4f78d69bcc702fcd82f2aeaa1333d1cd2799a1b0
[kai/samba.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005.
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31
32 extern struct current_user current_user;
33
34 #undef DBGC_CLASS
35 #define DBGC_CLASS DBGC_RPC_SRV
36
37 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
38 {
39         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
40
41         if (a) {
42                 auth_ntlmssp_end(&a);
43         }
44         auth->a_u.auth_ntlmssp_state = NULL;
45 }
46
47 static DATA_BLOB generic_session_key(void)
48 {
49         return data_blob("SystemLibraryDTC", 16);
50 }
51
52 /*******************************************************************
53  Generate the next PDU to be returned from the data in p->rdata. 
54  Handle NTLMSSP.
55  ********************************************************************/
56
57 static bool create_next_pdu_ntlmssp(pipes_struct *p)
58 {
59         RPC_HDR_RESP hdr_resp;
60         uint32 ss_padding_len = 0;
61         uint32 data_space_available;
62         uint32 data_len_left;
63         uint32 data_len;
64         prs_struct outgoing_pdu;
65         NTSTATUS status;
66         DATA_BLOB auth_blob;
67         RPC_HDR_AUTH auth_info;
68         uint8 auth_type, auth_level;
69         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
70
71         /*
72          * If we're in the fault state, keep returning fault PDU's until
73          * the pipe gets closed. JRA.
74          */
75
76         if(p->fault_state) {
77                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
78                 return True;
79         }
80
81         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
82
83         /* Change the incoming request header to a response. */
84         p->hdr.pkt_type = RPC_RESPONSE;
85
86         /* Set up rpc header flags. */
87         if (p->out_data.data_sent_length == 0) {
88                 p->hdr.flags = RPC_FLG_FIRST;
89         } else {
90                 p->hdr.flags = 0;
91         }
92
93         /*
94          * Work out how much we can fit in a single PDU.
95          */
96
97         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
98
99         /*
100          * Ensure there really is data left to send.
101          */
102
103         if(!data_len_left) {
104                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
105                 return False;
106         }
107
108         data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
109                                         RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
110
111         /*
112          * The amount we send is the minimum of the available
113          * space and the amount left to send.
114          */
115
116         data_len = MIN(data_len_left, data_space_available);
117
118         /*
119          * Set up the alloc hint. This should be the data left to
120          * send.
121          */
122
123         hdr_resp.alloc_hint = data_len_left;
124
125         /*
126          * Work out if this PDU will be the last.
127          */
128
129         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
130                 p->hdr.flags |= RPC_FLG_LAST;
131                 if (data_len_left % 8) {
132                         ss_padding_len = 8 - (data_len_left % 8);
133                         DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
134                                 ss_padding_len ));
135                 }
136         }
137
138         /*
139          * Set up the header lengths.
140          */
141
142         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
143                         data_len + ss_padding_len +
144                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
145         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
146
147
148         /*
149          * Init the parse struct to point at the outgoing
150          * data.
151          */
152
153         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
154         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
155
156         /* Store the header in the data stream. */
157         if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
158                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
159                 prs_mem_free(&outgoing_pdu);
160                 return False;
161         }
162
163         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
164                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
165                 prs_mem_free(&outgoing_pdu);
166                 return False;
167         }
168
169         /* Copy the data into the PDU. */
170
171         if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
172                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
173                 prs_mem_free(&outgoing_pdu);
174                 return False;
175         }
176
177         /* Copy the sign/seal padding data. */
178         if (ss_padding_len) {
179                 char pad[8];
180
181                 memset(pad, '\0', 8);
182                 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
183                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
184                                         (unsigned int)ss_padding_len));
185                         prs_mem_free(&outgoing_pdu);
186                         return False;
187                 }
188         }
189
190
191         /* Now write out the auth header and null blob. */
192         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
193                 auth_type = RPC_NTLMSSP_AUTH_TYPE;
194         } else {
195                 auth_type = RPC_SPNEGO_AUTH_TYPE;
196         }
197         if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
198                 auth_level = RPC_AUTH_LEVEL_PRIVACY;
199         } else {
200                 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
201         }
202
203         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
204         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
205                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
206                 prs_mem_free(&outgoing_pdu);
207                 return False;
208         }
209
210         /* Generate the sign blob. */
211
212         switch (p->auth.auth_level) {
213                 case PIPE_AUTH_LEVEL_PRIVACY:
214                         /* Data portion is encrypted. */
215                         status = ntlmssp_seal_packet(a->ntlmssp_state,
216                                                         (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
217                                                         data_len + ss_padding_len,
218                                                         (unsigned char *)prs_data_p(&outgoing_pdu),
219                                                         (size_t)prs_offset(&outgoing_pdu),
220                                                         &auth_blob);
221                         if (!NT_STATUS_IS_OK(status)) {
222                                 data_blob_free(&auth_blob);
223                                 prs_mem_free(&outgoing_pdu);
224                                 return False;
225                         }
226                         break;
227                 case PIPE_AUTH_LEVEL_INTEGRITY:
228                         /* Data is signed. */
229                         status = ntlmssp_sign_packet(a->ntlmssp_state,
230                                                         (unsigned char *)prs_data_p(&outgoing_pdu) + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
231                                                         data_len + ss_padding_len,
232                                                         (unsigned char *)prs_data_p(&outgoing_pdu),
233                                                         (size_t)prs_offset(&outgoing_pdu),
234                                                         &auth_blob);
235                         if (!NT_STATUS_IS_OK(status)) {
236                                 data_blob_free(&auth_blob);
237                                 prs_mem_free(&outgoing_pdu);
238                                 return False;
239                         }
240                         break;
241                 default:
242                         prs_mem_free(&outgoing_pdu);
243                         return False;
244         }
245
246         /* Append the auth blob. */
247         if (!prs_copy_data_in(&outgoing_pdu, (char *)auth_blob.data, NTLMSSP_SIG_SIZE)) {
248                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
249                                 (unsigned int)NTLMSSP_SIG_SIZE));
250                 data_blob_free(&auth_blob);
251                 prs_mem_free(&outgoing_pdu);
252                 return False;
253         }
254
255         data_blob_free(&auth_blob);
256
257         /*
258          * Setup the counts for this PDU.
259          */
260
261         p->out_data.data_sent_length += data_len;
262         p->out_data.current_pdu_len = p->hdr.frag_len;
263         p->out_data.current_pdu_sent = 0;
264
265         prs_mem_free(&outgoing_pdu);
266         return True;
267 }
268
269 /*******************************************************************
270  Generate the next PDU to be returned from the data in p->rdata. 
271  Return an schannel authenticated fragment.
272  ********************************************************************/
273
274 static bool create_next_pdu_schannel(pipes_struct *p)
275 {
276         RPC_HDR_RESP hdr_resp;
277         uint32 ss_padding_len = 0;
278         uint32 data_len;
279         uint32 data_space_available;
280         uint32 data_len_left;
281         prs_struct outgoing_pdu;
282         uint32 data_pos;
283
284         /*
285          * If we're in the fault state, keep returning fault PDU's until
286          * the pipe gets closed. JRA.
287          */
288
289         if(p->fault_state) {
290                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
291                 return True;
292         }
293
294         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
295
296         /* Change the incoming request header to a response. */
297         p->hdr.pkt_type = RPC_RESPONSE;
298
299         /* Set up rpc header flags. */
300         if (p->out_data.data_sent_length == 0) {
301                 p->hdr.flags = RPC_FLG_FIRST;
302         } else {
303                 p->hdr.flags = 0;
304         }
305
306         /*
307          * Work out how much we can fit in a single PDU.
