s3:rpc: Fix is_known_pipename for dynamically loaded pipes
[sfrench/samba-autobuild/.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Almost completely rewritten by (C) Jeremy Allison 2005.
5  *  
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *  
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *  
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /*  this module apparently provides an implementation of DCE/RPC over a
21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
22  *  documentation are available (in on-line form) from the X-Open group.
23  *
24  *  this module should provide a level of abstraction between SMB
25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
26  *  data copies, and network traffic.
27  *
28  */
29
30 #include "includes.h"
31 #include "../libcli/auth/libcli_auth.h"
32 #include "../librpc/gen_ndr/ndr_schannel.h"
33 #include "../libcli/auth/schannel.h"
34 #include "../libcli/auth/schannel_proto.h"
35 #include "../libcli/auth/spnego.h"
36
37 extern struct current_user current_user;
38
39 #undef DBGC_CLASS
40 #define DBGC_CLASS DBGC_RPC_SRV
41
42 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
43 {
44         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
45
46         if (a) {
47                 auth_ntlmssp_end(&a);
48         }
49         auth->a_u.auth_ntlmssp_state = NULL;
50 }
51
52 static DATA_BLOB generic_session_key(void)
53 {
54         return data_blob("SystemLibraryDTC", 16);
55 }
56
57 /*******************************************************************
58  Generate the next PDU to be returned from the data in p->rdata. 
59  Handle NTLMSSP.
60  ********************************************************************/
61
62 static bool create_next_pdu_ntlmssp(pipes_struct *p)
63 {
64         RPC_HDR_RESP hdr_resp;
65         uint32 ss_padding_len = 0;
66         uint32 data_space_available;
67         uint32 data_len_left;
68         uint32 data_len;
69         NTSTATUS status;
70         DATA_BLOB auth_blob;
71         RPC_HDR_AUTH auth_info;
72         uint8 auth_type, auth_level;
73         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
74
75         /*
76          * If we're in the fault state, keep returning fault PDU's until
77          * the pipe gets closed. JRA.
78          */
79
80         if(p->fault_state) {
81                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
82                 return True;
83         }
84
85         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
86
87         /* Change the incoming request header to a response. */
88         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
89
90         /* Set up rpc header flags. */
91         if (p->out_data.data_sent_length == 0) {
92                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
93         } else {
94                 p->hdr.flags = 0;
95         }
96
97         /*
98          * Work out how much we can fit in a single PDU.
99          */
100
101         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
102
103         /*
104          * Ensure there really is data left to send.
105          */
106
107         if(!data_len_left) {
108                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
109                 return False;
110         }
111
112         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
113                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
114
115         /*
116          * The amount we send is the minimum of the available
117          * space and the amount left to send.
118          */
119
120         data_len = MIN(data_len_left, data_space_available);
121
122         /*
123          * Set up the alloc hint. This should be the data left to
124          * send.
125          */
126
127         hdr_resp.alloc_hint = data_len_left;
128
129         /*
130          * Work out if this PDU will be the last.
131          */
132
133         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
134                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
135                 if (data_len_left % 8) {
136                         ss_padding_len = 8 - (data_len_left % 8);
137                         DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
138                                 ss_padding_len ));
139                 }
140         }
141
142         /*
143          * Set up the header lengths.
144          */
145
146         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
147                         data_len + ss_padding_len +
148                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
149         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
150
151
152         /*
153          * Init the parse struct to point at the outgoing
154          * data.
155          */
156
157         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
158
159         /* Store the header in the data stream. */
160         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
161                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
162                 prs_mem_free(&p->out_data.frag);
163                 return False;
164         }
165
166         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
167                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
168                 prs_mem_free(&p->out_data.frag);
169                 return False;
170         }
171
172         /* Copy the data into the PDU. */
173
174         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
175                                      p->out_data.data_sent_length, data_len)) {
176                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
177                 prs_mem_free(&p->out_data.frag);
178                 return False;
179         }
180
181         /* Copy the sign/seal padding data. */
182         if (ss_padding_len) {
183                 char pad[8];
184
185                 memset(pad, '\0', 8);
186                 if (!prs_copy_data_in(&p->out_data.frag, pad,
187                                       ss_padding_len)) {
188                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
189                                         (unsigned int)ss_padding_len));
190                         prs_mem_free(&p->out_data.frag);
191                         return False;
192                 }
193         }
194
195
196         /* Now write out the auth header and null blob. */
197         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
198                 auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
199         } else {
200                 auth_type = DCERPC_AUTH_TYPE_SPNEGO;
201         }
202         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
203                 auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
204         } else {
205                 auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
206         }
207
208         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
209         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag,
210                                 0)) {
211                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
212                 prs_mem_free(&p->out_data.frag);
213                 return False;
214         }
215
216         /* Generate the sign blob. */
217
218         switch (p->auth.auth_level) {
219                 case DCERPC_AUTH_LEVEL_PRIVACY:
220                         /* Data portion is encrypted. */
221                         status = ntlmssp_seal_packet(
222                                 a->ntlmssp_state,
223                                 (uint8_t *)prs_data_p(&p->out_data.frag)
224                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
225                                 data_len + ss_padding_len,
226                                 (unsigned char *)prs_data_p(&p->out_data.frag),
227                                 (size_t)prs_offset(&p->out_data.frag),
228                                 &auth_blob);
229                         if (!NT_STATUS_IS_OK(status)) {
230                                 data_blob_free(&auth_blob);
231                                 prs_mem_free(&p->out_data.frag);
232                                 return False;
233                         }
234                         break;
235                 case DCERPC_AUTH_LEVEL_INTEGRITY:
236                         /* Data is signed. */
237                         status = ntlmssp_sign_packet(
238                                 a->ntlmssp_state,
239                                 (unsigned char *)prs_data_p(&p->out_data.frag)
240                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
241                                 data_len + ss_padding_len,
242                                 (unsigned char *)prs_data_p(&p->out_data.frag),
243                                 (size_t)prs_offset(&p->out_data.frag),
244                                 &auth_blob);
245                         if (!NT_STATUS_IS_OK(status)) {
246                                 data_blob_free(&auth_blob);
247                                 prs_mem_free(&p->out_data.frag);
248                                 return False;
249                         }
250                         break;
251                 default:
252                         prs_mem_free(&p->out_data.frag);
253                         return False;
254         }
255
256         /* Append the auth blob. */
257         if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
258                               NTLMSSP_SIG_SIZE)) {
259                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
260                                 (unsigned int)NTLMSSP_SIG_SIZE));
261                 data_blob_free(&auth_blob);
262                 prs_mem_free(&p->out_data.frag);
263                 return False;
264         }
265
266         data_blob_free(&auth_blob);
267
268         /*
269          * Setup the counts for this PDU.
270          */
271
272         p->out_data.data_sent_length += data_len;
273         p->out_data.current_pdu_sent = 0;
274
275         return True;
276 }
277
278 /*******************************************************************
279  Generate the next PDU to be returned from the data in p->rdata. 
280  Return an schannel authenticated fragment.
281  ********************************************************************/
282
283 static bool create_next_pdu_schannel(pipes_struct *p)
284 {
285         RPC_HDR_RESP hdr_resp;
286         uint32 ss_padding_len = 0;
287         uint32 data_len;
288         uint32 data_space_available;
289         uint32 data_len_left;
290         uint32 data_pos;
291         NTSTATUS status;
292
293         /*
294          * If we're in the fault state, keep returning fault PDU's until
295          * the pipe gets closed. JRA.
296          */
297
298         if(p->fault_state) {
299                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
300                 return True;
301         }
302
303         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
304
305         /* Change the incoming request header to a response. */
306         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
307
308         /* Set up rpc header flags. */
309         if (p->out_data.data_sent_length == 0) {
310                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
311         } else {
312                 p->hdr.flags = 0;
313         }
314
315         /*
316          * Work out how much we can fit in a single PDU.
317          */
318
319         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
320
321         /*
322          * Ensure there really is data left to send.
323          */
324
325         if(!data_len_left) {
326                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
327                 return False;
328         }
329
330         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
331                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
332                 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
333
334         /*
335          * The amount we send is the minimum of the available
336          * space and the amount left to send.
