s3-dcerpc: fix remaining old auth level constants.
[ira/wip.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005.
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31 #include "../libcli/auth/libcli_auth.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33
34 extern struct current_user current_user;
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
38
39 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
40 {
41         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
42
43         if (a) {
44                 auth_ntlmssp_end(&a);
45         }
46         auth->a_u.auth_ntlmssp_state = NULL;
47 }
48
49 static DATA_BLOB generic_session_key(void)
50 {
51         return data_blob("SystemLibraryDTC", 16);
52 }
53
54 /*******************************************************************
55  Generate the next PDU to be returned from the data in p->rdata. 
56  Handle NTLMSSP.
57  ********************************************************************/
58
59 static bool create_next_pdu_ntlmssp(pipes_struct *p)
60 {
61         RPC_HDR_RESP hdr_resp;
62         uint32 ss_padding_len = 0;
63         uint32 data_space_available;
64         uint32 data_len_left;
65         uint32 data_len;
66         NTSTATUS status;
67         DATA_BLOB auth_blob;
68         RPC_HDR_AUTH auth_info;
69         uint8 auth_type, auth_level;
70         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
71
72         /*
73          * If we're in the fault state, keep returning fault PDU's until
74          * the pipe gets closed. JRA.
75          */
76
77         if(p->fault_state) {
78                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
79                 return True;
80         }
81
82         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
83
84         /* Change the incoming request header to a response. */
85         p->hdr.pkt_type = RPC_RESPONSE;
86
87         /* Set up rpc header flags. */
88         if (p->out_data.data_sent_length == 0) {
89                 p->hdr.flags = RPC_FLG_FIRST;
90         } else {
91                 p->hdr.flags = 0;
92         }
93
94         /*
95          * Work out how much we can fit in a single PDU.
96          */
97
98         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
99
100         /*
101          * Ensure there really is data left to send.
102          */
103
104         if(!data_len_left) {
105                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
106                 return False;
107         }
108
109         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
110                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
111
112         /*
113          * The amount we send is the minimum of the available
114          * space and the amount left to send.
115          */
116
117         data_len = MIN(data_len_left, data_space_available);
118
119         /*
120          * Set up the alloc hint. This should be the data left to
121          * send.
122          */
123
124         hdr_resp.alloc_hint = data_len_left;
125
126         /*
127          * Work out if this PDU will be the last.
128          */
129
130         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
131                 p->hdr.flags |= RPC_FLG_LAST;
132                 if (data_len_left % 8) {
133                         ss_padding_len = 8 - (data_len_left % 8);
134                         DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
135                                 ss_padding_len ));
136                 }
137         }
138
139         /*
140          * Set up the header lengths.
141          */
142
143         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
144                         data_len + ss_padding_len +
145                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
146         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
147
148
149         /*
150          * Init the parse struct to point at the outgoing
151          * data.
152          */
153
154         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
155
156         /* Store the header in the data stream. */
157         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
158                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
159                 prs_mem_free(&p->out_data.frag);
160                 return False;
161         }
162
163         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
164                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
165                 prs_mem_free(&p->out_data.frag);
166                 return False;
167         }
168
169         /* Copy the data into the PDU. */
170
171         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
172                                      p->out_data.data_sent_length, data_len)) {
173                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
174                 prs_mem_free(&p->out_data.frag);
175                 return False;
176         }
177
178         /* Copy the sign/seal padding data. */
179         if (ss_padding_len) {
180                 char pad[8];
181
182                 memset(pad, '\0', 8);
183                 if (!prs_copy_data_in(&p->out_data.frag, pad,
184                                       ss_padding_len)) {
185                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
186                                         (unsigned int)ss_padding_len));
187                         prs_mem_free(&p->out_data.frag);
188                         return False;
189                 }
190         }
191
192
193         /* Now write out the auth header and null blob. */
194         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
195                 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
196         } else {
197                 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
198         }
199         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
200                 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
201         } else {
202                 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
203         }
204
205         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
206         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag,
207                                 0)) {
208                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
209                 prs_mem_free(&p->out_data.frag);
210                 return False;
211         }
212
213         /* Generate the sign blob. */
214
215         switch (p->auth.auth_level) {
216                 case DCERPC_AUTH_LEVEL_PRIVACY:
217                         /* Data portion is encrypted. */
218                         status = ntlmssp_seal_packet(
219                                 a->ntlmssp_state,
220                                 (uint8_t *)prs_data_p(&p->out_data.frag)
221                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
222                                 data_len + ss_padding_len,
223                                 (unsigned char *)prs_data_p(&p->out_data.frag),
224                                 (size_t)prs_offset(&p->out_data.frag),
225                                 &auth_blob);
226                         if (!NT_STATUS_IS_OK(status)) {
227                                 data_blob_free(&auth_blob);
228                                 prs_mem_free(&p->out_data.frag);
229                                 return False;
230                         }
231                         break;
232                 case DCERPC_AUTH_LEVEL_INTEGRITY:
233                         /* Data is signed. */
234                         status = ntlmssp_sign_packet(
235                                 a->ntlmssp_state,
236                                 (unsigned char *)prs_data_p(&p->out_data.frag)
237                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
238                                 data_len + ss_padding_len,
239                                 (unsigned char *)prs_data_p(&p->out_data.frag),
240                                 (size_t)prs_offset(&p->out_data.frag),
241                                 &auth_blob);
242                         if (!NT_STATUS_IS_OK(status)) {
243                                 data_blob_free(&auth_blob);
244                                 prs_mem_free(&p->out_data.frag);
245                                 return False;
246                         }
247                         break;
248                 default:
249                         prs_mem_free(&p->out_data.frag);
250                         return False;
251         }
252
253         /* Append the auth blob. */
254         if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
255                               NTLMSSP_SIG_SIZE)) {
256                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
257                                 (unsigned int)NTLMSSP_SIG_SIZE));
258                 data_blob_free(&auth_blob);
259                 prs_mem_free(&p->out_data.frag);
260                 return False;
261         }
262
263         data_blob_free(&auth_blob);
264
265         /*
266          * Setup the counts for this PDU.
267          */
268
269         p->out_data.data_sent_length += data_len;
270         p->out_data.current_pdu_sent = 0;
271
272         return True;
273 }
274
275 /*******************************************************************
276  Generate the next PDU to be returned from the data in p->rdata. 
277  Return an schannel authenticated fragment.
278  ********************************************************************/
279
280 static bool create_next_pdu_schannel(pipes_struct *p)
281 {
282         RPC_HDR_RESP hdr_resp;
283         uint32 ss_padding_len = 0;
284         uint32 data_len;
285         uint32 data_space_available;
286         uint32 data_len_left;
287         uint32 data_pos;
288
289         /*
290          * If we're in the fault state, keep returning fault PDU's until
291          * the pipe gets closed. JRA.
292          */
293
294         if(p->fault_state) {
295                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
296                 return True;
297         }
298
299         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
300
301         /* Change the incoming request header to a response. */
302         p->hdr.pkt_type = RPC_RESPONSE;
303
304         /* Set up rpc header flags. */
305         if (p->out_data.data_sent_length == 0) {
306                 p->hdr.flags = RPC_FLG_FIRST;
307         } else {
308                 p->hdr.flags = 0;
309         }
310
311         /*
312          * Work out how much we can fit in a single PDU.
313          */
314
315         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
316
317         /*
318          * Ensure there really is data left to send.
319          */
320
321         if(!data_len_left) {
322                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
323                 return False;
324         }
325
326         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
327                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
328                 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
329
330         /*
331          * The amount we send is the minimum of the available
332          * space and the amount left to send.
333          */
334
335         data_len = MIN(data_len_left, data_space_available);
336
337         /*
338          * Set up the alloc hint. This should be the data left to
339          * send.
