a82367776435d4f5ca1ea203d20f9615c6aab03f
[kai/samba.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31 #include "system/filesys.h"
32 #include "srv_pipe_internal.h"
33 #include "../librpc/gen_ndr/ndr_schannel.h"
34 #include "../libcli/auth/schannel.h"
35 #include "../libcli/auth/spnego.h"
36 #include "dcesrv_ntlmssp.h"
37 #include "dcesrv_gssapi.h"
38 #include "dcesrv_spnego.h"
39 #include "rpc_server.h"
40 #include "rpc_dce.h"
41 #include "smbd/smbd.h"
42 #include "auth.h"
43
44 #undef DBGC_CLASS
45 #define DBGC_CLASS DBGC_RPC_SRV
46
47 /**
48  * Dump everything from the start of the end up of the provided data
49  * into a file, but only at debug level >= 50
50  **/
51 static void dump_pdu_region(const char *name, int v,
52                             DATA_BLOB *data, size_t start, size_t end)
53 {
54         int fd, i;
55         char *fname = NULL;
56         ssize_t sz;
57
58         if (DEBUGLEVEL < 50) return;
59
60         if (start > data->length || end > data->length || start > end) return;
61
62         for (i = 1; i < 100; i++) {
63                 if (v != -1) {
64                         fname = talloc_asprintf(talloc_tos(),
65                                                 "/tmp/%s_%d.%d.prs",
66                                                 name, v, i);
67                 } else {
68                         fname = talloc_asprintf(talloc_tos(),
69                                                 "/tmp/%s_%d.prs",
70                                                 name, i);
71                 }
72                 if (!fname) {
73                         return;
74                 }
75                 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
76                 if (fd != -1 || errno != EEXIST) break;
77         }
78         if (fd != -1) {
79                 sz = write(fd, data->data + start, end - start);
80                 i = close(fd);
81                 if ((sz != end - start) || (i != 0) ) {
82                         DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n",
83                                   fname, (unsigned long)sz,
84                                   (unsigned long)end - start, i));
85                 } else {
86                         DEBUG(0,("created %s\n", fname));
87                 }
88         }
89         TALLOC_FREE(fname);
90 }
91
92 static DATA_BLOB generic_session_key(void)
93 {
94         return data_blob_const("SystemLibraryDTC", 16);
95 }
96
97 /*******************************************************************
98  Generate the next PDU to be returned from the data.
99 ********************************************************************/
100
101 static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
102                                    struct pipe_auth_data *auth,
103                                    uint32_t call_id,
104                                    DATA_BLOB *rdata,
105                                    size_t data_sent_length,
106                                    DATA_BLOB *frag,
107                                    size_t *pdu_size)
108 {
109         union dcerpc_payload u;
110         uint8_t pfc_flags;
111         size_t data_left;
112         size_t data_to_send;
113         size_t frag_len;
114         size_t pad_len = 0;
115         size_t auth_len = 0;
116         NTSTATUS status;
117
118         ZERO_STRUCT(u.response);
119
120         /* Set up rpc packet pfc flags. */
121         if (data_sent_length == 0) {
122                 pfc_flags = DCERPC_PFC_FLAG_FIRST;
123         } else {
124                 pfc_flags = 0;
125         }
126
127         /* Work out how much we can fit in a single PDU. */
128         data_left = rdata->length - data_sent_length;
129
130         /* Ensure there really is data left to send. */
131         if (!data_left) {
132                 DEBUG(0, ("No data left to send !\n"));
133                 return NT_STATUS_BUFFER_TOO_SMALL;
134         }
135
136         status = dcerpc_guess_sizes(auth,
137                                     DCERPC_RESPONSE_LENGTH,
138                                     data_left,
139                                     RPC_MAX_PDU_FRAG_LEN,
140                                     SERVER_NDR_PADDING_SIZE,
141                                     &data_to_send, &frag_len,
142                                     &auth_len, &pad_len);
143         if (!NT_STATUS_IS_OK(status)) {
144                 return status;
145         }
146
147         /* Set up the alloc hint. This should be the data left to send. */
148         u.response.alloc_hint = data_left;
149
150         /* Work out if this PDU will be the last. */
151         if (data_sent_length + data_to_send >= rdata->length) {
152                 pfc_flags |= DCERPC_PFC_FLAG_LAST;
153         }
154
155         /* Prepare data to be NDR encoded. */
156         u.response.stub_and_verifier =
157                 data_blob_const(rdata->data + data_sent_length, data_to_send);
158
159         /* Store the packet in the data stream. */
160         status = dcerpc_push_ncacn_packet(mem_ctx, DCERPC_PKT_RESPONSE,
161                                           pfc_flags, auth_len, call_id,
162                                           &u, frag);
163         if (!NT_STATUS_IS_OK(status)) {
164                 DEBUG(0, ("Failed to marshall RPC Packet.\n"));
165                 return status;
166         }
167
168         if (auth_len) {
169                 /* Set the proper length on the pdu, including padding.
170                  * Only needed if an auth trailer will be appended. */
171                 dcerpc_set_frag_length(frag, frag->length
172                                                 + pad_len
173                                                 + DCERPC_AUTH_TRAILER_LENGTH
174                                                 + auth_len);
175         }
176
177         if (auth_len) {
178                 status = dcerpc_add_auth_footer(auth, pad_len, frag);
179                 if (!NT_STATUS_IS_OK(status)) {
180                         data_blob_free(frag);
181                         return status;
182                 }
183         }
184
185         *pdu_size = data_to_send;
186         return NT_STATUS_OK;
187 }
188
189 /*******************************************************************
190  Generate the next PDU to be returned from the data in p->rdata. 
191 ********************************************************************/
192
193 bool create_next_pdu(struct pipes_struct *p)
194 {
195         size_t pdu_size = 0;
196         NTSTATUS status;
197
198         /*
199          * If we're in the fault state, keep returning fault PDU's until
200          * the pipe gets closed. JRA.
201          */
202         if (p->fault_state) {
203                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
204                 return true;
205         }
206
207         status = create_next_packet(p->mem_ctx, &p->auth,
208                                     p->call_id, &p->out_data.rdata,
209                                     p->out_data.data_sent_length,
210                                     &p->out_data.frag, &pdu_size);
211         if (!NT_STATUS_IS_OK(status)) {
212                 DEBUG(0, ("Failed to create packet with error %s, "
213                           "(auth level %u / type %u)\n",
214                           nt_errstr(status),
215                           (unsigned int)p->auth.auth_level,
216                           (unsigned int)p->auth.auth_type));
217                 return false;
218         }
219
220         /* Setup the counts for this PDU. */
221         p->out_data.data_sent_length += pdu_size;
222         p->out_data.current_pdu_sent = 0;
223         return true;
224 }
225
226
227 static bool pipe_init_outgoing_data(struct pipes_struct *p);
228
229 /*******************************************************************
230  Marshall a bind_nak pdu.
231 *******************************************************************/
232
233 static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
234 {
235         NTSTATUS status;
236         union dcerpc_payload u;
237
238         /* Free any memory in the current return data buffer. */
239         pipe_init_outgoing_data(p);
240
241         /*
242          * Initialize a bind_nak header.
243          */
244
245         ZERO_STRUCT(u);
246
247         u.bind_nak.reject_reason  = 0;
248
249         /*
250          * Marshall directly into the outgoing PDU space. We
251          * must do this as we need to set to the bind response
252          * header and are never sending more than one PDU here.
253          */
254
255         status = dcerpc_push_ncacn_packet(p->mem_ctx,
256                                           DCERPC_PKT_BIND_NAK,
257                                           DCERPC_PFC_FLAG_FIRST |
258                                                 DCERPC_PFC_FLAG_LAST,
259                                           0,
260                                           pkt->call_id,
261                                           &u,
262                                           &p->out_data.frag);
263         if (!NT_STATUS_IS_OK(status)) {
264                 return False;
265         }
266
267         p->out_data.data_sent_length = 0;
268         p->out_data.current_pdu_sent = 0;
269
270         TALLOC_FREE(p->auth.auth_ctx);
271         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
272         p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
273         p->pipe_bound = False;
274
275         return True;
276 }
277
278 /*******************************************************************
279  Marshall a fault pdu.
280 *******************************************************************/
281
282 bool setup_fault_pdu(struct pipes_struct *p, NTSTATUS fault_status)
283 {
284         NTSTATUS status;
285         union dcerpc_payload u;
286
287         /* Free any memory in the current return data buffer. */
288         pipe_init_outgoing_data(p);
289
290         /*
291          * Initialize a fault header.