337          */
338
339         data_len = MIN(data_len_left, data_space_available);
340
341         /*
342          * Set up the alloc hint. This should be the data left to
343          * send.
344          */
345
346         hdr_resp.alloc_hint = data_len_left;
347
348         /*
349          * Work out if this PDU will be the last.
350          */
351
352         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
353                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
354                 if (data_len_left % 8) {
355                         ss_padding_len = 8 - (data_len_left % 8);
356                         DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
357                                 ss_padding_len ));
358                 }
359         }
360
361         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
362                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
363         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
364
365         /*
366          * Init the parse struct to point at the outgoing
367          * data.
368          */
369
370         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
371
372         /* Store the header in the data stream. */
373         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
374                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
375                 prs_mem_free(&p->out_data.frag);
376                 return False;
377         }
378
379         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
380                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
381                 prs_mem_free(&p->out_data.frag);
382                 return False;
383         }
384
385         /* Store the current offset. */
386         data_pos = prs_offset(&p->out_data.frag);
387
388         /* Copy the data into the PDU. */
389
390         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
391                                      p->out_data.data_sent_length, data_len)) {
392                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
393                 prs_mem_free(&p->out_data.frag);
394                 return False;
395         }
396
397         /* Copy the sign/seal padding data. */
398         if (ss_padding_len) {
399                 char pad[8];
400                 memset(pad, '\0', 8);
401                 if (!prs_copy_data_in(&p->out_data.frag, pad,
402                                       ss_padding_len)) {
403                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
404                         prs_mem_free(&p->out_data.frag);
405                         return False;
406                 }
407         }
408
409         {
410                 /*
411                  * Schannel processing.
412                  */
413                 RPC_HDR_AUTH auth_info;
414                 DATA_BLOB blob;
415                 uint8_t *data;
416
417                 /* Check it's the type of reply we were expecting to decode */
418
419                 init_rpc_hdr_auth(&auth_info,
420                                 DCERPC_AUTH_TYPE_SCHANNEL,
421                                 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY ?
422                                         DCERPC_AUTH_LEVEL_PRIVACY : DCERPC_AUTH_LEVEL_INTEGRITY,
423                                 ss_padding_len, 1);
424
425                 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
426                                         &p->out_data.frag, 0)) {
427                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
428                         prs_mem_free(&p->out_data.frag);
429                         return False;
430                 }
431
432                 data = (uint8_t *)prs_data_p(&p->out_data.frag) + data_pos;
433
434                 switch (p->auth.auth_level) {
435                 case DCERPC_AUTH_LEVEL_PRIVACY:
436                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
437                                                         talloc_tos(),
438                                                         true,
439                                                         data,
440                                                         data_len + ss_padding_len,
441                                                         &blob);
442                         break;
443                 case DCERPC_AUTH_LEVEL_INTEGRITY:
444                         status = netsec_outgoing_packet(p->auth.a_u.schannel_auth,
445                                                         talloc_tos(),
446                                                         false,
447                                                         data,
448                                                         data_len + ss_padding_len,
449                                                         &blob);
450                         break;
451                 default:
452                         status = NT_STATUS_INTERNAL_ERROR;
453                         break;
454                 }
455
456                 if (!NT_STATUS_IS_OK(status)) {
457                         DEBUG(0,("create_next_pdu_schannel: failed to process packet: %s\n",
458                                 nt_errstr(status)));
459                         prs_mem_free(&p->out_data.frag);
460                         return false;
461                 }
462
463                 /* Finally marshall the blob. */
464
465                 if (DEBUGLEVEL >= 10) {
466                         dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
467                 }
468
469                 if (!prs_copy_data_in(&p->out_data.frag, (const char *)blob.data, blob.length)) {
470                         prs_mem_free(&p->out_data.frag);
471                         return false;
472                 }
473         }
474
475         /*
476          * Setup the counts for this PDU.
477          */
478
479         p->out_data.data_sent_length += data_len;
480         p->out_data.current_pdu_sent = 0;
481
482         return True;
483 }
484
485 /*******************************************************************
486  Generate the next PDU to be returned from the data in p->rdata. 
487  No authentication done.
488 ********************************************************************/
489
490 static bool create_next_pdu_noauth(pipes_struct *p)
491 {
492         RPC_HDR_RESP hdr_resp;
493         uint32 data_len;
494         uint32 data_space_available;
495         uint32 data_len_left;
496
497         /*
498          * If we're in the fault state, keep returning fault PDU's until
499          * the pipe gets closed. JRA.
500          */
501
502         if(p->fault_state) {
503                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
504                 return True;
505         }
506
507         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
508
509         /* Change the incoming request header to a response. */
510         p->hdr.pkt_type = DCERPC_PKT_RESPONSE;
511
512         /* Set up rpc header flags. */
513         if (p->out_data.data_sent_length == 0) {
514                 p->hdr.flags = DCERPC_PFC_FLAG_FIRST;
515         } else {
516                 p->hdr.flags = 0;
517         }
518
519         /*
520          * Work out how much we can fit in a single PDU.
521          */
522
523         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
524
525         /*
526          * Ensure there really is data left to send.
527          */
528
529         if(!data_len_left) {
530                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
531                 return False;
532         }
533
534         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
535                 - RPC_HDR_RESP_LEN;
536
537         /*
538          * The amount we send is the minimum of the available
539          * space and the amount left to send.
540          */
541
542         data_len = MIN(data_len_left, data_space_available);
543
544         /*
545          * Set up the alloc hint. This should be the data left to
546          * send.
547          */
548
549         hdr_resp.alloc_hint = data_len_left;
550
551         /*
552          * Work out if this PDU will be the last.
553          */
554
555         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
556                 p->hdr.flags |= DCERPC_PFC_FLAG_LAST;
557         }
558
559         /*
560          * Set up the header lengths.
561          */
562
563         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
564         p->hdr.auth_len = 0;
565
566         /*
567          * Init the parse struct to point at the outgoing
568          * data.
569          */
570
571         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
572
573         /* Store the header in the data stream. */
574         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
575                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
576                 prs_mem_free(&p->out_data.frag);
577                 return False;
578         }
579
580         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
581                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
582                 prs_mem_free(&p->out_data.frag);
583                 return False;
584         }
585
586         /* Copy the data into the PDU. */
587
588         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
589                                      p->out_data.data_sent_length, data_len)) {
590                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
591                 prs_mem_free(&p->out_data.frag);
592                 return False;
593         }
594
595         /*
596          * Setup the counts for this PDU.
597          */
598
599         p->out_data.data_sent_length += data_len;
600         p->out_data.current_pdu_sent = 0;
601
602         return True;
603 }
604
605 /*******************************************************************
606  Generate the next PDU to be returned from the data in p->rdata. 
607 ********************************************************************/
608
609 bool create_next_pdu(pipes_struct *p)
610 {
611         switch(p->auth.auth_level) {
612                 case DCERPC_AUTH_LEVEL_NONE:
613                 case DCERPC_AUTH_LEVEL_CONNECT:
614                         /* This is incorrect for auth level connect. Fixme. JRA */
615                         return create_next_pdu_noauth(p);
616
617                 default:
618                         switch(p->auth.auth_type) {
619                                 case PIPE_AUTH_TYPE_NTLMSSP:
620                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
621                                         return create_next_pdu_ntlmssp(p);
622                                 case PIPE_AUTH_TYPE_SCHANNEL:
623                                         return create_next_pdu_schannel(p);
624                                 default:
625                                         break;
626                         }
627         }
628
629         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
630                         (unsigned int)p->auth.auth_level,
631                         (unsigned int)p->auth.auth_type));
632         return False;
633 }
634
635 /*******************************************************************
636  Process an NTLMSSP authentication response.
637  If this function succeeds, the user has been authenticated
638  and their domain, name and calling workstation stored in
639  the pipe struct.
