root/source3/rpc_server/srv_pipe.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. free_pipe_ntlmssp_auth_data
  2. generic_session_key
  3. create_next_pdu_ntlmssp
  4. create_next_pdu_schannel
  5. create_next_pdu_noauth
  6. create_next_pdu
  7. pipe_ntlmssp_verify_final
  8. api_pipe_bind_auth3
  9. setup_bind_nak
  10. setup_fault_pdu
  11. setup_cancel_ack_reply
  12. check_bind_req
  13. rpc_srv_register
  14. is_known_pipename
  15. pipe_spnego_auth_bind_kerberos
  16. pipe_spnego_auth_bind_negotiate
  17. pipe_spnego_auth_bind_continue
  18. pipe_schannel_auth_bind
  19. pipe_ntlmssp_auth_bind
  20. api_pipe_bind_req
  21. api_pipe_alter_context
  22. api_pipe_ntlmssp_auth_process
  23. api_pipe_schannel_process
  24. find_pipe_fns_by_context
  25. free_pipe_rpc_context
  26. api_pipe_request
  27. api_rpcTNP

   1 /* 
   2  *  Unix SMB/CIFS implementation.
   3  *  RPC Pipe client / server routines
   4  *  Almost completely rewritten by (C) Jeremy Allison 2005.
   5  *  
   6  *  This program is free software; you can redistribute it and/or modify
   7  *  it under the terms of the GNU General Public License as published by
   8  *  the Free Software Foundation; either version 3 of the License, or
   9  *  (at your option) any later version.
  10  *  
  11  *  This program is distributed in the hope that it will be useful,
  12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *  GNU General Public License for more details.
  15  *  
  16  *  You should have received a copy of the GNU General Public License
  17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  18  */
  19 
  20 /*  this module apparently provides an implementation of DCE/RPC over a
  21  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
  22  *  documentation are available (in on-line form) from the X-Open group.
  23  *
  24  *  this module should provide a level of abstraction between SMB
  25  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
  26  *  data copies, and network traffic.
  27  *
  28  */
  29 
  30 #include "includes.h"
  31 
  32 extern struct current_user current_user;
  33 
  34 #undef DBGC_CLASS
  35 #define DBGC_CLASS DBGC_RPC_SRV
  36 
  37 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
     /* [<][>][^][v][top][bottom][index][help] */
  38 {
  39         AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
  40 
  41         if (a) {
  42                 auth_ntlmssp_end(&a);
  43         }
  44         auth->a_u.auth_ntlmssp_state = NULL;
  45 }
  46 
  47 static DATA_BLOB generic_session_key(void)
     /* [<][>][^][v][top][bottom][index][help] */
  48 {
  49         return data_blob("SystemLibraryDTC", 16);
  50 }
  51 
  52 /*******************************************************************
  53  Generate the next PDU to be returned from the data in p->rdata. 
  54  Handle NTLMSSP.
  55  ********************************************************************/
  56 
  57 static bool create_next_pdu_ntlmssp(pipes_struct *p)
     /* [<][>][^][v][top][bottom][index][help] */
  58 {
  59         RPC_HDR_RESP hdr_resp;
  60         uint32 ss_padding_len = 0;
  61         uint32 data_space_available;
  62         uint32 data_len_left;
  63         uint32 data_len;
  64         NTSTATUS status;
  65         DATA_BLOB auth_blob;
  66         RPC_HDR_AUTH auth_info;
  67         uint8 auth_type, auth_level;
  68         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
  69 
  70         /*
  71          * If we're in the fault state, keep returning fault PDU's until
  72          * the pipe gets closed. JRA.
  73          */
  74 
  75         if(p->fault_state) {
  76                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
  77                 return True;
  78         }
  79 
  80         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
  81 
  82         /* Change the incoming request header to a response. */
  83         p->hdr.pkt_type = RPC_RESPONSE;
  84 
  85         /* Set up rpc header flags. */
  86         if (p->out_data.data_sent_length == 0) {
  87                 p->hdr.flags = RPC_FLG_FIRST;
  88         } else {
  89                 p->hdr.flags = 0;
  90         }
  91 
  92         /*
  93          * Work out how much we can fit in a single PDU.
  94          */
  95 
  96         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
  97 
  98         /*
  99          * Ensure there really is data left to send.
 100          */
 101 
 102         if(!data_len_left) {
 103                 DEBUG(0,("create_next_pdu_ntlmssp: no data left to send !\n"));
 104                 return False;
 105         }
 106 
 107         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
 108                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN - NTLMSSP_SIG_SIZE;
 109 
 110         /*
 111          * The amount we send is the minimum of the available
 112          * space and the amount left to send.
 113          */
 114 
 115         data_len = MIN(data_len_left, data_space_available);
 116 
 117         /*
 118          * Set up the alloc hint. This should be the data left to
 119          * send.
 120          */
 121 
 122         hdr_resp.alloc_hint = data_len_left;
 123 
 124         /*
 125          * Work out if this PDU will be the last.
 126          */
 127 
 128         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
 129                 p->hdr.flags |= RPC_FLG_LAST;
 130                 if (data_len_left % 8) {
 131                         ss_padding_len = 8 - (data_len_left % 8);
 132                         DEBUG(10,("create_next_pdu_ntlmssp: adding sign/seal padding of %u\n",
 133                                 ss_padding_len ));
 134                 }
 135         }
 136 
 137         /*
 138          * Set up the header lengths.
 139          */
 140 
 141         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN +
 142                         data_len + ss_padding_len +
 143                         RPC_HDR_AUTH_LEN + NTLMSSP_SIG_SIZE;
 144         p->hdr.auth_len = NTLMSSP_SIG_SIZE;
 145 
 146 
 147         /*
 148          * Init the parse struct to point at the outgoing
 149          * data.
 150          */
 151 
 152         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
 153 
 154         /* Store the header in the data stream. */
 155         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
 156                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR.\n"));
 157                 prs_mem_free(&p->out_data.frag);
 158                 return False;
 159         }
 160 
 161         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
 162                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_RESP.\n"));
 163                 prs_mem_free(&p->out_data.frag);
 164                 return False;
 165         }
 166 
 167         /* Copy the data into the PDU. */
 168 
 169         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
 170                                      p->out_data.data_sent_length, data_len)) {
 171                 DEBUG(0,("create_next_pdu_ntlmssp: failed to copy %u bytes of data.\n", (unsigned int)data_len));
 172                 prs_mem_free(&p->out_data.frag);
 173                 return False;
 174         }
 175 
 176         /* Copy the sign/seal padding data. */
 177         if (ss_padding_len) {
 178                 char pad[8];
 179 
 180                 memset(pad, '\0', 8);
 181                 if (!prs_copy_data_in(&p->out_data.frag, pad,
 182                                       ss_padding_len)) {
 183                         DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes of pad data.\n",
 184                                         (unsigned int)ss_padding_len));
 185                         prs_mem_free(&p->out_data.frag);
 186                         return False;
 187                 }
 188         }
 189 
 190 
 191         /* Now write out the auth header and null blob. */
 192         if (p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
 193                 auth_type = RPC_NTLMSSP_AUTH_TYPE;
 194         } else {
 195                 auth_type = RPC_SPNEGO_AUTH_TYPE;
 196         }
 197         if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
 198                 auth_level = RPC_AUTH_LEVEL_PRIVACY;
 199         } else {
 200                 auth_level = RPC_AUTH_LEVEL_INTEGRITY;
 201         }
 202 
 203         init_rpc_hdr_auth(&auth_info, auth_type, auth_level, ss_padding_len, 1 /* context id. */);
 204         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &p->out_data.frag,
 205                                 0)) {
 206                 DEBUG(0,("create_next_pdu_ntlmssp: failed to marshall RPC_HDR_AUTH.\n"));
 207                 prs_mem_free(&p->out_data.frag);
 208                 return False;
 209         }
 210 
 211         /* Generate the sign blob. */
 212 
 213         switch (p->auth.auth_level) {
 214                 case PIPE_AUTH_LEVEL_PRIVACY:
 215                         /* Data portion is encrypted. */
 216                         status = ntlmssp_seal_packet(
 217                                 a->ntlmssp_state,
 218                                 (uint8_t *)prs_data_p(&p->out_data.frag)
 219                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
 220                                 data_len + ss_padding_len,
 221                                 (unsigned char *)prs_data_p(&p->out_data.frag),
 222                                 (size_t)prs_offset(&p->out_data.frag),
 223                                 &auth_blob);
 224                         if (!NT_STATUS_IS_OK(status)) {
 225                                 data_blob_free(&auth_blob);
 226                                 prs_mem_free(&p->out_data.frag);
 227                                 return False;
 228                         }
 229                         break;
 230                 case PIPE_AUTH_LEVEL_INTEGRITY:
 231                         /* Data is signed. */
 232                         status = ntlmssp_sign_packet(
 233                                 a->ntlmssp_state,
 234                                 (unsigned char *)prs_data_p(&p->out_data.frag)
 235                                 + RPC_HEADER_LEN + RPC_HDR_RESP_LEN,
 236                                 data_len + ss_padding_len,
 237                                 (unsigned char *)prs_data_p(&p->out_data.frag),
 238                                 (size_t)prs_offset(&p->out_data.frag),
 239                                 &auth_blob);
 240                         if (!NT_STATUS_IS_OK(status)) {
 241                                 data_blob_free(&auth_blob);
 242                                 prs_mem_free(&p->out_data.frag);
 243                                 return False;
 244                         }
 245                         break;
 246                 default:
 247                         prs_mem_free(&p->out_data.frag);
 248                         return False;
 249         }
 250 
 251         /* Append the auth blob. */
 252         if (!prs_copy_data_in(&p->out_data.frag, (char *)auth_blob.data,
 253                               NTLMSSP_SIG_SIZE)) {
 254                 DEBUG(0,("create_next_pdu_ntlmssp: failed to add %u bytes auth blob.\n",
 255                                 (unsigned int)NTLMSSP_SIG_SIZE));
 256                 data_blob_free(&auth_blob);
 257                 prs_mem_free(&p->out_data.frag);
 258                 return False;
 259         }
 260 
 261         data_blob_free(&auth_blob);
 262 
 263         /*
 264          * Setup the counts for this PDU.
