srv_pipe.c doesn't reference current_user anymore. Remove it.
[ira/wip.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31 #include "../librpc/gen_ndr/ndr_schannel.h"
32 #include "../libcli/auth/schannel.h"
33 #include "../libcli/auth/spnego.h"
34 #include "ntlmssp.h"
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_RPC_SRV
38
39 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
40 {
41         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
42
43         if (a) {
44                 auth_ntlmssp_end(&a);
45         }
46         auth->a_u.auth_ntlmssp_state = NULL;
47 }
48
49 static DATA_BLOB generic_session_key(void)
50 {
51         return data_blob("SystemLibraryDTC", 16);
52 }
53
54 /*******************************************************************
55  Generate the next PDU to be returned from the data in p->rdata. 
56  Handle NTLMSSP.
57  ********************************************************************/
58
59 static bool create_next_pdu_ntlmssp(pipes_struct *p)
60 {
61         RPC_HDR_RESP hdr_resp;
62         uint32 ss_padding_len = 0;
63         uint32 data_space_available;
64         uint32 data_len_left;
65         uint32 data_len;
66         NTSTATUS status;
67         DATA_BLOB auth_blob;
68         RPC_HDR_AUTH auth_info;
69         uint8 auth_type, auth_level;
70         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
71
72         /*
73          * If we're in the fault state, keep returning fault PDU's until
74          * the pipe gets closed. JRA.
75          */
76
77         if(p->fault_state) {
78                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
79                 return True;
80         }
81
82         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
83
84         /* Change the incoming request header to a response. */
85         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
86
87         /* Set up rpc header flags. */
88         if (p->out_data.data_sent_length == 0) {
89                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
90         } else {
91                 p->hdr.flags = 0;
92         }
93
94         /*
95          * Work out how much we can fit in a single PDU.
96          */
97
98         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
99
100         /*
101          * Ensure there really is data left to send.
102          */
103
104         if(!data_len_left) {
105                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
106                 return False;
107         }
108
109         /* Space available - not including padding. */
110         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN -
111                 RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
112
113         /*
114          * The amount we send is the minimum of the available
115          * space and the amount left to send.
116          */
117
118         data_len = MIN(data_len_left, data_space_available);
119
120         /* Work out any padding alignment requirements. */
121         if ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE) {
122                 ss_padding_len = SERVER_NDR_PADDING_SIZE -
123                         ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE);
124                 DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
125                         ss_padding_len ));
126                 /* If we're over filling the packet, we need to make space
127                  * for the padding at the end of the data. */
128                 if (data_len + ss_padding_len > data_space_available) {
129                         data_len -= SERVER_NDR_PADDING_SIZE;
130                 }
131         }
132
133         /*
134          * Set up the alloc hint. This should be the data left to
135          * send.
136          */
137
138         hdr_resp.alloc_hint = data_len_left;
139
140         /*
141          * Work out if this PDU will be the last.
142          */
143
144         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
145                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
146         }
147
148         /*
149          * Set up the header lengths.
150          */
151
152         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
153                         data_len + ss_padding_len +
154                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
155         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
156
157
158         /*
159          * Init the parse struct to point at the outgoing
160          * data.
161          */
162
163         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
164
165         /* Store the header in the data stream. */
166         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
167                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
168                 prs_mem_free(&p->out_data.frag);
169                 return False;
170         }
171
172         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
173                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
174                 prs_mem_free(&p->out_data.frag);
175                 return False;
176         }
177
178         /* Copy the data into the PDU. */
179
180         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
181                                      p->out_data.data_sent_length, data_len)) {
182                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
183                 prs_mem_free(&p->out_data.frag);
184                 return False;
185         }
186
187         /* Copy the sign/seal padding data. */
188         if (ss_padding_len) {
189                 char pad[SERVER_NDR_PADDING_SIZE];
190
191                 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
192                 if (!prs_copy_data_in(&p->out_data.frag, pad,
193                                       ss_padding_len)) {
194                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
195                                         (unsigned int)ss_padding_len));
196                         prs_mem_free(&p->out_data.frag);
197                         return False;
198                 }
199         }
200
201
202         /* Now write out the auth header and null blob. */
203         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
204                 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
205         } else {
206                 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
207         }
208         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
209                 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
210         } else {
211                 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
212         }
213
214         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
215
216         if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
217                                 &p->out_data.frag, 0)) {
218                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
219                 prs_mem_free(&p->out_data.frag);
220                 return False;
221         }
222
223         /* Generate the sign blob. */
224
225         switch (p->auth.auth_level) {
226                 case DCERPC_AUTH_LEVEL_PRIVACY:
227                         /* Data portion is encrypted. */
228                         status = ntlmssp_seal_packet(
229                                 a->ntlmssp_state,
230                                 (uint8_t *)prs_data_p(&p->out_data.frag)
231                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
232                                 data_len + ss_padding_len,
233                                 (unsigned char *)prs_data_p(&p->out_data.frag),
234                                 (size_t)prs_offset(&p->out_data.frag),
235                                 &auth_blob);
236                         if (!NT_STATUS_IS_OK(status)) {
237                                 data_blob_free(&auth_blob);
238                                 prs_mem_free(&p->out_data.frag);
239                                 return False;
240                         }
241                         break;
242                 case DCERPC_AUTH_LEVEL_INTEGRITY:
243                         /* Data is signed. */
244                         status = ntlmssp_sign_packet(
245                                 a->ntlmssp_state,
246                                 (unsigned char *)prs_data_p(&p->out_data.frag)
247                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
248                                 data_len + ss_padding_len,
249                                 (unsigned char *)prs_data_p(&p->out_data.frag),
250                                 (size_t)prs_offset(&p->out_data.frag),
251                                 &auth_blob);
252                         if (!NT_STATUS_IS_OK(status)) {
253                                 data_blob_free(&auth_blob);
254                                 prs_mem_free(&p->out_data.frag);
255                                 return False;
256                         }
257                         break;
258                 default:
259                         prs_mem_free(&p->out_data.frag);
260                         return False;
261         }
262
263         /* Append the auth blob. */
264         if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
265                               NTLMSSP_SIG_SIZE)) {
266                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
267                                 (unsigned int)NTLMSSP_SIG_SIZE));
268                 data_blob_free(&auth_blob);
269                 prs_mem_free(&p->out_data.frag);
270                 return False;
271         }
272
273         data_blob_free(&auth_blob);
274
275         /*
276          * Setup the counts for this PDU.
277          */
278
279         p->out_data.data_sent_length += data_len;
280         p->out_data.current_pdu_sent = 0;
281
282         return True;
283 }
284
285 /*******************************************************************
286  Generate the next PDU to be returned from the data in p->rdata. 
287  Return an schannel authenticated fragment.
288  ********************************************************************/
289
290 static bool create_next_pdu_schannel(pipes_struct *p)
291 {
292         RPC_HDR_RESP hdr_resp;
293         uint32 ss_padding_len = 0;
294         uint32 data_len;
295         uint32 data_space_available;
296         uint32 data_len_left;
297         uint32 data_pos;
298         NTSTATUS status;
299
300         /*
301          * If we're in the fault state, keep returning fault PDU's until
302          * the pipe gets closed. JRA.
303          */
304
305         if(p->fault_state) {
306                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
307                 return True;
308         }
309
310         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
311
312         /* Change the incoming request header to a response. */
313         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
314
315         /* Set up rpc header flags. */
316         if (p->out_data.data_sent_length == 0) {
317                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
318         } else {
319                 p->hdr.flags = 0;
320         }
321
322         /*
323          * Work out how much we can fit in a single PDU.
324          */
325
326         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
327
328         /*
329          * Ensure there really is data left to send.
330          */
331
332         if(!data_len_left) {
333                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
334                 return False;
335         }
336
337         /* Space available - not including padding. */
338         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
339                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
340                 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
341
342         /*
343          * The amount we send is the minimum of the available
344          * space and the amount left to send.
345          */
346
347         data_len = MIN(data_len_left, data_space_available);
348
349         /* Work out any padding alignment requirements. */
350         if ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE) {
351                 ss_padding_len = SERVER_NDR_PADDING_SIZE -
352                         ((RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len) % SERVER_NDR_PADDING_SIZE);
353                 DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
354                         ss_padding_len ));
355                 /* If we're over filling the packet, we need to make space
356                  * for the padding at the end of the data. */
357                 if (data_len + ss_padding_len > data_space_available) {
358                         data_len -= SERVER_NDR_PADDING_SIZE;
359                 }
360         }
361
362         /*
363          * Set up the alloc hint. This should be the data left to
364          * send.
365          */
366
367         hdr_resp.alloc_hint = data_len_left;
368
369         /*
370          * Work out if this PDU will be the last.
371          */
372
373         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
374                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
375         }
376
377         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
378                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
379         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
380
381         /*
382          * Init the parse struct to point at the outgoing
383          * data.