340          */
341
342         hdr_resp.alloc_hint = data_len_left;
343
344         /*
345          * Work out if this PDU will be the last.
346          */
347
348         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
349                 p->hdr.flags |= RPC_FLG_LAST;
350                 if (data_len_left % 8) {
351                         ss_padding_len = 8 - (data_len_left % 8);
352                         DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
353                                 ss_padding_len ));
354                 }
355         }
356
357         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
358                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
359         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
360
361         /*
362          * Init the parse struct to point at the outgoing
363          * data.
364          */
365
366         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
367
368         /* Store the header in the data stream. */
369         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
370                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
371                 prs_mem_free(&p->out_data.frag);
372                 return False;
373         }
374
375         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
376                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
377                 prs_mem_free(&p->out_data.frag);
378                 return False;
379         }
380
381         /* Store the current offset. */
382         data_pos = prs_offset(&p->out_data.frag);
383
384         /* Copy the data into the PDU. */
385
386         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
387                                      p->out_data.data_sent_length, data_len)) {
388                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
389                 prs_mem_free(&p->out_data.frag);
390                 return False;
391         }
392
393         /* Copy the sign/seal padding data. */
394         if (ss_padding_len) {
395                 char pad[8];
396                 memset(pad, '\0', 8);
397                 if (!prs_copy_data_in(&p->out_data.frag, pad,
398                                       ss_padding_len)) {
399                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
400                         prs_mem_free(&p->out_data.frag);
401                         return False;
402                 }
403         }
404
405         {
406                 /*
407                  * Schannel processing.
408                  */
409                 RPC_HDR_AUTH auth_info;
410                 struct NL_AUTH_SIGNATURE verf;
411                 DATA_BLOB blob;
412                 enum ndr_err_code ndr_err;
413
414                 /* Check it's the type of reply we were expecting to decode */
415
416                 init_rpc_hdr_auth(&auth_info,
417                                 DCERPC_AUTH_TYPE_SCHANNEL,
418                                 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
419                                         DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
420                                 ss_padding_len, 1);
421
422                 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
423                                         &p->out_data.frag, 0)) {
424                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
425                         prs_mem_free(&p->out_data.frag);
426                         return False;
427                 }
428
429                 schannel_encode(p->auth.a_u.schannel_auth, 
430                                 p->auth.auth_level, SENDER_IS_ACCEPTOR, &verf,
431                                 prs_data_p(&p->out_data.frag) + data_pos,
432                                 data_len + ss_padding_len);
433
434                 /* Finally marshall the blob. */
435
436                 ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &verf,
437                                        (ndr_push_flags_fn_t)ndr_push_NL_AUTH_SIGNATURE);
438                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
439                         prs_mem_free(&p->out_data.frag);
440                         return false;
441                 }
442
443                 if (DEBUGLEVEL >= 10) {
444                         NDR_PRINT_DEBUG(NL_AUTH_SIGNATURE, &verf);
445                 }
446
447                 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
448                         prs_mem_free(&p->out_data.frag);
449                         return false;
450                 }
451
452                 p->auth.a_u.schannel_auth->seq_num++;
453         }
454
455         /*
456          * Setup the counts for this PDU.
457          */
458
459         p->out_data.data_sent_length += data_len;
460         p->out_data.current_pdu_sent = 0;
461
462         return True;
463 }
464
465 /*******************************************************************
466  Generate the next PDU to be returned from the data in p->rdata. 
467  No authentication done.
468 ********************************************************************/
469
470 static bool create_next_pdu_noauth(pipes_struct *p)
471 {
472         RPC_HDR_RESP hdr_resp;
473         uint32 data_len;
474         uint32 data_space_available;
475         uint32 data_len_left;
476
477         /*
478          * If we're in the fault state, keep returning fault PDU's until
479          * the pipe gets closed. JRA.
480          */
481
482         if(p->fault_state) {
483                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
484                 return True;
485         }
486
487         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
488
489         /* Change the incoming request header to a response. */
490         p->hdr.pkt_type = RPC_RESPONSE;
491
492         /* Set up rpc header flags. */
493         if (p->out_data.data_sent_length == 0) {
494                 p->hdr.flags = RPC_FLG_FIRST;
495         } else {
496                 p->hdr.flags = 0;
497         }
498
499         /*
500          * Work out how much we can fit in a single PDU.
501          */
502
503         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
504
505         /*
506          * Ensure there really is data left to send.
507          */
508
509         if(!data_len_left) {
510                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
511                 return False;
512         }
513
514         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
515                 - RPC_HDR_RESP_LEN;
516
517         /*
518          * The amount we send is the minimum of the available
519          * space and the amount left to send.
520          */
521
522         data_len = MIN(data_len_left, data_space_available);
523
524         /*
525          * Set up the alloc hint. This should be the data left to
526          * send.
527          */
528
529         hdr_resp.alloc_hint = data_len_left;
530
531         /*
532          * Work out if this PDU will be the last.
533          */
534
535         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
536                 p->hdr.flags |= RPC_FLG_LAST;
537         }
538
539         /*
540          * Set up the header lengths.
541          */
542
543         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
544         p->hdr.auth_len = 0;
545
546         /*
547          * Init the parse struct to point at the outgoing
548          * data.
549          */
550
551         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
552
553         /* Store the header in the data stream. */
554         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
555                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
556                 prs_mem_free(&p->out_data.frag);
557                 return False;
558         }
559
560         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
561                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
562                 prs_mem_free(&p->out_data.frag);
563                 return False;
564         }
565
566         /* Copy the data into the PDU. */
567
568         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
569                                      p->out_data.data_sent_length, data_len)) {
570                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
571                 prs_mem_free(&p->out_data.frag);
572                 return False;
573         }
574
575         /*
576          * Setup the counts for this PDU.
577          */
578
579         p->out_data.data_sent_length += data_len;
580         p->out_data.current_pdu_sent = 0;
581
582         return True;
583 }
584
585 /*******************************************************************
586  Generate the next PDU to be returned from the data in p->rdata. 
587 ********************************************************************/
588
589 bool create_next_pdu(pipes_struct *p)
590 {
591         switch(p->auth.auth_level) {
592                 case DCERPC_AUTH_LEVEL_NONE:
593                 case DCERPC_AUTH_LEVEL_CONNECT:
594                         /* This is incorrect for auth level connect. Fixme. JRA */
595                         return create_next_pdu_noauth(p);
596
597                 default:
598                         switch(p->auth.auth_type) {
599                                 case PIPE_AUTH_TYPE_NTLMSSP:
600                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
601                                         return create_next_pdu_ntlmssp(p);
602                                 case PIPE_AUTH_TYPE_SCHANNEL:
603                                         return create_next_pdu_schannel(p);
604                                 default:
605                                         break;
606                         }
607         }
608
609         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
610                         (unsigned int)p->auth.auth_level,
611                         (unsigned int)p->auth.auth_type));
612         return False;
613 }
614
615 /*******************************************************************
616  Process an NTLMSSP authentication response.
617  If this function succeeds, the user has been authenticated
618  and their domain, name and calling workstation stored in
619  the pipe struct.
