7e0eda1c54c5bff5eb4fd33773a9c3d860466bcb
[ira/wip.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005.
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31 #include "../libcli/auth/libcli_auth.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/schannel_proto.h"
35 #include "../libcli/auth/spnego.h"
36
37 extern struct current_user current_user;
38
39 #undef DBGC_CLASS
40 #define DBGC_CLASS DBGC_RPC_SRV
41
42 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
43 {
44         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
45
46         if (a) {
47                 auth_ntlmssp_end(&a);
48         }
49         auth->a_u.auth_ntlmssp_state = NULL;
50 }
51
52 static DATA_BLOB generic_session_key(void)
53 {
54         return data_blob("SystemLibraryDTC", 16);
55 }
56
57 /*******************************************************************
58  Generate the next PDU to be returned from the data in p->rdata. 
59  Handle NTLMSSP.
60  ********************************************************************/
61
62 static bool create_next_pdu_ntlmssp(pipes_struct *p)
63 {
64         RPC_HDR_RESP hdr_resp;
65         uint32 ss_padding_len = 0;
66         uint32 data_space_available;
67         uint32 data_len_left;
68         uint32 data_len;
69         NTSTATUS status;
70         DATA_BLOB auth_blob;
71         RPC_HDR_AUTH auth_info;
72         uint8 auth_type, auth_level;
73         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
74
75         /*
76          * If we're in the fault state, keep returning fault PDU's until
77          * the pipe gets closed. JRA.
78          */
79
80         if(p->fault_state) {
81                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
82                 return True;
83         }
84
85         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
86
87         /* Change the incoming request header to a response. */
88         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
89
90         /* Set up rpc header flags. */
91         if (p->out_data.data_sent_length == 0) {
92                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
93         } else {
94                 p->hdr.flags = 0;
95         }
96
97         /*
98          * Work out how much we can fit in a single PDU.
99          */
100
101         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
102
103         /*
104          * Ensure there really is data left to send.
105          */
106
107         if(!data_len_left) {
108                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
109                 return False;
110         }
111
112         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
113                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
114
115         /*
116          * The amount we send is the minimum of the available
117          * space and the amount left to send.
118          */
119
120         data_len = MIN(data_len_left, data_space_available);
121
122         /*
123          * Set up the alloc hint. This should be the data left to
124          * send.
125          */
126
127         hdr_resp.alloc_hint = data_len_left;
128
129         /*
130          * Work out if this PDU will be the last.
131          */
132
133         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
134                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
135                 if (data_len_left % 8) {
136                         ss_padding_len = 8 - (data_len_left % 8);
137                         DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
138                                 ss_padding_len ));
139                 }
140         }
141
142         /*
143          * Set up the header lengths.
144          */
145
146         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
147                         data_len + ss_padding_len +
148                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
149         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
150
151
152         /*
153          * Init the parse struct to point at the outgoing
154          * data.
155          */
156
157         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
158
159         /* Store the header in the data stream. */
160         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
161                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
162                 prs_mem_free(&p->out_data.frag);
163                 return False;
164         }
165
166         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
167                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
168                 prs_mem_free(&p->out_data.frag);
169                 return False;
170         }
171
172         /* Copy the data into the PDU. */
173
174         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
175                                      p->out_data.data_sent_length, data_len)) {
176                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
177                 prs_mem_free(&p->out_data.frag);
178                 return False;
179         }
180
181         /* Copy the sign/seal padding data. */
182         if (ss_padding_len) {
183                 char pad[8];
184
185                 memset(pad, '\0', 8);
186                 if (!prs_copy_data_in(&p->out_data.frag, pad,
187                                       ss_padding_len)) {
188                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
189                                         (unsigned int)ss_padding_len));
190                         prs_mem_free(&p->out_data.frag);
191                         return False;
192                 }
193         }
194
195
196         /* Now write out the auth header and null blob. */
197         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
198                 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
199         } else {
200                 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
201         }
202         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
203                 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
204         } else {
205                 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
206         }
207
208         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
209         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag,
210                                 0)) {
211                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
212                 prs_mem_free(&p->out_data.frag);
213                 return False;
214         }
215
216         /* Generate the sign blob. */
217
218         switch (p->auth.auth_level) {
219                 case DCERPC_AUTH_LEVEL_PRIVACY:
220                         /* Data portion is encrypted. */
221                         status = ntlmssp_seal_packet(
222                                 a->ntlmssp_state,
223                                 (uint8_t *)prs_data_p(&p->out_data.frag)
224                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
225                                 data_len + ss_padding_len,
226                                 (unsigned char *)prs_data_p(&p->out_data.frag),
227                                 (size_t)prs_offset(&p->out_data.frag),
228                                 &auth_blob);
229                         if (!NT_STATUS_IS_OK(status)) {
230                                 data_blob_free(&auth_blob);
231                                 prs_mem_free(&p->out_data.frag);
232                                 return False;
233                         }
234                         break;
235                 case DCERPC_AUTH_LEVEL_INTEGRITY:
236                         /* Data is signed. */
237                         status = ntlmssp_sign_packet(
238                                 a->ntlmssp_state,
239                                 (unsigned char *)prs_data_p(&p->out_data.frag)
240                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
241                                 data_len + ss_padding_len,
242                                 (unsigned char *)prs_data_p(&p->out_data.frag),
243                                 (size_t)prs_offset(&p->out_data.frag),
244                                 &auth_blob);
245                         if (!NT_STATUS_IS_OK(status)) {
246                                 data_blob_free(&auth_blob);
247                                 prs_mem_free(&p->out_data.frag);
248                                 return False;
249                         }
250                         break;
251                 default:
252                         prs_mem_free(&p->out_data.frag);
253                         return False;
254         }
255
256         /* Append the auth blob. */
257         if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
258                               NTLMSSP_SIG_SIZE)) {
259                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
260                                 (unsigned int)NTLMSSP_SIG_SIZE));
261                 data_blob_free(&auth_blob);
262                 prs_mem_free(&p->out_data.frag);
263                 return False;
264         }
265
266         data_blob_free(&auth_blob);
267
268         /*
269          * Setup the counts for this PDU.
270          */
271
272         p->out_data.data_sent_length += data_len;
273         p->out_data.current_pdu_sent = 0;
274
275         return True;
276 }
277
278 /*******************************************************************
279  Generate the next PDU to be returned from the data in p->rdata. 
280  Return an schannel authenticated fragment.
281  ********************************************************************/
282
283 static bool create_next_pdu_schannel(pipes_struct *p)
284 {
285         RPC_HDR_RESP hdr_resp;
286         uint32 ss_padding_len = 0;
287         uint32 data_len;
288         uint32 data_space_available;
289         uint32 data_len_left;
290         uint32 data_pos;
291         NTSTATUS status;
292
293         /*
294          * If we're in the fault state, keep returning fault PDU's until
295          * the pipe gets closed. JRA.
296          */
297
298         if(p->fault_state) {
299                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
300                 return True;
301         }
302
303         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
304
305         /* Change the incoming request header to a response. */
306         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
307
308         /* Set up rpc header flags. */
309         if (p->out_data.data_sent_length == 0) {
310                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
311         } else {
312                 p->hdr.flags = 0;
313         }
314
315         /*
316          * Work out how much we can fit in a single PDU.
317          */
318
319         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
320
321         /*
322          * Ensure there really is data left to send.
323          */
324
325         if(!data_len_left) {
326                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
327                 return False;
328         }
329
330         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
331                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
332                 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
333
334         /*
335          * The amount we send is the minimum of the available
336          * space and the amount left to send.
337          */
338
339         data_len = MIN(data_len_left, data_space_available);
340
341         /*
342          * Set up the alloc hint. This should be the data left to
343          * send.