384          */
385
386         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
387
388         /* Store the header in the data stream. */
389         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
390                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
391                 prs_mem_free(&p->out_data.frag);
392                 return False;
393         }
394
395         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
396                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
397                 prs_mem_free(&p->out_data.frag);
398                 return False;
399         }
400
401         /* Store the current offset. */
402         data_pos = prs_offset(&p->out_data.frag);
403
404         /* Copy the data into the PDU. */
405
406         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
407                                      p->out_data.data_sent_length, data_len)) {
408                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
409                 prs_mem_free(&p->out_data.frag);
410                 return False;
411         }
412
413         /* Copy the sign/seal padding data. */
414         if (ss_padding_len) {
415                 char pad[SERVER_NDR_PADDING_SIZE];
416                 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
417                 if (!prs_copy_data_in(&p->out_data.frag, pad,
418                                       ss_padding_len)) {
419                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
420                         prs_mem_free(&p->out_data.frag);
421                         return False;
422                 }
423         }
424
425         {
426                 /*
427                  * Schannel processing.
428                  */
429                 RPC_HDR_AUTH auth_info;
430                 DATA_BLOB blob;
431                 uint8_t *data;
432
433                 /* Check it's the type of reply we were expecting to decode */
434
435                 init_rpc_hdr_auth(&auth_info,
436                                 DCERPC_AUTH_TYPE_SCHANNEL,
437                                 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
438                                         DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
439                                 ss_padding_len, 1);
440
441                 if (!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
442                                         &p->out_data.frag, 0)) {
443                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
444                         prs_mem_free(&p->out_data.frag);
445                         return False;
446                 }
447
448                 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
449
450                 switch (p->auth.auth_level) {
451                 case DCERPC_AUTH_LEVEL_PRIVACY:
452                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
453                                                         talloc_tos(),
454                                                         true,
455                                                         data,
456                                                         data_len + ss_padding_len,
457                                                         &blob);
458                         break;
459                 case DCERPC_AUTH_LEVEL_INTEGRITY:
460                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
461                                                         talloc_tos(),
462                                                         false,
463                                                         data,
464                                                         data_len + ss_padding_len,
465                                                         &blob);
466                         break;
467                 default:
468                         status = NT_STATUS_INTERNAL_ERROR;
469                         break;
470                 }
471
472                 if (!NT_STATUS_IS_OK(status)) {
473                         DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
474                                 nt_errstr(status)));
475                         prs_mem_free(&p->out_data.frag);
476                         return false;
477                 }
478
479                 /* Finally marshall the blob. */
480
481                 if (DEBUGLEVEL >= 10) {
482                         dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
483                 }
484
485                 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
486                         prs_mem_free(&p->out_data.frag);
487                         return false;
488                 }
489         }
490
491         /*
492          * Setup the counts for this PDU.
493          */
494
495         p->out_data.data_sent_length += data_len;
496         p->out_data.current_pdu_sent = 0;
497
498         return True;
499 }
500
501 /*******************************************************************
502  Generate the next PDU to be returned from the data in p->rdata. 
503  No authentication done.
504 ********************************************************************/
505
506 static bool create_next_pdu_noauth(pipes_struct *p)
507 {
508         RPC_HDR_RESP hdr_resp;
509         uint32 data_len;
510         uint32 data_space_available;
511         uint32 data_len_left;
512
513         /*
514          * If we're in the fault state, keep returning fault PDU's until
515          * the pipe gets closed. JRA.
516          */
517
518         if(p->fault_state) {
519                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
520                 return True;
521         }
522
523         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
524
525         /* Change the incoming request header to a response. */
526         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
527
528         /* Set up rpc header flags. */
529         if (p->out_data.data_sent_length == 0) {
530                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
531         } else {
532                 p->hdr.flags = 0;
533         }
534
535         /*
536          * Work out how much we can fit in a single PDU.
537          */
538
539         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
540
541         /*
542          * Ensure there really is data left to send.
543          */
544
545         if(!data_len_left) {
546                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
547                 return False;
548         }
549
550         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
551                 - RPC_HDR_RESP_LEN;
552
553         /*
554          * The amount we send is the minimum of the available
555          * space and the amount left to send.
556          */
557
558         data_len = MIN(data_len_left, data_space_available);
559
560         /*
561          * Set up the alloc hint. This should be the data left to
562          * send.
563          */
564
565         hdr_resp.alloc_hint = data_len_left;
566
567         /*
568          * Work out if this PDU will be the last.
569          */
570
571         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
572                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
573         }
574
575         /*
576          * Set up the header lengths.
577          */
578
579         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
580         p->hdr.auth_len = 0;
581
582         /*
583          * Init the parse struct to point at the outgoing
584          * data.
585          */
586
587         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
588
589         /* Store the header in the data stream. */
590         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
591                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
592                 prs_mem_free(&p->out_data.frag);
593                 return False;
594         }
595
596         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
597                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
598                 prs_mem_free(&p->out_data.frag);
599                 return False;
600         }
601
602         /* Copy the data into the PDU. */
603
604         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
605                                      p->out_data.data_sent_length, data_len)) {
606                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
607                 prs_mem_free(&p->out_data.frag);
608                 return False;
609         }
610
611         /*
612          * Setup the counts for this PDU.
613          */
614
615         p->out_data.data_sent_length += data_len;
616         p->out_data.current_pdu_sent = 0;
617
618         return True;
619 }
620
621 /*******************************************************************
622  Generate the next PDU to be returned from the data in p->rdata. 
623 ********************************************************************/
624
625 bool create_next_pdu(pipes_struct *p)
626 {
627         switch(p->auth.auth_level) {
628                 case DCERPC_AUTH_LEVEL_NONE:
629                 case DCERPC_AUTH_LEVEL_CONNECT:
630                         /* This is incorrect for auth level connect. Fixme. JRA */
631                         return create_next_pdu_noauth(p);
632
633                 default:
634                         switch(p->auth.auth_type) {
635                                 case PIPE_AUTH_TYPE_NTLMSSP:
636                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
637                                         return create_next_pdu_ntlmssp(p);
638                                 case PIPE_AUTH_TYPE_SCHANNEL:
639                                         return create_next_pdu_schannel(p);
640                                 default:
641                                         break;
642                         }
643         }
644
645         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
646                         (unsigned int)p->auth.auth_level,
647                         (unsigned int)p->auth.auth_type));
648         return False;
649 }
650
651 /*******************************************************************
652  Process an NTLMSSP authentication response.
653  If this function succeeds, the user has been authenticated
654  and their domain, name and calling workstation stored in
655  the pipe struct.
656 *******************************************************************/
657
658 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
659 {
660         DATA_BLOB session_key, reply;
661         NTSTATUS status;
662         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
663         bool ret;
664
665         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
666                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
667
668         ZERO_STRUCT(reply);
669
670         /* this has to be done as root in order to verify the password */
671         become_root();
672         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
673         unbecome_root();
674
675         /* Don't generate a reply. */
676         data_blob_free(&reply);
677
678         if (!NT_STATUS_IS_OK(status)) {
679                 return False;
680         }
681
682         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
683            ensure the underlying NTLMSSP flags are also set. If not we should
684            refuse the bind. */
685
686         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
687                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
688                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
689                                 "but client declined signing.\n",
690                                  get_pipe_name_from_syntax(talloc_tos(),
691                                                            &p->syntax)));
692                         return False;
693                 }
694         }
695         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
696                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
697                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
698                                 "but client declined sealing.\n",
699                                  get_pipe_name_from_syntax(talloc_tos(),
700                                                            &p->syntax)));
701                         return False;
702                 }
703         }
704
705         DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
706                   "workstation: %s\n", a->ntlmssp_state->user,
707                   a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
708
709         if (a->server_info->ptok == NULL) {
710                 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
711                 return False;
712         }
713
714         TALLOC_FREE(p->server_info);
715
716         p->server_info = copy_serverinfo(p, a->server_info);
717         if (p->server_info == NULL) {
718                 DEBUG(0, ("copy_serverinfo failed\n"));
719                 return false;
720         }
721
722         /*
723          * We're an authenticated bind over smb, so the session key needs to
724          * be set to "SystemLibraryDTC". Weird, but this is what Windows
725          * does. See the RPC-SAMBA3SESSIONKEY.
726          */
727
728         session_key = generic_session_key();
729         if (session_key.data == NULL) {
730                 return False;
731         }
732
733         ret = server_info_set_session_key(p->server_info, session_key);
734
735         data_blob_free(&session_key);
736
737         return True;
738 }
739
740 /*******************************************************************
741  The switch table for the pipe names and the functions to handle them.
742 *******************************************************************/
743
744 struct rpc_table {
745         struct {
746                 const char *clnt;
747                 const char *srv;
748         } pipe;
749         struct ndr_syntax_id rpc_interface;
750         const struct api_struct *cmds;
751         int n_cmds;
752 };
753
754 static struct rpc_table *rpc_lookup;
755 static int rpc_lookup_size;
756
757 /*******************************************************************
758  This is the "stage3" NTLMSSP response after a bind request and reply.
759 *******************************************************************/
760
761 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
762 {
763         RPC_HDR_AUTH auth_info;
764         uint32 pad = 0;
765         DATA_BLOB blob;
766         uint32_t auth_len = p->hdr.auth_len;
767
768         ZERO_STRUCT(blob);
769
770         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
771
772         if (auth_len == 0) {
773                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
774                 goto err;
775         }
776
777         /* 4 bytes padding. */
778         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
779                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
780                 goto err;
781         }
782
783         /* Ensure there's enough data for an authenticated request. */
784         if (RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + auth_len >
785                                 p->hdr.frag_len) {
786                         DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
787                                 "%u is too large.\n",
788                         (unsigned int)auth_len ));
789                 goto err;
790         }
791
792         /*
793          * Decode the authentication verifier response.