640 *******************************************************************/
641
642 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
643 {
644         DATA_BLOB session_key, reply;
645         NTSTATUS status;
646         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
647         bool ret;
648
649         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
650                  get_pipe_name_from_iface(&p->syntax)));
651
652         ZERO_STRUCT(reply);
653
654         /* this has to be done as root in order to verify the password */
655         become_root();
656         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
657         unbecome_root();
658
659         /* Don't generate a reply. */
660         data_blob_free(&reply);
661
662         if (!NT_STATUS_IS_OK(status)) {
663                 return False;
664         }
665
666         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
667            ensure the underlying NTLMSSP flags are also set. If not we should
668            refuse the bind. */
669
670         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
671                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
672                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
673                                 "but client declined signing.\n",
674                                 get_pipe_name_from_iface(&p->syntax)));
675                         return False;
676                 }
677         }
678         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
679                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
680                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
681                                 "but client declined sealing.\n",
682                                 get_pipe_name_from_iface(&p->syntax)));
683                         return False;
684                 }
685         }
686
687         DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
688                   "workstation: %s\n", a->ntlmssp_state->user,
689                   a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
690
691         if (a->server_info->ptok == NULL) {
692                 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
693                 return False;
694         }
695
696         TALLOC_FREE(p->server_info);
697
698         p->server_info = copy_serverinfo(p, a->server_info);
699         if (p->server_info == NULL) {
700                 DEBUG(0, ("copy_serverinfo failed\n"));
701                 return false;
702         }
703
704         /*
705          * We're an authenticated bind over smb, so the session key needs to
706          * be set to "SystemLibraryDTC". Weird, but this is what Windows
707          * does. See the RPC-SAMBA3SESSIONKEY.
708          */
709
710         session_key = generic_session_key();
711         if (session_key.data == NULL) {
712                 return False;
713         }
714
715         ret = server_info_set_session_key(p->server_info, session_key);
716
717         data_blob_free(&session_key);
718
719         return True;
720 }
721
722 /*******************************************************************
723  The switch table for the pipe names and the functions to handle them.
724 *******************************************************************/
725
726 struct rpc_table {
727         struct {
728                 const char *clnt;
729                 const char *srv;
730         } pipe;
731         struct ndr_syntax_id rpc_interface;
732         const struct api_struct *cmds;
733         int n_cmds;
734 };
735
736 static struct rpc_table *rpc_lookup;
737 static int rpc_lookup_size;
738
739 /*******************************************************************
740  This is the "stage3" NTLMSSP response after a bind request and reply.
741 *******************************************************************/
742
743 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
744 {
745         RPC_HDR_AUTH auth_info;
746         uint32 pad = 0;
747         DATA_BLOB blob;
748
749         ZERO_STRUCT(blob);
750
751         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
752
753         if (p->hdr.auth_len == 0) {
754                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
755                 goto err;
756         }
757
758         /* 4 bytes padding. */
759         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
760                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
761                 goto err;
762         }
763
764         /*
765          * Decode the authentication verifier response.
766          */
767
768         if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
769                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
770                 goto err;
771         }
772
773         if (auth_info.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
774                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
775                         (unsigned int)auth_info.auth_type ));
776                 return False;
777         }
778
779         blob = data_blob(NULL,p->hdr.auth_len);
780
781         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
782                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
783                         (unsigned int)p->hdr.auth_len ));
784                 goto err;
785         }
786
787         /*
788          * The following call actually checks the challenge/response data.
789          * for correctness against the given DOMAIN\user name.
790          */
791
792         if (!pipe_ntlmssp_verify_final(p, &blob)) {
793                 goto err;
794         }
795
796         data_blob_free(&blob);
797
798         p->pipe_bound = True;
799
800         return True;
801
802  err:
803
804         data_blob_free(&blob);
805         free_pipe_ntlmssp_auth_data(&p->auth);
806         p->auth.a_u.auth_ntlmssp_state = NULL;
807
808         return False;
809 }
810
811 /*******************************************************************
812  Marshall a bind_nak pdu.
813 *******************************************************************/
814
815 static bool setup_bind_nak(pipes_struct *p)
816 {
817         RPC_HDR nak_hdr;
818         uint16 zero = 0;
819
820         /* Free any memory in the current return data buffer. */
821         prs_mem_free(&p->out_data.rdata);
822
823         /*
824          * Marshall directly into the outgoing PDU space. We
825          * must do this as we need to set to the bind response
826          * header and are never sending more than one PDU here.
827          */
828
829         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
830
831         /*
832          * Initialize a bind_nak header.
833          */
834
835         init_rpc_hdr(&nak_hdr, DCERPC_PKT_BIND_NAK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
836                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
837
838         /*
839          * Marshall the header into the outgoing PDU.
840          */
841
842         if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
843                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
844                 prs_mem_free(&p->out_data.frag);
845                 return False;
846         }
847
848         /*
849          * Now add the reject reason.
850          */
851
852         if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
853                 prs_mem_free(&p->out_data.frag);
854                 return False;
855         }
856
857         p->out_data.data_sent_length = 0;
858         p->out_data.current_pdu_sent = 0;
859
860         if (p->auth.auth_data_free_func) {
861                 (*p->auth.auth_data_free_func)(&p->auth);
862         }
863         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
864         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
865         p->pipe_bound = False;
866
867         return True;
868 }
869
870 /*******************************************************************
871  Marshall a fault pdu.
872 *******************************************************************/
873
874 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
875 {
876         RPC_HDR fault_hdr;
877         RPC_HDR_RESP hdr_resp;
878         RPC_HDR_FAULT fault_resp;
879
880         /* Free any memory in the current return data buffer. */
881         prs_mem_free(&p->out_data.rdata);
882
883         /*
884          * Marshall directly into the outgoing PDU space. We
885          * must do this as we need to set to the bind response
886          * header and are never sending more than one PDU here.
887          */
888
889         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
890
891         /*
892          * Initialize a fault header.
893          */
894
895         init_rpc_hdr(&fault_hdr, DCERPC_PKT_FAULT, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
896             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
897
898         /*
899          * Initialize the HDR_RESP and FAULT parts of the PDU.
900          */
901
902         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
903
904         fault_resp.status = status;
905         fault_resp.reserved = 0;
906
907         /*
908          * Marshall the header into the outgoing PDU.
909          */
910
911         if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
912                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
913                 prs_mem_free(&p->out_data.frag);
914                 return False;
915         }
916
917         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
918                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
919                 prs_mem_free(&p->out_data.frag);
920                 return False;
921         }
922
923         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
924                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
925                 prs_mem_free(&p->out_data.frag);
926                 return False;
927         }
928
929         p->out_data.data_sent_length = 0;
930         p->out_data.current_pdu_sent = 0;
931
932         return True;
933 }
934
935 #if 0
936 /*******************************************************************
937  Marshall a cancel_ack pdu.
938  We should probably check the auth-verifier here.
939 *******************************************************************/
940
941 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
942 {
943         prs_struct outgoing_pdu;
944         RPC_HDR ack_reply_hdr;
945
946         /* Free any memory in the current return data buffer. */
947         prs_mem_free(&p->out_data.rdata);
948
949         /*
950          * Marshall directly into the outgoing PDU space. We
951          * must do this as we need to set to the bind response
952          * header and are never sending more than one PDU here.
953          */
954
955         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
956         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
957
958         /*
959          * Initialize a cancel_ack header.
960          */
961
962         init_rpc_hdr(&ack_reply_hdr, DCERPC_PKT_CANCEL_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
963                         p->hdr.call_id, RPC_HEADER_LEN, 0);
964
965         /*
966          * Marshall the header into the outgoing PDU.
