6b08f1f9b377a91ca6ec3527292237300ac64ef8
[ira/wip.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005.
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31 #include "../librpc/gen_ndr/ndr_schannel.h"
32 #include "../libcli/auth/schannel.h"
33 #include "../libcli/auth/spnego.h"
34 #include "ntlmssp.h"
35
36 extern struct current_user current_user;
37
38 #undef DBGC_CLASS
39 #define DBGC_CLASS DBGC_RPC_SRV
40
41 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
42 {
43         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
44
45         if (a) {
46                 auth_ntlmssp_end(&a);
47         }
48         auth->a_u.auth_ntlmssp_state = NULL;
49 }
50
51 static DATA_BLOB generic_session_key(void)
52 {
53         return data_blob("SystemLibraryDTC", 16);
54 }
55
56 /*******************************************************************
57  Generate the next PDU to be returned from the data in p->rdata. 
58  Handle NTLMSSP.
59  ********************************************************************/
60
61 static bool create_next_pdu_ntlmssp(pipes_struct *p)
62 {
63         RPC_HDR_RESP hdr_resp;
64         uint32 ss_padding_len = 0;
65         uint32 data_space_available;
66         uint32 data_len_left;
67         uint32 data_len;
68         NTSTATUS status;
69         DATA_BLOB auth_blob;
70         RPC_HDR_AUTH auth_info;
71         uint8 auth_type, auth_level;
72         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
73
74         /*
75          * If we're in the fault state, keep returning fault PDU's until
76          * the pipe gets closed. JRA.
77          */
78
79         if(p->fault_state) {
80                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
81                 return True;
82         }
83
84         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
85
86         /* Change the incoming request header to a response. */
87         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
88
89         /* Set up rpc header flags. */
90         if (p->out_data.data_sent_length == 0) {
91                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
92         } else {
93                 p->hdr.flags = 0;
94         }
95
96         /*
97          * Work out how much we can fit in a single PDU.
98          */
99
100         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
101
102         /*
103          * Ensure there really is data left to send.
104          */
105
106         if(!data_len_left) {
107                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
108                 return False;
109         }
110
111         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
112                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
113
114         /*
115          * The amount we send is the minimum of the available
116          * space and the amount left to send.
117          */
118
119         data_len = MIN(data_len_left, data_space_available);
120
121         /*
122          * Set up the alloc hint. This should be the data left to
123          * send.
124          */
125
126         hdr_resp.alloc_hint = data_len_left;
127
128         /*
129          * Work out if this PDU will be the last.
130          */
131
132         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
133                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
134         }
135
136         if (data_len_left % SERVER_NDR_PADDING_SIZE) {
137                 ss_padding_len = SERVER_NDR_PADDING_SIZE - (data_len_left % SERVER_NDR_PADDING_SIZE);
138                 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
139                         ss_padding_len ));
140         }
141
142         /*
143          * Set up the header lengths.
144          */
145
146         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
147                         data_len + ss_padding_len +
148                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
149         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
150
151
152         /*
153          * Init the parse struct to point at the outgoing
154          * data.
155          */
156
157         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
158
159         /* Store the header in the data stream. */
160         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
161                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
162                 prs_mem_free(&p->out_data.frag);
163                 return False;
164         }
165
166         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
167                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
168                 prs_mem_free(&p->out_data.frag);
169                 return False;
170         }
171
172         /* Copy the data into the PDU. */
173
174         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
175                                      p->out_data.data_sent_length, data_len)) {
176                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
177                 prs_mem_free(&p->out_data.frag);
178                 return False;
179         }
180
181         /* Copy the sign/seal padding data. */
182         if (ss_padding_len) {
183                 char pad[SERVER_NDR_PADDING_SIZE];
184
185                 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
186                 if (!prs_copy_data_in(&p->out_data.frag, pad,
187                                       ss_padding_len)) {
188                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
189                                         (unsigned int)ss_padding_len));
190                         prs_mem_free(&p->out_data.frag);
191                         return False;
192                 }
193         }
194
195
196         /* Now write out the auth header and null blob. */
197         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
198                 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
199         } else {
200                 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
201         }
202         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
203                 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
204         } else {
205                 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
206         }
207
208         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
209
210         if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
211                                 &p->out_data.frag, 0)) {
212                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
213                 prs_mem_free(&p->out_data.frag);
214                 return False;
215         }
216
217         /* Generate the sign blob. */
218
219         switch (p->auth.auth_level) {
220                 case DCERPC_AUTH_LEVEL_PRIVACY:
221                         /* Data portion is encrypted. */
222                         status = ntlmssp_seal_packet(
223                                 a->ntlmssp_state,
224                                 (uint8_t *)prs_data_p(&p->out_data.frag)
225                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
226                                 data_len + ss_padding_len,
227                                 (unsigned char *)prs_data_p(&p->out_data.frag),
228                                 (size_t)prs_offset(&p->out_data.frag),
229                                 &auth_blob);
230                         if (!NT_STATUS_IS_OK(status)) {
231                                 data_blob_free(&auth_blob);
232                                 prs_mem_free(&p->out_data.frag);
233                                 return False;
234                         }
235                         break;
236                 case DCERPC_AUTH_LEVEL_INTEGRITY:
237                         /* Data is signed. */
238                         status = ntlmssp_sign_packet(
239                                 a->ntlmssp_state,
240                                 (unsigned char *)prs_data_p(&p->out_data.frag)
241                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
242                                 data_len + ss_padding_len,
243                                 (unsigned char *)prs_data_p(&p->out_data.frag),
244                                 (size_t)prs_offset(&p->out_data.frag),
245                                 &auth_blob);
246                         if (!NT_STATUS_IS_OK(status)) {
247                                 data_blob_free(&auth_blob);
248                                 prs_mem_free(&p->out_data.frag);
249                                 return False;
250                         }
251                         break;
252                 default:
253                         prs_mem_free(&p->out_data.frag);
254                         return False;
255         }
256
257         /* Append the auth blob. */
258         if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
259                               NTLMSSP_SIG_SIZE)) {
260                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
261                                 (unsigned int)NTLMSSP_SIG_SIZE));
262                 data_blob_free(&auth_blob);
263                 prs_mem_free(&p->out_data.frag);
264                 return False;
265         }
266
267         data_blob_free(&auth_blob);
268
269         /*
270          * Setup the counts for this PDU.
271          */
272
273         p->out_data.data_sent_length += data_len;
274         p->out_data.current_pdu_sent = 0;
275
276         return True;
277 }
278
279 /*******************************************************************
280  Generate the next PDU to be returned from the data in p->rdata. 
281  Return an schannel authenticated fragment.
282  ********************************************************************/
283
284 static bool create_next_pdu_schannel(pipes_struct *p)
285 {
286         RPC_HDR_RESP hdr_resp;
287         uint32 ss_padding_len = 0;
288         uint32 data_len;
289         uint32 data_space_available;
290         uint32 data_len_left;
291         uint32 data_pos;
292         NTSTATUS status;
293
294         /*
295          * If we're in the fault state, keep returning fault PDU's until
296          * the pipe gets closed. JRA.
297          */
298
299         if(p->fault_state) {
300                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
301                 return True;
302         }
303
304         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
305
306         /* Change the incoming request header to a response. */
307         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
308
309         /* Set up rpc header flags. */
310         if (p->out_data.data_sent_length == 0) {
311                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
312         } else {
313                 p->hdr.flags = 0;
314         }
315
316         /*
317          * Work out how much we can fit in a single PDU.
318          */
319
320         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
321
322         /*
323          * Ensure there really is data left to send.
324          */
325
326         if(!data_len_left) {
327                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
328                 return False;
329         }
330
331         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
332                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
333                 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
334
335         /*
336          * The amount we send is the minimum of the available
337          * space and the amount left to send.
338          */
339
340         data_len = MIN(data_len_left, data_space_available);
341
342         /*
343          * Set up the alloc hint. This should be the data left to
344          * send.
345          */
346
347         hdr_resp.alloc_hint = data_len_left;
348
349         /*
350          * Work out if this PDU will be the last.
351          */
352
353         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
354                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
355         }
356         if (data_len_left % SERVER_NDR_PADDING_SIZE) {
357                 ss_padding_len = SERVER_NDR_PADDING_SIZE - (data_len_left % SERVER_NDR_PADDING_SIZE);
358                 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
359                         ss_padding_len ));
360         }
361
362         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
363                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
364         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
365
366         /*
367          * Init the parse struct to point at the outgoing
368          * data.
