory in the current return data buffer. */
932         prs_mem_free(&p->out_data.rdata);
933
934         /*
935          * Marshall directly into the outgoing PDU space. We
936          * must do this as we need to set to the bind response
937          * header and are never sending more than one PDU here.
938          */
939
940         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
941
942         /*
943          * Initialize a fault header.
944          */
945
946         init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
947             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
948
949         /*
950          * Initialize the HDR_RESP and FAULT parts of the PDU.
951          */
952
953         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
954
955         fault_resp.status = status;
956         fault_resp.reserved = 0;
957
958         /*
959          * Marshall the header into the outgoing PDU.
960          */
961
962         if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
963                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
964                 prs_mem_free(&p->out_data.frag);
965                 return False;
966         }
967
968         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
969                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
970                 prs_mem_free(&p->out_data.frag);
971                 return False;
972         }
973
974         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
975                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
976                 prs_mem_free(&p->out_data.frag);
977                 return False;
978         }
979
980         p->out_data.data_sent_length = 0;
981         p->out_data.current_pdu_sent = 0;
982
983         return True;
984 }
985
986 #if 0
987 /*******************************************************************
988  Marshall a cancel_ack pdu.
989  We should probably check the auth-verifier here.
990 *******************************************************************/
991
992 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
993 {
994         prs_struct outgoing_pdu;
995         RPC_HDR ack_reply_hdr;
996
997         /* Free any memory in the current return data buffer. */
998         prs_mem_free(&p->out_data.rdata);
999
1000         /*
1001          * Marshall directly into the outgoing PDU space. We
1002          * must do this as we need to set to the bind response
1003          * header and are never sending more than one PDU here.
1004          */
1005
1006         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
1007         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1008
1009         /*
1010          * Initialize a cancel_ack header.
1011          */
1012
1013         init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1014                         p->hdr.call_id, RPC_HEADER_LEN, 0);
1015
1016         /*
1017          * Marshall the header into the outgoing PDU.
1018          */
1019
1020         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
1021                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
1022                 prs_mem_free(&outgoing_pdu);
1023                 return False;
1024         }
1025
1026         p->out_data.data_sent_length = 0;
1027         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
1028         p->out_data.current_pdu_sent = 0;
1029
1030         prs_mem_free(&outgoing_pdu);
1031         return True;
1032 }
1033 #endif
1034
1035 /*******************************************************************
1036  Ensure a bind request has the correct abstract & transfer interface.
1037  Used to reject unknown binds from Win2k.
1038 *******************************************************************/
1039
1040 static bool check_bind_req(struct pipes_struct *p,
1041                            struct ndr_syntax_id* abstract,
1042                            struct ndr_syntax_id* transfer,
1043                            uint32 context_id)
1044 {
1045         int i=0;
1046         struct pipe_rpc_fns *context_fns;
1047
1048         DEBUG(3,("check_bind_req for %s\n",
1049                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1050
1051         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
1052
1053         for (i=0; i<rpc_lookup_size; i++) {
1054                 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
1055                 if (ndr_syntax_id_equal(
1056                             abstract, &rpc_lookup[i].rpc_interface)
1057                     && ndr_syntax_id_equal(
1058                             transfer, &ndr_transfer_syntax)) {
1059                         break;
1060                 }
1061         }
1062
1063         if (i == rpc_lookup_size) {
1064                 return false;
1065         }
1066
1067         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1068         if (context_fns == NULL) {
1069                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1070                 return False;
1071         }
1072
1073         context_fns->cmds = rpc_lookup[i].cmds;
1074         context_fns->n_cmds = rpc_lookup[i].n_cmds;
1075         context_fns->context_id = context_id;
1076
1077         /* add to the list of open contexts */
1078
1079         DLIST_ADD( p->contexts, context_fns );
1080
1081         return True;
1082 }
1083
1084 /*******************************************************************
1085  Register commands to an RPC pipe
1086 *******************************************************************/
1087
1088 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1089                           const struct ndr_interface_table *iface,
1090                           const struct api_struct *cmds, int size)
1091 {
1092         struct rpc_table *rpc_entry;
1093
1094         if (!clnt || !srv || !cmds) {
1095                 return NT_STATUS_INVALID_PARAMETER;
1096         }
1097
1098         if (version != SMB_RPC_INTERFACE_VERSION) {
1099                 DEBUG(0,("Can't register rpc commands!\n"
1100                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1101                          ", while this version of samba uses version %d!\n", 
1102                          version,SMB_RPC_INTERFACE_VERSION));
1103                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1104         }
1105
1106         /* TODO: 
1107          *
1108          * we still need to make sure that don't register the same commands twice!!!
1109          * 
1110          * --metze
1111          */
1112
1113         /* We use a temporary variable because this call can fail and 
1114            rpc_lookup will still be valid afterwards.  It could then succeed if
1115            called again later */
1116         rpc_lookup_size++;
1117         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1118         if (NULL == rpc_entry) {
1119                 rpc_lookup_size--;
1120                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1121                 return NT_STATUS_NO_MEMORY;
1122         } else {
1123                 rpc_lookup = rpc_entry;
1124         }
1125
1126         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1127         ZERO_STRUCTP(rpc_entry);
1128         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1129         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1130         rpc_entry->rpc_interface = iface->syntax_id;
1131         rpc_entry->cmds = cmds;
1132         rpc_entry->n_cmds = size;
1133
1134         return NT_STATUS_OK;
1135 }
1136
1137 /**
1138  * Is a named pipe known?
1139  * @param[in] cli_filename      The pipe name requested by the client
1140  * @result                      Do we want to serve this?
