8611be49e31e112c6ea731f2089c3ab8923b218a
[sfrench/samba-autobuild/.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005.
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31 #include "../libcli/auth/libcli_auth.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/schannel_proto.h"
35 #include "../libcli/auth/spnego.h"
36
37 extern struct current_user current_user;
38
39 #undef DBGC_CLASS
40 #define DBGC_CLASS DBGC_RPC_SRV
41
42 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
43 {
44         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
45
46         if (a) {
47                 auth_ntlmssp_end(&a);
48         }
49         auth->a_u.auth_ntlmssp_state = NULL;
50 }
51
52 static DATA_BLOB generic_session_key(void)
53 {
54         return data_blob("SystemLibraryDTC", 16);
55 }
56
57 /*******************************************************************
58  Generate the next PDU to be returned from the data in p->rdata. 
59  Handle NTLMSSP.
60  ********************************************************************/
61
62 static bool create_next_pdu_ntlmssp(pipes_struct *p)
63 {
64         RPC_HDR_RESP hdr_resp;
65         uint32 ss_padding_len = 0;
66         uint32 data_space_available;
67         uint32 data_len_left;
68         uint32 data_len;
69         NTSTATUS status;
70         DATA_BLOB auth_blob;
71         RPC_HDR_AUTH auth_info;
72         uint8 auth_type, auth_level;
73         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
74
75         /*
76          * If we're in the fault state, keep returning fault PDU's until
77          * the pipe gets closed. JRA.
78          */
79
80         if(p->fault_state) {
81                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
82                 return True;
83         }
84
85         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
86
87         /* Change the incoming request header to a response. */
88         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
89
90         /* Set up rpc header flags. */
91         if (p->out_data.data_sent_length == 0) {
92                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
93         } else {
94                 p->hdr.flags = 0;
95         }
96
97         /*
98          * Work out how much we can fit in a single PDU.
99          */
100
101         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
102
103         /*
104          * Ensure there really is data left to send.
105          */
106
107         if(!data_len_left) {
108                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
109                 return False;
110         }
111
112         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
113                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
114
115         /*
116          * The amount we send is the minimum of the available
117          * space and the amount left to send.
118          */
119
120         data_len = MIN(data_len_left, data_space_available);
121
122         /*
123          * Set up the alloc hint. This should be the data left to
124          * send.
125          */
126
127         hdr_resp.alloc_hint = data_len_left;
128
129         /*
130          * Work out if this PDU will be the last.
131          */
132
133         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
134                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
135                 if (data_len_left % 8) {
136                         ss_padding_len = 8 - (data_len_left % 8);
137                         DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
138                                 ss_padding_len ));
139                 }
140         }
141
142         /*
143          * Set up the header lengths.
144          */
145
146         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
147                         data_len + ss_padding_len +
148                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
149         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
150
151
152         /*
153          * Init the parse struct to point at the outgoing
154          * data.
155          */
156
157         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
158
159         /* Store the header in the data stream. */
160         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
161                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
162                 prs_mem_free(&p->out_data.frag);
163                 return False;
164         }
165
166         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
167                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
168                 prs_mem_free(&p->out_data.frag);
169                 return False;
170         }
171
172         /* Copy the data into the PDU. */
173
174         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
175                                      p->out_data.data_sent_length, data_len)) {
176                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
177                 prs_mem_free(&p->out_data.frag);
178                 return False;
179         }
180
181         /* Copy the sign/seal padding data. */
182         if (ss_padding_len) {
183                 char pad[8];
184
185                 memset(pad, '\0', 8);
186                 if (!prs_copy_data_in(&p->out_data.frag, pad,
187                                       ss_padding_len)) {
188                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
189                                         (unsigned int)ss_padding_len));
190                         prs_mem_free(&p->out_data.frag);
191                         return False;
192                 }
193         }
194
195
196         /* Now write out the auth header and null blob. */
197         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
198                 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
199         } else {
200                 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
201         }
202         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
203                 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
204         } else {
205                 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
206         }
207
208         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
209         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag,
210                                 0)) {
211                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
212                 prs_mem_free(&p->out_data.frag);
213                 return False;
214         }
215
216         /* Generate the sign blob. */
217
218         switch (p->auth.auth_level) {
219                 case DCERPC_AUTH_LEVEL_PRIVACY:
220                         /* Data portion is encrypted. */
221                         status = ntlmssp_seal_packet(
222                                 a->ntlmssp_state,
223                                 (uint8_t *)prs_data_p(&p->out_data.frag)
224                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
225                                 data_len + ss_padding_len,
226                                 (unsigned char *)prs_data_p(&p->out_data.frag),
227                                 (size_t)prs_offset(&p->out_data.frag),
228                                 &auth_blob);
229                         if (!NT_STATUS_IS_OK(status)) {
230                                 data_blob_free(&auth_blob);
231                                 prs_mem_free(&p->out_data.frag);
232                                 return False;
233                         }
234                         break;
235                 case DCERPC_AUTH_LEVEL_INTEGRITY:
236                         /* Data is signed. */
237                         status = ntlmssp_sign_packet(
238                                 a->ntlmssp_state,
239                                 (unsigned char *)prs_data_p(&p->out_data.frag)
240                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
241                                 data_len + ss_padding_len,
242                                 (unsigned char *)prs_data_p(&p->out_data.frag),
243                                 (size_t)prs_offset(&p->out_data.frag),
244                                 &auth_blob);
245                         if (!NT_STATUS_IS_OK(status)) {
246                                 data_blob_free(&auth_blob);
247                                 prs_mem_free(&p->out_data.frag);
248                                 return False;
249                         }
250                         break;
251                 default:
252                         prs_mem_free(&p->out_data.frag);
253                         return False;
254         }
255
256         /* Append the auth blob. */
257         if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
258                               NTLMSSP_SIG_SIZE)) {
259                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
260                                 (unsigned int)NTLMSSP_SIG_SIZE));
261                 data_blob_free(&auth_blob);
262                 prs_mem_free(&p->out_data.frag);
263                 return False;
264         }
265
266         data_blob_free(&auth_blob);
267
268         /*
269          * Setup the counts for this PDU.
270          */
271
272         p->out_data.data_sent_length += data_len;
273         p->out_data.current_pdu_sent = 0;
274
275         return True;
276 }
277
278 /*******************************************************************
279  Generate the next PDU to be returned from the data in p->rdata. 
280  Return an schannel authenticated fragment.
281  ********************************************************************/
282
283 static bool create_next_pdu_schannel(pipes_struct *p)
284 {
285         RPC_HDR_RESP hdr_resp;
286         uint32 ss_padding_len = 0;
287         uint32 data_len;
288         uint32 data_space_available;
289         uint32 data_len_left;
290         uint32 data_pos;
291         NTSTATUS status;
292
293         /*
294          * If we're in the fault state, keep returning fault PDU's until
295          * the pipe gets closed. JRA.
296          */
297
298         if(p->fault_state) {
299                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
300                 return True;
301         }
302
303         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
304
305         /* Change the incoming request header to a response. */
306         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
307
308         /* Set up rpc header flags. */
309         if (p->out_data.data_sent_length == 0) {
310                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
311         } else {
312                 p->hdr.flags = 0;
313         }
314
315         /*
316          * Work out how much we can fit in a single PDU.
317          */
318
319         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
320
321         /*
322          * Ensure there really is data left to send.
323          */
324
325         if(!data_len_left) {
326                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
327                 return False;
328         }
329
330         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
331                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
332                 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
333
334         /*
335          * The amount we send is the minimum of the available
336          * space and the amount left to send.
337          */
338
339         data_len = MIN(data_len_left, data_space_available);
340
341         /*
342          * Set up the alloc hint. This should be the data left to
343          * send.