369          */
370
371         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
372
373         /* Store the header in the data stream. */
374         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
375                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
376                 prs_mem_free(&p->out_data.frag);
377                 return False;
378         }
379
380         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
381                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
382                 prs_mem_free(&p->out_data.frag);
383                 return False;
384         }
385
386         /* Store the current offset. */
387         data_pos = prs_offset(&p->out_data.frag);
388
389         /* Copy the data into the PDU. */
390
391         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
392                                      p->out_data.data_sent_length, data_len)) {
393                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
394                 prs_mem_free(&p->out_data.frag);
395                 return False;
396         }
397
398         /* Copy the sign/seal padding data. */
399         if (ss_padding_len) {
400                 char pad[SERVER_NDR_PADDING_SIZE];
401                 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
402                 if (!prs_copy_data_in(&p->out_data.frag, pad,
403                                       ss_padding_len)) {
404                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
405                         prs_mem_free(&p->out_data.frag);
406                         return False;
407                 }
408         }
409
410         {
411                 /*
412                  * Schannel processing.
413                  */
414                 RPC_HDR_AUTH auth_info;
415                 DATA_BLOB blob;
416                 uint8_t *data;
417
418                 /* Check it's the type of reply we were expecting to decode */
419
420                 init_rpc_hdr_auth(&auth_info,
421                                 DCERPC_AUTH_TYPE_SCHANNEL,
422                                 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
423                                         DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
424                                 ss_padding_len, 1);
425
426                 if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
427                                         &p->out_data.frag, 0)) {
428                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
429                         prs_mem_free(&p->out_data.frag);
430                         return False;
431                 }
432
433                 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
434
435                 switch (p->auth.auth_level) {
436                 case DCERPC_AUTH_LEVEL_PRIVACY:
437                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
438                                                         talloc_tos(),
439                                                         true,
440                                                         data,
441                                                         data_len + ss_padding_len,
442                                                         &blob);
443                         break;
444                 case DCERPC_AUTH_LEVEL_INTEGRITY:
445                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
446                                                         talloc_tos(),
447                                                         false,
448                                                         data,
449                                                         data_len + ss_padding_len,
450                                                         &blob);
451                         break;
452                 default:
453                         status = NT_STATUS_INTERNAL_ERROR;
454                         break;
455                 }
456
457                 if (!NT_STATUS_IS_OK(status)) {
458                         DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
459                                 nt_errstr(status)));
460                         prs_mem_free(&p->out_data.frag);
461                         return false;
462                 }
463
464                 /* Finally marshall the blob. */
465
466                 if (DEBUGLEVEL >= 10) {
467                         dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
468                 }
469
470                 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
471                         prs_mem_free(&p->out_data.frag);
472                         return false;
473                 }
474         }
475
476         /*
477          * Setup the counts for this PDU.
478          */
479
480         p->out_data.data_sent_length += data_len;
481         p->out_data.current_pdu_sent = 0;
482
483         return True;
484 }
485
486 /*******************************************************************
487  Generate the next PDU to be returned from the data in p->rdata. 
488  No authentication done.
489 ********************************************************************/
490
491 static bool create_next_pdu_noauth(pipes_struct *p)
492 {
493         RPC_HDR_RESP hdr_resp;
494         uint32 data_len;
495         uint32 data_space_available;
496         uint32 data_len_left;
497
498         /*
499          * If we're in the fault state, keep returning fault PDU's until
500          * the pipe gets closed. JRA.
501          */
502
503         if(p->fault_state) {
504                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
505                 return True;
506         }
507
508         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
509
510         /* Change the incoming request header to a response. */
511         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
512
513         /* Set up rpc header flags. */
514         if (p->out_data.data_sent_length == 0) {
515                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
516         } else {
517                 p->hdr.flags = 0;
518         }
519
520         /*
521          * Work out how much we can fit in a single PDU.
522          */
523
524         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
525
526         /*
527          * Ensure there really is data left to send.
528          */
529
530         if(!data_len_left) {
531                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
532                 return False;
533         }
534
535         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
536                 - RPC_HDR_RESP_LEN;
537
538         /*
539          * The amount we send is the minimum of the available
540          * space and the amount left to send.
541          */
542
543         data_len = MIN(data_len_left, data_space_available);
544
545         /*
546          * Set up the alloc hint. This should be the data left to
547          * send.
548          */
549
550         hdr_resp.alloc_hint = data_len_left;
551
552         /*
553          * Work out if this PDU will be the last.
554          */
555
556         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
557                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
558         }
559
560         /*
561          * Set up the header lengths.
562          */
563
564         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
565         p->hdr.auth_len = 0;
566
567         /*
568          * Init the parse struct to point at the outgoing
569          * data.
570          */
571
572         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
573
574         /* Store the header in the data stream. */
575         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
576                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
577                 prs_mem_free(&p->out_data.frag);
578                 return False;
579         }
580
581         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
582                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
583                 prs_mem_free(&p->out_data.frag);
584                 return False;
585         }
586
587         /* Copy the data into the PDU. */
588
589         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
590                                      p->out_data.data_sent_length, data_len)) {
591                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
592                 prs_mem_free(&p->out_data.frag);
593                 return False;
594         }
595
596         /*
597          * Setup the counts for this PDU.
598          */
599
600         p->out_data.data_sent_length += data_len;
601         p->out_data.current_pdu_sent = 0;
602
603         return True;
604 }
605
606 /*******************************************************************
607  Generate the next PDU to be returned from the data in p->rdata. 
608 ********************************************************************/
609
610 bool create_next_pdu(pipes_struct *p)
611 {
612         switch(p->auth.auth_level) {
613                 case DCERPC_AUTH_LEVEL_NONE:
614                 case DCERPC_AUTH_LEVEL_CONNECT:
615                         /* This is incorrect for auth level connect. Fixme. JRA */
616                         return create_next_pdu_noauth(p);
617
618                 default:
619                         switch(p->auth.auth_type) {
620                                 case PIPE_AUTH_TYPE_NTLMSSP:
621                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
622                                         return create_next_pdu_ntlmssp(p);
623                                 case PIPE_AUTH_TYPE_SCHANNEL:
624                                         return create_next_pdu_schannel(p);
625                                 default:
626                                         break;
627                         }
628         }
629
630         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
631                         (unsigned int)p->auth.auth_level,
632                         (unsigned int)p->auth.auth_type));
633         return False;
634 }
635
636 /*******************************************************************
637  Process an NTLMSSP authentication response.
638  If this function succeeds, the user has been authenticated
639  and their domain, name and calling workstation stored in
640  the pipe struct.
641 *******************************************************************/
642
643 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
644 {
645         DATA_BLOB session_key, reply;
646         NTSTATUS status;
647         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
648         bool ret;
649
650         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
651                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
652
653         ZERO_STRUCT(reply);
654
655         /* this has to be done as root in order to verify the password */
656         become_root();
657         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
658         unbecome_root();
659
660         /* Don't generate a reply. */
661         data_blob_free(&reply);
662
663         if (!NT_STATUS_IS_OK(status)) {
664                 return False;
665         }
666
667         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
668            ensure the underlying NTLMSSP flags are also set. If not we should
669            refuse the bind. */
670
671         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
672                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
673                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
674                                 "but client declined signing.\n",
675                                  get_pipe_name_from_syntax(talloc_tos(),
676                                                            &p->syntax)));
677                         return False;
678                 }
679         }
680         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
681                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
682                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
683                                 "but client declined sealing.\n",
684                                  get_pipe_name_from_syntax(talloc_tos(),
685                                                            &p->syntax)));
686                         return False;
687                 }
688         }
689
690         DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
691                   "workstation: %s\n", a->ntlmssp_state->user,
692                   a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
693
694         if (a->server_info->ptok == NULL) {
695                 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
696                 return False;
697         }
698
699         TALLOC_FREE(p->server_info);
700
701         p->server_info = copy_serverinfo(p, a->server_info);
702         if (p->server_info == NULL) {
703                 DEBUG(0, ("copy_serverinfo failed\n"));
704                 return false;
705         }
706
707         /*
708          * We're an authenticated bind over smb, so the session key needs to
709          * be set to "SystemLibraryDTC". Weird, but this is what Windows
710          * does. See the RPC-SAMBA3SESSIONKEY.
711          */
712
713         session_key = generic_session_key();
714         if (session_key.data == NULL) {
715                 return False;
716         }
717
718         ret = server_info_set_session_key(p->server_info, session_key);
719
720         data_blob_free(&session_key);
721
722         return True;
723 }
724
725 /*******************************************************************
726  The switch table for the pipe names and the functions to handle them.
727 *******************************************************************/
728
729 struct rpc_table {
730         struct {
731                 const char *clnt;
732                 const char *srv;
733         } pipe;
734         struct ndr_syntax_id rpc_interface;
735         const struct api_struct *cmds;
736         int n_cmds;
737 };
738
739 static struct rpc_table *rpc_lookup;
740 static int rpc_lookup_size;
741
742 /*******************************************************************
743  This is the "stage3" NTLMSSP response after a bind request and reply.
744 *******************************************************************/
745
746 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
747 {
748         RPC_HDR_AUTH auth_info;
749         uint32 pad = 0;
750         DATA_BLOB blob;
751         uint32_t auth_len = p->hdr.auth_len;
752
753         ZERO_STRUCT(blob);
754
755         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
756
757         if (auth_len == 0) {
758                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
759                 goto err;
760         }
761
762         /* 4 bytes padding. */
763         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
764                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
765                 goto err;
766         }
767
768         /* Ensure there's enough data for an authenticated request. */
769         if (RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + auth_len >
770                                 p->hdr.frag_len) {
771                         DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
772                                 "%u is too large.\n",
773                         (unsigned int)auth_len ));
774                 goto err;
775         }
776
777         /*
778          * Decode the authentication verifier response.