620 *******************************************************************/
621
622 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
623 {
624         DATA_BLOB session_key, reply;
625         NTSTATUS status;
626         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
627         bool ret;
628
629         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
630                  get_pipe_name_from_iface(&p->syntax)));
631
632         ZERO_STRUCT(reply);
633
634         /* this has to be done as root in order to verify the password */
635         become_root();
636         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
637         unbecome_root();
638
639         /* Don't generate a reply. */
640         data_blob_free(&reply);
641
642         if (!NT_STATUS_IS_OK(status)) {
643                 return False;
644         }
645
646         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
647            ensure the underlying NTLMSSP flags are also set. If not we should
648            refuse the bind. */
649
650         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
651                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
652                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
653                                 "but client declined signing.\n",
654                                 get_pipe_name_from_iface(&p->syntax)));
655                         return False;
656                 }
657         }
658         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
659                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
660                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
661                                 "but client declined sealing.\n",
662                                 get_pipe_name_from_iface(&p->syntax)));
663                         return False;
664                 }
665         }
666
667         DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
668                   "workstation: %s\n", a->ntlmssp_state->user,
669                   a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
670
671         if (a->server_info->ptok == NULL) {
672                 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
673                 return False;
674         }
675
676         TALLOC_FREE(p->server_info);
677
678         p->server_info = copy_serverinfo(p, a->server_info);
679         if (p->server_info == NULL) {
680                 DEBUG(0, ("copy_serverinfo failed\n"));
681                 return false;
682         }
683
684         /*
685          * We're an authenticated bind over smb, so the session key needs to
686          * be set to "SystemLibraryDTC". Weird, but this is what Windows
687          * does. See the RPC-SAMBA3SESSIONKEY.
688          */
689
690         session_key = generic_session_key();
691         if (session_key.data == NULL) {
692                 return False;
693         }
694
695         ret = server_info_set_session_key(p->server_info, session_key);
696
697         data_blob_free(&session_key);
698
699         return True;
700 }
701
702 /*******************************************************************
703  The switch table for the pipe names and the functions to handle them.
704 *******************************************************************/
705
706 struct rpc_table {
707         struct {
708                 const char *clnt;
709                 const char *srv;
710         } pipe;
711         struct ndr_syntax_id rpc_interface;
712         const struct api_struct *cmds;
713         int n_cmds;
714 };
715
716 static struct rpc_table *rpc_lookup;
717 static int rpc_lookup_size;
718
719 /*******************************************************************
720  This is the "stage3" NTLMSSP response after a bind request and reply.
721 *******************************************************************/
722
723 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
724 {
725         RPC_HDR_AUTH auth_info;
726         uint32 pad = 0;
727         DATA_BLOB blob;
728
729         ZERO_STRUCT(blob);
730
731         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
732
733         if (p->hdr.auth_len == 0) {
734                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
735                 goto err;
736         }
737
738         /* 4 bytes padding. */
739         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
740                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
741                 goto err;
742         }
743
744         /*
745          * Decode the authentication verifier response.
746          */
747
748         if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
749                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
750                 goto err;
751         }
752
753         if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
754                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
755                         (unsigned int)auth_info.auth_type ));
756                 return False;
757         }
758
759         blob = data_blob(NULL,p->hdr.auth_len);
760
761         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
762                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
763                         (unsigned int)p->hdr.auth_len ));
764                 goto err;
765         }
766
767         /*
768          * The following call actually checks the challenge/response data.
769          * for correctness against the given DOMAIN\user name.
770          */
771
772         if (!pipe_ntlmssp_verify_final(p, &blob)) {
773                 goto err;
774         }
775
776         data_blob_free(&blob);
777
778         p->pipe_bound = True;
779
780         return True;
781
782  err:
783
784         data_blob_free(&blob);
785         free_pipe_ntlmssp_auth_data(&p->auth);
786         p->auth.a_u.auth_ntlmssp_state = NULL;
787
788         return False;
789 }
790
791 /*******************************************************************
792  Marshall a bind_nak pdu.
793 *******************************************************************/
794
795 static bool setup_bind_nak(pipes_struct *p)
796 {
797         RPC_HDR nak_hdr;
798         uint16 zero = 0;
799
800         /* Free any memory in the current return data buffer. */
801         prs_mem_free(&p->out_data.rdata);
802
803         /*
804          * Marshall directly into the outgoing PDU space. We
805          * must do this as we need to set to the bind response
806          * header and are never sending more than one PDU here.
807          */
808
809         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
810
811         /*
812          * Initialize a bind_nak header.
813          */
814
815         init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
816                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
817
818         /*
819          * Marshall the header into the outgoing PDU.
820          */
821
822         if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
823                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
824                 prs_mem_free(&p->out_data.frag);
825                 return False;
826         }
827
828         /*
829          * Now add the reject reason.
830          */
831
832         if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
833                 prs_mem_free(&p->out_data.frag);
834                 return False;
835         }
836
837         p->out_data.data_sent_length = 0;
838         p->out_data.current_pdu_sent = 0;
839
840         if (p->auth.auth_data_free_func) {
841                 (*p->auth.auth_data_free_func)(&p->auth);
842         }
843         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
844         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
845         p->pipe_bound = False;
846
847         return True;
848 }
849
850 /*******************************************************************
851  Marshall a fault pdu.
852 *******************************************************************/
853
854 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
855 {
856         RPC_HDR fault_hdr;
857         RPC_HDR_RESP hdr_resp;
858         RPC_HDR_FAULT fault_resp;
859
860         /* Free any memory in the current return data buffer. */
861         prs_mem_free(&p->out_data.rdata);
862
863         /*
864          * Marshall directly into the outgoing PDU space. We
865          * must do this as we need to set to the bind response
866          * header and are never sending more than one PDU here.
867          */
868
869         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
870
871         /*
872          * Initialize a fault header.
873          */
874
875         init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
876             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
877
878         /*
879          * Initialize the HDR_RESP and FAULT parts of the PDU.
880          */
881
882         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
883
884         fault_resp.status = status;
885         fault_resp.reserved = 0;
886
887         /*
888          * Marshall the header into the outgoing PDU.
889          */
890
891         if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
892                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
893                 prs_mem_free(&p->out_data.frag);
894                 return False;
895         }
896
897         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
898                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
899                 prs_mem_free(&p->out_data.frag);
900                 return False;
901         }
902
903         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
904                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
905                 prs_mem_free(&p->out_data.frag);
906                 return False;
907         }
908
909         p->out_data.data_sent_length = 0;
910         p->out_data.current_pdu_sent = 0;
911
912         return True;
913 }
914
915 #if 0
916 /*******************************************************************
917  Marshall a cancel_ack pdu.
918  We should probably check the auth-verifier here.
919 *******************************************************************/
920
921 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
922 {
923         prs_struct outgoing_pdu;
924         RPC_HDR ack_reply_hdr;
925
926         /* Free any memory in the current return data buffer. */
927         prs_mem_free(&p->out_data.rdata);
928
929         /*
930          * Marshall directly into the outgoing PDU space. We
931          * must do this as we need to set to the bind response
932          * header and are never sending more than one PDU here.
933          */
934
935         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
936         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
937
938         /*
939          * Initialize a cancel_ack header.
940          */
941
942         init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
943                         p->hdr.call_id, RPC_HEADER_LEN, 0);
944
945         /*
946          * Marshall the header into the outgoing PDU.