 265          */
 266 
 267         p->out_data.data_sent_length += data_len;
 268         p->out_data.current_pdu_sent = 0;
 269 
 270         return True;
 271 }
 272 
 273 /*******************************************************************
 274  Generate the next PDU to be returned from the data in p->rdata. 
 275  Return an schannel authenticated fragment.
 276  ********************************************************************/
 277 
 278 static bool create_next_pdu_schannel(pipes_struct *p)
     /* [<][>][^][v][top][bottom][index][help] */
 279 {
 280         RPC_HDR_RESP hdr_resp;
 281         uint32 ss_padding_len = 0;
 282         uint32 data_len;
 283         uint32 data_space_available;
 284         uint32 data_len_left;
 285         uint32 data_pos;
 286 
 287         /*
 288          * If we're in the fault state, keep returning fault PDU's until
 289          * the pipe gets closed. JRA.
 290          */
 291 
 292         if(p->fault_state) {
 293                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
 294                 return True;
 295         }
 296 
 297         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
 298 
 299         /* Change the incoming request header to a response. */
 300         p->hdr.pkt_type = RPC_RESPONSE;
 301 
 302         /* Set up rpc header flags. */
 303         if (p->out_data.data_sent_length == 0) {
 304                 p->hdr.flags = RPC_FLG_FIRST;
 305         } else {
 306                 p->hdr.flags = 0;
 307         }
 308 
 309         /*
 310          * Work out how much we can fit in a single PDU.
 311          */
 312 
 313         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
 314 
 315         /*
 316          * Ensure there really is data left to send.
 317          */
 318 
 319         if(!data_len_left) {
 320                 DEBUG(0,("create_next_pdu_schannel: no data left to send !\n"));
 321                 return False;
 322         }
 323 
 324         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
 325                 - RPC_HDR_RESP_LEN - RPC_HDR_AUTH_LEN
 326                 - RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
 327 
 328         /*
 329          * The amount we send is the minimum of the available
 330          * space and the amount left to send.
 331          */
 332 
 333         data_len = MIN(data_len_left, data_space_available);
 334 
 335         /*
 336          * Set up the alloc hint. This should be the data left to
 337          * send.
 338          */
 339 
 340         hdr_resp.alloc_hint = data_len_left;
 341 
 342         /*
 343          * Work out if this PDU will be the last.
 344          */
 345 
 346         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
 347                 p->hdr.flags |= RPC_FLG_LAST;
 348                 if (data_len_left % 8) {
 349                         ss_padding_len = 8 - (data_len_left % 8);
 350                         DEBUG(10,("create_next_pdu_schannel: adding sign/seal padding of %u\n",
 351                                 ss_padding_len ));
 352                 }
 353         }
 354 
 355         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len + ss_padding_len +
 356                                 RPC_HDR_AUTH_LEN + RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
 357         p->hdr.auth_len = RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN;
 358 
 359         /*
 360          * Init the parse struct to point at the outgoing
 361          * data.
 362          */
 363 
 364         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
 365 
 366         /* Store the header in the data stream. */
 367         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
 368                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR.\n"));
 369                 prs_mem_free(&p->out_data.frag);
 370                 return False;
 371         }
 372 
 373         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
 374                 DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_RESP.\n"));
 375                 prs_mem_free(&p->out_data.frag);
 376                 return False;
 377         }
 378 
 379         /* Store the current offset. */
 380         data_pos = prs_offset(&p->out_data.frag);
 381 
 382         /* Copy the data into the PDU. */
 383 
 384         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
 385                                      p->out_data.data_sent_length, data_len)) {
 386                 DEBUG(0,("create_next_pdu_schannel: failed to copy %u bytes of data.\n", (unsigned int)data_len));
 387                 prs_mem_free(&p->out_data.frag);
 388                 return False;
 389         }
 390 
 391         /* Copy the sign/seal padding data. */
 392         if (ss_padding_len) {
 393                 char pad[8];
 394                 memset(pad, '\0', 8);
 395                 if (!prs_copy_data_in(&p->out_data.frag, pad,
 396                                       ss_padding_len)) {
 397                         DEBUG(0,("create_next_pdu_schannel: failed to add %u bytes of pad data.\n", (unsigned int)ss_padding_len));
 398                         prs_mem_free(&p->out_data.frag);
 399                         return False;
 400                 }
 401         }
 402 
 403         {
 404                 /*
 405                  * Schannel processing.
 406                  */
 407                 RPC_HDR_AUTH auth_info;
 408                 RPC_AUTH_SCHANNEL_CHK verf;
 409 
 410                 /* Check it's the type of reply we were expecting to decode */
 411 
 412                 init_rpc_hdr_auth(&auth_info,
 413                                 RPC_SCHANNEL_AUTH_TYPE,
 414                                 p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY ?
 415                                         RPC_AUTH_LEVEL_PRIVACY : RPC_AUTH_LEVEL_INTEGRITY,
 416                                 ss_padding_len, 1);
 417 
 418                 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info,
 419                                         &p->out_data.frag, 0)) {
 420                         DEBUG(0,("create_next_pdu_schannel: failed to marshall RPC_HDR_AUTH.\n"));
 421                         prs_mem_free(&p->out_data.frag);
 422                         return False;
 423                 }
 424 
 425                 schannel_encode(p->auth.a_u.schannel_auth, 
 426                                 p->auth.auth_level, SENDER_IS_ACCEPTOR, &verf,
 427                                 prs_data_p(&p->out_data.frag) + data_pos,
 428                                 data_len + ss_padding_len);
 429 
 430                 if (!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, 
 431                                 &verf, &p->out_data.frag, 0)) {
 432                         prs_mem_free(&p->out_data.frag);
 433                         return False;
 434                 }
 435 
 436                 p->auth.a_u.schannel_auth->seq_num++;
 437         }
 438 
 439         /*
 440          * Setup the counts for this PDU.
 441          */
 442 
 443         p->out_data.data_sent_length += data_len;
 444         p->out_data.current_pdu_sent = 0;
 445 
 446         return True;
 447 }
 448 
 449 /*******************************************************************
 450  Generate the next PDU to be returned from the data in p->rdata. 
 451  No authentication done.
 452 ********************************************************************/
 453 
 454 static bool create_next_pdu_noauth(pipes_struct *p)
     /* [<][>][^][v][top][bottom][index][help] */
 455 {
 456         RPC_HDR_RESP hdr_resp;
 457         uint32 data_len;
 458         uint32 data_space_available;
 459         uint32 data_len_left;
 460 
 461         /*
 462          * If we're in the fault state, keep returning fault PDU's until
 463          * the pipe gets closed. JRA.
 464          */
 465 
 466         if(p->fault_state) {
 467                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
 468                 return True;
 469         }
 470 
 471         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
 472 
 473         /* Change the incoming request header to a response. */
 474         p->hdr.pkt_type = RPC_RESPONSE;
 475 
 476         /* Set up rpc header flags. */
 477         if (p->out_data.data_sent_length == 0) {
 478                 p->hdr.flags = RPC_FLG_FIRST;
 479         } else {
 480                 p->hdr.flags = 0;
 481         }
 482 
 483         /*
 484          * Work out how much we can fit in a single PDU.