1141  */
1142 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1143 {
1144         const char *pipename = cli_filename;
1145         int i;
1146         NTSTATUS status;
1147
1148         if (strnequal(pipename, "\\PIPE\\", 6)) {
1149                 pipename += 5;
1150         }
1151
1152         if (*pipename == '\\') {
1153                 pipename += 1;
1154         }
1155
1156         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1157                 DEBUG(10, ("refusing spoolss access\n"));
1158                 return false;
1159         }
1160
1161         for (i=0; i<rpc_lookup_size; i++) {
1162                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1163                         *syntax = rpc_lookup[i].rpc_interface;
1164                         return true;
1165                 }
1166         }
1167
1168         status = smb_probe_module("rpc", pipename);
1169         if (!NT_STATUS_IS_OK(status)) {
1170                 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1171                 return false;
1172         }
1173         DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
1174
1175         /*
1176          * Scan the list again for the interface id
1177          */
1178
1179         for (i=0; i<rpc_lookup_size; i++) {
1180                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1181                         *syntax = rpc_lookup[i].rpc_interface;
1182                         return true;
1183                 }
1184         }
1185
1186         DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
1187                    pipename));
1188
1189         return false;
1190 }
1191
1192 /*******************************************************************
1193  Handle a SPNEGO krb5 bind auth.
1194 *******************************************************************/
1195
1196 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1197                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1198 {
1199         return False;
1200 }
1201
1202 /*******************************************************************
1203  Handle the first part of a SPNEGO bind auth.
1204 *******************************************************************/
1205
1206 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1207                                         uint32_t ss_padding_len,
1208                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1209 {
1210         DATA_BLOB blob;
1211         DATA_BLOB secblob;
1212         DATA_BLOB response;
1213         DATA_BLOB chal;
1214         char *OIDs[ASN1_MAX_OIDS];
1215         int i;
1216         NTSTATUS status;
1217         bool got_kerberos_mechanism = false;
1218         AUTH_NTLMSSP_STATE *a = NULL;
1219         RPC_HDR_AUTH auth_info;
1220
1221         ZERO_STRUCT(secblob);
1222         ZERO_STRUCT(chal);
1223         ZERO_STRUCT(response);
1224
1225         /* Grab the SPNEGO blob. */
1226         blob = data_blob(NULL,p->hdr.auth_len);
1227
1228         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1229                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1230                         (unsigned int)p->hdr.auth_len ));
1231                 goto err;
1232         }
1233
1234         if (blob.data[0] != ASN1_APPLICATION(0)) {
1235                 goto err;
1236         }
1237
1238         /* parse out the OIDs and the first sec blob */
1239         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1240                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1241                 goto err;
1242         }
1243
1244         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1245                 got_kerberos_mechanism = true;
1246         }
1247
1248         for (i=0;OIDs[i];i++) {
1249                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1250                 TALLOC_FREE(OIDs[i]);
1251         }
1252         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1253
1254         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1255                 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1256                 data_blob_free(&secblob);
1257                 data_blob_free(&blob);
1258                 return ret;
1259         }
1260
1261         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1262                 /* Free any previous auth type. */
1263                 free_pipe_ntlmssp_auth_data(&p->auth);
1264         }
1265
1266         if (!got_kerberos_mechanism) {
1267                 /* Initialize the NTLM engine. */
1268                 status = auth_ntlmssp_start(&a);
1269                 if (!NT_STATUS_IS_OK(status)) {
1270                         goto err;
1271                 }
1272
1273                 /*
1274                  * Pass the first security blob of data to it.
1275                  * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1276                  * which means we need another packet to complete the bind.
1277                  */
1278
1279                 status = auth_ntlmssp_update(a, secblob, &chal);
1280
1281                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1282                         DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1283                         goto err;
1284                 }
1285
1286                 /* Generate the response blob we need for step 2 of the bind. */
1287                 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1288         } else {
1289                 /*
1290                  * SPNEGO negotiate down to NTLMSSP. The subsequent
1291                  * code to process follow-up packets is not complete
1292                  * yet. JRA.
1293                  */
1294                 response = spnego_gen_auth_response(NULL,
1295                                         NT_STATUS_MORE_PROCESSING_REQUIRED,
1296                                         OID_NTLMSSP);
1297         }
1298
1299         /* auth_pad_len will be handled by the caller */
1300
1301         /* Copy the blob into the pout_auth parse struct */
1302         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
1303                         pauth_info->auth_level, ss_padding_len, 1);
1304         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1305                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1306                 goto err;
1307         }
1308
1309         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1310                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1311                 goto err;
1312         }
1313
1314         p->auth.a_u.auth_ntlmssp_state = a;
1315         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1316         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1317
1318         data_blob_free(&blob);
1319         data_blob_free(&secblob);
1320         data_blob_free(&chal);
1321         data_blob_free(&response);
1322
1323         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1324         return True;
1325
1326  err:
1327
1328         data_blob_free(&blob);
1329         data_blob_free(&secblob);
1330         data_blob_free(&chal);
1331         data_blob_free(&response);
1332
1333         p->auth.a_u.auth_ntlmssp_state = NULL;
1334
1335         return False;
1336 }
1337
1338 /*******************************************************************
1339  Handle the second part of a SPNEGO bind auth.
1340 *******************************************************************/
1341
1342 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1343                                 uint32_t ss_padding_len,
1344                                 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1345 {
1346         RPC_HDR_AUTH auth_info;
1347         DATA_BLOB spnego_blob;
1348         DATA_BLOB auth_blob;
1349         DATA_BLOB auth_reply;
1350         DATA_BLOB response;
1351         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1352
1353         ZERO_STRUCT(spnego_blob);
1354         ZERO_STRUCT(auth_blob);
1355         ZERO_STRUCT(auth_reply);
1356         ZERO_STRUCT(response);
1357
1358         /*
1359          * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1360          * fail here as 'a' == NULL.
1361          */
1362         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1363                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1364                 goto err;
1365         }
1366
1367         /* Grab the SPNEGO blob. */
1368         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1369
1370         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1371                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1372                         (unsigned int)p->hdr.auth_len ));
1373                 goto err;
1374         }
1375
1376         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1377                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1378                 goto err;
1379         }
1380
1381         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1382                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1383                 goto err;
1384         }
1385
1386         /*
1387          * The following call actually checks the challenge/response data.
1388          * for correctness against the given DOMAIN\user name.