292          */
293
294         ZERO_STRUCT(u);
295
296         u.fault.status          = NT_STATUS_V(fault_status);
297         u.fault._pad            = data_blob_talloc_zero(p->mem_ctx, 4);
298
299         /*
300          * Marshall directly into the outgoing PDU space. We
301          * must do this as we need to set to the bind response
302          * header and are never sending more than one PDU here.
303          */
304
305         status = dcerpc_push_ncacn_packet(p->mem_ctx,
306                                           DCERPC_PKT_FAULT,
307                                           DCERPC_PFC_FLAG_FIRST |
308                                            DCERPC_PFC_FLAG_LAST |
309                                            DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
310                                           0,
311                                           p->call_id,
312                                           &u,
313                                           &p->out_data.frag);
314         if (!NT_STATUS_IS_OK(status)) {
315                 return False;
316         }
317
318         p->out_data.data_sent_length = 0;
319         p->out_data.current_pdu_sent = 0;
320
321         return True;
322 }
323
324 /*******************************************************************
325  Ensure a bind request has the correct abstract & transfer interface.
326  Used to reject unknown binds from Win2k.
327 *******************************************************************/
328
329 static bool check_bind_req(struct pipes_struct *p,
330                            struct ndr_syntax_id* abstract,
331                            struct ndr_syntax_id* transfer,
332                            uint32 context_id)
333 {
334         struct pipe_rpc_fns *context_fns;
335
336         DEBUG(3,("check_bind_req for %s\n",
337                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
338
339         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
340         if (rpc_srv_pipe_exists_by_id(abstract) &&
341            ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
342                 DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
343                         rpc_srv_get_pipe_cli_name(abstract),
344                         rpc_srv_get_pipe_srv_name(abstract)));
345         } else {
346                 return false;
347         }
348
349         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
350         if (context_fns == NULL) {
351                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
352                 return False;
353         }
354
355         context_fns->next = context_fns->prev = NULL;
356         context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
357         context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
358         context_fns->context_id = context_id;
359
360         /* add to the list of open contexts */
361
362         DLIST_ADD( p->contexts, context_fns );
363
364         return True;
365 }
366
367 /**
368  * Is a named pipe known?
369  * @param[in] cli_filename      The pipe name requested by the client
370  * @result                      Do we want to serve this?
371  */
372 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
373 {
374         const char *pipename = cli_filename;
375         NTSTATUS status;
376
377         if (strnequal(pipename, "\\PIPE\\", 6)) {
378                 pipename += 5;
379         }
380
381         if (*pipename == '\\') {
382                 pipename += 1;
383         }
384
385         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
386                 DEBUG(10, ("refusing spoolss access\n"));
387                 return false;
388         }
389
390         if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
391                 return true;
392         }
393
394         status = smb_probe_module("rpc", pipename);
395         if (!NT_STATUS_IS_OK(status)) {
396                 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
397                 return false;
398         }
399         DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
400
401         /*
402          * Scan the list again for the interface id
403          */
404         if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
405                 return true;
406         }
407
408         DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
409                    pipename));
410
411         return false;
412 }
413
414 /*******************************************************************
415  Handle the first part of a SPNEGO bind auth.
416 *******************************************************************/
417
418 static bool pipe_spnego_auth_bind(struct pipes_struct *p,
419                                   TALLOC_CTX *mem_ctx,
420                                   struct dcerpc_auth *auth_info,
421                                   DATA_BLOB *response)
422 {
423         struct spnego_context *spnego_ctx;
424         NTSTATUS status;
425
426         status = spnego_server_auth_start(p,
427                                           (auth_info->auth_level ==
428                                                 DCERPC_AUTH_LEVEL_INTEGRITY),
429                                           (auth_info->auth_level ==
430                                                 DCERPC_AUTH_LEVEL_PRIVACY),
431                                           true,
432                                           &auth_info->credentials,
433                                           response,
434                                           &spnego_ctx);
435         if (!NT_STATUS_IS_OK(status)) {
436                 DEBUG(0, ("Failed SPNEGO negotiate (%s)\n",
437                           nt_errstr(status)));
438                 return false;
439         }
440
441         /* Make sure data is bound to the memctx, to be freed the caller */
442         talloc_steal(mem_ctx, response->data);
443
444         p->auth.auth_ctx = spnego_ctx;
445         p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO;
446
447         DEBUG(10, ("SPNEGO auth started\n"));
448
449         return true;
450 }
451
452 /*******************************************************************
453  Handle an schannel bind auth.
454 *******************************************************************/
455
456 static bool pipe_schannel_auth_bind(struct pipes_struct *p,
457                                     TALLOC_CTX *mem_ctx,
458                                     struct dcerpc_auth *auth_info,
459                                     DATA_BLOB *response)
460 {
461         struct NL_AUTH_MESSAGE neg;
462         struct NL_AUTH_MESSAGE reply;
463         bool ret;
464         NTSTATUS status;
465         struct netlogon_creds_CredentialState *creds;
466         enum ndr_err_code ndr_err;
467         struct schannel_state *schannel_auth;
468
469         ndr_err = ndr_pull_struct_blob(
470                         &auth_info->credentials, mem_ctx, &neg,
471                         (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
472         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
473                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
474                 return false;
475         }
476
477         if (DEBUGLEVEL >= 10) {
478                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
479         }
480
481         if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
482                 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
483                 return false;
484         }
485
486         /*
487          * The neg.oem_netbios_computer.a key here must match the remote computer name
488          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
489          * operations that use credentials.
490          */
491
492         become_root();
493         status = schannel_get_creds_state(p, lp_private_dir(),
494                                             neg.oem_netbios_computer.a, &creds);
495         unbecome_root();
496
497         if (!NT_STATUS_IS_OK(status)) {
498                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
499                 return False;
500         }
501
502         schannel_auth = talloc(p, struct schannel_state);
503         if (!schannel_auth) {
504                 TALLOC_FREE(creds);
505                 return False;
506         }
507
508         schannel_auth->state = SCHANNEL_STATE_START;
509         schannel_auth->seq_num = 0;
510         schannel_auth->initiator = false;
511         schannel_auth->creds = creds;
512
513         /*
514          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
515          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
516          * struct of the person who opened the pipe. I need to test this further. JRA.
517          *
518          * VL. As we are mapping this to guest set the generic key
519          * "SystemLibraryDTC" key here. It's a bit difficult to test against
520          * W2k3, as it does not allow schannel binds against SAMR and LSA
521          * anymore.
522          */
523
524         ret = session_info_set_session_key(p->session_info, generic_session_key());
525
526         if (!ret) {
527                 DEBUG(0, ("session_info_set_session_key failed\n"));
528                 return false;
529         }
530
531         /*** SCHANNEL verifier ***/
532
533         reply.MessageType                       = NL_NEGOTIATE_RESPONSE;
534         reply.Flags                             = 0;
535         reply.Buffer.dummy                      = 5; /* ??? actually I don't think
536                                                       * this has any meaning
537                                                       * here - gd */
538
539         ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
540                        (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
541         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
542                 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
543                 return false;
544         }
545
546         if (DEBUGLEVEL >= 10) {
547                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
548         }
549
550         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
551                 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
552
553         /* We're finished with this bind - no more packets. */
554         p->auth.auth_ctx = schannel_auth;
555         p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
556
557         p->pipe_bound = True;
558
559         return True;
560 }
561
562 /*******************************************************************
563  Handle an NTLMSSP bind auth.
564 *******************************************************************/
565
566 static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
567                                    TALLOC_CTX *mem_ctx,
568                                    struct dcerpc_auth *auth_info,
569                                    DATA_BLOB *response)
570 {
571         struct auth_ntlmssp_state *ntlmssp_state = NULL;
572         NTSTATUS status;
573
574         if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) {
575                 DEBUG(0, ("Failed to read NTLMSSP in blob\n"));
576                 return false;
577         }
578
579         /* We have an NTLMSSP blob. */
580         status = ntlmssp_server_auth_start(p,
581                                            (auth_info->auth_level ==
582                                                 DCERPC_AUTH_LEVEL_INTEGRITY),
583                                            (auth_info->auth_level ==
584                                                 DCERPC_AUTH_LEVEL_PRIVACY),
585                                            true,
586                                            &auth_info->credentials,
587                                            response,
588                                            &ntlmssp_state);
589         if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
590                 DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
591                           nt_errstr(status)));
592                 return false;
593         }
594
595         /* Make sure data is bound to the memctx, to be freed the caller */
596         talloc_steal(mem_ctx, response->data);
597
598         p->auth.auth_ctx = ntlmssp_state;
599         p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
600
601         DEBUG(10, (__location__ ": NTLMSSP auth started\n"));
602
603         return true;
604 }
605
606 /*******************************************************************
607  Process an NTLMSSP authentication response.
608  If this function succeeds, the user has been authenticated
609  and their domain, name and calling workstation stored in
610  the pipe struct.
