s3-rpc_server: use NL_AUTH_MESSAGE in pipe_schannel_auth_bind().
[ira/wip.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005.
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31 #include "../libcli/auth/libcli_auth.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33
34 extern struct current_user current_user;
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
38
39 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
40 {
41         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
42
43         if (a) {
44                 auth_ntlmssp_end(&a);
45         }
46         auth->a_u.auth_ntlmssp_state = NULL;
47 }
48
49 static DATA_BLOB generic_session_key(void)
50 {
51         return data_blob("SystemLibraryDTC", 16);
52 }
53
54 /*******************************************************************
55  Generate the next PDU to be returned from the data in p->rdata. 
56  Handle NTLMSSP.
57  ********************************************************************/
58
59 static bool create_next_pdu_ntlmssp(pipes_struct *p)
60 {
61         RPC_HDR_RESP hdr_resp;
62         uint32 ss_padding_len = 0;
63         uint32 data_space_available;
64         uint32 data_len_left;
65         uint32 data_len;
66         NTSTATUS status;
67         DATA_BLOB auth_blob;
68         RPC_HDR_AUTH auth_info;
69         uint8 auth_type, auth_level;
70         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
71
72         /*
73          * If we're in the fault state, keep returning fault PDU's until
74          * the pipe gets closed. JRA.
75          */
76
77         if(p->fault_state) {
78                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
79                 return True;
80         }
81
82         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
83
84         /* Change the incoming request header to a response. */
85         p->hdr.pkt_type = RPC_RESPONSE;
86
87         /* Set up rpc header flags. */
88         if (p->out_data.data_sent_length == 0) {
89                 p->hdr.flags = RPC_FLG_FIRST;
90         } else {
91                 p->hdr.flags = 0;
92         }
93
94         /*
95          * Work out how much we can fit in a single PDU.
96          */
97
98         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
99
100         /*
101          * Ensure there really is data left to send.
102          */
103
104         if(!data_len_left) {
105                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
106                 return False;
107         }
108
109         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
110                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
111
112         /*
113          * The amount we send is the minimum of the available
114          * space and the amount left to send.
115          */
116
117         data_len = MIN(data_len_left, data_space_available);
118
119         /*
120          * Set up the alloc hint. This should be the data left to
121          * send.
122          */
123
124         hdr_resp.alloc_hint = data_len_left;
125
126         /*
127          * Work out if this PDU will be the last.
128          */
129
130         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
131                 p->hdr.flags |= RPC_FLG_LAST;
132                 if (data_len_left % 8) {
133                         ss_padding_len = 8 - (data_len_left % 8);
134                         DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
135                                 ss_padding_len ));
136                 }
137         }
138
139         /*
140          * Set up the header lengths.
141          */
142
143         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
144                         data_len + ss_padding_len +
145                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
146         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
147
148
149         /*
150          * Init the parse struct to point at the outgoing
151          * data.
152          */
153
154         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
155
156         /* Store the header in the data stream. */
157         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
158                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
159                 prs_mem_free(&p->out_data.frag);
160                 return False;
161         }
162
163         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
164                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
165                 prs_mem_free(&p->out_data.frag);
166                 return False;
167         }
168
169         /* Copy the data into the PDU. */
170
171         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
172                                      p->out_data.data_sent_length, data_len)) {
173                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
174                 prs_mem_free(&p->out_data.frag);
175                 return False;
176         }
177
178         /* Copy the sign/seal padding data. */
179         if (ss_padding_len) {
180                 char pad[8];
181
182                 memset(pad, '\0', 8);
183                 if (!prs_copy_data_in(&p->out_data.frag, pad,
184                                       ss_padding_len)) {
185                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
186                                         (unsigned int)ss_padding_len));
187                         prs_mem_free(&p->out_data.frag);
188                         return False;
189                 }
190         }
191
192
193         /* Now write out the auth header and null blob. */
194         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
195                 auth_type = RPC_NTLMSSP_AUTH_TYPE;
196         } else {
197                 auth_type = RPC_SPNEGO_AUTH_TYPE;
198         }
199         if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
200                 auth_level = RPC_AUTH_LEVEL_PRIVACY;
201         } else {
202                 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
203         }
204
205         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
206         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag,
207                                 0)) {
208                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
209                 prs_mem_free(&p->out_data.frag);
210                 return False;
211         }
212
213         /* Generate the sign blob. */
214
215         switch (p->auth.auth_level) {
216                 case PIPE_AUTH_LEVEL_PRIVACY:
217                         /* Data portion is encrypted. */
218                         status = ntlmssp_seal_packet(
219                                 a->ntlmssp_state,
220                                 (uint8_t *)prs_data_p(&p->out_data.frag)
221                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
222                                 data_len + ss_padding_len,
223                                 (unsigned char *)prs_data_p(&p->out_data.frag),
224                                 (size_t)prs_offset(&p->out_data.frag),
225                                 &auth_blob);
226                         if (!NT_STATUS_IS_OK(status)) {
227                                 data_blob_free(&auth_blob);
228                                 prs_mem_free(&p->out_data.frag);
229                                 return False;
230                         }
231                         break;
232                 case PIPE_AUTH_LEVEL_INTEGRITY:
233                         /* Data is signed. */
234                         status = ntlmssp_sign_packet(
235                                 a->ntlmssp_state,
236                                 (unsigned char *)prs_data_p(&p->out_data.frag)
237                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
238                                 data_len + ss_padding_len,
239                                 (unsigned char *)prs_data_p(&p->out_data.frag),
240                                 (size_t)prs_offset(&p->out_data.frag),
241                                 &auth_blob);
242                         if (!NT_STATUS_IS_OK(status)) {
243                                 data_blob_free(&auth_blob);
244                                 prs_mem_free(&p->out_data.frag);
245                                 return False;
246                         }
247                         break;
248                 default:
249                         prs_mem_free(&p->out_data.frag);
250                         return False;
251         }
252
253         /* Append the auth blob. */
254         if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
255                               NTLMSSP_SIG_SIZE)) {
256                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
257                                 (unsigned int)NTLMSSP_SIG_SIZE));
258                 data_blob_free(&auth_blob);
259                 prs_mem_free(&p->out_data.frag);
260                 return False;
261         }
262
263         data_blob_free(&auth_blob);
264
265         /*
266          * Setup the counts for this PDU.
267          */
268
269         p->out_data.data_sent_length += data_len;
270         p->out_data.current_pdu_sent = 0;
271
272         return True;
273 }
274
275 /*******************************************************************
276  Generate the next PDU to be returned from the data in p->rdata. 
277  Return an schannel authenticated fragment.
278  ********************************************************************/
279
280 static bool create_next_pdu_schannel(pipes_struct *p)
281 {
282         RPC_HDR_RESP hdr_resp;
283         uint32 ss_padding_len = 0;
284         uint32 data_len;
285         uint32 data_space_available;
286         uint32 data_len_left;
287         uint32 data_pos;
288
289         /*
290          * If we're in the fault state, keep returning fault PDU's until
291          * the pipe gets closed. JRA.
292          */
293
294         if(p->fault_state) {
295                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
296                 return True;
297         }
298
299         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
300
301         /* Change the incoming request header to a response. */
302         p->hdr.pkt_type = RPC_RESPONSE;
303
304         /* Set up rpc header flags. */
305         if (p->out_data.data_sent_length == 0) {
306                 p->hdr.flags = RPC_FLG_FIRST;
307         } else {
308                 p->hdr.flags = 0;
309         }
310
311         /*
312          * Work out how much we can fit in a single PDU.
313          */
314
315         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
316
317         /*
318          * Ensure there really is data left to send.