344          */
345
346         hdr_resp.alloc_hint = data_len_left;
347
348         /*
349          * Work out if this PDU will be the last.
350          */
351
352         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
353                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
354                 if (data_len_left % 8) {
355                         ss_padding_len = 8 - (data_len_left % 8);
356                         DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
357                                 ss_padding_len ));
358                 }
359         }
360
361         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
362                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
363         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
364
365         /*
366          * Init the parse struct to point at the outgoing
367          * data.
368          */
369
370         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
371
372         /* Store the header in the data stream. */
373         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
374                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
375                 prs_mem_free(&p->out_data.frag);
376                 return False;
377         }
378
379         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
380                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
381                 prs_mem_free(&p->out_data.frag);
382                 return False;
383         }
384
385         /* Store the current offset. */
386         data_pos = prs_offset(&p->out_data.frag);
387
388         /* Copy the data into the PDU. */
389
390         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
391                                      p->out_data.data_sent_length, data_len)) {
392                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
393                 prs_mem_free(&p->out_data.frag);
394                 return False;
395         }
396
397         /* Copy the sign/seal padding data. */
398         if (ss_padding_len) {
399                 char pad[8];
400                 memset(pad, '\0', 8);
401                 if (!prs_copy_data_in(&p->out_data.frag, pad,
402                                       ss_padding_len)) {
403                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
404                         prs_mem_free(&p->out_data.frag);
405                         return False;
406                 }
407         }
408
409         {
410                 /*
411                  * Schannel processing.
412                  */
413                 RPC_HDR_AUTH auth_info;
414                 DATA_BLOB blob;
415                 uint8_t *data;
416
417                 /* Check it's the type of reply we were expecting to decode */
418
419                 init_rpc_hdr_auth(&auth_info,
420                                 DCERPC_AUTH_TYPE_SCHANNEL,
421                                 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
422                                         DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
423                                 ss_padding_len, 1);
424
425                 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
426                                         &p->out_data.frag, 0)) {
427                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
428                         prs_mem_free(&p->out_data.frag);
429                         return False;
430                 }
431
432                 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
433
434                 switch (p->auth.auth_level) {
435                 case DCERPC_AUTH_LEVEL_PRIVACY:
436                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
437                                                         talloc_tos(),
438                                                         true,
439                                                         data,
440                                                         data_len + ss_padding_len,
441                                                         &blob);
442                         break;
443                 case DCERPC_AUTH_LEVEL_INTEGRITY:
444                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
445                                                         talloc_tos(),
446                                                         false,
447                                                         data,
448                                                         data_len + ss_padding_len,
449                                                         &blob);
450                         break;
451                 default:
452                         status = NT_STATUS_INTERNAL_ERROR;
453                         break;
454                 }
455
456                 if (!NT_STATUS_IS_OK(status)) {
457                         DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
458                                 nt_errstr(status)));
459                         prs_mem_free(&p->out_data.frag);
460                         return false;
461                 }
462
463                 /* Finally marshall the blob. */
464
465                 if (DEBUGLEVEL >= 10) {
466                         dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
467                 }
468
469                 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
470                         prs_mem_free(&p->out_data.frag);
471                         return false;
472                 }
473         }
474
475         /*
476          * Setup the counts for this PDU.
477          */
478
479         p->out_data.data_sent_length += data_len;
480         p->out_data.current_pdu_sent = 0;
481
482         return True;
483 }
484
485 /*******************************************************************
486  Generate the next PDU to be returned from the data in p->rdata. 
487  No authentication done.
488 ********************************************************************/
489
490 static bool create_next_pdu_noauth(pipes_struct *p)
491 {
492         RPC_HDR_RESP hdr_resp;
493         uint32 data_len;
494         uint32 data_space_available;
495         uint32 data_len_left;
496
497         /*
498          * If we're in the fault state, keep returning fault PDU's until
499          * the pipe gets closed. JRA.
500          */
501
502         if(p->fault_state) {
503                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
504                 return True;
505         }
506
507         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
508
509         /* Change the incoming request header to a response. */
510         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
511
512         /* Set up rpc header flags. */
513         if (p->out_data.data_sent_length == 0) {
514                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
515         } else {
516                 p->hdr.flags = 0;
517         }
518
519         /*
520          * Work out how much we can fit in a single PDU.
521          */
522
523         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
524
525         /*
526          * Ensure there really is data left to send.
527          */
528
529         if(!data_len_left) {
530                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
531                 return False;
532         }
533
534         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
535                 - RPC_HDR_RESP_LEN;
536
537         /*
538          * The amount we send is the minimum of the available
539          * space and the amount left to send.
540          */
541
542         data_len = MIN(data_len_left, data_space_available);
543
544         /*
545          * Set up the alloc hint. This should be the data left to
546          * send.
547          */
548
549         hdr_resp.alloc_hint = data_len_left;
550
551         /*
552          * Work out if this PDU will be the last.
553          */
554
555         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
556                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
557         }
558
559         /*
560          * Set up the header lengths.
561          */
562
563         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
564         p->hdr.auth_len = 0;
565
566         /*
567          * Init the parse struct to point at the outgoing
568          * data.
569          */
570
571         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
572
573         /* Store the header in the data stream. */
574         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
575                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
576                 prs_mem_free(&p->out_data.frag);
577                 return False;
578         }
579
580         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
581                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
582                 prs_mem_free(&p->out_data.frag);
583                 return False;
584         }
585
586         /* Copy the data into the PDU. */
587
588         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
589                                      p->out_data.data_sent_length, data_len)) {
590                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
591                 prs_mem_free(&p->out_data.frag);
592                 return False;
593         }
594
595         /*
596          * Setup the counts for this PDU.
597          */
598
599         p->out_data.data_sent_length += data_len;
600         p->out_data.current_pdu_sent = 0;
601
602         return True;
603 }
604
605 /*******************************************************************
606  Generate the next PDU to be returned from the data in p->rdata. 
607 ********************************************************************/
608
609 bool create_next_pdu(pipes_struct *p)
610 {
611         switch(p->auth.auth_level) {
612                 case DCERPC_AUTH_LEVEL_NONE:
613                 case DCERPC_AUTH_LEVEL_CONNECT:
614                         /* This is incorrect for auth level connect. Fixme. JRA */
615                         return create_next_pdu_noauth(p);
616
617                 default:
618                         switch(p->auth.auth_type) {
619                                 case PIPE_AUTH_TYPE_NTLMSSP:
620                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
621                                         return create_next_pdu_ntlmssp(p);
622                                 case PIPE_AUTH_TYPE_SCHANNEL:
623                                         return create_next_pdu_schannel(p);
624                                 default:
625                                         break;
626                         }
627         }
628
629         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
630                         (unsigned int)p->auth.auth_level,
631                         (unsigned int)p->auth.auth_type));
632         return False;
633 }
634
635 /*******************************************************************
636  Process an NTLMSSP authentication response.
637  If this function succeeds, the user has been authenticated
638  and their domain, name and calling workstation stored in
639  the pipe struct.