611 *******************************************************************/
612
613 static bool pipe_ntlmssp_verify_final(TALLOC_CTX *mem_ctx,
614                                 struct auth_ntlmssp_state *ntlmssp_ctx,
615                                 enum dcerpc_AuthLevel auth_level,
616                                 struct client_address *client_id,
617                                 struct ndr_syntax_id *syntax,
618                                 struct auth_serversupplied_info **session_info)
619 {
620         NTSTATUS status;
621         bool ret;
622
623         DEBUG(5, (__location__ ": pipe %s checking user details\n",
624                  get_pipe_name_from_syntax(talloc_tos(), syntax)));
625
626         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
627            ensure the underlying NTLMSSP flags are also set. If not we should
628            refuse the bind. */
629
630         status = ntlmssp_server_check_flags(ntlmssp_ctx,
631                                             (auth_level ==
632                                                 DCERPC_AUTH_LEVEL_INTEGRITY),
633                                             (auth_level ==
634                                                 DCERPC_AUTH_LEVEL_PRIVACY));
635         if (!NT_STATUS_IS_OK(status)) {
636                 DEBUG(0, (__location__ ": Client failed to negotatie proper "
637                           "security for pipe %s\n",
638                           get_pipe_name_from_syntax(talloc_tos(), syntax)));
639                 return false;
640         }
641
642         TALLOC_FREE(*session_info);
643
644         status = ntlmssp_server_get_user_info(ntlmssp_ctx,
645                                                 mem_ctx, session_info);
646         if (!NT_STATUS_IS_OK(status)) {
647                 DEBUG(0, (__location__ ": failed to obtain the server info "
648                           "for authenticated user: %s\n", nt_errstr(status)));
649                 return false;
650         }
651
652         if ((*session_info)->security_token == NULL) {
653                 DEBUG(1, ("Auth module failed to provide nt_user_token\n"));
654                 return false;
655         }
656
657         /*
658          * We're an authenticated bind over smb, so the session key needs to
659          * be set to "SystemLibraryDTC". Weird, but this is what Windows
660          * does. See the RPC-SAMBA3SESSIONKEY.
661          */
662
663         ret = session_info_set_session_key((*session_info), generic_session_key());
664         if (!ret) {
665                 DEBUG(0, ("Failed to set session key!\n"));
666                 return false;
667         }
668
669         return true;
670 }
671
672 /*******************************************************************
673  Handle a GSSAPI bind auth.
674 *******************************************************************/
675
676 static bool pipe_gssapi_auth_bind(struct pipes_struct *p,
677                                   TALLOC_CTX *mem_ctx,
678                                   struct dcerpc_auth *auth_info,
679                                   DATA_BLOB *response)
680 {
681         NTSTATUS status;
682         struct gse_context *gse_ctx = NULL;
683
684         status = gssapi_server_auth_start(p,
685                                           (auth_info->auth_level ==
686                                                 DCERPC_AUTH_LEVEL_INTEGRITY),
687                                           (auth_info->auth_level ==
688                                                 DCERPC_AUTH_LEVEL_PRIVACY),
689                                           true,
690                                           &auth_info->credentials,
691                                           response,
692                                           &gse_ctx);
693         if (!NT_STATUS_IS_OK(status)) {
694                 DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
695                           nt_errstr(status)));
696                 goto err;
697         }
698
699         /* Make sure data is bound to the memctx, to be freed the caller */
700         talloc_steal(mem_ctx, response->data);
701
702         p->auth.auth_ctx = gse_ctx;
703         p->auth.auth_type = DCERPC_AUTH_TYPE_KRB5;
704
705         DEBUG(10, ("KRB5 auth started\n"));
706
707         return true;
708
709 err:
710         TALLOC_FREE(gse_ctx);
711         return false;
712 }
713
714 static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
715                                          struct gse_context *gse_ctx,
716                                          struct client_address *client_id,
717                                          struct auth_serversupplied_info **session_info)
718 {
719         NTSTATUS status;
720         bool bret;
721
722         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
723            ensure the underlying flags are also set. If not we should
724            refuse the bind. */
725
726         status = gssapi_server_check_flags(gse_ctx);
727         if (!NT_STATUS_IS_OK(status)) {
728                 DEBUG(0, ("Requested Security Layers not honored!\n"));
729                 return status;
730         }
731
732         status = gssapi_server_get_user_info(gse_ctx, mem_ctx,
733                                              client_id, session_info);
734         if (!NT_STATUS_IS_OK(status)) {
735                 DEBUG(0, (__location__ ": failed to obtain the server info "
736                           "for authenticated user: %s\n", nt_errstr(status)));
737                 return status;
738         }
739
740         if ((*session_info)->security_token == NULL) {
741                 status = create_local_token(*session_info);
742                 if (!NT_STATUS_IS_OK(status)) {
743                         DEBUG(1, ("Failed to create local user token (%s)\n",
744                                   nt_errstr(status)));
745                         status = NT_STATUS_ACCESS_DENIED;
746                         return status;
747                 }
748         }
749
750         /* TODO: this is what the ntlmssp code does with the session_key, check
751          * it is ok with gssapi too */
752         /*
753          * We're an authenticated bind over smb, so the session key needs to
754          * be set to "SystemLibraryDTC". Weird, but this is what Windows
755          * does. See the RPC-SAMBA3SESSIONKEY.
756          */
757
758         bret = session_info_set_session_key((*session_info), generic_session_key());
759         if (!bret) {
760                 return NT_STATUS_ACCESS_DENIED;
761         }
762
763         return NT_STATUS_OK;
764 }
765
766 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
767 {
768         enum spnego_mech auth_type;
769         struct auth_ntlmssp_state *ntlmssp_ctx;
770         struct spnego_context *spnego_ctx;
771         struct gse_context *gse_ctx;
772         void *mech_ctx;
773         NTSTATUS status;
774
775         switch (p->auth.auth_type) {
776         case DCERPC_AUTH_TYPE_NTLMSSP:
777                 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
778                                                     struct auth_ntlmssp_state);
779                 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
780                                                 p->auth.auth_level,
781                                                 p->client_id, &p->syntax,
782                                                 &p->session_info)) {
783                         return NT_STATUS_ACCESS_DENIED;
784                 }
785                 break;
786         case DCERPC_AUTH_TYPE_KRB5:
787                 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
788                                                 struct gse_context);
789                 status = pipe_gssapi_verify_final(p, gse_ctx,
790                                                   p->client_id,
791                                                   &p->session_info);
792                 if (!NT_STATUS_IS_OK(status)) {
793                         DEBUG(1, ("gssapi bind failed with: %s",
794                                   nt_errstr(status)));
795                         return status;
796                 }
797                 break;
798         case DCERPC_AUTH_TYPE_SPNEGO:
799                 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
800                                                    struct spnego_context);
801                 status = spnego_get_negotiated_mech(spnego_ctx,
802                                                     &auth_type, &mech_ctx);
803                 if (!NT_STATUS_IS_OK(status)) {
804                         DEBUG(0, ("Bad SPNEGO state (%s)\n",
805                                   nt_errstr(status)));
806                         return status;
807                 }
808                 switch(auth_type) {
809                 case SPNEGO_KRB5:
810                         gse_ctx = talloc_get_type_abort(mech_ctx,
811                                                         struct gse_context);
812                         status = pipe_gssapi_verify_final(p, gse_ctx,
813                                                           p->client_id,
814                                                           &p->session_info);
815                         if (!NT_STATUS_IS_OK(status)) {
816                                 DEBUG(1, ("gssapi bind failed with: %s",
817                                           nt_errstr(status)));
818                                 return status;
819                         }
820                         break;
821                 case SPNEGO_NTLMSSP:
822                         ntlmssp_ctx = talloc_get_type_abort(mech_ctx,
823                                                 struct auth_ntlmssp_state);
824                         if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
825                                                         p->auth.auth_level,
826                                                         p->client_id,
827                                                         &p->syntax,
828                                                         &p->session_info)) {
829                                 return NT_STATUS_ACCESS_DENIED;
830                         }
831                         break;
832                 default:
833                         DEBUG(0, (__location__ ": incorrect spnego type "
834                                   "(%d).\n", auth_type));
835                         return NT_STATUS_ACCESS_DENIED;
836                 }
837                 break;
838         default:
839                 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
840                           (unsigned int)p->auth.auth_type));
841                 return NT_STATUS_ACCESS_DENIED;
842         }
843
844         p->pipe_bound = true;
845
846         return NT_STATUS_OK;