308          */
309
310         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
311
312         /*
313          * Ensure there really is data left to send.
314          */
315
316         if(!data_len_left) {
317                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
318                 return False;
319         }
320
321         data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN -
322                                         RPC_HDR_AUTH_LEN - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
323
324         /*
325          * The amount we send is the minimum of the available
326          * space and the amount left to send.
327          */
328
329         data_len = MIN(data_len_left, data_space_available);
330
331         /*
332          * Set up the alloc hint. This should be the data left to
333          * send.
334          */
335
336         hdr_resp.alloc_hint = data_len_left;
337
338         /*
339          * Work out if this PDU will be the last.
340          */
341
342         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
343                 p->hdr.flags |= RPC_FLG_LAST;
344                 if (data_len_left % 8) {
345                         ss_padding_len = 8 - (data_len_left % 8);
346                         DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
347                                 ss_padding_len ));
348                 }
349         }
350
351         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
352                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
353         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
354
355         /*
356          * Init the parse struct to point at the outgoing
357          * data.
358          */
359
360         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
361         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
362
363         /* Store the header in the data stream. */
364         if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
365                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
366                 prs_mem_free(&outgoing_pdu);
367                 return False;
368         }
369
370         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
371                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
372                 prs_mem_free(&outgoing_pdu);
373                 return False;
374         }
375
376         /* Store the current offset. */
377         data_pos = prs_offset(&outgoing_pdu);
378
379         /* Copy the data into the PDU. */
380
381         if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
382                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
383                 prs_mem_free(&outgoing_pdu);
384                 return False;
385         }
386
387         /* Copy the sign/seal padding data. */
388         if (ss_padding_len) {
389                 char pad[8];
390                 memset(pad, '\0', 8);
391                 if (!prs_copy_data_in(&outgoing_pdu, pad, ss_padding_len)) {
392                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
393                         prs_mem_free(&outgoing_pdu);
394                         return False;
395                 }
396         }
397
398         {
399                 /*
400                  * Schannel processing.
401                  */
402                 char *data;
403                 RPC_HDR_AUTH auth_info;
404                 RPC_AUTH_SCHANNEL_CHK verf;
405
406                 data = prs_data_p(&outgoing_pdu) + data_pos;
407                 /* Check it's the type of reply we were expecting to decode */
408
409                 init_rpc_hdr_auth(&auth_info,
410                                 RPC_SCHANNEL_AUTH_TYPE,
411                                 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
412                                         RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
413                                 ss_padding_len, 1);
414
415                 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
416                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
417                         prs_mem_free(&outgoing_pdu);
418                         return False;
419                 }
420
421                 schannel_encode(p->auth.a_u.schannel_auth, 
422                               p->auth.auth_level,
423                               SENDER_IS_ACCEPTOR,
424                               &verf, data, data_len + ss_padding_len);
425
426                 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, 
427                                 &verf, &outgoing_pdu, 0)) {
428                         prs_mem_free(&outgoing_pdu);
429                         return False;
430                 }
431
432                 p->auth.a_u.schannel_auth->seq_num++;
433         }
434
435         /*
436          * Setup the counts for this PDU.
437          */
438
439         p->out_data.data_sent_length += data_len;
440         p->out_data.current_pdu_len = p->hdr.frag_len;
441         p->out_data.current_pdu_sent = 0;
442
443         prs_mem_free(&outgoing_pdu);
444         return True;
445 }
446
447 /*******************************************************************
448  Generate the next PDU to be returned from the data in p->rdata. 
449  No authentication done.
450 ********************************************************************/
451
452 static bool create_next_pdu_noauth(pipes_struct *p)
453 {
454         RPC_HDR_RESP hdr_resp;
455         uint32 data_len;
456         uint32 data_space_available;
457         uint32 data_len_left;
458         prs_struct outgoing_pdu;
459
460         /*
461          * If we're in the fault state, keep returning fault PDU's until
462          * the pipe gets closed. JRA.
463          */
464
465         if(p->fault_state) {
466                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
467                 return True;
468         }
469
470         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
471
472         /* Change the incoming request header to a response. */
473         p->hdr.pkt_type = RPC_RESPONSE;
474
475         /* Set up rpc header flags. */
476         if (p->out_data.data_sent_length == 0) {
477                 p->hdr.flags = RPC_FLG_FIRST;
478         } else {
479                 p->hdr.flags = 0;
480         }
481
482         /*
483          * Work out how much we can fit in a single PDU.
484          */
485
486         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
487
488         /*
489          * Ensure there really is data left to send.
490          */
491
492         if(!data_len_left) {
493                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
494                 return False;
495         }
496
497         data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
498
499         /*
500          * The amount we send is the minimum of the available
501          * space and the amount left to send.
502          */
503
504         data_len = MIN(data_len_left, data_space_available);
505
506         /*
507          * Set up the alloc hint. This should be the data left to
508          * send.
509          */
510
511         hdr_resp.alloc_hint = data_len_left;
512
513         /*
514          * Work out if this PDU will be the last.
515          */
516
517         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
518                 p->hdr.flags |= RPC_FLG_LAST;
519         }
520
521         /*
522          * Set up the header lengths.
523          */
524
525         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
526         p->hdr.auth_len = 0;
527
528         /*
529          * Init the parse struct to point at the outgoing
530          * data.
531          */
532
533         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
534         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
535
536         /* Store the header in the data stream. */
537         if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
538                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
539                 prs_mem_free(&outgoing_pdu);
540                 return False;
541         }
542
543         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
544                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
545                 prs_mem_free(&outgoing_pdu);
546                 return False;
547         }
548
549         /* Copy the data into the PDU. */
550
551         if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
552                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
553                 prs_mem_free(&outgoing_pdu);
554                 return False;
555         }
556
557         /*
558          * Setup the counts for this PDU.
559          */
560
561         p->out_data.data_sent_length += data_len;
562         p->out_data.current_pdu_len = p->hdr.frag_len;
563         p->out_data.current_pdu_sent = 0;
564
565         prs_mem_free(&outgoing_pdu);
566         return True;
567 }
568
569 /*******************************************************************
570  Generate the next PDU to be returned from the data in p->rdata. 
571 ********************************************************************/
572
573 bool create_next_pdu(pipes_struct *p)
574 {
575         switch(p->auth.auth_level) {
576                 case PIPE_AUTH_LEVEL_NONE:
577                 case PIPE_AUTH_LEVEL_CONNECT:
578                         /* This is incorrect for auth level connect. Fixme. JRA */
579                         return create_next_pdu_noauth(p);
580
581                 default:
582                         switch(p->auth.auth_type) {
583                                 case PIPE_AUTH_TYPE_NTLMSSP:
584                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
585                                         return create_next_pdu_ntlmssp(p);
586                                 case PIPE_AUTH_TYPE_SCHANNEL:
587                                         return create_next_pdu_schannel(p);
588                                 default:
589                                         break;
590                         }
591         }
592
593         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
594                         (unsigned int)p->auth.auth_level,
595                         (unsigned int)p->auth.auth_type));
596         return False;
597 }
598
599 /*******************************************************************
600  Process an NTLMSSP authentication response.
601  If this function succeeds, the user has been authenticated
602  and their domain, name and calling workstation stored in
603  the pipe struct.