1389          */
1390
1391         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1392                 goto err;
1393         }
1394
1395         data_blob_free(&spnego_blob);
1396         data_blob_free(&auth_blob);
1397
1398         /* Generate the spnego "accept completed" blob - no incoming data. */
1399         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1400
1401         /* FIXME - add auth_pad_len here ! */
1402
1403         /* Copy the blob into the pout_auth parse struct */
1404         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
1405                         pauth_info->auth_level, ss_padding_len, 1);
1406         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1407                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1408                 goto err;
1409         }
1410
1411         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1412                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1413                 goto err;
1414         }
1415
1416         data_blob_free(&auth_reply);
1417         data_blob_free(&response);
1418
1419         p->pipe_bound = True;
1420
1421         return True;
1422
1423  err:
1424
1425         data_blob_free(&spnego_blob);
1426         data_blob_free(&auth_blob);
1427         data_blob_free(&auth_reply);
1428         data_blob_free(&response);
1429
1430         free_pipe_ntlmssp_auth_data(&p->auth);
1431         p->auth.a_u.auth_ntlmssp_state = NULL;
1432
1433         return False;
1434 }
1435
1436 /*******************************************************************
1437  Handle an schannel bind auth.
1438 *******************************************************************/
1439
1440 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1441                                         uint32_t ss_padding_len,
1442                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1443 {
1444         RPC_HDR_AUTH auth_info;
1445         struct NL_AUTH_MESSAGE neg;
1446         struct NL_AUTH_MESSAGE reply;
1447         bool ret;
1448         NTSTATUS status;
1449         struct netlogon_creds_CredentialState *creds;
1450         DATA_BLOB session_key;
1451         enum ndr_err_code ndr_err;
1452         DATA_BLOB blob;
1453
1454         blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1455                                prs_data_size(rpc_in_p));
1456
1457         ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1458                                (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1459         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1460                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1461                 return false;
1462         }
1463
1464         if (DEBUGLEVEL >= 10) {
1465                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1466         }
1467
1468         if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1469                 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1470                 return false;
1471         }
1472
1473         /*
1474          * The neg.oem_netbios_computer.a key here must match the remote computer name
1475          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1476          * operations that use credentials.
1477          */
1478
1479         become_root();
1480         status = schannel_get_creds_state(p,
1481                                             neg.oem_netbios_computer.a,
1482                                             &creds);
1483         unbecome_root();
1484
1485         if (!NT_STATUS_IS_OK(status)) {
1486                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1487                 return False;
1488         }
1489
1490         p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1491         if (!p->auth.a_u.schannel_auth) {
1492                 TALLOC_FREE(creds);
1493                 return False;
1494         }
1495
1496         p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1497         p->auth.a_u.schannel_auth->seq_num = 0;
1498         p->auth.a_u.schannel_auth->initiator = false;
1499         p->auth.a_u.schannel_auth->creds = creds;
1500
1501         /*
1502          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1503          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1504          * struct of the person who opened the pipe. I need to test this further. JRA.
1505          *
1506          * VL. As we are mapping this to guest set the generic key
1507          * "SystemLibraryDTC" key here. It's a bit difficult to test against
1508          * W2k3, as it does not allow schannel binds against SAMR and LSA
1509          * anymore.
1510          */
1511
1512         session_key = generic_session_key();
1513         if (session_key.data == NULL) {
1514                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1515                           " key\n"));
1516                 return false;
1517         }
1518
1519         ret = server_info_set_session_key(p->server_info, session_key);
1520
1521         data_blob_free(&session_key);
1522
1523         if (!ret) {
1524                 DEBUG(0, ("server_info_set_session_key failed\n"));
1525                 return false;
1526         }
1527
1528         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL,
1529                         pauth_info->auth_level, ss_padding_len, 1);
1530         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1531                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1532                 return False;
1533         }
1534
1535         /*** SCHANNEL verifier ***/
1536
1537         reply.MessageType                       = NL_NEGOTIATE_RESPONSE;
1538         reply.Flags                             = 0;
1539         reply.Buffer.dummy                      = 5; /* ??? actually I don't think
1540                                                       * this has any meaning
1541                                                       * here - gd */
1542
1543         ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &reply,
1544                        (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1545         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1546                 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1547                 return false;
1548         }
1549
1550         if (DEBUGLEVEL >= 10) {
1551                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1552         }
1553
1554         if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1555                 return false;
1556         }
1557
1558         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1559                 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1560
1561         /* We're finished with this bind - no more packets. */
1562         p->auth.auth_data_free_func = NULL;
1563         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1564
1565         p->pipe_bound = True;
1566
1567         return True;
1568 }
1569
1570 /*******************************************************************
1571  Handle an NTLMSSP bind auth.
1572 *******************************************************************/
1573
1574 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1575                                         uint32_t ss_padding_len,
1576                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1577 {
1578         RPC_HDR_AUTH auth_info;
1579         DATA_BLOB blob;
1580         DATA_BLOB response;
1581         NTSTATUS status;
1582         AUTH_NTLMSSP_STATE *a = NULL;
1583
1584         ZERO_STRUCT(blob);
1585         ZERO_STRUCT(response);
1586
1587         /* Grab the NTLMSSP blob. */
1588         blob = data_blob(NULL,p->hdr.auth_len);
1589
1590         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1591                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1592                         (unsigned int)p->hdr.auth_len ));
1593                 goto err;
1594         }
1595
1596         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1597                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1598                 goto err;
1599         }
1600
1601         /* We have an NTLMSSP blob. */
1602         status = auth_ntlmssp_start(&a);
1603         if (!NT_STATUS_IS_OK(status)) {
1604                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1605                         nt_errstr(status) ));
1606                 goto err;
1607         }
1608
1609         status = auth_ntlmssp_update(a, blob, &response);
1610         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1611                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1612                         nt_errstr(status) ));
1613                 goto err;
1614         }
1615
1616         data_blob_free(&blob);
1617
1618         /* Copy the blob into the pout_auth parse struct */
1619         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP,
1620                         pauth_info->auth_level, ss_padding_len, 1);
1621         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1622                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1623                 goto err;
1624         }
1625
1626         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1627                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1628                 goto err;
1629         }
1630
1631         p->auth.a_u.auth_ntlmssp_state = a;
1632         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1633         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1634
1635         data_blob_free(&blob);
1636         data_blob_free(&response);
1637
1638         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1639
1640         /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1641         return True;
1642
1643   err:
1644
1645         data_blob_free(&blob);
1646         data_blob_free(&response);
1647
1648         free_pipe_ntlmssp_auth_data(&p->auth);
1649         p->auth.a_u.auth_ntlmssp_state = NULL;
1650         return False;
