Memory leaks and other fixes found by Coverity
[kai/samba.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005.
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31
32 extern struct current_user current_user;
33
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_RPC_SRV
36
37 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
38 {
39         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
40
41         if (a) {
42                 auth_ntlmssp_end(&a);
43         }
44         auth->a_u.auth_ntlmssp_state = NULL;
45 }
46
47 static DATA_BLOB generic_session_key(void)
48 {
49         return data_blob("SystemLibraryDTC", 16);
50 }
51
52 /*******************************************************************
53  Generate the next PDU to be returned from the data in p->rdata. 
54  Handle NTLMSSP.
55  ********************************************************************/
56
57 static bool create_next_pdu_ntlmssp(pipes_struct *p)
58 {
59         RPC_HDR_RESP hdr_resp;
60         uint32 ss_padding_len = 0;
61         uint32 data_space_available;
62         uint32 data_len_left;
63         uint32 data_len;
64         prs_struct outgoing_pdu;
65         NTSTATUS status;
66         DATA_BLOB auth_blob;
67         RPC_HDR_AUTH auth_info;
68         uint8 auth_type, auth_level;
69         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
70
71         /*
72          * If we're in the fault state, keep returning fault PDU's until
73          * the pipe gets closed. JRA.
74          */
75
76         if(p->fault_state) {
77                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
78                 return True;
79         }
80
81         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
82
83         /* Change the incoming request header to a response. */
84         p->hdr.pkt_type = RPC_RESPONSE;
85
86         /* Set up rpc header flags. */
87         if (p->out_data.data_sent_length == 0) {
88                 p->hdr.flags = RPC_FLG_FIRST;
89         } else {
90                 p->hdr.flags = 0;
91         }
92
93         /*
94          * Work out how much we can fit in a single PDU.
95          */
96
97         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
98
99         /*
100          * Ensure there really is data left to send.
101          */
102
103         if(!data_len_left) {
104                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
105                 return False;
106         }
107
108         data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
109                                         RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
110
111         /*
112          * The amount we send is the minimum of the available
113          * space and the amount left to send.
114          */
115
116         data_len = MIN(data_len_left, data_space_available);
117
118         /*
119          * Set up the alloc hint. This should be the data left to
120          * send.
121          */
122
123         hdr_resp.alloc_hint = data_len_left;
124
125         /*
126          * Work out if this PDU will be the last.
127          */
128
129         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
130                 p->hdr.flags |= RPC_FLG_LAST;
131                 if (data_len_left % 8) {
132                         ss_padding_len = 8 - (data_len_left % 8);
133                         DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
134                                 ss_padding_len ));
135                 }
136         }
137
138         /*
139          * Set up the header lengths.
140          */
141
142         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
143                         data_len + ss_padding_len +
144                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
145         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
146
147
148         /*
149          * Init the parse struct to point at the outgoing
150          * data.
151          */
152
153         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
154         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
155
156         /* Store the header in the data stream. */
157         if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
158                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
159                 prs_mem_free(&outgoing_pdu);
160                 return False;
161         }
162
163         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
164                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
165                 prs_mem_free(&outgoing_pdu);
166                 return False;
167         }
168
169         /* Copy the data into the PDU. */
170
171         if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
172                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
173                 prs_mem_free(&outgoing_pdu);
174                 return False;
175         }
176
177         /* Copy the sign/seal padding data. */
178         if (ss_padding_len) {
179                 char pad[8];
180
181                 memset(pad, '\0', 8);
182                 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
183                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
184                                         (unsigned int)ss_padding_len));
185                         prs_mem_free(&outgoing_pdu);
186                         return False;
187                 }
188         }
189
190
191         /* Now write out the auth header and null blob. */
192         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
193                 auth_type = RPC_NTLMSSP_AUTH_TYPE;
194         } else {
195                 auth_type = RPC_SPNEGO_AUTH_TYPE;
196         }
197         if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
198                 auth_level = RPC_AUTH_LEVEL_PRIVACY;
199         } else {
200                 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
201         }
202
203         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
204         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
205                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
206                 prs_mem_free(&outgoing_pdu);
207                 return False;
208         }
209
210         /* Generate the sign blob. */
211
212         switch (p->auth.auth_level) {
213                 case PIPE_AUTH_LEVEL_PRIVACY:
214                         /* Data portion is encrypted. */
215                         status = ntlmssp_seal_packet(a->ntlmssp_state,
216                                                         (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
217                                                         data_len + ss_padding_len,
218                                                         (unsigned char *)prs_data_p(&outgoing_pdu),
219                                                         (size_t)prs_offset(&outgoing_pdu),
220                                                         &auth_blob);
221                         if (!NT_STATUS_IS_OK(status)) {
222                                 data_blob_free(&auth_blob);
223                                 prs_mem_free(&outgoing_pdu);
224                                 return False;
225                         }
226                         break;
227                 case PIPE_AUTH_LEVEL_INTEGRITY:
228                         /* Data is signed. */
229                         status = ntlmssp_sign_packet(a->ntlmssp_state,
230                                                         (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
231                                                         data_len + ss_padding_len,
232                                                         (unsigned char *)prs_data_p(&outgoing_pdu),
233                                                         (size_t)prs_offset(&outgoing_pdu),
234                                                         &auth_blob);
235                         if (!NT_STATUS_IS_OK(status)) {
236                                 data_blob_free(&auth_blob);
237                                 prs_mem_free(&outgoing_pdu);
238                                 return False;
239                         }
240                         break;
241                 default:
242                         prs_mem_free(&outgoing_pdu);
243                         return False;
244         }
245
246         /* Append the auth blob. */
247         if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
248                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
249                                 (unsigned int)NTLMSSP_SIG_SIZE));
250                 data_blob_free(&auth_blob);
251                 prs_mem_free(&outgoing_pdu);
252                 return False;
253         }
254
255         data_blob_free(&auth_blob);
256
257         /*
258          * Setup the counts for this PDU.
259          */
260
261         p->out_data.data_sent_length += data_len;
262         p->out_data.current_pdu_len = p->hdr.frag_len;
263         p->out_data.current_pdu_sent = 0;
264
265         prs_mem_free(&outgoing_pdu);
266         return True;
267 }
268
269 /*******************************************************************
270  Generate the next PDU to be returned from the data in p->rdata. 
271  Return an schannel authenticated fragment.
272  ********************************************************************/
273
274 static bool create_next_pdu_schannel(pipes_struct *p)
275 {
276         RPC_HDR_RESP hdr_resp;
277         uint32 ss_padding_len = 0;
278         uint32 data_len;
279         uint32 data_space_available;
280         uint32 data_len_left;
281         prs_struct outgoing_pdu;
282         uint32 data_pos;
283
284         /*
285          * If we're in the fault state, keep returning fault PDU's until
286          * the pipe gets closed. JRA.
287          */
288
289         if(p->fault_state) {
290                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
291                 return True;
292         }
293
294         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
295
296         /* Change the incoming request header to a response. */
297         p->hdr.pkt_type = RPC_RESPONSE;
298
299         /* Set up rpc header flags. */
300         if (p->out_data.data_sent_length == 0) {
301                 p->hdr.flags = RPC_FLG_FIRST;
302         } else {
303                 p->hdr.flags = 0;
304         }
305
306         /*
307          * Work out how much we can fit in a single PDU.