779          */
780
781         /* Pull the auth header and the following data into a blob. */
782         /* NB. The offset of the auth_header is relative to the *end*
783          * of the packet, not the start. Also, the length of the
784          * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
785          * as the RPC header isn't included in rpc_in_p. */
786         if(!prs_set_offset(rpc_in_p,
787                         p->hdr.frag_len - RPC_HEADER_LEN -
788                         RPC_HDR_AUTH_LEN - auth_len)) {
789                 DEBUG(0,("api_pipe_bind_auth3: cannot move "
790                         "offset to %u.\n",
791                         (unsigned int)(p->hdr.frag_len -
792                                 RPC_HDR_AUTH_LEN - auth_len) ));
793                 goto err;
794         }
795
796         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in_p, 0)) {
797                 DEBUG(0,("api_pipe_bind_auth3: failed to "
798                         "unmarshall RPC_HDR_AUTH.\n"));
799                 goto err;
800         }
801
802         /* We must NEVER look at auth_info->auth_pad_len here,
803          * as old Samba client code gets it wrong and sends it
804          * as zero. JRA.
805          */
806
807         if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
808                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
809                         (unsigned int)auth_info.auth_type ));
810                 return False;
811         }
812
813         blob = data_blob(NULL,p->hdr.auth_len);
814
815         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
816                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
817                         (unsigned int)p->hdr.auth_len ));
818                 goto err;
819         }
820
821         /*
822          * The following call actually checks the challenge/response data.
823          * for correctness against the given DOMAIN\user name.
824          */
825
826         if (!pipe_ntlmssp_verify_final(p, &blob)) {
827                 goto err;
828         }
829
830         data_blob_free(&blob);
831
832         p->pipe_bound = True;
833
834         return True;
835
836  err:
837
838         data_blob_free(&blob);
839         free_pipe_ntlmssp_auth_data(&p->auth);
840         p->auth.a_u.auth_ntlmssp_state = NULL;
841
842         return False;
843 }
844
845 /*******************************************************************
846  Marshall a bind_nak pdu.
847 *******************************************************************/
848
849 static bool setup_bind_nak(pipes_struct *p)
850 {
851         RPC_HDR nak_hdr;
852         uint16 zero = 0;
853
854         /* Free any memory in the current return data buffer. */
855         prs_mem_free(&p->out_data.rdata);
856
857         /*
858          * Marshall directly into the outgoing PDU space. We
859          * must do this as we need to set to the bind response
860          * header and are never sending more than one PDU here.
861          */
862
863         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
864
865         /*
866          * Initialize a bind_nak header.
867          */
868
869         init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
870                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
871
872         /*
873          * Marshall the header into the outgoing PDU.
874          */
875
876         if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
877                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
878                 prs_mem_free(&p->out_data.frag);
879                 return False;
880         }
881
882         /*
883          * Now add the reject reason.
884          */
885
886         if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
887                 prs_mem_free(&p->out_data.frag);
888                 return False;
889         }
890
891         p->out_data.data_sent_length = 0;
892         p->out_data.current_pdu_sent = 0;
893
894         if (p->auth.auth_data_free_func) {
895                 (*p->auth.auth_data_free_func)(&p->auth);
896         }
897         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
898         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
899         p->pipe_bound = False;
900
901         return True;
902 }
903
904 /*******************************************************************
905  Marshall a fault pdu.
906 *******************************************************************/
907
908 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
909 {
910         RPC_HDR fault_hdr;
911         RPC_HDR_RESP hdr_resp;
912         RPC_HDR_FAULT fault_resp;
913
914         /* Free any memory in the current return data buffer. */
915         prs_mem_free(&p->out_data.rdata);
916
917         /*
918          * Marshall directly into the outgoing PDU space. We
919          * must do this as we need to set to the bind response
920          * header and are never sending more than one PDU here.
921          */
922
923         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
924
925         /*
926          * Initialize a fault header.
927          */
928
929         init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
930             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
931
932         /*
933          * Initialize the HDR_RESP and FAULT parts of the PDU.
934          */
935
936         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
937
938         fault_resp.status = status;
939         fault_resp.reserved = 0;
940
941         /*
942          * Marshall the header into the outgoing PDU.
943          */
944
945         if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
946                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
947                 prs_mem_free(&p->out_data.frag);
948                 return False;
949         }
950
951         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
952                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
953                 prs_mem_free(&p->out_data.frag);
954                 return False;
955         }
956
957         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
958                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
959                 prs_mem_free(&p->out_data.frag);
960                 return False;
961         }
962
963         p->out_data.data_sent_length = 0;
964         p->out_data.current_pdu_sent = 0;
965
966         return True;
967 }
968
969 #if 0
970 /*******************************************************************
971  Marshall a cancel_ack pdu.
972  We should probably check the auth-verifier here.
973 *******************************************************************/
974
975 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
976 {
977         prs_struct outgoing_pdu;
978         RPC_HDR ack_reply_hdr;
979
980         /* Free any memory in the current return data buffer. */
981         prs_mem_free(&p->out_data.rdata);
982
983         /*
984          * Marshall directly into the outgoing PDU space. We
985          * must do this as we need to set to the bind response
986          * header and are never sending more than one PDU here.
987          */
988
989         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
990         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
991
992         /*
993          * Initialize a cancel_ack header.
994          */
995
996         init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
997                         p->hdr.call_id, RPC_HEADER_LEN, 0);
998
999         /*
1000          * Marshall the header into the outgoing PDU.
1001          */
1002
1003         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
1004                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
1005                 prs_mem_free(&outgoing_pdu);
1006                 return False;
1007         }
1008
1009         p->out_data.data_sent_length = 0;
1010         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
1011         p->out_data.current_pdu_sent = 0;
1012
1013         prs_mem_free(&outgoing_pdu);
1014         return True;
1015 }
1016 #endif
1017
1018 /*******************************************************************
1019  Ensure a bind request has the correct abstract & transfer interface.
1020  Used to reject unknown binds from Win2k.
1021 *******************************************************************/
1022
1023 static bool check_bind_req(struct pipes_struct *p,
1024                            struct ndr_syntax_id* abstract,
1025                            struct ndr_syntax_id* transfer,
1026                            uint32 context_id)
1027 {
1028         int i=0;
1029         struct pipe_rpc_fns *context_fns;
1030
1031         DEBUG(3,("check_bind_req for %s\n",
1032                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1033
1034         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
1035
1036         for (i=0; i<rpc_lookup_size; i++) {
1037                 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
1038                 if (ndr_syntax_id_equal(
1039                             abstract, &rpc_lookup[i].rpc_interface)
1040                     && ndr_syntax_id_equal(
1041                             transfer, &ndr_transfer_syntax)) {
1042                         break;
1043                 }
1044         }
1045
1046         if (i == rpc_lookup_size) {
1047                 return false;
1048         }
1049
1050         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1051         if (context_fns == NULL) {
1052                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1053                 return False;
1054         }
1055
1056         context_fns->cmds = rpc_lookup[i].cmds;
1057         context_fns->n_cmds = rpc_lookup[i].n_cmds;
1058         context_fns->context_id = context_id;
1059
1060         /* add to the list of open contexts */
1061
1062         DLIST_ADD( p->contexts, context_fns );
1063
1064         return True;
1065 }
1066
1067 /*******************************************************************
1068  Register commands to an RPC pipe
1069 *******************************************************************/
1070
1071 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1072                           const struct ndr_interface_table *iface,
1073                           const struct api_struct *cmds, int size)
1074 {
1075         struct rpc_table *rpc_entry;
1076
1077         if (!clnt || !srv || !cmds) {
1078                 return NT_STATUS_INVALID_PARAMETER;
1079         }
1080
1081         if (version != SMB_RPC_INTERFACE_VERSION) {
1082                 DEBUG(0,("Can't register rpc commands!\n"
1083                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1084                          ", while this version of samba uses version %d!\n", 
1085                          version,SMB_RPC_INTERFACE_VERSION));
1086                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1087         }
1088
1089         /* TODO: 
1090          *
1091          * we still need to make sure that don't register the same commands twice!!!