947          */
948
949         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
950                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
951                 prs_mem_free(&outgoing_pdu);
952                 return False;
953         }
954
955         p->out_data.data_sent_length = 0;
956         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
957         p->out_data.current_pdu_sent = 0;
958
959         prs_mem_free(&outgoing_pdu);
960         return True;
961 }
962 #endif
963
964 /*******************************************************************
965  Ensure a bind request has the correct abstract & transfer interface.
966  Used to reject unknown binds from Win2k.
967 *******************************************************************/
968
969 static bool check_bind_req(struct pipes_struct *p,
970                            struct ndr_syntax_id* abstract,
971                            struct ndr_syntax_id* transfer,
972                            uint32 context_id)
973 {
974         int i=0;
975         struct pipe_rpc_fns *context_fns;
976
977         DEBUG(3,("check_bind_req for %s\n",
978                  get_pipe_name_from_iface(&p->syntax)));
979
980         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
981
982         for (i=0; i<rpc_lookup_size; i++) {
983                 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
984                 if (ndr_syntax_id_equal(
985                             abstract, &rpc_lookup[i].rpc_interface)
986                     && ndr_syntax_id_equal(
987                             transfer, &ndr_transfer_syntax)) {
988                         break;
989                 }
990         }
991
992         if (i == rpc_lookup_size) {
993                 return false;
994         }
995
996         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
997         if (context_fns == NULL) {
998                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
999                 return False;
1000         }
1001
1002         context_fns->cmds = rpc_lookup[i].cmds;
1003         context_fns->n_cmds = rpc_lookup[i].n_cmds;
1004         context_fns->context_id = context_id;
1005
1006         /* add to the list of open contexts */
1007
1008         DLIST_ADD( p->contexts, context_fns );
1009
1010         return True;
1011 }
1012
1013 /*******************************************************************
1014  Register commands to an RPC pipe
1015 *******************************************************************/
1016
1017 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1018                           const struct ndr_interface_table *iface,
1019                           const struct api_struct *cmds, int size)
1020 {
1021         struct rpc_table *rpc_entry;
1022
1023         if (!clnt || !srv || !cmds) {
1024                 return NT_STATUS_INVALID_PARAMETER;
1025         }
1026
1027         if (version != SMB_RPC_INTERFACE_VERSION) {
1028                 DEBUG(0,("Can't register rpc commands!\n"
1029                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1030                          ", while this version of samba uses version %d!\n", 
1031                          version,SMB_RPC_INTERFACE_VERSION));
1032                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1033         }
1034
1035         /* TODO: 
1036          *
1037          * we still need to make sure that don't register the same commands twice!!!
1038          * 
1039          * --metze
1040          */
1041
1042         /* We use a temporary variable because this call can fail and 
1043            rpc_lookup will still be valid afterwards.  It could then succeed if
1044            called again later */
1045         rpc_lookup_size++;
1046         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1047         if (NULL == rpc_entry) {
1048                 rpc_lookup_size--;
1049                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1050                 return NT_STATUS_NO_MEMORY;
1051         } else {
1052                 rpc_lookup = rpc_entry;
1053         }
1054
1055         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1056         ZERO_STRUCTP(rpc_entry);
1057         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1058         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1059         rpc_entry->rpc_interface = iface->syntax_id;
1060         rpc_entry->cmds = cmds;
1061         rpc_entry->n_cmds = size;
1062
1063         return NT_STATUS_OK;
1064 }
1065
1066 /**
1067  * Is a named pipe known?
1068  * @param[in] cli_filename      The pipe name requested by the client
1069  * @result                      Do we want to serve this?
1070  */
1071 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1072 {
1073         const char *pipename = cli_filename;
1074         int i;
1075
1076         if (strnequal(pipename, "\\PIPE\\", 6)) {
1077                 pipename += 5;
1078         }
1079
1080         if (*pipename == '\\') {
1081                 pipename += 1;
1082         }
1083
1084         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1085                 DEBUG(10, ("refusing spoolss access\n"));
1086                 return false;
1087         }
1088
1089         for (i=0; i<rpc_lookup_size; i++) {
1090                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1091                         *syntax = rpc_lookup[i].rpc_interface;
1092                         return true;
1093                 }
1094         }
1095
1096         DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1097         return false;
1098 }
1099
1100 /*******************************************************************
1101  Handle a SPNEGO krb5 bind auth.
1102 *******************************************************************/
1103
1104 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1105                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1106 {
1107         return False;
1108 }
1109
1110 /*******************************************************************
1111  Handle the first part of a SPNEGO bind auth.
1112 *******************************************************************/
1113
1114 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1115                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1116 {
1117         DATA_BLOB blob;
1118         DATA_BLOB secblob;
1119         DATA_BLOB response;
1120         DATA_BLOB chal;
1121         char *OIDs[ASN1_MAX_OIDS];
1122         int i;
1123         NTSTATUS status;
1124         bool got_kerberos_mechanism = false;
1125         AUTH_NTLMSSP_STATE *a = NULL;
1126         RPC_HDR_AUTH auth_info;
1127
1128         ZERO_STRUCT(secblob);
1129         ZERO_STRUCT(chal);
1130         ZERO_STRUCT(response);
1131
1132         /* Grab the SPNEGO blob. */
1133         blob = data_blob(NULL,p->hdr.auth_len);
1134
1135         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1136                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1137                         (unsigned int)p->hdr.auth_len ));
1138                 goto err;
1139         }
1140
1141         if (blob.data[0] != ASN1_APPLICATION(0)) {
1142                 goto err;
1143         }
1144
1145         /* parse out the OIDs and the first sec blob */
1146         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1147                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1148                 goto err;
1149         }
1150
1151         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1152                 got_kerberos_mechanism = true;
1153         }
1154
1155         for (i=0;OIDs[i];i++) {
1156                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1157                 TALLOC_FREE(OIDs[i]);
1158         }
1159         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1160
1161         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1162                 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1163                 data_blob_free(&secblob);
1164                 data_blob_free(&blob);
1165                 return ret;
1166         }
1167
1168         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1169                 /* Free any previous auth type. */
1170                 free_pipe_ntlmssp_auth_data(&p->auth);
1171         }
1172
1173         if (!got_kerberos_mechanism) {
1174                 /* Initialize the NTLM engine. */
1175                 status = auth_ntlmssp_start(&a);
1176                 if (!NT_STATUS_IS_OK(status)) {
1177                         goto err;
1178                 }
1179
1180                 /*
1181                  * Pass the first security blob of data to it.
1182                  * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1183                  * which means we need another packet to complete the bind.
1184                  */
1185
1186                 status = auth_ntlmssp_update(a, secblob, &chal);
1187
1188                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1189                         DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1190                         goto err;
1191                 }
1192
1193                 /* Generate the response blob we need for step 2 of the bind. */
1194                 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1195         } else {
1196                 /*
1197                  * SPNEGO negotiate down to NTLMSSP. The subsequent
1198                  * code to process follow-up packets is not complete
1199                  * yet. JRA.
1200                  */
1201                 response = spnego_gen_auth_response(NULL,
1202                                         NT_STATUS_MORE_PROCESSING_REQUIRED,
1203                                         OID_NTLMSSP);
1204         }
1205
1206         /* Copy the blob into the pout_auth parse struct */
1207         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1208         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1209                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1210                 goto err;
1211         }
1212
1213         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1214                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1215                 goto err;
1216         }
1217
1218         p->auth.a_u.auth_ntlmssp_state = a;
1219         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1220         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1221
1222         data_blob_free(&blob);
1223         data_blob_free(&secblob);
1224         data_blob_free(&chal);
1225         data_blob_free(&response);
1226
1227         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1228         return True;
1229
1230  err:
1231
1232         data_blob_free(&blob);
1233         data_blob_free(&secblob);
1234         data_blob_free(&chal);
1235         data_blob_free(&response);
1236
1237         p->auth.a_u.auth_ntlmssp_state = NULL;
1238
1239         return False;
1240 }
1241
1242 /*******************************************************************
1243  Handle the second part of a SPNEGO bind auth.
1244 *******************************************************************/
1245
1246 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1247                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1248 {
1249         RPC_HDR_AUTH auth_info;
1250         DATA_BLOB spnego_blob;
1251         DATA_BLOB auth_blob;
1252         DATA_BLOB auth_reply;
1253         DATA_BLOB response;
1254         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1255
1256         ZERO_STRUCT(spnego_blob);
1257         ZERO_STRUCT(auth_blob);
1258         ZERO_STRUCT(auth_reply);
1259         ZERO_STRUCT(response);
1260
1261         /*
1262          * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1263          * fail here as 'a' == NULL.