 485          */
 486 
 487         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
 488 
 489         /*
 490          * Ensure there really is data left to send.
 491          */
 492 
 493         if(!data_len_left) {
 494                 DEBUG(0,("create_next_pdu_noath: no data left to send !\n"));
 495                 return False;
 496         }
 497 
 498         data_space_available = RPC_MAX_PDU_FRAG_LEN - RPC_HEADER_LEN
 499                 - RPC_HDR_RESP_LEN;
 500 
 501         /*
 502          * The amount we send is the minimum of the available
 503          * space and the amount left to send.
 504          */
 505 
 506         data_len = MIN(data_len_left, data_space_available);
 507 
 508         /*
 509          * Set up the alloc hint. This should be the data left to
 510          * send.
 511          */
 512 
 513         hdr_resp.alloc_hint = data_len_left;
 514 
 515         /*
 516          * Work out if this PDU will be the last.
 517          */
 518 
 519         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata)) {
 520                 p->hdr.flags |= RPC_FLG_LAST;
 521         }
 522 
 523         /*
 524          * Set up the header lengths.
 525          */
 526 
 527         p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
 528         p->hdr.auth_len = 0;
 529 
 530         /*
 531          * Init the parse struct to point at the outgoing
 532          * data.
 533          */
 534 
 535         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
 536 
 537         /* Store the header in the data stream. */
 538         if(!smb_io_rpc_hdr("hdr", &p->hdr, &p->out_data.frag, 0)) {
 539                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR.\n"));
 540                 prs_mem_free(&p->out_data.frag);
 541                 return False;
 542         }
 543 
 544         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
 545                 DEBUG(0,("create_next_pdu_noath: failed to marshall RPC_HDR_RESP.\n"));
 546                 prs_mem_free(&p->out_data.frag);
 547                 return False;
 548         }
 549 
 550         /* Copy the data into the PDU. */
 551 
 552         if(!prs_append_some_prs_data(&p->out_data.frag, &p->out_data.rdata,
 553                                      p->out_data.data_sent_length, data_len)) {
 554                 DEBUG(0,("create_next_pdu_noauth: failed to copy %u bytes of data.\n", (unsigned int)data_len));
 555                 prs_mem_free(&p->out_data.frag);
 556                 return False;
 557         }
 558 
 559         /*
 560          * Setup the counts for this PDU.
 561          */
 562 
 563         p->out_data.data_sent_length += data_len;
 564         p->out_data.current_pdu_sent = 0;
 565 
 566         return True;
 567 }
 568 
 569 /*******************************************************************
 570  Generate the next PDU to be returned from the data in p->rdata. 
 571 ********************************************************************/
 572 
 573 bool create_next_pdu(pipes_struct *p)
     /* [<][>][^][v][top][bottom][index][help] */
 574 {
 575         switch(p->auth.auth_level) {
 576                 case PIPE_AUTH_LEVEL_NONE:
 577                 case PIPE_AUTH_LEVEL_CONNECT:
 578                         /* This is incorrect for auth level connect. Fixme. JRA */
 579                         return create_next_pdu_noauth(p);
 580 
 581                 default:
 582                         switch(p->auth.auth_type) {
 583                                 case PIPE_AUTH_TYPE_NTLMSSP:
 584                                 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
 585                                         return create_next_pdu_ntlmssp(p);
 586                                 case PIPE_AUTH_TYPE_SCHANNEL:
 587                                         return create_next_pdu_schannel(p);
 588                                 default:
 589                                         break;
 590                         }
 591         }
 592 
 593         DEBUG(0,("create_next_pdu: invalid internal auth level %u / type %u",
 594                         (unsigned int)p->auth.auth_level,
 595                         (unsigned int)p->auth.auth_type));
 596         return False;
 597 }
 598 
 599 /*******************************************************************
 600  Process an NTLMSSP authentication response.
 601  If this function succeeds, the user has been authenticated
 602  and their domain, name and calling workstation stored in
 603  the pipe struct.
 604 *******************************************************************/
 605 
 606 static bool pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
     /* [<][>][^][v][top][bottom][index][help] */
 607 {
 608         DATA_BLOB session_key, reply;
 609         NTSTATUS status;
 610         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
 611         bool ret;
 612 
 613         DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n",
 614                  get_pipe_name_from_iface(&p->syntax)));
 615 
 616         ZERO_STRUCT(reply);
 617 
 618         /* this has to be done as root in order to verify the password */
 619         become_root();
 620         status = auth_ntlmssp_update(a, *p_resp_blob, &reply);
 621         unbecome_root();
 622 
 623         /* Don't generate a reply. */
 624         data_blob_free(&reply);
 625 
 626         if (!NT_STATUS_IS_OK(status)) {
 627                 return False;
 628         }
 629 
 630         /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
 631            ensure the underlying NTLMSSP flags are also set. If not we should
 632            refuse the bind. */
 633 
 634         if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
 635                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
 636                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
 637                                 "but client declined signing.\n",
 638                                 get_pipe_name_from_iface(&p->syntax)));
 639                         return False;
 640                 }
 641         }
 642         if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
 643                 if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
 644                         DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
 645                                 "but client declined sealing.\n",
 646                                 get_pipe_name_from_iface(&p->syntax)));
 647                         return False;
 648                 }
 649         }
 650 
 651         DEBUG(5, ("pipe_ntlmssp_verify_final: OK: user: %s domain: %s "
 652                   "workstation: %s\n", a->ntlmssp_state->user,
 653                   a->ntlmssp_state->domain, a->ntlmssp_state->workstation));
 654 
 655         if (a->server_info->ptok == NULL) {
 656                 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
 657                 return False;
 658         }
 659 
 660         TALLOC_FREE(p->server_info);
 661 
 662         p->server_info = copy_serverinfo(p, a->server_info);
 663         if (p->server_info == NULL) {
 664                 DEBUG(0, ("copy_serverinfo failed\n"));
 665                 return false;
 666         }
 667 
 668         /*
 669          * We're an authenticated bind over smb, so the session key needs to
 670          * be set to "SystemLibraryDTC". Weird, but this is what Windows
 671          * does. See the RPC-SAMBA3SESSIONKEY.
 672          */
 673 
 674         session_key = generic_session_key();
 675         if (session_key.data == NULL) {
 676                 return False;
 677         }
 678 
 679         ret = server_info_set_session_key(p->server_info, session_key);
 680 
 681         data_blob_free(&session_key);
 682 
 683         return True;
 684 }
 685 
 686 /*******************************************************************
 687  The switch table for the pipe names and the functions to handle them.
 688 *******************************************************************/
 689 
 690 struct rpc_table {
 691         struct {
 692                 const char *clnt;
 693                 const char *srv;
 694         } pipe;
 695         struct ndr_syntax_id rpc_interface;
 696         const struct api_struct *cmds;
 697         int n_cmds;
 698 };
 699 
 700 static struct rpc_table *rpc_lookup;
 701 static int rpc_lookup_size;
 702 
 703 /*******************************************************************
 704  This is the "stage3" NTLMSSP response after a bind request and reply.
 705 *******************************************************************/
 706 
 707 bool api_pipe_bind_auth3(pipes_struct *p, prs_struct *rpc_in_p)
     /* [<][>][^][v][top][bottom][index][help] */
 708 {
 709         RPC_HDR_AUTH auth_info;
 710         uint32 pad = 0;
 711         DATA_BLOB blob;
 712 
 713         ZERO_STRUCT(blob);
 714 
 715         DEBUG(5,("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
 716 
 717         if (p->hdr.auth_len == 0) {
 718                 DEBUG(0,("api_pipe_bind_auth3: No auth field sent !\n"));
 719                 goto err;
 720         }
 721 
 722         /* 4 bytes padding. */
 723         if (!prs_uint32("pad", rpc_in_p, 0, &pad)) {
 724                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of 4 byte pad failed.\n"));
 725                 goto err;
 726         }
 727 
 728         /*
 729          * Decode the authentication verifier response.