604 *******************************************************************/
605
606 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
607 {
608         DATA_BLOB session_key, reply;
609         NTSTATUS status;
610         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
611         bool ret;
612
613         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
614
615         ZERO_STRUCT(reply);
616
617         /* this has to be done as root in order to verify the password */
618         become_root();
619         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
620         unbecome_root();
621
622         /* Don't generate a reply. */
623         data_blob_free(&reply);
624
625         if (!NT_STATUS_IS_OK(status)) {
626                 return False;
627         }
628
629         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
630            ensure the underlying NTLMSSP flags are also set. If not we should
631            refuse the bind. */
632
633         if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
634                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
635                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
636                                 "but client declined signing.\n",
637                                         p->name ));
638                         return False;
639                 }
640         }
641         if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
642                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
643                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
644                                 "but client declined sealing.\n",
645                                         p->name ));
646                         return False;
647                 }
648         }
649
650         DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
651                   "workstation: %s\n", a->ntlmssp_state->user,
652                   a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
653
654         if (a->server_info->ptok == NULL) {
655                 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
656                 return False;
657         }
658
659         TALLOC_FREE(p->server_info);
660
661         p->server_info = copy_serverinfo(p, a->server_info);
662         if (p->server_info == NULL) {
663                 DEBUG(0, ("copy_serverinfo failed\n"));
664                 return false;
665         }
666
667         /*
668          * We're an authenticated bind over smb, so the session key needs to
669          * be set to "SystemLibraryDTC". Weird, but this is what Windows
670          * does. See the RPC-SAMBA3SESSIONKEY.
671          */
672
673         session_key = generic_session_key();
674         if (session_key.data == NULL) {
675                 return False;
676         }
677
678         ret = server_info_set_session_key(p->server_info, session_key);
679
680         data_blob_free(&session_key);
681
682         return True;
683 }
684
685 /*******************************************************************
686  The switch table for the pipe names and the functions to handle them.
687 *******************************************************************/
688
689 struct rpc_table {
690         struct {
691                 const char *clnt;
692                 const char *srv;
693         } pipe;
694         struct ndr_syntax_id rpc_interface;
695         const struct api_struct *cmds;
696         int n_cmds;
697 };
698
699 static struct rpc_table *rpc_lookup;
700 static int rpc_lookup_size;
701
702 /*******************************************************************
703  This is the "stage3" NTLMSSP response after a bind request and reply.
704 *******************************************************************/
705
706 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
707 {
708         RPC_HDR_AUTH auth_info;
709         uint32 pad;
710         DATA_BLOB blob;
711
712         ZERO_STRUCT(blob);
713
714         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
715
716         if (p->hdr.auth_len == 0) {
717                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
718                 goto err;
719         }
720
721         /* 4 bytes padding. */
722         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
723                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
724                 goto err;
725         }
726
727         /*
728          * Decode the authentication verifier response.
729          */
730
731         if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
732                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
733                 goto err;
734         }
735
736         if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
737                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
738                         (unsigned int)auth_info.auth_type ));
739                 return False;
740         }
741
742         blob = data_blob(NULL,p->hdr.auth_len);
743
744         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
745                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
746                         (unsigned int)p->hdr.auth_len ));
747                 goto err;
748         }
749
750         /*
751          * The following call actually checks the challenge/response data.
752          * for correctness against the given DOMAIN\user name.
753          */
754
755         if (!pipe_ntlmssp_verify_final(p, &blob)) {
756                 goto err;
757         }
758
759         data_blob_free(&blob);
760
761         p->pipe_bound = True;
762
763         return True;
764
765  err:
766
767         data_blob_free(&blob);
768         free_pipe_ntlmssp_auth_data(&p->auth);
769         p->auth.a_u.auth_ntlmssp_state = NULL;
770
771         return False;
772 }
773
774 /*******************************************************************
775  Marshall a bind_nak pdu.
776 *******************************************************************/
777
778 static bool setup_bind_nak(pipes_struct *p)
779 {
780         prs_struct outgoing_rpc;
781         RPC_HDR nak_hdr;
782         uint16 zero = 0;
783
784         /* Free any memory in the current return data buffer. */
785         prs_mem_free(&p->out_data.rdata);
786
787         /*
788          * Marshall directly into the outgoing PDU space. We
789          * must do this as we need to set to the bind response
790          * header and are never sending more than one PDU here.
791          */
792
793         prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
794         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
795
796         /*
797          * Initialize a bind_nak header.
798          */
799
800         init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
801                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
802
803         /*
804          * Marshall the header into the outgoing PDU.
805          */
806
807         if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
808                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
809                 prs_mem_free(&outgoing_rpc);
810                 return False;
811         }
812
813         /*
814          * Now add the reject reason.
815          */
816
817         if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
818                 prs_mem_free(&outgoing_rpc);
819                 return False;
820         }
821
822         p->out_data.data_sent_length = 0;
823         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
824         p->out_data.current_pdu_sent = 0;
825
826         if (p->auth.auth_data_free_func) {
827                 (*p->auth.auth_data_free_func)(&p->auth);
828         }
829         p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
830         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
831         p->pipe_bound = False;
832
833         return True;
834 }
835
836 /*******************************************************************
837  Marshall a fault pdu.
838 *******************************************************************/
839
840 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
841 {
842         prs_struct outgoing_pdu;
843         RPC_HDR fault_hdr;
844         RPC_HDR_RESP hdr_resp;
845         RPC_HDR_FAULT fault_resp;
846
847         /* Free any memory in the current return data buffer. */
848         prs_mem_free(&p->out_data.rdata);
849
850         /*
851          * Marshall directly into the outgoing PDU space. We
852          * must do this as we need to set to the bind response
853          * header and are never sending more than one PDU here.
854          */
855
856         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
857         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
858
859         /*
860          * Initialize a fault header.
861          */
862
863         init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
864             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
865
866         /*
867          * Initialize the HDR_RESP and FAULT parts of the PDU.
868          */
869
870         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
871
872         fault_resp.status = status;
873         fault_resp.reserved = 0;
874
875         /*
876          * Marshall the header into the outgoing PDU.
877          */
878
879         if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
880                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
881                 prs_mem_free(&outgoing_pdu);
882                 return False;
883         }
884
885         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
886                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
887                 prs_mem_free(&outgoing_pdu);
888                 return False;
889         }
890
891         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
892                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
893                 prs_mem_free(&outgoing_pdu);
894                 return False;
895         }
896
897         p->out_data.data_sent_length = 0;
898         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
899         p->out_data.current_pdu_sent = 0;
900
901         prs_mem_free(&outgoing_pdu);
902         return True;
903 }
904
905 #if 0
906 /*******************************************************************
907  Marshall a cancel_ack pdu.
908  We should probably check the auth-verifier here.
909 *******************************************************************/
910
911 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
912 {
913         prs_struct outgoing_pdu;
914         RPC_HDR ack_reply_hdr;
915
916         /* Free any memory in the current return data buffer. */
917         prs_mem_free(&p->out_data.rdata);
918
919         /*
920          * Marshall directly into the outgoing PDU space. We
921          * must do this as we need to set to the bind response
922          * header and are never sending more than one PDU here.
923          */
924
925         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
926         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
927
928         /*
929          * Initialize a cancel_ack header.
930          */
931
932         init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
933                         p->hdr.call_id, RPC_HEADER_LEN, 0);
934
935         /*
936          * Marshall the header into the outgoing PDU.