1651 }
1652
1653 /*******************************************************************
1654  Respond to a pipe bind request.
1655 *******************************************************************/
1656
1657 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1658 {
1659         RPC_HDR_BA hdr_ba;
1660         RPC_HDR_RB hdr_rb;
1661         RPC_HDR_AUTH auth_info;
1662         uint16 assoc_gid;
1663         fstring ack_pipe_name;
1664         prs_struct out_hdr_ba;
1665         prs_struct out_auth;
1666         int i = 0;
1667         int auth_len = 0;
1668         unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1669         uint32_t ss_padding_len = 0;
1670
1671         /* No rebinds on a bound pipe - use alter context. */
1672         if (p->pipe_bound) {
1673                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1674                          "pipe %s.\n",
1675                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1676                 return setup_bind_nak(p);
1677         }
1678
1679         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1680
1681         /* 
1682          * Marshall directly into the outgoing PDU space. We
1683          * must do this as we need to set to the bind response
1684          * header and are never sending more than one PDU here.
1685          */
1686
1687         /*
1688          * Setup the memory to marshall the ba header, and the
1689          * auth footers.
1690          */
1691
1692         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1693                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1694                 prs_mem_free(&p->out_data.frag);
1695                 return False;
1696         }
1697
1698         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1699                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1700                 prs_mem_free(&p->out_data.frag);
1701                 prs_mem_free(&out_hdr_ba);
1702                 return False;
1703         }
1704
1705         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1706
1707         ZERO_STRUCT(hdr_rb);
1708
1709         /* decode the bind request */
1710
1711         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1712                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1713                          "struct.\n"));
1714                 goto err_exit;
1715         }
1716
1717         if (hdr_rb.num_contexts == 0) {
1718                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1719                 goto err_exit;
1720         }
1721
1722         /*
1723          * Try and find the correct pipe name to ensure
1724          * that this is a pipe name we support.
1725          */
1726
1727         for (i = 0; i < rpc_lookup_size; i++) {
1728                 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1729                                         &hdr_rb.rpc_context[0].abstract)) {
1730                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1731                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1732                         break;
1733                 }
1734         }
1735
1736         if (i == rpc_lookup_size) {
1737                 NTSTATUS status;
1738
1739                 status = smb_probe_module(
1740                         "rpc", get_pipe_name_from_syntax(
1741                                 talloc_tos(),
1742                                 &hdr_rb.rpc_context[0].abstract));
1743
1744                 if (NT_STATUS_IS_ERR(status)) {
1745                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1746                                 get_pipe_name_from_syntax(
1747                                         talloc_tos(),
1748                                         &hdr_rb.rpc_context[0].abstract)));
1749                         prs_mem_free(&p->out_data.frag);
1750                         prs_mem_free(&out_hdr_ba);
1751                         prs_mem_free(&out_auth);
1752
1753                         return setup_bind_nak(p);
1754                 }
1755
1756                 for (i = 0; i < rpc_lookup_size; i++) {
1757                        if (strequal(rpc_lookup[i].pipe.clnt,
1758                                     get_pipe_name_from_syntax(talloc_tos(),
1759                                                               &p->syntax))) {
1760                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1761                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1762                                break;
1763                        }
1764                 }
1765
1766                 if (i == rpc_lookup_size) {
1767                         DEBUG(0, ("module %s doesn't provide functions for "
1768                                   "pipe %s!\n",
1769                                   get_pipe_name_from_syntax(talloc_tos(),
1770                                                             &p->syntax),
1771                                   get_pipe_name_from_syntax(talloc_tos(),
1772                                                             &p->syntax)));
1773                         goto err_exit;
1774                 }
1775         }
1776
1777         /* name has to be \PIPE\xxxxx */
1778         fstrcpy(ack_pipe_name, "\\PIPE\\");
1779         fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1780
1781         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1782
1783         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1784
1785         /*
1786          * Create the bind response struct.
1787          */
1788
1789         /* If the requested abstract synt uuid doesn't match our client pipe,
1790                 reject the bind_ack & set the transfer interface synt to all 0's,
1791                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1792                 unknown to NT4)
1793                 Needed when adding entries to a DACL from NT5 - SK */
1794
1795         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1796                                 hdr_rb.rpc_context[0].context_id )) {
1797                 init_rpc_hdr_ba(&hdr_ba,
1798                         RPC_MAX_PDU_FRAG_LEN,
1799                         RPC_MAX_PDU_FRAG_LEN,
1800                         assoc_gid,
1801                         ack_pipe_name,
1802                         0x1, 0x0, 0x0,
1803                         &hdr_rb.rpc_context[0].transfer[0]);
1804         } else {
1805                 /* Rejection reason: abstract syntax not supported */
1806                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1807                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1808                                         ack_pipe_name, 0x1, 0x2, 0x1,
1809                                         &null_ndr_syntax_id);
1810                 p->pipe_bound = False;
1811         }
1812
1813         /*
1814          * and marshall it.
1815          */
1816
1817         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1818                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1819                 goto err_exit;
1820         }
1821
1822         /*
1823          * Check if this is an authenticated bind request.
1824          */
1825
1826         if (p->hdr.auth_len) {
1827                 /* 
1828                  * Decode the authentication verifier.