 730          */
 731 
 732         if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
 733                 DEBUG(0,("api_pipe_bind_auth3: unmarshall of RPC_HDR_AUTH failed.\n"));
 734                 goto err;
 735         }
 736 
 737         if (auth_info.auth_type != RPC_NTLMSSP_AUTH_TYPE) {
 738                 DEBUG(0,("api_pipe_bind_auth3: incorrect auth type (%u).\n",
 739                         (unsigned int)auth_info.auth_type ));
 740                 return False;
 741         }
 742 
 743         blob = data_blob(NULL,p->hdr.auth_len);
 744 
 745         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
 746                 DEBUG(0,("api_pipe_bind_auth3: Failed to pull %u bytes - the response blob.\n",
 747                         (unsigned int)p->hdr.auth_len ));
 748                 goto err;
 749         }
 750 
 751         /*
 752          * The following call actually checks the challenge/response data.
 753          * for correctness against the given DOMAIN\user name.
 754          */
 755 
 756         if (!pipe_ntlmssp_verify_final(p, &blob)) {
 757                 goto err;
 758         }
 759 
 760         data_blob_free(&blob);
 761 
 762         p->pipe_bound = True;
 763 
 764         return True;
 765 
 766  err:
 767 
 768         data_blob_free(&blob);
 769         free_pipe_ntlmssp_auth_data(&p->auth);
 770         p->auth.a_u.auth_ntlmssp_state = NULL;
 771 
 772         return False;
 773 }
 774 
 775 /*******************************************************************
 776  Marshall a bind_nak pdu.
 777 *******************************************************************/
 778 
 779 static bool setup_bind_nak(pipes_struct *p)
     /* [<][>][^][v][top][bottom][index][help] */
 780 {
 781         RPC_HDR nak_hdr;
 782         uint16 zero = 0;
 783 
 784         /* Free any memory in the current return data buffer. */
 785         prs_mem_free(&p->out_data.rdata);
 786 
 787         /*
 788          * Marshall directly into the outgoing PDU space. We
 789          * must do this as we need to set to the bind response
 790          * header and are never sending more than one PDU here.
 791          */
 792 
 793         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
 794 
 795         /*
 796          * Initialize a bind_nak header.
 797          */
 798 
 799         init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
 800                 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
 801 
 802         /*
 803          * Marshall the header into the outgoing PDU.
 804          */
 805 
 806         if(!smb_io_rpc_hdr("", &nak_hdr, &p->out_data.frag, 0)) {
 807                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
 808                 prs_mem_free(&p->out_data.frag);
 809                 return False;
 810         }
 811 
 812         /*
 813          * Now add the reject reason.
 814          */
 815 
 816         if(!prs_uint16("reject code", &p->out_data.frag, 0, &zero)) {
 817                 prs_mem_free(&p->out_data.frag);
 818                 return False;
 819         }
 820 
 821         p->out_data.data_sent_length = 0;
 822         p->out_data.current_pdu_sent = 0;
 823 
 824         if (p->auth.auth_data_free_func) {
 825                 (*p->auth.auth_data_free_func)(&p->auth);
 826         }
 827         p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
 828         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
 829         p->pipe_bound = False;
 830 
 831         return True;
 832 }
 833 
 834 /*******************************************************************
 835  Marshall a fault pdu.
 836 *******************************************************************/
 837 
 838 bool setup_fault_pdu(pipes_struct *p, NTSTATUS status)
     /* [<][>][^][v][top][bottom][index][help] */
 839 {
 840         RPC_HDR fault_hdr;
 841         RPC_HDR_RESP hdr_resp;
 842         RPC_HDR_FAULT fault_resp;
 843 
 844         /* Free any memory in the current return data buffer. */
 845         prs_mem_free(&p->out_data.rdata);
 846 
 847         /*
 848          * Marshall directly into the outgoing PDU space. We
 849          * must do this as we need to set to the bind response
 850          * header and are never sending more than one PDU here.
 851          */
 852 
 853         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
 854 
 855         /*
 856          * Initialize a fault header.
 857          */
 858 
 859         init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
 860             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
 861 
 862         /*
 863          * Initialize the HDR_RESP and FAULT parts of the PDU.
 864          */
 865 
 866         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
 867 
 868         fault_resp.status = status;
 869         fault_resp.reserved = 0;
 870 
 871         /*
 872          * Marshall the header into the outgoing PDU.
 873          */
 874 
 875         if(!smb_io_rpc_hdr("", &fault_hdr, &p->out_data.frag, 0)) {
 876                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
 877                 prs_mem_free(&p->out_data.frag);
 878                 return False;
 879         }
 880 
 881         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &p->out_data.frag, 0)) {
 882                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
 883                 prs_mem_free(&p->out_data.frag);
 884                 return False;
 885         }
 886 
 887         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &p->out_data.frag, 0)) {
 888                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
 889                 prs_mem_free(&p->out_data.frag);
 890                 return False;
 891         }
 892 
 893         p->out_data.data_sent_length = 0;
 894         p->out_data.current_pdu_sent = 0;
 895 
 896         return True;
 897 }
 898 
 899 #if 0
 900 /*******************************************************************
 901  Marshall a cancel_ack pdu.
 902  We should probably check the auth-verifier here.
 903 *******************************************************************/
 904 
 905 bool setup_cancel_ack_reply(pipes_struct *p, prs_struct *rpc_in_p)
     /* [<][>][^][v][top][bottom][index][help] */
 906 {
 907         prs_struct outgoing_pdu;
 908         RPC_HDR ack_reply_hdr;
 909 
 910         /* Free any memory in the current return data buffer. */
 911         prs_mem_free(&p->out_data.rdata);
 912 
 913         /*
 914          * Marshall directly into the outgoing PDU space. We
 915          * must do this as we need to set to the bind response
 916          * header and are never sending more than one PDU here.
 917          */
 918 
 919         prs_init_empty( &outgoing_pdu, p->mem_ctx, MARSHALL);
 920         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
 921 
 922         /*
 923          * Initialize a cancel_ack header.
 924          */
 925 
 926         init_rpc_hdr(&ack_reply_hdr, RPC_CANCEL_ACK, RPC_FLG_FIRST | RPC_FLG_LAST,
 927                         p->hdr.call_id, RPC_HEADER_LEN, 0);
 928 
 929         /*
 930          * Marshall the header into the outgoing PDU.
 931          */
 932 
 933         if(!smb_io_rpc_hdr("", &ack_reply_hdr, &outgoing_pdu, 0)) {
 934                 DEBUG(0,("setup_cancel_ack_reply: marshalling of RPC_HDR failed.\n"));
 935                 prs_mem_free(&outgoing_pdu);
 936                 return False;
 937         }
 938 
 939         p->out_data.data_sent_length = 0;
 940         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
 941         p->out_data.current_pdu_sent = 0;
 942 
 943         prs_mem_free(&outgoing_pdu);
 944         return True;
 945 }
 946 #endif
 947 
 948 /*******************************************************************
 949  Ensure a bind request has the correct abstract & transfer interface.
 950  Used to reject unknown binds from Win2k.
 951 *******************************************************************/
 952 
 953 bool check_bind_req(struct pipes_struct *p, RPC_IFACE* abstract,
     /* [<][>][^][v][top][bottom][index][help] */
 954                     RPC_IFACE* transfer, uint32 context_id)
 955 {
 956         int i=0;
 957         struct pipe_rpc_fns *context_fns;
 958 
 959         DEBUG(3,("check_bind_req for %s\n",
 960                  get_pipe_name_from_iface(&p->syntax)));
 961 
 962         /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
 963 
 964         for (i=0; i<rpc_lookup_size; i++) {
 965                 DEBUGADD(10, ("checking %s\n", rpc_lookup[i].pipe.clnt));
 966                 if (ndr_syntax_id_equal(
 967                             abstract, &rpc_lookup[i].rpc_interface)
 968                     && ndr_syntax_id_equal(
 969                             transfer, &ndr_transfer_syntax)) {
 970                         break;
 971                 }
 972         }
 973 
 974         if (i == rpc_lookup_size) {
 975                 return false;
 976         }
 977 
 978         context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
 979         if (context_fns == NULL) {
 980                 DEBUG(0,("check_bind_req: malloc() failed!\n"));
 981                 return False;
 982         }
 983 
 984         context_fns->cmds = rpc_lookup[i].cmds;
 985         context_fns->n_cmds = rpc_lookup[i].n_cmds;
 986         context_fns->context_id = context_id;
 987 
 988         /* add to the list of open contexts */
 989 
 990         DLIST_ADD( p->contexts, context_fns );
 991 
 992         return True;
 993 }
 994 
 995 /*******************************************************************
 996  Register commands to an RPC pipe
 997 *******************************************************************/
 998 
 999 NTSTATUS rpc_srv_register(int version, const char *clnt, const char *srv,
     /* [<][>][^][v][top][bottom][index][help] */
1000                           const struct ndr_interface_table *iface,
1001                           const struct api_struct *cmds, int size)
1002 {
1003         struct rpc_table *rpc_entry;
1004 
1005         if (!clnt || !srv || !cmds) {
1006                 return NT_STATUS_INVALID_PARAMETER;
1007         }
1008 
1009         if (version != SMB_RPC_INTERFACE_VERSION) {
1010                 DEBUG(0,("Can't register rpc commands!\n"
1011                          "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
1012                          ", while this version of samba uses version %d!\n", 
1013                          version,SMB_RPC_INTERFACE_VERSION));
1014                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
1015         }
1016 
1017         /* TODO: 
1018          *
1019          * we still need to make sure that don't register the same commands twice!!!