937          */
938
939         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
940                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
941                 prs_mem_free(&outgoing_pdu);
942                 return False;
943         }
944
945         p->out_data.data_sent_length = 0;
946         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
947         p->out_data.current_pdu_sent = 0;
948
949         prs_mem_free(&outgoing_pdu);
950         return True;
951 }
952 #endif
953
954 /*******************************************************************
955  Ensure a bind request has the correct abstract & transfer interface.
956  Used to reject unknown binds from Win2k.
957 *******************************************************************/
958
959 bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
960                     RPC_IFACE* transfer, uint32 context_id)
961 {
962         int i=0;
963         struct pipe_rpc_fns *context_fns;
964
965         DEBUG(3,("check_bind_req for %s\n", p->name));
966
967         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
968
969         for (i=0; i<rpc_lookup_size; i++) {
970                 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
971                 if (strequal(rpc_lookup[i].pipe.clnt, p->name)
972                     && ndr_syntax_id_equal(
973                             abstract, &rpc_lookup[i].rpc_interface)
974                     && ndr_syntax_id_equal(
975                             transfer, &ndr_transfer_syntax)) {
976                         break;
977                 }
978         }
979
980         if (i == rpc_lookup_size) {
981                 return false;
982         }
983
984         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
985         if (context_fns == NULL) {
986                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
987                 return False;
988         }
989
990         context_fns->cmds = rpc_lookup[i].cmds;
991         context_fns->n_cmds = rpc_lookup[i].n_cmds;
992         context_fns->context_id = context_id;
993
994         /* add to the list of open contexts */
995
996         DLIST_ADD( p->contexts, context_fns );
997
998         return True;
999 }
1000
1001 /*******************************************************************
1002  Register commands to an RPC pipe
1003 *******************************************************************/
1004
1005 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1006                           const struct ndr_interface_table *iface,
1007                           const struct api_struct *cmds, int size)
1008 {
1009         struct rpc_table *rpc_entry;
1010
1011         if (!clnt || !srv || !cmds) {
1012                 return NT_STATUS_INVALID_PARAMETER;
1013         }
1014
1015         if (version != SMB_RPC_INTERFACE_VERSION) {
1016                 DEBUG(0,("Can't register rpc commands!\n"
1017                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1018                          ", while this version of samba uses version %d!\n", 
1019                          version,SMB_RPC_INTERFACE_VERSION));
1020                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1021         }
1022
1023         /* TODO: 
1024          *
1025          * we still need to make sure that don't register the same commands twice!!!
1026          * 
1027          * --metze
1028          */
1029
1030         /* We use a temporary variable because this call can fail and 
1031            rpc_lookup will still be valid afterwards.  It could then succeed if
1032            called again later */
1033         rpc_lookup_size++;
1034         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1035         if (NULL == rpc_entry) {
1036                 rpc_lookup_size--;
1037                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1038                 return NT_STATUS_NO_MEMORY;
1039         } else {
1040                 rpc_lookup = rpc_entry;
1041         }
1042
1043         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1044         ZERO_STRUCTP(rpc_entry);
1045         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1046         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1047         rpc_entry->rpc_interface = iface->syntax_id;
1048         rpc_entry->cmds = cmds;
1049         rpc_entry->n_cmds = size;
1050
1051         return NT_STATUS_OK;
1052 }
1053
1054 /**
1055  * Is a named pipe known?
1056  * @param[in] cli_filename      The pipe name requested by the client
1057  * @result                      Do we want to serve this?
1058  */
1059 bool is_known_pipename(const char *cli_filename)
1060 {
1061         const char *pipename = cli_filename;
1062         int i;
1063
1064         if (strnequal(pipename, "\\PIPE\\", 6)) {
1065                 pipename += 5;
1066         }
1067
1068         if (*pipename == '\\') {
1069                 pipename += 1;
1070         }
1071
1072         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1073                 DEBUG(10, ("refusing spoolss access\n"));
1074                 return false;
1075         }
1076
1077         for (i=0; i<rpc_lookup_size; i++) {
1078                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1079                         return true;
1080                 }
1081         }
1082
1083         DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1084         return false;
1085 }
1086
1087 /*******************************************************************
1088  Handle a SPNEGO krb5 bind auth.
1089 *******************************************************************/
1090
1091 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1092                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1093 {
1094         return False;
1095 }
1096
1097 /*******************************************************************
1098  Handle the first part of a SPNEGO bind auth.
1099 *******************************************************************/
1100
1101 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1102                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1103 {
1104         DATA_BLOB blob;
1105         DATA_BLOB secblob;
1106         DATA_BLOB response;
1107         DATA_BLOB chal;
1108         char *OIDs[ASN1_MAX_OIDS];
1109         int i;
1110         NTSTATUS status;
1111         bool got_kerberos_mechanism = false;
1112         AUTH_NTLMSSP_STATE *a = NULL;
1113         RPC_HDR_AUTH auth_info;
1114
1115         ZERO_STRUCT(secblob);
1116         ZERO_STRUCT(chal);
1117         ZERO_STRUCT(response);
1118
1119         /* Grab the SPNEGO blob. */
1120         blob = data_blob(NULL,p->hdr.auth_len);
1121
1122         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1123                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1124                         (unsigned int)p->hdr.auth_len ));
1125                 goto err;
1126         }
1127
1128         if (blob.data[0] != ASN1_APPLICATION(0)) {
1129                 goto err;
1130         }
1131
1132         /* parse out the OIDs and the first sec blob */
1133         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1134                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1135                 goto err;
1136         }
1137
1138         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1139                 got_kerberos_mechanism = true;
1140         }
1141
1142         for (i=0;OIDs[i];i++) {
1143                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1144                 TALLOC_FREE(OIDs[i]);
1145         }
1146         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1147
1148         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || lp_use_kerberos_keytab()) ) {
1149                 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1150                 data_blob_free(&secblob);
1151                 data_blob_free(&blob);
1152                 return ret;
1153         }
1154
1155         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1156                 /* Free any previous auth type. */
1157                 free_pipe_ntlmssp_auth_data(&p->auth);
1158         }
1159
1160         if (!got_kerberos_mechanism) {
1161                 /* Initialize the NTLM engine. */
1162                 status = auth_ntlmssp_start(&a);
1163                 if (!NT_STATUS_IS_OK(status)) {
1164                         goto err;
1165                 }
1166
1167                 /*
1168                  * Pass the first security blob of data to it.
1169                  * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1170                  * which means we need another packet to complete the bind.
1171                  */
1172
1173                 status = auth_ntlmssp_update(a, secblob, &chal);
1174
1175                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1176                         DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1177                         goto err;
1178                 }
1179
1180                 /* Generate the response blob we need for step 2 of the bind. */
1181                 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1182         } else {
1183                 /*
1184                  * SPNEGO negotiate down to NTLMSSP. The subsequent
1185                  * code to process follow-up packets is not complete
1186                  * yet. JRA.