319          */
320
321         if(!data_len_left) {
322                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
323                 return False;
324         }
325
326         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
327                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
328                 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
329
330         /*
331          * The amount we send is the minimum of the available
332          * space and the amount left to send.
333          */
334
335         data_len = MIN(data_len_left, data_space_available);
336
337         /*
338          * Set up the alloc hint. This should be the data left to
339          * send.
340          */
341
342         hdr_resp.alloc_hint = data_len_left;
343
344         /*
345          * Work out if this PDU will be the last.
346          */
347
348         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
349                 p->hdr.flags |= RPC_FLG_LAST;
350                 if (data_len_left % 8) {
351                         ss_padding_len = 8 - (data_len_left % 8);
352                         DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
353                                 ss_padding_len ));
354                 }
355         }
356
357         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
358                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
359         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
360
361         /*
362          * Init the parse struct to point at the outgoing
363          * data.
364          */
365
366         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
367
368         /* Store the header in the data stream. */
369         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
370                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
371                 prs_mem_free(&p->out_data.frag);
372                 return False;
373         }
374
375         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
376                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
377                 prs_mem_free(&p->out_data.frag);
378                 return False;
379         }
380
381         /* Store the current offset. */
382         data_pos = prs_offset(&p->out_data.frag);
383
384         /* Copy the data into the PDU. */
385
386         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
387                                      p->out_data.data_sent_length, data_len)) {
388                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
389                 prs_mem_free(&p->out_data.frag);
390                 return False;
391         }
392
393         /* Copy the sign/seal padding data. */
394         if (ss_padding_len) {
395                 char pad[8];
396                 memset(pad, '\0', 8);
397                 if (!prs_copy_data_in(&p->out_data.frag, pad,
398                                       ss_padding_len)) {
399                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
400                         prs_mem_free(&p->out_data.frag);
401                         return False;
402                 }
403         }
404
405         {
406                 /*
407                  * Schannel processing.
408                  */
409                 RPC_HDR_AUTH auth_info;
410                 RPC_AUTH_SCHANNEL_CHK verf;
411
412                 /* Check it's the type of reply we were expecting to decode */
413
414                 init_rpc_hdr_auth(&auth_info,
415                                 RPC_SCHANNEL_AUTH_TYPE,
416                                 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
417                                         RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
418                                 ss_padding_len, 1);
419
420                 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
421                                         &p->out_data.frag, 0)) {
422                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
423                         prs_mem_free(&p->out_data.frag);
424                         return False;
425                 }
426
427                 schannel_encode(p->auth.a_u.schannel_auth, 
428                                 p->auth.auth_level, SENDER_IS_ACCEPTOR, &verf,
429                                 prs_data_p(&p->out_data.frag) + data_pos,
430                                 data_len + ss_padding_len);
431
432                 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, 
433                                 &verf, &p->out_data.frag, 0)) {
434                         prs_mem_free(&p->out_data.frag);
435                         return False;
436                 }
437
438                 p->auth.a_u.schannel_auth->seq_num++;
439         }
440
441         /*
442          * Setup the counts for this PDU.
443          */
444
445         p->out_data.data_sent_length += data_len;
446         p->out_data.current_pdu_sent = 0;
447
448         return True;
449 }
450
451 /*******************************************************************
452  Generate the next PDU to be returned from the data in p->rdata. 
453  No authentication done.
454 ********************************************************************/
455
456 static bool create_next_pdu_noauth(pipes_struct *p)
457 {
458         RPC_HDR_RESP hdr_resp;
459         uint32 data_len;
460         uint32 data_space_available;
461         uint32 data_len_left;
462
463         /*
464          * If we're in the fault state, keep returning fault PDU's until
465          * the pipe gets closed. JRA.
466          */
467
468         if(p->fault_state) {
469                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
470                 return True;
471         }
472
473         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
474
475         /* Change the incoming request header to a response. */
476         p->hdr.pkt_type = RPC_RESPONSE;
477
478         /* Set up rpc header flags. */
479         if (p->out_data.data_sent_length == 0) {
480                 p->hdr.flags = RPC_FLG_FIRST;
481         } else {
482                 p->hdr.flags = 0;
483         }
484
485         /*
486          * Work out how much we can fit in a single PDU.
487          */
488
489         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
490
491         /*
492          * Ensure there really is data left to send.
493          */
494
495         if(!data_len_left) {
496                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
497                 return False;
498         }
499
500         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
501                 - RPC_HDR_RESP_LEN;
502
503         /*
504          * The amount we send is the minimum of the available
505          * space and the amount left to send.
506          */
507
508         data_len = MIN(data_len_left, data_space_available);
509
510         /*
511          * Set up the alloc hint. This should be the data left to
512          * send.
513          */
514
515         hdr_resp.alloc_hint = data_len_left;
516
517         /*
518          * Work out if this PDU will be the last.
519          */
520
521         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
522                 p->hdr.flags |= RPC_FLG_LAST;
523         }
524
525         /*
526          * Set up the header lengths.
527          */
528
529         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
530         p->hdr.auth_len = 0;
531
532         /*
533          * Init the parse struct to point at the outgoing
534          * data.
535          */
536
537         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
538
539         /* Store the header in the data stream. */
540         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
541                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
542                 prs_mem_free(&p->out_data.frag);
543                 return False;
544         }
545
546         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
547                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
548                 prs_mem_free(&p->out_data.frag);
549                 return False;
550         }
551
552         /* Copy the data into the PDU. */
553
554         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
555                                      p->out_data.data_sent_length, data_len)) {
556                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
557                 prs_mem_free(&p->out_data.frag);
558                 return False;
559         }
560
561         /*
562          * Setup the counts for this PDU.
563          */
564
565         p->out_data.data_sent_length += data_len;
566         p->out_data.current_pdu_sent = 0;
567
568         return True;
569 }
570
571 /*******************************************************************
572  Generate the next PDU to be returned from the data in p->rdata. 
573 ********************************************************************/
574
575 bool create_next_pdu(pipes_struct *p)
576 {
577         switch(p->auth.auth_level) {
578                 case PIPE_AUTH_LEVEL_NONE:
579                 case PIPE_AUTH_LEVEL_CONNECT:
580                         /* This is incorrect for auth level connect. Fixme. JRA */
581                         return create_next_pdu_noauth(p);
582
583                 default:
584                         switch(p->auth.auth_type) {
585                                 case PIPE_AUTH_TYPE_NTLMSSP:
586                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
587                                         return create_next_pdu_ntlmssp(p);
588                                 case PIPE_AUTH_TYPE_SCHANNEL:
589                                         return create_next_pdu_schannel(p);
590                                 default:
591                                         break;
592                         }
593         }
594
595         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
596                         (unsigned int)p->auth.auth_level,
597                         (unsigned int)p->auth.auth_type));
598         return False;
599 }
600
601 /*******************************************************************
602  Process an NTLMSSP authentication response.
603  If this function succeeds, the user has been authenticated
604  and their domain, name and calling workstation stored in
605  the pipe struct.