794          */
795
796         /* Pull the auth header and the following data into a blob. */
797         /* NB. The offset of the auth_header is relative to the *end*
798          * of the packet, not the start. Also, the length of the
799          * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
800          * as the RPC header isn't included in rpc_in_p. */
801         if(!prs_set_offset(rpc_in_p,
802                         p->hdr.frag_len - RPC_HEADER_LEN -
803                         RPC_HDR_AUTH_LEN - auth_len)) {
804                 DEBUG(0,("api_pipe_bind_auth3: cannot move "
805                         "offset to %u.\n",
806                         (unsigned int)(p->hdr.frag_len -
807                                 RPC_HDR_AUTH_LEN - auth_len) ));
808                 goto err;
809         }
810
811         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in_p, 0)) {
812                 DEBUG(0,("api_pipe_bind_auth3: failed to "
813                         "unmarshall RPC_HDR_AUTH.\n"));
814                 goto err;
815         }
816
817         /* We must NEVER look at auth_info->auth_pad_len here,
818          * as old Samba client code gets it wrong and sends it
819          * as zero. JRA.
820          */
821
822         if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
823                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
824                         (unsigned int)auth_info.auth_type ));
825                 return False;
826         }
827
828         blob = data_blob(NULL,p->hdr.auth_len);
829
830         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
831                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
832                         (unsigned int)p->hdr.auth_len ));
833                 goto err;
834         }
835
836         /*
837          * The following call actually checks the challenge/response data.
838          * for correctness against the given DOMAIN\user name.
839          */
840
841         if (!pipe_ntlmssp_verify_final(p, &blob)) {
842                 goto err;
843         }
844
845         data_blob_free(&blob);
846
847         p->pipe_bound = True;
848
849         return True;
850
851  err:
852
853         data_blob_free(&blob);
854         free_pipe_ntlmssp_auth_data(&p->auth);
855         p->auth.a_u.auth_ntlmssp_state = NULL;
856
857         return False;
858 }
859
860 /*******************************************************************
861  Marshall a bind_nak pdu.
862 *******************************************************************/
863
864 static bool setup_bind_nak(pipes_struct *p)
865 {
866         RPC_HDR nak_hdr;
867         uint16 zero = 0;
868
869         /* Free any memory in the current return data buffer. */
870         prs_mem_free(&p->out_data.rdata);
871
872         /*
873          * Marshall directly into the outgoing PDU space. We
874          * must do this as we need to set to the bind response
875          * header and are never sending more than one PDU here.
876          */
877
878         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
879
880         /*
881          * Initialize a bind_nak header.
882          */
883
884         init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
885                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
886
887         /*
888          * Marshall the header into the outgoing PDU.
889          */
890
891         if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
892                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
893                 prs_mem_free(&p->out_data.frag);
894                 return False;
895         }
896
897         /*
898          * Now add the reject reason.
899          */
900
901         if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
902                 prs_mem_free(&p->out_data.frag);
903                 return False;
904         }
905
906         p->out_data.data_sent_length = 0;
907         p->out_data.current_pdu_sent = 0;
908
909         if (p->auth.auth_data_free_func) {
910                 (*p->auth.auth_data_free_func)(&p->auth);
911         }
912         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
913         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
914         p->pipe_bound = False;
915
916         return True;
917 }
918
919 /*******************************************************************
920  Marshall a fault pdu.
921 *******************************************************************/
922
923 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
924 {
925         RPC_HDR fault_hdr;
926         RPC_HDR_RESP hdr_resp;
927         RPC_HDR_FAULT fault_resp;
928
929         /* Free any memory in the current return data buffer. */
930         prs_mem_free(&p->out_data.rdata);
931
932         /*
933          * Marshall directly into the outgoing PDU space. We
934          * must do this as we need to set to the bind response
935          * header and are never sending more than one PDU here.
936          */
937
938         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
939
940         /*
941          * Initialize a fault header.
942          */
943
944         init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
945             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
946
947         /*
948          * Initialize the HDR_RESP and FAULT parts of the PDU.
949          */
950
951         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
952
953         fault_resp.status = status;
954         fault_resp.reserved = 0;
955
956         /*
957          * Marshall the header into the outgoing PDU.
958          */
959
960         if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
961                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
962                 prs_mem_free(&p->out_data.frag);
963                 return False;
964         }
965
966         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
967                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
968                 prs_mem_free(&p->out_data.frag);
969                 return False;
970         }
971
972         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
973                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
974                 prs_mem_free(&p->out_data.frag);
975                 return False;
976         }
977
978         p->out_data.data_sent_length = 0;
979         p->out_data.current_pdu_sent = 0;
980
981         return True;
982 }
983
984 #if 0
985 /*******************************************************************
986  Marshall a cancel_ack pdu.
987  We should probably check the auth-verifier here.
988 *******************************************************************/
989
990 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
991 {
992         prs_struct outgoing_pdu;
993         RPC_HDR ack_reply_hdr;
994
995         /* Free any memory in the current return data buffer. */
996         prs_mem_free(&p->out_data.rdata);
997
998         /*
999          * Marshall directly into the outgoing PDU space. We
1000          * must do this as we need to set to the bind response
1001          * header and are never sending more than one PDU here.
1002          */
1003
1004         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
1005         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1006
1007         /*
1008          * Initialize a cancel_ack header.
1009          */
1010
1011         init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1012                         p->hdr.call_id, RPC_HEADER_LEN, 0);
1013
1014         /*
1015          * Marshall the header into the outgoing PDU.
1016          */
1017
1018         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
1019                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
1020                 prs_mem_free(&outgoing_pdu);
1021                 return False;
1022         }
1023
1024         p->out_data.data_sent_length = 0;
1025         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
1026         p->out_data.current_pdu_sent = 0;
1027
1028         prs_mem_free(&outgoing_pdu);
1029         return True;
1030 }
1031 #endif
1032
1033 /*******************************************************************
1034  Ensure a bind request has the correct abstract & transfer interface.
1035  Used to reject unknown binds from Win2k.
1036 *******************************************************************/
1037
1038 static bool check_bind_req(struct pipes_struct *p,
1039                            struct ndr_syntax_id* abstract,
1040                            struct ndr_syntax_id* transfer,
1041                            uint32 context_id)
1042 {
1043         int i=0;
1044         struct pipe_rpc_fns *context_fns;
1045
1046         DEBUG(3,("check_bind_req for %s\n",
1047                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1048
1049         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
1050
1051         for (i=0; i<rpc_lookup_size; i++) {
1052                 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
1053                 if (ndr_syntax_id_equal(
1054                             abstract, &rpc_lookup[i].rpc_interface)
1055                     && ndr_syntax_id_equal(
1056                             transfer, &ndr_transfer_syntax)) {
1057                         break;
1058                 }
1059         }
1060
1061         if (i == rpc_lookup_size) {
1062                 return false;
1063         }
1064
1065         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1066         if (context_fns == NULL) {
1067                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1068                 return False;
1069         }
1070
1071         context_fns->cmds = rpc_lookup[i].cmds;
1072         context_fns->n_cmds = rpc_lookup[i].n_cmds;
1073         context_fns->context_id = context_id;
1074
1075         /* add to the list of open contexts */
1076
1077         DLIST_ADD( p->contexts, context_fns );
1078
1079         return True;
1080 }
1081
1082 /*******************************************************************
1083  Register commands to an RPC pipe
1084 *******************************************************************/
1085
1086 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1087                           const struct ndr_interface_table *iface,
1088                           const struct api_struct *cmds, int size)
1089 {
1090         struct rpc_table *rpc_entry;
1091
1092         if (!clnt || !srv || !cmds) {
1093                 return NT_STATUS_INVALID_PARAMETER;
1094         }
1095
1096         if (version != SMB_RPC_INTERFACE_VERSION) {
1097                 DEBUG(0,("Can't register rpc commands!\n"
1098                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1099                          ", while this version of samba uses version %d!\n", 
1100                          version,SMB_RPC_INTERFACE_VERSION));
1101                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1102         }
1103
1104         /* TODO: 
1105          *
1106          * we still need to make sure that don't register the same commands twice!!!