640 *******************************************************************/
641
642 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
643 {
644         DATA_BLOB session_key, reply;
645         NTSTATUS status;
646         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
647         bool ret;
648
649         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
650                  get_pipe_name_from_iface(&p->syntax)));
651
652         ZERO_STRUCT(reply);
653
654         /* this has to be done as root in order to verify the password */
655         become_root();
656         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
657         unbecome_root();
658
659         /* Don't generate a reply. */
660         data_blob_free(&reply);
661
662         if (!NT_STATUS_IS_OK(status)) {
663                 return False;
664         }
665
666         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
667            ensure the underlying NTLMSSP flags are also set. If not we should
668            refuse the bind. */
669
670         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
671                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
672                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
673                                 "but client declined signing.\n",
674                                 get_pipe_name_from_iface(&p->syntax)));
675                         return False;
676                 }
677         }
678         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
679                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
680                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
681                                 "but client declined sealing.\n",
682                                 get_pipe_name_from_iface(&p->syntax)));
683                         return False;
684                 }
685         }
686
687         DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
688                   "workstation: %s\n", a->ntlmssp_state->user,
689                   a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
690
691         if (a->server_info->ptok == NULL) {
692                 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
693                 return False;
694         }
695
696         TALLOC_FREE(p->server_info);
697
698         p->server_info = copy_serverinfo(p, a->server_info);
699         if (p->server_info == NULL) {
700                 DEBUG(0, ("copy_serverinfo failed\n"));
701                 return false;
702         }
703
704         /*
705          * We're an authenticated bind over smb, so the session key needs to
706          * be set to "SystemLibraryDTC". Weird, but this is what Windows
707          * does. See the RPC-SAMBA3SESSIONKEY.
708          */
709
710         session_key = generic_session_key();
711         if (session_key.data == NULL) {
712                 return False;
713         }
714
715         ret = server_info_set_session_key(p->server_info, session_key);
716
717         data_blob_free(&session_key);
718
719         return True;
720 }
721
722 /*******************************************************************
723  The switch table for the pipe names and the functions to handle them.
724 *******************************************************************/
725
726 struct rpc_table {
727         struct {
728                 const char *clnt;
729                 const char *srv;
730         } pipe;
731         struct ndr_syntax_id rpc_interface;
732         const struct api_struct *cmds;
733         int n_cmds;
734 };
735
736 static struct rpc_table *rpc_lookup;
737 static int rpc_lookup_size;
738
739 /*******************************************************************
740  This is the "stage3" NTLMSSP response after a bind request and reply.
741 *******************************************************************/
742
743 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
744 {
745         RPC_HDR_AUTH auth_info;
746         uint32 pad = 0;
747         DATA_BLOB blob;
748
749         ZERO_STRUCT(blob);
750
751         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
752
753         if (p->hdr.auth_len == 0) {
754                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
755                 goto err;
756         }
757
758         /* 4 bytes padding. */
759         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
760                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
761                 goto err;
762         }
763
764         /*
765          * Decode the authentication verifier response.
766          */
767
768         if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
769                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
770                 goto err;
771         }
772
773         if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
774                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
775                         (unsigned int)auth_info.auth_type ));
776                 return False;
777         }
778
779         blob = data_blob(NULL,p->hdr.auth_len);
780
781         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
782                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
783                         (unsigned int)p->hdr.auth_len ));
784                 goto err;
785         }
786
787         /*
788          * The following call actually checks the challenge/response data.
789          * for correctness against the given DOMAIN\user name.
790          */
791
792         if (!pipe_ntlmssp_verify_final(p, &blob)) {
793                 goto err;
794         }
795
796         data_blob_free(&blob);
797
798         p->pipe_bound = True;
799
800         return True;
801
802  err:
803
804         data_blob_free(&blob);
805         free_pipe_ntlmssp_auth_data(&p->auth);
806         p->auth.a_u.auth_ntlmssp_state = NULL;
807
808         return False;
809 }
810
811 /*******************************************************************
812  Marshall a bind_nak pdu.
813 *******************************************************************/
814
815 static bool setup_bind_nak(pipes_struct *p)
816 {
817         RPC_HDR nak_hdr;
818         uint16 zero = 0;
819
820         /* Free any memory in the current return data buffer. */
821         prs_mem_free(&p->out_data.rdata);
822
823         /*
824          * Marshall directly into the outgoing PDU space. We
825          * must do this as we need to set to the bind response
826          * header and are never sending more than one PDU here.
827          */
828
829         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
830
831         /*
832          * Initialize a bind_nak header.
833          */
834
835         init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
836                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
837
838         /*
839          * Marshall the header into the outgoing PDU.
840          */
841
842         if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
843                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
844                 prs_mem_free(&p->out_data.frag);
845                 return False;
846         }
847
848         /*
849          * Now add the reject reason.
850          */
851
852         if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
853                 prs_mem_free(&p->out_data.frag);
854                 return False;
855         }
856
857         p->out_data.data_sent_length = 0;
858         p->out_data.current_pdu_sent = 0;
859
860         if (p->auth.auth_data_free_func) {
861                 (*p->auth.auth_data_free_func)(&p->auth);
862         }
863         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
864         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
865         p->pipe_bound = False;
866
867         return True;
868 }
869
870 /*******************************************************************
871  Marshall a fault pdu.
872 *******************************************************************/
873
874 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
875 {
876         RPC_HDR fault_hdr;
877         RPC_HDR_RESP hdr_resp;
878         RPC_HDR_FAULT fault_resp;
879
880         /* Free any memory in the current return data buffer. */
881         prs_mem_free(&p->out_data.rdata);
882
883         /*
884          * Marshall directly into the outgoing PDU space. We
885          * must do this as we need to set to the bind response
886          * header and are never sending more than one PDU here.
887          */
888
889         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
890
891         /*
892          * Initialize a fault header.
893          */
894
895         init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
896             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
897
898         /*
899          * Initialize the HDR_RESP and FAULT parts of the PDU.
900          */
901
902         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
903
904         fault_resp.status = status;
905         fault_resp.reserved = 0;
906
907         /*
908          * Marshall the header into the outgoing PDU.
909          */
910
911         if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
912                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
913                 prs_mem_free(&p->out_data.frag);
914                 return False;
915         }
916
917         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
918                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
919                 prs_mem_free(&p->out_data.frag);
920                 return False;
921         }
922
923         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
924                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
925                 prs_mem_free(&p->out_data.frag);
926                 return False;
927         }
928
929         p->out_data.data_sent_length = 0;
930         p->out_data.current_pdu_sent = 0;
931
932         return True;
933 }
934
935 #if 0
936 /*******************************************************************
937  Marshall a cancel_ack pdu.
938  We should probably check the auth-verifier here.
939 *******************************************************************/
940
941 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
942 {
943         prs_struct outgoing_pdu;
944         RPC_HDR ack_reply_hdr;
945
946         /* Free any memory in the current return data buffer. */
947         prs_mem_free(&p->out_data.rdata);
948
949         /*
950          * Marshall directly into the outgoing PDU space. We
951          * must do this as we need to set to the bind response
952          * header and are never sending more than one PDU here.
953          */
954
955         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
956         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
957
958         /*
959          * Initialize a cancel_ack header.
960          */
961
962         init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
963                         p->hdr.call_id, RPC_HEADER_LEN, 0);
964
965         /*
966          * Marshall the header into the outgoing PDU.