1020          * 
1021          * --metze
1022          */
1023 
1024         /* We use a temporary variable because this call can fail and 
1025            rpc_lookup will still be valid afterwards.  It could then succeed if
1026            called again later */
1027         rpc_lookup_size++;
1028         rpc_entry = SMB_REALLOC_ARRAY_KEEP_OLD_ON_ERROR(rpc_lookup, struct rpc_table, rpc_lookup_size);
1029         if (NULL == rpc_entry) {
1030                 rpc_lookup_size--;
1031                 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
1032                 return NT_STATUS_NO_MEMORY;
1033         } else {
1034                 rpc_lookup = rpc_entry;
1035         }
1036 
1037         rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
1038         ZERO_STRUCTP(rpc_entry);
1039         rpc_entry->pipe.clnt = SMB_STRDUP(clnt);
1040         rpc_entry->pipe.srv = SMB_STRDUP(srv);
1041         rpc_entry->rpc_interface = iface->syntax_id;
1042         rpc_entry->cmds = cmds;
1043         rpc_entry->n_cmds = size;
1044 
1045         return NT_STATUS_OK;
1046 }
1047 
1048 /**
1049  * Is a named pipe known?
1050  * @param[in] cli_filename      The pipe name requested by the client
1051  * @result                      Do we want to serve this?
1052  */
1053 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
     /* [<][>][^][v][top][bottom][index][help] */
1054 {
1055         const char *pipename = cli_filename;
1056         int i;
1057 
1058         if (strnequal(pipename, "\\PIPE\\", 6)) {
1059                 pipename += 5;
1060         }
1061 
1062         if (*pipename == '\\') {
1063                 pipename += 1;
1064         }
1065 
1066         if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
1067                 DEBUG(10, ("refusing spoolss access\n"));
1068                 return false;
1069         }
1070 
1071         for (i=0; i<rpc_lookup_size; i++) {
1072                 if (strequal(pipename, rpc_lookup[i].pipe.clnt)) {
1073                         *syntax = rpc_lookup[i].rpc_interface;
1074                         return true;
1075                 }
1076         }
1077 
1078         DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
1079         return false;
1080 }
1081 
1082 /*******************************************************************
1083  Handle a SPNEGO krb5 bind auth.
1084 *******************************************************************/
1085 
1086 static bool pipe_spnego_auth_bind_kerberos(pipes_struct *p, prs_struct *rpc_in_p, RPC_HDR_AUTH *pauth_info,
     /* [<][>][^][v][top][bottom][index][help] */
1087                 DATA_BLOB *psecblob, prs_struct *pout_auth)
1088 {
1089         return False;
1090 }
1091 
1092 /*******************************************************************
1093  Handle the first part of a SPNEGO bind auth.
1094 *******************************************************************/
1095 
1096 static bool pipe_spnego_auth_bind_negotiate(pipes_struct *p, prs_struct *rpc_in_p,
     /* [<][>][^][v][top][bottom][index][help] */
1097                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1098 {
1099         DATA_BLOB blob;
1100         DATA_BLOB secblob;
1101         DATA_BLOB response;
1102         DATA_BLOB chal;
1103         char *OIDs[ASN1_MAX_OIDS];
1104         int i;
1105         NTSTATUS status;
1106         bool got_kerberos_mechanism = false;
1107         AUTH_NTLMSSP_STATE *a = NULL;
1108         RPC_HDR_AUTH auth_info;
1109 
1110         ZERO_STRUCT(secblob);
1111         ZERO_STRUCT(chal);
1112         ZERO_STRUCT(response);
1113 
1114         /* Grab the SPNEGO blob. */
1115         blob = data_blob(NULL,p->hdr.auth_len);
1116 
1117         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1118                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to pull %u bytes - the SPNEGO auth header.\n",
1119                         (unsigned int)p->hdr.auth_len ));
1120                 goto err;
1121         }
1122 
1123         if (blob.data[0] != ASN1_APPLICATION(0)) {
1124                 goto err;
1125         }
1126 
1127         /* parse out the OIDs and the first sec blob */
1128         if (!parse_negTokenTarg(blob, OIDs, &secblob)) {
1129                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
1130                 goto err;
1131         }
1132 
1133         if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 || strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
1134                 got_kerberos_mechanism = true;
1135         }
1136 
1137         for (i=0;OIDs[i];i++) {
1138                 DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got OID %s\n", OIDs[i]));
1139                 TALLOC_FREE(OIDs[i]);
1140         }
1141         DEBUG(3,("pipe_spnego_auth_bind_negotiate: Got secblob of size %lu\n", (unsigned long)secblob.length));
1142 
1143         if ( got_kerberos_mechanism && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) {
1144                 bool ret = pipe_spnego_auth_bind_kerberos(p, rpc_in_p, pauth_info, &secblob, pout_auth);
1145                 data_blob_free(&secblob);
1146                 data_blob_free(&blob);
1147                 return ret;
1148         }
1149 
1150         if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
1151                 /* Free any previous auth type. */
1152                 free_pipe_ntlmssp_auth_data(&p->auth);
1153         }
1154 
1155         if (!got_kerberos_mechanism) {
1156                 /* Initialize the NTLM engine. */
1157                 status = auth_ntlmssp_start(&a);
1158                 if (!NT_STATUS_IS_OK(status)) {
1159                         goto err;
1160                 }
1161 
1162                 /*
1163                  * Pass the first security blob of data to it.
1164                  * This can return an error or NT_STATUS_MORE_PROCESSING_REQUIRED
1165                  * which means we need another packet to complete the bind.
1166                  */
1167 
1168                 status = auth_ntlmssp_update(a, secblob, &chal);
1169 
1170                 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1171                         DEBUG(3,("pipe_spnego_auth_bind_negotiate: auth_ntlmssp_update failed.\n"));
1172                         goto err;
1173                 }
1174 
1175                 /* Generate the response blob we need for step 2 of the bind. */
1176                 response = spnego_gen_auth_response(&chal, status, OID_NTLMSSP);
1177         } else {
1178                 /*
1179                  * SPNEGO negotiate down to NTLMSSP. The subsequent
1180                  * code to process follow-up packets is not complete
1181                  * yet. JRA.
1182                  */
1183                 response = spnego_gen_auth_response(NULL,
1184                                         NT_STATUS_MORE_PROCESSING_REQUIRED,
1185                                         OID_NTLMSSP);
1186         }
1187 
1188         /* Copy the blob into the pout_auth parse struct */
1189         init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1190         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1191                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of RPC_HDR_AUTH failed.\n"));
1192                 goto err;
1193         }
1194 
1195         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1196                 DEBUG(0,("pipe_spnego_auth_bind_negotiate: marshalling of data blob failed.\n"));
1197                 goto err;
1198         }
1199 
1200         p->auth.a_u.auth_ntlmssp_state = a;
1201         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1202         p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
1203 
1204         data_blob_free(&blob);
1205         data_blob_free(&secblob);
1206         data_blob_free(&chal);
1207         data_blob_free(&response);
1208 
1209         /* We can't set pipe_bound True yet - we need an RPC_ALTER_CONTEXT response packet... */
1210         return True;
1211 
1212  err:
1213 
1214         data_blob_free(&blob);
1215         data_blob_free(&secblob);
1216         data_blob_free(&chal);
1217         data_blob_free(&response);
1218 
1219         p->auth.a_u.auth_ntlmssp_state = NULL;
1220 
1221         return False;
1222 }
1223 
1224 /*******************************************************************
1225  Handle the second part of a SPNEGO bind auth.
1226 *******************************************************************/
1227 
1228 static bool pipe_spnego_auth_bind_continue(pipes_struct *p, prs_struct *rpc_in_p,
     /* [<][>][^][v][top][bottom][index][help] */
1229                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1230 {
1231         RPC_HDR_AUTH auth_info;
1232         DATA_BLOB spnego_blob;
1233         DATA_BLOB auth_blob;
1234         DATA_BLOB auth_reply;
1235         DATA_BLOB response;
1236         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1237 
1238         ZERO_STRUCT(spnego_blob);
1239         ZERO_STRUCT(auth_blob);
1240         ZERO_STRUCT(auth_reply);
1241         ZERO_STRUCT(response);
1242 
1243         /*
1244          * NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
1245          * fail here as 'a' == NULL.