1107          * 
1108          * --metze
1109          */
1110
1111         /* We use a temporary variable because this call can fail and 
1112            rpc_lookup will still be valid afterwards.  It could then succeed if
1113            called again later */
1114         rpc_lookup_size++;
1115         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1116         if (NULL == rpc_entry) {
1117                 rpc_lookup_size--;
1118                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1119                 return NT_STATUS_NO_MEMORY;
1120         } else {
1121                 rpc_lookup = rpc_entry;
1122         }
1123
1124         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1125         ZERO_STRUCTP(rpc_entry);
1126         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1127         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1128         rpc_entry->rpc_interface = iface->syntax_id;
1129         rpc_entry->cmds = cmds;
1130         rpc_entry->n_cmds = size;
1131
1132         return NT_STATUS_OK;
1133 }
1134
1135 /**
1136  * Is a named pipe known?
1137  * @param[in] cli_filename      The pipe name requested by the client
1138  * @result                      Do we want to serve this?
1139  */
1140 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1141 {
1142         const char *pipename = cli_filename;
1143         int i;
1144         NTSTATUS status;
1145
1146         if (strnequal(pipename, "\\PIPE\\", 6)) {
1147                 pipename += 5;
1148         }
1149
1150         if (*pipename == '\\') {
1151                 pipename += 1;
1152         }
1153
1154         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1155                 DEBUG(10, ("refusing spoolss access\n"));
1156                 return false;
1157         }
1158
1159         for (i=0; i<rpc_lookup_size; i++) {
1160                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1161                         *syntax = rpc_lookup[i].rpc_interface;
1162                         return true;
1163                 }
1164         }
1165
1166         status = smb_probe_module("rpc", pipename);
1167         if (!NT_STATUS_IS_OK(status)) {
1168                 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1169                 return false;
1170         }
1171         DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
1172
1173         /*
1174          * Scan the list again for the interface id
1175          */
1176
1177         for (i=0; i<rpc_lookup_size; i++) {
1178                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1179                         *syntax = rpc_lookup[i].rpc_interface;
1180                         return true;
1181                 }
1182         }
1183
1184         DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
1185                    pipename));
1186
1187         return false;
1188 }
1189
1190 /*******************************************************************
1191  Handle a SPNEGO krb5 bind auth.
1192 *******************************************************************/
1193
1194 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1195                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1196 {
1197         return False;
1198 }
1199
1200 /*******************************************************************
1201  Handle the first part of a SPNEGO bind auth.
1202 *******************************************************************/
1203
1204 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1205                                         uint32_t ss_padding_len,
1206                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1207 {
1208         DATA_BLOB blob;
1209         DATA_BLOB secblob;
1210         DATA_BLOB response;
1211         DATA_BLOB chal;
1212         char *OIDs[ASN1_MAX_OIDS];
1213         int i;
1214         NTSTATUS status;
1215         bool got_kerberos_mechanism = false;
1216         AUTH_NTLMSSP_STATE *a = NULL;
1217         RPC_HDR_AUTH auth_info;
1218
1219         ZERO_STRUCT(secblob);
1220         ZERO_STRUCT(chal);
1221         ZERO_STRUCT(response);
1222
1223         /* Grab the SPNEGO blob. */
1224         blob = data_blob(NULL,p->hdr.auth_len);
1225
1226         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1227                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1228                         (unsigned int)p->hdr.auth_len ));
1229                 goto err;
1230         }
1231
1232         if (blob.data[0] != ASN1_APPLICATION(0)) {
1233                 goto err;
1234         }
1235
1236         /* parse out the OIDs and the first sec blob */
1237         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1238                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1239                 goto err;
1240         }
1241
1242         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1243                 got_kerberos_mechanism = true;
1244         }
1245
1246         for (i=0;OIDs[i];i++) {
1247                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1248                 TALLOC_FREE(OIDs[i]);
1249         }
1250         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1251
1252         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1253                 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1254                 data_blob_free(&secblob);
1255                 data_blob_free(&blob);
1256                 return ret;
1257         }
1258
1259         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1260                 /* Free any previous auth type. */
1261                 free_pipe_ntlmssp_auth_data(&p->auth);
1262         }
1263
1264         if (!got_kerberos_mechanism) {
1265                 /* Initialize the NTLM engine. */
1266                 status = auth_ntlmssp_start(&a);
1267                 if (!NT_STATUS_IS_OK(status)) {
1268                         goto err;
1269                 }
1270
1271                 /*
1272                  * Pass the first security blob of data to it.
1273                  * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1274                  * which means we need another packet to complete the bind.
1275                  */
1276
1277                 status = auth_ntlmssp_update(a, secblob, &chal);
1278
1279                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1280                         DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1281                         goto err;
1282                 }
1283
1284                 /* Generate the response blob we need for step 2 of the bind. */
1285                 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1286         } else {
1287                 /*
1288                  * SPNEGO negotiate down to NTLMSSP. The subsequent
1289                  * code to process follow-up packets is not complete
1290                  * yet. JRA.
1291                  */
1292                 response = spnego_gen_auth_response(NULL,
1293                                         NT_STATUS_MORE_PROCESSING_REQUIRED,
1294                                         OID_NTLMSSP);
1295         }
1296
1297         /* auth_pad_len will be handled by the caller */
1298
1299         /* Copy the blob into the pout_auth parse struct */
1300         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
1301                         pauth_info->auth_level, ss_padding_len, 1);
1302         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1303                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1304                 goto err;
1305         }
1306
1307         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1308                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1309                 goto err;
1310         }
1311
1312         p->auth.a_u.auth_ntlmssp_state = a;
1313         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1314         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1315
1316         data_blob_free(&blob);
1317         data_blob_free(&secblob);
1318         data_blob_free(&chal);
1319         data_blob_free(&response);
1320
1321         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1322         return True;
1323
1324  err:
1325
1326         data_blob_free(&blob);
1327         data_blob_free(&secblob);
1328         data_blob_free(&chal);
1329         data_blob_free(&response);
1330
1331         p->auth.a_u.auth_ntlmssp_state = NULL;
1332
1333         return False;
1334 }
1335
1336 /*******************************************************************
1337  Handle the second part of a SPNEGO bind auth.
1338 *******************************************************************/
1339
1340 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1341                                 uint32_t ss_padding_len,
1342                                 RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1343 {
1344         RPC_HDR_AUTH auth_info;
1345         DATA_BLOB spnego_blob;
1346         DATA_BLOB auth_blob;
1347         DATA_BLOB auth_reply;
1348         DATA_BLOB response;
1349         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1350
1351         ZERO_STRUCT(spnego_blob);
1352         ZERO_STRUCT(auth_blob);
1353         ZERO_STRUCT(auth_reply);
1354         ZERO_STRUCT(response);
1355
1356         /*
1357          * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1358          * fail here as 'a' == NULL.
1359          */
1360         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1361                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1362                 goto err;
1363         }
1364
1365         /* Grab the SPNEGO blob. */
1366         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1367
1368         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1369                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1370                         (unsigned int)p->hdr.auth_len ));
1371                 goto err;
1372         }
1373
1374         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1375                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1376                 goto err;
1377         }
1378
1379         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1380                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1381                 goto err;
1382         }
1383
1384         /*
1385          * The following call actually checks the challenge/response data.
1386          * for correctness against the given DOMAIN\user name.
1387          */
1388
1389         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1390                 goto err;
1391         }
1392
1393         data_blob_free(&spnego_blob);
1394         data_blob_free(&auth_blob);
1395
1396         /* Generate the spnego "accept completed" blob - no incoming data. */
1397         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1398
1399         /* FIXME - add auth_pad_len here ! */
1400
1401         /* Copy the blob into the pout_auth parse struct */
1402         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO,
1403                         pauth_info->auth_level, ss_padding_len, 1);
1404         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1405                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1406                 goto err;
1407         }
1408
1409         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1410                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1411                 goto err;
1412         }
1413
1414         data_blob_free(&auth_reply);
1415         data_blob_free(&response);
1416
1417         p->pipe_bound = True;
1418
1419         return True;
1420
1421  err:
1422
1423         data_blob_free(&spnego_blob);
1424         data_blob_free(&auth_blob);
1425         data_blob_free(&auth_reply);
1426         data_blob_free(&response);
1427
1428         free_pipe_ntlmssp_auth_data(&p->auth);
1429         p->auth.a_u.auth_ntlmssp_state = NULL;
1430
1431         return False;
1432 }
1433
1434 /*******************************************************************
1435  Handle an schannel bind auth.
1436 *******************************************************************/
1437
1438 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1439                                         uint32_t ss_padding_len,
1440                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1441 {
1442         RPC_HDR_AUTH auth_info;
1443         struct NL_AUTH_MESSAGE neg;
1444         struct NL_AUTH_MESSAGE reply;
1445         bool ret;
1446         NTSTATUS status;
1447         struct netlogon_creds_CredentialState *creds;
1448         DATA_BLOB session_key;
1449         enum ndr_err_code ndr_err;
1450         DATA_BLOB blob;
1451
1452         blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1453                                prs_data_size(rpc_in_p));
1454
1455         ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1456                                (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1457         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1458                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1459                 return false;
1460         }
1461
1462         if (DEBUGLEVEL >= 10) {
1463                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1464         }
1465
1466         if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1467                 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1468                 return false;
1469         }
1470
1471         /*
1472          * The neg.oem_netbios_computer.a key here must match the remote computer name
1473          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1474          * operations that use credentials.