1187                  */
1188                 response = spnego_gen_auth_response(NULL,
1189                                         NT_STATUS_MORE_PROCESSING_REQUIRED,
1190                                         OID_NTLMSSP);
1191         }
1192
1193         /* Copy the blob into the pout_auth parse struct */
1194         init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1195         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1196                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1197                 goto err;
1198         }
1199
1200         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1201                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1202                 goto err;
1203         }
1204
1205         p->auth.a_u.auth_ntlmssp_state = a;
1206         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1207         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1208
1209         data_blob_free(&blob);
1210         data_blob_free(&secblob);
1211         data_blob_free(&chal);
1212         data_blob_free(&response);
1213
1214         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1215         return True;
1216
1217  err:
1218
1219         data_blob_free(&blob);
1220         data_blob_free(&secblob);
1221         data_blob_free(&chal);
1222         data_blob_free(&response);
1223
1224         p->auth.a_u.auth_ntlmssp_state = NULL;
1225
1226         return False;
1227 }
1228
1229 /*******************************************************************
1230  Handle the second part of a SPNEGO bind auth.
1231 *******************************************************************/
1232
1233 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1234                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1235 {
1236         RPC_HDR_AUTH auth_info;
1237         DATA_BLOB spnego_blob;
1238         DATA_BLOB auth_blob;
1239         DATA_BLOB auth_reply;
1240         DATA_BLOB response;
1241         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1242
1243         ZERO_STRUCT(spnego_blob);
1244         ZERO_STRUCT(auth_blob);
1245         ZERO_STRUCT(auth_reply);
1246         ZERO_STRUCT(response);
1247
1248         /*
1249          * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1250          * fail here as 'a' == NULL.
1251          */
1252         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1253                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1254                 goto err;
1255         }
1256
1257         /* Grab the SPNEGO blob. */
1258         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1259
1260         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1261                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1262                         (unsigned int)p->hdr.auth_len ));
1263                 goto err;
1264         }
1265
1266         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1267                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1268                 goto err;
1269         }
1270
1271         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1272                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1273                 goto err;
1274         }
1275
1276         /*
1277          * The following call actually checks the challenge/response data.
1278          * for correctness against the given DOMAIN\user name.
1279          */
1280
1281         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1282                 goto err;
1283         }
1284
1285         data_blob_free(&spnego_blob);
1286         data_blob_free(&auth_blob);
1287
1288         /* Generate the spnego "accept completed" blob - no incoming data. */
1289         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1290
1291         /* Copy the blob into the pout_auth parse struct */
1292         init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1293         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1294                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1295                 goto err;
1296         }
1297
1298         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1299                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1300                 goto err;
1301         }
1302
1303         data_blob_free(&auth_reply);
1304         data_blob_free(&response);
1305
1306         p->pipe_bound = True;
1307
1308         return True;
1309
1310  err:
1311
1312         data_blob_free(&spnego_blob);
1313         data_blob_free(&auth_blob);
1314         data_blob_free(&auth_reply);
1315         data_blob_free(&response);
1316
1317         free_pipe_ntlmssp_auth_data(&p->auth);
1318         p->auth.a_u.auth_ntlmssp_state = NULL;
1319
1320         return False;
1321 }
1322
1323 /*******************************************************************
1324  Handle an schannel bind auth.
1325 *******************************************************************/
1326
1327 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1328                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1329 {
1330         RPC_HDR_AUTH auth_info;
1331         RPC_AUTH_SCHANNEL_NEG neg;
1332         RPC_AUTH_VERIFIER auth_verifier;
1333         bool ret;
1334         struct dcinfo *pdcinfo;
1335         uint32 flags;
1336         DATA_BLOB session_key;
1337
1338         if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1339                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1340                 return False;
1341         }
1342
1343         /*
1344          * The neg.myname key here must match the remote computer name
1345          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1346          * operations that use credentials.
1347          */
1348
1349         become_root();
1350         ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1351         unbecome_root();
1352
1353         if (!ret) {
1354                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1355                 return False;
1356         }
1357
1358         p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
1359         if (!p->auth.a_u.schannel_auth) {
1360                 TALLOC_FREE(pdcinfo);
1361                 return False;
1362         }
1363
1364         memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1365         memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1366                         sizeof(pdcinfo->sess_key));
1367
1368         TALLOC_FREE(pdcinfo);
1369
1370         p->auth.a_u.schannel_auth->seq_num = 0;
1371
1372         /*
1373          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1374          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1375          * struct of the person who opened the pipe. I need to test this further. JRA.
1376          *
1377          * VL. As we are mapping this to guest set the generic key
1378          * "SystemLibraryDTC" key here. It's a bit difficult to test against
1379          * W2k3, as it does not allow schannel binds against SAMR and LSA
1380          * anymore.
1381          */
1382
1383         session_key = generic_session_key();
1384         if (session_key.data == NULL) {
1385                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1386                           " key\n"));
1387                 return false;
1388         }
1389
1390         ret = server_info_set_session_key(p->server_info, session_key);
1391
1392         data_blob_free(&session_key);
1393
1394         if (!ret) {
1395                 DEBUG(0, ("server_info_set_session_key failed\n"));
1396                 return false;
1397         }
1398
1399         init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1400         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1401                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1402                 return False;
1403         }
1404
1405         /*** SCHANNEL verifier ***/
1406
1407         init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1408         if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1409                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1410                 return False;
1411         }
1412
1413         prs_align(pout_auth);
1414
1415         flags = 5;
1416         if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1417                 return False;
1418         }
1419
1420         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1421                 neg.domain, neg.myname));
1422
1423         /* We're finished with this bind - no more packets. */
1424         p->auth.auth_data_free_func = NULL;
1425         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1426
1427         p->pipe_bound = True;
1428
1429         return True;
1430 }
1431
1432 /*******************************************************************
1433  Handle an NTLMSSP bind auth.
1434 *******************************************************************/
1435
1436 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1437                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1438 {
1439         RPC_HDR_AUTH auth_info;
1440         DATA_BLOB blob;
1441         DATA_BLOB response;
1442         NTSTATUS status;
1443         AUTH_NTLMSSP_STATE *a = NULL;
1444
1445         ZERO_STRUCT(blob);
1446         ZERO_STRUCT(response);
1447
1448         /* Grab the NTLMSSP blob. */
1449         blob = data_blob(NULL,p->hdr.auth_len);
1450
1451         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1452                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1453                         (unsigned int)p->hdr.auth_len ));
1454                 goto err;
1455         }
1456
1457         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1458                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1459                 goto err;
1460         }
1461
1462         /* We have an NTLMSSP blob. */
1463         status = auth_ntlmssp_start(&a);
1464         if (!NT_STATUS_IS_OK(status)) {
1465                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1466                         nt_errstr(status) ));
1467                 goto err;
1468         }
1469
1470         status = auth_ntlmssp_update(a, blob, &response);
1471         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1472                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1473                         nt_errstr(status) ));
1474                 goto err;
1475         }
1476
1477         data_blob_free(&blob);
1478
1479         /* Copy the blob into the pout_auth parse struct */
1480         init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1481         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1482                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1483                 goto err;
1484         }
1485
1486         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1487                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1488                 goto err;
1489         }
1490
1491         p->auth.a_u.auth_ntlmssp_state = a;
1492         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1493         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1494
1495         data_blob_free(&blob);
1496         data_blob_free(&response);
1497
1498         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1499
1500         /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1501         return True;
1502
1503   err:
1504
1505         data_blob_free(&blob);
1506         data_blob_free(&response);
1507
1508         free_pipe_ntlmssp_auth_data(&p->auth);
1509         p->auth.a_u.auth_ntlmssp_state = NULL;
1510         return False;
1511 }
1512
1513 /*******************************************************************
1514  Respond to a pipe bind request.
1515 *******************************************************************/
1516
1517 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1518 {
1519         RPC_HDR_BA hdr_ba;
1520         RPC_HDR_RB hdr_rb;
1521         RPC_HDR_AUTH auth_info;
1522         uint16 assoc_gid;
1523         fstring ack_pipe_name;
1524         prs_struct out_hdr_ba;
1525         prs_struct out_auth;
1526         prs_struct outgoing_rpc;
1527         int i = 0;
1528         int auth_len = 0;
1529         unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1530
1531         /* No rebinds on a bound pipe - use alter context. */
1532         if (p->pipe_bound) {
1533                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound pipe %s.\n", p->pipe_srv_name));
1534                 return setup_bind_nak(p);
1535         }
1536
1537         prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1538
1539         /* 
1540          * Marshall directly into the outgoing PDU space. We
1541          * must do this as we need to set to the bind response
1542          * header and are never sending more than one PDU here.