606 *******************************************************************/
607
608 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
609 {
610         DATA_BLOB session_key, reply;
611         NTSTATUS status;
612         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
613         bool ret;
614
615         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
616                  get_pipe_name_from_iface(&p->syntax)));
617
618         ZERO_STRUCT(reply);
619
620         /* this has to be done as root in order to verify the password */
621         become_root();
622         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
623         unbecome_root();
624
625         /* Don't generate a reply. */
626         data_blob_free(&reply);
627
628         if (!NT_STATUS_IS_OK(status)) {
629                 return False;
630         }
631
632         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
633            ensure the underlying NTLMSSP flags are also set. If not we should
634            refuse the bind. */
635
636         if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
637                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
638                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
639                                 "but client declined signing.\n",
640                                 get_pipe_name_from_iface(&p->syntax)));
641                         return False;
642                 }
643         }
644         if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
645                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
646                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
647                                 "but client declined sealing.\n",
648                                 get_pipe_name_from_iface(&p->syntax)));
649                         return False;
650                 }
651         }
652
653         DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
654                   "workstation: %s\n", a->ntlmssp_state->user,
655                   a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
656
657         if (a->server_info->ptok == NULL) {
658                 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
659                 return False;
660         }
661
662         TALLOC_FREE(p->server_info);
663
664         p->server_info = copy_serverinfo(p, a->server_info);
665         if (p->server_info == NULL) {
666                 DEBUG(0, ("copy_serverinfo failed\n"));
667                 return false;
668         }
669
670         /*
671          * We're an authenticated bind over smb, so the session key needs to
672          * be set to "SystemLibraryDTC". Weird, but this is what Windows
673          * does. See the RPC-SAMBA3SESSIONKEY.
674          */
675
676         session_key = generic_session_key();
677         if (session_key.data == NULL) {
678                 return False;
679         }
680
681         ret = server_info_set_session_key(p->server_info, session_key);
682
683         data_blob_free(&session_key);
684
685         return True;
686 }
687
688 /*******************************************************************
689  The switch table for the pipe names and the functions to handle them.
690 *******************************************************************/
691
692 struct rpc_table {
693         struct {
694                 const char *clnt;
695                 const char *srv;
696         } pipe;
697         struct ndr_syntax_id rpc_interface;
698         const struct api_struct *cmds;
699         int n_cmds;
700 };
701
702 static struct rpc_table *rpc_lookup;
703 static int rpc_lookup_size;
704
705 /*******************************************************************
706  This is the "stage3" NTLMSSP response after a bind request and reply.
707 *******************************************************************/
708
709 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
710 {
711         RPC_HDR_AUTH auth_info;
712         uint32 pad = 0;
713         DATA_BLOB blob;
714
715         ZERO_STRUCT(blob);
716
717         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
718
719         if (p->hdr.auth_len == 0) {
720                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
721                 goto err;
722         }
723
724         /* 4 bytes padding. */
725         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
726                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
727                 goto err;
728         }
729
730         /*
731          * Decode the authentication verifier response.
732          */
733
734         if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
735                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
736                 goto err;
737         }
738
739         if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
740                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
741                         (unsigned int)auth_info.auth_type ));
742                 return False;
743         }
744
745         blob = data_blob(NULL,p->hdr.auth_len);
746
747         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
748                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
749                         (unsigned int)p->hdr.auth_len ));
750                 goto err;
751         }
752
753         /*
754          * The following call actually checks the challenge/response data.
755          * for correctness against the given DOMAIN\user name.
756          */
757
758         if (!pipe_ntlmssp_verify_final(p, &blob)) {
759                 goto err;
760         }
761
762         data_blob_free(&blob);
763
764         p->pipe_bound = True;
765
766         return True;
767
768  err:
769
770         data_blob_free(&blob);
771         free_pipe_ntlmssp_auth_data(&p->auth);
772         p->auth.a_u.auth_ntlmssp_state = NULL;
773
774         return False;
775 }
776
777 /*******************************************************************
778  Marshall a bind_nak pdu.
779 *******************************************************************/
780
781 static bool setup_bind_nak(pipes_struct *p)
782 {
783         RPC_HDR nak_hdr;
784         uint16 zero = 0;
785
786         /* Free any memory in the current return data buffer. */
787         prs_mem_free(&p->out_data.rdata);
788
789         /*
790          * Marshall directly into the outgoing PDU space. We
791          * must do this as we need to set to the bind response
792          * header and are never sending more than one PDU here.
793          */
794
795         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
796
797         /*
798          * Initialize a bind_nak header.
799          */
800
801         init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
802                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
803
804         /*
805          * Marshall the header into the outgoing PDU.
806          */
807
808         if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
809                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
810                 prs_mem_free(&p->out_data.frag);
811                 return False;
812         }
813
814         /*
815          * Now add the reject reason.
816          */
817
818         if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
819                 prs_mem_free(&p->out_data.frag);
820                 return False;
821         }
822
823         p->out_data.data_sent_length = 0;
824         p->out_data.current_pdu_sent = 0;
825
826         if (p->auth.auth_data_free_func) {
827                 (*p->auth.auth_data_free_func)(&p->auth);
828         }
829         p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
830         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
831         p->pipe_bound = False;
832
833         return True;
834 }
835
836 /*******************************************************************
837  Marshall a fault pdu.
838 *******************************************************************/
839
840 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
841 {
842         RPC_HDR fault_hdr;
843         RPC_HDR_RESP hdr_resp;
844         RPC_HDR_FAULT fault_resp;
845
846         /* Free any memory in the current return data buffer. */
847         prs_mem_free(&p->out_data.rdata);
848
849         /*
850          * Marshall directly into the outgoing PDU space. We
851          * must do this as we need to set to the bind response
852          * header and are never sending more than one PDU here.
853          */
854
855         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
856
857         /*
858          * Initialize a fault header.
859          */
860
861         init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
862             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
863
864         /*
865          * Initialize the HDR_RESP and FAULT parts of the PDU.
866          */
867
868         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
869
870         fault_resp.status = status;
871         fault_resp.reserved = 0;
872
873         /*
874          * Marshall the header into the outgoing PDU.
875          */
876
877         if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
878                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
879                 prs_mem_free(&p->out_data.frag);
880                 return False;
881         }
882
883         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
884                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
885                 prs_mem_free(&p->out_data.frag);
886                 return False;
887         }
888
889         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
890                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
891                 prs_mem_free(&p->out_data.frag);
892                 return False;
893         }
894
895         p->out_data.data_sent_length = 0;
896         p->out_data.current_pdu_sent = 0;
897
898         return True;
899 }
900
901 #if 0
902 /*******************************************************************
903  Marshall a cancel_ack pdu.
904  We should probably check the auth-verifier here.
905 *******************************************************************/
906
907 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
908 {
909         prs_struct outgoing_pdu;
910         RPC_HDR ack_reply_hdr;
911
912         /* Free any memory in the current return data buffer. */
913         prs_mem_free(&p->out_data.rdata);
914
915         /*
916          * Marshall directly into the outgoing PDU space. We
917          * must do this as we need to set to the bind response
918          * header and are never sending more than one PDU here.
919          */
920
921         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
922         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
923
924         /*
925          * Initialize a cancel_ack header.
926          */
927
928         init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
929                         p->hdr.call_id, RPC_HEADER_LEN, 0);
930
931         /*
932          * Marshall the header into the outgoing PDU.