1475          */
1476
1477         become_root();
1478         status = schannel_get_creds_state(p, NULL, lp_private_dir(),
1479                                             neg.oem_netbios_computer.a,
1480                                             &creds);
1481         unbecome_root();
1482
1483         if (!NT_STATUS_IS_OK(status)) {
1484                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1485                 return False;
1486         }
1487
1488         p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1489         if (!p->auth.a_u.schannel_auth) {
1490                 TALLOC_FREE(creds);
1491                 return False;
1492         }
1493
1494         p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1495         p->auth.a_u.schannel_auth->seq_num = 0;
1496         p->auth.a_u.schannel_auth->initiator = false;
1497         p->auth.a_u.schannel_auth->creds = creds;
1498
1499         /*
1500          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1501          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1502          * struct of the person who opened the pipe. I need to test this further. JRA.
1503          *
1504          * VL. As we are mapping this to guest set the generic key
1505          * "SystemLibraryDTC" key here. It's a bit difficult to test against
1506          * W2k3, as it does not allow schannel binds against SAMR and LSA
1507          * anymore.
1508          */
1509
1510         session_key = generic_session_key();
1511         if (session_key.data == NULL) {
1512                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1513                           " key\n"));
1514                 return false;
1515         }
1516
1517         ret = server_info_set_session_key(p->server_info, session_key);
1518
1519         data_blob_free(&session_key);
1520
1521         if (!ret) {
1522                 DEBUG(0, ("server_info_set_session_key failed\n"));
1523                 return false;
1524         }
1525
1526         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL,
1527                         pauth_info->auth_level, ss_padding_len, 1);
1528         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1529                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1530                 return False;
1531         }
1532
1533         /*** SCHANNEL verifier ***/
1534
1535         reply.MessageType                       = NL_NEGOTIATE_RESPONSE;
1536         reply.Flags                             = 0;
1537         reply.Buffer.dummy                      = 5; /* ??? actually I don't think
1538                                                       * this has any meaning
1539                                                       * here - gd */
1540
1541         ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &reply,
1542                        (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1543         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1544                 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1545                 return false;
1546         }
1547
1548         if (DEBUGLEVEL >= 10) {
1549                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1550         }
1551
1552         if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1553                 return false;
1554         }
1555
1556         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1557                 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1558
1559         /* We're finished with this bind - no more packets. */
1560         p->auth.auth_data_free_func = NULL;
1561         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1562
1563         p->pipe_bound = True;
1564
1565         return True;
1566 }
1567
1568 /*******************************************************************
1569  Handle an NTLMSSP bind auth.
1570 *******************************************************************/
1571
1572 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1573                                         uint32_t ss_padding_len,
1574                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1575 {
1576         RPC_HDR_AUTH auth_info;
1577         DATA_BLOB blob;
1578         DATA_BLOB response;
1579         NTSTATUS status;
1580         AUTH_NTLMSSP_STATE *a = NULL;
1581
1582         ZERO_STRUCT(blob);
1583         ZERO_STRUCT(response);
1584
1585         /* Grab the NTLMSSP blob. */
1586         blob = data_blob(NULL,p->hdr.auth_len);
1587
1588         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1589                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1590                         (unsigned int)p->hdr.auth_len ));
1591                 goto err;
1592         }
1593
1594         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1595                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1596                 goto err;
1597         }
1598
1599         /* We have an NTLMSSP blob. */
1600         status = auth_ntlmssp_start(&a);
1601         if (!NT_STATUS_IS_OK(status)) {
1602                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1603                         nt_errstr(status) ));
1604                 goto err;
1605         }
1606
1607         status = auth_ntlmssp_update(a, blob, &response);
1608         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1609                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1610                         nt_errstr(status) ));
1611                 goto err;
1612         }
1613
1614         data_blob_free(&blob);
1615
1616         /* Copy the blob into the pout_auth parse struct */
1617         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP,
1618                         pauth_info->auth_level, ss_padding_len, 1);
1619         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1620                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1621                 goto err;
1622         }
1623
1624         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1625                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1626                 goto err;
1627         }
1628
1629         p->auth.a_u.auth_ntlmssp_state = a;
1630         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1631         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1632
1633         data_blob_free(&blob);
1634         data_blob_free(&response);
1635
1636         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1637
1638         /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1639         return True;
1640
1641   err:
1642
1643         data_blob_free(&blob);
1644         data_blob_free(&response);
1645
1646         free_pipe_ntlmssp_auth_data(&p->auth);
1647         p->auth.a_u.auth_ntlmssp_state = NULL;
1648         return False;
1649 }
1650
1651 /*******************************************************************
1652  Respond to a pipe bind request.
1653 *******************************************************************/
1654
1655 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1656 {
1657         RPC_HDR_BA hdr_ba;
1658         RPC_HDR_RB hdr_rb;
1659         RPC_HDR_AUTH auth_info;
1660         uint16 assoc_gid;
1661         fstring ack_pipe_name;
1662         prs_struct out_hdr_ba;
1663         prs_struct out_auth;
1664         int i = 0;
1665         int auth_len = 0;
1666         unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1667         uint32_t ss_padding_len = 0;
1668
1669         /* No rebinds on a bound pipe - use alter context. */
1670         if (p->pipe_bound) {
1671                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1672                          "pipe %s.\n",
1673                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1674                 return setup_bind_nak(p);
1675         }
1676
1677         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1678
1679         /* 
1680          * Marshall directly into the outgoing PDU space. We
1681          * must do this as we need to set to the bind response
1682          * header and are never sending more than one PDU here.
1683          */
1684
1685         /*
1686          * Setup the memory to marshall the ba header, and the
1687          * auth footers.
1688          */
1689
1690         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1691                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1692                 prs_mem_free(&p->out_data.frag);
1693                 return False;
1694         }
1695
1696         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1697                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1698                 prs_mem_free(&p->out_data.frag);
1699                 prs_mem_free(&out_hdr_ba);
1700                 return False;
1701         }
1702
1703         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1704
1705         ZERO_STRUCT(hdr_rb);
1706
1707         /* decode the bind request */
1708
1709         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1710                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1711                          "struct.\n"));
1712                 goto err_exit;
1713         }
1714
1715         if (hdr_rb.num_contexts == 0) {
1716                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1717                 goto err_exit;
1718         }
1719
1720         /*
1721          * Try and find the correct pipe name to ensure
1722          * that this is a pipe name we support.
1723          */
1724
1725         for (i = 0; i < rpc_lookup_size; i++) {
1726                 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1727                                         &hdr_rb.rpc_context[0].abstract)) {
1728                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1729                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1730                         break;
1731                 }
1732         }
1733
1734         if (i == rpc_lookup_size) {
1735                 NTSTATUS status;
1736
1737                 status = smb_probe_module(
1738                         "rpc", get_pipe_name_from_syntax(
1739                                 talloc_tos(),
1740                                 &hdr_rb.rpc_context[0].abstract));
1741
1742                 if (NT_STATUS_IS_ERR(status)) {
1743                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1744                                 get_pipe_name_from_syntax(
1745                                         talloc_tos(),
1746                                         &hdr_rb.rpc_context[0].abstract)));
1747                         prs_mem_free(&p->out_data.frag);
1748                         prs_mem_free(&out_hdr_ba);
1749                         prs_mem_free(&out_auth);
1750
1751                         return setup_bind_nak(p);
1752                 }
1753
1754                 for (i = 0; i < rpc_lookup_size; i++) {
1755                        if (strequal(rpc_lookup[i].pipe.clnt,
1756                                     get_pipe_name_from_syntax(talloc_tos(),
1757                                                               &p->syntax))) {
1758                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1759                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1760                                break;
1761                        }
1762                 }
1763
1764                 if (i == rpc_lookup_size) {
1765                         DEBUG(0, ("module %s doesn't provide functions for "
1766                                   "pipe %s!\n",
1767                                   get_pipe_name_from_syntax(talloc_tos(),
1768                                                             &p->syntax),
1769                                   get_pipe_name_from_syntax(talloc_tos(),
1770                                                             &p->syntax)));
1771                         goto err_exit;
1772                 }
1773         }
1774
1775         /* name has to be \PIPE\xxxxx */
1776         fstrcpy(ack_pipe_name, "\\PIPE\\");
1777         fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1778
1779         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1780
1781         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1782
1783         /*
1784          * Create the bind response struct.