1829                  */
1830
1831                 /* Work out any padding needed before the auth footer. */
1832                 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
1833                         ss_padding_len = SERVER_NDR_PADDING_SIZE -
1834                                 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
1835                         DEBUG(10,("api_pipe_bind_req: auth pad_len = %u\n",
1836                                 (unsigned int)ss_padding_len ));
1837                 }
1838
1839                 /* Quick length check. Won't catch a bad auth footer,
1840                  * prevents overrun. */
1841
1842                 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
1843                         DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
1844                                 "too long for fragment %u.\n",
1845                                 (unsigned int)p->hdr.auth_len,
1846                                 (unsigned int)p->hdr.frag_len ));
1847                         goto err_exit;
1848                 }
1849
1850                 /* Pull the auth header and the following data into a blob. */
1851                 /* NB. The offset of the auth_header is relative to the *end*
1852                  * of the packet, not the start. Also, the length of the
1853                  * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
1854                  * as the RPC header isn't included in rpc_in_p. */
1855                 if(!prs_set_offset(rpc_in_p,
1856                                 p->hdr.frag_len - RPC_HEADER_LEN -
1857                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
1858                         DEBUG(0,("api_pipe_bind_req: cannot move "
1859                                 "offset to %u.\n",
1860                                 (unsigned int)(p->hdr.frag_len -
1861                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
1862                         goto err_exit;
1863                 }
1864
1865                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1866                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1867                         goto err_exit;
1868                 }
1869
1870                 auth_type = auth_info.auth_type;
1871
1872                 /* Work out if we have to sign or seal etc. */
1873                 switch (auth_info.auth_level) {
1874                         case DCERPC_AUTH_LEVEL_INTEGRITY:
1875                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1876                                 break;
1877                         case DCERPC_AUTH_LEVEL_PRIVACY:
1878                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1879                                 break;
1880                         default:
1881                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1882                                         (unsigned int)auth_info.auth_level ));
1883                                 goto err_exit;
1884                 }
1885         } else {
1886                 ZERO_STRUCT(auth_info);
1887         }
1888
1889         switch(auth_type) {
1890                 case DCERPC_AUTH_TYPE_NTLMSSP:
1891                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p,
1892                                         ss_padding_len, &auth_info, &out_auth)) {
1893                                 goto err_exit;
1894                         }
1895                         assoc_gid = 0x7a77;
1896                         break;
1897
1898                 case DCERPC_AUTH_TYPE_SCHANNEL:
1899                         if (!pipe_schannel_auth_bind(p, rpc_in_p,
1900                                         ss_padding_len, &auth_info, &out_auth)) {
1901                                 goto err_exit;
1902                         }
1903                         break;
1904
1905                 case DCERPC_AUTH_TYPE_SPNEGO:
1906                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p,
1907                                         ss_padding_len, &auth_info, &out_auth)) {
1908                                 goto err_exit;
1909                         }
1910                         break;
1911
1912                 case DCERPC_AUTH_TYPE_NONE:
1913                         /* Unauthenticated bind request. */
1914                         /* We're finished - no more packets. */
1915                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1916                         /* We must set the pipe auth_level here also. */
1917                         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1918                         p->pipe_bound = True;
1919                         /* The session key was initialized from the SMB
1920                          * session in make_internal_rpc_pipe_p */
1921                         ss_padding_len = 0;
1922                         break;
1923
1924                 default:
1925                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1926                         goto err_exit;
1927         }
1928         /*
1929          * Create the header, now we know the length.
1930          */
1931
1932         if (prs_offset(&out_auth)) {
1933                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1934         }
1935
1936         init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1937                         p->hdr.call_id,
1938                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) +
1939                                 ss_padding_len + prs_offset(&out_auth),
1940                         auth_len);
1941
1942         /*
1943          * Marshall the header into the outgoing PDU.
1944          */
1945
1946         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1947                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1948                 goto err_exit;
1949         }
1950
1951         /*
1952          * Now add the RPC_HDR_BA and any auth needed.
1953          */
1954
1955         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1956                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1957                 goto err_exit;
1958         }
1959
1960         if (auth_len) {
1961                 if (ss_padding_len) {
1962                         char pad[SERVER_NDR_PADDING_SIZE];
1963                         memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1964                         if (!prs_copy_data_in(&p->out_data.frag, pad,
1965                                         ss_padding_len)) {
1966                                 DEBUG(0,("api_pipe_bind_req: failed to add %u "
1967                                         "bytes of pad data.\n",
1968                                         (unsigned int)ss_padding_len));
1969                                 goto err_exit;
1970                         }
1971                 }
1972
1973                 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1974                         DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1975                         goto err_exit;
1976                 }
1977         }
1978
1979         /*
1980          * Setup the lengths for the initial reply.
1981          */
1982
1983         p->out_data.data_sent_length = 0;
1984         p->out_data.current_pdu_sent = 0;
1985
1986         prs_mem_free(&out_hdr_ba);
1987         prs_mem_free(&out_auth);
1988
1989         return True;
1990
1991   err_exit:
1992
1993         prs_mem_free(&p->out_data.frag);
1994         prs_mem_free(&out_hdr_ba);
1995         prs_mem_free(&out_auth);
1996         return setup_bind_nak(p);
1997 }
1998
1999 /****************************************************************************
2000  Deal with an alter context call. Can be third part of 3 leg auth request for
2001  SPNEGO calls.
2002 ****************************************************************************/
2003
2004 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
2005 {
2006         RPC_HDR_BA hdr_ba;
2007         RPC_HDR_RB hdr_rb;
2008         RPC_HDR_AUTH auth_info;
2009         uint16 assoc_gid;
2010         fstring ack_pipe_name;
2011         prs_struct out_hdr_ba;
2012         prs_struct out_auth;
2013         int auth_len = 0;
2014         uint32_t ss_padding_len = 0;
2015
2016         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
2017
2018         /* 
2019          * Marshall directly into the outgoing PDU space. We
2020          * must do this as we need to set to the bind response
2021          * header and are never sending more than one PDU here.
2022          */
2023
2024         /*
2025          * Setup the memory to marshall the ba header, and the
2026          * auth footers.
2027          */
2028
2029         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
2030                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
2031                 prs_mem_free(&p->out_data.frag);
2032                 return False;
2033         }
2034
2035         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
2036                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
2037                 prs_mem_free(&p->out_data.frag);
2038                 prs_mem_free(&out_hdr_ba);
2039                 return False;
2040         }
2041
2042         ZERO_STRUCT(hdr_rb);
2043
2044         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
2045
2046         /* decode the alter context request */
2047         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
2048                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
2049                 goto err_exit;
2050         }
2051
2052         /* secondary address CAN be NULL
2053          * as the specs say it's ignored.
2054          * It MUST be NULL to have the spoolss working.
2055          */
2056         fstrcpy(ack_pipe_name,"");
2057
2058         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
2059
2060         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
2061
2062         /*
2063          * Create the bind response struct.