344          */
345
346         hdr_resp.alloc_hint = data_len_left;
347
348         /*
349          * Work out if this PDU will be the last.
350          */
351
352         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
353                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
354                 if (data_len_left % 8) {
355                         ss_padding_len = 8 - (data_len_left % 8);
356                         DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
357                                 ss_padding_len ));
358                 }
359         }
360
361         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
362                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
363         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
364
365         /*
366          * Init the parse struct to point at the outgoing
367          * data.
368          */
369
370         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
371
372         /* Store the header in the data stream. */
373         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
374                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
375                 prs_mem_free(&p->out_data.frag);
376                 return False;
377         }
378
379         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
380                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
381                 prs_mem_free(&p->out_data.frag);
382                 return False;
383         }
384
385         /* Store the current offset. */
386         data_pos = prs_offset(&p->out_data.frag);
387
388         /* Copy the data into the PDU. */
389
390         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
391                                      p->out_data.data_sent_length, data_len)) {
392                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
393                 prs_mem_free(&p->out_data.frag);
394                 return False;
395         }
396
397         /* Copy the sign/seal padding data. */
398         if (ss_padding_len) {
399                 char pad[8];
400                 memset(pad, '\0', 8);
401                 if (!prs_copy_data_in(&p->out_data.frag, pad,
402                                       ss_padding_len)) {
403                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
404                         prs_mem_free(&p->out_data.frag);
405                         return False;
406                 }
407         }
408
409         {
410                 /*
411                  * Schannel processing.
412                  */
413                 RPC_HDR_AUTH auth_info;
414                 DATA_BLOB blob;
415                 uint8_t *data;
416
417                 /* Check it's the type of reply we were expecting to decode */
418
419                 init_rpc_hdr_auth(&auth_info,
420                                 DCERPC_AUTH_TYPE_SCHANNEL,
421                                 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
422                                         DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
423                                 ss_padding_len, 1);
424
425                 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
426                                         &p->out_data.frag, 0)) {
427                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
428                         prs_mem_free(&p->out_data.frag);
429                         return False;
430                 }
431
432                 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
433
434                 switch (p->auth.auth_level) {
435                 case DCERPC_AUTH_LEVEL_PRIVACY:
436                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
437                                                         talloc_tos(),
438                                                         true,
439                                                         data,
440                                                         data_len + ss_padding_len,
441                                                         &blob);
442                         break;
443                 case DCERPC_AUTH_LEVEL_INTEGRITY:
444                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
445                                                         talloc_tos(),
446                                                         false,
447                                                         data,
448                                                         data_len + ss_padding_len,
449                                                         &blob);
450                         break;
451                 default:
452                         status = NT_STATUS_INTERNAL_ERROR;
453                         break;
454                 }
455
456                 if (!NT_STATUS_IS_OK(status)) {
457                         DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
458                                 nt_errstr(status)));
459                         prs_mem_free(&p->out_data.frag);
460                         return false;
461                 }
462
463                 /* Finally marshall the blob. */
464
465                 if (DEBUGLEVEL >= 10) {
466                         dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
467                 }
468
469                 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
470                         prs_mem_free(&p->out_data.frag);
471                         return false;
472                 }
473         }
474
475         /*
476          * Setup the counts for this PDU.
477          */
478
479         p->out_data.data_sent_length += data_len;
480         p->out_data.current_pdu_sent = 0;
481
482         return True;
483 }
484
485 /*******************************************************************
486  Generate the next PDU to be returned from the data in p->rdata. 
487  No authentication done.
488 ********************************************************************/
489
490 static bool create_next_pdu_noauth(pipes_struct *p)
491 {
492         RPC_HDR_RESP hdr_resp;
493         uint32 data_len;
494         uint32 data_space_available;
495         uint32 data_len_left;
496
497         /*
498          * If we're in the fault state, keep returning fault PDU's until
499          * the pipe gets closed. JRA.
500          */
501
502         if(p->fault_state) {
503                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
504                 return True;
505         }
506
507         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
508
509         /* Change the incoming request header to a response. */
510         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
511
512         /* Set up rpc header flags. */
513         if (p->out_data.data_sent_length == 0) {
514                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
515         } else {
516                 p->hdr.flags = 0;
517         }
518
519         /*
520          * Work out how much we can fit in a single PDU.
521          */
522
523         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
524
525         /*
526          * Ensure there really is data left to send.
527          */
528
529         if(!data_len_left) {
530                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
531                 return False;
532         }
533
534         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
535                 - RPC_HDR_RESP_LEN;
536
537         /*
538          * The amount we send is the minimum of the available
539          * space and the amount left to send.
540          */
541
542         data_len = MIN(data_len_left, data_space_available);
543
544         /*
545          * Set up the alloc hint. This should be the data left to
546          * send.
547          */
548
549         hdr_resp.alloc_hint = data_len_left;
550
551         /*
552          * Work out if this PDU will be the last.
553          */
554
555         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
556                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
557         }
558
559         /*
560          * Set up the header lengths.
561          */
562
563         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
564         p->hdr.auth_len = 0;
565
566         /*
567          * Init the parse struct to point at the outgoing
568          * data.
569          */
570
571         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
572
573         /* Store the header in the data stream. */
574         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
575                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
576                 prs_mem_free(&p->out_data.frag);
577                 return False;
578         }
579
580         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
581                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
582                 prs_mem_free(&p->out_data.frag);
583                 return False;
584         }
585
586         /* Copy the data into the PDU. */
587
588         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
589                                      p->out_data.data_sent_length, data_len)) {
590                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
591                 prs_mem_free(&p->out_data.frag);
592                 return False;
593         }
594
595         /*
596          * Setup the counts for this PDU.
597          */
598
599         p->out_data.data_sent_length += data_len;
600         p->out_data.current_pdu_sent = 0;
601
602         return True;
603 }
604
605 /*******************************************************************
606  Generate the next PDU to be returned from the data in p->rdata. 
607 ********************************************************************/
608
609 bool create_next_pdu(pipes_struct *p)
610 {
611         switch(p->auth.auth_level) {
612                 case DCERPC_AUTH_LEVEL_NONE:
613                 case DCERPC_AUTH_LEVEL_CONNECT:
614                         /* This is incorrect for auth level connect. Fixme. JRA */
615                         return create_next_pdu_noauth(p);
616
617                 default:
618                         switch(p->auth.auth_type) {
619                                 case PIPE_AUTH_TYPE_NTLMSSP:
620                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
621                                         return create_next_pdu_ntlmssp(p);
622                                 case PIPE_AUTH_TYPE_SCHANNEL:
623                                         return create_next_pdu_schannel(p);
624                                 default:
625                                         break;
626                         }
627         }
628
629         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
630                         (unsigned int)p->auth.auth_level,
631                         (unsigned int)p->auth.auth_type));
632         return False;
633 }
634
635 /*******************************************************************
636  Process an NTLMSSP authentication response.
637  If this function succeeds, the user has been authenticated
638  and their domain, name and calling workstation stored in
639  the pipe struct.