1246          */
1247         if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
1248                 DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
1249                 goto err;
1250         }
1251 
1252         /* Grab the SPNEGO blob. */
1253         spnego_blob = data_blob(NULL,p->hdr.auth_len);
1254 
1255         if (!prs_copy_data_out((char *)spnego_blob.data, rpc_in_p, p->hdr.auth_len)) {
1256                 DEBUG(0,("pipe_spnego_auth_bind_continue: Failed to pull %u bytes - the SPNEGO auth header.\n",
1257                         (unsigned int)p->hdr.auth_len ));
1258                 goto err;
1259         }
1260 
1261         if (spnego_blob.data[0] != ASN1_CONTEXT(1)) {
1262                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob type.\n"));
1263                 goto err;
1264         }
1265 
1266         if (!spnego_parse_auth(spnego_blob, &auth_blob)) {
1267                 DEBUG(0,("pipe_spnego_auth_bind_continue: invalid SPNEGO blob.\n"));
1268                 goto err;
1269         }
1270 
1271         /*
1272          * The following call actually checks the challenge/response data.
1273          * for correctness against the given DOMAIN\user name.
1274          */
1275 
1276         if (!pipe_ntlmssp_verify_final(p, &auth_blob)) {
1277                 goto err;
1278         }
1279 
1280         data_blob_free(&spnego_blob);
1281         data_blob_free(&auth_blob);
1282 
1283         /* Generate the spnego "accept completed" blob - no incoming data. */
1284         response = spnego_gen_auth_response(&auth_reply, NT_STATUS_OK, OID_NTLMSSP);
1285 
1286         /* Copy the blob into the pout_auth parse struct */
1287         init_rpc_hdr_auth(&auth_info, RPC_SPNEGO_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1288         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1289                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of RPC_HDR_AUTH failed.\n"));
1290                 goto err;
1291         }
1292 
1293         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1294                 DEBUG(0,("pipe_spnego_auth_bind_continue: marshalling of data blob failed.\n"));
1295                 goto err;
1296         }
1297 
1298         data_blob_free(&auth_reply);
1299         data_blob_free(&response);
1300 
1301         p->pipe_bound = True;
1302 
1303         return True;
1304 
1305  err:
1306 
1307         data_blob_free(&spnego_blob);
1308         data_blob_free(&auth_blob);
1309         data_blob_free(&auth_reply);
1310         data_blob_free(&response);
1311 
1312         free_pipe_ntlmssp_auth_data(&p->auth);
1313         p->auth.a_u.auth_ntlmssp_state = NULL;
1314 
1315         return False;
1316 }
1317 
1318 /*******************************************************************
1319  Handle an schannel bind auth.
1320 *******************************************************************/
1321 
1322 static bool pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
     /* [<][>][^][v][top][bottom][index][help] */
1323                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1324 {
1325         RPC_HDR_AUTH auth_info;
1326         RPC_AUTH_SCHANNEL_NEG neg;
1327         RPC_AUTH_VERIFIER auth_verifier;
1328         bool ret;
1329         struct dcinfo *pdcinfo;
1330         uint32 flags;
1331         DATA_BLOB session_key;
1332 
1333         if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
1334                 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
1335                 return False;
1336         }
1337 
1338         /*
1339          * The neg.myname key here must match the remote computer name
1340          * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
1341          * operations that use credentials.
1342          */
1343 
1344         become_root();
1345         ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &pdcinfo);
1346         unbecome_root();
1347 
1348         if (!ret) {
1349                 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
1350                 return False;
1351         }
1352 
1353         p->auth.a_u.schannel_auth = talloc(p, struct schannel_auth_struct);
1354         if (!p->auth.a_u.schannel_auth) {
1355                 TALLOC_FREE(pdcinfo);
1356                 return False;
1357         }
1358 
1359         memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
1360         memcpy(p->auth.a_u.schannel_auth->sess_key, pdcinfo->sess_key,
1361                         sizeof(pdcinfo->sess_key));
1362 
1363         TALLOC_FREE(pdcinfo);
1364 
1365         p->auth.a_u.schannel_auth->seq_num = 0;
1366 
1367         /*
1368          * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
1369          * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
1370          * struct of the person who opened the pipe. I need to test this further. JRA.
1371          *
1372          * VL. As we are mapping this to guest set the generic key
1373          * "SystemLibraryDTC" key here. It's a bit difficult to test against
1374          * W2k3, as it does not allow schannel binds against SAMR and LSA
1375          * anymore.
1376          */
1377 
1378         session_key = generic_session_key();
1379         if (session_key.data == NULL) {
1380                 DEBUG(0, ("pipe_schannel_auth_bind: Could not alloc session"
1381                           " key\n"));
1382                 return false;
1383         }
1384 
1385         ret = server_info_set_session_key(p->server_info, session_key);
1386 
1387         data_blob_free(&session_key);
1388 
1389         if (!ret) {
1390                 DEBUG(0, ("server_info_set_session_key failed\n"));
1391                 return false;
1392         }
1393 
1394         init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1395         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1396                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1397                 return False;
1398         }
1399 
1400         /*** SCHANNEL verifier ***/
1401 
1402         init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1403         if(!smb_io_rpc_schannel_verifier("", &auth_verifier, pout_auth, 0)) {
1404                 DEBUG(0,("pipe_schannel_auth_bind: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1405                 return False;
1406         }
1407 
1408         prs_align(pout_auth);
1409 
1410         flags = 5;
1411         if(!prs_uint32("flags ", pout_auth, 0, &flags)) {
1412                 return False;
1413         }
1414 
1415         DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
1416                 neg.domain, neg.myname));
1417 
1418         /* We're finished with this bind - no more packets. */
1419         p->auth.auth_data_free_func = NULL;
1420         p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
1421 
1422         p->pipe_bound = True;
1423 
1424         return True;
1425 }
1426 
1427 /*******************************************************************
1428  Handle an NTLMSSP bind auth.
1429 *******************************************************************/
1430 
1431 static bool pipe_ntlmssp_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
     /* [<][>][^][v][top][bottom][index][help] */
1432                                         RPC_HDR_AUTH *pauth_info, prs_struct *pout_auth)
1433 {
1434         RPC_HDR_AUTH auth_info;
1435         DATA_BLOB blob;
1436         DATA_BLOB response;
1437         NTSTATUS status;
1438         AUTH_NTLMSSP_STATE *a = NULL;
1439 
1440         ZERO_STRUCT(blob);
1441         ZERO_STRUCT(response);
1442 
1443         /* Grab the NTLMSSP blob. */
1444         blob = data_blob(NULL,p->hdr.auth_len);
1445 
1446         if (!prs_copy_data_out((char *)blob.data, rpc_in_p, p->hdr.auth_len)) {
1447                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to pull %u bytes - the NTLM auth header.\n",
1448                         (unsigned int)p->hdr.auth_len ));
1449                 goto err;
1450         }
1451 
1452         if (strncmp((char *)blob.data, "NTLMSSP", 7) != 0) {
1453                 DEBUG(0,("pipe_ntlmssp_auth_bind: Failed to read NTLMSSP in blob\n"));
1454                 goto err;
1455         }
1456 
1457         /* We have an NTLMSSP blob. */
1458         status = auth_ntlmssp_start(&a);
1459         if (!NT_STATUS_IS_OK(status)) {
1460                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_start failed: %s\n",
1461                         nt_errstr(status) ));
1462                 goto err;
1463         }
1464 
1465         status = auth_ntlmssp_update(a, blob, &response);
1466         if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1467                 DEBUG(0,("pipe_ntlmssp_auth_bind: auth_ntlmssp_update failed: %s\n",
1468                         nt_errstr(status) ));
1469                 goto err;
1470         }
1471 
1472         data_blob_free(&blob);
1473 
1474         /* Copy the blob into the pout_auth parse struct */
1475         init_rpc_hdr_auth(&auth_info, RPC_NTLMSSP_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
1476         if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
1477                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of RPC_HDR_AUTH failed.\n"));
1478                 goto err;
1479         }
1480 
1481         if (!prs_copy_data_in(pout_auth, (char *)response.data, response.length)) {
1482                 DEBUG(0,("pipe_ntlmssp_auth_bind: marshalling of data blob failed.\n"));
1483                 goto err;
1484         }
1485 
1486         p->auth.a_u.auth_ntlmssp_state = a;
1487         p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
1488         p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
1489 
1490         data_blob_free(&blob);
1491         data_blob_free(&response);
1492 
1493         DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
1494 
1495         /* We can't set pipe_bound True yet - we need an RPC_AUTH3 response packet... */
1496         return True;
1497 
1498   err:
1499 
1500         data_blob_free(&blob);
1501         data_blob_free(&response);
1502 
1503         free_pipe_ntlmssp_auth_data(&p->auth);
1504         p->auth.a_u.auth_ntlmssp_state = NULL;
1505         return False;