2064          */
2065
2066         /* If the requested abstract synt uuid doesn't match our client pipe,
2067                 reject the bind_ack & set the transfer interface synt to all 0's,
2068                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
2069                 unknown to NT4)
2070                 Needed when adding entries to a DACL from NT5 - SK */
2071
2072         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
2073                                 hdr_rb.rpc_context[0].context_id )) {
2074                 init_rpc_hdr_ba(&hdr_ba,
2075                         RPC_MAX_PDU_FRAG_LEN,
2076                         RPC_MAX_PDU_FRAG_LEN,
2077                         assoc_gid,
2078                         ack_pipe_name,
2079                         0x1, 0x0, 0x0,
2080                         &hdr_rb.rpc_context[0].transfer[0]);
2081         } else {
2082                 /* Rejection reason: abstract syntax not supported */
2083                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
2084                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
2085                                         ack_pipe_name, 0x1, 0x2, 0x1,
2086                                         &null_ndr_syntax_id);
2087                 p->pipe_bound = False;
2088         }
2089
2090         /*
2091          * and marshall it.
2092          */
2093
2094         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
2095                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
2096                 goto err_exit;
2097         }
2098
2099
2100         /*
2101          * Check if this is an authenticated alter context request.
2102          */
2103
2104         if (p->hdr.auth_len != 0) {
2105                 /* 
2106                  * Decode the authentication verifier.
2107                  */
2108
2109                 /* Work out any padding needed before the auth footer. */
2110                 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
2111                         ss_padding_len = SERVER_NDR_PADDING_SIZE -
2112                                 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
2113                         DEBUG(10,("api_pipe_alter_context: auth pad_len = %u\n",
2114                                 (unsigned int)ss_padding_len ));
2115                 }
2116
2117                 /* Quick length check. Won't catch a bad auth footer,
2118                  * prevents overrun. */
2119
2120                 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
2121                         DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
2122                                 "too long for fragment %u.\n",
2123                                 (unsigned int)p->hdr.auth_len,
2124                                 (unsigned int)p->hdr.frag_len ));
2125                         goto err_exit;
2126                 }
2127
2128                 /* Pull the auth header and the following data into a blob. */
2129                 /* NB. The offset of the auth_header is relative to the *end*
2130                  * of the packet, not the start. Also, the length of the
2131                  * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2132                  * as the RPC header isn't included in rpc_in_p. */
2133                 if(!prs_set_offset(rpc_in_p,
2134                                 p->hdr.frag_len - RPC_HEADER_LEN -
2135                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
2136                         DEBUG(0,("api_alter_context: cannot move "
2137                                 "offset to %u.\n",
2138                                 (unsigned int)(p->hdr.frag_len -
2139                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
2140                         goto err_exit;
2141                 }
2142
2143                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
2144                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
2145                         goto err_exit;
2146                 }
2147
2148                 /*
2149                  * Currently only the SPNEGO auth type uses the alter ctx
2150                  * response in place of the NTLMSSP auth3 type.
2151                  */
2152
2153                 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
2154                         /* We can only finish if the pipe is unbound. */
2155                         if (!p->pipe_bound) {
2156                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p,
2157                                                 ss_padding_len, &auth_info, &out_auth)) {
2158                                         goto err_exit;
2159                                 }
2160                         } else {
2161                                 goto err_exit;
2162                         }
2163                 }
2164         } else {
2165                 ZERO_STRUCT(auth_info);
2166         }
2167         /*
2168          * Create the header, now we know the length.
2169          */
2170
2171         if (prs_offset(&out_auth)) {
2172                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
2173         }
2174
2175         init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
2176                         p->hdr.call_id,
2177                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
2178                         auth_len);
2179
2180         /*
2181          * Marshall the header into the outgoing PDU.
2182          */
2183
2184         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2185                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2186                 goto err_exit;
2187         }
2188
2189         /*
2190          * Now add the RPC_HDR_BA and any auth needed.
2191          */
2192
2193         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2194                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2195                 goto err_exit;
2196         }
2197
2198         if (auth_len) {
2199                 if (ss_padding_len) {
2200                         char pad[SERVER_NDR_PADDING_SIZE];
2201                         memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
2202                         if (!prs_copy_data_in(&p->out_data.frag, pad,
2203                                         ss_padding_len)) {
2204                                 DEBUG(0,("api_pipe_alter_context: failed to add %u "
2205                                         "bytes of pad data.\n",
2206                                         (unsigned int)ss_padding_len));
2207                                 goto err_exit;
2208                         }
2209                 }
2210
2211                 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
2212                         DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2213                         goto err_exit;
2214                 }
2215         }
2216
2217         /*
2218          * Setup the lengths for the initial reply.
2219          */
2220
2221         p->out_data.data_sent_length = 0;
2222         p->out_data.current_pdu_sent = 0;
2223
2224         prs_mem_free(&out_hdr_ba);
2225         prs_mem_free(&out_auth);
2226
2227         return True;
2228
2229   err_exit:
2230
2231         prs_mem_free(&p->out_data.frag);
2232         prs_mem_free(&out_hdr_ba);
2233         prs_mem_free(&out_auth);
2234         return setup_bind_nak(p);
2235 }
2236
2237 /****************************************************************************
2238  Deal with NTLMSSP sign & seal processing on an RPC request.
2239 ****************************************************************************/
2240
2241 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2242                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2243 {
2244         RPC_HDR_AUTH auth_info;
2245         uint32 auth_len = p->hdr.auth_len;
2246         uint32 save_offset = prs_offset(rpc_in);
2247         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2248         unsigned char *data = NULL;
2249         size_t data_len;
2250         unsigned char *full_packet_data = NULL;
2251         size_t full_packet_data_len;
2252         DATA_BLOB auth_blob;
2253
2254         *pstatus = NT_STATUS_OK;
2255
2256         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2257                 return True;
2258         }
2259
2260         if (!a) {
2261                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2262                 return False;
2263         }
2264
2265         /* Ensure there's enough data for an authenticated request. */
2266         if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN
2267                         + auth_len > p->hdr.frag_len) {
2268                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2269                         (unsigned int)auth_len ));
2270                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2271                 return False;
2272         }
2273
2274         /*
2275          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2276          * after the RPC header.