967          */
968
969         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
970                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
971                 prs_mem_free(&outgoing_pdu);
972                 return False;
973         }
974
975         p->out_data.data_sent_length = 0;
976         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
977         p->out_data.current_pdu_sent = 0;
978
979         prs_mem_free(&outgoing_pdu);
980         return True;
981 }
982 #endif
983
984 /*******************************************************************
985  Ensure a bind request has the correct abstract & transfer interface.
986  Used to reject unknown binds from Win2k.
987 *******************************************************************/
988
989 static bool check_bind_req(struct pipes_struct *p,
990                            struct ndr_syntax_id* abstract,
991                            struct ndr_syntax_id* transfer,
992                            uint32 context_id)
993 {
994         int i=0;
995         struct pipe_rpc_fns *context_fns;
996
997         DEBUG(3,("check_bind_req for %s\n",
998                  get_pipe_name_from_iface(&p->syntax)));
999
1000         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
1001
1002         for (i=0; i<rpc_lookup_size; i++) {
1003                 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
1004                 if (ndr_syntax_id_equal(
1005                             abstract, &rpc_lookup[i].rpc_interface)
1006                     && ndr_syntax_id_equal(
1007                             transfer, &ndr_transfer_syntax)) {
1008                         break;
1009                 }
1010         }
1011
1012         if (i == rpc_lookup_size) {
1013                 return false;
1014         }
1015
1016         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1017         if (context_fns == NULL) {
1018                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1019                 return False;
1020         }
1021
1022         context_fns->cmds = rpc_lookup[i].cmds;
1023         context_fns->n_cmds = rpc_lookup[i].n_cmds;
1024         context_fns->context_id = context_id;
1025
1026         /* add to the list of open contexts */
1027
1028         DLIST_ADD( p->contexts, context_fns );
1029
1030         return True;
1031 }
1032
1033 /*******************************************************************
1034  Register commands to an RPC pipe
1035 *******************************************************************/
1036
1037 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1038                           const struct ndr_interface_table *iface,
1039                           const struct api_struct *cmds, int size)
1040 {
1041         struct rpc_table *rpc_entry;
1042
1043         if (!clnt || !srv || !cmds) {
1044                 return NT_STATUS_INVALID_PARAMETER;
1045         }
1046
1047         if (version != SMB_RPC_INTERFACE_VERSION) {
1048                 DEBUG(0,("Can't register rpc commands!\n"
1049                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1050                          ", while this version of samba uses version %d!\n", 
1051                          version,SMB_RPC_INTERFACE_VERSION));
1052                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1053         }
1054
1055         /* TODO: 
1056          *
1057          * we still need to make sure that don't register the same commands twice!!!
1058          * 
1059          * --metze
1060          */
1061
1062         /* We use a temporary variable because this call can fail and 
1063            rpc_lookup will still be valid afterwards.  It could then succeed if
1064            called again later */
1065         rpc_lookup_size++;
1066         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1067         if (NULL == rpc_entry) {
1068                 rpc_lookup_size--;
1069                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1070                 return NT_STATUS_NO_MEMORY;
1071         } else {
1072                 rpc_lookup = rpc_entry;
1073         }
1074
1075         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1076         ZERO_STRUCTP(rpc_entry);
1077         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1078         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1079         rpc_entry->rpc_interface = iface->syntax_id;
1080         rpc_entry->cmds = cmds;
1081         rpc_entry->n_cmds = size;
1082
1083         return NT_STATUS_OK;
1084 }
1085
1086 /**
1087  * Is a named pipe known?
1088  * @param[in] cli_filename      The pipe name requested by the client
1089  * @result                      Do we want to serve this?
1090  */
1091 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1092 {
1093         const char *pipename = cli_filename;
1094         int i;
1095
1096         if (strnequal(pipename, "\\PIPE\\", 6)) {
1097                 pipename += 5;
1098         }
1099
1100         if (*pipename == '\\') {
1101                 pipename += 1;
1102         }
1103
1104         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1105                 DEBUG(10, ("refusing spoolss access\n"));
1106                 return false;
1107         }
1108
1109         for (i=0; i<rpc_lookup_size; i++) {
1110                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1111                         *syntax = rpc_lookup[i].rpc_interface;
1112                         return true;
1113                 }
1114         }
1115
1116         DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1117         return false;
1118 }
1119
1120 /*******************************************************************
1121  Handle a SPNEGO krb5 bind auth.
1122 *******************************************************************/
1123
1124 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1125                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1126 {
1127         return False;
1128 }
1129
1130 /*******************************************************************
1131  Handle the first part of a SPNEGO bind auth.
1132 *******************************************************************/
1133
1134 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1135                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1136 {
1137         DATA_BLOB blob;
1138         DATA_BLOB secblob;
1139         DATA_BLOB response;
1140         DATA_BLOB chal;
1141         char *OIDs[ASN1_MAX_OIDS];
1142         int i;
1143         NTSTATUS status;
1144         bool got_kerberos_mechanism = false;
1145         AUTH_NTLMSSP_STATE *a = NULL;
1146         RPC_HDR_AUTH auth_info;
1147
1148         ZERO_STRUCT(secblob);
1149         ZERO_STRUCT(chal);
1150         ZERO_STRUCT(response);
1151
1152         /* Grab the SPNEGO blob. */
1153         blob = data_blob(NULL,p->hdr.auth_len);
1154
1155         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1156                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1157                         (unsigned int)p->hdr.auth_len ));
1158                 goto err;
1159         }
1160
1161         if (blob.data[0] != ASN1_APPLICATION(0)) {
1162                 goto err;
1163         }
1164
1165         /* parse out the OIDs and the first sec blob */
1166         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1167                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1168                 goto err;
1169         }
1170
1171         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1172                 got_kerberos_mechanism = true;
1173         }
1174
1175         for (i=0;OIDs[i];i++) {
1176                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1177                 TALLOC_FREE(OIDs[i]);
1178         }
1179         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1180
1181         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1182                 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1183                 data_blob_free(&secblob);
1184                 data_blob_free(&blob);
1185                 return ret;
1186         }
1187
1188         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1189                 /* Free any previous auth type. */
1190                 free_pipe_ntlmssp_auth_data(&p->auth);
1191         }
1192
1193         if (!got_kerberos_mechanism) {
1194                 /* Initialize the NTLM engine. */
1195                 status = auth_ntlmssp_start(&a);
1196                 if (!NT_STATUS_IS_OK(status)) {
1197                         goto err;
1198                 }
1199
1200                 /*
1201                  * Pass the first security blob of data to it.
1202                  * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1203                  * which means we need another packet to complete the bind.
1204                  */
1205
1206                 status = auth_ntlmssp_update(a, secblob, &chal);
1207
1208                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1209                         DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1210                         goto err;
1211                 }
1212
1213                 /* Generate the response blob we need for step 2 of the bind. */
1214                 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1215         } else {
1216                 /*
1217                  * SPNEGO negotiate down to NTLMSSP. The subsequent
1218                  * code to process follow-up packets is not complete
1219                  * yet. JRA.
1220                  */
1221                 response = spnego_gen_auth_response(NULL,
1222                                         NT_STATUS_MORE_PROCESSING_REQUIRED,
1223                                         OID_NTLMSSP);
1224         }
1225
1226         /* Copy the blob into the pout_auth parse struct */
1227         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1228         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1229                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1230                 goto err;
1231         }
1232
1233         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1234                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1235                 goto err;
1236         }
1237
1238         p->auth.a_u.auth_ntlmssp_state = a;
1239         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1240         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1241
1242         data_blob_free(&blob);
1243         data_blob_free(&secblob);
1244         data_blob_free(&chal);
1245         data_blob_free(&response);
1246
1247         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1248         return True;
1249
1250  err:
1251
1252         data_blob_free(&blob);
1253         data_blob_free(&secblob);
1254         data_blob_free(&chal);
1255         data_blob_free(&response);
1256
1257         p->auth.a_u.auth_ntlmssp_state = NULL;
1258
1259         return False;
1260 }
1261
1262 /*******************************************************************
1263  Handle the second part of a SPNEGO bind auth.
1264 *******************************************************************/
1265
1266 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1267                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1268 {
1269         RPC_HDR_AUTH auth_info;
1270         DATA_BLOB spnego_blob;
1271         DATA_BLOB auth_blob;
1272         DATA_BLOB auth_reply;
1273         DATA_BLOB response;
1274         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1275
1276         ZERO_STRUCT(spnego_blob);
1277         ZERO_STRUCT(auth_blob);
1278         ZERO_STRUCT(auth_reply);
1279         ZERO_STRUCT(response);
1280
1281         /*
1282          * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1283          * fail here as 'a' == NULL.