933          */
934
935         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
936                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
937                 prs_mem_free(&outgoing_pdu);
938                 return False;
939         }
940
941         p->out_data.data_sent_length = 0;
942         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
943         p->out_data.current_pdu_sent = 0;
944
945         prs_mem_free(&outgoing_pdu);
946         return True;
947 }
948 #endif
949
950 /*******************************************************************
951  Ensure a bind request has the correct abstract & transfer interface.
952  Used to reject unknown binds from Win2k.
953 *******************************************************************/
954
955 static bool check_bind_req(struct pipes_struct *p,
956                            struct ndr_syntax_id* abstract,
957                            struct ndr_syntax_id* transfer,
958                            uint32 context_id)
959 {
960         int i=0;
961         struct pipe_rpc_fns *context_fns;
962
963         DEBUG(3,("check_bind_req for %s\n",
964                  get_pipe_name_from_iface(&p->syntax)));
965
966         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
967
968         for (i=0; i<rpc_lookup_size; i++) {
969                 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
970                 if (ndr_syntax_id_equal(
971                             abstract, &rpc_lookup[i].rpc_interface)
972                     && ndr_syntax_id_equal(
973                             transfer, &ndr_transfer_syntax)) {
974                         break;
975                 }
976         }
977
978         if (i == rpc_lookup_size) {
979                 return false;
980         }
981
982         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
983         if (context_fns == NULL) {
984                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
985                 return False;
986         }
987
988         context_fns->cmds = rpc_lookup[i].cmds;
989         context_fns->n_cmds = rpc_lookup[i].n_cmds;
990         context_fns->context_id = context_id;
991
992         /* add to the list of open contexts */
993
994         DLIST_ADD( p->contexts, context_fns );
995
996         return True;
997 }
998
999 /*******************************************************************
1000  Register commands to an RPC pipe
1001 *******************************************************************/
1002
1003 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1004                           const struct ndr_interface_table *iface,
1005                           const struct api_struct *cmds, int size)
1006 {
1007         struct rpc_table *rpc_entry;
1008
1009         if (!clnt || !srv || !cmds) {
1010                 return NT_STATUS_INVALID_PARAMETER;
1011         }
1012
1013         if (version != SMB_RPC_INTERFACE_VERSION) {
1014                 DEBUG(0,("Can't register rpc commands!\n"
1015                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1016                          ", while this version of samba uses version %d!\n", 
1017                          version,SMB_RPC_INTERFACE_VERSION));
1018                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1019         }
1020
1021         /* TODO: 
1022          *
1023          * we still need to make sure that don't register the same commands twice!!!
1024          * 
1025          * --metze
1026          */
1027
1028         /* We use a temporary variable because this call can fail and 
1029            rpc_lookup will still be valid afterwards.  It could then succeed if
1030            called again later */
1031         rpc_lookup_size++;
1032         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1033         if (NULL == rpc_entry) {
1034                 rpc_lookup_size--;
1035                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1036                 return NT_STATUS_NO_MEMORY;
1037         } else {
1038                 rpc_lookup = rpc_entry;
1039         }
1040
1041         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1042         ZERO_STRUCTP(rpc_entry);
1043         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1044         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1045         rpc_entry->rpc_interface = iface->syntax_id;
1046         rpc_entry->cmds = cmds;
1047         rpc_entry->n_cmds = size;
1048
1049         return NT_STATUS_OK;
1050 }
1051
1052 /**
1053  * Is a named pipe known?
1054  * @param[in] cli_filename      The pipe name requested by the client
1055  * @result                      Do we want to serve this?
1056  */
1057 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1058 {
1059         const char *pipename = cli_filename;
1060         int i;
1061
1062         if (strnequal(pipename, "\\PIPE\\", 6)) {
1063                 pipename += 5;
1064         }
1065
1066         if (*pipename == '\\') {
1067                 pipename += 1;
1068         }
1069
1070         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1071                 DEBUG(10, ("refusing spoolss access\n"));
1072                 return false;
1073         }
1074
1075         for (i=0; i<rpc_lookup_size; i++) {
1076                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1077                         *syntax = rpc_lookup[i].rpc_interface;
1078                         return true;
1079                 }
1080         }
1081
1082         DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1083         return false;
1084 }
1085
1086 /*******************************************************************
1087  Handle a SPNEGO krb5 bind auth.
1088 *******************************************************************/
1089
1090 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1091                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1092 {
1093         return False;
1094 }
1095
1096 /*******************************************************************
1097  Handle the first part of a SPNEGO bind auth.
1098 *******************************************************************/
1099
1100 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1101                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1102 {
1103         DATA_BLOB blob;
1104         DATA_BLOB secblob;
1105         DATA_BLOB response;
1106         DATA_BLOB chal;
1107         char *OIDs[ASN1_MAX_OIDS];
1108         int i;
1109         NTSTATUS status;
1110         bool got_kerberos_mechanism = false;
1111         AUTH_NTLMSSP_STATE *a = NULL;
1112         RPC_HDR_AUTH auth_info;
1113
1114         ZERO_STRUCT(secblob);
1115         ZERO_STRUCT(chal);
1116         ZERO_STRUCT(response);
1117
1118         /* Grab the SPNEGO blob. */
1119         blob = data_blob(NULL,p->hdr.auth_len);
1120
1121         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1122                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1123                         (unsigned int)p->hdr.auth_len ));
1124                 goto err;
1125         }
1126
1127         if (blob.data[0] != ASN1_APPLICATION(0)) {
1128                 goto err;
1129         }
1130
1131         /* parse out the OIDs and the first sec blob */
1132         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1133                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1134                 goto err;
1135         }
1136
1137         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1138                 got_kerberos_mechanism = true;
1139         }
1140
1141         for (i=0;OIDs[i];i++) {
1142                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1143                 TALLOC_FREE(OIDs[i]);
1144         }
1145         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1146
1147         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1148                 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1149                 data_blob_free(&secblob);
1150                 data_blob_free(&blob);
1151                 return ret;
1152         }
1153
1154         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1155                 /* Free any previous auth type. */
1156                 free_pipe_ntlmssp_auth_data(&p->auth);
1157         }
1158
1159         if (!got_kerberos_mechanism) {
1160                 /* Initialize the NTLM engine. */
1161                 status = auth_ntlmssp_start(&a);
1162                 if (!NT_STATUS_IS_OK(status)) {
1163                         goto err;
1164                 }
1165
1166                 /*
1167                  * Pass the first security blob of data to it.
1168                  * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1169                  * which means we need another packet to complete the bind.
1170                  */
1171
1172                 status = auth_ntlmssp_update(a, secblob, &chal);
1173
1174                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1175                         DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1176                         goto err;
1177                 }
1178
1179                 /* Generate the response blob we need for step 2 of the bind. */
1180                 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1181         } else {
1182                 /*
1183                  * SPNEGO negotiate down to NTLMSSP. The subsequent
1184                  * code to process follow-up packets is not complete
1185                  * yet. JRA.
1186                  */
1187                 response = spnego_gen_auth_response(NULL,
1188                                         NT_STATUS_MORE_PROCESSING_REQUIRED,
1189                                         OID_NTLMSSP);
1190         }
1191
1192         /* Copy the blob into the pout_auth parse struct */
1193         init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1194         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1195                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1196                 goto err;
1197         }
1198
1199         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1200                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1201                 goto err;
1202         }
1203
1204         p->auth.a_u.auth_ntlmssp_state = a;
1205         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1206         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1207
1208         data_blob_free(&blob);
1209         data_blob_free(&secblob);
1210         data_blob_free(&chal);
1211         data_blob_free(&response);
1212
1213         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1214         return True;
1215
1216  err:
1217
1218         data_blob_free(&blob);
1219         data_blob_free(&secblob);
1220         data_blob_free(&chal);
1221         data_blob_free(&response);
1222
1223         p->auth.a_u.auth_ntlmssp_state = NULL;
1224
1225         return False;
1226 }
1227
1228 /*******************************************************************
1229  Handle the second part of a SPNEGO bind auth.
1230 *******************************************************************/
1231
1232 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1233                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1234 {
1235         RPC_HDR_AUTH auth_info;
1236         DATA_BLOB spnego_blob;
1237         DATA_BLOB auth_blob;
1238         DATA_BLOB auth_reply;
1239         DATA_BLOB response;
1240         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1241
1242         ZERO_STRUCT(spnego_blob);
1243         ZERO_STRUCT(auth_blob);
1244         ZERO_STRUCT(auth_reply);
1245         ZERO_STRUCT(response);
1246
1247         /*
1248          * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1249          * fail here as 'a' == NULL.