1264          */
1265         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1266                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1267                 goto err;
1268         }
1269
1270         /* Grab the SPNEGO blob. */
1271         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1272
1273         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1274                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1275                         (unsigned int)p->hdr.auth_len ));
1276                 goto err;
1277         }
1278
1279         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1280                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1281                 goto err;
1282         }
1283
1284         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1285                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1286                 goto err;
1287         }
1288
1289         /*
1290          * The following call actually checks the challenge/response data.
1291          * for correctness against the given DOMAIN\user name.
1292          */
1293
1294         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1295                 goto err;
1296         }
1297
1298         data_blob_free(&spnego_blob);
1299         data_blob_free(&auth_blob);
1300
1301         /* Generate the spnego "accept completed" blob - no incoming data. */
1302         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1303
1304         /* Copy the blob into the pout_auth parse struct */
1305         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1306         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1307                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1308                 goto err;
1309         }
1310
1311         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1312                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1313                 goto err;
1314         }
1315
1316         data_blob_free(&auth_reply);
1317         data_blob_free(&response);
1318
1319         p->pipe_bound = True;
1320
1321         return True;
1322
1323  err:
1324
1325         data_blob_free(&spnego_blob);
1326         data_blob_free(&auth_blob);
1327         data_blob_free(&auth_reply);
1328         data_blob_free(&response);
1329
1330         free_pipe_ntlmssp_auth_data(&p->auth);
1331         p->auth.a_u.auth_ntlmssp_state = NULL;
1332
1333         return False;
1334 }
1335
1336 /*******************************************************************
1337  Handle an schannel bind auth.
1338 *******************************************************************/
1339
1340 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1341                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1342 {
1343         RPC_HDR_AUTH auth_info;
1344         struct NL_AUTH_MESSAGE neg;
1345         struct NL_AUTH_MESSAGE reply;
1346         bool ret;
1347         NTSTATUS status;
1348         struct netlogon_creds_CredentialState *creds;
1349         DATA_BLOB session_key;
1350         enum ndr_err_code ndr_err;
1351         DATA_BLOB blob;
1352
1353         blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1354                                prs_data_size(rpc_in_p));
1355
1356         ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1357                                (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1358         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1359                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1360                 return false;
1361         }
1362
1363         if (DEBUGLEVEL >= 10) {
1364                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1365         }
1366
1367         if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1368                 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1369                 return false;
1370         }
1371
1372         /*
1373          * The neg.oem_netbios_computer.a key here must match the remote computer name
1374          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1375          * operations that use credentials.
1376          */
1377
1378         become_root();
1379         status = schannel_fetch_session_key(p->mem_ctx,
1380                                             neg.oem_netbios_computer.a,
1381                                             &creds);
1382         unbecome_root();
1383
1384         if (!NT_STATUS_IS_OK(status)) {
1385                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1386                 return False;
1387         }
1388
1389         p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
1390         if (!p->auth.a_u.schannel_auth) {
1391                 TALLOC_FREE(creds);
1392                 return False;
1393         }
1394
1395         memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1396         memcpy(p->auth.a_u.schannel_auth->sess_key, creds->session_key,
1397                         sizeof(creds->session_key));
1398
1399         TALLOC_FREE(creds);
1400
1401         p->auth.a_u.schannel_auth->seq_num = 0;
1402
1403         /*
1404          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1405          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1406          * struct of the person who opened the pipe. I need to test this further. JRA.
1407          *
1408          * VL. As we are mapping this to guest set the generic key
1409          * "SystemLibraryDTC" key here. It's a bit difficult to test against
1410          * W2k3, as it does not allow schannel binds against SAMR and LSA
1411          * anymore.
1412          */
1413
1414         session_key = generic_session_key();
1415         if (session_key.data == NULL) {
1416                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1417                           " key\n"));
1418                 return false;
1419         }
1420
1421         ret = server_info_set_session_key(p->server_info, session_key);
1422
1423         data_blob_free(&session_key);
1424
1425         if (!ret) {
1426                 DEBUG(0, ("server_info_set_session_key failed\n"));
1427                 return false;
1428         }
1429
1430         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1431         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1432                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1433                 return False;
1434         }
1435
1436         /*** SCHANNEL verifier ***/
1437
1438         reply.MessageType                       = NL_NEGOTIATE_RESPONSE;
1439         reply.Flags                             = 0;
1440         reply.Buffer.dummy                      = 5; /* ??? actually I don't think
1441                                                       * this has any meaning
1442                                                       * here - gd */
1443
1444         ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &reply,
1445                        (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1446         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1447                 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1448                 return false;
1449         }
1450
1451         if (DEBUGLEVEL >= 10) {
1452                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1453         }
1454
1455         if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1456                 return false;
1457         }
1458
1459         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1460                 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1461
1462         /* We're finished with this bind - no more packets. */
1463         p->auth.auth_data_free_func = NULL;
1464         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1465
1466         p->pipe_bound = True;
1467
1468         return True;
1469 }
1470
1471 /*******************************************************************
1472  Handle an NTLMSSP bind auth.
1473 *******************************************************************/
1474
1475 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1476                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1477 {
1478         RPC_HDR_AUTH auth_info;
1479         DATA_BLOB blob;
1480         DATA_BLOB response;
1481         NTSTATUS status;
1482         AUTH_NTLMSSP_STATE *a = NULL;
1483
1484         ZERO_STRUCT(blob);
1485         ZERO_STRUCT(response);
1486
1487         /* Grab the NTLMSSP blob. */
1488         blob = data_blob(NULL,p->hdr.auth_len);
1489
1490         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1491                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1492                         (unsigned int)p->hdr.auth_len ));
1493                 goto err;
1494         }
1495
1496         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1497                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1498                 goto err;
1499         }
1500
1501         /* We have an NTLMSSP blob. */
1502         status = auth_ntlmssp_start(&a);
1503         if (!NT_STATUS_IS_OK(status)) {
1504                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1505                         nt_errstr(status) ));
1506                 goto err;
1507         }
1508
1509         status = auth_ntlmssp_update(a, blob, &response);
1510         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1511                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1512                         nt_errstr(status) ));
1513                 goto err;
1514         }
1515
1516         data_blob_free(&blob);
1517
1518         /* Copy the blob into the pout_auth parse struct */
1519         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1520         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1521                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1522                 goto err;
1523         }
1524
1525         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1526                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1527                 goto err;
1528         }
1529
1530         p->auth.a_u.auth_ntlmssp_state = a;
1531         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1532         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1533
1534         data_blob_free(&blob);
1535         data_blob_free(&response);
1536
1537         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1538
1539         /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1540         return True;
1541
1542   err:
1543
1544         data_blob_free(&blob);
1545         data_blob_free(&response);
1546
1547         free_pipe_ntlmssp_auth_data(&p->auth);
1548         p->auth.a_u.auth_ntlmssp_state = NULL;
1549         return False;
1550 }
1551
1552 /*******************************************************************
1553  Respond to a pipe bind request.
1554 *******************************************************************/
1555
1556 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1557 {
1558         RPC_HDR_BA hdr_ba;
1559         RPC_HDR_RB hdr_rb;
1560         RPC_HDR_AUTH auth_info;
1561         uint16 assoc_gid;
1562         fstring ack_pipe_name;
1563         prs_struct out_hdr_ba;
1564         prs_struct out_auth;
1565         int i = 0;
1566         int auth_len = 0;
1567         unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1568
1569         /* No rebinds on a bound pipe - use alter context. */
1570         if (p->pipe_bound) {
1571                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1572                          "pipe %s.\n", get_pipe_name_from_iface(&p->syntax)));
1573                 return setup_bind_nak(p);
1574         }
1575
1576         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1577
1578         /* 
1579          * Marshall directly into the outgoing PDU space. We
1580          * must do this as we need to set to the bind response
1581          * header and are never sending more than one PDU here.