847 }
848
849 /*******************************************************************
850  Respond to a pipe bind request.
851 *******************************************************************/
852
853 static bool api_pipe_bind_req(struct pipes_struct *p,
854                                 struct ncacn_packet *pkt)
855 {
856         struct dcerpc_auth auth_info;
857         uint16 assoc_gid;
858         unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
859         NTSTATUS status;
860         struct ndr_syntax_id id;
861         union dcerpc_payload u;
862         struct dcerpc_ack_ctx bind_ack_ctx;
863         DATA_BLOB auth_resp = data_blob_null;
864         DATA_BLOB auth_blob = data_blob_null;
865
866         /* No rebinds on a bound pipe - use alter context. */
867         if (p->pipe_bound) {
868                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
869                          "pipe %s.\n",
870                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
871                 return setup_bind_nak(p, pkt);
872         }
873
874         if (pkt->u.bind.num_contexts == 0) {
875                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
876                 goto err_exit;
877         }
878
879         /*
880          * Try and find the correct pipe name to ensure
881          * that this is a pipe name we support.
882          */
883         id = pkt->u.bind.ctx_list[0].abstract_syntax;
884         if (rpc_srv_pipe_exists_by_id(&id)) {
885                 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
886                         rpc_srv_get_pipe_cli_name(&id),
887                         rpc_srv_get_pipe_srv_name(&id)));
888         } else {
889                 status = smb_probe_module(
890                         "rpc", get_pipe_name_from_syntax(
891                                 talloc_tos(),
892                                 &pkt->u.bind.ctx_list[0].abstract_syntax));
893
894                 if (NT_STATUS_IS_ERR(status)) {
895                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
896                                 get_pipe_name_from_syntax(
897                                         talloc_tos(),
898                                         &pkt->u.bind.ctx_list[0].abstract_syntax)));
899
900                         return setup_bind_nak(p, pkt);
901                 }
902
903                 if (rpc_srv_get_pipe_interface_by_cli_name(
904                                 get_pipe_name_from_syntax(talloc_tos(),
905                                                           &p->syntax),
906                                 &id)) {
907                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
908                                 rpc_srv_get_pipe_cli_name(&id),
909                                 rpc_srv_get_pipe_srv_name(&id)));
910                 } else {
911                         DEBUG(0, ("module %s doesn't provide functions for "
912                                   "pipe %s!\n",
913                                   get_pipe_name_from_syntax(talloc_tos(),
914                                                             &p->syntax),
915                                   get_pipe_name_from_syntax(talloc_tos(),
916                                                             &p->syntax)));
917                         return setup_bind_nak(p, pkt);
918                 }
919         }
920
921         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
922
923         if (pkt->u.bind.assoc_group_id != 0) {
924                 assoc_gid = pkt->u.bind.assoc_group_id;
925         } else {
926                 assoc_gid = 0x53f0;
927         }
928
929         /*
930          * Create the bind response struct.
931          */
932
933         /* If the requested abstract synt uuid doesn't match our client pipe,
934                 reject the bind_ack & set the transfer interface synt to all 0's,
935                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
936                 unknown to NT4)
937                 Needed when adding entries to a DACL from NT5 - SK */
938
939         if (check_bind_req(p,
940                         &pkt->u.bind.ctx_list[0].abstract_syntax,
941                         &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
942                         pkt->u.bind.ctx_list[0].context_id)) {
943
944                 bind_ack_ctx.result = 0;
945                 bind_ack_ctx.reason = 0;
946                 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
947         } else {
948                 p->pipe_bound = False;
949                 /* Rejection reason: abstract syntax not supported */
950                 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
951                 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
952                 bind_ack_ctx.syntax = null_ndr_syntax_id;
953         }
954
955         /*
956          * Check if this is an authenticated bind request.
957          */
958         if (pkt->auth_length) {
959                 /* Quick length check. Won't catch a bad auth footer,
960                  * prevents overrun. */
961
962                 if (pkt->frag_length < RPC_HEADER_LEN +
963                                         DCERPC_AUTH_TRAILER_LENGTH +
964                                         pkt->auth_length) {
965                         DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
966                                 "too long for fragment %u.\n",
967                                 (unsigned int)pkt->auth_length,
968                                 (unsigned int)pkt->frag_length));
969                         goto err_exit;
970                 }
971
972                 /*
973                  * Decode the authentication verifier.
974                  */
975                 status = dcerpc_pull_dcerpc_auth(pkt,
976                                                  &pkt->u.bind.auth_info,
977                                                  &auth_info, p->endian);
978                 if (!NT_STATUS_IS_OK(status)) {
979                         DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
980                         goto err_exit;
981                 }
982
983                 auth_type = auth_info.auth_type;
984
985                 /* Work out if we have to sign or seal etc. */
986                 switch (auth_info.auth_level) {
987                 case DCERPC_AUTH_LEVEL_INTEGRITY:
988                         p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
989                         break;
990                 case DCERPC_AUTH_LEVEL_PRIVACY:
991                         p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
992                         break;
993                 case DCERPC_AUTH_LEVEL_CONNECT:
994                         p->auth.auth_level = DCERPC_AUTH_LEVEL_CONNECT;
995                         break;
996                 default:
997                         DEBUG(0, ("Unexpected auth level (%u).\n",
998                                 (unsigned int)auth_info.auth_level ));
999                         goto err_exit;
1000                 }
1001
1002                 switch (auth_type) {
1003                 case DCERPC_AUTH_TYPE_NTLMSSP:
1004                         if (!pipe_ntlmssp_auth_bind(p, pkt,
1005                                                 &auth_info, &auth_resp)) {
1006                                 goto err_exit;
1007                         }
1008                         assoc_gid = 0x7a77;
1009                         break;
1010
1011                 case DCERPC_AUTH_TYPE_SCHANNEL:
1012                         if (!pipe_schannel_auth_bind(p, pkt,
1013                                                 &auth_info, &auth_resp)) {
1014                                 goto err_exit;
1015                         }
1016                         break;
1017
1018                 case DCERPC_AUTH_TYPE_SPNEGO:
1019                         if (!pipe_spnego_auth_bind(p, pkt,
1020                                                 &auth_info, &auth_resp)) {
1021                                 goto err_exit;
1022                         }
1023                         break;
1024
1025                 case DCERPC_AUTH_TYPE_KRB5:
1026                         if (!pipe_gssapi_auth_bind(p, pkt,
1027                                                 &auth_info, &auth_resp)) {
1028                                 goto err_exit;
1029                         }
1030                         break;
1031
1032                 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
1033                         if (p->transport == NCALRPC && p->ncalrpc_as_system) {
1034                                 TALLOC_FREE(p->session_info);
1035
1036                                 status = make_session_info_system(p,
1037                                                                   &p->session_info);
1038                                 if (!NT_STATUS_IS_OK(status)) {
1039                                         goto err_exit;
1040                                 }
1041
1042                                 auth_resp = data_blob_talloc(pkt,
1043                                                              "NCALRPC_AUTH_OK",
1044                                                              15);
1045
1046                                 p->auth.auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM;
1047                                 p->pipe_bound = true;
1048                         } else {
1049                                 goto err_exit;
1050                         }
1051                         break;
1052
1053                 case DCERPC_AUTH_TYPE_NONE:
1054                         break;
1055
1056                 default:
1057                         DEBUG(0, ("Unknown auth type %x requested.\n", auth_type));
1058                         goto err_exit;
1059                 }
1060         }
1061
1062         if (auth_type == DCERPC_AUTH_TYPE_NONE) {
1063                 /* Unauthenticated bind request. */
1064                 /* We're finished - no more packets. */
1065                 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
1066                 /* We must set the pipe auth_level here also. */
1067                 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1068                 p->pipe_bound = True;
1069                 /* The session key was initialized from the SMB
1070                  * session in make_internal_rpc_pipe_p */
1071         }
1072
1073         ZERO_STRUCT(u.bind_ack);
1074         u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1075         u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1076         u.bind_ack.assoc_group_id = assoc_gid;
1077
1078         /* name has to be \PIPE\xxxxx */
1079         u.bind_ack.secondary_address =
1080                         talloc_asprintf(pkt, "\\PIPE\\%s",
1081                                         rpc_srv_get_pipe_srv_name(&id));
1082         if (!u.bind_ack.secondary_address) {
1083                 DEBUG(0, ("Out of memory!\n"));
1084                 goto err_exit;
1085         }
1086         u.bind_ack.secondary_address_size =
1087                                 strlen(u.bind_ack.secondary_address) + 1;
1088
1089         u.bind_ack.num_results = 1;
1090         u.bind_ack.ctx_list = &bind_ack_ctx;
1091
1092         /* NOTE: We leave the auth_info empty so we can calculate the padding
1093          * later and then append the auth_info --simo */
1094
1095         /*
1096          * Marshall directly into the outgoing PDU space. We
1097          * must do this as we need to set to the bind response
1098          * header and are never sending more than one PDU here.