640 *******************************************************************/
641
642 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
643 {
644         DATA_BLOB session_key, reply;
645         NTSTATUS status;
646         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
647         bool ret;
648
649         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
650                  get_pipe_name_tos(p)));
651
652         ZERO_STRUCT(reply);
653
654         /* this has to be done as root in order to verify the password */
655         become_root();
656         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
657         unbecome_root();
658
659         /* Don't generate a reply. */
660         data_blob_free(&reply);
661
662         if (!NT_STATUS_IS_OK(status)) {
663                 return False;
664         }
665
666         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
667            ensure the underlying NTLMSSP flags are also set. If not we should
668            refuse the bind. */
669
670         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
671                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
672                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
673                                 "but client declined signing.\n",
674                                  get_pipe_name_tos(p)));
675                         return False;
676                 }
677         }
678         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
679                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
680                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
681                                 "but client declined sealing.\n",
682                                  get_pipe_name_tos(p)));
683                         return False;
684                 }
685         }
686
687         DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
688                   "workstation: %s\n", a->ntlmssp_state->user,
689                   a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
690
691         if (a->server_info->ptok == NULL) {
692                 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
693                 return False;
694         }
695
696         TALLOC_FREE(p->server_info);
697
698         p->server_info = copy_serverinfo(p, a->server_info);
699         if (p->server_info == NULL) {
700                 DEBUG(0, ("copy_serverinfo failed\n"));
701                 return false;
702         }
703
704         /*
705          * We're an authenticated bind over smb, so the session key needs to
706          * be set to "SystemLibraryDTC". Weird, but this is what Windows
707          * does. See the RPC-SAMBA3SESSIONKEY.
708          */
709
710         session_key = generic_session_key();
711         if (session_key.data == NULL) {
712                 return False;
713         }
714
715         ret = server_info_set_session_key(p->server_info, session_key);
716
717         data_blob_free(&session_key);
718
719         return True;
720 }
721
722 /*******************************************************************
723  The switch table for the pipe names and the functions to handle them.
724 *******************************************************************/
725
726 struct rpc_table {
727         struct {
728                 const char *clnt;
729                 const char *srv;
730         } pipe;
731         struct ndr_syntax_id rpc_interface;
732         const struct api_struct *cmds;
733         int n_cmds;
734 };
735
736 static struct rpc_table *rpc_lookup;
737 static int rpc_lookup_size;
738
739 /*******************************************************************
740  This is the "stage3" NTLMSSP response after a bind request and reply.
741 *******************************************************************/
742
743 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
744 {
745         RPC_HDR_AUTH auth_info;
746         uint32 pad = 0;
747         DATA_BLOB blob;
748
749         ZERO_STRUCT(blob);
750
751         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
752
753         if (p->hdr.auth_len == 0) {
754                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
755                 goto err;
756         }
757
758         /* 4 bytes padding. */
759         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
760                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
761                 goto err;
762         }
763
764         /*
765          * Decode the authentication verifier response.
766          */
767
768         if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
769                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
770                 goto err;
771         }
772
773         if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
774                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
775                         (unsigned int)auth_info.auth_type ));
776                 return False;
777         }
778
779         blob = data_blob(NULL,p->hdr.auth_len);
780
781         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
782                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
783                         (unsigned int)p->hdr.auth_len ));
784                 goto err;
785         }
786
787         /*
788          * The following call actually checks the challenge/response data.
789          * for correctness against the given DOMAIN\user name.
790          */
791
792         if (!pipe_ntlmssp_verify_final(p, &blob)) {
793                 goto err;
794         }
795
796         data_blob_free(&blob);
797
798         p->pipe_bound = True;
799
800         return True;
801
802  err:
803
804         data_blob_free(&blob);
805         free_pipe_ntlmssp_auth_data(&p->auth);
806         p->auth.a_u.auth_ntlmssp_state = NULL;
807
808         return False;
809 }
810
811 /*******************************************************************
812  Marshall a bind_nak pdu.
813 *******************************************************************/
814
815 static bool setup_bind_nak(pipes_struct *p)
816 {
817         RPC_HDR nak_hdr;
818         uint16 zero = 0;
819
820         /* Free any memory in the current return data buffer. */
821         prs_mem_free(&p->out_data.rdata);
822
823         /*
824          * Marshall directly into the outgoing PDU space. We
825          * must do this as we need to set to the bind response
826          * header and are never sending more than one PDU here.
827          */
828
829         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
830
831         /*
832          * Initialize a bind_nak header.
833          */
834
835         init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
836                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
837
838         /*
839          * Marshall the header into the outgoing PDU.
840          */
841
842         if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
843                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
844                 prs_mem_free(&p->out_data.frag);
845                 return False;
846         }
847
848         /*
849          * Now add the reject reason.
850          */
851
852         if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
853                 prs_mem_free(&p->out_data.frag);
854                 return False;
855         }
856
857         p->out_data.data_sent_length = 0;
858         p->out_data.current_pdu_sent = 0;
859
860         if (p->auth.auth_data_free_func) {
861                 (*p->auth.auth_data_free_func)(&p->auth);
862         }
863         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
864         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
865         p->pipe_bound = False;
866
867         return True;
868 }
869
870 /*******************************************************************
871  Marshall a fault pdu.
872 *******************************************************************/
873
874 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
875 {
876         RPC_HDR fault_hdr;
877         RPC_HDR_RESP hdr_resp;
878         RPC_HDR_FAULT fault_resp;
879
880         /* Free any memory in the current return data buffer. */
881         prs_mem_free(&p->out_data.rdata);
882
883         /*
884          * Marshall directly into the outgoing PDU space. We
885          * must do this as we need to set to the bind response
886          * header and are never sending more than one PDU here.
887          */
888
889         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
890
891         /*
892          * Initialize a fault header.
893          */
894
895         init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
896             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
897
898         /*
899          * Initialize the HDR_RESP and FAULT parts of the PDU.
900          */
901
902         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
903
904         fault_resp.status = status;
905         fault_resp.reserved = 0;
906
907         /*
908          * Marshall the header into the outgoing PDU.
909          */
910
911         if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
912                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
913                 prs_mem_free(&p->out_data.frag);
914                 return False;
915         }
916
917         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
918                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
919                 prs_mem_free(&p->out_data.frag);
920                 return False;
921         }
922
923         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
924                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
925                 prs_mem_free(&p->out_data.frag);
926                 return False;
927         }
928
929         p->out_data.data_sent_length = 0;
930         p->out_data.current_pdu_sent = 0;
931
932         return True;
933 }
934
935 #if 0
936 /*******************************************************************
937  Marshall a cancel_ack pdu.
938  We should probably check the auth-verifier here.
939 *******************************************************************/
940
941 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
942 {
943         prs_struct outgoing_pdu;
944         RPC_HDR ack_reply_hdr;
945
946         /* Free any memory in the current return data buffer. */
947         prs_mem_free(&p->out_data.rdata);
948
949         /*
950          * Marshall directly into the outgoing PDU space. We
951          * must do this as we need to set to the bind response
952          * header and are never sending more than one PDU here.
953          */
954
955         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
956         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
957
958         /*
959          * Initialize a cancel_ack header.
960          */
961
962         init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
963                         p->hdr.call_id, RPC_HEADER_LEN, 0);
964
965         /*
966          * Marshall the header into the outgoing PDU.
967          */
968
969         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
970                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
971                 prs_mem_free(&outgoing_pdu);
972                 return False;
973         }
974
975         p->out_data.data_sent_length = 0;
976         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
977         p->out_data.current_pdu_sent = 0;
978
979         prs_mem_free(&outgoing_pdu);
980         return True;