1250          */
1251         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1252                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1253                 goto err;
1254         }
1255
1256         /* Grab the SPNEGO blob. */
1257         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1258
1259         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1260                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1261                         (unsigned int)p->hdr.auth_len ));
1262                 goto err;
1263         }
1264
1265         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1266                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1267                 goto err;
1268         }
1269
1270         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1271                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1272                 goto err;
1273         }
1274
1275         /*
1276          * The following call actually checks the challenge/response data.
1277          * for correctness against the given DOMAIN\user name.
1278          */
1279
1280         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1281                 goto err;
1282         }
1283
1284         data_blob_free(&spnego_blob);
1285         data_blob_free(&auth_blob);
1286
1287         /* Generate the spnego "accept completed" blob - no incoming data. */
1288         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1289
1290         /* Copy the blob into the pout_auth parse struct */
1291         init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1292         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1293                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1294                 goto err;
1295         }
1296
1297         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1298                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1299                 goto err;
1300         }
1301
1302         data_blob_free(&auth_reply);
1303         data_blob_free(&response);
1304
1305         p->pipe_bound = True;
1306
1307         return True;
1308
1309  err:
1310
1311         data_blob_free(&spnego_blob);
1312         data_blob_free(&auth_blob);
1313         data_blob_free(&auth_reply);
1314         data_blob_free(&response);
1315
1316         free_pipe_ntlmssp_auth_data(&p->auth);
1317         p->auth.a_u.auth_ntlmssp_state = NULL;
1318
1319         return False;
1320 }
1321
1322 /*******************************************************************
1323  Handle an schannel bind auth.
1324 *******************************************************************/
1325
1326 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1327                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1328 {
1329         RPC_HDR_AUTH auth_info;
1330         struct NL_AUTH_MESSAGE neg;
1331         RPC_AUTH_VERIFIER auth_verifier;
1332         bool ret;
1333         NTSTATUS status;
1334         struct netlogon_creds_CredentialState *creds;
1335         uint32 flags;
1336         DATA_BLOB session_key;
1337         enum ndr_err_code ndr_err;
1338         DATA_BLOB blob;
1339
1340         blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1341                                prs_data_size(rpc_in_p));
1342
1343         ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1344                                (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1345         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1346                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1347                 return false;
1348         }
1349
1350         if (DEBUGLEVEL >= 10) {
1351                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1352         }
1353
1354         if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1355                 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1356                 return false;
1357         }
1358
1359         /*
1360          * The neg.oem_netbios_computer.a key here must match the remote computer name
1361          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1362          * operations that use credentials.
1363          */
1364
1365         become_root();
1366         status = schannel_fetch_session_key(p->mem_ctx,
1367                                             neg.oem_netbios_computer.a,
1368                                             &creds);
1369         unbecome_root();
1370
1371         if (!NT_STATUS_IS_OK(status)) {
1372                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1373                 return False;
1374         }
1375
1376         p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
1377         if (!p->auth.a_u.schannel_auth) {
1378                 TALLOC_FREE(creds);
1379                 return False;
1380         }
1381
1382         memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1383         memcpy(p->auth.a_u.schannel_auth->sess_key, creds->session_key,
1384                         sizeof(creds->session_key));
1385
1386         TALLOC_FREE(creds);
1387
1388         p->auth.a_u.schannel_auth->seq_num = 0;
1389
1390         /*
1391          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1392          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1393          * struct of the person who opened the pipe. I need to test this further. JRA.
1394          *
1395          * VL. As we are mapping this to guest set the generic key
1396          * "SystemLibraryDTC" key here. It's a bit difficult to test against
1397          * W2k3, as it does not allow schannel binds against SAMR and LSA
1398          * anymore.
1399          */
1400
1401         session_key = generic_session_key();
1402         if (session_key.data == NULL) {
1403                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1404                           " key\n"));
1405                 return false;
1406         }
1407
1408         ret = server_info_set_session_key(p->server_info, session_key);
1409
1410         data_blob_free(&session_key);
1411
1412         if (!ret) {
1413                 DEBUG(0, ("server_info_set_session_key failed\n"));
1414                 return false;
1415         }
1416
1417         init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1418         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1419                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1420                 return False;
1421         }
1422
1423         /*** SCHANNEL verifier ***/
1424
1425         init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1426         if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1427                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1428                 return False;
1429         }
1430
1431         prs_align(pout_auth);
1432
1433         flags = 5;
1434         if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1435                 return False;
1436         }
1437
1438         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1439                 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1440
1441         /* We're finished with this bind - no more packets. */
1442         p->auth.auth_data_free_func = NULL;
1443         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1444
1445         p->pipe_bound = True;
1446
1447         return True;
1448 }
1449
1450 /*******************************************************************
1451  Handle an NTLMSSP bind auth.
1452 *******************************************************************/
1453
1454 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1455                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1456 {
1457         RPC_HDR_AUTH auth_info;
1458         DATA_BLOB blob;
1459         DATA_BLOB response;
1460         NTSTATUS status;
1461         AUTH_NTLMSSP_STATE *a = NULL;
1462
1463         ZERO_STRUCT(blob);
1464         ZERO_STRUCT(response);
1465
1466         /* Grab the NTLMSSP blob. */
1467         blob = data_blob(NULL,p->hdr.auth_len);
1468
1469         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1470                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1471                         (unsigned int)p->hdr.auth_len ));
1472                 goto err;
1473         }
1474
1475         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1476                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1477                 goto err;
1478         }
1479
1480         /* We have an NTLMSSP blob. */
1481         status = auth_ntlmssp_start(&a);
1482         if (!NT_STATUS_IS_OK(status)) {
1483                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1484                         nt_errstr(status) ));
1485                 goto err;
1486         }
1487
1488         status = auth_ntlmssp_update(a, blob, &response);
1489         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1490                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1491                         nt_errstr(status) ));
1492                 goto err;
1493         }
1494
1495         data_blob_free(&blob);
1496
1497         /* Copy the blob into the pout_auth parse struct */
1498         init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1499         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1500                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1501                 goto err;
1502         }
1503
1504         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1505                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1506                 goto err;
1507         }
1508
1509         p->auth.a_u.auth_ntlmssp_state = a;
1510         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1511         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1512
1513         data_blob_free(&blob);
1514         data_blob_free(&response);
1515
1516         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1517
1518         /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1519         return True;
1520
1521   err:
1522
1523         data_blob_free(&blob);
1524         data_blob_free(&response);
1525
1526         free_pipe_ntlmssp_auth_data(&p->auth);
1527         p->auth.a_u.auth_ntlmssp_state = NULL;
1528         return False;
1529 }
1530
1531 /*******************************************************************
1532  Respond to a pipe bind request.
1533 *******************************************************************/
1534
1535 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1536 {
1537         RPC_HDR_BA hdr_ba;
1538         RPC_HDR_RB hdr_rb;
1539         RPC_HDR_AUTH auth_info;
1540         uint16 assoc_gid;
1541         fstring ack_pipe_name;
1542         prs_struct out_hdr_ba;
1543         prs_struct out_auth;
1544         int i = 0;
1545         int auth_len = 0;
1546         unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1547
1548         /* No rebinds on a bound pipe - use alter context. */
1549         if (p->pipe_bound) {
1550                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1551                          "pipe %s.\n", get_pipe_name_from_iface(&p->syntax)));
1552                 return setup_bind_nak(p);
1553         }
1554
1555         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1556
1557         /* 
1558          * Marshall directly into the outgoing PDU space. We
1559          * must do this as we need to set to the bind response
1560          * header and are never sending more than one PDU here.