1582          */
1583
1584         /*
1585          * Setup the memory to marshall the ba header, and the
1586          * auth footers.
1587          */
1588
1589         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1590                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1591                 prs_mem_free(&p->out_data.frag);
1592                 return False;
1593         }
1594
1595         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1596                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1597                 prs_mem_free(&p->out_data.frag);
1598                 prs_mem_free(&out_hdr_ba);
1599                 return False;
1600         }
1601
1602         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1603
1604         ZERO_STRUCT(hdr_rb);
1605
1606         /* decode the bind request */
1607
1608         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1609                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1610                          "struct.\n"));
1611                 goto err_exit;
1612         }
1613
1614         if (hdr_rb.num_contexts == 0) {
1615                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1616                 goto err_exit;
1617         }
1618
1619         /*
1620          * Try and find the correct pipe name to ensure
1621          * that this is a pipe name we support.
1622          */
1623
1624         for (i = 0; i < rpc_lookup_size; i++) {
1625                 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1626                                         &hdr_rb.rpc_context[0].abstract)) {
1627                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1628                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1629                         break;
1630                 }
1631         }
1632
1633         if (i == rpc_lookup_size) {
1634                 NTSTATUS status;
1635
1636                 status = smb_probe_module(
1637                         "rpc", get_pipe_name_from_iface(
1638                                 &hdr_rb.rpc_context[0].abstract));
1639
1640                 if (NT_STATUS_IS_ERR(status)) {
1641                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1642                                 get_pipe_name_from_iface(&hdr_rb.rpc_context[0].abstract)));
1643                         prs_mem_free(&p->out_data.frag);
1644                         prs_mem_free(&out_hdr_ba);
1645                         prs_mem_free(&out_auth);
1646
1647                         return setup_bind_nak(p);
1648                 }
1649
1650                 for (i = 0; i < rpc_lookup_size; i++) {
1651                        if (strequal(rpc_lookup[i].pipe.clnt,
1652                                     get_pipe_name_from_iface(&p->syntax))) {
1653                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1654                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1655                                break;
1656                        }
1657                 }
1658
1659                 if (i == rpc_lookup_size) {
1660                         DEBUG(0, ("module %s doesn't provide functions for "
1661                                   "pipe %s!\n",
1662                                   get_pipe_name_from_iface(&p->syntax),
1663                                   get_pipe_name_from_iface(&p->syntax)));
1664                         goto err_exit;
1665                 }
1666         }
1667
1668         /* name has to be \PIPE\xxxxx */
1669         fstrcpy(ack_pipe_name, "\\PIPE\\");
1670         fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1671
1672         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1673
1674         /*
1675          * Check if this is an authenticated bind request.
1676          */
1677
1678         if (p->hdr.auth_len) {
1679                 /* 
1680                  * Decode the authentication verifier.
1681                  */
1682
1683                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1684                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1685                         goto err_exit;
1686                 }
1687
1688                 auth_type = auth_info.auth_type;
1689
1690                 /* Work out if we have to sign or seal etc. */
1691                 switch (auth_info.auth_level) {
1692                         case DCERPC_AUTH_LEVEL_INTEGRITY:
1693                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1694                                 break;
1695                         case DCERPC_AUTH_LEVEL_PRIVACY:
1696                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1697                                 break;
1698                         default:
1699                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1700                                         (unsigned int)auth_info.auth_level ));
1701                                 goto err_exit;
1702                 }
1703         } else {
1704                 ZERO_STRUCT(auth_info);
1705         }
1706
1707         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1708
1709         switch(auth_type) {
1710                 case DCERPC_AUTH_TYPE_NTLMSSP:
1711                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1712                                 goto err_exit;
1713                         }
1714                         assoc_gid = 0x7a77;
1715                         break;
1716
1717                 case DCERPC_AUTH_TYPE_SCHANNEL:
1718                         if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1719                                 goto err_exit;
1720                         }
1721                         break;
1722
1723                 case DCERPC_AUTH_TYPE_SPNEGO:
1724                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1725                                 goto err_exit;
1726                         }
1727                         break;
1728
1729                 case RPC_ANONYMOUS_AUTH_TYPE:
1730                         /* Unauthenticated bind request. */
1731                         /* We're finished - no more packets. */
1732                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1733                         /* We must set the pipe auth_level here also. */
1734                         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1735                         p->pipe_bound = True;
1736                         /* The session key was initialized from the SMB
1737                          * session in make_internal_rpc_pipe_p */
1738                         break;
1739
1740                 default:
1741                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1742                         goto err_exit;
1743         }
1744
1745         /*
1746          * Create the bind response struct.
1747          */
1748
1749         /* If the requested abstract synt uuid doesn't match our client pipe,
1750                 reject the bind_ack & set the transfer interface synt to all 0's,
1751                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1752                 unknown to NT4)
1753                 Needed when adding entries to a DACL from NT5 - SK */
1754
1755         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1756                                 hdr_rb.rpc_context[0].context_id )) {
1757                 init_rpc_hdr_ba(&hdr_ba,
1758                         RPC_MAX_PDU_FRAG_LEN,
1759                         RPC_MAX_PDU_FRAG_LEN,
1760                         assoc_gid,
1761                         ack_pipe_name,
1762                         0x1, 0x0, 0x0,
1763                         &hdr_rb.rpc_context[0].transfer[0]);
1764         } else {
1765                 /* Rejection reason: abstract syntax not supported */
1766                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1767                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1768                                         ack_pipe_name, 0x1, 0x2, 0x1,
1769                                         &null_ndr_syntax_id);
1770                 p->pipe_bound = False;
1771         }
1772
1773         /*
1774          * and marshall it.
1775          */
1776
1777         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1778                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1779                 goto err_exit;
1780         }
1781
1782         /*
1783          * Create the header, now we know the length.
1784          */
1785
1786         if (prs_offset(&out_auth)) {
1787                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1788         }
1789
1790         init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1791                         p->hdr.call_id,
1792                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1793                         auth_len);
1794
1795         /*
1796          * Marshall the header into the outgoing PDU.
1797          */
1798
1799         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1800                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1801                 goto err_exit;
1802         }
1803
1804         /*
1805          * Now add the RPC_HDR_BA and any auth needed.
1806          */
1807
1808         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1809                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1810                 goto err_exit;
1811         }
1812
1813         if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1814                 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1815                 goto err_exit;
1816         }
1817
1818         /*
1819          * Setup the lengths for the initial reply.
1820          */
1821
1822         p->out_data.data_sent_length = 0;
1823         p->out_data.current_pdu_sent = 0;
1824
1825         prs_mem_free(&out_hdr_ba);
1826         prs_mem_free(&out_auth);
1827
1828         return True;
1829
1830   err_exit:
1831
1832         prs_mem_free(&p->out_data.frag);
1833         prs_mem_free(&out_hdr_ba);
1834         prs_mem_free(&out_auth);
1835         return setup_bind_nak(p);
1836 }
1837
1838 /****************************************************************************
1839  Deal with an alter context call. Can be third part of 3 leg auth request for
1840  SPNEGO calls.
1841 ****************************************************************************/
1842
1843 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1844 {
1845         RPC_HDR_BA hdr_ba;
1846         RPC_HDR_RB hdr_rb;
1847         RPC_HDR_AUTH auth_info;
1848         uint16 assoc_gid;
1849         fstring ack_pipe_name;
1850         prs_struct out_hdr_ba;
1851         prs_struct out_auth;
1852         int auth_len = 0;
1853
1854         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1855
1856         /* 
1857          * Marshall directly into the outgoing PDU space. We
1858          * must do this as we need to set to the bind response
1859          * header and are never sending more than one PDU here.