967          */
968
969         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
970                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
971                 prs_mem_free(&outgoing_pdu);
972                 return False;
973         }
974
975         p->out_data.data_sent_length = 0;
976         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
977         p->out_data.current_pdu_sent = 0;
978
979         prs_mem_free(&outgoing_pdu);
980         return True;
981 }
982 #endif
983
984 /*******************************************************************
985  Ensure a bind request has the correct abstract & transfer interface.
986  Used to reject unknown binds from Win2k.
987 *******************************************************************/
988
989 static bool check_bind_req(struct pipes_struct *p,
990                            struct ndr_syntax_id* abstract,
991                            struct ndr_syntax_id* transfer,
992                            uint32 context_id)
993 {
994         int i=0;
995         struct pipe_rpc_fns *context_fns;
996
997         DEBUG(3,("check_bind_req for %s\n",
998                  get_pipe_name_from_iface(&p->syntax)));
999
1000         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
1001
1002         for (i=0; i<rpc_lookup_size; i++) {
1003                 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
1004                 if (ndr_syntax_id_equal(
1005                             abstract, &rpc_lookup[i].rpc_interface)
1006                     && ndr_syntax_id_equal(
1007                             transfer, &ndr_transfer_syntax)) {
1008                         break;
1009                 }
1010         }
1011
1012         if (i == rpc_lookup_size) {
1013                 return false;
1014         }
1015
1016         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
1017         if (context_fns == NULL) {
1018                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
1019                 return False;
1020         }
1021
1022         context_fns->cmds = rpc_lookup[i].cmds;
1023         context_fns->n_cmds = rpc_lookup[i].n_cmds;
1024         context_fns->context_id = context_id;
1025
1026         /* add to the list of open contexts */
1027
1028         DLIST_ADD( p->contexts, context_fns );
1029
1030         return True;
1031 }
1032
1033 /*******************************************************************
1034  Register commands to an RPC pipe
1035 *******************************************************************/
1036
1037 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
1038                           const struct ndr_interface_table *iface,
1039                           const struct api_struct *cmds, int size)
1040 {
1041         struct rpc_table *rpc_entry;
1042
1043         if (!clnt || !srv || !cmds) {
1044                 return NT_STATUS_INVALID_PARAMETER;
1045         }
1046
1047         if (version != SMB_RPC_INTERFACE_VERSION) {
1048                 DEBUG(0,("Can't register rpc commands!\n"
1049                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1050                          ", while this version of samba uses version %d!\n", 
1051                          version,SMB_RPC_INTERFACE_VERSION));
1052                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1053         }
1054
1055         /* TODO: 
1056          *
1057          * we still need to make sure that don't register the same commands twice!!!
1058          * 
1059          * --metze
1060          */
1061
1062         /* We use a temporary variable because this call can fail and 
1063            rpc_lookup will still be valid afterwards.  It could then succeed if
1064            called again later */
1065         rpc_lookup_size++;
1066         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1067         if (NULL == rpc_entry) {
1068                 rpc_lookup_size--;
1069                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1070                 return NT_STATUS_NO_MEMORY;
1071         } else {
1072                 rpc_lookup = rpc_entry;
1073         }
1074
1075         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1076         ZERO_STRUCTP(rpc_entry);
1077         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1078         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1079         rpc_entry->rpc_interface = iface->syntax_id;
1080         rpc_entry->cmds = cmds;
1081         rpc_entry->n_cmds = size;
1082
1083         return NT_STATUS_OK;
1084 }
1085
1086 /**
1087  * Is a named pipe known?
1088  * @param[in] cli_filename      The pipe name requested by the client
1089  * @result                      Do we want to serve this?
1090  */
1091 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
1092 {
1093         const char *pipename = cli_filename;
1094         int i;
1095         NTSTATUS status;
1096
1097         if (strnequal(pipename, "\\PIPE\\", 6)) {
1098                 pipename += 5;
1099         }
1100
1101         if (*pipename == '\\') {
1102                 pipename += 1;
1103         }
1104
1105         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1106                 DEBUG(10, ("refusing spoolss access\n"));
1107                 return false;
1108         }
1109
1110         for (i=0; i<rpc_lookup_size; i++) {
1111                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1112                         *syntax = rpc_lookup[i].rpc_interface;
1113                         return true;
1114                 }
1115         }
1116
1117         status = smb_probe_module("rpc", pipename);
1118         if (!NT_STATUS_IS_OK(status)) {
1119                 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1120                 return false;
1121         }
1122         DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
1123
1124         /*
1125          * Scan the list again for the interface id
1126          */
1127
1128         for (i=0; i<rpc_lookup_size; i++) {
1129                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1130                         *syntax = rpc_lookup[i].rpc_interface;
1131                         return true;
1132                 }
1133         }
1134
1135         DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
1136                    pipename));
1137
1138         return false;
1139 }
1140
1141 /*******************************************************************
1142  Handle a SPNEGO krb5 bind auth.
1143 *******************************************************************/
1144
1145 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
1146                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1147 {
1148         return False;
1149 }
1150
1151 /*******************************************************************
1152  Handle the first part of a SPNEGO bind auth.
1153 *******************************************************************/
1154
1155 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
1156                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1157 {
1158         DATA_BLOB blob;
1159         DATA_BLOB secblob;
1160         DATA_BLOB response;
1161         DATA_BLOB chal;
1162         char *OIDs[ASN1_MAX_OIDS];
1163         int i;
1164         NTSTATUS status;
1165         bool got_kerberos_mechanism = false;
1166         AUTH_NTLMSSP_STATE *a = NULL;
1167         RPC_HDR_AUTH auth_info;
1168
1169         ZERO_STRUCT(secblob);
1170         ZERO_STRUCT(chal);
1171         ZERO_STRUCT(response);
1172
1173         /* Grab the SPNEGO blob. */
1174         blob = data_blob(NULL,p->hdr.auth_len);
1175
1176         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1177                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1178                         (unsigned int)p->hdr.auth_len ));
1179                 goto err;
1180         }
1181
1182         if (blob.data[0] != ASN1_APPLICATION(0)) {
1183                 goto err;
1184         }
1185
1186         /* parse out the OIDs and the first sec blob */
1187         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1188                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1189                 goto err;
1190         }
1191
1192         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1193                 got_kerberos_mechanism = true;
1194         }
1195
1196         for (i=0;OIDs[i];i++) {
1197                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1198                 TALLOC_FREE(OIDs[i]);
1199         }
1200         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1201
1202         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1203                 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1204                 data_blob_free(&secblob);
1205                 data_blob_free(&blob);
1206                 return ret;
1207         }
1208
1209         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1210                 /* Free any previous auth type. */
1211                 free_pipe_ntlmssp_auth_data(&p->auth);
1212         }
1213
1214         if (!got_kerberos_mechanism) {
1215                 /* Initialize the NTLM engine. */
1216                 status = auth_ntlmssp_start(&a);
1217                 if (!NT_STATUS_IS_OK(status)) {
1218                         goto err;
1219                 }
1220
1221                 /*
1222                  * Pass the first security blob of data to it.
1223                  * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1224                  * which means we need another packet to complete the bind.
1225                  */
1226
1227                 status = auth_ntlmssp_update(a, secblob, &chal);
1228
1229                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1230                         DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1231                         goto err;
1232                 }
1233
1234                 /* Generate the response blob we need for step 2 of the bind. */
1235                 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1236         } else {
1237                 /*
1238                  * SPNEGO negotiate down to NTLMSSP. The subsequent
1239                  * code to process follow-up packets is not complete
1240                  * yet. JRA.
1241                  */
1242                 response = spnego_gen_auth_response(NULL,
1243                                         NT_STATUS_MORE_PROCESSING_REQUIRED,
1244                                         OID_NTLMSSP);
1245         }
1246
1247         /* Copy the blob into the pout_auth parse struct */
1248         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1249         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1250                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1251                 goto err;
1252         }
1253
1254         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1255                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1256                 goto err;
1257         }
1258
1259         p->auth.a_u.auth_ntlmssp_state = a;
1260         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1261         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1262
1263         data_blob_free(&blob);
1264         data_blob_free(&secblob);
1265         data_blob_free(&chal);
1266         data_blob_free(&response);
1267
1268         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1269         return True;
1270
1271  err:
1272
1273         data_blob_free(&blob);
1274         data_blob_free(&secblob);
1275         data_blob_free(&chal);
1276         data_blob_free(&response);
1277
1278         p->auth.a_u.auth_ntlmssp_state = NULL;
1279
1280         return False;
1281 }
1282
1283 /*******************************************************************
1284  Handle the second part of a SPNEGO bind auth.
1285 *******************************************************************/
1286
1287 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
1288                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1289 {
1290         RPC_HDR_AUTH auth_info;
1291         DATA_BLOB spnego_blob;
1292         DATA_BLOB auth_blob;
1293         DATA_BLOB auth_reply;
1294         DATA_BLOB response;
1295         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1296
1297         ZERO_STRUCT(spnego_blob);
1298         ZERO_STRUCT(auth_blob);
1299         ZERO_STRUCT(auth_reply);
1300         ZERO_STRUCT(response);
1301
1302         /*
1303          * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1304          * fail here as 'a' == NULL.