1284          */
1285         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1286                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1287                 goto err;
1288         }
1289
1290         /* Grab the SPNEGO blob. */
1291         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1292
1293         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1294                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1295                         (unsigned int)p->hdr.auth_len ));
1296                 goto err;
1297         }
1298
1299         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1300                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1301                 goto err;
1302         }
1303
1304         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1305                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1306                 goto err;
1307         }
1308
1309         /*
1310          * The following call actually checks the challenge/response data.
1311          * for correctness against the given DOMAIN\user name.
1312          */
1313
1314         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1315                 goto err;
1316         }
1317
1318         data_blob_free(&spnego_blob);
1319         data_blob_free(&auth_blob);
1320
1321         /* Generate the spnego "accept completed" blob - no incoming data. */
1322         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1323
1324         /* Copy the blob into the pout_auth parse struct */
1325         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1326         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1327                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1328                 goto err;
1329         }
1330
1331         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1332                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1333                 goto err;
1334         }
1335
1336         data_blob_free(&auth_reply);
1337         data_blob_free(&response);
1338
1339         p->pipe_bound = True;
1340
1341         return True;
1342
1343  err:
1344
1345         data_blob_free(&spnego_blob);
1346         data_blob_free(&auth_blob);
1347         data_blob_free(&auth_reply);
1348         data_blob_free(&response);
1349
1350         free_pipe_ntlmssp_auth_data(&p->auth);
1351         p->auth.a_u.auth_ntlmssp_state = NULL;
1352
1353         return False;
1354 }
1355
1356 /*******************************************************************
1357  Handle an schannel bind auth.
1358 *******************************************************************/
1359
1360 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1361                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1362 {
1363         RPC_HDR_AUTH auth_info;
1364         struct NL_AUTH_MESSAGE neg;
1365         struct NL_AUTH_MESSAGE reply;
1366         bool ret;
1367         NTSTATUS status;
1368         struct netlogon_creds_CredentialState *creds;
1369         DATA_BLOB session_key;
1370         enum ndr_err_code ndr_err;
1371         DATA_BLOB blob;
1372
1373         blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1374                                prs_data_size(rpc_in_p));
1375
1376         ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1377                                (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1378         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1379                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1380                 return false;
1381         }
1382
1383         if (DEBUGLEVEL >= 10) {
1384                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1385         }
1386
1387         if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1388                 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1389                 return false;
1390         }
1391
1392         /*
1393          * The neg.oem_netbios_computer.a key here must match the remote computer name
1394          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1395          * operations that use credentials.
1396          */
1397
1398         become_root();
1399         status = schannel_fetch_session_key(p,
1400                                             neg.oem_netbios_computer.a,
1401                                             &creds);
1402         unbecome_root();
1403
1404         if (!NT_STATUS_IS_OK(status)) {
1405                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1406                 return False;
1407         }
1408
1409         p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1410         if (!p->auth.a_u.schannel_auth) {
1411                 TALLOC_FREE(creds);
1412                 return False;
1413         }
1414
1415         p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1416         p->auth.a_u.schannel_auth->seq_num = 0;
1417         p->auth.a_u.schannel_auth->initiator = false;
1418         p->auth.a_u.schannel_auth->creds = creds;
1419
1420         /*
1421          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1422          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1423          * struct of the person who opened the pipe. I need to test this further. JRA.
1424          *
1425          * VL. As we are mapping this to guest set the generic key
1426          * "SystemLibraryDTC" key here. It's a bit difficult to test against
1427          * W2k3, as it does not allow schannel binds against SAMR and LSA
1428          * anymore.
1429          */
1430
1431         session_key = generic_session_key();
1432         if (session_key.data == NULL) {
1433                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1434                           " key\n"));
1435                 return false;
1436         }
1437
1438         ret = server_info_set_session_key(p->server_info, session_key);
1439
1440         data_blob_free(&session_key);
1441
1442         if (!ret) {
1443                 DEBUG(0, ("server_info_set_session_key failed\n"));
1444                 return false;
1445         }
1446
1447         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1448         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1449                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1450                 return False;
1451         }
1452
1453         /*** SCHANNEL verifier ***/
1454
1455         reply.MessageType                       = NL_NEGOTIATE_RESPONSE;
1456         reply.Flags                             = 0;
1457         reply.Buffer.dummy                      = 5; /* ??? actually I don't think
1458                                                       * this has any meaning
1459                                                       * here - gd */
1460
1461         ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &reply,
1462                        (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1463         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1464                 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1465                 return false;
1466         }
1467
1468         if (DEBUGLEVEL >= 10) {
1469                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1470         }
1471
1472         if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1473                 return false;
1474         }
1475
1476         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1477                 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1478
1479         /* We're finished with this bind - no more packets. */
1480         p->auth.auth_data_free_func = NULL;
1481         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1482
1483         p->pipe_bound = True;
1484
1485         return True;
1486 }
1487
1488 /*******************************************************************
1489  Handle an NTLMSSP bind auth.
1490 *******************************************************************/
1491
1492 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1493                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1494 {
1495         RPC_HDR_AUTH auth_info;
1496         DATA_BLOB blob;
1497         DATA_BLOB response;
1498         NTSTATUS status;
1499         AUTH_NTLMSSP_STATE *a = NULL;
1500
1501         ZERO_STRUCT(blob);
1502         ZERO_STRUCT(response);
1503
1504         /* Grab the NTLMSSP blob. */
1505         blob = data_blob(NULL,p->hdr.auth_len);
1506
1507         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1508                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1509                         (unsigned int)p->hdr.auth_len ));
1510                 goto err;
1511         }
1512
1513         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1514                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1515                 goto err;
1516         }
1517
1518         /* We have an NTLMSSP blob. */
1519         status = auth_ntlmssp_start(&a);
1520         if (!NT_STATUS_IS_OK(status)) {
1521                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1522                         nt_errstr(status) ));
1523                 goto err;
1524         }
1525
1526         status = auth_ntlmssp_update(a, blob, &response);
1527         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1528                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1529                         nt_errstr(status) ));
1530                 goto err;
1531         }
1532
1533         data_blob_free(&blob);
1534
1535         /* Copy the blob into the pout_auth parse struct */
1536         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1537         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1538                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1539                 goto err;
1540         }
1541
1542         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1543                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1544                 goto err;
1545         }
1546
1547         p->auth.a_u.auth_ntlmssp_state = a;
1548         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1549         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1550
1551         data_blob_free(&blob);
1552         data_blob_free(&response);
1553
1554         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1555
1556         /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1557         return True;
1558
1559   err:
1560
1561         data_blob_free(&blob);
1562         data_blob_free(&response);
1563
1564         free_pipe_ntlmssp_auth_data(&p->auth);
1565         p->auth.a_u.auth_ntlmssp_state = NULL;
1566         return False;
1567 }
1568
1569 /*******************************************************************
1570  Respond to a pipe bind request.
1571 *******************************************************************/
1572
1573 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1574 {
1575         RPC_HDR_BA hdr_ba;
1576         RPC_HDR_RB hdr_rb;
1577         RPC_HDR_AUTH auth_info;
1578         uint16 assoc_gid;
1579         fstring ack_pipe_name;
1580         prs_struct out_hdr_ba;
1581         prs_struct out_auth;
1582         int i = 0;
1583         int auth_len = 0;
1584         unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1585
1586         /* No rebinds on a bound pipe - use alter context. */
1587         if (p->pipe_bound) {
1588                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1589                          "pipe %s.\n", get_pipe_name_from_iface(&p->syntax)));
1590                 return setup_bind_nak(p);
1591         }
1592
1593         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1594
1595         /* 
1596          * Marshall directly into the outgoing PDU space. We
1597          * must do this as we need to set to the bind response
1598          * header and are never sending more than one PDU here.