1785          */
1786
1787         /* If the requested abstract synt uuid doesn't match our client pipe,
1788                 reject the bind_ack & set the transfer interface synt to all 0's,
1789                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1790                 unknown to NT4)
1791                 Needed when adding entries to a DACL from NT5 - SK */
1792
1793         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1794                                 hdr_rb.rpc_context[0].context_id )) {
1795                 init_rpc_hdr_ba(&hdr_ba,
1796                         RPC_MAX_PDU_FRAG_LEN,
1797                         RPC_MAX_PDU_FRAG_LEN,
1798                         assoc_gid,
1799                         ack_pipe_name,
1800                         0x1, 0x0, 0x0,
1801                         &hdr_rb.rpc_context[0].transfer[0]);
1802         } else {
1803                 /* Rejection reason: abstract syntax not supported */
1804                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1805                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1806                                         ack_pipe_name, 0x1, 0x2, 0x1,
1807                                         &null_ndr_syntax_id);
1808                 p->pipe_bound = False;
1809         }
1810
1811         /*
1812          * and marshall it.
1813          */
1814
1815         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1816                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1817                 goto err_exit;
1818         }
1819
1820         /*
1821          * Check if this is an authenticated bind request.
1822          */
1823
1824         if (p->hdr.auth_len) {
1825                 /* 
1826                  * Decode the authentication verifier.
1827                  */
1828
1829                 /* Work out any padding needed before the auth footer. */
1830                 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
1831                         ss_padding_len = SERVER_NDR_PADDING_SIZE -
1832                                 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
1833                         DEBUG(10,("api_pipe_bind_req: auth pad_len = %u\n",
1834                                 (unsigned int)ss_padding_len ));
1835                 }
1836
1837                 /* Quick length check. Won't catch a bad auth footer,
1838                  * prevents overrun. */
1839
1840                 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
1841                         DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
1842                                 "too long for fragment %u.\n",
1843                                 (unsigned int)p->hdr.auth_len,
1844                                 (unsigned int)p->hdr.frag_len ));
1845                         goto err_exit;
1846                 }
1847
1848                 /* Pull the auth header and the following data into a blob. */
1849                 /* NB. The offset of the auth_header is relative to the *end*
1850                  * of the packet, not the start. Also, the length of the
1851                  * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
1852                  * as the RPC header isn't included in rpc_in_p. */
1853                 if(!prs_set_offset(rpc_in_p,
1854                                 p->hdr.frag_len - RPC_HEADER_LEN -
1855                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
1856                         DEBUG(0,("api_pipe_bind_req: cannot move "
1857                                 "offset to %u.\n",
1858                                 (unsigned int)(p->hdr.frag_len -
1859                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
1860                         goto err_exit;
1861                 }
1862
1863                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1864                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1865                         goto err_exit;
1866                 }
1867
1868                 auth_type = auth_info.auth_type;
1869
1870                 /* Work out if we have to sign or seal etc. */
1871                 switch (auth_info.auth_level) {
1872                         case DCERPC_AUTH_LEVEL_INTEGRITY:
1873                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1874                                 break;
1875                         case DCERPC_AUTH_LEVEL_PRIVACY:
1876                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1877                                 break;
1878                         default:
1879                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1880                                         (unsigned int)auth_info.auth_level ));
1881                                 goto err_exit;
1882                 }
1883         } else {
1884                 ZERO_STRUCT(auth_info);
1885         }
1886
1887         switch(auth_type) {
1888                 case DCERPC_AUTH_TYPE_NTLMSSP:
1889                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p,
1890                                         ss_padding_len, &auth_info, &out_auth)) {
1891                                 goto err_exit;
1892                         }
1893                         assoc_gid = 0x7a77;
1894                         break;
1895
1896                 case DCERPC_AUTH_TYPE_SCHANNEL:
1897                         if (!pipe_schannel_auth_bind(p, rpc_in_p,
1898                                         ss_padding_len, &auth_info, &out_auth)) {
1899                                 goto err_exit;
1900                         }
1901                         break;
1902
1903                 case DCERPC_AUTH_TYPE_SPNEGO:
1904                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p,
1905                                         ss_padding_len, &auth_info, &out_auth)) {
1906                                 goto err_exit;
1907                         }
1908                         break;
1909
1910                 case DCERPC_AUTH_TYPE_NONE:
1911                         /* Unauthenticated bind request. */
1912                         /* We're finished - no more packets. */
1913                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1914                         /* We must set the pipe auth_level here also. */
1915                         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1916                         p->pipe_bound = True;
1917                         /* The session key was initialized from the SMB
1918                          * session in make_internal_rpc_pipe_p */
1919                         ss_padding_len = 0;
1920                         break;
1921
1922                 default:
1923                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1924                         goto err_exit;
1925         }
1926         /*
1927          * Create the header, now we know the length.
1928          */
1929
1930         if (prs_offset(&out_auth)) {
1931                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1932         }
1933
1934         init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1935                         p->hdr.call_id,
1936                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) +
1937                                 ss_padding_len + prs_offset(&out_auth),
1938                         auth_len);
1939
1940         /*
1941          * Marshall the header into the outgoing PDU.
1942          */
1943
1944         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1945                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1946                 goto err_exit;
1947         }
1948
1949         /*
1950          * Now add the RPC_HDR_BA and any auth needed.
1951          */
1952
1953         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1954                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1955                 goto err_exit;
1956         }
1957
1958         if (auth_len) {
1959                 if (ss_padding_len) {
1960                         char pad[SERVER_NDR_PADDING_SIZE];
1961                         memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1962                         if (!prs_copy_data_in(&p->out_data.frag, pad,
1963                                         ss_padding_len)) {
1964                                 DEBUG(0,("api_pipe_bind_req: failed to add %u "
1965                                         "bytes of pad data.\n",
1966                                         (unsigned int)ss_padding_len));
1967                                 goto err_exit;
1968                         }
1969                 }
1970
1971                 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1972                         DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1973                         goto err_exit;
1974                 }
1975         }
1976
1977         /*
1978          * Setup the lengths for the initial reply.
1979          */
1980
1981         p->out_data.data_sent_length = 0;
1982         p->out_data.current_pdu_sent = 0;
1983
1984         prs_mem_free(&out_hdr_ba);
1985         prs_mem_free(&out_auth);
1986
1987         return True;
1988
1989   err_exit:
1990
1991         prs_mem_free(&p->out_data.frag);
1992         prs_mem_free(&out_hdr_ba);
1993         prs_mem_free(&out_auth);
1994         return setup_bind_nak(p);
1995 }
1996
1997 /****************************************************************************
1998  Deal with an alter context call. Can be third part of 3 leg auth request for
1999  SPNEGO calls.
2000 ****************************************************************************/
2001
2002 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
2003 {
2004         RPC_HDR_BA hdr_ba;
2005         RPC_HDR_RB hdr_rb;
2006         RPC_HDR_AUTH auth_info;
2007         uint16 assoc_gid;
2008         fstring ack_pipe_name;
2009         prs_struct out_hdr_ba;
2010         prs_struct out_auth;
2011         int auth_len = 0;
2012         uint32_t ss_padding_len = 0;
2013
2014         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
2015
2016         /* 
2017          * Marshall directly into the outgoing PDU space. We
2018          * must do this as we need to set to the bind response
2019          * header and are never sending more than one PDU here.
2020          */
2021
2022         /*
2023          * Setup the memory to marshall the ba header, and the
2024          * auth footers.
2025          */
2026
2027         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
2028                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
2029                 prs_mem_free(&p->out_data.frag);
2030                 return False;
2031         }
2032
2033         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
2034                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
2035                 prs_mem_free(&p->out_data.frag);
2036                 prs_mem_free(&out_hdr_ba);
2037                 return False;
2038         }
2039
2040         ZERO_STRUCT(hdr_rb);
2041
2042         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
2043
2044         /* decode the alter context request */
2045         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
2046                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
2047                 goto err_exit;
2048         }
2049
2050         /* secondary address CAN be NULL
2051          * as the specs say it's ignored.
2052          * It MUST be NULL to have the spoolss working.
2053          */
2054         fstrcpy(ack_pipe_name,"");
2055
2056         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
2057
2058         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
2059
2060         /*
2061          * Create the bind response struct.
2062          */
2063
2064         /* If the requested abstract synt uuid doesn't match our client pipe,
2065                 reject the bind_ack & set the transfer interface synt to all 0's,
2066                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
2067                 unknown to NT4)
2068                 Needed when adding entries to a DACL from NT5 - SK */
2069
2070         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
2071                                 hdr_rb.rpc_context[0].context_id )) {
2072                 init_rpc_hdr_ba(&hdr_ba,
2073                         RPC_MAX_PDU_FRAG_LEN,
2074                         RPC_MAX_PDU_FRAG_LEN,
2075                         assoc_gid,
2076                         ack_pipe_name,
2077                         0x1, 0x0, 0x0,
2078                         &hdr_rb.rpc_context[0].transfer[0]);
2079         } else {
2080                 /* Rejection reason: abstract syntax not supported */
2081                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
2082                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
2083                                         ack_pipe_name, 0x1, 0x2, 0x1,
2084                                         &null_ndr_syntax_id);
2085                 p->pipe_bound = False;
2086         }
2087
2088         /*
2089          * and marshall it.