1561          */
1562
1563         /*
1564          * Setup the memory to marshall the ba header, and the
1565          * auth footers.
1566          */
1567
1568         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1569                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1570                 prs_mem_free(&p->out_data.frag);
1571                 return False;
1572         }
1573
1574         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1575                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1576                 prs_mem_free(&p->out_data.frag);
1577                 prs_mem_free(&out_hdr_ba);
1578                 return False;
1579         }
1580
1581         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1582
1583         ZERO_STRUCT(hdr_rb);
1584
1585         /* decode the bind request */
1586
1587         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1588                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1589                          "struct.\n"));
1590                 goto err_exit;
1591         }
1592
1593         if (hdr_rb.num_contexts == 0) {
1594                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1595                 goto err_exit;
1596         }
1597
1598         /*
1599          * Try and find the correct pipe name to ensure
1600          * that this is a pipe name we support.
1601          */
1602
1603         for (i = 0; i < rpc_lookup_size; i++) {
1604                 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1605                                         &hdr_rb.rpc_context[0].abstract)) {
1606                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1607                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1608                         break;
1609                 }
1610         }
1611
1612         if (i == rpc_lookup_size) {
1613                 NTSTATUS status;
1614
1615                 status = smb_probe_module(
1616                         "rpc", get_pipe_name_from_iface(
1617                                 &hdr_rb.rpc_context[0].abstract));
1618
1619                 if (NT_STATUS_IS_ERR(status)) {
1620                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1621                                 get_pipe_name_from_iface(&hdr_rb.rpc_context[0].abstract)));
1622                         prs_mem_free(&p->out_data.frag);
1623                         prs_mem_free(&out_hdr_ba);
1624                         prs_mem_free(&out_auth);
1625
1626                         return setup_bind_nak(p);
1627                 }
1628
1629                 for (i = 0; i < rpc_lookup_size; i++) {
1630                        if (strequal(rpc_lookup[i].pipe.clnt,
1631                                     get_pipe_name_from_iface(&p->syntax))) {
1632                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1633                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1634                                break;
1635                        }
1636                 }
1637
1638                 if (i == rpc_lookup_size) {
1639                         DEBUG(0, ("module %s doesn't provide functions for "
1640                                   "pipe %s!\n",
1641                                   get_pipe_name_from_iface(&p->syntax),
1642                                   get_pipe_name_from_iface(&p->syntax)));
1643                         goto err_exit;
1644                 }
1645         }
1646
1647         /* name has to be \PIPE\xxxxx */
1648         fstrcpy(ack_pipe_name, "\\PIPE\\");
1649         fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1650
1651         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1652
1653         /*
1654          * Check if this is an authenticated bind request.
1655          */
1656
1657         if (p->hdr.auth_len) {
1658                 /* 
1659                  * Decode the authentication verifier.
1660                  */
1661
1662                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1663                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1664                         goto err_exit;
1665                 }
1666
1667                 auth_type = auth_info.auth_type;
1668
1669                 /* Work out if we have to sign or seal etc. */
1670                 switch (auth_info.auth_level) {
1671                         case RPC_AUTH_LEVEL_INTEGRITY:
1672                                 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1673                                 break;
1674                         case RPC_AUTH_LEVEL_PRIVACY:
1675                                 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1676                                 break;
1677                         default:
1678                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1679                                         (unsigned int)auth_info.auth_level ));
1680                                 goto err_exit;
1681                 }
1682         } else {
1683                 ZERO_STRUCT(auth_info);
1684         }
1685
1686         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1687
1688         switch(auth_type) {
1689                 case RPC_NTLMSSP_AUTH_TYPE:
1690                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1691                                 goto err_exit;
1692                         }
1693                         assoc_gid = 0x7a77;
1694                         break;
1695
1696                 case RPC_SCHANNEL_AUTH_TYPE:
1697                         if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1698                                 goto err_exit;
1699                         }
1700                         break;
1701
1702                 case RPC_SPNEGO_AUTH_TYPE:
1703                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1704                                 goto err_exit;
1705                         }
1706                         break;
1707
1708                 case RPC_ANONYMOUS_AUTH_TYPE:
1709                         /* Unauthenticated bind request. */
1710                         /* We're finished - no more packets. */
1711                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1712                         /* We must set the pipe auth_level here also. */
1713                         p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1714                         p->pipe_bound = True;
1715                         /* The session key was initialized from the SMB
1716                          * session in make_internal_rpc_pipe_p */
1717                         break;
1718
1719                 default:
1720                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1721                         goto err_exit;
1722         }
1723
1724         /*
1725          * Create the bind response struct.
1726          */
1727
1728         /* If the requested abstract synt uuid doesn't match our client pipe,
1729                 reject the bind_ack & set the transfer interface synt to all 0's,
1730                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1731                 unknown to NT4)
1732                 Needed when adding entries to a DACL from NT5 - SK */
1733
1734         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1735                                 hdr_rb.rpc_context[0].context_id )) {
1736                 init_rpc_hdr_ba(&hdr_ba,
1737                         RPC_MAX_PDU_FRAG_LEN,
1738                         RPC_MAX_PDU_FRAG_LEN,
1739                         assoc_gid,
1740                         ack_pipe_name,
1741                         0x1, 0x0, 0x0,
1742                         &hdr_rb.rpc_context[0].transfer[0]);
1743         } else {
1744                 /* Rejection reason: abstract syntax not supported */
1745                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1746                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1747                                         ack_pipe_name, 0x1, 0x2, 0x1,
1748                                         &null_ndr_syntax_id);
1749                 p->pipe_bound = False;
1750         }
1751
1752         /*
1753          * and marshall it.
1754          */
1755
1756         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1757                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1758                 goto err_exit;
1759         }
1760
1761         /*
1762          * Create the header, now we know the length.
1763          */
1764
1765         if (prs_offset(&out_auth)) {
1766                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1767         }
1768
1769         init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1770                         p->hdr.call_id,
1771                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1772                         auth_len);
1773
1774         /*
1775          * Marshall the header into the outgoing PDU.
1776          */
1777
1778         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1779                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1780                 goto err_exit;
1781         }
1782
1783         /*
1784          * Now add the RPC_HDR_BA and any auth needed.
1785          */
1786
1787         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1788                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1789                 goto err_exit;
1790         }
1791
1792         if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1793                 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1794                 goto err_exit;
1795         }
1796
1797         /*
1798          * Setup the lengths for the initial reply.
1799          */
1800
1801         p->out_data.data_sent_length = 0;
1802         p->out_data.current_pdu_sent = 0;
1803
1804         prs_mem_free(&out_hdr_ba);
1805         prs_mem_free(&out_auth);
1806
1807         return True;
1808
1809   err_exit:
1810
1811         prs_mem_free(&p->out_data.frag);
1812         prs_mem_free(&out_hdr_ba);
1813         prs_mem_free(&out_auth);
1814         return setup_bind_nak(p);
1815 }
1816
1817 /****************************************************************************
1818  Deal with an alter context call. Can be third part of 3 leg auth request for
1819  SPNEGO calls.
1820 ****************************************************************************/
1821
1822 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1823 {
1824         RPC_HDR_BA hdr_ba;
1825         RPC_HDR_RB hdr_rb;
1826         RPC_HDR_AUTH auth_info;
1827         uint16 assoc_gid;
1828         fstring ack_pipe_name;
1829         prs_struct out_hdr_ba;
1830         prs_struct out_auth;
1831         int auth_len = 0;
1832
1833         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1834
1835         /* 
1836          * Marshall directly into the outgoing PDU space. We
1837          * must do this as we need to set to the bind response
1838          * header and are never sending more than one PDU here.