308          */
309
310         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
311
312         /*
313          * Ensure there really is data left to send.
314          */
315
316         if(!data_len_left) {
317                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
318                 return False;
319         }
320
321         data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
322                                         RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
323
324         /*
325          * The amount we send is the minimum of the available
326          * space and the amount left to send.
327          */
328
329         data_len = MIN(data_len_left, data_space_available);
330
331         /*
332          * Set up the alloc hint. This should be the data left to
333          * send.
334          */
335
336         hdr_resp.alloc_hint = data_len_left;
337
338         /*
339          * Work out if this PDU will be the last.
340          */
341
342         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
343                 p->hdr.flags |= RPC_FLG_LAST;
344                 if (data_len_left % 8) {
345                         ss_padding_len = 8 - (data_len_left % 8);
346                         DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
347                                 ss_padding_len ));
348                 }
349         }
350
351         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
352                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
353         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
354
355         /*
356          * Init the parse struct to point at the outgoing
357          * data.
358          */
359
360         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
361         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
362
363         /* Store the header in the data stream. */
364         if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
365                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
366                 prs_mem_free(&outgoing_pdu);
367                 return False;
368         }
369
370         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
371                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
372                 prs_mem_free(&outgoing_pdu);
373                 return False;
374         }
375
376         /* Store the current offset. */
377         data_pos = prs_offset(&outgoing_pdu);
378
379         /* Copy the data into the PDU. */
380
381         if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
382                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
383                 prs_mem_free(&outgoing_pdu);
384                 return False;
385         }
386
387         /* Copy the sign/seal padding data. */
388         if (ss_padding_len) {
389                 char pad[8];
390                 memset(pad, '\0', 8);
391                 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
392                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
393                         prs_mem_free(&outgoing_pdu);
394                         return False;
395                 }
396         }
397
398         {
399                 /*
400                  * Schannel processing.
401                  */
402                 char *data;
403                 RPC_HDR_AUTH auth_info;
404                 RPC_AUTH_SCHANNEL_CHK verf;
405
406                 data = prs_data_p(&outgoing_pdu) + data_pos;
407                 /* Check it's the type of reply we were expecting to decode */
408
409                 init_rpc_hdr_auth(&auth_info,
410                                 RPC_SCHANNEL_AUTH_TYPE,
411                                 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
412                                         RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
413                                 ss_padding_len, 1);
414
415                 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
416                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
417                         prs_mem_free(&outgoing_pdu);
418                         return False;
419                 }
420
421                 schannel_encode(p->auth.a_u.schannel_auth, 
422                               p->auth.auth_level,
423                               SENDER_IS_ACCEPTOR,
424                               &verf, data, data_len + ss_padding_len);
425
426                 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, 
427                                 &verf, &outgoing_pdu, 0)) {
428                         prs_mem_free(&outgoing_pdu);
429                         return False;
430                 }
431
432                 p->auth.a_u.schannel_auth->seq_num++;
433         }
434
435         /*
436          * Setup the counts for this PDU.
437          */
438
439         p->out_data.data_sent_length += data_len;
440         p->out_data.current_pdu_len = p->hdr.frag_len;
441         p->out_data.current_pdu_sent = 0;
442
443         prs_mem_free(&outgoing_pdu);
444         return True;
445 }
446
447 /*******************************************************************
448  Generate the next PDU to be returned from the data in p->rdata. 
449  No authentication done.
450 ********************************************************************/
451
452 static bool create_next_pdu_noauth(pipes_struct *p)
453 {
454         RPC_HDR_RESP hdr_resp;
455         uint32 data_len;
456         uint32 data_space_available;
457         uint32 data_len_left;
458         prs_struct outgoing_pdu;
459
460         /*
461          * If we're in the fault state, keep returning fault PDU's until
462          * the pipe gets closed. JRA.
463          */
464
465         if(p->fault_state) {
466                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
467                 return True;
468         }
469
470         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
471
472         /* Change the incoming request header to a response. */
473         p->hdr.pkt_type = RPC_RESPONSE;
474
475         /* Set up rpc header flags. */
476         if (p->out_data.data_sent_length == 0) {
477                 p->hdr.flags = RPC_FLG_FIRST;
478         } else {
479                 p->hdr.flags = 0;
480         }
481
482         /*
483          * Work out how much we can fit in a single PDU.
484          */
485
486         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
487
488         /*
489          * Ensure there really is data left to send.
490          */
491
492         if(!data_len_left) {
493                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
494                 return False;
495         }
496
497         data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
498
499         /*
500          * The amount we send is the minimum of the available
501          * space and the amount left to send.
502          */
503
504         data_len = MIN(data_len_left, data_space_available);
505
506         /*
507          * Set up the alloc hint. This should be the data left to
508          * send.
509          */
510
511         hdr_resp.alloc_hint = data_len_left;
512
513         /*
514          * Work out if this PDU will be the last.
515          */
516
517         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
518                 p->hdr.flags |= RPC_FLG_LAST;
519         }
520
521         /*
522          * Set up the header lengths.
523          */
524
525         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
526         p->hdr.auth_len = 0;
527
528         /*
529          * Init the parse struct to point at the outgoing
530          * data.
531          */
532
533         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
534         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
535
536         /* Store the header in the data stream. */
537         if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
538                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
539                 prs_mem_free(&outgoing_pdu);
540                 return False;
541         }
542
543         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
544                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
545                 prs_mem_free(&outgoing_pdu);
546                 return False;
547         }
548
549         /* Copy the data into the PDU. */
550
551         if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
552                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
553                 prs_mem_free(&outgoing_pdu);
554                 return False;
555         }
556
557         /*
558          * Setup the counts for this PDU.
559          */
560
561         p->out_data.data_sent_length += data_len;
562         p->out_data.current_pdu_len = p->hdr.frag_len;
563         p->out_data.current_pdu_sent = 0;
564
565         prs_mem_free(&outgoing_pdu);
566         return True;
567 }
568
569 /*******************************************************************
570  Generate the next PDU to be returned from the data in p->rdata. 
571 ********************************************************************/
572
573 bool create_next_pdu(pipes_struct *p)
574 {
575         switch(p->auth.auth_level) {
576                 case PIPE_AUTH_LEVEL_NONE:
577                 case PIPE_AUTH_LEVEL_CONNECT:
578                         /* This is incorrect for auth level connect. Fixme. JRA */
579                         return create_next_pdu_noauth(p);
580
581                 default:
582                         switch(p->auth.auth_type) {
583                                 case PIPE_AUTH_TYPE_NTLMSSP:
584                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
585                                         return create_next_pdu_ntlmssp(p);
586                                 case PIPE_AUTH_TYPE_SCHANNEL:
587                                         return create_next_pdu_schannel(p);
588                                 default:
589                                         break;
590                         }
591         }
592
593         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
594                         (unsigned int)p->auth.auth_level,
595                         (unsigned int)p->auth.auth_type));
596         return False;
597 }
598
599 /*******************************************************************
600  Process an NTLMSSP authentication response.
601  If this function succeeds, the user has been authenticated
602  and their domain, name and calling workstation stored in
603  the pipe struct.