2090          */
2091
2092         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
2093                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
2094                 goto err_exit;
2095         }
2096
2097
2098         /*
2099          * Check if this is an authenticated alter context request.
2100          */
2101
2102         if (p->hdr.auth_len != 0) {
2103                 /* 
2104                  * Decode the authentication verifier.
2105                  */
2106
2107                 /* Work out any padding needed before the auth footer. */
2108                 if ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE) {
2109                         ss_padding_len = SERVER_NDR_PADDING_SIZE -
2110                                 ((RPC_HEADER_LEN + prs_offset(&out_hdr_ba)) % SERVER_NDR_PADDING_SIZE);
2111                         DEBUG(10,("api_pipe_alter_context: auth pad_len = %u\n",
2112                                 (unsigned int)ss_padding_len ));
2113                 }
2114
2115                 /* Quick length check. Won't catch a bad auth footer,
2116                  * prevents overrun. */
2117
2118                 if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_AUTH_LEN + p->hdr.auth_len) {
2119                         DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
2120                                 "too long for fragment %u.\n",
2121                                 (unsigned int)p->hdr.auth_len,
2122                                 (unsigned int)p->hdr.frag_len ));
2123                         goto err_exit;
2124                 }
2125
2126                 /* Pull the auth header and the following data into a blob. */
2127                 /* NB. The offset of the auth_header is relative to the *end*
2128                  * of the packet, not the start. Also, the length of the
2129                  * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2130                  * as the RPC header isn't included in rpc_in_p. */
2131                 if(!prs_set_offset(rpc_in_p,
2132                                 p->hdr.frag_len - RPC_HEADER_LEN -
2133                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len)) {
2134                         DEBUG(0,("api_alter_context: cannot move "
2135                                 "offset to %u.\n",
2136                                 (unsigned int)(p->hdr.frag_len -
2137                                 RPC_HDR_AUTH_LEN - p->hdr.auth_len) ));
2138                         goto err_exit;
2139                 }
2140
2141                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
2142                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
2143                         goto err_exit;
2144                 }
2145
2146                 /*
2147                  * Currently only the SPNEGO auth type uses the alter ctx
2148                  * response in place of the NTLMSSP auth3 type.
2149                  */
2150
2151                 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
2152                         /* We can only finish if the pipe is unbound. */
2153                         if (!p->pipe_bound) {
2154                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p,
2155                                                 ss_padding_len, &auth_info, &out_auth)) {
2156                                         goto err_exit;
2157                                 }
2158                         } else {
2159                                 goto err_exit;
2160                         }
2161                 }
2162         } else {
2163                 ZERO_STRUCT(auth_info);
2164         }
2165         /*
2166          * Create the header, now we know the length.
2167          */
2168
2169         if (prs_offset(&out_auth)) {
2170                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
2171         }
2172
2173         init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
2174                         p->hdr.call_id,
2175                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
2176                         auth_len);
2177
2178         /*
2179          * Marshall the header into the outgoing PDU.
2180          */
2181
2182         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2183                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2184                 goto err_exit;
2185         }
2186
2187         /*
2188          * Now add the RPC_HDR_BA and any auth needed.
2189          */
2190
2191         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2192                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2193                 goto err_exit;
2194         }
2195
2196         if (auth_len) {
2197                 if (ss_padding_len) {
2198                         char pad[SERVER_NDR_PADDING_SIZE];
2199                         memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
2200                         if (!prs_copy_data_in(&p->out_data.frag, pad,
2201                                         ss_padding_len)) {
2202                                 DEBUG(0,("api_pipe_alter_context: failed to add %u "
2203                                         "bytes of pad data.\n",
2204                                         (unsigned int)ss_padding_len));
2205                                 goto err_exit;
2206                         }
2207                 }
2208
2209                 if (!prs_append_prs_data( &p->out_data.frag, &out_auth)) {
2210                         DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2211                         goto err_exit;
2212                 }
2213         }
2214
2215         /*
2216          * Setup the lengths for the initial reply.
2217          */
2218
2219         p->out_data.data_sent_length = 0;
2220         p->out_data.current_pdu_sent = 0;
2221
2222         prs_mem_free(&out_hdr_ba);
2223         prs_mem_free(&out_auth);
2224
2225         return True;
2226
2227   err_exit:
2228
2229         prs_mem_free(&p->out_data.frag);
2230         prs_mem_free(&out_hdr_ba);
2231         prs_mem_free(&out_auth);
2232         return setup_bind_nak(p);
2233 }
2234
2235 /****************************************************************************
2236  Deal with NTLMSSP sign & seal processing on an RPC request.
2237 ****************************************************************************/
2238
2239 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2240                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2241 {
2242         RPC_HDR_AUTH auth_info;
2243         uint32 auth_len = p->hdr.auth_len;
2244         uint32 save_offset = prs_offset(rpc_in);
2245         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2246         unsigned char *data = NULL;
2247         size_t data_len;
2248         unsigned char *full_packet_data = NULL;
2249         size_t full_packet_data_len;
2250         DATA_BLOB auth_blob;
2251
2252         *pstatus = NT_STATUS_OK;
2253
2254         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2255                 return True;
2256         }
2257
2258         if (!a) {
2259                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2260                 return False;
2261         }
2262
2263         /* Ensure there's enough data for an authenticated request. */
2264         if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN
2265                         + auth_len > p->hdr.frag_len) {
2266                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2267                         (unsigned int)auth_len ));
2268                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2269                 return False;
2270         }
2271
2272         /*
2273          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2274          * after the RPC header.
2275          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2276          * functions as NTLMv2 checks the rpc headers also.
2277          * Both of these values include any auth_pad_len bytes.
2278          */
2279
2280         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2281         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2282
2283         full_packet_data = p->in_data.current_in_pdu;
2284         full_packet_data_len = p->hdr.frag_len - auth_len;
2285
2286         /* Pull the auth header and the following data into a blob. */
2287         /* NB. The offset of the auth_header is relative to the *end*
2288          * of the packet, not the start. Also, the length of the
2289          * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2290          * as the RPC header isn't included in rpc_in_p. */
2291         if(!prs_set_offset(rpc_in,
2292                         p->hdr.frag_len - RPC_HEADER_LEN -
2293                         RPC_HDR_AUTH_LEN - auth_len)) {
2294                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move "
2295                         "offset to %u.\n",
2296                         (unsigned int)(p->hdr.frag_len -
2297                                 RPC_HDR_AUTH_LEN - auth_len) ));
2298                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2299                 return False;
2300         }
2301
2302         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2303                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to "
2304                         "unmarshall RPC_HDR_AUTH.\n"));
2305                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2306                 return False;
2307         }
2308
2309         /* Ensure auth_pad_len fits into the packet. */
2310         if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2311                         RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2312                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_info.auth_pad_len "
2313                         "too large (%u), auth_len (%u), frag_len = (%u).\n",
2314                         (unsigned int)auth_info.auth_pad_len,
2315                         (unsigned int)auth_len,
2316                         (unsigned int)p->hdr.frag_len ));
2317                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2318                 return False;
2319         }
2320
2321         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2322         auth_blob.length = auth_len;
2323
2324         switch (p->auth.auth_level) {
2325                 case DCERPC_AUTH_LEVEL_PRIVACY:
2326                         /* Data is encrypted. */
2327                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2328                                                         data, data_len,
2329                                                         full_packet_data,
2330                                                         full_packet_data_len,
2331                                                         &auth_blob);
2332                         if (!NT_STATUS_IS_OK(*pstatus)) {
2333                                 return False;
2334                         }
2335                         break;
2336                 case DCERPC_AUTH_LEVEL_INTEGRITY:
2337                         /* Data is signed. */
2338                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2339                                                         data, data_len,
2340                                                         full_packet_data,
2341                                                         full_packet_data_len,
2342                                                         &auth_blob);
2343                         if (!NT_STATUS_IS_OK(*pstatus)) {
2344                                 return False;
2345                         }
2346                         break;
2347                 default:
2348                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2349                         return False;
2350         }
2351
2352         /*
2353          * Return the current pointer to the data offset.
2354          */
2355
2356         if(!prs_set_offset(rpc_in, save_offset)) {
2357                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2358                         (unsigned int)save_offset ));
2359                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2360                 return False;
2361         }
2362
2363         /*
2364          * Remember the padding length. We must remove it from the real data
2365          * stream once the sign/seal is done.