1839          */
1840
1841         /*
1842          * Setup the memory to marshall the ba header, and the
1843          * auth footers.
1844          */
1845
1846         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1847                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1848                 prs_mem_free(&p->out_data.frag);
1849                 return False;
1850         }
1851
1852         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1853                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1854                 prs_mem_free(&p->out_data.frag);
1855                 prs_mem_free(&out_hdr_ba);
1856                 return False;
1857         }
1858
1859         ZERO_STRUCT(hdr_rb);
1860
1861         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1862
1863         /* decode the alter context request */
1864         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1865                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1866                 goto err_exit;
1867         }
1868
1869         /* secondary address CAN be NULL
1870          * as the specs say it's ignored.
1871          * It MUST be NULL to have the spoolss working.
1872          */
1873         fstrcpy(ack_pipe_name,"");
1874
1875         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1876
1877         /*
1878          * Check if this is an authenticated alter context request.
1879          */
1880
1881         if (p->hdr.auth_len != 0) {
1882                 /* 
1883                  * Decode the authentication verifier.
1884                  */
1885
1886                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1887                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1888                         goto err_exit;
1889                 }
1890
1891                 /*
1892                  * Currently only the SPNEGO auth type uses the alter ctx
1893                  * response in place of the NTLMSSP auth3 type.
1894                  */
1895
1896                 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1897                         /* We can only finish if the pipe is unbound. */
1898                         if (!p->pipe_bound) {
1899                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1900                                         goto err_exit;
1901                                 }
1902                         } else {
1903                                 goto err_exit;
1904                         }
1905                 }
1906         } else {
1907                 ZERO_STRUCT(auth_info);
1908         }
1909
1910         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1911
1912         /*
1913          * Create the bind response struct.
1914          */
1915
1916         /* If the requested abstract synt uuid doesn't match our client pipe,
1917                 reject the bind_ack & set the transfer interface synt to all 0's,
1918                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1919                 unknown to NT4)
1920                 Needed when adding entries to a DACL from NT5 - SK */
1921
1922         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1923                                 hdr_rb.rpc_context[0].context_id )) {
1924                 init_rpc_hdr_ba(&hdr_ba,
1925                         RPC_MAX_PDU_FRAG_LEN,
1926                         RPC_MAX_PDU_FRAG_LEN,
1927                         assoc_gid,
1928                         ack_pipe_name,
1929                         0x1, 0x0, 0x0,
1930                         &hdr_rb.rpc_context[0].transfer[0]);
1931         } else {
1932                 /* Rejection reason: abstract syntax not supported */
1933                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1934                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1935                                         ack_pipe_name, 0x1, 0x2, 0x1,
1936                                         &null_ndr_syntax_id);
1937                 p->pipe_bound = False;
1938         }
1939
1940         /*
1941          * and marshall it.
1942          */
1943
1944         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1945                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1946                 goto err_exit;
1947         }
1948
1949         /*
1950          * Create the header, now we know the length.
1951          */
1952
1953         if (prs_offset(&out_auth)) {
1954                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1955         }
1956
1957         init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1958                         p->hdr.call_id,
1959                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1960                         auth_len);
1961
1962         /*
1963          * Marshall the header into the outgoing PDU.
1964          */
1965
1966         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1967                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1968                 goto err_exit;
1969         }
1970
1971         /*
1972          * Now add the RPC_HDR_BA and any auth needed.
1973          */
1974
1975         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1976                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1977                 goto err_exit;
1978         }
1979
1980         if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) {
1981                 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1982                 goto err_exit;
1983         }
1984
1985         /*
1986          * Setup the lengths for the initial reply.
1987          */
1988
1989         p->out_data.data_sent_length = 0;
1990         p->out_data.current_pdu_sent = 0;
1991
1992         prs_mem_free(&out_hdr_ba);
1993         prs_mem_free(&out_auth);
1994
1995         return True;
1996
1997   err_exit:
1998
1999         prs_mem_free(&p->out_data.frag);
2000         prs_mem_free(&out_hdr_ba);
2001         prs_mem_free(&out_auth);
2002         return setup_bind_nak(p);
2003 }
2004
2005 /****************************************************************************
2006  Deal with NTLMSSP sign & seal processing on an RPC request.
2007 ****************************************************************************/
2008
2009 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2010                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2011 {
2012         RPC_HDR_AUTH auth_info;
2013         uint32 auth_len = p->hdr.auth_len;
2014         uint32 save_offset = prs_offset(rpc_in);
2015         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2016         unsigned char *data = NULL;
2017         size_t data_len;
2018         unsigned char *full_packet_data = NULL;
2019         size_t full_packet_data_len;
2020         DATA_BLOB auth_blob;
2021
2022         *pstatus = NT_STATUS_OK;
2023
2024         if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
2025                 return True;
2026         }
2027
2028         if (!a) {
2029                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2030                 return False;
2031         }
2032
2033         /* Ensure there's enough data for an authenticated request. */
2034         if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2035                         (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2036                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2037                         (unsigned int)auth_len ));
2038                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2039                 return False;
2040         }
2041
2042         /*
2043          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2044          * after the RPC header. 
2045          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2046          * functions as NTLMv2 checks the rpc headers also.
2047          */
2048
2049         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2050         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2051
2052         full_packet_data = p->in_data.current_in_pdu;
2053         full_packet_data_len = p->hdr.frag_len - auth_len;
2054
2055         /* Pull the auth header and the following data into a blob. */
2056         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2057                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2058                         (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2059                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2060                 return False;
2061         }
2062
2063         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2064                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2065                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2066                 return False;
2067         }
2068
2069         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2070         auth_blob.length = auth_len;
2071
2072         switch (p->auth.auth_level) {
2073                 case PIPE_AUTH_LEVEL_PRIVACY:
2074                         /* Data is encrypted. */
2075                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2076                                                         data, data_len,
2077                                                         full_packet_data,
2078                                                         full_packet_data_len,
2079                                                         &auth_blob);
2080                         if (!NT_STATUS_IS_OK(*pstatus)) {
2081                                 return False;
2082                         }
2083                         break;
2084                 case PIPE_AUTH_LEVEL_INTEGRITY:
2085                         /* Data is signed. */
2086                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2087                                                         data, data_len,
2088                                                         full_packet_data,
2089                                                         full_packet_data_len,
2090                                                         &auth_blob);
2091                         if (!NT_STATUS_IS_OK(*pstatus)) {
2092                                 return False;
2093                         }
2094                         break;
2095                 default:
2096                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2097                         return False;
2098         }
2099
2100         /*
2101          * Return the current pointer to the data offset.
2102          */
2103
2104         if(!prs_set_offset(rpc_in, save_offset)) {
2105                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2106                         (unsigned int)save_offset ));
2107                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2108                 return False;
2109         }
2110
2111         /*
2112          * Remember the padding length. We must remove it from the real data
2113          * stream once the sign/seal is done.