1092          * 
1093          * --metze
1094          */
1095
1096         /* We use a temporary variable because this call can fail and 
1097            rpc_lookup will still be valid afterwards.  It could then succeed if
1098            called again later */
1099         rpc_lookup_size++;
1100         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1101         if (NULL == rpc_entry) {
1102                 rpc_lookup_size--;
1103                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1104                 return NT_STATUS_NO_MEMORY;
1105         } else {
1106                 rpc_lookup = rpc_entry;
1107         }
1108
1109         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1110         ZERO_STRUCTP(rpc_entry);
1111         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1112         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1113         rpc_entry->rpc_interface = iface->syntax_id;
1114         rpc_entry->cmds = cmds;
1115         rpc_entry->n_cmds = size;
1116
1117         return NT_STATUS_OK;
1118 }
1119
1120 /**
1121  * Is a named pipe known?
1122  * @param[in] cli_filename      The pipe name requested by the client
1123  * @result                      Do we want to serve this?
1124  */
1125 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1126 {
1127         const char *pipename = cli_filename;
1128         int i;
1129         NTSTATUS status;
1130
1131         if (strnequal(pipename, "\\PIPE\\", 6)) {
1132                 pipename += 5;
1133         }
1134
1135         if (*pipename == '\\') {
1136                 pipename += 1;
1137         }
1138
1139         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1140                 DEBUG(10, ("refusing spoolss access\n"));
1141                 return false;
1142         }
1143
1144         for (i=0; i<rpc_lookup_size; i++) {
1145                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1146                         *syntax = rpc_lookup[i].rpc_interface;
1147                         return true;
1148                 }
1149         }
1150
1151         status = smb_probe_module("rpc", pipename);
1152         if (!NT_STATUS_IS_OK(status)) {
1153                 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1154                 return false;
1155         }
1156         DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
1157
1158         /*
1159          * Scan the list again for the interface id
1160          */
1161
1162         for (i=0; i<rpc_lookup_size; i++) {
1163                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1164                         *syntax = rpc_lookup[i].rpc_interface;
1165                         return true;
1166                 }
1167         }
1168
1169         DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
1170                    pipename));
1171
1172         return false;
1173 }
1174
1175 /*******************************************************************
1176  Handle a SPNEGO krb5 bind auth.
1177 *******************************************************************/
1178
1179 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1180                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1181 {
1182         return False;
1183 }
1184
1185 /*******************************************************************
1186  Handle the first part of a SPNEGO bind auth.
1187 *******************************************************************/
1188
1189 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1190                                         uint32_t ss_padding_len,
1191                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1192 {
1193         DATA_BLOB blob;
1194         DATA_BLOB secblob;
1195         DATA_BLOB response;
1196         DATA_BLOB chal;
1197         char *OIDs[ASN1_MAX_OIDS];
1198         int i;
1199         NTSTATUS status;
1200         bool got_kerberos_mechanism = false;
1201         AUTH_NTLMSSP_STATE *a = NULL;
1202         RPC_HDR_AUTH auth_info;
1203
1204         ZERO_STRUCT(secblob);
1205         ZERO_STRUCT(chal);
1206         ZERO_STRUCT(response);
1207
1208         /* Grab the SPNEGO blob. */
1209         blob = data_blob(NULL,p->hdr.auth_len);
1210
1211         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1212                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1213                         (unsigned int)p->hdr.auth_len ));
1214                 goto err;
1215         }
1216
1217         if (blob.data[0] != ASN1_APPLICATION(0)) {
1218                 goto err;
1219         }
1220
1221         /* parse out the OIDs and the first sec blob */
1222         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1223                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1224                 goto err;
1225         }
1226
1227         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1228                 got_kerberos_mechanism = true;
1229         }
1230
1231         for (i=0;OIDs[i];i++) {
1232                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1233                 TALLOC_FREE(OIDs[i]);
1234         }
1235         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1236
1237         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1238                 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1239                 data_blob_free(&secblob);
1240                 data_blob_free(&blob);
1241                 return ret;
1242         }
1243
1244         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1245                 /* Free any previous auth type. */
1246                 free_pipe_ntlmssp_auth_data(&p->auth);
1247         }
1248
1249         if (!got_kerberos_mechanism) {
1250                 /* Initialize the NTLM engine. */
1251                 status = auth_ntlmssp_start(&a);
1252                 if (!NT_STATUS_IS_OK(status)) {
1253                         goto err;
1254                 }
1255
1256                 /*
1257                  * Pass the first security blob of data to it.
1258                  * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1259                  * which means we need another packet to complete the bind.
1260                  */
1261
1262                 status = auth_ntlmssp_update(a, secblob, &chal);
1263
1264                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1265                         DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1266                         goto err;
1267                 }
1268
1269                 /* Generate the response blob we need for step 2 of the bind. */
1270                 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1271         } else {
1272                 /*
1273                  * SPNEGO negotiate down to NTLMSSP. The subsequent
1274                  * code to process follow-up packets is not complete
1275                  * yet. JRA.
1276                  */
1277                 response = spnego_gen_auth_response(NULL,
1278                                         NT_STATUS_MORE_PROCESSING_REQUIRED,
1279                                         OID_NTLMSSP);
1280         }
1281
1282         /* auth_pad_len will be handled by the caller */
1283
1284         /* Copy the blob into the pout_auth parse struct */
1285         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
1286                         pauth_info->auth_level, ss_padding_len, 1);
1287         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1288                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1289                 goto err;
1290         }
1291
1292         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1293                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1294                 goto err;
1295         }
1296
1297         p->auth.a_u.auth_ntlmssp_state = a;
1298         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1299         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1300
1301         data_blob_free(&blob);
1302         data_blob_free(&secblob);
1303         data_blob_free(&chal);
1304         data_blob_free(&response);
1305
1306         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1307         return True;
1308
1309  err:
1310
1311         data_blob_free(&blob);
1312         data_blob_free(&secblob);
1313         data_blob_free(&chal);
1314         data_blob_free(&response);
1315
1316         p->auth.a_u.auth_ntlmssp_state = NULL;
1317
1318         return False;
1319 }
1320
1321 /*******************************************************************
1322  Handle the second part of a SPNEGO bind auth.
1323 *******************************************************************/
1324
1325 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1326                                 uint32_t ss_padding_len,
1327                                 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1328 {
1329         RPC_HDR_AUTH auth_info;
1330         DATA_BLOB spnego_blob;
1331         DATA_BLOB auth_blob;
1332         DATA_BLOB auth_reply;
1333         DATA_BLOB response;
1334         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1335
1336         ZERO_STRUCT(spnego_blob);
1337         ZERO_STRUCT(auth_blob);
1338         ZERO_STRUCT(auth_reply);
1339         ZERO_STRUCT(response);
1340
1341         /*
1342          * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1343          * fail here as 'a' == NULL.
1344          */
1345         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1346                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1347                 goto err;
1348         }
1349
1350         /* Grab the SPNEGO blob. */
1351         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1352
1353         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1354                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1355                         (unsigned int)p->hdr.auth_len ));
1356                 goto err;
1357         }
1358
1359         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1360                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1361                 goto err;
1362         }
1363
1364         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1365                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1366                 goto err;
1367         }
1368
1369         /*
1370          * The following call actually checks the challenge/response data.
1371          * for correctness against the given DOMAIN\user name.
1372          */
1373
1374         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1375                 goto err;
1376         }
1377
1378         data_blob_free(&spnego_blob);
1379         data_blob_free(&auth_blob);
1380
1381         /* Generate the spnego "accept completed" blob - no incoming data. */
1382         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1383
1384         /* FIXME - add auth_pad_len here ! */
1385
1386         /* Copy the blob into the pout_auth parse struct */
1387         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
1388                         pauth_info->auth_level, ss_padding_len, 1);
1389         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1390                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1391                 goto err;
1392         }
1393
1394         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1395                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1396                 goto err;
1397         }
1398
1399         data_blob_free(&auth_reply);
1400         data_blob_free(&response);
1401
1402         p->pipe_bound = True;
1403
1404         return True;
1405
1406  err:
1407
1408         data_blob_free(&spnego_blob);
1409         data_blob_free(&auth_blob);
1410         data_blob_free(&auth_reply);
1411         data_blob_free(&response);
1412
1413         free_pipe_ntlmssp_auth_data(&p->auth);
1414         p->auth.a_u.auth_ntlmssp_state = NULL;
1415
1416         return False;
1417 }
1418
1419 /*******************************************************************
1420  Handle an schannel bind auth.
1421 *******************************************************************/
1422
1423 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1424                                         uint32_t ss_padding_len,
1425                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1426 {
1427         RPC_HDR_AUTH auth_info;
1428         struct NL_AUTH_MESSAGE neg;
1429         struct NL_AUTH_MESSAGE reply;
1430         bool ret;
1431         NTSTATUS status;
1432         struct netlogon_creds_CredentialState *creds;
1433         DATA_BLOB session_key;
1434         enum ndr_err_code ndr_err;
1435         DATA_BLOB blob;
1436
1437         blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1438                                prs_data_size(rpc_in_p));
1439
1440         ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1441                                (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1442         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1443                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1444                 return false;
1445         }
1446
1447         if (DEBUGLEVEL >= 10) {
1448                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1449         }
1450
1451         if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1452                 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1453                 return false;
1454         }
1455
1456         /*
1457          * The neg.oem_netbios_computer.a key here must match the remote computer name
1458          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1459          * operations that use credentials.