1860          */
1861
1862         /*
1863          * Setup the memory to marshall the ba header, and the
1864          * auth footers.
1865          */
1866
1867         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1868                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1869                 prs_mem_free(&p->out_data.frag);
1870                 return False;
1871         }
1872
1873         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1874                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1875                 prs_mem_free(&p->out_data.frag);
1876                 prs_mem_free(&out_hdr_ba);
1877                 return False;
1878         }
1879
1880         ZERO_STRUCT(hdr_rb);
1881
1882         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1883
1884         /* decode the alter context request */
1885         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1886                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1887                 goto err_exit;
1888         }
1889
1890         /* secondary address CAN be NULL
1891          * as the specs say it's ignored.
1892          * It MUST be NULL to have the spoolss working.
1893          */
1894         fstrcpy(ack_pipe_name,"");
1895
1896         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1897
1898         /*
1899          * Check if this is an authenticated alter context request.
1900          */
1901
1902         if (p->hdr.auth_len != 0) {
1903                 /* 
1904                  * Decode the authentication verifier.
1905                  */
1906
1907                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1908                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1909                         goto err_exit;
1910                 }
1911
1912                 /*
1913                  * Currently only the SPNEGO auth type uses the alter ctx
1914                  * response in place of the NTLMSSP auth3 type.
1915                  */
1916
1917                 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
1918                         /* We can only finish if the pipe is unbound. */
1919                         if (!p->pipe_bound) {
1920                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1921                                         goto err_exit;
1922                                 }
1923                         } else {
1924                                 goto err_exit;
1925                         }
1926                 }
1927         } else {
1928                 ZERO_STRUCT(auth_info);
1929         }
1930
1931         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1932
1933         /*
1934          * Create the bind response struct.
1935          */
1936
1937         /* If the requested abstract synt uuid doesn't match our client pipe,
1938                 reject the bind_ack & set the transfer interface synt to all 0's,
1939                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1940                 unknown to NT4)
1941                 Needed when adding entries to a DACL from NT5 - SK */
1942
1943         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1944                                 hdr_rb.rpc_context[0].context_id )) {
1945                 init_rpc_hdr_ba(&hdr_ba,
1946                         RPC_MAX_PDU_FRAG_LEN,
1947                         RPC_MAX_PDU_FRAG_LEN,
1948                         assoc_gid,
1949                         ack_pipe_name,
1950                         0x1, 0x0, 0x0,
1951                         &hdr_rb.rpc_context[0].transfer[0]);
1952         } else {
1953                 /* Rejection reason: abstract syntax not supported */
1954                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1955                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1956                                         ack_pipe_name, 0x1, 0x2, 0x1,
1957                                         &null_ndr_syntax_id);
1958                 p->pipe_bound = False;
1959         }
1960
1961         /*
1962          * and marshall it.
1963          */
1964
1965         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1966                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1967                 goto err_exit;
1968         }
1969
1970         /*
1971          * Create the header, now we know the length.
1972          */
1973
1974         if (prs_offset(&out_auth)) {
1975                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1976         }
1977
1978         init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1979                         p->hdr.call_id,
1980                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1981                         auth_len);
1982
1983         /*
1984          * Marshall the header into the outgoing PDU.
1985          */
1986
1987         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1988                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1989                 goto err_exit;
1990         }
1991
1992         /*
1993          * Now add the RPC_HDR_BA and any auth needed.
1994          */
1995
1996         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1997                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1998                 goto err_exit;
1999         }
2000
2001         if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) {
2002                 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2003                 goto err_exit;
2004         }
2005
2006         /*
2007          * Setup the lengths for the initial reply.
2008          */
2009
2010         p->out_data.data_sent_length = 0;
2011         p->out_data.current_pdu_sent = 0;
2012
2013         prs_mem_free(&out_hdr_ba);
2014         prs_mem_free(&out_auth);
2015
2016         return True;
2017
2018   err_exit:
2019
2020         prs_mem_free(&p->out_data.frag);
2021         prs_mem_free(&out_hdr_ba);
2022         prs_mem_free(&out_auth);
2023         return setup_bind_nak(p);
2024 }
2025
2026 /****************************************************************************
2027  Deal with NTLMSSP sign & seal processing on an RPC request.
2028 ****************************************************************************/
2029
2030 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2031                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2032 {
2033         RPC_HDR_AUTH auth_info;
2034         uint32 auth_len = p->hdr.auth_len;
2035         uint32 save_offset = prs_offset(rpc_in);
2036         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2037         unsigned char *data = NULL;
2038         size_t data_len;
2039         unsigned char *full_packet_data = NULL;
2040         size_t full_packet_data_len;
2041         DATA_BLOB auth_blob;
2042
2043         *pstatus = NT_STATUS_OK;
2044
2045         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2046                 return True;
2047         }
2048
2049         if (!a) {
2050                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2051                 return False;
2052         }
2053
2054         /* Ensure there's enough data for an authenticated request. */
2055         if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2056                         (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2057                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2058                         (unsigned int)auth_len ));
2059                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2060                 return False;
2061         }
2062
2063         /*
2064          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2065          * after the RPC header. 
2066          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2067          * functions as NTLMv2 checks the rpc headers also.
2068          */
2069
2070         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2071         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2072
2073         full_packet_data = p->in_data.current_in_pdu;
2074         full_packet_data_len = p->hdr.frag_len - auth_len;
2075
2076         /* Pull the auth header and the following data into a blob. */
2077         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2078                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2079                         (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2080                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2081                 return False;
2082         }
2083
2084         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2085                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2086                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2087                 return False;
2088         }
2089
2090         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2091         auth_blob.length = auth_len;
2092
2093         switch (p->auth.auth_level) {
2094                 case DCERPC_AUTH_LEVEL_PRIVACY:
2095                         /* Data is encrypted. */
2096                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2097                                                         data, data_len,
2098                                                         full_packet_data,
2099                                                         full_packet_data_len,
2100                                                         &auth_blob);
2101                         if (!NT_STATUS_IS_OK(*pstatus)) {
2102                                 return False;
2103                         }
2104                         break;
2105                 case DCERPC_AUTH_LEVEL_INTEGRITY:
2106                         /* Data is signed. */
2107                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2108                                                         data, data_len,
2109                                                         full_packet_data,
2110                                                         full_packet_data_len,
2111                                                         &auth_blob);
2112                         if (!NT_STATUS_IS_OK(*pstatus)) {
2113                                 return False;
2114                         }
2115                         break;
2116                 default:
2117                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2118                         return False;
2119         }
2120
2121         /*
2122          * Return the current pointer to the data offset.
2123          */
2124
2125         if(!prs_set_offset(rpc_in, save_offset)) {
2126                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2127                         (unsigned int)save_offset ));
2128                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2129                 return False;
2130         }
2131
2132         /*
2133          * Remember the padding length. We must remove it from the real data
2134          * stream once the sign/seal is done.
2135          */
2136
2137         *p_ss_padding_len = auth_info.auth_pad_len;
2138
2139         return True;
2140 }
2141
2142 /****************************************************************************
2143  Deal with schannel processing on an RPC request.
2144 ****************************************************************************/
2145
2146 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2147 {
2148         uint32 data_len;
2149         uint32 auth_len;
2150         uint32 save_offset = prs_offset(rpc_in);
2151         RPC_HDR_AUTH auth_info;
2152         struct NL_AUTH_SIGNATURE schannel_chk;
2153         enum ndr_err_code ndr_err;
2154         DATA_BLOB blob;
2155
2156         auth_len = p->hdr.auth_len;
2157
2158         if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2159                         auth_len > RPC_HEADER_LEN +
2160                                         RPC_HDR_REQ_LEN +
2161                                         RPC_HDR_AUTH_LEN +
2162                                         auth_len) {
2163                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2164                 return False;
2165         }
2166
2167         /*
2168          * The following is that length of the data we must verify or unseal.