1599          */
1600
1601         /*
1602          * Setup the memory to marshall the ba header, and the
1603          * auth footers.
1604          */
1605
1606         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1607                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1608                 prs_mem_free(&p->out_data.frag);
1609                 return False;
1610         }
1611
1612         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1613                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1614                 prs_mem_free(&p->out_data.frag);
1615                 prs_mem_free(&out_hdr_ba);
1616                 return False;
1617         }
1618
1619         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1620
1621         ZERO_STRUCT(hdr_rb);
1622
1623         /* decode the bind request */
1624
1625         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1626                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1627                          "struct.\n"));
1628                 goto err_exit;
1629         }
1630
1631         if (hdr_rb.num_contexts == 0) {
1632                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1633                 goto err_exit;
1634         }
1635
1636         /*
1637          * Try and find the correct pipe name to ensure
1638          * that this is a pipe name we support.
1639          */
1640
1641         for (i = 0; i < rpc_lookup_size; i++) {
1642                 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1643                                         &hdr_rb.rpc_context[0].abstract)) {
1644                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1645                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1646                         break;
1647                 }
1648         }
1649
1650         if (i == rpc_lookup_size) {
1651                 NTSTATUS status;
1652
1653                 status = smb_probe_module(
1654                         "rpc", get_pipe_name_from_iface(
1655                                 &hdr_rb.rpc_context[0].abstract));
1656
1657                 if (NT_STATUS_IS_ERR(status)) {
1658                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1659                                 get_pipe_name_from_iface(&hdr_rb.rpc_context[0].abstract)));
1660                         prs_mem_free(&p->out_data.frag);
1661                         prs_mem_free(&out_hdr_ba);
1662                         prs_mem_free(&out_auth);
1663
1664                         return setup_bind_nak(p);
1665                 }
1666
1667                 for (i = 0; i < rpc_lookup_size; i++) {
1668                        if (strequal(rpc_lookup[i].pipe.clnt,
1669                                     get_pipe_name_from_iface(&p->syntax))) {
1670                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1671                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1672                                break;
1673                        }
1674                 }
1675
1676                 if (i == rpc_lookup_size) {
1677                         DEBUG(0, ("module %s doesn't provide functions for "
1678                                   "pipe %s!\n",
1679                                   get_pipe_name_from_iface(&p->syntax),
1680                                   get_pipe_name_from_iface(&p->syntax)));
1681                         goto err_exit;
1682                 }
1683         }
1684
1685         /* name has to be \PIPE\xxxxx */
1686         fstrcpy(ack_pipe_name, "\\PIPE\\");
1687         fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1688
1689         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1690
1691         /*
1692          * Check if this is an authenticated bind request.
1693          */
1694
1695         if (p->hdr.auth_len) {
1696                 /* 
1697                  * Decode the authentication verifier.
1698                  */
1699
1700                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1701                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1702                         goto err_exit;
1703                 }
1704
1705                 auth_type = auth_info.auth_type;
1706
1707                 /* Work out if we have to sign or seal etc. */
1708                 switch (auth_info.auth_level) {
1709                         case DCERPC_AUTH_LEVEL_INTEGRITY:
1710                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1711                                 break;
1712                         case DCERPC_AUTH_LEVEL_PRIVACY:
1713                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1714                                 break;
1715                         default:
1716                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1717                                         (unsigned int)auth_info.auth_level ));
1718                                 goto err_exit;
1719                 }
1720         } else {
1721                 ZERO_STRUCT(auth_info);
1722         }
1723
1724         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1725
1726         switch(auth_type) {
1727                 case DCERPC_AUTH_TYPE_NTLMSSP:
1728                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1729                                 goto err_exit;
1730                         }
1731                         assoc_gid = 0x7a77;
1732                         break;
1733
1734                 case DCERPC_AUTH_TYPE_SCHANNEL:
1735                         if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1736                                 goto err_exit;
1737                         }
1738                         break;
1739
1740                 case DCERPC_AUTH_TYPE_SPNEGO:
1741                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1742                                 goto err_exit;
1743                         }
1744                         break;
1745
1746                 case DCERPC_AUTH_TYPE_NONE:
1747                         /* Unauthenticated bind request. */
1748                         /* We're finished - no more packets. */
1749                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1750                         /* We must set the pipe auth_level here also. */
1751                         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1752                         p->pipe_bound = True;
1753                         /* The session key was initialized from the SMB
1754                          * session in make_internal_rpc_pipe_p */
1755                         break;
1756
1757                 default:
1758                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1759                         goto err_exit;
1760         }
1761
1762         /*
1763          * Create the bind response struct.
1764          */
1765
1766         /* If the requested abstract synt uuid doesn't match our client pipe,
1767                 reject the bind_ack & set the transfer interface synt to all 0's,
1768                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1769                 unknown to NT4)
1770                 Needed when adding entries to a DACL from NT5 - SK */
1771
1772         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1773                                 hdr_rb.rpc_context[0].context_id )) {
1774                 init_rpc_hdr_ba(&hdr_ba,
1775                         RPC_MAX_PDU_FRAG_LEN,
1776                         RPC_MAX_PDU_FRAG_LEN,
1777                         assoc_gid,
1778                         ack_pipe_name,
1779                         0x1, 0x0, 0x0,
1780                         &hdr_rb.rpc_context[0].transfer[0]);
1781         } else {
1782                 /* Rejection reason: abstract syntax not supported */
1783                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1784                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1785                                         ack_pipe_name, 0x1, 0x2, 0x1,
1786                                         &null_ndr_syntax_id);
1787                 p->pipe_bound = False;
1788         }
1789
1790         /*
1791          * and marshall it.
1792          */
1793
1794         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1795                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1796                 goto err_exit;
1797         }
1798
1799         /*
1800          * Create the header, now we know the length.
1801          */
1802
1803         if (prs_offset(&out_auth)) {
1804                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1805         }
1806
1807         init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1808                         p->hdr.call_id,
1809                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1810                         auth_len);
1811
1812         /*
1813          * Marshall the header into the outgoing PDU.
1814          */
1815
1816         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1817                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1818                 goto err_exit;
1819         }
1820
1821         /*
1822          * Now add the RPC_HDR_BA and any auth needed.
1823          */
1824
1825         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1826                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1827                 goto err_exit;
1828         }
1829
1830         if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1831                 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1832                 goto err_exit;
1833         }
1834
1835         /*
1836          * Setup the lengths for the initial reply.
1837          */
1838
1839         p->out_data.data_sent_length = 0;
1840         p->out_data.current_pdu_sent = 0;
1841
1842         prs_mem_free(&out_hdr_ba);
1843         prs_mem_free(&out_auth);
1844
1845         return True;
1846
1847   err_exit:
1848
1849         prs_mem_free(&p->out_data.frag);
1850         prs_mem_free(&out_hdr_ba);
1851         prs_mem_free(&out_auth);
1852         return setup_bind_nak(p);
1853 }
1854
1855 /****************************************************************************
1856  Deal with an alter context call. Can be third part of 3 leg auth request for
1857  SPNEGO calls.
1858 ****************************************************************************/
1859
1860 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1861 {
1862         RPC_HDR_BA hdr_ba;
1863         RPC_HDR_RB hdr_rb;
1864         RPC_HDR_AUTH auth_info;
1865         uint16 assoc_gid;
1866         fstring ack_pipe_name;
1867         prs_struct out_hdr_ba;
1868         prs_struct out_auth;
1869         int auth_len = 0;
1870
1871         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1872
1873         /* 
1874          * Marshall directly into the outgoing PDU space. We
1875          * must do this as we need to set to the bind response
1876          * header and are never sending more than one PDU here.