1543          */
1544
1545         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1546
1547         /*
1548          * Setup the memory to marshall the ba header, and the
1549          * auth footers.
1550          */
1551
1552         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1553                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1554                 prs_mem_free(&outgoing_rpc);
1555                 return False;
1556         }
1557
1558         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1559                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1560                 prs_mem_free(&outgoing_rpc);
1561                 prs_mem_free(&out_hdr_ba);
1562                 return False;
1563         }
1564
1565         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1566
1567         ZERO_STRUCT(hdr_rb);
1568
1569         /* decode the bind request */
1570
1571         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1572                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1573                          "struct.\n"));
1574                 goto err_exit;
1575         }
1576
1577         if (hdr_rb.num_contexts == 0) {
1578                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1579                 goto err_exit;
1580         }
1581
1582         /*
1583          * Try and find the correct pipe name to ensure
1584          * that this is a pipe name we support.
1585          */
1586
1587         for (i = 0; i < rpc_lookup_size; i++) {
1588                 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1589                                         &hdr_rb.rpc_context[0].abstract)) {
1590                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1591                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1592                         fstrcpy(p->name, rpc_lookup[i].pipe.clnt);
1593                         fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1594                         break;
1595                 }
1596         }
1597
1598         if (i == rpc_lookup_size) {
1599                 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
1600                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1601                                 p->name ));
1602                         prs_mem_free(&outgoing_rpc);
1603                         prs_mem_free(&out_hdr_ba);
1604                         prs_mem_free(&out_auth);
1605
1606                         return setup_bind_nak(p);
1607                 }
1608
1609                 for (i = 0; i < rpc_lookup_size; i++) {
1610                        if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1611                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1612                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1613                                fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
1614                                break;
1615                        }
1616                 }
1617
1618                 if (i == rpc_lookup_size) {
1619                         DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
1620                         goto err_exit;
1621                 }
1622         }
1623
1624         /* name has to be \PIPE\xxxxx */
1625         fstrcpy(ack_pipe_name, "\\PIPE\\");
1626         fstrcat(ack_pipe_name, p->pipe_srv_name);
1627
1628         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1629
1630         /*
1631          * Check if this is an authenticated bind request.
1632          */
1633
1634         if (p->hdr.auth_len) {
1635                 /* 
1636                  * Decode the authentication verifier.
1637                  */
1638
1639                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1640                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1641                         goto err_exit;
1642                 }
1643
1644                 auth_type = auth_info.auth_type;
1645
1646                 /* Work out if we have to sign or seal etc. */
1647                 switch (auth_info.auth_level) {
1648                         case RPC_AUTH_LEVEL_INTEGRITY:
1649                                 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1650                                 break;
1651                         case RPC_AUTH_LEVEL_PRIVACY:
1652                                 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1653                                 break;
1654                         default:
1655                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1656                                         (unsigned int)auth_info.auth_level ));
1657                                 goto err_exit;
1658                 }
1659         } else {
1660                 ZERO_STRUCT(auth_info);
1661         }
1662
1663         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1664
1665         switch(auth_type) {
1666                 case RPC_NTLMSSP_AUTH_TYPE:
1667                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1668                                 goto err_exit;
1669                         }
1670                         assoc_gid = 0x7a77;
1671                         break;
1672
1673                 case RPC_SCHANNEL_AUTH_TYPE:
1674                         if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1675                                 goto err_exit;
1676                         }
1677                         break;
1678
1679                 case RPC_SPNEGO_AUTH_TYPE:
1680                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1681                                 goto err_exit;
1682                         }
1683                         break;
1684
1685                 case RPC_ANONYMOUS_AUTH_TYPE:
1686                         /* Unauthenticated bind request. */
1687                         /* We're finished - no more packets. */
1688                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1689                         /* We must set the pipe auth_level here also. */
1690                         p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1691                         p->pipe_bound = True;
1692                         /* The session key was initialized from the SMB
1693                          * session in make_internal_rpc_pipe_p */
1694                         break;
1695
1696                 default:
1697                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1698                         goto err_exit;
1699         }
1700
1701         /*
1702          * Create the bind response struct.
1703          */
1704
1705         /* If the requested abstract synt uuid doesn't match our client pipe,
1706                 reject the bind_ack & set the transfer interface synt to all 0's,
1707                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1708                 unknown to NT4)
1709                 Needed when adding entries to a DACL from NT5 - SK */
1710
1711         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1712                                 hdr_rb.rpc_context[0].context_id )) {
1713                 init_rpc_hdr_ba(&hdr_ba,
1714                         RPC_MAX_PDU_FRAG_LEN,
1715                         RPC_MAX_PDU_FRAG_LEN,
1716                         assoc_gid,
1717                         ack_pipe_name,
1718                         0x1, 0x0, 0x0,
1719                         &hdr_rb.rpc_context[0].transfer[0]);
1720         } else {
1721                 RPC_IFACE null_interface;
1722                 ZERO_STRUCT(null_interface);
1723                 /* Rejection reason: abstract syntax not supported */
1724                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1725                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1726                                         ack_pipe_name, 0x1, 0x2, 0x1,
1727                                         &null_interface);
1728                 p->pipe_bound = False;
1729         }
1730
1731         /*
1732          * and marshall it.
1733          */
1734
1735         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1736                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1737                 goto err_exit;
1738         }
1739
1740         /*
1741          * Create the header, now we know the length.
1742          */
1743
1744         if (prs_offset(&out_auth)) {
1745                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1746         }
1747
1748         init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1749                         p->hdr.call_id,
1750                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1751                         auth_len);
1752
1753         /*
1754          * Marshall the header into the outgoing PDU.
1755          */
1756
1757         if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1758                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1759                 goto err_exit;
1760         }
1761
1762         /*
1763          * Now add the RPC_HDR_BA and any auth needed.
1764          */
1765
1766         if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1767                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1768                 goto err_exit;
1769         }
1770
1771         if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1772                 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1773                 goto err_exit;
1774         }
1775
1776         /*
1777          * Setup the lengths for the initial reply.