604 *******************************************************************/
605
606 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
607 {
608         DATA_BLOB session_key, reply;
609         NTSTATUS status;
610         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
611         bool ret;
612
613         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
614
615         ZERO_STRUCT(reply);
616
617         /* this has to be done as root in order to verify the password */
618         become_root();
619         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
620         unbecome_root();
621
622         /* Don't generate a reply. */
623         data_blob_free(&reply);
624
625         if (!NT_STATUS_IS_OK(status)) {
626                 return False;
627         }
628
629         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
630            ensure the underlying NTLMSSP flags are also set. If not we should
631            refuse the bind. */
632
633         if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
634                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
635                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
636                                 "but client declined signing.\n",
637                                         p->name ));
638                         return False;
639                 }
640         }
641         if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
642                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
643                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
644                                 "but client declined sealing.\n",
645                                         p->name ));
646                         return False;
647                 }
648         }
649
650         DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
651                   "workstation: %s\n", a->ntlmssp_state->user,
652                   a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
653
654         if (a->server_info->ptok == NULL) {
655                 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
656                 return False;
657         }
658
659         TALLOC_FREE(p->server_info);
660
661         p->server_info = copy_serverinfo(p, a->server_info);
662         if (p->server_info == NULL) {
663                 DEBUG(0, ("copy_serverinfo failed\n"));
664                 return false;
665         }
666
667         /*
668          * We're an authenticated bind over smb, so the session key needs to
669          * be set to "SystemLibraryDTC". Weird, but this is what Windows
670          * does. See the RPC-SAMBA3SESSIONKEY.
671          */
672
673         session_key = generic_session_key();
674         if (session_key.data == NULL) {
675                 return False;
676         }
677
678         ret = server_info_set_session_key(p->server_info, session_key);
679
680         data_blob_free(&session_key);
681
682         return True;
683 }
684
685 /*******************************************************************
686  The switch table for the pipe names and the functions to handle them.
687 *******************************************************************/
688
689 struct rpc_table {
690         struct {
691                 const char *clnt;
692                 const char *srv;
693         } pipe;
694         struct ndr_syntax_id rpc_interface;
695         const struct api_struct *cmds;
696         int n_cmds;
697 };
698
699 static struct rpc_table *rpc_lookup;
700 static int rpc_lookup_size;
701
702 /*******************************************************************
703  This is the "stage3" NTLMSSP response after a bind request and reply.
704 *******************************************************************/
705
706 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
707 {
708         RPC_HDR_AUTH auth_info;
709         uint32 pad = 0;
710         DATA_BLOB blob;
711
712         ZERO_STRUCT(blob);
713
714         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
715
716         if (p->hdr.auth_len == 0) {
717                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
718                 goto err;
719         }
720
721         /* 4 bytes padding. */
722         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
723                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
724                 goto err;
725         }
726
727         /*
728          * Decode the authentication verifier response.
729          */
730
731         if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
732                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
733                 goto err;
734         }
735
736         if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
737                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
738                         (unsigned int)auth_info.auth_type ));
739                 return False;
740         }
741
742         blob = data_blob(NULL,p->hdr.auth_len);
743
744         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
745                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
746                         (unsigned int)p->hdr.auth_len ));
747                 goto err;
748         }
749
750         /*
751          * The following call actually checks the challenge/response data.
752          * for correctness against the given DOMAIN\user name.
753          */
754
755         if (!pipe_ntlmssp_verify_final(p, &blob)) {
756                 goto err;
757         }
758
759         data_blob_free(&blob);
760
761         p->pipe_bound = True;
762
763         return True;
764
765  err:
766
767         data_blob_free(&blob);
768         free_pipe_ntlmssp_auth_data(&p->auth);
769         p->auth.a_u.auth_ntlmssp_state = NULL;
770
771         return False;
772 }
773
774 /*******************************************************************
775  Marshall a bind_nak pdu.
776 *******************************************************************/
777
778 static bool setup_bind_nak(pipes_struct *p)
779 {
780         prs_struct outgoing_rpc;
781         RPC_HDR nak_hdr;
782         uint16 zero = 0;
783
784         /* Free any memory in the current return data buffer. */
785         prs_mem_free(&p->out_data.rdata);
786
787         /*
788          * Marshall directly into the outgoing PDU space. We
789          * must do this as we need to set to the bind response
790          * header and are never sending more than one PDU here.
791          */
792
793         prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
794         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
795
796         /*
797          * Initialize a bind_nak header.
798          */
799
800         init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
801                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
802
803         /*
804          * Marshall the header into the outgoing PDU.
805          */
806
807         if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
808                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
809                 prs_mem_free(&outgoing_rpc);
810                 return False;
811         }
812
813         /*
814          * Now add the reject reason.
815          */
816
817         if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
818                 prs_mem_free(&outgoing_rpc);
819                 return False;
820         }
821
822         p->out_data.data_sent_length = 0;
823         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
824         p->out_data.current_pdu_sent = 0;
825
826         if (p->auth.auth_data_free_func) {
827                 (*p->auth.auth_data_free_func)(&p->auth);
828         }
829         p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
830         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
831         p->pipe_bound = False;
832
833         return True;
834 }
835
836 /*******************************************************************
837  Marshall a fault pdu.
838 *******************************************************************/
839
840 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
841 {
842         prs_struct outgoing_pdu;
843         RPC_HDR fault_hdr;
844         RPC_HDR_RESP hdr_resp;
845         RPC_HDR_FAULT fault_resp;
846
847         /* Free any memory in the current return data buffer. */
848         prs_mem_free(&p->out_data.rdata);
849
850         /*
851          * Marshall directly into the outgoing PDU space. We
852          * must do this as we need to set to the bind response
853          * header and are never sending more than one PDU here.
854          */
855
856         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
857         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
858
859         /*
860          * Initialize a fault header.
861          */
862
863         init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
864             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
865
866         /*
867          * Initialize the HDR_RESP and FAULT parts of the PDU.
868          */
869
870         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
871
872         fault_resp.status = status;
873         fault_resp.reserved = 0;
874
875         /*
876          * Marshall the header into the outgoing PDU.
877          */
878
879         if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
880                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
881                 prs_mem_free(&outgoing_pdu);
882                 return False;
883         }
884
885         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
886                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
887                 prs_mem_free(&outgoing_pdu);
888                 return False;
889         }
890
891         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
892                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
893                 prs_mem_free(&outgoing_pdu);
894                 return False;
895         }
896
897         p->out_data.data_sent_length = 0;
898         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
899         p->out_data.current_pdu_sent = 0;
900
901         prs_mem_free(&outgoing_pdu);
902         return True;
903 }
904
905 #if 0
906 /*******************************************************************
907  Marshall a cancel_ack pdu.
908  We should probably check the auth-verifier here.
909 *******************************************************************/
910
911 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
912 {
913         prs_struct outgoing_pdu;
914         RPC_HDR ack_reply_hdr;
915
916         /* Free any memory in the current return data buffer. */
917         prs_mem_free(&p->out_data.rdata);
918
919         /*
920          * Marshall directly into the outgoing PDU space. We
921          * must do this as we need to set to the bind response
922          * header and are never sending more than one PDU here.
923          */
924
925         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
926         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
927
928         /*
929          * Initialize a cancel_ack header.
930          */
931
932         init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
933                         p->hdr.call_id, RPC_HEADER_LEN, 0);
934
935         /*
936          * Marshall the header into the outgoing PDU.