1099          */
1100
1101         status = dcerpc_push_ncacn_packet(p->mem_ctx,
1102                                           DCERPC_PKT_BIND_ACK,
1103                                           DCERPC_PFC_FLAG_FIRST |
1104                                                 DCERPC_PFC_FLAG_LAST,
1105                                           auth_resp.length,
1106                                           pkt->call_id,
1107                                           &u,
1108                                           &p->out_data.frag);
1109         if (!NT_STATUS_IS_OK(status)) {
1110                 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1111                           nt_errstr(status)));
1112         }
1113
1114         if (auth_resp.length) {
1115
1116                 status = dcerpc_push_dcerpc_auth(pkt,
1117                                                  auth_type,
1118                                                  auth_info.auth_level,
1119                                                  0,
1120                                                  1, /* auth_context_id */
1121                                                  &auth_resp,
1122                                                  &auth_blob);
1123                 if (!NT_STATUS_IS_OK(status)) {
1124                         DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1125                         goto err_exit;
1126                 }
1127         }
1128
1129         /* Now that we have the auth len store it into the right place in
1130          * the dcerpc header */
1131         dcerpc_set_frag_length(&p->out_data.frag,
1132                                 p->out_data.frag.length + auth_blob.length);
1133
1134         if (auth_blob.length) {
1135
1136                 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1137                                         auth_blob.data, auth_blob.length)) {
1138                         DEBUG(0, ("Append of auth info failed.\n"));
1139                         goto err_exit;
1140                 }
1141         }
1142
1143         /*
1144          * Setup the lengths for the initial reply.
1145          */
1146
1147         p->out_data.data_sent_length = 0;
1148         p->out_data.current_pdu_sent = 0;
1149
1150         TALLOC_FREE(auth_blob.data);
1151         return True;
1152
1153   err_exit:
1154
1155         data_blob_free(&p->out_data.frag);
1156         TALLOC_FREE(auth_blob.data);
1157         return setup_bind_nak(p, pkt);
1158 }
1159
1160 /*******************************************************************
1161  This is the "stage3" response after a bind request and reply.
1162 *******************************************************************/
1163
1164 bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
1165 {
1166         struct dcerpc_auth auth_info;
1167         DATA_BLOB response = data_blob_null;
1168         struct auth_ntlmssp_state *ntlmssp_ctx;
1169         struct spnego_context *spnego_ctx;
1170         struct gse_context *gse_ctx;
1171         NTSTATUS status;
1172
1173         DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
1174
1175         if (pkt->auth_length == 0) {
1176                 DEBUG(0, ("No auth field sent for bind request!\n"));
1177                 goto err;
1178         }
1179
1180         /* Ensure there's enough data for an authenticated request. */
1181         if (pkt->frag_length < RPC_HEADER_LEN
1182                                 + DCERPC_AUTH_TRAILER_LENGTH
1183                                 + pkt->auth_length) {
1184                         DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
1185                                 "%u is too large.\n",
1186                         (unsigned int)pkt->auth_length));
1187                 goto err;
1188         }
1189
1190         /*
1191          * Decode the authentication verifier response.
1192          */
1193
1194         status = dcerpc_pull_dcerpc_auth(pkt,
1195                                          &pkt->u.auth3.auth_info,
1196                                          &auth_info, p->endian);
1197         if (!NT_STATUS_IS_OK(status)) {
1198                 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
1199                 goto err;
1200         }
1201
1202         /* We must NEVER look at auth_info->auth_pad_len here,
1203          * as old Samba client code gets it wrong and sends it
1204          * as zero. JRA.
1205          */
1206
1207         if (auth_info.auth_type != p->auth.auth_type) {
1208                 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1209                           "but auth was started as type %d!\n",
1210                           auth_info.auth_type, p->auth.auth_type));
1211                 goto err;
1212         }
1213
1214         switch (auth_info.auth_type) {
1215         case DCERPC_AUTH_TYPE_NTLMSSP:
1216                 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1217                                                     struct auth_ntlmssp_state);
1218                 status = ntlmssp_server_step(ntlmssp_ctx,
1219                                              pkt, &auth_info.credentials,
1220                                              &response);
1221                 break;
1222         case DCERPC_AUTH_TYPE_KRB5:
1223                 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1224                                                 struct gse_context);
1225                 status = gssapi_server_step(gse_ctx,
1226                                             pkt, &auth_info.credentials,
1227                                             &response);
1228                 break;
1229         case DCERPC_AUTH_TYPE_SPNEGO:
1230                 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1231                                                    struct spnego_context);
1232                 status = spnego_server_step(spnego_ctx,
1233                                             pkt, &auth_info.credentials,
1234                                             &response);
1235                 break;
1236         default:
1237                 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
1238                           (unsigned int)auth_info.auth_type));
1239                 return false;
1240         }
1241
1242         if (NT_STATUS_EQUAL(status,
1243                             NT_STATUS_MORE_PROCESSING_REQUIRED) ||
1244             response.length) {
1245                 DEBUG(0, (__location__ ": This was supposed to be the final "
1246                           "leg, but crypto machinery claims a response is "
1247                           "needed, aborting auth!\n"));
1248                 data_blob_free(&response);
1249                 goto err;
1250         }
1251         if (!NT_STATUS_IS_OK(status)) {
1252                 DEBUG(0, ("Auth failed (%s)\n", nt_errstr(status)));
1253                 goto err;
1254         }
1255
1256         /* Now verify auth was indeed successful and extract server info */
1257         status = pipe_auth_verify_final(p);
1258         if (!NT_STATUS_IS_OK(status)) {
1259                 DEBUG(0, ("Auth Verify failed (%s)\n", nt_errstr(status)));
1260                 goto err;
1261         }
1262
1263         return true;
1264
1265 err:
1266
1267         TALLOC_FREE(p->auth.auth_ctx);
1268         return false;
1269 }
1270
1271 /****************************************************************************
1272  Deal with an alter context call. Can be third part of 3 leg auth request for
1273  SPNEGO calls.
1274 ****************************************************************************/
1275
1276 static bool api_pipe_alter_context(struct pipes_struct *p,
1277                                         struct ncacn_packet *pkt)
1278 {
1279         struct dcerpc_auth auth_info;
1280         uint16 assoc_gid;
1281         NTSTATUS status;
1282         union dcerpc_payload u;
1283         struct dcerpc_ack_ctx bind_ack_ctx;
1284         DATA_BLOB auth_resp = data_blob_null;
1285         DATA_BLOB auth_blob = data_blob_null;
1286         int pad_len = 0;
1287         struct auth_ntlmssp_state *ntlmssp_ctx;
1288         struct spnego_context *spnego_ctx;
1289         struct gse_context *gse_ctx;
1290
1291         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1292
1293         if (pkt->u.bind.assoc_group_id != 0) {
1294                 assoc_gid = pkt->u.bind.assoc_group_id;
1295         } else {
1296                 assoc_gid = 0x53f0;
1297         }
1298
1299         /*
1300          * Create the bind response struct.
1301          */
1302
1303         /* If the requested abstract synt uuid doesn't match our client pipe,
1304                 reject the bind_ack & set the transfer interface synt to all 0's,
1305                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1306                 unknown to NT4)
1307                 Needed when adding entries to a DACL from NT5 - SK */
1308
1309         if (check_bind_req(p,
1310                         &pkt->u.bind.ctx_list[0].abstract_syntax,
1311                         &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
1312                         pkt->u.bind.ctx_list[0].context_id)) {
1313
1314                 bind_ack_ctx.result = 0;
1315                 bind_ack_ctx.reason = 0;
1316                 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
1317         } else {
1318                 p->pipe_bound = False;
1319                 /* Rejection reason: abstract syntax not supported */
1320                 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1321                 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1322                 bind_ack_ctx.syntax = null_ndr_syntax_id;
1323         }
1324
1325         /*
1326          * Check if this is an authenticated alter context request.