1877          */
1878
1879         /*
1880          * Setup the memory to marshall the ba header, and the
1881          * auth footers.
1882          */
1883
1884         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1885                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1886                 prs_mem_free(&p->out_data.frag);
1887                 return False;
1888         }
1889
1890         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1891                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1892                 prs_mem_free(&p->out_data.frag);
1893                 prs_mem_free(&out_hdr_ba);
1894                 return False;
1895         }
1896
1897         ZERO_STRUCT(hdr_rb);
1898
1899         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1900
1901         /* decode the alter context request */
1902         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1903                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1904                 goto err_exit;
1905         }
1906
1907         /* secondary address CAN be NULL
1908          * as the specs say it's ignored.
1909          * It MUST be NULL to have the spoolss working.
1910          */
1911         fstrcpy(ack_pipe_name,"");
1912
1913         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1914
1915         /*
1916          * Check if this is an authenticated alter context request.
1917          */
1918
1919         if (p->hdr.auth_len != 0) {
1920                 /* 
1921                  * Decode the authentication verifier.
1922                  */
1923
1924                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1925                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1926                         goto err_exit;
1927                 }
1928
1929                 /*
1930                  * Currently only the SPNEGO auth type uses the alter ctx
1931                  * response in place of the NTLMSSP auth3 type.
1932                  */
1933
1934                 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
1935                         /* We can only finish if the pipe is unbound. */
1936                         if (!p->pipe_bound) {
1937                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1938                                         goto err_exit;
1939                                 }
1940                         } else {
1941                                 goto err_exit;
1942                         }
1943                 }
1944         } else {
1945                 ZERO_STRUCT(auth_info);
1946         }
1947
1948         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1949
1950         /*
1951          * Create the bind response struct.
1952          */
1953
1954         /* If the requested abstract synt uuid doesn't match our client pipe,
1955                 reject the bind_ack & set the transfer interface synt to all 0's,
1956                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1957                 unknown to NT4)
1958                 Needed when adding entries to a DACL from NT5 - SK */
1959
1960         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1961                                 hdr_rb.rpc_context[0].context_id )) {
1962                 init_rpc_hdr_ba(&hdr_ba,
1963                         RPC_MAX_PDU_FRAG_LEN,
1964                         RPC_MAX_PDU_FRAG_LEN,
1965                         assoc_gid,
1966                         ack_pipe_name,
1967                         0x1, 0x0, 0x0,
1968                         &hdr_rb.rpc_context[0].transfer[0]);
1969         } else {
1970                 /* Rejection reason: abstract syntax not supported */
1971                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1972                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1973                                         ack_pipe_name, 0x1, 0x2, 0x1,
1974                                         &null_ndr_syntax_id);
1975                 p->pipe_bound = False;
1976         }
1977
1978         /*
1979          * and marshall it.
1980          */
1981
1982         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1983                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1984                 goto err_exit;
1985         }
1986
1987         /*
1988          * Create the header, now we know the length.
1989          */
1990
1991         if (prs_offset(&out_auth)) {
1992                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1993         }
1994
1995         init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1996                         p->hdr.call_id,
1997                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1998                         auth_len);
1999
2000         /*
2001          * Marshall the header into the outgoing PDU.
2002          */
2003
2004         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2005                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2006                 goto err_exit;
2007         }
2008
2009         /*
2010          * Now add the RPC_HDR_BA and any auth needed.
2011          */
2012
2013         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2014                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2015                 goto err_exit;
2016         }
2017
2018         if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) {
2019                 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2020                 goto err_exit;
2021         }
2022
2023         /*
2024          * Setup the lengths for the initial reply.
2025          */
2026
2027         p->out_data.data_sent_length = 0;
2028         p->out_data.current_pdu_sent = 0;
2029
2030         prs_mem_free(&out_hdr_ba);
2031         prs_mem_free(&out_auth);
2032
2033         return True;
2034
2035   err_exit:
2036
2037         prs_mem_free(&p->out_data.frag);
2038         prs_mem_free(&out_hdr_ba);
2039         prs_mem_free(&out_auth);
2040         return setup_bind_nak(p);
2041 }
2042
2043 /****************************************************************************
2044  Deal with NTLMSSP sign & seal processing on an RPC request.
2045 ****************************************************************************/
2046
2047 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2048                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2049 {
2050         RPC_HDR_AUTH auth_info;
2051         uint32 auth_len = p->hdr.auth_len;
2052         uint32 save_offset = prs_offset(rpc_in);
2053         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2054         unsigned char *data = NULL;
2055         size_t data_len;
2056         unsigned char *full_packet_data = NULL;
2057         size_t full_packet_data_len;
2058         DATA_BLOB auth_blob;
2059
2060         *pstatus = NT_STATUS_OK;
2061
2062         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2063                 return True;
2064         }
2065
2066         if (!a) {
2067                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2068                 return False;
2069         }
2070
2071         /* Ensure there's enough data for an authenticated request. */
2072         if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2073                         (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2074                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2075                         (unsigned int)auth_len ));
2076                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2077                 return False;
2078         }
2079
2080         /*
2081          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2082          * after the RPC header. 
2083          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2084          * functions as NTLMv2 checks the rpc headers also.
2085          */
2086
2087         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2088         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2089
2090         full_packet_data = p->in_data.current_in_pdu;
2091         full_packet_data_len = p->hdr.frag_len - auth_len;
2092
2093         /* Pull the auth header and the following data into a blob. */
2094         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2095                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2096                         (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2097                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2098                 return False;
2099         }
2100
2101         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2102                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2103                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2104                 return False;
2105         }
2106
2107         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2108         auth_blob.length = auth_len;
2109
2110         switch (p->auth.auth_level) {
2111                 case DCERPC_AUTH_LEVEL_PRIVACY:
2112                         /* Data is encrypted. */
2113                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2114                                                         data, data_len,
2115                                                         full_packet_data,
2116                                                         full_packet_data_len,
2117                                                         &auth_blob);
2118                         if (!NT_STATUS_IS_OK(*pstatus)) {
2119                                 return False;
2120                         }
2121                         break;
2122                 case DCERPC_AUTH_LEVEL_INTEGRITY:
2123                         /* Data is signed. */
2124                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2125                                                         data, data_len,
2126                                                         full_packet_data,
2127                                                         full_packet_data_len,
2128                                                         &auth_blob);
2129                         if (!NT_STATUS_IS_OK(*pstatus)) {
2130                                 return False;
2131                         }
2132                         break;
2133                 default:
2134                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2135                         return False;
2136         }
2137
2138         /*
2139          * Return the current pointer to the data offset.
2140          */
2141
2142         if(!prs_set_offset(rpc_in, save_offset)) {
2143                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2144                         (unsigned int)save_offset ));
2145                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2146                 return False;
2147         }
2148
2149         /*
2150          * Remember the padding length. We must remove it from the real data
2151          * stream once the sign/seal is done.
2152          */
2153
2154         *p_ss_padding_len = auth_info.auth_pad_len;
2155
2156         return True;
2157 }
2158
2159 /****************************************************************************
2160  Deal with schannel processing on an RPC request.
2161 ****************************************************************************/
2162
2163 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2164 {
2165         uint32 data_len;
2166         uint32 auth_len;
2167         uint32 save_offset = prs_offset(rpc_in);
2168         RPC_HDR_AUTH auth_info;
2169         DATA_BLOB blob;
2170         NTSTATUS status;
2171         uint8_t *data;
2172
2173         auth_len = p->hdr.auth_len;
2174
2175         if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2176                         auth_len > RPC_HEADER_LEN +
2177                                         RPC_HDR_REQ_LEN +
2178                                         RPC_HDR_AUTH_LEN +
2179                                         auth_len) {
2180                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2181                 return False;
2182         }
2183
2184         /*
2185          * The following is that length of the data we must verify or unseal.