937          */
938
939         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
940                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
941                 prs_mem_free(&outgoing_pdu);
942                 return False;
943         }
944
945         p->out_data.data_sent_length = 0;
946         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
947         p->out_data.current_pdu_sent = 0;
948
949         prs_mem_free(&outgoing_pdu);
950         return True;
951 }
952 #endif
953
954 /*******************************************************************
955  Ensure a bind request has the correct abstract & transfer interface.
956  Used to reject unknown binds from Win2k.
957 *******************************************************************/
958
959 bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
960                     RPC_IFACE* transfer, uint32 context_id)
961 {
962         int i=0;
963         struct pipe_rpc_fns *context_fns;
964
965         DEBUG(3,("check_bind_req for %s\n", p->name));
966
967         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
968
969         for (i=0; i<rpc_lookup_size; i++) {
970                 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
971                 if (strequal(rpc_lookup[i].pipe.clnt, p->name)
972                     && ndr_syntax_id_equal(
973                             abstract, &rpc_lookup[i].rpc_interface)
974                     && ndr_syntax_id_equal(
975                             transfer, &ndr_transfer_syntax)) {
976                         break;
977                 }
978         }
979
980         if (i == rpc_lookup_size) {
981                 return false;
982         }
983
984         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
985         if (context_fns == NULL) {
986                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
987                 return False;
988         }
989
990         context_fns->cmds = rpc_lookup[i].cmds;
991         context_fns->n_cmds = rpc_lookup[i].n_cmds;
992         context_fns->context_id = context_id;
993
994         /* add to the list of open contexts */
995
996         DLIST_ADD( p->contexts, context_fns );
997
998         return True;
999 }
1000
1001 /*******************************************************************
1002  Register commands to an RPC pipe
1003 *******************************************************************/
1004
1005 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1006                           const struct ndr_interface_table *iface,
1007                           const struct api_struct *cmds, int size)
1008 {
1009         struct rpc_table *rpc_entry;
1010
1011         if (!clnt || !srv || !cmds) {
1012                 return NT_STATUS_INVALID_PARAMETER;
1013         }
1014
1015         if (version != SMB_RPC_INTERFACE_VERSION) {
1016                 DEBUG(0,("Can't register rpc commands!\n"
1017                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1018                          ", while this version of samba uses version %d!\n", 
1019                          version,SMB_RPC_INTERFACE_VERSION));
1020                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1021         }
1022
1023         /* TODO: 
1024          *
1025          * we still need to make sure that don't register the same commands twice!!!
1026          * 
1027          * --metze
1028          */
1029
1030         /* We use a temporary variable because this call can fail and 
1031            rpc_lookup will still be valid afterwards.  It could then succeed if
1032            called again later */
1033         rpc_lookup_size++;
1034         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1035         if (NULL == rpc_entry) {
1036                 rpc_lookup_size--;
1037                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1038                 return NT_STATUS_NO_MEMORY;
1039         } else {
1040                 rpc_lookup = rpc_entry;
1041         }
1042
1043         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1044         ZERO_STRUCTP(rpc_entry);
1045         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1046         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1047         rpc_entry->rpc_interface = iface->syntax_id;
1048         rpc_entry->cmds = cmds;
1049         rpc_entry->n_cmds = size;
1050
1051         return NT_STATUS_OK;
1052 }
1053
1054 /**
1055  * Is a named pipe known?
1056  * @param[in] cli_filename      The pipe name requested by the client
1057  * @result                      Do we want to serve this?
1058  */
1059 bool is_known_pipename(const char *cli_filename)
1060 {
1061         const char *pipename = cli_filename;
1062         int i;
1063
1064         if (strnequal(pipename, "\\PIPE\\", 6)) {
1065                 pipename += 5;
1066         }
1067
1068         if (*pipename == '\\') {
1069                 pipename += 1;
1070         }
1071
1072         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1073                 DEBUG(10, ("refusing spoolss access\n"));
1074                 return false;
1075         }
1076
1077         for (i=0; i<rpc_lookup_size; i++) {
1078                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1079                         return true;
1080                 }
1081         }
1082
1083         DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1084         return false;
1085 }
1086
1087 /*******************************************************************
1088  Handle a SPNEGO krb5 bind auth.
1089 *******************************************************************/
1090
1091 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1092                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1093 {
1094         return False;
1095 }
1096
1097 /*******************************************************************
1098  Handle the first part of a SPNEGO bind auth.
1099 *******************************************************************/
1100
1101 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1102                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1103 {
1104         DATA_BLOB blob;
1105         DATA_BLOB secblob;
1106         DATA_BLOB response;
1107         DATA_BLOB chal;
1108         char *OIDs[ASN1_MAX_OIDS];
1109         int i;
1110         NTSTATUS status;
1111         bool got_kerberos_mechanism = false;
1112         AUTH_NTLMSSP_STATE *a = NULL;
1113         RPC_HDR_AUTH auth_info;
1114
1115         ZERO_STRUCT(secblob);
1116         ZERO_STRUCT(chal);
1117         ZERO_STRUCT(response);
1118
1119         /* Grab the SPNEGO blob. */
1120         blob = data_blob(NULL,p->hdr.auth_len);
1121
1122         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1123                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1124                         (unsigned int)p->hdr.auth_len ));
1125                 goto err;
1126         }
1127
1128         if (blob.data[0] != ASN1_APPLICATION(0)) {
1129                 goto err;
1130         }
1131
1132         /* parse out the OIDs and the first sec blob */
1133         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1134                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1135                 goto err;
1136         }
1137
1138         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1139                 got_kerberos_mechanism = true;
1140         }
1141
1142         for (i=0;OIDs[i];i++) {
1143                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1144                 TALLOC_FREE(OIDs[i]);
1145         }
1146         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1147
1148         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1149                 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1150                 data_blob_free(&secblob);
1151                 data_blob_free(&blob);
1152                 return ret;
1153         }
1154
1155         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1156                 /* Free any previous auth type. */
1157                 free_pipe_ntlmssp_auth_data(&p->auth);
1158         }
1159
1160         if (!got_kerberos_mechanism) {
1161                 /* Initialize the NTLM engine. */
1162                 status = auth_ntlmssp_start(&a);
1163                 if (!NT_STATUS_IS_OK(status)) {
1164                         goto err;
1165                 }
1166
1167                 /*
1168                  * Pass the first security blob of data to it.
1169                  * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1170                  * which means we need another packet to complete the bind.
1171                  */
1172
1173                 status = auth_ntlmssp_update(a, secblob, &chal);
1174
1175                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1176                         DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1177                         goto err;
1178                 }
1179
1180                 /* Generate the response blob we need for step 2 of the bind. */
1181                 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1182         } else {
1183                 /*
1184                  * SPNEGO negotiate down to NTLMSSP. The subsequent
1185                  * code to process follow-up packets is not complete
1186                  * yet. JRA.