2277          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2278          * functions as NTLMv2 checks the rpc headers also.
2279          * Both of these values include any auth_pad_len bytes.
2280          */
2281
2282         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2283         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2284
2285         full_packet_data = p->in_data.current_in_pdu;
2286         full_packet_data_len = p->hdr.frag_len - auth_len;
2287
2288         /* Pull the auth header and the following data into a blob. */
2289         /* NB. The offset of the auth_header is relative to the *end*
2290          * of the packet, not the start. Also, the length of the
2291          * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2292          * as the RPC header isn't included in rpc_in_p. */
2293         if(!prs_set_offset(rpc_in,
2294                         p->hdr.frag_len - RPC_HEADER_LEN -
2295                         RPC_HDR_AUTH_LEN - auth_len)) {
2296                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move "
2297                         "offset to %u.\n",
2298                         (unsigned int)(p->hdr.frag_len -
2299                                 RPC_HDR_AUTH_LEN - auth_len) ));
2300                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2301                 return False;
2302         }
2303
2304         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2305                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to "
2306                         "unmarshall RPC_HDR_AUTH.\n"));
2307                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2308                 return False;
2309         }
2310
2311         /* Ensure auth_pad_len fits into the packet. */
2312         if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2313                         RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2314                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_info.auth_pad_len "
2315                         "too large (%u), auth_len (%u), frag_len = (%u).\n",
2316                         (unsigned int)auth_info.auth_pad_len,
2317                         (unsigned int)auth_len,
2318                         (unsigned int)p->hdr.frag_len ));
2319                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2320                 return False;
2321         }
2322
2323         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2324         auth_blob.length = auth_len;
2325
2326         switch (p->auth.auth_level) {
2327                 case DCERPC_AUTH_LEVEL_PRIVACY:
2328                         /* Data is encrypted. */
2329                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2330                                                         data, data_len,
2331                                                         full_packet_data,
2332                                                         full_packet_data_len,
2333                                                         &auth_blob);
2334                         if (!NT_STATUS_IS_OK(*pstatus)) {
2335                                 return False;
2336                         }
2337                         break;
2338                 case DCERPC_AUTH_LEVEL_INTEGRITY:
2339                         /* Data is signed. */
2340                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2341                                                         data, data_len,
2342                                                         full_packet_data,
2343                                                         full_packet_data_len,
2344                                                         &auth_blob);
2345                         if (!NT_STATUS_IS_OK(*pstatus)) {
2346                                 return False;
2347                         }
2348                         break;
2349                 default:
2350                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2351                         return False;
2352         }
2353
2354         /*
2355          * Return the current pointer to the data offset.
2356          */
2357
2358         if(!prs_set_offset(rpc_in, save_offset)) {
2359                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2360                         (unsigned int)save_offset ));
2361                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2362                 return False;
2363         }
2364
2365         /*
2366          * Remember the padding length. We must remove it from the real data
2367          * stream once the sign/seal is done.
2368          */
2369
2370         *p_ss_padding_len = auth_info.auth_pad_len;
2371
2372         return True;
2373 }
2374
2375 /****************************************************************************
2376  Deal with schannel processing on an RPC request.
2377 ****************************************************************************/
2378
2379 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2380 {
2381         uint32 data_len;
2382         uint32 auth_len;
2383         uint32 save_offset = prs_offset(rpc_in);
2384         RPC_HDR_AUTH auth_info;
2385         DATA_BLOB blob;
2386         NTSTATUS status;
2387         uint8_t *data;
2388
2389         auth_len = p->hdr.auth_len;
2390
2391         if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2392                         auth_len > RPC_HEADER_LEN +
2393                                         RPC_HDR_REQ_LEN +
2394                                         RPC_HDR_AUTH_LEN +
2395                                         auth_len) {
2396                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2397                 return False;
2398         }
2399
2400         /*
2401          * The following is that length of the data we must verify or unseal.
2402          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2403          * preceeding the auth_data, but does include the auth_pad_len bytes.
2404          */
2405
2406         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2407                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2408                         (unsigned int)p->hdr.frag_len,
2409                         (unsigned int)auth_len ));
2410                 return False;
2411         }
2412
2413         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2414                 RPC_HDR_AUTH_LEN - auth_len;
2415
2416         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2417
2418         /* Pull the auth header and the following data into a blob. */
2419         /* NB. The offset of the auth_header is relative to the *end*
2420          * of the packet, not the start. Also, the length of the
2421          * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2422          * as the RPC header isn't included in rpc_in_p. */
2423         if(!prs_set_offset(rpc_in,
2424                         p->hdr.frag_len - RPC_HEADER_LEN -
2425                         RPC_HDR_AUTH_LEN - auth_len)) {
2426                 DEBUG(0,("api_pipe_schannel_process: cannot move "
2427                         "offset to %u.\n",
2428                         (unsigned int)(p->hdr.frag_len -
2429                                 RPC_HDR_AUTH_LEN - auth_len) ));
2430                 return False;
2431         }
2432
2433         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2434                 DEBUG(0,("api_pipe_schannel_process: failed to "
2435                         "unmarshall RPC_HDR_AUTH.\n"));
2436                 return False;
2437         }
2438
2439         /* Ensure auth_pad_len fits into the packet. */
2440         if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2441                         RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2442                 DEBUG(0,("api_pipe_schannel_process: auth_info.auth_pad_len "
2443                         "too large (%u), auth_len (%u), frag_len = (%u).\n",
2444                         (unsigned int)auth_info.auth_pad_len,
2445                         (unsigned int)auth_len,
2446                         (unsigned int)p->hdr.frag_len ));
2447                 return False;
2448         }
2449
2450         if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2451                 DEBUG(0,("Invalid auth info %d on schannel\n",
2452                          auth_info.auth_type));
2453                 return False;
2454         }
2455
2456         blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2457
2458         if (DEBUGLEVEL >= 10) {
2459                 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2460         }
2461
2462         data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2463
2464         switch (auth_info.auth_level) {
2465         case DCERPC_AUTH_LEVEL_PRIVACY:
2466                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2467                                                 talloc_tos(),
2468                                                 true,
2469                                                 data,
2470                                                 data_len,
2471                                                 &blob);
2472                 break;
2473         case DCERPC_AUTH_LEVEL_INTEGRITY:
2474                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2475                                                 talloc_tos(),
2476                                                 false,
2477                                                 data,
2478                                                 data_len,
2479                                                 &blob);
2480                 break;
2481         default:
2482                 status = NT_STATUS_INTERNAL_ERROR;
2483                 break;
2484         }
2485
2486         if (!NT_STATUS_IS_OK(status)) {
2487                 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2488                 return false;
2489         }
2490
2491         /*
2492          * Return the current pointer to the data offset.