1778          */
1779
1780         p->out_data.data_sent_length = 0;
1781         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1782         p->out_data.current_pdu_sent = 0;
1783
1784         prs_mem_free(&out_hdr_ba);
1785         prs_mem_free(&out_auth);
1786
1787         return True;
1788
1789   err_exit:
1790
1791         prs_mem_free(&outgoing_rpc);
1792         prs_mem_free(&out_hdr_ba);
1793         prs_mem_free(&out_auth);
1794         return setup_bind_nak(p);
1795 }
1796
1797 /****************************************************************************
1798  Deal with an alter context call. Can be third part of 3 leg auth request for
1799  SPNEGO calls.
1800 ****************************************************************************/
1801
1802 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1803 {
1804         RPC_HDR_BA hdr_ba;
1805         RPC_HDR_RB hdr_rb;
1806         RPC_HDR_AUTH auth_info;
1807         uint16 assoc_gid;
1808         fstring ack_pipe_name;
1809         prs_struct out_hdr_ba;
1810         prs_struct out_auth;
1811         prs_struct outgoing_rpc;
1812         int auth_len = 0;
1813
1814         prs_init_empty( &outgoing_rpc, p->mem_ctx, MARSHALL);
1815
1816         /* 
1817          * Marshall directly into the outgoing PDU space. We
1818          * must do this as we need to set to the bind response
1819          * header and are never sending more than one PDU here.
1820          */
1821
1822         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1823
1824         /*
1825          * Setup the memory to marshall the ba header, and the
1826          * auth footers.
1827          */
1828
1829         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1830                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1831                 prs_mem_free(&outgoing_rpc);
1832                 return False;
1833         }
1834
1835         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1836                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1837                 prs_mem_free(&outgoing_rpc);
1838                 prs_mem_free(&out_hdr_ba);
1839                 return False;
1840         }
1841
1842         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1843
1844         /* decode the alter context request */
1845         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1846                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1847                 goto err_exit;
1848         }
1849
1850         /* secondary address CAN be NULL
1851          * as the specs say it's ignored.
1852          * It MUST be NULL to have the spoolss working.
1853          */
1854         fstrcpy(ack_pipe_name,"");
1855
1856         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1857
1858         /*
1859          * Check if this is an authenticated alter context request.
1860          */
1861
1862         if (p->hdr.auth_len != 0) {
1863                 /* 
1864                  * Decode the authentication verifier.
1865                  */
1866
1867                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1868                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1869                         goto err_exit;
1870                 }
1871
1872                 /*
1873                  * Currently only the SPNEGO auth type uses the alter ctx
1874                  * response in place of the NTLMSSP auth3 type.
1875                  */
1876
1877                 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1878                         /* We can only finish if the pipe is unbound. */
1879                         if (!p->pipe_bound) {
1880                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1881                                         goto err_exit;
1882                                 }
1883                         } else {
1884                                 goto err_exit;
1885                         }
1886                 }
1887         } else {
1888                 ZERO_STRUCT(auth_info);
1889         }
1890
1891         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1892
1893         /*
1894          * Create the bind response struct.
1895          */
1896
1897         /* If the requested abstract synt uuid doesn't match our client pipe,
1898                 reject the bind_ack & set the transfer interface synt to all 0's,
1899                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1900                 unknown to NT4)
1901                 Needed when adding entries to a DACL from NT5 - SK */
1902
1903         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1904                                 hdr_rb.rpc_context[0].context_id )) {
1905                 init_rpc_hdr_ba(&hdr_ba,
1906                         RPC_MAX_PDU_FRAG_LEN,
1907                         RPC_MAX_PDU_FRAG_LEN,
1908                         assoc_gid,
1909                         ack_pipe_name,
1910                         0x1, 0x0, 0x0,
1911                         &hdr_rb.rpc_context[0].transfer[0]);
1912         } else {
1913                 RPC_IFACE null_interface;
1914                 ZERO_STRUCT(null_interface);
1915                 /* Rejection reason: abstract syntax not supported */
1916                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1917                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1918                                         ack_pipe_name, 0x1, 0x2, 0x1,
1919                                         &null_interface);
1920                 p->pipe_bound = False;
1921         }
1922
1923         /*
1924          * and marshall it.
1925          */
1926
1927         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1928                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1929                 goto err_exit;
1930         }
1931
1932         /*
1933          * Create the header, now we know the length.
1934          */
1935
1936         if (prs_offset(&out_auth)) {
1937                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1938         }
1939
1940         init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1941                         p->hdr.call_id,
1942                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1943                         auth_len);
1944
1945         /*
1946          * Marshall the header into the outgoing PDU.
1947          */
1948
1949         if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1950                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1951                 goto err_exit;
1952         }
1953
1954         /*
1955          * Now add the RPC_HDR_BA and any auth needed.
1956          */
1957
1958         if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1959                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1960                 goto err_exit;
1961         }
1962
1963         if (auth_len && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1964                 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1965                 goto err_exit;
1966         }
1967
1968         /*
1969          * Setup the lengths for the initial reply.
1970          */
1971
1972         p->out_data.data_sent_length = 0;
1973         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1974         p->out_data.current_pdu_sent = 0;
1975
1976         prs_mem_free(&out_hdr_ba);
1977         prs_mem_free(&out_auth);
1978
1979         return True;
1980
1981   err_exit:
1982
1983         prs_mem_free(&outgoing_rpc);
1984         prs_mem_free(&out_hdr_ba);
1985         prs_mem_free(&out_auth);
1986         return setup_bind_nak(p);
1987 }
1988
1989 /****************************************************************************
1990  Deal with NTLMSSP sign & seal processing on an RPC request.
1991 ****************************************************************************/
1992
1993 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
1994                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1995 {
1996         RPC_HDR_AUTH auth_info;
1997         uint32 auth_len = p->hdr.auth_len;
1998         uint32 save_offset = prs_offset(rpc_in);
1999         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2000         unsigned char *data = NULL;
2001         size_t data_len;
2002         unsigned char *full_packet_data = NULL;
2003         size_t full_packet_data_len;
2004         DATA_BLOB auth_blob;
2005
2006         *pstatus = NT_STATUS_OK;
2007
2008         if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
2009                 return True;
2010         }
2011
2012         if (!a) {
2013                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2014                 return False;
2015         }
2016
2017         /* Ensure there's enough data for an authenticated request. */
2018         if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2019                         (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2020                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2021                         (unsigned int)auth_len ));
2022                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2023                 return False;
2024         }
2025
2026         /*
2027          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2028          * after the RPC header. 
2029          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2030          * functions as NTLMv2 checks the rpc headers also.
2031          */
2032
2033         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2034         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2035
2036         full_packet_data = p->in_data.current_in_pdu;
2037         full_packet_data_len = p->hdr.frag_len - auth_len;
2038
2039         /* Pull the auth header and the following data into a blob. */
2040         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2041                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2042                         (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2043                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2044                 return False;
2045         }
2046
2047         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2048                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2049                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2050                 return False;
2051         }
2052
2053         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2054         auth_blob.length = auth_len;
2055
2056         switch (p->auth.auth_level) {
2057                 case PIPE_AUTH_LEVEL_PRIVACY:
2058                         /* Data is encrypted. */
2059                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2060                                                         data, data_len,
2061                                                         full_packet_data,
2062                                                         full_packet_data_len,
2063                                                         &auth_blob);
2064                         if (!NT_STATUS_IS_OK(*pstatus)) {
2065                                 return False;
2066                         }
2067                         break;
2068                 case PIPE_AUTH_LEVEL_INTEGRITY:
2069                         /* Data is signed. */
2070                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2071                                                         data, data_len,
2072                                                         full_packet_data,
2073                                                         full_packet_data_len,
2074                                                         &auth_blob);
2075                         if (!NT_STATUS_IS_OK(*pstatus)) {
2076                                 return False;
2077                         }
2078                         break;
2079                 default:
2080                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2081                         return False;
2082         }
2083
2084         /*
2085          * Return the current pointer to the data offset.