1305          */
1306         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1307                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1308                 goto err;
1309         }
1310
1311         /* Grab the SPNEGO blob. */
1312         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1313
1314         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1315                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1316                         (unsigned int)p->hdr.auth_len ));
1317                 goto err;
1318         }
1319
1320         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1321                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1322                 goto err;
1323         }
1324
1325         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1326                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1327                 goto err;
1328         }
1329
1330         /*
1331          * The following call actually checks the challenge/response data.
1332          * for correctness against the given DOMAIN\user name.
1333          */
1334
1335         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1336                 goto err;
1337         }
1338
1339         data_blob_free(&spnego_blob);
1340         data_blob_free(&auth_blob);
1341
1342         /* Generate the spnego "accept completed" blob - no incoming data. */
1343         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1344
1345         /* Copy the blob into the pout_auth parse struct */
1346         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SPNEGO, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1347         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1348                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1349                 goto err;
1350         }
1351
1352         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1353                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1354                 goto err;
1355         }
1356
1357         data_blob_free(&auth_reply);
1358         data_blob_free(&response);
1359
1360         p->pipe_bound = True;
1361
1362         return True;
1363
1364  err:
1365
1366         data_blob_free(&spnego_blob);
1367         data_blob_free(&auth_blob);
1368         data_blob_free(&auth_reply);
1369         data_blob_free(&response);
1370
1371         free_pipe_ntlmssp_auth_data(&p->auth);
1372         p->auth.a_u.auth_ntlmssp_state = NULL;
1373
1374         return False;
1375 }
1376
1377 /*******************************************************************
1378  Handle an schannel bind auth.
1379 *******************************************************************/
1380
1381 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1382                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1383 {
1384         RPC_HDR_AUTH auth_info;
1385         struct NL_AUTH_MESSAGE neg;
1386         struct NL_AUTH_MESSAGE reply;
1387         bool ret;
1388         NTSTATUS status;
1389         struct netlogon_creds_CredentialState *creds;
1390         DATA_BLOB session_key;
1391         enum ndr_err_code ndr_err;
1392         DATA_BLOB blob;
1393
1394         blob = data_blob_const(prs_data_p(rpc_in_p) + prs_offset(rpc_in_p),
1395                                prs_data_size(rpc_in_p));
1396
1397         ndr_err = ndr_pull_struct_blob(&blob, talloc_tos(), NULL, &neg,
1398                                (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
1399         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1400                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1401                 return false;
1402         }
1403
1404         if (DEBUGLEVEL >= 10) {
1405                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
1406         }
1407
1408         if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
1409                 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
1410                 return false;
1411         }
1412
1413         /*
1414          * The neg.oem_netbios_computer.a key here must match the remote computer name
1415          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1416          * operations that use credentials.
1417          */
1418
1419         become_root();
1420         status = schannel_fetch_session_key(p,
1421                                             neg.oem_netbios_computer.a,
1422                                             &creds);
1423         unbecome_root();
1424
1425         if (!NT_STATUS_IS_OK(status)) {
1426                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1427                 return False;
1428         }
1429
1430         p->auth.a_u.schannel_auth = talloc(p, struct schannel_state);
1431         if (!p->auth.a_u.schannel_auth) {
1432                 TALLOC_FREE(creds);
1433                 return False;
1434         }
1435
1436         p->auth.a_u.schannel_auth->state = SCHANNEL_STATE_START;
1437         p->auth.a_u.schannel_auth->seq_num = 0;
1438         p->auth.a_u.schannel_auth->initiator = false;
1439         p->auth.a_u.schannel_auth->creds = creds;
1440
1441         /*
1442          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1443          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1444          * struct of the person who opened the pipe. I need to test this further. JRA.
1445          *
1446          * VL. As we are mapping this to guest set the generic key
1447          * "SystemLibraryDTC" key here. It's a bit difficult to test against
1448          * W2k3, as it does not allow schannel binds against SAMR and LSA
1449          * anymore.
1450          */
1451
1452         session_key = generic_session_key();
1453         if (session_key.data == NULL) {
1454                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1455                           " key\n"));
1456                 return false;
1457         }
1458
1459         ret = server_info_set_session_key(p->server_info, session_key);
1460
1461         data_blob_free(&session_key);
1462
1463         if (!ret) {
1464                 DEBUG(0, ("server_info_set_session_key failed\n"));
1465                 return false;
1466         }
1467
1468         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_SCHANNEL, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1469         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1470                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1471                 return False;
1472         }
1473
1474         /*** SCHANNEL verifier ***/
1475
1476         reply.MessageType                       = NL_NEGOTIATE_RESPONSE;
1477         reply.Flags                             = 0;
1478         reply.Buffer.dummy                      = 5; /* ??? actually I don't think
1479                                                       * this has any meaning
1480                                                       * here - gd */
1481
1482         ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), NULL, &reply,
1483                        (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
1484         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1485                 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
1486                 return false;
1487         }
1488
1489         if (DEBUGLEVEL >= 10) {
1490                 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
1491         }
1492
1493         if (!prs_copy_data_in(pout_auth, (const char *)blob.data, blob.length)) {
1494                 return false;
1495         }
1496
1497         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1498                 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
1499
1500         /* We're finished with this bind - no more packets. */
1501         p->auth.auth_data_free_func = NULL;
1502         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1503
1504         p->pipe_bound = True;
1505
1506         return True;
1507 }
1508
1509 /*******************************************************************
1510  Handle an NTLMSSP bind auth.
1511 *******************************************************************/
1512
1513 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
1514                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1515 {
1516         RPC_HDR_AUTH auth_info;
1517         DATA_BLOB blob;
1518         DATA_BLOB response;
1519         NTSTATUS status;
1520         AUTH_NTLMSSP_STATE *a = NULL;
1521
1522         ZERO_STRUCT(blob);
1523         ZERO_STRUCT(response);
1524
1525         /* Grab the NTLMSSP blob. */
1526         blob = data_blob(NULL,p->hdr.auth_len);
1527
1528         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1529                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1530                         (unsigned int)p->hdr.auth_len ));
1531                 goto err;
1532         }
1533
1534         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1535                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1536                 goto err;
1537         }
1538
1539         /* We have an NTLMSSP blob. */
1540         status = auth_ntlmssp_start(&a);
1541         if (!NT_STATUS_IS_OK(status)) {
1542                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1543                         nt_errstr(status) ));
1544                 goto err;
1545         }
1546
1547         status = auth_ntlmssp_update(a, blob, &response);
1548         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1549                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1550                         nt_errstr(status) ));
1551                 goto err;
1552         }
1553
1554         data_blob_free(&blob);
1555
1556         /* Copy the blob into the pout_auth parse struct */
1557         init_rpc_hdr_auth(&auth_info, DCERPC_AUTH_TYPE_NTLMSSP, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1558         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1559                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1560                 goto err;
1561         }
1562
1563         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1564                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1565                 goto err;
1566         }
1567
1568         p->auth.a_u.auth_ntlmssp_state = a;
1569         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1570         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1571
1572         data_blob_free(&blob);
1573         data_blob_free(&response);
1574
1575         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1576
1577         /* We can't set pipe_bound True yet - we need an DCERPC_PKT_AUTH3 response packet... */
1578         return True;
1579
1580   err:
1581
1582         data_blob_free(&blob);
1583         data_blob_free(&response);
1584
1585         free_pipe_ntlmssp_auth_data(&p->auth);
1586         p->auth.a_u.auth_ntlmssp_state = NULL;
1587         return False;
1588 }
1589
1590 /*******************************************************************
1591  Respond to a pipe bind request.
1592 *******************************************************************/
1593
1594 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
1595 {
1596         RPC_HDR_BA hdr_ba;
1597         RPC_HDR_RB hdr_rb;
1598         RPC_HDR_AUTH auth_info;
1599         uint16 assoc_gid;
1600         fstring ack_pipe_name;
1601         prs_struct out_hdr_ba;
1602         prs_struct out_auth;
1603         int i = 0;
1604         int auth_len = 0;
1605         unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
1606
1607         /* No rebinds on a bound pipe - use alter context. */
1608         if (p->pipe_bound) {
1609                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1610                          "pipe %s.\n", get_pipe_name_from_iface(&p->syntax)));
1611                 return setup_bind_nak(p);
1612         }
1613
1614         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1615
1616         /* 
1617          * Marshall directly into the outgoing PDU space. We
1618          * must do this as we need to set to the bind response
1619          * header and are never sending more than one PDU here.