1187                  */
1188                 response = spnego_gen_auth_response(NULL,
1189                                         NT_STATUS_MORE_PROCESSING_REQUIRED,
1190                                         OID_NTLMSSP);
1191         }
1192
1193         /* Copy the blob into the pout_auth parse struct */
1194         init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1195         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1196                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1197                 goto err;
1198         }
1199
1200         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1201                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1202                 goto err;
1203         }
1204
1205         p->auth.a_u.auth_ntlmssp_state = a;
1206         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1207         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1208
1209         data_blob_free(&blob);
1210         data_blob_free(&secblob);
1211         data_blob_free(&chal);
1212         data_blob_free(&response);
1213
1214         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1215         return True;
1216
1217  err:
1218
1219         data_blob_free(&blob);
1220         data_blob_free(&secblob);
1221         data_blob_free(&chal);
1222         data_blob_free(&response);
1223
1224         p->auth.a_u.auth_ntlmssp_state = NULL;
1225
1226         return False;
1227 }
1228
1229 /*******************************************************************
1230  Handle the second part of a SPNEGO bind auth.
1231 *******************************************************************/
1232
1233 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1234                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1235 {
1236         RPC_HDR_AUTH auth_info;
1237         DATA_BLOB spnego_blob;
1238         DATA_BLOB auth_blob;
1239         DATA_BLOB auth_reply;
1240         DATA_BLOB response;
1241         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1242
1243         ZERO_STRUCT(spnego_blob);
1244         ZERO_STRUCT(auth_blob);
1245         ZERO_STRUCT(auth_reply);
1246         ZERO_STRUCT(response);
1247
1248         /*
1249          * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1250          * fail here as 'a' == NULL.
1251          */
1252         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1253                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1254                 goto err;
1255         }
1256
1257         /* Grab the SPNEGO blob. */
1258         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1259
1260         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1261                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1262                         (unsigned int)p->hdr.auth_len ));
1263                 goto err;
1264         }
1265
1266         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1267                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1268                 goto err;
1269         }
1270
1271         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1272                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1273                 goto err;
1274         }
1275
1276         /*
1277          * The following call actually checks the challenge/response data.
1278          * for correctness against the given DOMAIN\user name.
1279          */
1280
1281         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1282                 goto err;
1283         }
1284
1285         data_blob_free(&spnego_blob);
1286         data_blob_free(&auth_blob);
1287
1288         /* Generate the spnego "accept completed" blob - no incoming data. */
1289         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1290
1291         /* Copy the blob into the pout_auth parse struct */
1292         init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1293         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1294                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1295                 goto err;
1296         }
1297
1298         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1299                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1300                 goto err;
1301         }
1302
1303         data_blob_free(&auth_reply);
1304         data_blob_free(&response);
1305
1306         p->pipe_bound = True;
1307
1308         return True;
1309
1310  err:
1311
1312         data_blob_free(&spnego_blob);
1313         data_blob_free(&auth_blob);
1314         data_blob_free(&auth_reply);
1315         data_blob_free(&response);
1316
1317         free_pipe_ntlmssp_auth_data(&p->auth);
1318         p->auth.a_u.auth_ntlmssp_state = NULL;
1319
1320         return False;
1321 }
1322
1323 /*******************************************************************
1324  Handle an schannel bind auth.
1325 *******************************************************************/
1326
1327 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1328                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1329 {
1330         RPC_HDR_AUTH auth_info;
1331         RPC_AUTH_SCHANNEL_NEG neg;
1332         RPC_AUTH_VERIFIER auth_verifier;
1333         bool ret;
1334         struct dcinfo *pdcinfo;
1335         uint32 flags;
1336         DATA_BLOB session_key;
1337
1338         if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1339                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1340                 return False;
1341         }
1342
1343         /*
1344          * The neg.myname key here must match the remote computer name
1345          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1346          * operations that use credentials.
1347          */
1348
1349         become_root();
1350         ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1351         unbecome_root();
1352
1353         if (!ret) {
1354                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1355                 return False;
1356         }
1357
1358         p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
1359         if (!p->auth.a_u.schannel_auth) {
1360                 TALLOC_FREE(pdcinfo);
1361                 return False;
1362         }
1363
1364         memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1365         memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1366                         sizeof(pdcinfo->sess_key));
1367
1368         TALLOC_FREE(pdcinfo);
1369
1370         p->auth.a_u.schannel_auth->seq_num = 0;
1371
1372         /*
1373          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1374          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1375          * struct of the person who opened the pipe. I need to test this further. JRA.
1376          *
1377          * VL. As we are mapping this to guest set the generic key
1378          * "SystemLibraryDTC" key here. It's a bit difficult to test against
1379          * W2k3, as it does not allow schannel binds against SAMR and LSA
1380          * anymore.
1381          */
1382
1383         session_key = generic_session_key();
1384         if (session_key.data == NULL) {
1385                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1386                           " key\n"));
1387                 return false;
1388         }
1389
1390         ret = server_info_set_session_key(p->server_info, session_key);
1391
1392         data_blob_free(&session_key);
1393
1394         if (!ret) {
1395                 DEBUG(0, ("server_info_set_session_key failed\n"));
1396                 return false;
1397         }
1398
1399         init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1400         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1401                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1402                 return False;
1403         }
1404
1405         /*** SCHANNEL verifier ***/
1406
1407         init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1408         if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1409                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1410                 return False;
1411         }
1412
1413         prs_align(pout_auth);
1414
1415         flags = 5;
1416         if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1417                 return False;
1418         }
1419
1420         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1421                 neg.domain, neg.myname));
1422
1423         /* We're finished with this bind - no more packets. */
1424         p->auth.auth_data_free_func = NULL;
1425         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1426
1427         p->pipe_bound = True;
1428
1429         return True;
1430 }
1431
1432 /*******************************************************************
1433  Handle an NTLMSSP bind auth.
1434 *******************************************************************/
1435
1436 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1437                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1438 {
1439         RPC_HDR_AUTH auth_info;
1440         DATA_BLOB blob;
1441         DATA_BLOB response;
1442         NTSTATUS status;
1443         AUTH_NTLMSSP_STATE *a = NULL;
1444
1445         ZERO_STRUCT(blob);
1446         ZERO_STRUCT(response);
1447
1448         /* Grab the NTLMSSP blob. */
1449         blob = data_blob(NULL,p->hdr.auth_len);
1450
1451         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1452                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1453                         (unsigned int)p->hdr.auth_len ));
1454                 goto err;
1455         }
1456
1457         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1458                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1459                 goto err;
1460         }
1461
1462         /* We have an NTLMSSP blob. */
1463         status = auth_ntlmssp_start(&a);
1464         if (!NT_STATUS_IS_OK(status)) {
1465                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1466                         nt_errstr(status) ));
1467                 goto err;
1468         }
1469
1470         status = auth_ntlmssp_update(a, blob, &response);
1471         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1472                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1473                         nt_errstr(status) ));
1474                 goto err;
1475         }
1476
1477         data_blob_free(&blob);
1478
1479         /* Copy the blob into the pout_auth parse struct */
1480         init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1481         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1482                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1483                 goto err;
1484         }
1485
1486         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1487                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1488                 goto err;
1489         }
1490
1491         p->auth.a_u.auth_ntlmssp_state = a;
1492         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1493         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1494
1495         data_blob_free(&blob);
1496         data_blob_free(&response);
1497
1498         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1499
1500         /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1501         return True;
1502
1503   err:
1504
1505         data_blob_free(&blob);
1506         data_blob_free(&response);
1507
1508         free_pipe_ntlmssp_auth_data(&p->auth);
1509         p->auth.a_u.auth_ntlmssp_state = NULL;
1510         return False;
1511 }
1512
1513 /*******************************************************************
1514  Respond to a pipe bind request.
1515 *******************************************************************/
1516
1517 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1518 {
1519         RPC_HDR_BA hdr_ba;
1520         RPC_HDR_RB hdr_rb;
1521         RPC_HDR_AUTH auth_info;
1522         uint16 assoc_gid;
1523         fstring ack_pipe_name;
1524         prs_struct out_hdr_ba;
1525         prs_struct out_auth;
1526         prs_struct outgoing_rpc;
1527         int i = 0;
1528         int auth_len = 0;
1529         unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1530
1531         /* No rebinds on a bound pipe - use alter context. */
1532         if (p->pipe_bound) {
1533                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1534                 return setup_bind_nak(p);
1535         }
1536
1537         prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1538
1539         /* 
1540          * Marshall directly into the outgoing PDU space. We
1541          * must do this as we need to set to the bind response
1542          * header and are never sending more than one PDU here.