1327          */
1328         if (pkt->auth_length) {
1329                 /* Quick length check. Won't catch a bad auth footer,
1330                  * prevents overrun. */
1331
1332                 if (pkt->frag_length < RPC_HEADER_LEN +
1333                                         DCERPC_AUTH_TRAILER_LENGTH +
1334                                         pkt->auth_length) {
1335                         DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
1336                                 "too long for fragment %u.\n",
1337                                 (unsigned int)pkt->auth_length,
1338                                 (unsigned int)pkt->frag_length ));
1339                         goto err_exit;
1340                 }
1341
1342                 status = dcerpc_pull_dcerpc_auth(pkt,
1343                                                  &pkt->u.bind.auth_info,
1344                                                  &auth_info, p->endian);
1345                 if (!NT_STATUS_IS_OK(status)) {
1346                         DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1347                         goto err_exit;
1348                 }
1349
1350                 /* We can only finish if the pipe is unbound for now */
1351                 if (p->pipe_bound) {
1352                         DEBUG(0, (__location__ ": Pipe already bound, "
1353                                   "Altering Context not yet supported!\n"));
1354                         goto err_exit;
1355                 }
1356
1357                 if (auth_info.auth_type != p->auth.auth_type) {
1358                         DEBUG(0, ("Auth type mismatch! Client sent %d, "
1359                                   "but auth was started as type %d!\n",
1360                                   auth_info.auth_type, p->auth.auth_type));
1361                         goto err_exit;
1362                 }
1363
1364
1365                 switch (auth_info.auth_type) {
1366                 case DCERPC_AUTH_TYPE_SPNEGO:
1367                         spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1368                                                         struct spnego_context);
1369                         status = spnego_server_step(spnego_ctx,
1370                                                     pkt,
1371                                                     &auth_info.credentials,
1372                                                     &auth_resp);
1373                         break;
1374
1375                 case DCERPC_AUTH_TYPE_KRB5:
1376                         gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1377                                                         struct gse_context);
1378                         status = gssapi_server_step(gse_ctx,
1379                                                     pkt,
1380                                                     &auth_info.credentials,
1381                                                     &auth_resp);
1382                         break;
1383                 case DCERPC_AUTH_TYPE_NTLMSSP:
1384                         ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1385                                                     struct auth_ntlmssp_state);
1386                         status = ntlmssp_server_step(ntlmssp_ctx,
1387                                                      pkt,
1388                                                      &auth_info.credentials,
1389                                                      &auth_resp);
1390                         break;
1391
1392                 default:
1393                         DEBUG(3, (__location__ ": Usupported auth type (%d) "
1394                                   "in alter-context call\n",
1395                                   auth_info.auth_type));
1396                         goto err_exit;
1397                 }
1398
1399                 if (NT_STATUS_IS_OK(status)) {
1400                         /* third leg of auth, verify auth info */
1401                         status = pipe_auth_verify_final(p);
1402                         if (!NT_STATUS_IS_OK(status)) {
1403                                 DEBUG(0, ("Auth Verify failed (%s)\n",
1404                                           nt_errstr(status)));
1405                                 goto err_exit;
1406                         }
1407                 } else if (NT_STATUS_EQUAL(status,
1408                                         NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1409                         DEBUG(10, ("More auth legs required.\n"));
1410                 } else {
1411                         DEBUG(0, ("Auth step returned an error (%s)\n",
1412                                   nt_errstr(status)));
1413                         goto err_exit;
1414                 }
1415         }
1416
1417         ZERO_STRUCT(u.alter_resp);
1418         u.alter_resp.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1419         u.alter_resp.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1420         u.alter_resp.assoc_group_id = assoc_gid;
1421
1422         /* secondary address CAN be NULL
1423          * as the specs say it's ignored.
1424          * It MUST be NULL to have the spoolss working.
1425          */
1426         u.alter_resp.secondary_address = "";
1427         u.alter_resp.secondary_address_size = 1;
1428
1429         u.alter_resp.num_results = 1;
1430         u.alter_resp.ctx_list = &bind_ack_ctx;
1431
1432         /* NOTE: We leave the auth_info empty so we can calculate the padding
1433          * later and then append the auth_info --simo */
1434
1435         /*
1436          * Marshall directly into the outgoing PDU space. We
1437          * must do this as we need to set to the bind response
1438          * header and are never sending more than one PDU here.
1439          */
1440
1441         status = dcerpc_push_ncacn_packet(p->mem_ctx,
1442                                           DCERPC_PKT_ALTER_RESP,
1443                                           DCERPC_PFC_FLAG_FIRST |
1444                                                 DCERPC_PFC_FLAG_LAST,
1445                                           auth_resp.length,
1446                                           pkt->call_id,
1447                                           &u,
1448                                           &p->out_data.frag);
1449         if (!NT_STATUS_IS_OK(status)) {
1450                 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1451                           nt_errstr(status)));
1452         }
1453
1454         if (auth_resp.length) {
1455
1456                 /* Work out any padding needed before the auth footer. */
1457                 pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE;
1458                 if (pad_len) {
1459                         pad_len = SERVER_NDR_PADDING_SIZE - pad_len;
1460                         DEBUG(10, ("auth pad_len = %u\n",
1461                                    (unsigned int)pad_len));
1462                 }
1463
1464                 status = dcerpc_push_dcerpc_auth(pkt,
1465                                                  auth_info.auth_type,
1466                                                  auth_info.auth_level,
1467                                                  pad_len,
1468                                                  1, /* auth_context_id */
1469                                                  &auth_resp,
1470                                                  &auth_blob);
1471                 if (!NT_STATUS_IS_OK(status)) {
1472                         DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1473                         goto err_exit;
1474                 }
1475         }
1476
1477         /* Now that we have the auth len store it into the right place in
1478          * the dcerpc header */
1479         dcerpc_set_frag_length(&p->out_data.frag,
1480                                 p->out_data.frag.length +
1481                                         pad_len + auth_blob.length);
1482
1483         if (auth_resp.length) {
1484                 if (pad_len) {
1485                         char pad[SERVER_NDR_PADDING_SIZE];
1486                         memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1487                         if (!data_blob_append(p->mem_ctx,
1488                                                 &p->out_data.frag,
1489                                                 pad, pad_len)) {
1490                                 DEBUG(0, ("api_pipe_bind_req: failed to add "
1491                                           "%u bytes of pad data.\n",
1492                                           (unsigned int)pad_len));
1493                                 goto err_exit;
1494                         }
1495                 }
1496
1497                 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1498                                         auth_blob.data, auth_blob.length)) {
1499                         DEBUG(0, ("Append of auth info failed.\n"));
1500                         goto err_exit;
1501                 }
1502         }
1503
1504         /*
1505          * Setup the lengths for the initial reply.
1506          */
1507
1508         p->out_data.data_sent_length = 0;
1509         p->out_data.current_pdu_sent = 0;
1510
1511         TALLOC_FREE(auth_blob.data);
1512         return True;
1513
1514   err_exit:
1515
1516         data_blob_free(&p->out_data.frag);
1517         TALLOC_FREE(auth_blob.data);
1518         return setup_bind_nak(p, pkt);
1519 }
1520
1521 /****************************************************************************
1522  Find the set of RPC functions associated with this context_id
1523 ****************************************************************************/
1524
1525 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
1526 {
1527         PIPE_RPC_FNS *fns = NULL;
1528
1529         if ( !list ) {
1530                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
1531                 return NULL;
1532         }
1533
1534         for (fns=list; fns; fns=fns->next ) {
1535                 if ( fns->context_id == context_id )
1536                         return fns;
1537         }
1538         return NULL;
1539 }
1540
1541 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1542                        const struct api_struct *api_rpc_cmds, int n_cmds);
1543
1544 /****************************************************************************
1545  Find the correct RPC function to call for this request.
1546  If the pipe is authenticated then become the correct UNIX user
1547  before doing the call.