2366          */
2367
2368         *p_ss_padding_len = auth_info.auth_pad_len;
2369
2370         return True;
2371 }
2372
2373 /****************************************************************************
2374  Deal with schannel processing on an RPC request.
2375 ****************************************************************************/
2376
2377 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2378 {
2379         uint32 data_len;
2380         uint32 auth_len;
2381         uint32 save_offset = prs_offset(rpc_in);
2382         RPC_HDR_AUTH auth_info;
2383         DATA_BLOB blob;
2384         NTSTATUS status;
2385         uint8_t *data;
2386
2387         auth_len = p->hdr.auth_len;
2388
2389         if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2390                         auth_len > RPC_HEADER_LEN +
2391                                         RPC_HDR_REQ_LEN +
2392                                         RPC_HDR_AUTH_LEN +
2393                                         auth_len) {
2394                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2395                 return False;
2396         }
2397
2398         /*
2399          * The following is that length of the data we must verify or unseal.
2400          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2401          * preceeding the auth_data, but does include the auth_pad_len bytes.
2402          */
2403
2404         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2405                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2406                         (unsigned int)p->hdr.frag_len,
2407                         (unsigned int)auth_len ));
2408                 return False;
2409         }
2410
2411         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2412                 RPC_HDR_AUTH_LEN - auth_len;
2413
2414         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2415
2416         /* Pull the auth header and the following data into a blob. */
2417         /* NB. The offset of the auth_header is relative to the *end*
2418          * of the packet, not the start. Also, the length of the
2419          * data in rpc_in_p is p->hdr.frag_len - RPC_HEADER_LEN,
2420          * as the RPC header isn't included in rpc_in_p. */
2421         if(!prs_set_offset(rpc_in,
2422                         p->hdr.frag_len - RPC_HEADER_LEN -
2423                         RPC_HDR_AUTH_LEN - auth_len)) {
2424                 DEBUG(0,("api_pipe_schannel_process: cannot move "
2425                         "offset to %u.\n",
2426                         (unsigned int)(p->hdr.frag_len -
2427                                 RPC_HDR_AUTH_LEN - auth_len) ));
2428                 return False;
2429         }
2430
2431         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2432                 DEBUG(0,("api_pipe_schannel_process: failed to "
2433                         "unmarshall RPC_HDR_AUTH.\n"));
2434                 return False;
2435         }
2436
2437         /* Ensure auth_pad_len fits into the packet. */
2438         if (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + auth_info.auth_pad_len +
2439                         RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len) {
2440                 DEBUG(0,("api_pipe_schannel_process: auth_info.auth_pad_len "
2441                         "too large (%u), auth_len (%u), frag_len = (%u).\n",
2442                         (unsigned int)auth_info.auth_pad_len,
2443                         (unsigned int)auth_len,
2444                         (unsigned int)p->hdr.frag_len ));
2445                 return False;
2446         }
2447
2448         if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2449                 DEBUG(0,("Invalid auth info %d on schannel\n",
2450                          auth_info.auth_type));
2451                 return False;
2452         }
2453
2454         blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2455
2456         if (DEBUGLEVEL >= 10) {
2457                 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2458         }
2459
2460         data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2461
2462         switch (auth_info.auth_level) {
2463         case DCERPC_AUTH_LEVEL_PRIVACY:
2464                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2465                                                 talloc_tos(),
2466                                                 true,
2467                                                 data,
2468                                                 data_len,
2469                                                 &blob);
2470                 break;
2471         case DCERPC_AUTH_LEVEL_INTEGRITY:
2472                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2473                                                 talloc_tos(),
2474                                                 false,
2475                                                 data,
2476                                                 data_len,
2477                                                 &blob);
2478                 break;
2479         default:
2480                 status = NT_STATUS_INTERNAL_ERROR;
2481                 break;
2482         }
2483
2484         if (!NT_STATUS_IS_OK(status)) {
2485                 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2486                 return false;
2487         }
2488
2489         /*
2490          * Return the current pointer to the data offset.
2491          */
2492
2493         if(!prs_set_offset(rpc_in, save_offset)) {
2494                 DEBUG(0,("failed to set offset back to %u\n",
2495                          (unsigned int)save_offset ));
2496                 return False;
2497         }
2498
2499         /*
2500          * Remember the padding length. We must remove it from the real data
2501          * stream once the sign/seal is done.
2502          */
2503
2504         *p_ss_padding_len = auth_info.auth_pad_len;
2505
2506         return True;
2507 }
2508
2509 /****************************************************************************
2510  Find the set of RPC functions associated with this context_id
2511 ****************************************************************************/
2512
2513 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2514 {
2515         PIPE_RPC_FNS *fns = NULL;
2516
2517         if ( !list ) {
2518                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2519                 return NULL;
2520         }
2521
2522         for (fns=list; fns; fns=fns->next ) {
2523                 if ( fns->context_id == context_id )
2524                         return fns;
2525         }
2526         return NULL;
2527 }
2528
2529 /****************************************************************************
2530  Memory cleanup.
2531 ****************************************************************************/
2532
2533 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2534 {
2535         PIPE_RPC_FNS *tmp = list;
2536         PIPE_RPC_FNS *tmp2;
2537
2538         while (tmp) {
2539                 tmp2 = tmp->next;
2540                 SAFE_FREE(tmp);
2541                 tmp = tmp2;
2542         }
2543
2544         return; 
2545 }
2546
2547 static bool api_rpcTNP(pipes_struct *p,
2548                        const struct api_struct *api_rpc_cmds, int n_cmds);
2549
2550 /****************************************************************************
2551  Find the correct RPC function to call for this request.
2552  If the pipe is authenticated then become the correct UNIX user
2553  before doing the call.
2554 ****************************************************************************/
2555
2556 bool api_pipe_request(pipes_struct *p)
2557 {
2558         bool ret = False;
2559         bool changed_user = False;
2560         PIPE_RPC_FNS *pipe_fns;
2561
2562         if (p->pipe_bound &&
2563                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2564                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2565                 if(!become_authenticated_pipe_user(p)) {
2566                         prs_mem_free(&p->out_data.rdata);
2567                         return False;
2568                 }
2569                 changed_user = True;
2570         }
2571
2572         DEBUG(5, ("Requested \\PIPE\\%s\n",
2573                   get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2574
2575         /* get the set of RPC functions for this context */
2576
2577         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2578
2579         if ( pipe_fns ) {
2580                 TALLOC_CTX *frame = talloc_stackframe();
2581                 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2582                 TALLOC_FREE(frame);
2583         }
2584         else {
2585                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2586                         p->hdr_req.context_id,
2587                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2588         }
2589
2590         if (changed_user) {
2591                 unbecome_authenticated_pipe_user();
2592         }
2593
2594         return ret;
2595 }
2596
2597 /*******************************************************************
2598  Calls the underlying RPC function for a named pipe.
2599  ********************************************************************/
2600
2601 static bool api_rpcTNP(pipes_struct *p,
2602                        const struct api_struct *api_rpc_cmds, int n_cmds)
2603 {
2604         int fn_num;
2605         uint32 offset1, offset2;
2606
2607         /* interpret the command */
2608         DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2609                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2610                  p->hdr_req.opnum));
2611
2612         if (DEBUGLEVEL >= 50) {
2613                 fstring name;
2614                 slprintf(name, sizeof(name)-1, "in_%s",
2615                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2616                 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2617         }
2618
2619         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2620                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2621                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2622                         break;
2623                 }
2624         }
2625
2626         if (fn_num == n_cmds) {
2627                 /*
2628                  * For an unknown RPC just return a fault PDU but
2629                  * return True to allow RPC's on the pipe to continue
2630                  * and not put the pipe into fault state. JRA.
2631                  */
2632                 DEBUG(4, ("unknown\n"));
2633                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2634                 return True;
2635         }
2636
2637         offset1 = prs_offset(&p->out_data.rdata);
2638
2639         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2640                 fn_num, api_rpc_cmds[fn_num].fn));
2641         /* do the actual command */
2642         if(!api_rpc_cmds[fn_num].fn(p)) {
2643                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2644                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
2645                          api_rpc_cmds[fn_num].name));
2646                 prs_mem_free(&p->out_data.rdata);
2647                 return False;
2648         }
2649
2650         if (p->bad_handle_fault_state) {
2651                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2652                 p->bad_handle_fault_state = False;
2653                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2654                 return True;
2655         }
2656
2657         if (p->rng_fault_state) {
2658                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2659                 p->rng_fault_state = False;
2660                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2661                 return True;
2662         }
2663
2664         offset2 = prs_offset(&p->out_data.rdata);
2665         prs_set_offset(&p->out_data.rdata, offset1);
2666         if (DEBUGLEVEL >= 50) {
2667                 fstring name;
2668                 slprintf(name, sizeof(name)-1, "out_%s",
2669                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
2670                 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2671         }
2672         prs_set_offset(&p->out_data.rdata, offset2);
2673
2674         DEBUG(5,("api_rpcTNP: called %s successfully\n",
2675                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
2676
2677         /* Check for buffer underflow in rpc parsing */
2678
2679         if ((DEBUGLEVEL >= 10) && 
2680             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2681                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2682                 char *data = (char *)SMB_MALLOC(data_len);
2683
2684                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2685                 if (data) {
2686                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2687                         SAFE_FREE(data);
2688                 }
2689
2690         }
2691
2692         return True;
2693 }