2493          */
2494
2495         if(!prs_set_offset(rpc_in, save_offset)) {
2496                 DEBUG(0,("failed to set offset back to %u\n",
2497                          (unsigned int)save_offset ));
2498                 return False;
2499         }
2500
2501         /*
2502          * Remember the padding length. We must remove it from the real data
2503          * stream once the sign/seal is done.
2504          */
2505
2506         *p_ss_padding_len = auth_info.auth_pad_len;
2507
2508         return True;
2509 }
2510
2511 /****************************************************************************
2512  Find the set of RPC functions associated with this context_id
2513 ****************************************************************************/
2514
2515 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2516 {
2517         PIPE_RPC_FNS *fns = NULL;
2518
2519         if ( !list ) {
2520                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2521                 return NULL;
2522         }
2523
2524         for (fns=list; fns; fns=fns->next ) {
2525                 if ( fns->context_id == context_id )
2526                         return fns;
2527         }
2528         return NULL;
2529 }
2530
2531 /****************************************************************************
2532  Memory cleanup.
2533 ****************************************************************************/
2534
2535 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2536 {
2537         PIPE_RPC_FNS *tmp = list;
2538         PIPE_RPC_FNS *tmp2;
2539
2540         while (tmp) {
2541                 tmp2 = tmp->next;
2542                 SAFE_FREE(tmp);
2543                 tmp = tmp2;
2544         }
2545
2546         return; 
2547 }
2548
2549 static bool api_rpcTNP(pipes_struct *p,
2550                        const struct api_struct *api_rpc_cmds, int n_cmds);
2551
2552 /****************************************************************************
2553  Find the correct RPC function to call for this request.
2554  If the pipe is authenticated then become the correct UNIX user
2555  before doing the call.
2556 ****************************************************************************/
2557
2558 bool api_pipe_request(pipes_struct *p)
2559 {
2560         bool ret = False;
2561         bool changed_user = False;
2562         PIPE_RPC_FNS *pipe_fns;
2563
2564         if (p->pipe_bound &&
2565                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2566                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2567                 if(!become_authenticated_pipe_user(p)) {
2568                         prs_mem_free(&p->out_data.rdata);
2569                         return False;
2570                 }
2571                 changed_user = True;
2572         }
2573
2574         DEBUG(5, ("Requested \\PIPE\\%s\n",
2575                   get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2576
2577         /* get the set of RPC functions for this context */
2578
2579         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2580
2581         if ( pipe_fns ) {
2582                 TALLOC_CTX *frame = talloc_stackframe();
2583                 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2584                 TALLOC_FREE(frame);
2585         }
2586         else {
2587                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2588                         p->hdr_req.context_id,
2589                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2590         }
2591
2592         if (changed_user) {
2593                 unbecome_authenticated_pipe_user();
2594         }
2595
2596         return ret;
2597 }
2598
2599 /*******************************************************************
2600  Calls the underlying RPC function for a named pipe.
2601  ********************************************************************/
2602
2603 static bool api_rpcTNP(pipes_struct *p,
2604                        const struct api_struct *api_rpc_cmds, int n_cmds)
2605 {
2606         int fn_num;
2607         uint32 offset1, offset2;
2608
2609         /* interpret the command */
2610         DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2611                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2612                  p->hdr_req.opnum));
2613
2614         if (DEBUGLEVEL >= 50) {
2615                 fstring name;
2616                 slprintf(name, sizeof(name)-1, "in_%s",
2617                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2618                 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2619         }
2620
2621         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2622                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2623                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2624                         break;
2625                 }
2626         }
2627
2628         if (fn_num == n_cmds) {
2629                 /*
2630                  * For an unknown RPC just return a fault PDU but
2631                  * return True to allow RPC's on the pipe to continue
2632                  * and not put the pipe into fault state. JRA.
2633                  */
2634                 DEBUG(4, ("unknown\n"));
2635                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2636                 return True;
2637         }
2638
2639         offset1 = prs_offset(&p->out_data.rdata);
2640
2641         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2642                 fn_num, api_rpc_cmds[fn_num].fn));
2643         /* do the actual command */
2644         if(!api_rpc_cmds[fn_num].fn(p)) {
2645                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2646                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2647                          api_rpc_cmds[fn_num].name));
2648                 prs_mem_free(&p->out_data.rdata);
2649                 return False;
2650         }
2651
2652         if (p->bad_handle_fault_state) {
2653                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2654                 p->bad_handle_fault_state = False;
2655                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2656                 return True;
2657         }
2658
2659         if (p->rng_fault_state) {
2660                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2661                 p->rng_fault_state = False;
2662                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2663                 return True;
2664         }
2665
2666         offset2 = prs_offset(&p->out_data.rdata);
2667         prs_set_offset(&p->out_data.rdata, offset1);
2668         if (DEBUGLEVEL >= 50) {
2669                 fstring name;
2670                 slprintf(name, sizeof(name)-1, "out_%s",
2671                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2672                 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2673         }
2674         prs_set_offset(&p->out_data.rdata, offset2);
2675
2676         DEBUG(5,("api_rpcTNP: called %s successfully\n",
2677                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2678
2679         /* Check for buffer underflow in rpc parsing */
2680
2681         if ((DEBUGLEVEL >= 10) && 
2682             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2683                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2684                 char *data = (char *)SMB_MALLOC(data_len);
2685
2686                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2687                 if (data) {
2688                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2689                         SAFE_FREE(data);
2690                 }
2691
2692         }
2693
2694         return True;
2695 }