981 }
982 #endif
983
984 /*******************************************************************
985  Ensure a bind request has the correct abstract & transfer interface.
986  Used to reject unknown binds from Win2k.
987 *******************************************************************/
988
989 static bool check_bind_req(struct pipes_struct *p,
990                            struct ndr_syntax_id* abstract,
991                            struct ndr_syntax_id* transfer,
992                            uint32 context_id)
993 {
994         int i=0;
995         struct pipe_rpc_fns *context_fns;
996
997         DEBUG(3,("check_bind_req for %s\n", get_pipe_name_tos(p)));
998
999         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
1000
1001         for (i=0; i<rpc_lookup_size; i++) {
1002                 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
1003                 if (ndr_syntax_id_equal(
1004                             abstract, &rpc_lookup[i].rpc_interface)
1005                     && ndr_syntax_id_equal(
1006                             transfer, &ndr_transfer_syntax)) {
1007                         break;
1008                 }
1009         }
1010
1011         if (i == rpc_lookup_size) {
1012                 return false;
1013         }
1014
1015         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1016         if (context_fns == NULL) {
1017                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1018                 return False;
1019         }
1020
1021         context_fns->cmds = rpc_lookup[i].cmds;
1022         context_fns->n_cmds = rpc_lookup[i].n_cmds;
1023         context_fns->context_id = context_id;
1024
1025         /* add to the list of open contexts */
1026
1027         DLIST_ADD( p->contexts, context_fns );
1028
1029         return True;
1030 }
1031
1032 /*******************************************************************
1033  Register commands to an RPC pipe
1034 *******************************************************************/
1035
1036 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1037                           const char *interface, uint32_t interface_version,
1038                           const struct api_struct *cmds, int size)
1039 {
1040         struct rpc_table *rpc_entry;
1041         struct ndr_syntax_id syntax;
1042
1043         if (!clnt || !srv || !cmds) {
1044                 return NT_STATUS_INVALID_PARAMETER;
1045         }
1046
1047         if (!ndr_syntax_from_string(interface, interface_version, &syntax)) {
1048                 return NT_STATUS_INVALID_PARAMETER;
1049         }
1050
1051         if (version != SMB_RPC_INTERFACE_VERSION) {
1052                 DEBUG(0,("Can't register rpc commands!\n"
1053                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1054                          ", while this version of samba uses version %d!\n", 
1055                          version,SMB_RPC_INTERFACE_VERSION));
1056                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1057         }
1058
1059         /* TODO: 
1060          *
1061          * we still need to make sure that don't register the same commands twice!!!
1062          * 
1063          * --metze
1064          */
1065
1066         /* We use a temporary variable because this call can fail and 
1067            rpc_lookup will still be valid afterwards.  It could then succeed if
1068            called again later */
1069         rpc_lookup_size++;
1070         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1071         if (NULL == rpc_entry) {
1072                 rpc_lookup_size--;
1073                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1074                 return NT_STATUS_NO_MEMORY;
1075         } else {
1076                 rpc_lookup = rpc_entry;
1077         }
1078
1079         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1080         ZERO_STRUCTP(rpc_entry);
1081         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1082         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1083         rpc_entry->rpc_interface = syntax;
1084         rpc_entry->cmds = cmds;
1085         rpc_entry->n_cmds = size;
1086
1087         return NT_STATUS_OK;
1088 }
1089
1090 /**
1091  * Is a named pipe known?
1092  * @param[in] cli_filename      The pipe name requested by the client
1093  * @result                      Do we want to serve this?
1094  */
1095 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1096 {
1097         const char *pipename = cli_filename;
1098         int i;
1099         NTSTATUS status;
1100
1101         if (strnequal(pipename, "\\PIPE\\", 6)) {
1102                 pipename += 5;
1103         }
1104
1105         if (*pipename == '\\') {
1106                 pipename += 1;
1107         }
1108
1109         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1110                 DEBUG(10, ("refusing spoolss access\n"));
1111                 return false;
1112         }
1113
1114         for (i=0; i<rpc_lookup_size; i++) {
1115                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1116                         *syntax = rpc_lookup[i].rpc_interface;
1117                         return true;
1118                 }
1119         }
1120
1121         status = smb_probe_module("rpc", pipename);
1122         if (!NT_STATUS_IS_OK(status)) {
1123                 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1124                 return false;
1125         }
1126         DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
1127
1128         /*
1129          * Scan the list again for the interface id
1130          */
1131
1132         for (i=0; i<rpc_lookup_size; i++) {
1133                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1134                         *syntax = rpc_lookup[i].rpc_interface;
1135                         return true;
1136                 }
1137         }
1138
1139         DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
1140                    pipename));
1141
1142         return false;
1143 }
1144
1145 /*******************************************************************
1146  Handle a SPNEGO krb5 bind auth.
1147 *******************************************************************/
1148
1149 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1150                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1151 {
1152         return False;
1153 }
1154
1155 /*******************************************************************
1156  Handle the first part of a SPNEGO bind auth.
1157 *******************************************************************/
1158
1159 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1160                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1161 {
1162         DATA_BLOB blob;
1163         DATA_BLOB secblob;
1164         DATA_BLOB response;
1165         DATA_BLOB chal;
1166         char *OIDs[ASN1_MAX_OIDS];
1167         int i;
1168         NTSTATUS status;
1169         bool got_kerberos_mechanism = false;
1170         AUTH_NTLMSSP_STATE *a = NULL;
1171         RPC_HDR_AUTH auth_info;
1172
1173         ZERO_STRUCT(secblob);
1174         ZERO_STRUCT(chal);
1175         ZERO_STRUCT(response);
1176
1177         /* Grab the SPNEGO blob. */
1178         blob = data_blob(NULL,p->hdr.auth_len);
1179
1180         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1181                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1182                         (unsigned int)p->hdr.auth_len ));
1183                 goto err;
1184         }
1185
1186         if (blob.data[0] != ASN1_APPLICATION(0)) {
1187                 goto err;
1188         }
1189
1190         /* parse out the OIDs and the first sec blob */
1191         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1192                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1193                 goto err;
1194         }
1195
1196         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1197                 got_kerberos_mechanism = true;
1198         }
1199
1200         for (i=0;OIDs[i];i++) {
1201                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1202                 TALLOC_FREE(OIDs[i]);
1203         }
1204         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1205
1206         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1207                 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1208                 data_blob_free(&secblob);
1209                 data_blob_free(&blob);
1210                 return ret;
1211         }
1212
1213         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1214                 /* Free any previous auth type. */
1215                 free_pipe_ntlmssp_auth_data(&p->auth);
1216         }
1217
1218         if (!got_kerberos_mechanism) {
1219                 /* Initialize the NTLM engine. */
1220                 status = auth_ntlmssp_start(&a);
1221                 if (!NT_STATUS_IS_OK(status)) {
1222                         goto err;
1223                 }
1224
1225                 /*
1226                  * Pass the first security blob of data to it.
1227                  * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1228                  * which means we need another packet to complete the bind.
1229                  */
1230
1231                 status = auth_ntlmssp_update(a, secblob, &chal);
1232
1233                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1234                         DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1235                         goto err;
1236                 }
1237
1238                 /* Generate the response blob we need for step 2 of the bind. */
1239                 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1240         } else {
1241                 /*
1242                  * SPNEGO negotiate down to NTLMSSP. The subsequent
1243                  * code to process follow-up packets is not complete
1244                  * yet. JRA.
1245                  */
1246                 response = spnego_gen_auth_response(NULL,
1247                                         NT_STATUS_MORE_PROCESSING_REQUIRED,
1248                                         OID_NTLMSSP);
1249         }
1250
1251         /* Copy the blob into the pout_auth parse struct */
1252         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1253         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1254                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1255                 goto err;
1256         }
1257
1258         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1259                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1260                 goto err;
1261         }
1262
1263         p->auth.a_u.auth_ntlmssp_state = a;
1264         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1265         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1266
1267         data_blob_free(&blob);
1268         data_blob_free(&secblob);
1269         data_blob_free(&chal);
1270         data_blob_free(&response);
1271
1272         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1273         return True;
1274
1275  err:
1276
1277         data_blob_free(&blob);
1278         data_blob_free(&secblob);
1279         data_blob_free(&chal);
1280         data_blob_free(&response);
1281
1282         p->auth.a_u.auth_ntlmssp_state = NULL;
1283
1284         return False;
1285 }
1286
1287 /*******************************************************************
1288  Handle the second part of a SPNEGO bind auth.
1289 *******************************************************************/
1290
1291 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1292                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1293 {
1294         RPC_HDR_AUTH auth_info;
1295         DATA_BLOB spnego_blob;
1296         DATA_BLOB auth_blob;
1297         DATA_BLOB auth_reply;
1298         DATA_BLOB response;
1299         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1300
1301         ZERO_STRUCT(spnego_blob);
1302         ZERO_STRUCT(auth_blob);
1303         ZERO_STRUCT(auth_reply);
1304         ZERO_STRUCT(response);
1305
1306         /*
1307          * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1308          * fail here as 'a' == NULL.