1460          */
1461
1462         become_root();
1463         status = schannel_fetch_session_key(p,
1464                                             neg.oem_netbios_computer.a,
1465                                             &creds);
1466         unbecome_root();
1467
1468         if (!NT_STATUS_IS_OK(status)) {
1469                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1470                 return False;
1471         }
1472
1473         p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1474         if (!p->auth.a_u.schannel_auth) {
1475                 TALLOC_FREE(creds);
1476                 return False;
1477         }
1478
1479         p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1480         p->auth.a_u.schannel_auth->seq_num = 0;
1481         p->auth.a_u.schannel_auth->initiator = false;
1482         p->auth.a_u.schannel_auth->creds = creds;
1483
1484         /*
1485          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1486          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1487          * struct of the person who opened the pipe. I need to test this further. JRA.
1488          *
1489          * VL. As we are mapping this to guest set the generic key
1490          * "SystemLibraryDTC" key here. It's a bit difficult to test against
1491          * W2k3, as it does not allow schannel binds against SAMR and LSA
1492          * anymore.
1493          */
1494
1495         session_key = generic_session_key();
1496         if (session_key.data == NULL) {
1497                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1498                           " key\n"));
1499                 return false;
1500         }
1501
1502         ret = server_info_set_session_key(p->server_info, session_key);
1503
1504         data_blob_free(&session_key);
1505
1506         if (!ret) {
1507                 DEBUG(0, ("server_info_set_session_key failed\n"));
1508                 return false;
1509         }
1510
1511         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL,
1512                         pauth_info->auth_level, ss_padding_len, 1);
1513         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1514                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1515                 return False;
1516         }
1517
1518         /*** SCHANNEL verifier ***/
1519
1520         reply.MessageType                       = NL_NEGOTIATE_RESPONSE;
1521         reply.Flags                             = 0;
1522         reply.Buffer.dummy                      = 5; /* ??? actually I don't think
1523                                                       * this has any meaning
1524                                                       * here - gd */
1525
1526         ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &reply,
1527                        (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1528         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1529                 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1530                 return false;
1531         }
1532
1533         if (DEBUGLEVEL >= 10) {
1534                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1535         }
1536
1537         if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1538                 return false;
1539         }
1540
1541         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1542                 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1543
1544         /* We're finished with this bind - no more packets. */
1545         p->auth.auth_data_free_func = NULL;
1546         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1547
1548         p->pipe_bound = True;
1549
1550         return True;
1551 }
1552
1553 /*******************************************************************
1554  Handle an NTLMSSP bind auth.
1555 *******************************************************************/
1556
1557 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1558                                         uint32_t ss_padding_len,
1559                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1560 {
1561         RPC_HDR_AUTH auth_info;
1562         DATA_BLOB blob;
1563         DATA_BLOB response;
1564         NTSTATUS status;
1565         AUTH_NTLMSSP_STATE *a = NULL;
1566
1567         ZERO_STRUCT(blob);
1568         ZERO_STRUCT(response);
1569
1570         /* Grab the NTLMSSP blob. */
1571         blob = data_blob(NULL,p->hdr.auth_len);
1572
1573         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1574                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1575                         (unsigned int)p->hdr.auth_len ));
1576                 goto err;
1577         }
1578
1579         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1580                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1581                 goto err;
1582         }
1583
1584         /* We have an NTLMSSP blob. */
1585         status = auth_ntlmssp_start(&a);
1586         if (!NT_STATUS_IS_OK(status)) {
1587                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1588                         nt_errstr(status) ));
1589                 goto err;
1590         }
1591
1592         status = auth_ntlmssp_update(a, blob, &response);
1593         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1594                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1595                         nt_errstr(status) ));
1596                 goto err;
1597         }
1598
1599         data_blob_free(&blob);
1600
1601         /* Copy the blob into the pout_auth parse struct */
1602         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP,
1603                         pauth_info->auth_level, ss_padding_len, 1);
1604         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1605                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1606                 goto err;
1607         }
1608
1609         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1610                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1611                 goto err;
1612         }
1613
1614         p->auth.a_u.auth_ntlmssp_state = a;
1615         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1616         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1617
1618         data_blob_free(&blob);
1619         data_blob_free(&response);
1620
1621         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1622
1623         /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1624         return True;
1625
1626   err:
1627
1628         data_blob_free(&blob);
1629         data_blob_free(&response);
1630
1631         free_pipe_ntlmssp_auth_data(&p->auth);
1632         p->auth.a_u.auth_ntlmssp_state = NULL;
1633         return False;
1634 }
1635
1636 /*******************************************************************
1637  Respond to a pipe bind request.
1638 *******************************************************************/
1639
1640 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1641 {
1642         RPC_HDR_BA hdr_ba;
1643         RPC_HDR_RB hdr_rb;
1644         RPC_HDR_AUTH auth_info;
1645         uint16 assoc_gid;
1646         fstring ack_pipe_name;
1647         prs_struct out_hdr_ba;
1648         prs_struct out_auth;
1649         int i = 0;
1650         int auth_len = 0;
1651         unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1652         uint32_t ss_padding_len = 0;
1653
1654         /* No rebinds on a bound pipe - use alter context. */
1655         if (p->pipe_bound) {
1656                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1657                          "pipe %s.\n",
1658                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1659                 return setup_bind_nak(p);
1660         }
1661
1662         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1663
1664         /* 
1665          * Marshall directly into the outgoing PDU space. We
1666          * must do this as we need to set to the bind response
1667          * header and are never sending more than one PDU here.
1668          */
1669
1670         /*
1671          * Setup the memory to marshall the ba header, and the
1672          * auth footers.
1673          */
1674
1675         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1676                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1677                 prs_mem_free(&p->out_data.frag);
1678                 return False;
1679         }
1680
1681         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1682                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1683                 prs_mem_free(&p->out_data.frag);
1684                 prs_mem_free(&out_hdr_ba);
1685                 return False;
1686         }
1687
1688         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1689
1690         ZERO_STRUCT(hdr_rb);
1691
1692         /* decode the bind request */
1693
1694         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1695                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1696                          "struct.\n"));
1697                 goto err_exit;
1698         }
1699
1700         if (hdr_rb.num_contexts == 0) {
1701                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1702                 goto err_exit;
1703         }
1704
1705         /*
1706          * Try and find the correct pipe name to ensure
1707          * that this is a pipe name we support.
1708          */
1709
1710         for (i = 0; i < rpc_lookup_size; i++) {
1711                 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1712                                         &hdr_rb.rpc_context[0].abstract)) {
1713                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1714                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1715                         break;
1716                 }
1717         }
1718
1719         if (i == rpc_lookup_size) {
1720                 NTSTATUS status;
1721
1722                 status = smb_probe_module(
1723                         "rpc", get_pipe_name_from_syntax(
1724                                 talloc_tos(),
1725                                 &hdr_rb.rpc_context[0].abstract));
1726
1727                 if (NT_STATUS_IS_ERR(status)) {
1728                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1729                                 get_pipe_name_from_syntax(
1730                                         talloc_tos(),
1731                                         &hdr_rb.rpc_context[0].abstract)));
1732                         prs_mem_free(&p->out_data.frag);
1733                         prs_mem_free(&out_hdr_ba);
1734                         prs_mem_free(&out_auth);
1735
1736                         return setup_bind_nak(p);
1737                 }
1738
1739                 for (i = 0; i < rpc_lookup_size; i++) {
1740                        if (strequal(rpc_lookup[i].pipe.clnt,
1741                                     get_pipe_name_from_syntax(talloc_tos(),
1742                                                               &p->syntax))) {
1743                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1744                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1745                                break;
1746                        }
1747                 }
1748
1749                 if (i == rpc_lookup_size) {
1750                         DEBUG(0, ("module %s doesn't provide functions for "
1751                                   "pipe %s!\n",
1752                                   get_pipe_name_from_syntax(talloc_tos(),
1753                                                             &p->syntax),
1754                                   get_pipe_name_from_syntax(talloc_tos(),
1755                                                             &p->syntax)));
1756                         goto err_exit;
1757                 }
1758         }
1759
1760         /* name has to be \PIPE\xxxxx */
1761         fstrcpy(ack_pipe_name, "\\PIPE\\");
1762         fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1763
1764         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1765
1766         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1767
1768         /*
1769          * Create the bind response struct.