1506 }
1507 
1508 /*******************************************************************
1509  Respond to a pipe bind request.
1510 *******************************************************************/
1511 
1512 bool api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
     /* [<][>][^][v][top][bottom][index][help] */
1513 {
1514         RPC_HDR_BA hdr_ba;
1515         RPC_HDR_RB hdr_rb;
1516         RPC_HDR_AUTH auth_info;
1517         uint16 assoc_gid;
1518         fstring ack_pipe_name;
1519         prs_struct out_hdr_ba;
1520         prs_struct out_auth;
1521         int i = 0;
1522         int auth_len = 0;
1523         unsigned int auth_type = RPC_ANONYMOUS_AUTH_TYPE;
1524 
1525         /* No rebinds on a bound pipe - use alter context. */
1526         if (p->pipe_bound) {
1527                 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
1528                          "pipe %s.\n", get_pipe_name_from_iface(&p->syntax)));
1529                 return setup_bind_nak(p);
1530         }
1531 
1532         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1533 
1534         /* 
1535          * Marshall directly into the outgoing PDU space. We
1536          * must do this as we need to set to the bind response
1537          * header and are never sending more than one PDU here.
1538          */
1539 
1540         /*
1541          * Setup the memory to marshall the ba header, and the
1542          * auth footers.
1543          */
1544 
1545         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1546                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1547                 prs_mem_free(&p->out_data.frag);
1548                 return False;
1549         }
1550 
1551         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1552                 DEBUG(0,("api_pipe_bind_req: malloc out_auth failed.\n"));
1553                 prs_mem_free(&p->out_data.frag);
1554                 prs_mem_free(&out_hdr_ba);
1555                 return False;
1556         }
1557 
1558         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
1559 
1560         ZERO_STRUCT(hdr_rb);
1561 
1562         /* decode the bind request */
1563 
1564         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1565                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB "
1566                          "struct.\n"));
1567                 goto err_exit;
1568         }
1569 
1570         if (hdr_rb.num_contexts == 0) {
1571                 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
1572                 goto err_exit;
1573         }
1574 
1575         /*
1576          * Try and find the correct pipe name to ensure
1577          * that this is a pipe name we support.
1578          */
1579 
1580         for (i = 0; i < rpc_lookup_size; i++) {
1581                 if (ndr_syntax_id_equal(&rpc_lookup[i].rpc_interface,
1582                                         &hdr_rb.rpc_context[0].abstract)) {
1583                         DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1584                                 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1585                         break;
1586                 }
1587         }
1588 
1589         if (i == rpc_lookup_size) {
1590                 NTSTATUS status;
1591 
1592                 status = smb_probe_module(
1593                         "rpc", get_pipe_name_from_iface(
1594                                 &hdr_rb.rpc_context[0].abstract));
1595 
1596                 if (NT_STATUS_IS_ERR(status)) {
1597                        DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
1598                                 get_pipe_name_from_iface(&hdr_rb.rpc_context[0].abstract)));
1599                         prs_mem_free(&p->out_data.frag);
1600                         prs_mem_free(&out_hdr_ba);
1601                         prs_mem_free(&out_auth);
1602 
1603                         return setup_bind_nak(p);
1604                 }
1605 
1606                 for (i = 0; i < rpc_lookup_size; i++) {
1607                        if (strequal(rpc_lookup[i].pipe.clnt,
1608                                     get_pipe_name_from_iface(&p->syntax))) {
1609                                DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
1610                                          rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
1611                                break;
1612                        }
1613                 }
1614 
1615                 if (i == rpc_lookup_size) {
1616                         DEBUG(0, ("module %s doesn't provide functions for "
1617                                   "pipe %s!\n",
1618                                   get_pipe_name_from_iface(&p->syntax),
1619                                   get_pipe_name_from_iface(&p->syntax)));
1620                         goto err_exit;
1621                 }
1622         }
1623 
1624         /* name has to be \PIPE\xxxxx */
1625         fstrcpy(ack_pipe_name, "\\PIPE\\");
1626         fstrcat(ack_pipe_name, rpc_lookup[i].pipe.srv);
1627 
1628         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
1629 
1630         /*
1631          * Check if this is an authenticated bind request.
1632          */
1633 
1634         if (p->hdr.auth_len) {
1635                 /* 
1636                  * Decode the authentication verifier.
1637                  */
1638 
1639                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1640                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1641                         goto err_exit;
1642                 }
1643 
1644                 auth_type = auth_info.auth_type;
1645 
1646                 /* Work out if we have to sign or seal etc. */
1647                 switch (auth_info.auth_level) {
1648                         case RPC_AUTH_LEVEL_INTEGRITY:
1649                                 p->auth.auth_level = PIPE_AUTH_LEVEL_INTEGRITY;
1650                                 break;
1651                         case RPC_AUTH_LEVEL_PRIVACY:
1652                                 p->auth.auth_level = PIPE_AUTH_LEVEL_PRIVACY;
1653                                 break;
1654                         default:
1655                                 DEBUG(0,("api_pipe_bind_req: unexpected auth level (%u).\n",
1656                                         (unsigned int)auth_info.auth_level ));
1657                                 goto err_exit;
1658                 }
1659         } else {
1660                 ZERO_STRUCT(auth_info);
1661         }
1662 
1663         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1664 
1665         switch(auth_type) {
1666                 case RPC_NTLMSSP_AUTH_TYPE:
1667                         if (!pipe_ntlmssp_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1668                                 goto err_exit;
1669                         }
1670                         assoc_gid = 0x7a77;
1671                         break;
1672 
1673                 case RPC_SCHANNEL_AUTH_TYPE:
1674                         if (!pipe_schannel_auth_bind(p, rpc_in_p, &auth_info, &out_auth)) {
1675                                 goto err_exit;
1676                         }
1677                         break;
1678 
1679                 case RPC_SPNEGO_AUTH_TYPE:
1680                         if (!pipe_spnego_auth_bind_negotiate(p, rpc_in_p, &auth_info, &out_auth)) {
1681                                 goto err_exit;
1682                         }
1683                         break;
1684 
1685                 case RPC_ANONYMOUS_AUTH_TYPE:
1686                         /* Unauthenticated bind request. */
1687                         /* We're finished - no more packets. */
1688                         p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
1689                         /* We must set the pipe auth_level here also. */
1690                         p->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
1691                         p->pipe_bound = True;
1692                         /* The session key was initialized from the SMB
1693                          * session in make_internal_rpc_pipe_p */
1694                         break;
1695 
1696                 default:
1697                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n", auth_type ));
1698                         goto err_exit;
1699         }
1700 
1701         /*
1702          * Create the bind response struct.
1703          */
1704 
1705         /* If the requested abstract synt uuid doesn't match our client pipe,
1706                 reject the bind_ack & set the transfer interface synt to all 0's,
1707                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1708                 unknown to NT4)
1709                 Needed when adding entries to a DACL from NT5 - SK */
1710 
1711         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1712                                 hdr_rb.rpc_context[0].context_id )) {
1713                 init_rpc_hdr_ba(&hdr_ba,
1714                         RPC_MAX_PDU_FRAG_LEN,
1715                         RPC_MAX_PDU_FRAG_LEN,
1716                         assoc_gid,
1717                         ack_pipe_name,
1718                         0x1, 0x0, 0x0,
1719                         &hdr_rb.rpc_context[0].transfer[0]);
1720         } else {
1721                 RPC_IFACE null_interface;
1722                 ZERO_STRUCT(null_interface);
1723                 /* Rejection reason: abstract syntax not supported */
1724                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1725                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1726                                         ack_pipe_name, 0x1, 0x2, 0x1,
1727                                         &null_interface);
1728                 p->pipe_bound = False;
1729         }
1730 
1731         /*
1732          * and marshall it.
1733          */
1734 
1735         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1736                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1737                 goto err_exit;
1738         }
1739 
1740         /*
1741          * Create the header, now we know the length.
1742          */
1743 
1744         if (prs_offset(&out_auth)) {
1745                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1746         }
1747 
1748         init_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
1749                         p->hdr.call_id,
1750                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1751                         auth_len);
1752 
1753         /*
1754          * Marshall the header into the outgoing PDU.