1309          */
1310         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1311                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1312                 goto err;
1313         }
1314
1315         /* Grab the SPNEGO blob. */
1316         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1317
1318         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1319                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1320                         (unsigned int)p->hdr.auth_len ));
1321                 goto err;
1322         }
1323
1324         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1325                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1326                 goto err;
1327         }
1328
1329         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1330                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1331                 goto err;
1332         }
1333
1334         /*
1335          * The following call actually checks the challenge/response data.
1336          * for correctness against the given DOMAIN\user name.
1337          */
1338
1339         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1340                 goto err;
1341         }
1342
1343         data_blob_free(&spnego_blob);
1344         data_blob_free(&auth_blob);
1345
1346         /* Generate the spnego "accept completed" blob - no incoming data. */
1347         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1348
1349         /* Copy the blob into the pout_auth parse struct */
1350         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1351         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1352                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1353                 goto err;
1354         }
1355
1356         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1357                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1358                 goto err;
1359         }
1360
1361         data_blob_free(&auth_reply);
1362         data_blob_free(&response);
1363
1364         p->pipe_bound = True;
1365
1366         return True;
1367
1368  err:
1369
1370         data_blob_free(&spnego_blob);
1371         data_blob_free(&auth_blob);
1372         data_blob_free(&auth_reply);
1373         data_blob_free(&response);
1374
1375         free_pipe_ntlmssp_auth_data(&p->auth);
1376         p->auth.a_u.auth_ntlmssp_state = NULL;
1377
1378         return False;
1379 }
1380
1381 /*******************************************************************
1382  Handle an schannel bind auth.
1383 *******************************************************************/
1384
1385 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1386                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1387 {
1388         RPC_HDR_AUTH auth_info;
1389         struct NL_AUTH_MESSAGE neg;
1390         struct NL_AUTH_MESSAGE reply;
1391         bool ret;
1392         NTSTATUS status;
1393         struct netlogon_creds_CredentialState *creds;
1394         DATA_BLOB session_key;
1395         enum ndr_err_code ndr_err;
1396         DATA_BLOB blob;
1397
1398         blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1399                                prs_data_size(rpc_in_p));
1400
1401         ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1402                                (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1403         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1404                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1405                 return false;
1406         }
1407
1408         if (DEBUGLEVEL >= 10) {
1409                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1410         }
1411
1412         if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1413                 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1414                 return false;
1415         }
1416
1417         /*
1418          * The neg.oem_netbios_computer.a key here must match the remote computer name
1419          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1420          * operations that use credentials.
1421          */
1422
1423         become_root();
1424         status = schannel_fetch_session_key(p,
1425                                             neg.oem_netbios_computer.a,
1426                                             &creds);
1427         unbecome_root();
1428
1429         if (!NT_STATUS_IS_OK(status)) {
1430                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1431                 return False;
1432         }
1433
1434         p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1435         if (!p->auth.a_u.schannel_auth) {
1436                 TALLOC_FREE(creds);
1437                 return False;
1438         }
1439
1440         p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1441         p->auth.a_u.schannel_auth->seq_num = 0;
1442         p->auth.a_u.schannel_auth->initiator = false;
1443         p->auth.a_u.schannel_auth->creds = creds;
1444
1445         /*
1446          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1447          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1448          * struct of the person who opened the pipe. I need to test this further. JRA.
1449          *
1450          * VL. As we are mapping this to guest set the generic key
1451          * "SystemLibraryDTC" key here. It's a bit difficult to test against
1452          * W2k3, as it does not allow schannel binds against SAMR and LSA
1453          * anymore.
1454          */
1455
1456         session_key = generic_session_key();
1457         if (session_key.data == NULL) {
1458                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1459                           " key\n"));
1460                 return false;
1461         }
1462
1463         ret = server_info_set_session_key(p->server_info, session_key);
1464
1465         data_blob_free(&session_key);
1466
1467         if (!ret) {
1468                 DEBUG(0, ("server_info_set_session_key failed\n"));
1469                 return false;
1470         }
1471
1472         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1473         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1474                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1475                 return False;
1476         }
1477
1478         /*** SCHANNEL verifier ***/
1479
1480         reply.MessageType                       = NL_NEGOTIATE_RESPONSE;
1481         reply.Flags                             = 0;
1482         reply.Buffer.dummy                      = 5; /* ??? actually I don't think
1483                                                       * this has any meaning
1484                                                       * here - gd */
1485
1486         ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &reply,
1487                        (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1488         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1489                 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1490                 return false;
1491         }
1492
1493         if (DEBUGLEVEL >= 10) {
1494                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1495         }
1496
1497         if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1498                 return false;
1499         }
1500
1501         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1502                 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1503
1504         /* We're finished with this bind - no more packets. */
1505         p->auth.auth_data_free_func = NULL;
1506         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1507
1508         p->pipe_bound = True;
1509
1510         return True;
1511 }
1512
1513 /*******************************************************************
1514  Handle an NTLMSSP bind auth.
1515 *******************************************************************/
1516
1517 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1518                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1519 {
1520         RPC_HDR_AUTH auth_info;
1521         DATA_BLOB blob;
1522         DATA_BLOB response;
1523         NTSTATUS status;
1524         AUTH_NTLMSSP_STATE *a = NULL;
1525
1526         ZERO_STRUCT(blob);
1527         ZERO_STRUCT(response);
1528
1529         /* Grab the NTLMSSP blob. */
1530         blob = data_blob(NULL,p->hdr.auth_len);
1531
1532         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1533                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1534                         (unsigned int)p->hdr.auth_len ));
1535                 goto err;
1536         }
1537
1538         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1539                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1540                 goto err;
1541         }
1542
1543         /* We have an NTLMSSP blob. */
1544         status = auth_ntlmssp_start(&a);
1545         if (!NT_STATUS_IS_OK(status)) {
1546                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1547                         nt_errstr(status) ));
1548                 goto err;
1549         }
1550
1551         status = auth_ntlmssp_update(a, blob, &response);
1552         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1553                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1554                         nt_errstr(status) ));
1555                 goto err;
1556         }
1557
1558         data_blob_free(&blob);
1559
1560         /* Copy the blob into the pout_auth parse struct */
1561         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1562         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1563                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1564                 goto err;
1565         }
1566
1567         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1568                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1569                 goto err;
1570         }
1571
1572         p->auth.a_u.auth_ntlmssp_state = a;
1573         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1574         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1575
1576         data_blob_free(&blob);
1577         data_blob_free(&response);
1578
1579         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1580
1581         /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1582         return True;
1583
1584   err:
1585
1586         data_blob_free(&blob);
1587         data_blob_free(&response);
1588
1589         free_pipe_ntlmssp_auth_data(&p->auth);
1590         p->auth.a_u.auth_ntlmssp_state = NULL;
1591         return False;
1592 }
1593
1594 /*******************************************************************
1595  Respond to a pipe bind request.
1596 *******************************************************************/
1597
1598 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1599 {
1600         RPC_HDR_BA hdr_ba;
1601         RPC_HDR_RB hdr_rb;
1602         RPC_HDR_AUTH auth_info;
1603         uint16 assoc_gid;
1604         fstring ack_pipe_name;
1605         prs_struct out_hdr_ba;
1606         prs_struct out_auth;
1607         int i = 0;
1608         int auth_len = 0;
1609         unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1610
1611         /* No rebinds on a bound pipe - use alter context. */
1612         if (p->pipe_bound) {
1613                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1614                          "pipe %s.\n", get_pipe_name_tos(p)));
1615                 return setup_bind_nak(p);
1616         }
1617
1618         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1619
1620         /* 
1621          * Marshall directly into the outgoing PDU space. We
1622          * must do this as we need to set to the bind response
1623          * header and are never sending more than one PDU here.