1543          */
1544
1545         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1546
1547         /*
1548          * Setup the memory to marshall the ba header, and the
1549          * auth footers.
1550          */
1551
1552         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1553                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1554                 prs_mem_free(&outgoing_rpc);
1555                 return False;
1556         }
1557
1558         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1559                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1560                 prs_mem_free(&outgoing_rpc);
1561                 prs_mem_free(&out_hdr_ba);
1562                 return False;
1563         }
1564
1565         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1566
1567         ZERO_STRUCT(hdr_rb);
1568
1569         /* decode the bind request */
1570
1571         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1572                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1573                          "struct.\n"));
1574                 goto err_exit;
1575         }
1576
1577         if (hdr_rb.num_contexts == 0) {
1578                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1579                 goto err_exit;
1580         }
1581
1582         /*
1583          * Try and find the correct pipe name to ensure
1584          * that this is a pipe name we support.
1585          */
1586
1587         for (i = 0; i < rpc_lookup_size; i++) {
1588                 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1589                                         &hdr_rb.rpc_context[0].abstract)) {
1590                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1591                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1592                         fstrcpy(p->name, rpc_lookup[i].pipe.clnt);
1593                         fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1594                         break;
1595                 }
1596         }
1597
1598         if (i == rpc_lookup_size) {
1599                 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1600                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1601                                 p->name ));
1602                         prs_mem_free(&outgoing_rpc);
1603                         prs_mem_free(&out_hdr_ba);
1604                         prs_mem_free(&out_auth);
1605
1606                         return setup_bind_nak(p);
1607                 }
1608
1609                 for (i = 0; i < rpc_lookup_size; i++) {
1610                        if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1611                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1612                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1613                                fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1614                                break;
1615                        }
1616                 }
1617
1618                 if (i == rpc_lookup_size) {
1619                         DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1620                         goto err_exit;
1621                 }
1622         }
1623
1624         /* name has to be \PIPE\xxxxx */
1625         fstrcpy(ack_pipe_name, "\\PIPE\\");
1626         fstrcat(ack_pipe_name, p->pipe_srv_name);
1627
1628         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1629
1630         /*
1631          * Check if this is an authenticated bind request.
1632          */
1633
1634         if (p->hdr.auth_len) {
1635                 /* 
1636                  * Decode the authentication verifier.
1637                  */
1638
1639                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1640                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1641                         goto err_exit;
1642                 }
1643
1644                 auth_type = auth_info.auth_type;
1645
1646                 /* Work out if we have to sign or seal etc. */
1647                 switch (auth_info.auth_level) {
1648                         case RPC_AUTH_LEVEL_INTEGRITY:
1649                                 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1650                                 break;
1651                         case RPC_AUTH_LEVEL_PRIVACY:
1652                                 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1653                                 break;
1654                         default:
1655                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1656                                         (unsigned int)auth_info.auth_level ));
1657                                 goto err_exit;
1658                 }
1659         } else {
1660                 ZERO_STRUCT(auth_info);
1661         }
1662
1663         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1664
1665         switch(auth_type) {
1666                 case RPC_NTLMSSP_AUTH_TYPE:
1667                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1668                                 goto err_exit;
1669                         }
1670                         assoc_gid = 0x7a77;
1671                         break;
1672
1673                 case RPC_SCHANNEL_AUTH_TYPE:
1674                         if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1675                                 goto err_exit;
1676                         }
1677                         break;
1678
1679                 case RPC_SPNEGO_AUTH_TYPE:
1680                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1681                                 goto err_exit;
1682                         }
1683                         break;
1684
1685                 case RPC_ANONYMOUS_AUTH_TYPE:
1686                         /* Unauthenticated bind request. */
1687                         /* We're finished - no more packets. */
1688                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1689                         /* We must set the pipe auth_level here also. */
1690                         p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1691                         p->pipe_bound = True;
1692                         /* The session key was initialized from the SMB
1693                          * session in make_internal_rpc_pipe_p */
1694                         break;
1695
1696                 default:
1697                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1698                         goto err_exit;
1699         }
1700
1701         /*
1702          * Create the bind response struct.
1703          */
1704
1705         /* If the requested abstract synt uuid doesn't match our client pipe,
1706                 reject the bind_ack & set the transfer interface synt to all 0's,
1707                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1708                 unknown to NT4)
1709                 Needed when adding entries to a DACL from NT5 - SK */
1710
1711         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1712                                 hdr_rb.rpc_context[0].context_id )) {
1713                 init_rpc_hdr_ba(&hdr_ba,
1714                         RPC_MAX_PDU_FRAG_LEN,
1715                         RPC_MAX_PDU_FRAG_LEN,
1716                         assoc_gid,
1717                         ack_pipe_name,
1718                         0x1, 0x0, 0x0,
1719                         &hdr_rb.rpc_context[0].transfer[0]);
1720         } else {
1721                 RPC_IFACE null_interface;
1722                 ZERO_STRUCT(null_interface);
1723                 /* Rejection reason: abstract syntax not supported */
1724                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1725                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1726                                         ack_pipe_name, 0x1, 0x2, 0x1,
1727                                         &null_interface);
1728                 p->pipe_bound = False;
1729         }
1730
1731         /*
1732          * and marshall it.
1733          */
1734
1735         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1736                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1737                 goto err_exit;
1738         }
1739
1740         /*
1741          * Create the header, now we know the length.
1742          */
1743
1744         if (prs_offset(&out_auth)) {
1745                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1746         }
1747
1748         init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1749                         p->hdr.call_id,
1750                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1751                         auth_len);
1752
1753         /*
1754          * Marshall the header into the outgoing PDU.
1755          */
1756
1757         if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1758                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1759                 goto err_exit;
1760         }
1761
1762         /*
1763          * Now add the RPC_HDR_BA and any auth needed.
1764          */
1765
1766         if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1767                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1768                 goto err_exit;
1769         }
1770
1771         if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1772                 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1773                 goto err_exit;
1774         }
1775
1776         /*
1777          * Setup the lengths for the initial reply.