2114          */
2115
2116         *p_ss_padding_len = auth_info.auth_pad_len;
2117
2118         return True;
2119 }
2120
2121 /****************************************************************************
2122  Deal with schannel processing on an RPC request.
2123 ****************************************************************************/
2124
2125 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2126 {
2127         uint32 data_len;
2128         uint32 auth_len;
2129         uint32 save_offset = prs_offset(rpc_in);
2130         RPC_HDR_AUTH auth_info;
2131         RPC_AUTH_SCHANNEL_CHK schannel_chk;
2132
2133         auth_len = p->hdr.auth_len;
2134
2135         if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2136                         auth_len > RPC_HEADER_LEN +
2137                                         RPC_HDR_REQ_LEN +
2138                                         RPC_HDR_AUTH_LEN +
2139                                         auth_len) {
2140                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2141                 return False;
2142         }
2143
2144         /*
2145          * The following is that length of the data we must verify or unseal.
2146          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2147          * preceeding the auth_data.
2148          */
2149
2150         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2151                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2152                         (unsigned int)p->hdr.frag_len,
2153                         (unsigned int)auth_len ));
2154                 return False;
2155         }
2156
2157         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2158                 RPC_HDR_AUTH_LEN - auth_len;
2159
2160         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2161
2162         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2163                 DEBUG(0,("cannot move offset to %u.\n",
2164                          (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2165                 return False;
2166         }
2167
2168         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2169                 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2170                 return False;
2171         }
2172
2173         if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2174                 DEBUG(0,("Invalid auth info %d on schannel\n",
2175                          auth_info.auth_type));
2176                 return False;
2177         }
2178
2179         if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2180                 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2181                 return False;
2182         }
2183
2184         if (!schannel_decode(p->auth.a_u.schannel_auth,
2185                            p->auth.auth_level,
2186                            SENDER_IS_INITIATOR,
2187                            &schannel_chk,
2188                            prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2189                 DEBUG(3,("failed to decode PDU\n"));
2190                 return False;
2191         }
2192
2193         /*
2194          * Return the current pointer to the data offset.
2195          */
2196
2197         if(!prs_set_offset(rpc_in, save_offset)) {
2198                 DEBUG(0,("failed to set offset back to %u\n",
2199                          (unsigned int)save_offset ));
2200                 return False;
2201         }
2202
2203         /* The sequence number gets incremented on both send and receive. */
2204         p->auth.a_u.schannel_auth->seq_num++;
2205
2206         /*
2207          * Remember the padding length. We must remove it from the real data
2208          * stream once the sign/seal is done.
2209          */
2210
2211         *p_ss_padding_len = auth_info.auth_pad_len;
2212
2213         return True;
2214 }
2215
2216 /****************************************************************************
2217  Find the set of RPC functions associated with this context_id
2218 ****************************************************************************/
2219
2220 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2221 {
2222         PIPE_RPC_FNS *fns = NULL;
2223
2224         if ( !list ) {
2225                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2226                 return NULL;
2227         }
2228
2229         for (fns=list; fns; fns=fns->next ) {
2230                 if ( fns->context_id == context_id )
2231                         return fns;
2232         }
2233         return NULL;
2234 }
2235
2236 /****************************************************************************
2237  Memory cleanup.
2238 ****************************************************************************/
2239
2240 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2241 {
2242         PIPE_RPC_FNS *tmp = list;
2243         PIPE_RPC_FNS *tmp2;
2244
2245         while (tmp) {
2246                 tmp2 = tmp->next;
2247                 SAFE_FREE(tmp);
2248                 tmp = tmp2;
2249         }
2250
2251         return; 
2252 }
2253
2254 static bool api_rpcTNP(pipes_struct *p,
2255                        const struct api_struct *api_rpc_cmds, int n_cmds);
2256
2257 /****************************************************************************
2258  Find the correct RPC function to call for this request.
2259  If the pipe is authenticated then become the correct UNIX user
2260  before doing the call.
2261 ****************************************************************************/
2262
2263 bool api_pipe_request(pipes_struct *p)
2264 {
2265         bool ret = False;
2266         bool changed_user = False;
2267         PIPE_RPC_FNS *pipe_fns;
2268
2269         if (p->pipe_bound &&
2270                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2271                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2272                 if(!become_authenticated_pipe_user(p)) {
2273                         prs_mem_free(&p->out_data.rdata);
2274                         return False;
2275                 }
2276                 changed_user = True;
2277         }
2278
2279         DEBUG(5, ("Requested \\PIPE\\%s\n",
2280                   get_pipe_name_from_iface(&p->syntax)));
2281
2282         /* get the set of RPC functions for this context */
2283
2284         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2285
2286         if ( pipe_fns ) {
2287                 TALLOC_CTX *frame = talloc_stackframe();
2288                 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2289                 TALLOC_FREE(frame);
2290         }
2291         else {
2292                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2293                         p->hdr_req.context_id,
2294                         get_pipe_name_from_iface(&p->syntax)));
2295         }
2296
2297         if (changed_user) {
2298                 unbecome_authenticated_pipe_user();
2299         }
2300
2301         return ret;
2302 }
2303
2304 /*******************************************************************
2305  Calls the underlying RPC function for a named pipe.
2306  ********************************************************************/
2307
2308 static bool api_rpcTNP(pipes_struct *p,
2309                        const struct api_struct *api_rpc_cmds, int n_cmds)
2310 {
2311         int fn_num;
2312         uint32 offset1, offset2;
2313
2314         /* interpret the command */
2315         DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2316                  get_pipe_name_from_iface(&p->syntax), p->hdr_req.opnum));
2317
2318         if (DEBUGLEVEL >= 50) {
2319                 fstring name;
2320                 slprintf(name, sizeof(name)-1, "in_%s",
2321                          get_pipe_name_from_iface(&p->syntax));
2322                 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2323         }
2324
2325         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2326                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2327                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2328                         break;
2329                 }
2330         }
2331
2332         if (fn_num == n_cmds) {
2333                 /*
2334                  * For an unknown RPC just return a fault PDU but
2335                  * return True to allow RPC's on the pipe to continue
2336                  * and not put the pipe into fault state. JRA.
2337                  */
2338                 DEBUG(4, ("unknown\n"));
2339                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2340                 return True;
2341         }
2342
2343         offset1 = prs_offset(&p->out_data.rdata);
2344
2345         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2346                 fn_num, api_rpc_cmds[fn_num].fn));
2347         /* do the actual command */
2348         if(!api_rpc_cmds[fn_num].fn(p)) {
2349                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2350                          get_pipe_name_from_iface(&p->syntax),
2351                          api_rpc_cmds[fn_num].name));
2352                 prs_mem_free(&p->out_data.rdata);
2353                 return False;
2354         }
2355
2356         if (p->bad_handle_fault_state) {
2357                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2358                 p->bad_handle_fault_state = False;
2359                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2360                 return True;
2361         }
2362
2363         if (p->rng_fault_state) {
2364                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2365                 p->rng_fault_state = False;
2366                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2367                 return True;
2368         }
2369
2370         offset2 = prs_offset(&p->out_data.rdata);
2371         prs_set_offset(&p->out_data.rdata, offset1);
2372         if (DEBUGLEVEL >= 50) {
2373                 fstring name;
2374                 slprintf(name, sizeof(name)-1, "out_%s",
2375                          get_pipe_name_from_iface(&p->syntax));
2376                 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2377         }
2378         prs_set_offset(&p->out_data.rdata, offset2);
2379
2380         DEBUG(5,("api_rpcTNP: called %s successfully\n",
2381                  get_pipe_name_from_iface(&p->syntax)));
2382
2383         /* Check for buffer underflow in rpc parsing */
2384
2385         if ((DEBUGLEVEL >= 10) && 
2386             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2387                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2388                 char *data = (char *)SMB_MALLOC(data_len);
2389
2390                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2391                 if (data) {
2392                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2393                         SAFE_FREE(data);
2394                 }
2395
2396         }
2397
2398         return True;
2399 }