1624          */
1625
1626         /*
1627          * Setup the memory to marshall the ba header, and the
1628          * auth footers.
1629          */
1630
1631         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1632                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1633                 prs_mem_free(&p->out_data.frag);
1634                 return False;
1635         }
1636
1637         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1638                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1639                 prs_mem_free(&p->out_data.frag);
1640                 prs_mem_free(&out_hdr_ba);
1641                 return False;
1642         }
1643
1644         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1645
1646         ZERO_STRUCT(hdr_rb);
1647
1648         /* decode the bind request */
1649
1650         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1651                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1652                          "struct.\n"));
1653                 goto err_exit;
1654         }
1655
1656         if (hdr_rb.num_contexts == 0) {
1657                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1658                 goto err_exit;
1659         }
1660
1661         /*
1662          * Try and find the correct pipe name to ensure
1663          * that this is a pipe name we support.
1664          */
1665
1666         for (i = 0; i < rpc_lookup_size; i++) {
1667                 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1668                                         &hdr_rb.rpc_context[0].abstract)) {
1669                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1670                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1671                         break;
1672                 }
1673         }
1674
1675         if (i == rpc_lookup_size) {
1676                 NTSTATUS status;
1677
1678                 status = smb_probe_module(
1679                         "rpc", get_pipe_name_from_syntax(
1680                                 talloc_tos(),
1681                                 &hdr_rb.rpc_context[0].abstract));
1682
1683                 if (NT_STATUS_IS_ERR(status)) {
1684                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1685                                 get_pipe_name_from_syntax(
1686                                         talloc_tos(),
1687                                         &hdr_rb.rpc_context[0].abstract)));
1688                         prs_mem_free(&p->out_data.frag);
1689                         prs_mem_free(&out_hdr_ba);
1690                         prs_mem_free(&out_auth);
1691
1692                         return setup_bind_nak(p);
1693                 }
1694
1695                 for (i = 0; i < rpc_lookup_size; i++) {
1696                        if (strequal(rpc_lookup[i].pipe.clnt,
1697                                     get_pipe_name_tos(p))) {
1698                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1699                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1700                                break;
1701                        }
1702                 }
1703
1704                 if (i == rpc_lookup_size) {
1705                         DEBUG(0, ("module %s doesn't provide functions for "
1706                                   "pipe %s!\n", get_pipe_name_tos(p),
1707                                   get_pipe_name_tos(p)));
1708                         goto err_exit;
1709                 }
1710         }
1711
1712         /* name has to be \PIPE\xxxxx */
1713         fstrcpy(ack_pipe_name, "\\PIPE\\");
1714         fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1715
1716         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1717
1718         /*
1719          * Check if this is an authenticated bind request.
1720          */
1721
1722         if (p->hdr.auth_len) {
1723                 /* 
1724                  * Decode the authentication verifier.
1725                  */
1726
1727                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1728                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1729                         goto err_exit;
1730                 }
1731
1732                 auth_type = auth_info.auth_type;
1733
1734                 /* Work out if we have to sign or seal etc. */
1735                 switch (auth_info.auth_level) {
1736                         case DCERPC_AUTH_LEVEL_INTEGRITY:
1737                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1738                                 break;
1739                         case DCERPC_AUTH_LEVEL_PRIVACY:
1740                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1741                                 break;
1742                         default:
1743                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1744                                         (unsigned int)auth_info.auth_level ));
1745                                 goto err_exit;
1746                 }
1747         } else {
1748                 ZERO_STRUCT(auth_info);
1749         }
1750
1751         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1752
1753         switch(auth_type) {
1754                 case DCERPC_AUTH_TYPE_NTLMSSP:
1755                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1756                                 goto err_exit;
1757                         }
1758                         assoc_gid = 0x7a77;
1759                         break;
1760
1761                 case DCERPC_AUTH_TYPE_SCHANNEL:
1762                         if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1763                                 goto err_exit;
1764                         }
1765                         break;
1766
1767                 case DCERPC_AUTH_TYPE_SPNEGO:
1768                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1769                                 goto err_exit;
1770                         }
1771                         break;
1772
1773                 case DCERPC_AUTH_TYPE_NONE:
1774                         /* Unauthenticated bind request. */
1775                         /* We're finished - no more packets. */
1776                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1777                         /* We must set the pipe auth_level here also. */
1778                         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1779                         p->pipe_bound = True;
1780                         /* The session key was initialized from the SMB
1781                          * session in make_internal_rpc_pipe_p */
1782                         break;
1783
1784                 default:
1785                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1786                         goto err_exit;
1787         }
1788
1789         /*
1790          * Create the bind response struct.
1791          */
1792
1793         /* If the requested abstract synt uuid doesn't match our client pipe,
1794                 reject the bind_ack & set the transfer interface synt to all 0's,
1795                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1796                 unknown to NT4)
1797                 Needed when adding entries to a DACL from NT5 - SK */
1798
1799         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1800                                 hdr_rb.rpc_context[0].context_id )) {
1801                 init_rpc_hdr_ba(&hdr_ba,
1802                         RPC_MAX_PDU_FRAG_LEN,
1803                         RPC_MAX_PDU_FRAG_LEN,
1804                         assoc_gid,
1805                         ack_pipe_name,
1806                         0x1, 0x0, 0x0,
1807                         &hdr_rb.rpc_context[0].transfer[0]);
1808         } else {
1809                 /* Rejection reason: abstract syntax not supported */
1810                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1811                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1812                                         ack_pipe_name, 0x1, 0x2, 0x1,
1813                                         &null_ndr_syntax_id);
1814                 p->pipe_bound = False;
1815         }
1816
1817         /*
1818          * and marshall it.
1819          */
1820
1821         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1822                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1823                 goto err_exit;
1824         }
1825
1826         /*
1827          * Create the header, now we know the length.
1828          */
1829
1830         if (prs_offset(&out_auth)) {
1831                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1832         }
1833
1834         init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1835                         p->hdr.call_id,
1836                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1837                         auth_len);
1838
1839         /*
1840          * Marshall the header into the outgoing PDU.
1841          */
1842
1843         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1844                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1845                 goto err_exit;
1846         }
1847
1848         /*
1849          * Now add the RPC_HDR_BA and any auth needed.
1850          */
1851
1852         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1853                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1854                 goto err_exit;
1855         }
1856
1857         if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1858                 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1859                 goto err_exit;
1860         }
1861
1862         /*
1863          * Setup the lengths for the initial reply.
1864          */
1865
1866         p->out_data.data_sent_length = 0;
1867         p->out_data.current_pdu_sent = 0;
1868
1869         prs_mem_free(&out_hdr_ba);
1870         prs_mem_free(&out_auth);
1871
1872         return True;
1873
1874   err_exit:
1875
1876         prs_mem_free(&p->out_data.frag);
1877         prs_mem_free(&out_hdr_ba);
1878         prs_mem_free(&out_auth);
1879         return setup_bind_nak(p);
1880 }
1881
1882 /****************************************************************************
1883  Deal with an alter context call. Can be third part of 3 leg auth request for
1884  SPNEGO calls.
1885 ****************************************************************************/
1886
1887 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1888 {
1889         RPC_HDR_BA hdr_ba;
1890         RPC_HDR_RB hdr_rb;
1891         RPC_HDR_AUTH auth_info;
1892         uint16 assoc_gid;
1893         fstring ack_pipe_name;
1894         prs_struct out_hdr_ba;
1895         prs_struct out_auth;
1896         int auth_len = 0;
1897
1898         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1899
1900         /* 
1901          * Marshall directly into the outgoing PDU space. We
1902          * must do this as we need to set to the bind response
1903          * header and are never sending more than one PDU here.