1770          */
1771
1772         /* If the requested abstract synt uuid doesn't match our client pipe,
1773                 reject the bind_ack & set the transfer interface synt to all 0's,
1774                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1775                 unknown to NT4)
1776                 Needed when adding entries to a DACL from NT5 - SK */
1777
1778         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1779                                 hdr_rb.rpc_context[0].context_id )) {
1780                 init_rpc_hdr_ba(&hdr_ba,
1781                         RPC_MAX_PDU_FRAG_LEN,
1782                         RPC_MAX_PDU_FRAG_LEN,
1783                         assoc_gid,
1784                         ack_pipe_name,
1785                         0x1, 0x0, 0x0,
1786                         &hdr_rb.rpc_context[0].transfer[0]);
1787         } else {
1788                 /* Rejection reason: abstract syntax not supported */
1789                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1790                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1791                                         ack_pipe_name, 0x1, 0x2, 0x1,
1792                                         &null_ndr_syntax_id);
1793                 p->pipe_bound = False;
1794         }
1795
1796         /*
1797          * and marshall it.
1798          */
1799
1800         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1801                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1802                 goto err_exit;
1803         }
1804
1805         /*
1806          * Check if this is an authenticated bind request.
1807          */
1808
1809         if (p->hdr.auth_len) {
1810                 /* 
1811                  * Decode the authentication verifier.
1812                  */
1813
1814                 /* Work out any padding needed before the auth footer. */
1815                 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
1816                         ss_padding_len = SERVER_NDR_PADDING_SIZE -
1817                                 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
1818                         DEBUG(10,("api_pipe_bind_req: auth pad_len = %u\n",
1819                                 (unsigned int)ss_padding_len ));
1820                 }
1821
1822                 /* Quick length check. Won't catch a bad auth footer,
1823                  * prevents overrun. */
1824
1825                 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
1826                         DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
1827                                 "too long for fragment %u.\n",
1828                                 (unsigned int)p->hdr.auth_len,
1829                                 (unsigned int)p->hdr.frag_len ));
1830                         goto err_exit;
1831                 }
1832
1833                 /* Pull the auth header and the following data into a blob. */
1834                 /* NB. The offset of the auth_header is relative to the *end*
1835                  * of the packet, not the start. Also, the length of the
1836                  * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
1837                  * as the RPC header isn't included in rpc_in_p. */
1838                 if(!prs_set_offset(rpc_in_p,
1839                                 p->hdr.frag_len - RPC_HEADER_LEN -
1840                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
1841                         DEBUG(0,("api_pipe_bind_req: cannot move "
1842                                 "offset to %u.\n",
1843                                 (unsigned int)(p->hdr.frag_len -
1844                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
1845                         goto err_exit;
1846                 }
1847
1848                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1849                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1850                         goto err_exit;
1851                 }
1852
1853                 auth_type = auth_info.auth_type;
1854
1855                 /* Work out if we have to sign or seal etc. */
1856                 switch (auth_info.auth_level) {
1857                         case DCERPC_AUTH_LEVEL_INTEGRITY:
1858                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1859                                 break;
1860                         case DCERPC_AUTH_LEVEL_PRIVACY:
1861                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1862                                 break;
1863                         default:
1864                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1865                                         (unsigned int)auth_info.auth_level ));
1866                                 goto err_exit;
1867                 }
1868         } else {
1869                 ZERO_STRUCT(auth_info);
1870         }
1871
1872         switch(auth_type) {
1873                 case DCERPC_AUTH_TYPE_NTLMSSP:
1874                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p,
1875                                         ss_padding_len, &auth_info, &out_auth)) {
1876                                 goto err_exit;
1877                         }
1878                         assoc_gid = 0x7a77;
1879                         break;
1880
1881                 case DCERPC_AUTH_TYPE_SCHANNEL:
1882                         if (!pipe_schannel_auth_bind(p, rpc_in_p,
1883                                         ss_padding_len, &auth_info, &out_auth)) {
1884                                 goto err_exit;
1885                         }
1886                         break;
1887
1888                 case DCERPC_AUTH_TYPE_SPNEGO:
1889                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p,
1890                                         ss_padding_len, &auth_info, &out_auth)) {
1891                                 goto err_exit;
1892                         }
1893                         break;
1894
1895                 case DCERPC_AUTH_TYPE_NONE:
1896                         /* Unauthenticated bind request. */
1897                         /* We're finished - no more packets. */
1898                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1899                         /* We must set the pipe auth_level here also. */
1900                         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1901                         p->pipe_bound = True;
1902                         /* The session key was initialized from the SMB
1903                          * session in make_internal_rpc_pipe_p */
1904                         ss_padding_len = 0;
1905                         break;
1906
1907                 default:
1908                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1909                         goto err_exit;
1910         }
1911         /*
1912          * Create the header, now we know the length.
1913          */
1914
1915         if (prs_offset(&out_auth)) {
1916                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1917         }
1918
1919         init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1920                         p->hdr.call_id,
1921                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) +
1922                                 ss_padding_len + prs_offset(&out_auth),
1923                         auth_len);
1924
1925         /*
1926          * Marshall the header into the outgoing PDU.
1927          */
1928
1929         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1930                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1931                 goto err_exit;
1932         }
1933
1934         /*
1935          * Now add the RPC_HDR_BA and any auth needed.
1936          */
1937
1938         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1939                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1940                 goto err_exit;
1941         }
1942
1943         if (auth_len) {
1944                 if (ss_padding_len) {
1945                         char pad[SERVER_NDR_PADDING_SIZE];
1946                         memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1947                         if (!prs_copy_data_in(&p->out_data.frag, pad,
1948                                         ss_padding_len)) {
1949                                 DEBUG(0,("api_pipe_bind_req: failed to add %u "
1950                                         "bytes of pad data.\n",
1951                                         (unsigned int)ss_padding_len));
1952                                 goto err_exit;
1953                         }
1954                 }
1955
1956                 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1957                         DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1958                         goto err_exit;
1959                 }
1960         }
1961
1962         /*
1963          * Setup the lengths for the initial reply.
1964          */
1965
1966         p->out_data.data_sent_length = 0;
1967         p->out_data.current_pdu_sent = 0;
1968
1969         prs_mem_free(&out_hdr_ba);
1970         prs_mem_free(&out_auth);
1971
1972         return True;
1973
1974   err_exit:
1975
1976         prs_mem_free(&p->out_data.frag);
1977         prs_mem_free(&out_hdr_ba);
1978         prs_mem_free(&out_auth);
1979         return setup_bind_nak(p);
1980 }
1981
1982 /****************************************************************************
1983  Deal with an alter context call. Can be third part of 3 leg auth request for
1984  SPNEGO calls.
1985 ****************************************************************************/
1986
1987 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1988 {
1989         RPC_HDR_BA hdr_ba;
1990         RPC_HDR_RB hdr_rb;
1991         RPC_HDR_AUTH auth_info;
1992         uint16 assoc_gid;
1993         fstring ack_pipe_name;
1994         prs_struct out_hdr_ba;
1995         prs_struct out_auth;
1996         int auth_len = 0;
1997         uint32_t ss_padding_len = 0;
1998
1999         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
2000
2001         /* 
2002          * Marshall directly into the outgoing PDU space. We
2003          * must do this as we need to set to the bind response
2004          * header and are never sending more than one PDU here.
2005          */
2006
2007         /*
2008          * Setup the memory to marshall the ba header, and the
2009          * auth footers.
2010          */
2011
2012         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
2013                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
2014                 prs_mem_free(&p->out_data.frag);
2015                 return False;
2016         }
2017
2018         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
2019                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
2020                 prs_mem_free(&p->out_data.frag);
2021                 prs_mem_free(&out_hdr_ba);
2022                 return False;
2023         }
2024
2025         ZERO_STRUCT(hdr_rb);
2026
2027         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
2028
2029         /* decode the alter context request */
2030         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
2031                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
2032                 goto err_exit;
2033         }
2034
2035         /* secondary address CAN be NULL
2036          * as the specs say it's ignored.
2037          * It MUST be NULL to have the spoolss working.
2038          */
2039         fstrcpy(ack_pipe_name,"");
2040
2041         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
2042
2043         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
2044
2045         /*
2046          * Create the bind response struct.
2047          */
2048
2049         /* If the requested abstract synt uuid doesn't match our client pipe,
2050                 reject the bind_ack & set the transfer interface synt to all 0's,
2051                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
2052                 unknown to NT4)
2053                 Needed when adding entries to a DACL from NT5 - SK */
2054
2055         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
2056                                 hdr_rb.rpc_context[0].context_id )) {
2057                 init_rpc_hdr_ba(&hdr_ba,
2058                         RPC_MAX_PDU_FRAG_LEN,
2059                         RPC_MAX_PDU_FRAG_LEN,
2060                         assoc_gid,
2061                         ack_pipe_name,
2062                         0x1, 0x0, 0x0,
2063                         &hdr_rb.rpc_context[0].transfer[0]);
2064         } else {
2065                 /* Rejection reason: abstract syntax not supported */
2066                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
2067                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
2068                                         ack_pipe_name, 0x1, 0x2, 0x1,
2069                                         &null_ndr_syntax_id);
2070                 p->pipe_bound = False;
2071         }
2072
2073         /*
2074          * and marshall it.