1778          */
1779
1780         p->out_data.data_sent_length = 0;
1781         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1782         p->out_data.current_pdu_sent = 0;
1783
1784         prs_mem_free(&out_hdr_ba);
1785         prs_mem_free(&out_auth);
1786
1787         return True;
1788
1789   err_exit:
1790
1791         prs_mem_free(&outgoing_rpc);
1792         prs_mem_free(&out_hdr_ba);
1793         prs_mem_free(&out_auth);
1794         return setup_bind_nak(p);
1795 }
1796
1797 /****************************************************************************
1798  Deal with an alter context call. Can be third part of 3 leg auth request for
1799  SPNEGO calls.
1800 ****************************************************************************/
1801
1802 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1803 {
1804         RPC_HDR_BA hdr_ba;
1805         RPC_HDR_RB hdr_rb;
1806         RPC_HDR_AUTH auth_info;
1807         uint16 assoc_gid;
1808         fstring ack_pipe_name;
1809         prs_struct out_hdr_ba;
1810         prs_struct out_auth;
1811         prs_struct outgoing_rpc;
1812         int auth_len = 0;
1813
1814         prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1815
1816         /* 
1817          * Marshall directly into the outgoing PDU space. We
1818          * must do this as we need to set to the bind response
1819          * header and are never sending more than one PDU here.
1820          */
1821
1822         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1823
1824         /*
1825          * Setup the memory to marshall the ba header, and the
1826          * auth footers.
1827          */
1828
1829         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1830                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1831                 prs_mem_free(&outgoing_rpc);
1832                 return False;
1833         }
1834
1835         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1836                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1837                 prs_mem_free(&outgoing_rpc);
1838                 prs_mem_free(&out_hdr_ba);
1839                 return False;
1840         }
1841
1842         ZERO_STRUCT(hdr_rb);
1843
1844         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1845
1846         /* decode the alter context request */
1847         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1848                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1849                 goto err_exit;
1850         }
1851
1852         /* secondary address CAN be NULL
1853          * as the specs say it's ignored.
1854          * It MUST be NULL to have the spoolss working.
1855          */
1856         fstrcpy(ack_pipe_name,"");
1857
1858         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1859
1860         /*
1861          * Check if this is an authenticated alter context request.
1862          */
1863
1864         if (p->hdr.auth_len != 0) {
1865                 /* 
1866                  * Decode the authentication verifier.
1867                  */
1868
1869                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1870                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1871                         goto err_exit;
1872                 }
1873
1874                 /*
1875                  * Currently only the SPNEGO auth type uses the alter ctx
1876                  * response in place of the NTLMSSP auth3 type.
1877                  */
1878
1879                 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1880                         /* We can only finish if the pipe is unbound. */
1881                         if (!p->pipe_bound) {
1882                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1883                                         goto err_exit;
1884                                 }
1885                         } else {
1886                                 goto err_exit;
1887                         }
1888                 }
1889         } else {
1890                 ZERO_STRUCT(auth_info);
1891         }
1892
1893         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1894
1895         /*
1896          * Create the bind response struct.
1897          */
1898
1899         /* If the requested abstract synt uuid doesn't match our client pipe,
1900                 reject the bind_ack & set the transfer interface synt to all 0's,
1901                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1902                 unknown to NT4)
1903                 Needed when adding entries to a DACL from NT5 - SK */
1904
1905         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1906                                 hdr_rb.rpc_context[0].context_id )) {
1907                 init_rpc_hdr_ba(&hdr_ba,
1908                         RPC_MAX_PDU_FRAG_LEN,
1909                         RPC_MAX_PDU_FRAG_LEN,
1910                         assoc_gid,
1911                         ack_pipe_name,
1912                         0x1, 0x0, 0x0,
1913                         &hdr_rb.rpc_context[0].transfer[0]);
1914         } else {
1915                 RPC_IFACE null_interface;
1916                 ZERO_STRUCT(null_interface);
1917                 /* Rejection reason: abstract syntax not supported */
1918                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1919                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1920                                         ack_pipe_name, 0x1, 0x2, 0x1,
1921                                         &null_interface);
1922                 p->pipe_bound = False;
1923         }
1924
1925         /*
1926          * and marshall it.
1927          */
1928
1929         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1930                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1931                 goto err_exit;
1932         }
1933
1934         /*
1935          * Create the header, now we know the length.
1936          */
1937
1938         if (prs_offset(&out_auth)) {
1939                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1940         }
1941
1942         init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1943                         p->hdr.call_id,
1944                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1945                         auth_len);
1946
1947         /*
1948          * Marshall the header into the outgoing PDU.
1949          */
1950
1951         if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1952                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1953                 goto err_exit;
1954         }
1955
1956         /*
1957          * Now add the RPC_HDR_BA and any auth needed.
1958          */
1959
1960         if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1961                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1962                 goto err_exit;
1963         }
1964
1965         if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1966                 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1967                 goto err_exit;
1968         }
1969
1970         /*
1971          * Setup the lengths for the initial reply.
1972          */
1973
1974         p->out_data.data_sent_length = 0;
1975         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1976         p->out_data.current_pdu_sent = 0;
1977
1978         prs_mem_free(&out_hdr_ba);
1979         prs_mem_free(&out_auth);
1980
1981         return True;
1982
1983   err_exit:
1984
1985         prs_mem_free(&outgoing_rpc);
1986         prs_mem_free(&out_hdr_ba);
1987         prs_mem_free(&out_auth);
1988         return setup_bind_nak(p);
1989 }
1990
1991 /****************************************************************************
1992  Deal with NTLMSSP sign & seal processing on an RPC request.
1993 ****************************************************************************/
1994
1995 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1996                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1997 {
1998         RPC_HDR_AUTH auth_info;
1999         uint32 auth_len = p->hdr.auth_len;
2000         uint32 save_offset = prs_offset(rpc_in);
2001         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2002         unsigned char *data = NULL;
2003         size_t data_len;
2004         unsigned char *full_packet_data = NULL;
2005         size_t full_packet_data_len;
2006         DATA_BLOB auth_blob;
2007
2008         *pstatus = NT_STATUS_OK;
2009
2010         if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
2011                 return True;
2012         }
2013
2014         if (!a) {
2015                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2016                 return False;
2017         }
2018
2019         /* Ensure there's enough data for an authenticated request. */
2020         if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2021                         (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2022                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2023                         (unsigned int)auth_len ));
2024                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2025                 return False;
2026         }
2027
2028         /*
2029          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2030          * after the RPC header. 
2031          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2032          * functions as NTLMv2 checks the rpc headers also.
2033          */
2034
2035         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2036         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2037
2038         full_packet_data = p->in_data.current_in_pdu;
2039         full_packet_data_len = p->hdr.frag_len - auth_len;
2040
2041         /* Pull the auth header and the following data into a blob. */
2042         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2043                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2044                         (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2045                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2046                 return False;
2047         }
2048
2049         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2050                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2051                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2052                 return False;
2053         }
2054
2055         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2056         auth_blob.length = auth_len;
2057
2058         switch (p->auth.auth_level) {
2059                 case PIPE_AUTH_LEVEL_PRIVACY:
2060                         /* Data is encrypted. */
2061                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2062                                                         data, data_len,
2063                                                         full_packet_data,
2064                                                         full_packet_data_len,
2065                                                         &auth_blob);
2066                         if (!NT_STATUS_IS_OK(*pstatus)) {
2067                                 return False;
2068                         }
2069                         break;
2070                 case PIPE_AUTH_LEVEL_INTEGRITY:
2071                         /* Data is signed. */
2072                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2073                                                         data, data_len,
2074                                                         full_packet_data,
2075                                                         full_packet_data_len,
2076                                                         &auth_blob);
2077                         if (!NT_STATUS_IS_OK(*pstatus)) {
2078                                 return False;
2079                         }
2080                         break;
2081                 default:
2082                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2083                         return False;
2084         }
2085
2086         /*
2087          * Return the current pointer to the data offset.