1904          */
1905
1906         /*
1907          * Setup the memory to marshall the ba header, and the
1908          * auth footers.
1909          */
1910
1911         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1912                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1913                 prs_mem_free(&p->out_data.frag);
1914                 return False;
1915         }
1916
1917         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1918                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1919                 prs_mem_free(&p->out_data.frag);
1920                 prs_mem_free(&out_hdr_ba);
1921                 return False;
1922         }
1923
1924         ZERO_STRUCT(hdr_rb);
1925
1926         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1927
1928         /* decode the alter context request */
1929         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1930                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1931                 goto err_exit;
1932         }
1933
1934         /* secondary address CAN be NULL
1935          * as the specs say it's ignored.
1936          * It MUST be NULL to have the spoolss working.
1937          */
1938         fstrcpy(ack_pipe_name,"");
1939
1940         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1941
1942         /*
1943          * Check if this is an authenticated alter context request.
1944          */
1945
1946         if (p->hdr.auth_len != 0) {
1947                 /* 
1948                  * Decode the authentication verifier.
1949                  */
1950
1951                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1952                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1953                         goto err_exit;
1954                 }
1955
1956                 /*
1957                  * Currently only the SPNEGO auth type uses the alter ctx
1958                  * response in place of the NTLMSSP auth3 type.
1959                  */
1960
1961                 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
1962                         /* We can only finish if the pipe is unbound. */
1963                         if (!p->pipe_bound) {
1964                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1965                                         goto err_exit;
1966                                 }
1967                         } else {
1968                                 goto err_exit;
1969                         }
1970                 }
1971         } else {
1972                 ZERO_STRUCT(auth_info);
1973         }
1974
1975         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1976
1977         /*
1978          * Create the bind response struct.
1979          */
1980
1981         /* If the requested abstract synt uuid doesn't match our client pipe,
1982                 reject the bind_ack & set the transfer interface synt to all 0's,
1983                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1984                 unknown to NT4)
1985                 Needed when adding entries to a DACL from NT5 - SK */
1986
1987         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1988                                 hdr_rb.rpc_context[0].context_id )) {
1989                 init_rpc_hdr_ba(&hdr_ba,
1990                         RPC_MAX_PDU_FRAG_LEN,
1991                         RPC_MAX_PDU_FRAG_LEN,
1992                         assoc_gid,
1993                         ack_pipe_name,
1994                         0x1, 0x0, 0x0,
1995                         &hdr_rb.rpc_context[0].transfer[0]);
1996         } else {
1997                 /* Rejection reason: abstract syntax not supported */
1998                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1999                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
2000                                         ack_pipe_name, 0x1, 0x2, 0x1,
2001                                         &null_ndr_syntax_id);
2002                 p->pipe_bound = False;
2003         }
2004
2005         /*
2006          * and marshall it.
2007          */
2008
2009         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
2010                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
2011                 goto err_exit;
2012         }
2013
2014         /*
2015          * Create the header, now we know the length.
2016          */
2017
2018         if (prs_offset(&out_auth)) {
2019                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
2020         }
2021
2022         init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
2023                         p->hdr.call_id,
2024                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
2025                         auth_len);
2026
2027         /*
2028          * Marshall the header into the outgoing PDU.
2029          */
2030
2031         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2032                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2033                 goto err_exit;
2034         }
2035
2036         /*
2037          * Now add the RPC_HDR_BA and any auth needed.
2038          */
2039
2040         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2041                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2042                 goto err_exit;
2043         }
2044
2045         if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) {
2046                 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2047                 goto err_exit;
2048         }
2049
2050         /*
2051          * Setup the lengths for the initial reply.
2052          */
2053
2054         p->out_data.data_sent_length = 0;
2055         p->out_data.current_pdu_sent = 0;
2056
2057         prs_mem_free(&out_hdr_ba);
2058         prs_mem_free(&out_auth);
2059
2060         return True;
2061
2062   err_exit:
2063
2064         prs_mem_free(&p->out_data.frag);
2065         prs_mem_free(&out_hdr_ba);
2066         prs_mem_free(&out_auth);
2067         return setup_bind_nak(p);
2068 }
2069
2070 /****************************************************************************
2071  Deal with NTLMSSP sign & seal processing on an RPC request.
2072 ****************************************************************************/
2073
2074 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2075                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2076 {
2077         RPC_HDR_AUTH auth_info;
2078         uint32 auth_len = p->hdr.auth_len;
2079         uint32 save_offset = prs_offset(rpc_in);
2080         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2081         unsigned char *data = NULL;
2082         size_t data_len;
2083         unsigned char *full_packet_data = NULL;
2084         size_t full_packet_data_len;
2085         DATA_BLOB auth_blob;
2086
2087         *pstatus = NT_STATUS_OK;
2088
2089         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2090                 return True;
2091         }
2092
2093         if (!a) {
2094                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2095                 return False;
2096         }
2097
2098         /* Ensure there's enough data for an authenticated request. */
2099         if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2100                         (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2101                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2102                         (unsigned int)auth_len ));
2103                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2104                 return False;
2105         }
2106
2107         /*
2108          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2109          * after the RPC header. 
2110          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2111          * functions as NTLMv2 checks the rpc headers also.
2112          */
2113
2114         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2115         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2116
2117         full_packet_data = p->in_data.current_in_pdu;
2118         full_packet_data_len = p->hdr.frag_len - auth_len;
2119
2120         /* Pull the auth header and the following data into a blob. */
2121         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2122                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2123                         (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2124                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2125                 return False;
2126         }
2127
2128         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2129                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2130                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2131                 return False;
2132         }
2133
2134         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2135         auth_blob.length = auth_len;
2136
2137         switch (p->auth.auth_level) {
2138                 case DCERPC_AUTH_LEVEL_PRIVACY:
2139                         /* Data is encrypted. */
2140                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2141                                                         data, data_len,
2142                                                         full_packet_data,
2143                                                         full_packet_data_len,
2144                                                         &auth_blob);
2145                         if (!NT_STATUS_IS_OK(*pstatus)) {
2146                                 return False;
2147                         }
2148                         break;
2149                 case DCERPC_AUTH_LEVEL_INTEGRITY:
2150                         /* Data is signed. */
2151                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2152                                                         data, data_len,
2153                                                         full_packet_data,
2154                                                         full_packet_data_len,
2155                                                         &auth_blob);
2156                         if (!NT_STATUS_IS_OK(*pstatus)) {
2157                                 return False;
2158                         }
2159                         break;
2160                 default:
2161                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2162                         return False;
2163         }
2164
2165         /*
2166          * Return the current pointer to the data offset.
2167          */
2168
2169         if(!prs_set_offset(rpc_in, save_offset)) {
2170                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2171                         (unsigned int)save_offset ));
2172                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2173                 return False;
2174         }
2175
2176         /*
2177          * Remember the padding length. We must remove it from the real data
2178          * stream once the sign/seal is done.
2179          */
2180
2181         *p_ss_padding_len = auth_info.auth_pad_len;
2182
2183         return True;
2184 }
2185
2186 /****************************************************************************
2187  Deal with schannel processing on an RPC request.
2188 ****************************************************************************/
2189
2190 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2191 {
2192         uint32 data_len;
2193         uint32 auth_len;
2194         uint32 save_offset = prs_offset(rpc_in);
2195         RPC_HDR_AUTH auth_info;
2196         DATA_BLOB blob;
2197         NTSTATUS status;
2198         uint8_t *data;
2199
2200         auth_len = p->hdr.auth_len;
2201
2202         if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2203                         auth_len > RPC_HEADER_LEN +
2204                                         RPC_HDR_REQ_LEN +
2205                                         RPC_HDR_AUTH_LEN +
2206                                         auth_len) {
2207                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2208                 return False;
2209         }
2210
2211         /*
2212          * The following is that length of the data we must verify or unseal.