2075          */
2076
2077         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
2078                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
2079                 goto err_exit;
2080         }
2081
2082
2083         /*
2084          * Check if this is an authenticated alter context request.
2085          */
2086
2087         if (p->hdr.auth_len != 0) {
2088                 /* 
2089                  * Decode the authentication verifier.
2090                  */
2091
2092                 /* Work out any padding needed before the auth footer. */
2093                 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
2094                         ss_padding_len = SERVER_NDR_PADDING_SIZE -
2095                                 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
2096                         DEBUG(10,("api_pipe_alter_context: auth pad_len = %u\n",
2097                                 (unsigned int)ss_padding_len ));
2098                 }
2099
2100                 /* Quick length check. Won't catch a bad auth footer,
2101                  * prevents overrun. */
2102
2103                 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
2104                         DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
2105                                 "too long for fragment %u.\n",
2106                                 (unsigned int)p->hdr.auth_len,
2107                                 (unsigned int)p->hdr.frag_len ));
2108                         goto err_exit;
2109                 }
2110
2111                 /* Pull the auth header and the following data into a blob. */
2112                 /* NB. The offset of the auth_header is relative to the *end*
2113                  * of the packet, not the start. Also, the length of the
2114                  * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2115                  * as the RPC header isn't included in rpc_in_p. */
2116                 if(!prs_set_offset(rpc_in_p,
2117                                 p->hdr.frag_len - RPC_HEADER_LEN -
2118                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
2119                         DEBUG(0,("api_alter_context: cannot move "
2120                                 "offset to %u.\n",
2121                                 (unsigned int)(p->hdr.frag_len -
2122                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
2123                         goto err_exit;
2124                 }
2125
2126                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
2127                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
2128                         goto err_exit;
2129                 }
2130
2131                 /*
2132                  * Currently only the SPNEGO auth type uses the alter ctx
2133                  * response in place of the NTLMSSP auth3 type.
2134                  */
2135
2136                 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
2137                         /* We can only finish if the pipe is unbound. */
2138                         if (!p->pipe_bound) {
2139                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p,
2140                                                 ss_padding_len, &auth_info, &out_auth)) {
2141                                         goto err_exit;
2142                                 }
2143                         } else {
2144                                 goto err_exit;
2145                         }
2146                 }
2147         } else {
2148                 ZERO_STRUCT(auth_info);
2149         }
2150         /*
2151          * Create the header, now we know the length.
2152          */
2153
2154         if (prs_offset(&out_auth)) {
2155                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
2156         }
2157
2158         init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
2159                         p->hdr.call_id,
2160                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
2161                         auth_len);
2162
2163         /*
2164          * Marshall the header into the outgoing PDU.
2165          */
2166
2167         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2168                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2169                 goto err_exit;
2170         }
2171
2172         /*
2173          * Now add the RPC_HDR_BA and any auth needed.
2174          */
2175
2176         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2177                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2178                 goto err_exit;
2179         }
2180
2181         if (auth_len) {
2182                 if (ss_padding_len) {
2183                         char pad[SERVER_NDR_PADDING_SIZE];
2184                         memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
2185                         if (!prs_copy_data_in(&p->out_data.frag, pad,
2186                                         ss_padding_len)) {
2187                                 DEBUG(0,("api_pipe_alter_context: failed to add %u "
2188                                         "bytes of pad data.\n",
2189                                         (unsigned int)ss_padding_len));
2190                                 goto err_exit;
2191                         }
2192                 }
2193
2194                 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
2195                         DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2196                         goto err_exit;
2197                 }
2198         }
2199
2200         /*
2201          * Setup the lengths for the initial reply.
2202          */
2203
2204         p->out_data.data_sent_length = 0;
2205         p->out_data.current_pdu_sent = 0;
2206
2207         prs_mem_free(&out_hdr_ba);
2208         prs_mem_free(&out_auth);
2209
2210         return True;
2211
2212   err_exit:
2213
2214         prs_mem_free(&p->out_data.frag);
2215         prs_mem_free(&out_hdr_ba);
2216         prs_mem_free(&out_auth);
2217         return setup_bind_nak(p);
2218 }
2219
2220 /****************************************************************************
2221  Deal with NTLMSSP sign & seal processing on an RPC request.
2222 ****************************************************************************/
2223
2224 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2225                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2226 {
2227         RPC_HDR_AUTH auth_info;
2228         uint32 auth_len = p->hdr.auth_len;
2229         uint32 save_offset = prs_offset(rpc_in);
2230         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2231         unsigned char *data = NULL;
2232         size_t data_len;
2233         unsigned char *full_packet_data = NULL;
2234         size_t full_packet_data_len;
2235         DATA_BLOB auth_blob;
2236
2237         *pstatus = NT_STATUS_OK;
2238
2239         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2240                 return True;
2241         }
2242
2243         if (!a) {
2244                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2245                 return False;
2246         }
2247
2248         /* Ensure there's enough data for an authenticated request. */
2249         if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN
2250                         + auth_len > p->hdr.frag_len) {
2251                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2252                         (unsigned int)auth_len ));
2253                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2254                 return False;
2255         }
2256
2257         /*
2258          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2259          * after the RPC header.
2260          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2261          * functions as NTLMv2 checks the rpc headers also.
2262          * Both of these values include any auth_pad_len bytes.
2263          */
2264
2265         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2266         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2267
2268         full_packet_data = p->in_data.current_in_pdu;
2269         full_packet_data_len = p->hdr.frag_len - auth_len;
2270
2271         /* Pull the auth header and the following data into a blob. */
2272         /* NB. The offset of the auth_header is relative to the *end*
2273          * of the packet, not the start. Also, the length of the
2274          * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2275          * as the RPC header isn't included in rpc_in_p. */
2276         if(!prs_set_offset(rpc_in,
2277                         p->hdr.frag_len - RPC_HEADER_LEN -
2278                         RPC_HDR_AUTH_LEN - auth_len)) {
2279                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move "
2280                         "offset to %u.\n",
2281                         (unsigned int)(p->hdr.frag_len -
2282                                 RPC_HDR_AUTH_LEN - auth_len) ));
2283                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2284                 return False;
2285         }
2286
2287         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2288                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to "
2289                         "unmarshall RPC_HDR_AUTH.\n"));
2290                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2291                 return False;
2292         }
2293
2294         /* Ensure auth_pad_len fits into the packet. */
2295         if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2296                         RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2297                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_info.auth_pad_len "
2298                         "too large (%u), auth_len (%u), frag_len = (%u).\n",
2299                         (unsigned int)auth_info.auth_pad_len,
2300                         (unsigned int)auth_len,
2301                         (unsigned int)p->hdr.frag_len ));
2302                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2303                 return False;
2304         }
2305
2306         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2307         auth_blob.length = auth_len;
2308
2309         switch (p->auth.auth_level) {
2310                 case DCERPC_AUTH_LEVEL_PRIVACY:
2311                         /* Data is encrypted. */
2312                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2313                                                         data, data_len,
2314                                                         full_packet_data,
2315                                                         full_packet_data_len,
2316                                                         &auth_blob);
2317                         if (!NT_STATUS_IS_OK(*pstatus)) {
2318                                 return False;
2319                         }
2320                         break;
2321                 case DCERPC_AUTH_LEVEL_INTEGRITY:
2322                         /* Data is signed. */
2323                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2324                                                         data, data_len,
2325                                                         full_packet_data,
2326                                                         full_packet_data_len,
2327                                                         &auth_blob);
2328                         if (!NT_STATUS_IS_OK(*pstatus)) {
2329                                 return False;
2330                         }
2331                         break;
2332                 default:
2333                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2334                         return False;
2335         }
2336
2337         /*
2338          * Return the current pointer to the data offset.
2339          */
2340
2341         if(!prs_set_offset(rpc_in, save_offset)) {
2342                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2343                         (unsigned int)save_offset ));
2344                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2345                 return False;
2346         }
2347
2348         /*
2349          * Remember the padding length. We must remove it from the real data
2350          * stream once the sign/seal is done.