1548 ****************************************************************************/
1549
1550 static bool api_pipe_request(struct pipes_struct *p,
1551                                 struct ncacn_packet *pkt)
1552 {
1553         bool ret = False;
1554         bool changed_user = False;
1555         PIPE_RPC_FNS *pipe_fns;
1556
1557         if (p->pipe_bound &&
1558             ((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) ||
1559              (p->auth.auth_type == DCERPC_AUTH_TYPE_KRB5) ||
1560              (p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO))) {
1561                 if(!become_authenticated_pipe_user(p)) {
1562                         data_blob_free(&p->out_data.rdata);
1563                         return False;
1564                 }
1565                 changed_user = True;
1566         }
1567
1568         DEBUG(5, ("Requested \\PIPE\\%s\n",
1569                   get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1570
1571         /* get the set of RPC functions for this context */
1572
1573         pipe_fns = find_pipe_fns_by_context(p->contexts,
1574                                             pkt->u.request.context_id);
1575
1576         if ( pipe_fns ) {
1577                 TALLOC_CTX *frame = talloc_stackframe();
1578                 ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds);
1579                 TALLOC_FREE(frame);
1580         }
1581         else {
1582                 DEBUG(0, ("No rpc function table associated with context "
1583                           "[%d] on pipe [%s]\n",
1584                           pkt->u.request.context_id,
1585                           get_pipe_name_from_syntax(talloc_tos(),
1586                                                     &p->syntax)));
1587         }
1588
1589         if (changed_user) {
1590                 unbecome_authenticated_pipe_user();
1591         }
1592
1593         return ret;
1594 }
1595
1596 /*******************************************************************
1597  Calls the underlying RPC function for a named pipe.
1598  ********************************************************************/
1599
1600 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1601                        const struct api_struct *api_rpc_cmds, int n_cmds)
1602 {
1603         int fn_num;
1604         uint32_t offset1;
1605
1606         /* interpret the command */
1607         DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
1608                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
1609                  pkt->u.request.opnum));
1610
1611         if (DEBUGLEVEL >= 50) {
1612                 fstring name;
1613                 slprintf(name, sizeof(name)-1, "in_%s",
1614                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
1615                 dump_pdu_region(name, pkt->u.request.opnum,
1616                                 &p->in_data.data, 0,
1617                                 p->in_data.data.length);
1618         }
1619
1620         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1621                 if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum &&
1622                     api_rpc_cmds[fn_num].fn != NULL) {
1623                         DEBUG(3, ("api_rpcTNP: rpc command: %s\n",
1624                                   api_rpc_cmds[fn_num].name));
1625                         break;
1626                 }
1627         }
1628
1629         if (fn_num == n_cmds) {
1630                 /*
1631                  * For an unknown RPC just return a fault PDU but
1632                  * return True to allow RPC's on the pipe to continue
1633                  * and not put the pipe into fault state. JRA.
1634                  */
1635                 DEBUG(4, ("unknown\n"));
1636                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1637                 return True;
1638         }
1639
1640         offset1 = p->out_data.rdata.length;
1641
1642         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
1643                 fn_num, api_rpc_cmds[fn_num].fn));
1644         /* do the actual command */
1645         if(!api_rpc_cmds[fn_num].fn(p)) {
1646                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
1647                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
1648                          api_rpc_cmds[fn_num].name));
1649                 data_blob_free(&p->out_data.rdata);
1650                 return False;
1651         }
1652
1653         if (p->bad_handle_fault_state) {
1654                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1655                 p->bad_handle_fault_state = False;
1656                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
1657                 return True;
1658         }
1659
1660         if (p->rng_fault_state) {
1661                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
1662                 p->rng_fault_state = False;
1663                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1664                 return True;
1665         }
1666
1667         if (DEBUGLEVEL >= 50) {
1668                 fstring name;
1669                 slprintf(name, sizeof(name)-1, "out_%s",
1670                          get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
1671                 dump_pdu_region(name, pkt->u.request.opnum,
1672                                 &p->out_data.rdata, offset1,
1673                                 p->out_data.rdata.length);
1674         }
1675
1676         DEBUG(5,("api_rpcTNP: called %s successfully\n",
1677                  get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1678
1679         /* Check for buffer underflow in rpc parsing */
1680         if ((DEBUGLEVEL >= 10) &&
1681             (pkt->frag_length < p->in_data.data.length)) {
1682                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1683                 dump_data(10, p->in_data.data.data + pkt->frag_length,
1684                               p->in_data.data.length - pkt->frag_length);
1685         }
1686
1687         return True;
1688 }
1689
1690 /****************************************************************************
1691  Initialise an outgoing packet.
1692 ****************************************************************************/
1693
1694 static bool pipe_init_outgoing_data(struct pipes_struct *p)
1695 {
1696         output_data *o_data = &p->out_data;
1697
1698         /* Reset the offset counters. */
1699         o_data->data_sent_length = 0;
1700         o_data->current_pdu_sent = 0;
1701
1702         data_blob_free(&o_data->frag);
1703
1704         /* Free any memory in the current return data buffer. */
1705         data_blob_free(&o_data->rdata);
1706
1707         return True;
1708 }
1709
1710 /****************************************************************************
1711  Sets the fault state on incoming packets.
1712 ****************************************************************************/
1713
1714 void set_incoming_fault(struct pipes_struct *p)
1715 {
1716         data_blob_free(&p->in_data.data);
1717         p->in_data.pdu_needed_len = 0;
1718         p->in_data.pdu.length = 0;
1719         p->fault_state = True;
1720         DEBUG(10, ("set_incoming_fault: Setting fault state on pipe %s\n",
1721                    get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1722 }
1723
1724 static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
1725                                     struct ncacn_packet *pkt,
1726                                     DATA_BLOB *raw_pkt)
1727 {
1728         NTSTATUS status;
1729         size_t hdr_size = DCERPC_REQUEST_LENGTH;
1730         size_t pad_len;
1731
1732         DEBUG(10, ("Checking request auth.\n"));
1733
1734         if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
1735                 hdr_size += 16;
1736         }
1737
1738         /* in case of sealing this function will unseal the data in place */
1739         status = dcerpc_check_auth(auth, pkt,
1740                                    &pkt->u.request.stub_and_verifier,
1741                                    hdr_size, raw_pkt,
1742                                    &pad_len);
1743         if (!NT_STATUS_IS_OK(status)) {
1744                 return status;
1745         }
1746
1747
1748         /* remove padding and auth trailer,
1749          * this way the caller will get just the data */
1750         if (pkt->auth_length) {
1751                 size_t trail_len = pad_len
1752                                         + DCERPC_AUTH_TRAILER_LENGTH
1753                                         + pkt->auth_length;
1754                 if (pkt->u.request.stub_and_verifier.length < trail_len) {
1755                         return NT_STATUS_INFO_LENGTH_MISMATCH;
1756                 }
1757                 pkt->u.request.stub_and_verifier.length -= trail_len;
1758         }
1759
1760         return NT_STATUS_OK;
1761 }
1762
1763 /****************************************************************************
1764  Processes a request pdu. This will do auth processing if needed, and
1765  appends the data into the complete stream if the LAST flag is not set.
1766 ****************************************************************************/
1767
1768 static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
1769 {
1770         NTSTATUS status;
1771         DATA_BLOB data;
1772
1773         if (!p->pipe_bound) {
1774                 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
1775                 set_incoming_fault(p);
1776                 return False;
1777         }
1778
1779         /* Store the opnum */
1780         p->opnum = pkt->u.request.opnum;
1781
1782         status = dcesrv_auth_request(&p->auth, pkt, &p->in_data.pdu);
1783         if (!NT_STATUS_IS_OK(status)) {
1784                 DEBUG(0, ("Failed to check packet auth. (%s)\n",
1785                           nt_errstr(status)));
1786                 set_incoming_fault(p);
1787                 return false;
1788         }
1789
1790         data = pkt->u.request.stub_and_verifier;
1791
1792         /*
1793          * Check the data length doesn't go over the 15Mb limit.
1794          * increased after observing a bug in the Windows NT 4.0 SP6a
1795          * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
1796          * will not fit in the initial buffer of size 0x1068   --jerry 22/01/2002
1797          */
1798
1799         if (p->in_data.data.length + data.length > MAX_RPC_DATA_SIZE) {
1800                 DEBUG(0, ("process_request_pdu: "
1801                           "rpc data buffer too large (%u) + (%u)\n",
1802                           (unsigned int)p->in_data.data.length,
1803                           (unsigned int)data.length));
1804                 set_incoming_fault(p);
1805                 return False;
1806         }
1807
1808         /*
1809          * Append the data portion into the buffer and return.