2213          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2214          * preceeding the auth_data.
2215          */
2216
2217         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2218                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2219                         (unsigned int)p->hdr.frag_len,
2220                         (unsigned int)auth_len ));
2221                 return False;
2222         }
2223
2224         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2225                 RPC_HDR_AUTH_LEN - auth_len;
2226
2227         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2228
2229         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2230                 DEBUG(0,("cannot move offset to %u.\n",
2231                          (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2232                 return False;
2233         }
2234
2235         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2236                 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2237                 return False;
2238         }
2239
2240         if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2241                 DEBUG(0,("Invalid auth info %d on schannel\n",
2242                          auth_info.auth_type));
2243                 return False;
2244         }
2245
2246         blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2247
2248         if (DEBUGLEVEL >= 10) {
2249                 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2250         }
2251
2252         data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2253
2254         switch (auth_info.auth_level) {
2255         case DCERPC_AUTH_LEVEL_PRIVACY:
2256                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2257                                                 talloc_tos(),
2258                                                 true,
2259                                                 data,
2260                                                 data_len,
2261                                                 &blob);
2262                 break;
2263         case DCERPC_AUTH_LEVEL_INTEGRITY:
2264                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2265                                                 talloc_tos(),
2266                                                 false,
2267                                                 data,
2268                                                 data_len,
2269                                                 &blob);
2270                 break;
2271         default:
2272                 status = NT_STATUS_INTERNAL_ERROR;
2273                 break;
2274         }
2275
2276         if (!NT_STATUS_IS_OK(status)) {
2277                 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2278                 return false;
2279         }
2280
2281         /*
2282          * Return the current pointer to the data offset.
2283          */
2284
2285         if(!prs_set_offset(rpc_in, save_offset)) {
2286                 DEBUG(0,("failed to set offset back to %u\n",
2287                          (unsigned int)save_offset ));
2288                 return False;
2289         }
2290
2291         /*
2292          * Remember the padding length. We must remove it from the real data
2293          * stream once the sign/seal is done.
2294          */
2295
2296         *p_ss_padding_len = auth_info.auth_pad_len;
2297
2298         return True;
2299 }
2300
2301 /****************************************************************************
2302  Find the set of RPC functions associated with this context_id
2303 ****************************************************************************/
2304
2305 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2306 {
2307         PIPE_RPC_FNS *fns = NULL;
2308
2309         if ( !list ) {
2310                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2311                 return NULL;
2312         }
2313
2314         for (fns=list; fns; fns=fns->next ) {
2315                 if ( fns->context_id == context_id )
2316                         return fns;
2317         }
2318         return NULL;
2319 }
2320
2321 /****************************************************************************
2322  Memory cleanup.
2323 ****************************************************************************/
2324
2325 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2326 {
2327         PIPE_RPC_FNS *tmp = list;
2328         PIPE_RPC_FNS *tmp2;
2329
2330         while (tmp) {
2331                 tmp2 = tmp->next;
2332                 SAFE_FREE(tmp);
2333                 tmp = tmp2;
2334         }
2335
2336         return; 
2337 }
2338
2339 static bool api_rpcTNP(pipes_struct *p,
2340                        const struct api_struct *api_rpc_cmds, int n_cmds);
2341
2342 /****************************************************************************
2343  Find the correct RPC function to call for this request.
2344  If the pipe is authenticated then become the correct UNIX user
2345  before doing the call.
2346 ****************************************************************************/
2347
2348 bool api_pipe_request(pipes_struct *p)
2349 {
2350         bool ret = False;
2351         bool changed_user = False;
2352         PIPE_RPC_FNS *pipe_fns;
2353
2354         if (p->pipe_bound &&
2355                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2356                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2357                 if(!become_authenticated_pipe_user(p)) {
2358                         prs_mem_free(&p->out_data.rdata);
2359                         return False;
2360                 }
2361                 changed_user = True;
2362         }
2363
2364         DEBUG(5, ("Requested \\PIPE\\%s\n", get_pipe_name_tos(p)));
2365
2366         /* get the set of RPC functions for this context */
2367
2368         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2369
2370         if ( pipe_fns ) {
2371                 TALLOC_CTX *frame = talloc_stackframe();
2372                 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2373                 TALLOC_FREE(frame);
2374         }
2375         else {
2376                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2377                          p->hdr_req.context_id, get_pipe_name_tos(p)));
2378         }
2379
2380         if (changed_user) {
2381                 unbecome_authenticated_pipe_user();
2382         }
2383
2384         return ret;
2385 }
2386
2387 /*******************************************************************
2388  Calls the underlying RPC function for a named pipe.
2389  ********************************************************************/
2390
2391 static bool api_rpcTNP(pipes_struct *p,
2392                        const struct api_struct *api_rpc_cmds, int n_cmds)
2393 {
2394         int fn_num;
2395         uint32 offset1, offset2;
2396
2397         /* interpret the command */
2398         DEBUG(4,("api_rpcTNP: %s op 0x%x - ", get_pipe_name_tos(p),
2399                  p->hdr_req.opnum));
2400
2401         if (DEBUGLEVEL >= 50) {
2402                 fstring name;
2403                 slprintf(name, sizeof(name)-1, "in_%s", get_pipe_name_tos(p));
2404                 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2405         }
2406
2407         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2408                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2409                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2410                         break;
2411                 }
2412         }
2413
2414         if (fn_num == n_cmds) {
2415                 /*
2416                  * For an unknown RPC just return a fault PDU but
2417                  * return True to allow RPC's on the pipe to continue
2418                  * and not put the pipe into fault state. JRA.
2419                  */
2420                 DEBUG(4, ("unknown\n"));
2421                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2422                 return True;
2423         }
2424
2425         offset1 = prs_offset(&p->out_data.rdata);
2426
2427         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2428                 fn_num, api_rpc_cmds[fn_num].fn));
2429         /* do the actual command */
2430         if(!api_rpc_cmds[fn_num].fn(p)) {
2431                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", get_pipe_name_tos(p),
2432                          api_rpc_cmds[fn_num].name));
2433                 prs_mem_free(&p->out_data.rdata);
2434                 return False;
2435         }
2436
2437         if (p->bad_handle_fault_state) {
2438                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2439                 p->bad_handle_fault_state = False;
2440                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2441                 return True;
2442         }
2443
2444         if (p->rng_fault_state) {
2445                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2446                 p->rng_fault_state = False;
2447                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2448                 return True;
2449         }
2450
2451         offset2 = prs_offset(&p->out_data.rdata);
2452         prs_set_offset(&p->out_data.rdata, offset1);
2453         if (DEBUGLEVEL >= 50) {
2454                 fstring name;
2455                 slprintf(name, sizeof(name)-1, "out_%s", get_pipe_name_tos(p));
2456                 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2457         }
2458         prs_set_offset(&p->out_data.rdata, offset2);
2459
2460         DEBUG(5,("api_rpcTNP: called %s successfully\n",
2461                  get_pipe_name_tos(p)));
2462
2463         /* Check for buffer underflow in rpc parsing */
2464
2465         if ((DEBUGLEVEL >= 10) && 
2466             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2467                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2468                 char *data = (char *)SMB_MALLOC(data_len);
2469
2470                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2471                 if (data) {
2472                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2473                         SAFE_FREE(data);
2474                 }
2475
2476         }
2477
2478         return True;
2479 }