1620          */
1621
1622         /*
1623          * Setup the memory to marshall the ba header, and the
1624          * auth footers.
1625          */
1626
1627         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1628                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1629                 prs_mem_free(&p->out_data.frag);
1630                 return False;
1631         }
1632
1633         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1634                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1635                 prs_mem_free(&p->out_data.frag);
1636                 prs_mem_free(&out_hdr_ba);
1637                 return False;
1638         }
1639
1640         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1641
1642         ZERO_STRUCT(hdr_rb);
1643
1644         /* decode the bind request */
1645
1646         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1647                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1648                          "struct.\n"));
1649                 goto err_exit;
1650         }
1651
1652         if (hdr_rb.num_contexts == 0) {
1653                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1654                 goto err_exit;
1655         }
1656
1657         /*
1658          * Try and find the correct pipe name to ensure
1659          * that this is a pipe name we support.
1660          */
1661
1662         for (i = 0; i < rpc_lookup_size; i++) {
1663                 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1664                                         &hdr_rb.rpc_context[0].abstract)) {
1665                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1666                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1667                         break;
1668                 }
1669         }
1670
1671         if (i == rpc_lookup_size) {
1672                 NTSTATUS status;
1673
1674                 status = smb_probe_module(
1675                         "rpc", get_pipe_name_from_iface(
1676                                 &hdr_rb.rpc_context[0].abstract));
1677
1678                 if (NT_STATUS_IS_ERR(status)) {
1679                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1680                                 get_pipe_name_from_iface(&hdr_rb.rpc_context[0].abstract)));
1681                         prs_mem_free(&p->out_data.frag);
1682                         prs_mem_free(&out_hdr_ba);
1683                         prs_mem_free(&out_auth);
1684
1685                         return setup_bind_nak(p);
1686                 }
1687
1688                 for (i = 0; i < rpc_lookup_size; i++) {
1689                        if (strequal(rpc_lookup[i].pipe.clnt,
1690                                     get_pipe_name_from_iface(&p->syntax))) {
1691                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1692                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1693                                break;
1694                        }
1695                 }
1696
1697                 if (i == rpc_lookup_size) {
1698                         DEBUG(0, ("module %s doesn't provide functions for "
1699                                   "pipe %s!\n",
1700                                   get_pipe_name_from_iface(&p->syntax),
1701                                   get_pipe_name_from_iface(&p->syntax)));
1702                         goto err_exit;
1703                 }
1704         }
1705
1706         /* name has to be \PIPE\xxxxx */
1707         fstrcpy(ack_pipe_name, "\\PIPE\\");
1708         fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1709
1710         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1711
1712         /*
1713          * Check if this is an authenticated bind request.
1714          */
1715
1716         if (p->hdr.auth_len) {
1717                 /* 
1718                  * Decode the authentication verifier.
1719                  */
1720
1721                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1722                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1723                         goto err_exit;
1724                 }
1725
1726                 auth_type = auth_info.auth_type;
1727
1728                 /* Work out if we have to sign or seal etc. */
1729                 switch (auth_info.auth_level) {
1730                         case DCERPC_AUTH_LEVEL_INTEGRITY:
1731                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
1732                                 break;
1733                         case DCERPC_AUTH_LEVEL_PRIVACY:
1734                                 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
1735                                 break;
1736                         default:
1737                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1738                                         (unsigned int)auth_info.auth_level ));
1739                                 goto err_exit;
1740                 }
1741         } else {
1742                 ZERO_STRUCT(auth_info);
1743         }
1744
1745         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1746
1747         switch(auth_type) {
1748                 case DCERPC_AUTH_TYPE_NTLMSSP:
1749                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1750                                 goto err_exit;
1751                         }
1752                         assoc_gid = 0x7a77;
1753                         break;
1754
1755                 case DCERPC_AUTH_TYPE_SCHANNEL:
1756                         if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1757                                 goto err_exit;
1758                         }
1759                         break;
1760
1761                 case DCERPC_AUTH_TYPE_SPNEGO:
1762                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1763                                 goto err_exit;
1764                         }
1765                         break;
1766
1767                 case DCERPC_AUTH_TYPE_NONE:
1768                         /* Unauthenticated bind request. */
1769                         /* We're finished - no more packets. */
1770                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1771                         /* We must set the pipe auth_level here also. */
1772                         p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1773                         p->pipe_bound = True;
1774                         /* The session key was initialized from the SMB
1775                          * session in make_internal_rpc_pipe_p */
1776                         break;
1777
1778                 default:
1779                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1780                         goto err_exit;
1781         }
1782
1783         /*
1784          * Create the bind response struct.
1785          */
1786
1787         /* If the requested abstract synt uuid doesn't match our client pipe,
1788                 reject the bind_ack & set the transfer interface synt to all 0's,
1789                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1790                 unknown to NT4)
1791                 Needed when adding entries to a DACL from NT5 - SK */
1792
1793         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1794                                 hdr_rb.rpc_context[0].context_id )) {
1795                 init_rpc_hdr_ba(&hdr_ba,
1796                         RPC_MAX_PDU_FRAG_LEN,
1797                         RPC_MAX_PDU_FRAG_LEN,
1798                         assoc_gid,
1799                         ack_pipe_name,
1800                         0x1, 0x0, 0x0,
1801                         &hdr_rb.rpc_context[0].transfer[0]);
1802         } else {
1803                 /* Rejection reason: abstract syntax not supported */
1804                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1805                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1806                                         ack_pipe_name, 0x1, 0x2, 0x1,
1807                                         &null_ndr_syntax_id);
1808                 p->pipe_bound = False;
1809         }
1810
1811         /*
1812          * and marshall it.
1813          */
1814
1815         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1816                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1817                 goto err_exit;
1818         }
1819
1820         /*
1821          * Create the header, now we know the length.
1822          */
1823
1824         if (prs_offset(&out_auth)) {
1825                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1826         }
1827
1828         init_rpc_hdr(&p->hdr, DCERPC_PKT_BIND_ACK, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
1829                         p->hdr.call_id,
1830                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1831                         auth_len);
1832
1833         /*
1834          * Marshall the header into the outgoing PDU.
1835          */
1836
1837         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1838                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1839                 goto err_exit;
1840         }
1841
1842         /*
1843          * Now add the RPC_HDR_BA and any auth needed.
1844          */
1845
1846         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1847                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1848                 goto err_exit;
1849         }
1850
1851         if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1852                 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1853                 goto err_exit;
1854         }
1855
1856         /*
1857          * Setup the lengths for the initial reply.
1858          */
1859
1860         p->out_data.data_sent_length = 0;
1861         p->out_data.current_pdu_sent = 0;
1862
1863         prs_mem_free(&out_hdr_ba);
1864         prs_mem_free(&out_auth);
1865
1866         return True;
1867
1868   err_exit:
1869
1870         prs_mem_free(&p->out_data.frag);
1871         prs_mem_free(&out_hdr_ba);
1872         prs_mem_free(&out_auth);
1873         return setup_bind_nak(p);
1874 }
1875
1876 /****************************************************************************
1877  Deal with an alter context call. Can be third part of 3 leg auth request for
1878  SPNEGO calls.
1879 ****************************************************************************/
1880
1881 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
1882 {
1883         RPC_HDR_BA hdr_ba;
1884         RPC_HDR_RB hdr_rb;
1885         RPC_HDR_AUTH auth_info;
1886         uint16 assoc_gid;
1887         fstring ack_pipe_name;
1888         prs_struct out_hdr_ba;
1889         prs_struct out_auth;
1890         int auth_len = 0;
1891
1892         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1893
1894         /* 
1895          * Marshall directly into the outgoing PDU space. We
1896          * must do this as we need to set to the bind response
1897          * header and are never sending more than one PDU here.