2088          */
2089
2090         if(!prs_set_offset(rpc_in, save_offset)) {
2091                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2092                         (unsigned int)save_offset ));
2093                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2094                 return False;
2095         }
2096
2097         /*
2098          * Remember the padding length. We must remove it from the real data
2099          * stream once the sign/seal is done.
2100          */
2101
2102         *p_ss_padding_len = auth_info.auth_pad_len;
2103
2104         return True;
2105 }
2106
2107 /****************************************************************************
2108  Deal with schannel processing on an RPC request.
2109 ****************************************************************************/
2110
2111 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2112 {
2113         uint32 data_len;
2114         uint32 auth_len;
2115         uint32 save_offset = prs_offset(rpc_in);
2116         RPC_HDR_AUTH auth_info;
2117         RPC_AUTH_SCHANNEL_CHK schannel_chk;
2118
2119         auth_len = p->hdr.auth_len;
2120
2121         if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2122                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2123                 return False;
2124         }
2125
2126         /*
2127          * The following is that length of the data we must verify or unseal.
2128          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2129          * preceeding the auth_data.
2130          */
2131
2132         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2133                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2134                         (unsigned int)p->hdr.frag_len,
2135                         (unsigned int)auth_len ));
2136                 return False;
2137         }
2138
2139         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2140                 RPC_HDR_AUTH_LEN - auth_len;
2141
2142         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2143
2144         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2145                 DEBUG(0,("cannot move offset to %u.\n",
2146                          (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2147                 return False;
2148         }
2149
2150         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2151                 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2152                 return False;
2153         }
2154
2155         if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2156                 DEBUG(0,("Invalid auth info %d on schannel\n",
2157                          auth_info.auth_type));
2158                 return False;
2159         }
2160
2161         if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2162                 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2163                 return False;
2164         }
2165
2166         if (!schannel_decode(p->auth.a_u.schannel_auth,
2167                            p->auth.auth_level,
2168                            SENDER_IS_INITIATOR,
2169                            &schannel_chk,
2170                            prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2171                 DEBUG(3,("failed to decode PDU\n"));
2172                 return False;
2173         }
2174
2175         /*
2176          * Return the current pointer to the data offset.
2177          */
2178
2179         if(!prs_set_offset(rpc_in, save_offset)) {
2180                 DEBUG(0,("failed to set offset back to %u\n",
2181                          (unsigned int)save_offset ));
2182                 return False;
2183         }
2184
2185         /* The sequence number gets incremented on both send and receive. */
2186         p->auth.a_u.schannel_auth->seq_num++;
2187
2188         /*
2189          * Remember the padding length. We must remove it from the real data
2190          * stream once the sign/seal is done.
2191          */
2192
2193         *p_ss_padding_len = auth_info.auth_pad_len;
2194
2195         return True;
2196 }
2197
2198 /****************************************************************************
2199  Find the set of RPC functions associated with this context_id
2200 ****************************************************************************/
2201
2202 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2203 {
2204         PIPE_RPC_FNS *fns = NULL;
2205
2206         if ( !list ) {
2207                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2208                 return NULL;
2209         }
2210
2211         for (fns=list; fns; fns=fns->next ) {
2212                 if ( fns->context_id == context_id )
2213                         return fns;
2214         }
2215         return NULL;
2216 }
2217
2218 /****************************************************************************
2219  Memory cleanup.
2220 ****************************************************************************/
2221
2222 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2223 {
2224         PIPE_RPC_FNS *tmp = list;
2225         PIPE_RPC_FNS *tmp2;
2226
2227         while (tmp) {
2228                 tmp2 = tmp->next;
2229                 SAFE_FREE(tmp);
2230                 tmp = tmp2;
2231         }
2232
2233         return; 
2234 }
2235
2236 static bool api_rpcTNP(pipes_struct *p, const char *rpc_name, 
2237                        const struct api_struct *api_rpc_cmds, int n_cmds);
2238
2239 /****************************************************************************
2240  Find the correct RPC function to call for this request.
2241  If the pipe is authenticated then become the correct UNIX user
2242  before doing the call.
2243 ****************************************************************************/
2244
2245 bool api_pipe_request(pipes_struct *p)
2246 {
2247         bool ret = False;
2248         bool changed_user = False;
2249         PIPE_RPC_FNS *pipe_fns;
2250
2251         if (p->pipe_bound &&
2252                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2253                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2254                 if(!become_authenticated_pipe_user(p)) {
2255                         prs_mem_free(&p->out_data.rdata);
2256                         return False;
2257                 }
2258                 changed_user = True;
2259         }
2260
2261         DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2262
2263         /* get the set of RPC functions for this context */
2264
2265         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2266
2267         if ( pipe_fns ) {
2268                 TALLOC_CTX *frame = talloc_stackframe();
2269                 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2270                 TALLOC_FREE(frame);
2271         }
2272         else {
2273                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2274                         p->hdr_req.context_id, p->name));
2275         }
2276
2277         if (changed_user) {
2278                 unbecome_authenticated_pipe_user();
2279         }
2280
2281         return ret;
2282 }
2283
2284 /*******************************************************************
2285  Calls the underlying RPC function for a named pipe.
2286  ********************************************************************/
2287
2288 static bool api_rpcTNP(pipes_struct *p, const char *rpc_name, 
2289                        const struct api_struct *api_rpc_cmds, int n_cmds)
2290 {
2291         int fn_num;
2292         fstring name;
2293         uint32 offset1, offset2;
2294
2295         /* interpret the command */
2296         DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2297
2298         slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2299         prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2300
2301         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2302                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2303                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2304                         break;
2305                 }
2306         }
2307
2308         if (fn_num == n_cmds) {
2309                 /*
2310                  * For an unknown RPC just return a fault PDU but
2311                  * return True to allow RPC's on the pipe to continue
2312                  * and not put the pipe into fault state. JRA.
2313                  */
2314                 DEBUG(4, ("unknown\n"));
2315                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2316                 return True;
2317         }
2318
2319         offset1 = prs_offset(&p->out_data.rdata);
2320
2321         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2322                 fn_num, api_rpc_cmds[fn_num].fn));
2323         /* do the actual command */
2324         if(!api_rpc_cmds[fn_num].fn(p)) {
2325                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2326                 prs_mem_free(&p->out_data.rdata);
2327                 return False;
2328         }
2329
2330         if (p->bad_handle_fault_state) {
2331                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2332                 p->bad_handle_fault_state = False;
2333                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2334                 return True;
2335         }
2336
2337         if (p->rng_fault_state) {
2338                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2339                 p->rng_fault_state = False;
2340                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2341                 return True;
2342         }
2343
2344         slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2345         offset2 = prs_offset(&p->out_data.rdata);
2346         prs_set_offset(&p->out_data.rdata, offset1);
2347         prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2348         prs_set_offset(&p->out_data.rdata, offset2);
2349
2350         DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2351
2352         /* Check for buffer underflow in rpc parsing */
2353
2354         if ((DEBUGLEVEL >= 10) && 
2355             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2356                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2357                 char *data = (char *)SMB_MALLOC(data_len);
2358
2359                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2360                 if (data) {
2361                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2362                         SAFE_FREE(data);
2363                 }
2364
2365         }
2366
2367         return True;
2368 }