2186          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2187          * preceeding the auth_data.
2188          */
2189
2190         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2191                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2192                         (unsigned int)p->hdr.frag_len,
2193                         (unsigned int)auth_len ));
2194                 return False;
2195         }
2196
2197         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2198                 RPC_HDR_AUTH_LEN - auth_len;
2199
2200         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2201
2202         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2203                 DEBUG(0,("cannot move offset to %u.\n",
2204                          (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2205                 return False;
2206         }
2207
2208         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2209                 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2210                 return False;
2211         }
2212
2213         if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2214                 DEBUG(0,("Invalid auth info %d on schannel\n",
2215                          auth_info.auth_type));
2216                 return False;
2217         }
2218
2219         blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2220
2221         if (DEBUGLEVEL >= 10) {
2222                 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2223         }
2224
2225         data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2226
2227         switch (auth_info.auth_level) {
2228         case DCERPC_AUTH_LEVEL_PRIVACY:
2229                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2230                                                 talloc_tos(),
2231                                                 true,
2232                                                 data,
2233                                                 data_len,
2234                                                 &blob);
2235                 break;
2236         case DCERPC_AUTH_LEVEL_INTEGRITY:
2237                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2238                                                 talloc_tos(),
2239                                                 false,
2240                                                 data,
2241                                                 data_len,
2242                                                 &blob);
2243                 break;
2244         default:
2245                 status = NT_STATUS_INTERNAL_ERROR;
2246                 break;
2247         }
2248
2249         if (!NT_STATUS_IS_OK(status)) {
2250                 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2251                 return false;
2252         }
2253
2254         /*
2255          * Return the current pointer to the data offset.
2256          */
2257
2258         if(!prs_set_offset(rpc_in, save_offset)) {
2259                 DEBUG(0,("failed to set offset back to %u\n",
2260                          (unsigned int)save_offset ));
2261                 return False;
2262         }
2263
2264         /*
2265          * Remember the padding length. We must remove it from the real data
2266          * stream once the sign/seal is done.
2267          */
2268
2269         *p_ss_padding_len = auth_info.auth_pad_len;
2270
2271         return True;
2272 }
2273
2274 /****************************************************************************
2275  Find the set of RPC functions associated with this context_id
2276 ****************************************************************************/
2277
2278 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2279 {
2280         PIPE_RPC_FNS *fns = NULL;
2281
2282         if ( !list ) {
2283                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2284                 return NULL;
2285         }
2286
2287         for (fns=list; fns; fns=fns->next ) {
2288                 if ( fns->context_id == context_id )
2289                         return fns;
2290         }
2291         return NULL;
2292 }
2293
2294 /****************************************************************************
2295  Memory cleanup.
2296 ****************************************************************************/
2297
2298 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2299 {
2300         PIPE_RPC_FNS *tmp = list;
2301         PIPE_RPC_FNS *tmp2;
2302
2303         while (tmp) {
2304                 tmp2 = tmp->next;
2305                 SAFE_FREE(tmp);
2306                 tmp = tmp2;
2307         }
2308
2309         return; 
2310 }
2311
2312 static bool api_rpcTNP(pipes_struct *p,
2313                        const struct api_struct *api_rpc_cmds, int n_cmds);
2314
2315 /****************************************************************************
2316  Find the correct RPC function to call for this request.
2317  If the pipe is authenticated then become the correct UNIX user
2318  before doing the call.
2319 ****************************************************************************/
2320
2321 bool api_pipe_request(pipes_struct *p)
2322 {
2323         bool ret = False;
2324         bool changed_user = False;
2325         PIPE_RPC_FNS *pipe_fns;
2326
2327         if (p->pipe_bound &&
2328                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2329                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2330                 if(!become_authenticated_pipe_user(p)) {
2331                         prs_mem_free(&p->out_data.rdata);
2332                         return False;
2333                 }
2334                 changed_user = True;
2335         }
2336
2337         DEBUG(5, ("Requested \\PIPE\\%s\n",
2338                   get_pipe_name_from_iface(&p->syntax)));
2339
2340         /* get the set of RPC functions for this context */
2341
2342         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2343
2344         if ( pipe_fns ) {
2345                 TALLOC_CTX *frame = talloc_stackframe();
2346                 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2347                 TALLOC_FREE(frame);
2348         }
2349         else {
2350                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2351                         p->hdr_req.context_id,
2352                         get_pipe_name_from_iface(&p->syntax)));
2353         }
2354
2355         if (changed_user) {
2356                 unbecome_authenticated_pipe_user();
2357         }
2358
2359         return ret;
2360 }
2361
2362 /*******************************************************************
2363  Calls the underlying RPC function for a named pipe.
2364  ********************************************************************/
2365
2366 static bool api_rpcTNP(pipes_struct *p,
2367                        const struct api_struct *api_rpc_cmds, int n_cmds)
2368 {
2369         int fn_num;
2370         uint32 offset1, offset2;
2371
2372         /* interpret the command */
2373         DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2374                  get_pipe_name_from_iface(&p->syntax), p->hdr_req.opnum));
2375
2376         if (DEBUGLEVEL >= 50) {
2377                 fstring name;
2378                 slprintf(name, sizeof(name)-1, "in_%s",
2379                          get_pipe_name_from_iface(&p->syntax));
2380                 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2381         }
2382
2383         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2384                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2385                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2386                         break;
2387                 }
2388         }
2389
2390         if (fn_num == n_cmds) {
2391                 /*
2392                  * For an unknown RPC just return a fault PDU but
2393                  * return True to allow RPC's on the pipe to continue
2394                  * and not put the pipe into fault state. JRA.
2395                  */
2396                 DEBUG(4, ("unknown\n"));
2397                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2398                 return True;
2399         }
2400
2401         offset1 = prs_offset(&p->out_data.rdata);
2402
2403         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2404                 fn_num, api_rpc_cmds[fn_num].fn));
2405         /* do the actual command */
2406         if(!api_rpc_cmds[fn_num].fn(p)) {
2407                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2408                          get_pipe_name_from_iface(&p->syntax),
2409                          api_rpc_cmds[fn_num].name));
2410                 prs_mem_free(&p->out_data.rdata);
2411                 return False;
2412         }
2413
2414         if (p->bad_handle_fault_state) {
2415                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2416                 p->bad_handle_fault_state = False;
2417                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2418                 return True;
2419         }
2420
2421         if (p->rng_fault_state) {
2422                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2423                 p->rng_fault_state = False;
2424                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2425                 return True;
2426         }
2427
2428         offset2 = prs_offset(&p->out_data.rdata);
2429         prs_set_offset(&p->out_data.rdata, offset1);
2430         if (DEBUGLEVEL >= 50) {
2431                 fstring name;
2432                 slprintf(name, sizeof(name)-1, "out_%s",
2433                          get_pipe_name_from_iface(&p->syntax));
2434                 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2435         }
2436         prs_set_offset(&p->out_data.rdata, offset2);
2437
2438         DEBUG(5,("api_rpcTNP: called %s successfully\n",
2439                  get_pipe_name_from_iface(&p->syntax)));
2440
2441         /* Check for buffer underflow in rpc parsing */
2442
2443         if ((DEBUGLEVEL >= 10) && 
2444             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2445                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2446                 char *data = (char *)SMB_MALLOC(data_len);
2447
2448                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2449                 if (data) {
2450                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2451                         SAFE_FREE(data);
2452                 }
2453
2454         }
2455
2456         return True;
2457 }