1898          */
1899
1900         /*
1901          * Setup the memory to marshall the ba header, and the
1902          * auth footers.
1903          */
1904
1905         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1906                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1907                 prs_mem_free(&p->out_data.frag);
1908                 return False;
1909         }
1910
1911         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1912                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1913                 prs_mem_free(&p->out_data.frag);
1914                 prs_mem_free(&out_hdr_ba);
1915                 return False;
1916         }
1917
1918         ZERO_STRUCT(hdr_rb);
1919
1920         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1921
1922         /* decode the alter context request */
1923         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1924                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1925                 goto err_exit;
1926         }
1927
1928         /* secondary address CAN be NULL
1929          * as the specs say it's ignored.
1930          * It MUST be NULL to have the spoolss working.
1931          */
1932         fstrcpy(ack_pipe_name,"");
1933
1934         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1935
1936         /*
1937          * Check if this is an authenticated alter context request.
1938          */
1939
1940         if (p->hdr.auth_len != 0) {
1941                 /* 
1942                  * Decode the authentication verifier.
1943                  */
1944
1945                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1946                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1947                         goto err_exit;
1948                 }
1949
1950                 /*
1951                  * Currently only the SPNEGO auth type uses the alter ctx
1952                  * response in place of the NTLMSSP auth3 type.
1953                  */
1954
1955                 if (auth_info.auth_type == DCERPC_AUTH_TYPE_SPNEGO) {
1956                         /* We can only finish if the pipe is unbound. */
1957                         if (!p->pipe_bound) {
1958                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1959                                         goto err_exit;
1960                                 }
1961                         } else {
1962                                 goto err_exit;
1963                         }
1964                 }
1965         } else {
1966                 ZERO_STRUCT(auth_info);
1967         }
1968
1969         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1970
1971         /*
1972          * Create the bind response struct.
1973          */
1974
1975         /* If the requested abstract synt uuid doesn't match our client pipe,
1976                 reject the bind_ack & set the transfer interface synt to all 0's,
1977                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1978                 unknown to NT4)
1979                 Needed when adding entries to a DACL from NT5 - SK */
1980
1981         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1982                                 hdr_rb.rpc_context[0].context_id )) {
1983                 init_rpc_hdr_ba(&hdr_ba,
1984                         RPC_MAX_PDU_FRAG_LEN,
1985                         RPC_MAX_PDU_FRAG_LEN,
1986                         assoc_gid,
1987                         ack_pipe_name,
1988                         0x1, 0x0, 0x0,
1989                         &hdr_rb.rpc_context[0].transfer[0]);
1990         } else {
1991                 /* Rejection reason: abstract syntax not supported */
1992                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1993                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1994                                         ack_pipe_name, 0x1, 0x2, 0x1,
1995                                         &null_ndr_syntax_id);
1996                 p->pipe_bound = False;
1997         }
1998
1999         /*
2000          * and marshall it.
2001          */
2002
2003         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
2004                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
2005                 goto err_exit;
2006         }
2007
2008         /*
2009          * Create the header, now we know the length.
2010          */
2011
2012         if (prs_offset(&out_auth)) {
2013                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
2014         }
2015
2016         init_rpc_hdr(&p->hdr, DCERPC_PKT_ALTER_RESP, DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST,
2017                         p->hdr.call_id,
2018                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
2019                         auth_len);
2020
2021         /*
2022          * Marshall the header into the outgoing PDU.
2023          */
2024
2025         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
2026                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
2027                 goto err_exit;
2028         }
2029
2030         /*
2031          * Now add the RPC_HDR_BA and any auth needed.
2032          */
2033
2034         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
2035                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
2036                 goto err_exit;
2037         }
2038
2039         if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) {
2040                 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
2041                 goto err_exit;
2042         }
2043
2044         /*
2045          * Setup the lengths for the initial reply.
2046          */
2047
2048         p->out_data.data_sent_length = 0;
2049         p->out_data.current_pdu_sent = 0;
2050
2051         prs_mem_free(&out_hdr_ba);
2052         prs_mem_free(&out_auth);
2053
2054         return True;
2055
2056   err_exit:
2057
2058         prs_mem_free(&p->out_data.frag);
2059         prs_mem_free(&out_hdr_ba);
2060         prs_mem_free(&out_auth);
2061         return setup_bind_nak(p);
2062 }
2063
2064 /****************************************************************************
2065  Deal with NTLMSSP sign & seal processing on an RPC request.
2066 ****************************************************************************/
2067
2068 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
2069                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
2070 {
2071         RPC_HDR_AUTH auth_info;
2072         uint32 auth_len = p->hdr.auth_len;
2073         uint32 save_offset = prs_offset(rpc_in);
2074         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
2075         unsigned char *data = NULL;
2076         size_t data_len;
2077         unsigned char *full_packet_data = NULL;
2078         size_t full_packet_data_len;
2079         DATA_BLOB auth_blob;
2080
2081         *pstatus = NT_STATUS_OK;
2082
2083         if (p->auth.auth_level == DCERPC_AUTH_LEVEL_NONE || p->auth.auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2084                 return True;
2085         }
2086
2087         if (!a) {
2088                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2089                 return False;
2090         }
2091
2092         /* Ensure there's enough data for an authenticated request. */
2093         if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2094                         (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2095                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2096                         (unsigned int)auth_len ));
2097                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2098                 return False;
2099         }
2100
2101         /*
2102          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2103          * after the RPC header. 
2104          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2105          * functions as NTLMv2 checks the rpc headers also.
2106          */
2107
2108         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2109         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2110
2111         full_packet_data = p->in_data.current_in_pdu;
2112         full_packet_data_len = p->hdr.frag_len - auth_len;
2113
2114         /* Pull the auth header and the following data into a blob. */
2115         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2116                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2117                         (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2118                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2119                 return False;
2120         }
2121
2122         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2123                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2124                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2125                 return False;
2126         }
2127
2128         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2129         auth_blob.length = auth_len;
2130
2131         switch (p->auth.auth_level) {
2132                 case DCERPC_AUTH_LEVEL_PRIVACY:
2133                         /* Data is encrypted. */
2134                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2135                                                         data, data_len,
2136                                                         full_packet_data,
2137                                                         full_packet_data_len,
2138                                                         &auth_blob);
2139                         if (!NT_STATUS_IS_OK(*pstatus)) {
2140                                 return False;
2141                         }
2142                         break;
2143                 case DCERPC_AUTH_LEVEL_INTEGRITY:
2144                         /* Data is signed. */
2145                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2146                                                         data, data_len,
2147                                                         full_packet_data,
2148                                                         full_packet_data_len,
2149                                                         &auth_blob);
2150                         if (!NT_STATUS_IS_OK(*pstatus)) {
2151                                 return False;
2152                         }
2153                         break;
2154                 default:
2155                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2156                         return False;
2157         }
2158
2159         /*
2160          * Return the current pointer to the data offset.
2161          */
2162
2163         if(!prs_set_offset(rpc_in, save_offset)) {
2164                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2165                         (unsigned int)save_offset ));
2166                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2167                 return False;
2168         }
2169
2170         /*
2171          * Remember the padding length. We must remove it from the real data
2172          * stream once the sign/seal is done.
2173          */
2174
2175         *p_ss_padding_len = auth_info.auth_pad_len;
2176
2177         return True;
2178 }
2179
2180 /****************************************************************************
2181  Deal with schannel processing on an RPC request.
2182 ****************************************************************************/
2183
2184 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
2185 {
2186         uint32 data_len;
2187         uint32 auth_len;
2188         uint32 save_offset = prs_offset(rpc_in);
2189         RPC_HDR_AUTH auth_info;
2190         DATA_BLOB blob;
2191         NTSTATUS status;
2192         uint8_t *data;
2193
2194         auth_len = p->hdr.auth_len;
2195
2196         if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2197                         auth_len > RPC_HEADER_LEN +
2198                                         RPC_HDR_REQ_LEN +
2199                                         RPC_HDR_AUTH_LEN +
2200                                         auth_len) {
2201                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2202                 return False;
2203         }
2204
2205         /*
2206          * The following is that length of the data we must verify or unseal.