2086          */
2087
2088         if(!prs_set_offset(rpc_in, save_offset)) {
2089                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2090                         (unsigned int)save_offset ));
2091                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2092                 return False;
2093         }
2094
2095         /*
2096          * Remember the padding length. We must remove it from the real data
2097          * stream once the sign/seal is done.
2098          */
2099
2100         *p_ss_padding_len = auth_info.auth_pad_len;
2101
2102         return True;
2103 }
2104
2105 /****************************************************************************
2106  Deal with schannel processing on an RPC request.
2107 ****************************************************************************/
2108
2109 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2110 {
2111         uint32 data_len;
2112         uint32 auth_len;
2113         uint32 save_offset = prs_offset(rpc_in);
2114         RPC_HDR_AUTH auth_info;
2115         RPC_AUTH_SCHANNEL_CHK schannel_chk;
2116
2117         auth_len = p->hdr.auth_len;
2118
2119         if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
2120                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2121                 return False;
2122         }
2123
2124         /*
2125          * The following is that length of the data we must verify or unseal.
2126          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2127          * preceeding the auth_data.
2128          */
2129
2130         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2131                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2132                         (unsigned int)p->hdr.frag_len,
2133                         (unsigned int)auth_len ));
2134                 return False;
2135         }
2136
2137         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2138                 RPC_HDR_AUTH_LEN - auth_len;
2139
2140         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2141
2142         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2143                 DEBUG(0,("cannot move offset to %u.\n",
2144                          (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2145                 return False;
2146         }
2147
2148         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2149                 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2150                 return False;
2151         }
2152
2153         if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2154                 DEBUG(0,("Invalid auth info %d on schannel\n",
2155                          auth_info.auth_type));
2156                 return False;
2157         }
2158
2159         if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2160                 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2161                 return False;
2162         }
2163
2164         if (!schannel_decode(p->auth.a_u.schannel_auth,
2165                            p->auth.auth_level,
2166                            SENDER_IS_INITIATOR,
2167                            &schannel_chk,
2168                            prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2169                 DEBUG(3,("failed to decode PDU\n"));
2170                 return False;
2171         }
2172
2173         /*
2174          * Return the current pointer to the data offset.
2175          */
2176
2177         if(!prs_set_offset(rpc_in, save_offset)) {
2178                 DEBUG(0,("failed to set offset back to %u\n",
2179                          (unsigned int)save_offset ));
2180                 return False;
2181         }
2182
2183         /* The sequence number gets incremented on both send and receive. */
2184         p->auth.a_u.schannel_auth->seq_num++;
2185
2186         /*
2187          * Remember the padding length. We must remove it from the real data
2188          * stream once the sign/seal is done.
2189          */
2190
2191         *p_ss_padding_len = auth_info.auth_pad_len;
2192
2193         return True;
2194 }
2195
2196 /****************************************************************************
2197  Find the set of RPC functions associated with this context_id
2198 ****************************************************************************/
2199
2200 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2201 {
2202         PIPE_RPC_FNS *fns = NULL;
2203
2204         if ( !list ) {
2205                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2206                 return NULL;
2207         }
2208
2209         for (fns=list; fns; fns=fns->next ) {
2210                 if ( fns->context_id == context_id )
2211                         return fns;
2212         }
2213         return NULL;
2214 }
2215
2216 /****************************************************************************
2217  Memory cleanup.
2218 ****************************************************************************/
2219
2220 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2221 {
2222         PIPE_RPC_FNS *tmp = list;
2223         PIPE_RPC_FNS *tmp2;
2224
2225         while (tmp) {
2226                 tmp2 = tmp->next;
2227                 SAFE_FREE(tmp);
2228                 tmp = tmp2;
2229         }
2230
2231         return; 
2232 }
2233
2234 static bool api_rpcTNP(pipes_struct *p, const char *rpc_name, 
2235                        const struct api_struct *api_rpc_cmds, int n_cmds);
2236
2237 /****************************************************************************
2238  Find the correct RPC function to call for this request.
2239  If the pipe is authenticated then become the correct UNIX user
2240  before doing the call.
2241 ****************************************************************************/
2242
2243 bool api_pipe_request(pipes_struct *p)
2244 {
2245         bool ret = False;
2246         bool changed_user = False;
2247         PIPE_RPC_FNS *pipe_fns;
2248
2249         if (p->pipe_bound &&
2250                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2251                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2252                 if(!become_authenticated_pipe_user(p)) {
2253                         prs_mem_free(&p->out_data.rdata);
2254                         return False;
2255                 }
2256                 changed_user = True;
2257         }
2258
2259         DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
2260
2261         /* get the set of RPC functions for this context */
2262
2263         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2264
2265         if ( pipe_fns ) {
2266                 TALLOC_CTX *frame = talloc_stackframe();
2267                 ret = api_rpcTNP(p, p->name, pipe_fns->cmds, pipe_fns->n_cmds);
2268                 TALLOC_FREE(frame);
2269         }
2270         else {
2271                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2272                         p->hdr_req.context_id, p->name));
2273         }
2274
2275         if (changed_user) {
2276                 unbecome_authenticated_pipe_user();
2277         }
2278
2279         return ret;
2280 }
2281
2282 /*******************************************************************
2283  Calls the underlying RPC function for a named pipe.
2284  ********************************************************************/
2285
2286 static bool api_rpcTNP(pipes_struct *p, const char *rpc_name, 
2287                        const struct api_struct *api_rpc_cmds, int n_cmds)
2288 {
2289         int fn_num;
2290         fstring name;
2291         uint32 offset1, offset2;
2292
2293         /* interpret the command */
2294         DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
2295
2296         slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
2297         prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2298
2299         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2300                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2301                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2302                         break;
2303                 }
2304         }
2305
2306         if (fn_num == n_cmds) {
2307                 /*
2308                  * For an unknown RPC just return a fault PDU but
2309                  * return True to allow RPC's on the pipe to continue
2310                  * and not put the pipe into fault state. JRA.
2311                  */
2312                 DEBUG(4, ("unknown\n"));
2313                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2314                 return True;
2315         }
2316
2317         offset1 = prs_offset(&p->out_data.rdata);
2318
2319         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2320                 fn_num, api_rpc_cmds[fn_num].fn));
2321         /* do the actual command */
2322         if(!api_rpc_cmds[fn_num].fn(p)) {
2323                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
2324                 prs_mem_free(&p->out_data.rdata);
2325                 return False;
2326         }
2327
2328         if (p->bad_handle_fault_state) {
2329                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2330                 p->bad_handle_fault_state = False;
2331                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2332                 return True;
2333         }
2334
2335         if (p->rng_fault_state) {
2336                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2337                 p->rng_fault_state = False;
2338                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2339                 return True;
2340         }
2341
2342         slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
2343         offset2 = prs_offset(&p->out_data.rdata);
2344         prs_set_offset(&p->out_data.rdata, offset1);
2345         prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2346         prs_set_offset(&p->out_data.rdata, offset2);
2347
2348         DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
2349
2350         /* Check for buffer underflow in rpc parsing */
2351
2352         if ((DEBUGLEVEL >= 10) && 
2353             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2354                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2355                 char *data = (char *)SMB_MALLOC(data_len);
2356
2357                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2358                 if (data) {
2359                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2360                         SAFE_FREE(data);
2361                 }
2362
2363         }
2364
2365         return True;
2366 }