1810          */
1811
1812         if (data.length) {
1813                 if (!data_blob_append(p->mem_ctx, &p->in_data.data,
1814                                           data.data, data.length)) {
1815                         DEBUG(0, ("Unable to append data size %u "
1816                                   "to parse buffer of size %u.\n",
1817                                   (unsigned int)data.length,
1818                                   (unsigned int)p->in_data.data.length));
1819                         set_incoming_fault(p);
1820                         return False;
1821                 }
1822         }
1823
1824         if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
1825                 bool ret = False;
1826                 /*
1827                  * Ok - we finally have a complete RPC stream.
1828                  * Call the rpc command to process it.
1829                  */
1830
1831                 /*
1832                  * Process the complete data stream here.
1833                  */
1834                 if (pipe_init_outgoing_data(p)) {
1835                         ret = api_pipe_request(p, pkt);
1836                 }
1837
1838                 return ret;
1839         }
1840
1841         return True;
1842 }
1843
1844 /****************************************************************************
1845  Processes a finished PDU stored in p->in_data.pdu.
1846 ****************************************************************************/
1847
1848 void process_complete_pdu(struct pipes_struct *p)
1849 {
1850         struct ncacn_packet *pkt = NULL;
1851         NTSTATUS status;
1852         bool reply = False;
1853
1854         if(p->fault_state) {
1855                 DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
1856                           get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1857                 goto done;
1858         }
1859
1860         pkt = talloc(p->mem_ctx, struct ncacn_packet);
1861         if (!pkt) {
1862                 DEBUG(0, ("Out of memory!\n"));
1863                 goto done;
1864         }
1865
1866         /*
1867          * Ensure we're using the corrent endianness for both the
1868          * RPC header flags and the raw data we will be reading from.
1869          */
1870         if (dcerpc_get_endian_flag(&p->in_data.pdu) & DCERPC_DREP_LE) {
1871                 p->endian = RPC_LITTLE_ENDIAN;
1872         } else {
1873                 p->endian = RPC_BIG_ENDIAN;
1874         }
1875         DEBUG(10, ("PDU is in %s Endian format!\n", p->endian?"Big":"Little"));
1876
1877         status = dcerpc_pull_ncacn_packet(pkt, &p->in_data.pdu,
1878                                           pkt, p->endian);
1879         if (!NT_STATUS_IS_OK(status)) {
1880                 DEBUG(0, ("Failed to unmarshal rpc packet: %s!\n",
1881                           nt_errstr(status)));
1882                 goto done;
1883         }
1884
1885         /* Store the call_id */
1886         p->call_id = pkt->call_id;
1887
1888         DEBUG(10, ("Processing packet type %d\n", (int)pkt->ptype));
1889
1890         switch (pkt->ptype) {
1891         case DCERPC_PKT_REQUEST:
1892                 reply = process_request_pdu(p, pkt);
1893                 break;
1894
1895         case DCERPC_PKT_PING: /* CL request - ignore... */
1896                 DEBUG(0, ("process_complete_pdu: Error. "
1897                           "Connectionless packet type %d received on "
1898                           "pipe %s.\n", (int)pkt->ptype,
1899                          get_pipe_name_from_syntax(talloc_tos(),
1900                                                    &p->syntax)));
1901                 break;
1902
1903         case DCERPC_PKT_RESPONSE: /* No responses here. */
1904                 DEBUG(0, ("process_complete_pdu: Error. "
1905                           "DCERPC_PKT_RESPONSE received from client "
1906                           "on pipe %s.\n",
1907                          get_pipe_name_from_syntax(talloc_tos(),
1908                                                    &p->syntax)));
1909                 break;
1910
1911         case DCERPC_PKT_FAULT:
1912         case DCERPC_PKT_WORKING:
1913                 /* CL request - reply to a ping when a call in process. */
1914         case DCERPC_PKT_NOCALL:
1915                 /* CL - server reply to a ping call. */
1916         case DCERPC_PKT_REJECT:
1917         case DCERPC_PKT_ACK:
1918         case DCERPC_PKT_CL_CANCEL:
1919         case DCERPC_PKT_FACK:
1920         case DCERPC_PKT_CANCEL_ACK:
1921                 DEBUG(0, ("process_complete_pdu: Error. "
1922                           "Connectionless packet type %u received on "
1923                           "pipe %s.\n", (unsigned int)pkt->ptype,
1924                          get_pipe_name_from_syntax(talloc_tos(),
1925                                                    &p->syntax)));
1926                 break;
1927
1928         case DCERPC_PKT_BIND:
1929                 /*
1930                  * We assume that a pipe bind is only in one pdu.
1931                  */
1932                 if (pipe_init_outgoing_data(p)) {
1933                         reply = api_pipe_bind_req(p, pkt);
1934                 }
1935                 break;
1936
1937         case DCERPC_PKT_BIND_ACK:
1938         case DCERPC_PKT_BIND_NAK:
1939                 DEBUG(0, ("process_complete_pdu: Error. "
1940                           "DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
1941                           "packet type %u received on pipe %s.\n",
1942                           (unsigned int)pkt->ptype,
1943                          get_pipe_name_from_syntax(talloc_tos(),
1944                                                    &p->syntax)));
1945                 break;
1946
1947
1948         case DCERPC_PKT_ALTER:
1949                 /*
1950                  * We assume that a pipe bind is only in one pdu.
1951                  */
1952                 if (pipe_init_outgoing_data(p)) {
1953                         reply = api_pipe_alter_context(p, pkt);
1954                 }
1955                 break;
1956
1957         case DCERPC_PKT_ALTER_RESP:
1958                 DEBUG(0, ("process_complete_pdu: Error. "
1959                           "DCERPC_PKT_ALTER_RESP on pipe %s: "
1960                           "Should only be server -> client.\n",
1961                          get_pipe_name_from_syntax(talloc_tos(),
1962                                                    &p->syntax)));
1963                 break;
1964
1965         case DCERPC_PKT_AUTH3:
1966                 /*
1967                  * The third packet in an auth exchange.
1968                  */
1969                 if (pipe_init_outgoing_data(p)) {
1970                         reply = api_pipe_bind_auth3(p, pkt);
1971                 }
1972                 break;
1973
1974         case DCERPC_PKT_SHUTDOWN:
1975                 DEBUG(0, ("process_complete_pdu: Error. "
1976                           "DCERPC_PKT_SHUTDOWN on pipe %s: "
1977                           "Should only be server -> client.\n",
1978                          get_pipe_name_from_syntax(talloc_tos(),
1979                                                    &p->syntax)));
1980                 break;
1981
1982         case DCERPC_PKT_CO_CANCEL:
1983                 /* For now just free all client data and continue
1984                  * processing. */
1985                 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL."
1986                          " Abandoning rpc call.\n"));
1987                 /* As we never do asynchronous RPC serving, we can
1988                  * never cancel a call (as far as I know).
1989                  * If we ever did we'd have to send a cancel_ack reply.
1990                  * For now, just free all client data and continue
1991                  * processing. */
1992                 reply = True;
1993                 break;
1994
1995 #if 0
1996                 /* Enable this if we're doing async rpc. */
1997                 /* We must check the outstanding callid matches. */
1998                 if (pipe_init_outgoing_data(p)) {
1999                         /* Send a cancel_ack PDU reply. */
2000                         /* We should probably check the auth-verifier here. */
2001                         reply = setup_cancel_ack_reply(p, pkt);
2002                 }
2003                 break;
2004 #endif
2005
2006         case DCERPC_PKT_ORPHANED:
2007                 /* We should probably check the auth-verifier here.
2008                  * For now just free all client data and continue
2009                  * processing. */
2010                 DEBUG(3, ("process_complete_pdu: DCERPC_PKT_ORPHANED."
2011                           " Abandoning rpc call.\n"));
2012                 reply = True;
2013                 break;
2014
2015         default:
2016                 DEBUG(0, ("process_complete_pdu: "
2017                           "Unknown rpc type = %u received.\n",
2018                           (unsigned int)pkt->ptype));
2019                 break;
2020         }
2021
2022 done:
2023         if (!reply) {
2024                 DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on "
2025                          "pipe %s\n", get_pipe_name_from_syntax(talloc_tos(),
2026                                                                 &p->syntax)));
2027                 set_incoming_fault(p);
2028                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2029                 TALLOC_FREE(pkt);
2030         } else {
2031                 /*
2032                  * Reset the lengths. We're ready for a new pdu.
2033                  */
2034                 TALLOC_FREE(p->in_data.pdu.data);
2035                 p->in_data.pdu_needed_len = 0;
2036                 p->in_data.pdu.length = 0;
2037         }
2038
2039         TALLOC_FREE(pkt);
2040 }
2041