2207          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2208          * preceeding the auth_data.
2209          */
2210
2211         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2212                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2213                         (unsigned int)p->hdr.frag_len,
2214                         (unsigned int)auth_len ));
2215                 return False;
2216         }
2217
2218         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2219                 RPC_HDR_AUTH_LEN - auth_len;
2220
2221         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2222
2223         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2224                 DEBUG(0,("cannot move offset to %u.\n",
2225                          (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2226                 return False;
2227         }
2228
2229         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2230                 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2231                 return False;
2232         }
2233
2234         if (auth_info.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
2235                 DEBUG(0,("Invalid auth info %d on schannel\n",
2236                          auth_info.auth_type));
2237                 return False;
2238         }
2239
2240         blob = data_blob_const(prs_data_p(rpc_in) + prs_offset(rpc_in), auth_len);
2241
2242         if (DEBUGLEVEL >= 10) {
2243                 dump_NL_AUTH_SIGNATURE(talloc_tos(), &blob);
2244         }
2245
2246         data = (uint8_t *)prs_data_p(rpc_in)+RPC_HDR_REQ_LEN;
2247
2248         switch (auth_info.auth_level) {
2249         case DCERPC_AUTH_LEVEL_PRIVACY:
2250                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2251                                                 talloc_tos(),
2252                                                 true,
2253                                                 data,
2254                                                 data_len,
2255                                                 &blob);
2256                 break;
2257         case DCERPC_AUTH_LEVEL_INTEGRITY:
2258                 status = netsec_incoming_packet(p->auth.a_u.schannel_auth,
2259                                                 talloc_tos(),
2260                                                 false,
2261                                                 data,
2262                                                 data_len,
2263                                                 &blob);
2264                 break;
2265         default:
2266                 status = NT_STATUS_INTERNAL_ERROR;
2267                 break;
2268         }
2269
2270         if (!NT_STATUS_IS_OK(status)) {
2271                 DEBUG(0,("failed to unseal packet: %s\n", nt_errstr(status)));
2272                 return false;
2273         }
2274
2275         /*
2276          * Return the current pointer to the data offset.
2277          */
2278
2279         if(!prs_set_offset(rpc_in, save_offset)) {
2280                 DEBUG(0,("failed to set offset back to %u\n",
2281                          (unsigned int)save_offset ));
2282                 return False;
2283         }
2284
2285         /*
2286          * Remember the padding length. We must remove it from the real data
2287          * stream once the sign/seal is done.
2288          */
2289
2290         *p_ss_padding_len = auth_info.auth_pad_len;
2291
2292         return True;
2293 }
2294
2295 /****************************************************************************
2296  Find the set of RPC functions associated with this context_id
2297 ****************************************************************************/
2298
2299 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
2300 {
2301         PIPE_RPC_FNS *fns = NULL;
2302
2303         if ( !list ) {
2304                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2305                 return NULL;
2306         }
2307
2308         for (fns=list; fns; fns=fns->next ) {
2309                 if ( fns->context_id == context_id )
2310                         return fns;
2311         }
2312         return NULL;
2313 }
2314
2315 /****************************************************************************
2316  Memory cleanup.
2317 ****************************************************************************/
2318
2319 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
2320 {
2321         PIPE_RPC_FNS *tmp = list;
2322         PIPE_RPC_FNS *tmp2;
2323
2324         while (tmp) {
2325                 tmp2 = tmp->next;
2326                 SAFE_FREE(tmp);
2327                 tmp = tmp2;
2328         }
2329
2330         return; 
2331 }
2332
2333 static bool api_rpcTNP(pipes_struct *p,
2334                        const struct api_struct *api_rpc_cmds, int n_cmds);
2335
2336 /****************************************************************************
2337  Find the correct RPC function to call for this request.
2338  If the pipe is authenticated then become the correct UNIX user
2339  before doing the call.
2340 ****************************************************************************/
2341
2342 bool api_pipe_request(pipes_struct *p)
2343 {
2344         bool ret = False;
2345         bool changed_user = False;
2346         PIPE_RPC_FNS *pipe_fns;
2347
2348         if (p->pipe_bound &&
2349                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2350                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2351                 if(!become_authenticated_pipe_user(p)) {
2352                         prs_mem_free(&p->out_data.rdata);
2353                         return False;
2354                 }
2355                 changed_user = True;
2356         }
2357
2358         DEBUG(5, ("Requested \\PIPE\\%s\n",
2359                   get_pipe_name_from_iface(&p->syntax)));
2360
2361         /* get the set of RPC functions for this context */
2362
2363         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2364
2365         if ( pipe_fns ) {
2366                 TALLOC_CTX *frame = talloc_stackframe();
2367                 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2368                 TALLOC_FREE(frame);
2369         }
2370         else {
2371                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2372                         p->hdr_req.context_id,
2373                         get_pipe_name_from_iface(&p->syntax)));
2374         }
2375
2376         if (changed_user) {
2377                 unbecome_authenticated_pipe_user();
2378         }
2379
2380         return ret;
2381 }
2382
2383 /*******************************************************************
2384  Calls the underlying RPC function for a named pipe.
2385  ********************************************************************/
2386
2387 static bool api_rpcTNP(pipes_struct *p,
2388                        const struct api_struct *api_rpc_cmds, int n_cmds)
2389 {
2390         int fn_num;
2391         uint32 offset1, offset2;
2392
2393         /* interpret the command */
2394         DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2395                  get_pipe_name_from_iface(&p->syntax), p->hdr_req.opnum));
2396
2397         if (DEBUGLEVEL >= 50) {
2398                 fstring name;
2399                 slprintf(name, sizeof(name)-1, "in_%s",
2400                          get_pipe_name_from_iface(&p->syntax));
2401                 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2402         }
2403
2404         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2405                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2406                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2407                         break;
2408                 }
2409         }
2410
2411         if (fn_num == n_cmds) {
2412                 /*
2413                  * For an unknown RPC just return a fault PDU but
2414                  * return True to allow RPC's on the pipe to continue
2415                  * and not put the pipe into fault state. JRA.
2416                  */
2417                 DEBUG(4, ("unknown\n"));
2418                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2419                 return True;
2420         }
2421
2422         offset1 = prs_offset(&p->out_data.rdata);
2423
2424         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2425                 fn_num, api_rpc_cmds[fn_num].fn));
2426         /* do the actual command */
2427         if(!api_rpc_cmds[fn_num].fn(p)) {
2428                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2429                          get_pipe_name_from_iface(&p->syntax),
2430                          api_rpc_cmds[fn_num].name));
2431                 prs_mem_free(&p->out_data.rdata);
2432                 return False;
2433         }
2434
2435         if (p->bad_handle_fault_state) {
2436                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2437                 p->bad_handle_fault_state = False;
2438                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2439                 return True;
2440         }
2441
2442         if (p->rng_fault_state) {
2443                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2444                 p->rng_fault_state = False;
2445                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2446                 return True;
2447         }
2448
2449         offset2 = prs_offset(&p->out_data.rdata);
2450         prs_set_offset(&p->out_data.rdata, offset1);
2451         if (DEBUGLEVEL >= 50) {
2452                 fstring name;
2453                 slprintf(name, sizeof(name)-1, "out_%s",
2454                          get_pipe_name_from_iface(&p->syntax));
2455                 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2456         }
2457         prs_set_offset(&p->out_data.rdata, offset2);
2458
2459         DEBUG(5,("api_rpcTNP: called %s successfully\n",
2460                  get_pipe_name_from_iface(&p->syntax)));
2461
2462         /* Check for buffer underflow in rpc parsing */
2463
2464         if ((DEBUGLEVEL >= 10) && 
2465             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2466                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2467                 char *data = (char *)SMB_MALLOC(data_len);
2468
2469                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2470                 if (data) {
2471                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2472                         SAFE_FREE(data);
2473                 }
2474
2475         }
2476
2477         return True;
2478 }