2169          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2170          * preceeding the auth_data.
2171          */
2172
2173         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2174                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2175                         (unsigned int)p->hdr.frag_len,
2176                         (unsigned int)auth_len ));
2177                 return False;
2178         }
2179
2180         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2181                 RPC_HDR_AUTH_LEN - auth_len;
2182
2183         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2184
2185         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2186                 DEBUG(0,("cannot move offset to %u.\n",
2187                          (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2188                 return False;
2189         }
2190
2191         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2192                 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2193                 return False;
2194         }
2195
2196         if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2197                 DEBUG(0,("Invalid auth info %d on schannel\n",
2198                          auth_info.auth_type));
2199                 return False;
2200         }
2201
2202         blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2203
2204         ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &schannel_chk,
2205                                (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_SIGNATURE);
2206         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2207                 DEBUG(0,("failed to pull NL_AUTH_SIGNATURE\n"));
2208                 dump_data(2, blob.data, blob.length);
2209                 return false;
2210         }
2211
2212         if (DEBUGLEVEL >= 10) {
2213                 NDR_PRINT_DEBUG(NL_AUTH_SIGNATURE, &schannel_chk);
2214         }
2215
2216         if (!schannel_decode(p->auth.a_u.schannel_auth,
2217                            p->auth.auth_level,
2218                            SENDER_IS_INITIATOR,
2219                            &schannel_chk,
2220                            prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2221                 DEBUG(3,("failed to decode PDU\n"));
2222                 return False;
2223         }
2224
2225         /*
2226          * Return the current pointer to the data offset.
2227          */
2228
2229         if(!prs_set_offset(rpc_in, save_offset)) {
2230                 DEBUG(0,("failed to set offset back to %u\n",
2231                          (unsigned int)save_offset ));
2232                 return False;
2233         }
2234
2235         /* The sequence number gets incremented on both send and receive. */
2236         p->auth.a_u.schannel_auth->seq_num++;
2237
2238         /*
2239          * Remember the padding length. We must remove it from the real data
2240          * stream once the sign/seal is done.
2241          */
2242
2243         *p_ss_padding_len = auth_info.auth_pad_len;
2244
2245         return True;
2246 }
2247
2248 /****************************************************************************
2249  Find the set of RPC functions associated with this context_id
2250 ****************************************************************************/
2251
2252 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2253 {
2254         PIPE_RPC_FNS *fns = NULL;
2255
2256         if ( !list ) {
2257                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2258                 return NULL;
2259         }
2260
2261         for (fns=list; fns; fns=fns->next ) {
2262                 if ( fns->context_id == context_id )
2263                         return fns;
2264         }
2265         return NULL;
2266 }
2267
2268 /****************************************************************************
2269  Memory cleanup.
2270 ****************************************************************************/
2271
2272 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2273 {
2274         PIPE_RPC_FNS *tmp = list;
2275         PIPE_RPC_FNS *tmp2;
2276
2277         while (tmp) {
2278                 tmp2 = tmp->next;
2279                 SAFE_FREE(tmp);
2280                 tmp = tmp2;
2281         }
2282
2283         return; 
2284 }
2285
2286 static bool api_rpcTNP(pipes_struct *p,
2287                        const struct api_struct *api_rpc_cmds, int n_cmds);
2288
2289 /****************************************************************************
2290  Find the correct RPC function to call for this request.
2291  If the pipe is authenticated then become the correct UNIX user
2292  before doing the call.
2293 ****************************************************************************/
2294
2295 bool api_pipe_request(pipes_struct *p)
2296 {
2297         bool ret = False;
2298         bool changed_user = False;
2299         PIPE_RPC_FNS *pipe_fns;
2300
2301         if (p->pipe_bound &&
2302                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2303                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2304                 if(!become_authenticated_pipe_user(p)) {
2305                         prs_mem_free(&p->out_data.rdata);
2306                         return False;
2307                 }
2308                 changed_user = True;
2309         }
2310
2311         DEBUG(5, ("Requested \\PIPE\\%s\n",
2312                   get_pipe_name_from_iface(&p->syntax)));
2313
2314         /* get the set of RPC functions for this context */
2315
2316         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2317
2318         if ( pipe_fns ) {
2319                 TALLOC_CTX *frame = talloc_stackframe();
2320                 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2321                 TALLOC_FREE(frame);
2322         }
2323         else {
2324                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2325                         p->hdr_req.context_id,
2326                         get_pipe_name_from_iface(&p->syntax)));
2327         }
2328
2329         if (changed_user) {
2330                 unbecome_authenticated_pipe_user();
2331         }
2332
2333         return ret;
2334 }
2335
2336 /*******************************************************************
2337  Calls the underlying RPC function for a named pipe.
2338  ********************************************************************/
2339
2340 static bool api_rpcTNP(pipes_struct *p,
2341                        const struct api_struct *api_rpc_cmds, int n_cmds)
2342 {
2343         int fn_num;
2344         uint32 offset1, offset2;
2345
2346         /* interpret the command */
2347         DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2348                  get_pipe_name_from_iface(&p->syntax), p->hdr_req.opnum));
2349
2350         if (DEBUGLEVEL >= 50) {
2351                 fstring name;
2352                 slprintf(name, sizeof(name)-1, "in_%s",
2353                          get_pipe_name_from_iface(&p->syntax));
2354                 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2355         }
2356
2357         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2358                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2359                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2360                         break;
2361                 }
2362         }
2363
2364         if (fn_num == n_cmds) {
2365                 /*
2366                  * For an unknown RPC just return a fault PDU but
2367                  * return True to allow RPC's on the pipe to continue
2368                  * and not put the pipe into fault state. JRA.
2369                  */
2370                 DEBUG(4, ("unknown\n"));
2371                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2372                 return True;
2373         }
2374
2375         offset1 = prs_offset(&p->out_data.rdata);
2376
2377         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2378                 fn_num, api_rpc_cmds[fn_num].fn));
2379         /* do the actual command */
2380         if(!api_rpc_cmds[fn_num].fn(p)) {
2381                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2382                          get_pipe_name_from_iface(&p->syntax),
2383                          api_rpc_cmds[fn_num].name));
2384                 prs_mem_free(&p->out_data.rdata);
2385                 return False;
2386         }
2387
2388         if (p->bad_handle_fault_state) {
2389                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2390                 p->bad_handle_fault_state = False;
2391                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2392                 return True;
2393         }
2394
2395         if (p->rng_fault_state) {
2396                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2397                 p->rng_fault_state = False;
2398                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2399                 return True;
2400         }
2401
2402         offset2 = prs_offset(&p->out_data.rdata);
2403         prs_set_offset(&p->out_data.rdata, offset1);
2404         if (DEBUGLEVEL >= 50) {
2405                 fstring name;
2406                 slprintf(name, sizeof(name)-1, "out_%s",
2407                          get_pipe_name_from_iface(&p->syntax));
2408                 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2409         }
2410         prs_set_offset(&p->out_data.rdata, offset2);
2411
2412         DEBUG(5,("api_rpcTNP: called %s successfully\n",
2413                  get_pipe_name_from_iface(&p->syntax)));
2414
2415         /* Check for buffer underflow in rpc parsing */
2416
2417         if ((DEBUGLEVEL >= 10) && 
2418             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2419                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2420                 char *data = (char *)SMB_MALLOC(data_len);
2421
2422                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2423                 if (data) {
2424                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2425                         SAFE_FREE(data);
2426                 }
2427
2428         }
2429
2430         return True;
2431 }