2351          */
2352
2353         *p_ss_padding_len = auth_info.auth_pad_len;
2354
2355         return True;
2356 }
2357
2358 /****************************************************************************
2359  Deal with schannel processing on an RPC request.
2360 ****************************************************************************/
2361
2362 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2363 {
2364         uint32 data_len;
2365         uint32 auth_len;
2366         uint32 save_offset = prs_offset(rpc_in);
2367         RPC_HDR_AUTH auth_info;
2368         DATA_BLOB blob;
2369         NTSTATUS status;
2370         uint8_t *data;
2371
2372         auth_len = p->hdr.auth_len;
2373
2374         if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2375                         auth_len > RPC_HEADER_LEN +
2376                                         RPC_HDR_REQ_LEN +
2377                                         RPC_HDR_AUTH_LEN +
2378                                         auth_len) {
2379                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2380                 return False;
2381         }
2382
2383         /*
2384          * The following is that length of the data we must verify or unseal.
2385          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2386          * preceeding the auth_data, but does include the auth_pad_len bytes.
2387          */
2388
2389         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2390                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2391                         (unsigned int)p->hdr.frag_len,
2392                         (unsigned int)auth_len ));
2393                 return False;
2394         }
2395
2396         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2397                 RPC_HDR_AUTH_LEN - auth_len;
2398
2399         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2400
2401         /* Pull the auth header and the following data into a blob. */
2402         /* NB. The offset of the auth_header is relative to the *end*
2403          * of the packet, not the start. Also, the length of the
2404          * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2405          * as the RPC header isn't included in rpc_in_p. */
2406         if(!prs_set_offset(rpc_in,
2407                         p->hdr.frag_len - RPC_HEADER_LEN -
2408                         RPC_HDR_AUTH_LEN - auth_len)) {
2409                 DEBUG(0,("api_pipe_schannel_process: cannot move "
2410                         "offset to %u.\n",
2411                         (unsigned int)(p->hdr.frag_len -
2412                                 RPC_HDR_AUTH_LEN - auth_len) ));
2413                 return False;
2414         }
2415
2416         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2417                 DEBUG(0,("api_pipe_schannel_process: failed to "
2418                         "unmarshall RPC_HDR_AUTH.\n"));
2419                 return False;
2420         }
2421
2422         /* Ensure auth_pad_len fits into the packet. */
2423         if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2424                         RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2425                 DEBUG(0,("api_pipe_schannel_process: auth_info.auth_pad_len "
2426                         "too large (%u), auth_len (%u), frag_len = (%u).\n",
2427                         (unsigned int)auth_info.auth_pad_len,
2428                         (unsigned int)auth_len,
2429                         (unsigned int)p->hdr.frag_len ));
2430                 return False;
2431         }
2432
2433         if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2434                 DEBUG(0,("Invalid auth info %d on schannel\n",
2435                          auth_info.auth_type));
2436                 return False;
2437         }
2438
2439         blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2440
2441         if (DEBUGLEVEL >= 10) {
2442                 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2443         }
2444
2445         data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2446
2447         switch (auth_info.auth_level) {
2448         case DCERPC_AUTH_LEVEL_PRIVACY:
2449                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2450                                                 talloc_tos(),
2451                                                 true,
2452                                                 data,
2453                                                 data_len,
2454                                                 &blob);
2455                 break;
2456         case DCERPC_AUTH_LEVEL_INTEGRITY:
2457                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2458                                                 talloc_tos(),
2459                                                 false,
2460                                                 data,
2461                                                 data_len,
2462                                                 &blob);
2463                 break;
2464         default:
2465                 status = NT_STATUS_INTERNAL_ERROR;
2466                 break;
2467         }
2468
2469         if (!NT_STATUS_IS_OK(status)) {
2470                 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2471                 return false;
2472         }
2473
2474         /*
2475          * Return the current pointer to the data offset.
2476          */
2477
2478         if(!prs_set_offset(rpc_in, save_offset)) {
2479                 DEBUG(0,("failed to set offset back to %u\n",
2480                          (unsigned int)save_offset ));
2481                 return False;
2482         }
2483
2484         /*
2485          * Remember the padding length. We must remove it from the real data
2486          * stream once the sign/seal is done.
2487          */
2488
2489         *p_ss_padding_len = auth_info.auth_pad_len;
2490
2491         return True;
2492 }
2493
2494 /****************************************************************************
2495  Find the set of RPC functions associated with this context_id
2496 ****************************************************************************/
2497
2498 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2499 {
2500         PIPE_RPC_FNS *fns = NULL;
2501
2502         if ( !list ) {
2503                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2504                 return NULL;
2505         }
2506
2507         for (fns=list; fns; fns=fns->next ) {
2508                 if ( fns->context_id == context_id )
2509                         return fns;
2510         }
2511         return NULL;
2512 }
2513
2514 /****************************************************************************
2515  Memory cleanup.
2516 ****************************************************************************/
2517
2518 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2519 {
2520         PIPE_RPC_FNS *tmp = list;
2521         PIPE_RPC_FNS *tmp2;
2522
2523         while (tmp) {
2524                 tmp2 = tmp->next;
2525                 SAFE_FREE(tmp);
2526                 tmp = tmp2;
2527         }
2528
2529         return; 
2530 }
2531
2532 static bool api_rpcTNP(pipes_struct *p,
2533                        const struct api_struct *api_rpc_cmds, int n_cmds);
2534
2535 /****************************************************************************
2536  Find the correct RPC function to call for this request.
2537  If the pipe is authenticated then become the correct UNIX user
2538  before doing the call.
2539 ****************************************************************************/
2540
2541 bool api_pipe_request(pipes_struct *p)
2542 {
2543         bool ret = False;
2544         bool changed_user = False;
2545         PIPE_RPC_FNS *pipe_fns;
2546
2547         if (p->pipe_bound &&
2548                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2549                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2550                 if(!become_authenticated_pipe_user(p)) {
2551                         prs_mem_free(&p->out_data.rdata);
2552                         return False;
2553                 }
2554                 changed_user = True;
2555         }
2556
2557         DEBUG(5, ("Requested \\PIPE\\%s\n",
2558                   get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2559
2560         /* get the set of RPC functions for this context */
2561
2562         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2563
2564         if ( pipe_fns ) {
2565                 TALLOC_CTX *frame = talloc_stackframe();
2566                 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2567                 TALLOC_FREE(frame);
2568         }
2569         else {
2570                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2571                         p->hdr_req.context_id,
2572                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2573         }
2574
2575         if (changed_user) {
2576                 unbecome_authenticated_pipe_user();
2577         }
2578
2579         return ret;
2580 }
2581
2582 /*******************************************************************
2583  Calls the underlying RPC function for a named pipe.
2584  ********************************************************************/
2585
2586 static bool api_rpcTNP(pipes_struct *p,
2587                        const struct api_struct *api_rpc_cmds, int n_cmds)
2588 {
2589         int fn_num;
2590         uint32 offset1, offset2;
2591
2592         /* interpret the command */
2593         DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2594                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2595                  p->hdr_req.opnum));
2596
2597         if (DEBUGLEVEL >= 50) {
2598                 fstring name;
2599                 slprintf(name, sizeof(name)-1, "in_%s",
2600                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2601                 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2602         }
2603
2604         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2605                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2606                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2607                         break;
2608                 }
2609         }
2610
2611         if (fn_num == n_cmds) {
2612                 /*
2613                  * For an unknown RPC just return a fault PDU but
2614                  * return True to allow RPC's on the pipe to continue
2615                  * and not put the pipe into fault state. JRA.
2616                  */
2617                 DEBUG(4, ("unknown\n"));
2618                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2619                 return True;
2620         }
2621
2622         offset1 = prs_offset(&p->out_data.rdata);
2623
2624         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2625                 fn_num, api_rpc_cmds[fn_num].fn));
2626         /* do the actual command */
2627         if(!api_rpc_cmds[fn_num].fn(p)) {
2628                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2629                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2630                          api_rpc_cmds[fn_num].name));
2631                 prs_mem_free(&p->out_data.rdata);
2632                 return False;
2633         }
2634
2635         if (p->bad_handle_fault_state) {
2636                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2637                 p->bad_handle_fault_state = False;
2638                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2639                 return True;
2640         }
2641
2642         if (p->rng_fault_state) {
2643                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2644                 p->rng_fault_state = False;
2645                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2646                 return True;
2647         }
2648
2649         offset2 = prs_offset(&p->out_data.rdata);
2650         prs_set_offset(&p->out_data.rdata, offset1);
2651         if (DEBUGLEVEL >= 50) {
2652                 fstring name;
2653                 slprintf(name, sizeof(name)-1, "out_%s",
2654                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2655                 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2656         }
2657         prs_set_offset(&p->out_data.rdata, offset2);
2658
2659         DEBUG(5,("api_rpcTNP: called %s successfully\n",
2660                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2661
2662         /* Check for buffer underflow in rpc parsing */
2663
2664         if ((DEBUGLEVEL >= 10) && 
2665             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2666                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2667                 char *data = (char *)SMB_MALLOC(data_len);
2668
2669                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2670                 if (data) {
2671                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2672                         SAFE_FREE(data);
2673                 }
2674
2675         }
2676
2677         return True;
2678 }