1755          */
1756 
1757         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1758                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1759                 goto err_exit;
1760         }
1761 
1762         /*
1763          * Now add the RPC_HDR_BA and any auth needed.
1764          */
1765 
1766         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1767                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1768                 goto err_exit;
1769         }
1770 
1771         if (auth_len && !prs_append_prs_data( &p->out_data.frag, &out_auth)) {
1772                 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1773                 goto err_exit;
1774         }
1775 
1776         /*
1777          * Setup the lengths for the initial reply.
1778          */
1779 
1780         p->out_data.data_sent_length = 0;
1781         p->out_data.current_pdu_sent = 0;
1782 
1783         prs_mem_free(&out_hdr_ba);
1784         prs_mem_free(&out_auth);
1785 
1786         return True;
1787 
1788   err_exit:
1789 
1790         prs_mem_free(&p->out_data.frag);
1791         prs_mem_free(&out_hdr_ba);
1792         prs_mem_free(&out_auth);
1793         return setup_bind_nak(p);
1794 }
1795 
1796 /****************************************************************************
1797  Deal with an alter context call. Can be third part of 3 leg auth request for
1798  SPNEGO calls.
1799 ****************************************************************************/
1800 
1801 bool api_pipe_alter_context(pipes_struct *p, prs_struct *rpc_in_p)
     /* [<][>][^][v][top][bottom][index][help] */
1802 {
1803         RPC_HDR_BA hdr_ba;
1804         RPC_HDR_RB hdr_rb;
1805         RPC_HDR_AUTH auth_info;
1806         uint16 assoc_gid;
1807         fstring ack_pipe_name;
1808         prs_struct out_hdr_ba;
1809         prs_struct out_auth;
1810         int auth_len = 0;
1811 
1812         prs_init_empty(&p->out_data.frag, p->mem_ctx, MARSHALL);
1813 
1814         /* 
1815          * Marshall directly into the outgoing PDU space. We
1816          * must do this as we need to set to the bind response
1817          * header and are never sending more than one PDU here.
1818          */
1819 
1820         /*
1821          * Setup the memory to marshall the ba header, and the
1822          * auth footers.
1823          */
1824 
1825         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1826                 DEBUG(0,("api_pipe_alter_context: malloc out_hdr_ba failed.\n"));
1827                 prs_mem_free(&p->out_data.frag);
1828                 return False;
1829         }
1830 
1831         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1832                 DEBUG(0,("api_pipe_alter_context: malloc out_auth failed.\n"));
1833                 prs_mem_free(&p->out_data.frag);
1834                 prs_mem_free(&out_hdr_ba);
1835                 return False;
1836         }
1837 
1838         ZERO_STRUCT(hdr_rb);
1839 
1840         DEBUG(5,("api_pipe_alter_context: decode request. %d\n", __LINE__));
1841 
1842         /* decode the alter context request */
1843         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
1844                 DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_RB struct.\n"));
1845                 goto err_exit;
1846         }
1847 
1848         /* secondary address CAN be NULL
1849          * as the specs say it's ignored.
1850          * It MUST be NULL to have the spoolss working.
1851          */
1852         fstrcpy(ack_pipe_name,"");
1853 
1854         DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1855 
1856         /*
1857          * Check if this is an authenticated alter context request.
1858          */
1859 
1860         if (p->hdr.auth_len != 0) {
1861                 /* 
1862                  * Decode the authentication verifier.
1863                  */
1864 
1865                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
1866                         DEBUG(0,("api_pipe_alter_context: unable to unmarshall RPC_HDR_AUTH struct.\n"));
1867                         goto err_exit;
1868                 }
1869 
1870                 /*
1871                  * Currently only the SPNEGO auth type uses the alter ctx
1872                  * response in place of the NTLMSSP auth3 type.
1873                  */
1874 
1875                 if (auth_info.auth_type == RPC_SPNEGO_AUTH_TYPE) {
1876                         /* We can only finish if the pipe is unbound. */
1877                         if (!p->pipe_bound) {
1878                                 if (!pipe_spnego_auth_bind_continue(p, rpc_in_p, &auth_info, &out_auth)) {
1879                                         goto err_exit;
1880                                 }
1881                         } else {
1882                                 goto err_exit;
1883                         }
1884                 }
1885         } else {
1886                 ZERO_STRUCT(auth_info);
1887         }
1888 
1889         assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1890 
1891         /*
1892          * Create the bind response struct.
1893          */
1894 
1895         /* If the requested abstract synt uuid doesn't match our client pipe,
1896                 reject the bind_ack & set the transfer interface synt to all 0's,
1897                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1898                 unknown to NT4)
1899                 Needed when adding entries to a DACL from NT5 - SK */
1900 
1901         if(check_bind_req(p, &hdr_rb.rpc_context[0].abstract, &hdr_rb.rpc_context[0].transfer[0],
1902                                 hdr_rb.rpc_context[0].context_id )) {
1903                 init_rpc_hdr_ba(&hdr_ba,
1904                         RPC_MAX_PDU_FRAG_LEN,
1905                         RPC_MAX_PDU_FRAG_LEN,
1906                         assoc_gid,
1907                         ack_pipe_name,
1908                         0x1, 0x0, 0x0,
1909                         &hdr_rb.rpc_context[0].transfer[0]);
1910         } else {
1911                 RPC_IFACE null_interface;
1912                 ZERO_STRUCT(null_interface);
1913                 /* Rejection reason: abstract syntax not supported */
1914                 init_rpc_hdr_ba(&hdr_ba, RPC_MAX_PDU_FRAG_LEN,
1915                                         RPC_MAX_PDU_FRAG_LEN, assoc_gid,
1916                                         ack_pipe_name, 0x1, 0x2, 0x1,
1917                                         &null_interface);
1918                 p->pipe_bound = False;
1919         }
1920 
1921         /*
1922          * and marshall it.
1923          */
1924 
1925         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1926                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR_BA failed.\n"));
1927                 goto err_exit;
1928         }
1929 
1930         /*
1931          * Create the header, now we know the length.
1932          */
1933 
1934         if (prs_offset(&out_auth)) {
1935                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1936         }
1937 
1938         init_rpc_hdr(&p->hdr, RPC_ALTCONTRESP, RPC_FLG_FIRST | RPC_FLG_LAST,
1939                         p->hdr.call_id,
1940                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1941                         auth_len);
1942 
1943         /*
1944          * Marshall the header into the outgoing PDU.
1945          */
1946 
1947         if(!smb_io_rpc_hdr("", &p->hdr, &p->out_data.frag, 0)) {
1948                 DEBUG(0,("api_pipe_alter_context: marshalling of RPC_HDR failed.\n"));
1949                 goto err_exit;
1950         }
1951 
1952         /*
1953          * Now add the RPC_HDR_BA and any auth needed.
1954          */
1955 
1956         if(!prs_append_prs_data(&p->out_data.frag, &out_hdr_ba)) {
1957                 DEBUG(0,("api_pipe_alter_context: append of RPC_HDR_BA failed.\n"));
1958                 goto err_exit;
1959         }
1960 
1961         if (auth_len && !prs_append_prs_data(&p->out_data.frag, &out_auth)) {
1962                 DEBUG(0,("api_pipe_alter_context: append of auth info failed.\n"));
1963                 goto err_exit;
1964         }
1965 
1966         /*
1967          * Setup the lengths for the initial reply.
1968          */
1969 
1970         p->out_data.data_sent_length = 0;
1971         p->out_data.current_pdu_sent = 0;
1972 
1973         prs_mem_free(&out_hdr_ba);
1974         prs_mem_free(&out_auth);
1975 
1976         return True;
1977 
1978   err_exit:
1979 
1980         prs_mem_free(&p->out_data.frag);
1981         prs_mem_free(&out_hdr_ba);
1982         prs_mem_free(&out_auth);
1983         return setup_bind_nak(p);
1984 }
1985 
1986 /****************************************************************************
1987  Deal with NTLMSSP sign & seal processing on an RPC request.
1988 ****************************************************************************/
1989 
1990 bool api_pipe_ntlmssp_auth_process(pipes_struct *p, prs_struct *rpc_in,
     /* [<][>][^][v][top][bottom][index][help] */
1991                                         uint32 *p_ss_padding_len, NTSTATUS *pstatus)
1992 {
1993         RPC_HDR_AUTH auth_info;
1994         uint32 auth_len = p->hdr.auth_len;
1995         uint32 save_offset = prs_offset(rpc_in);
1996         AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
1997         unsigned char *data = NULL;
1998         size_t data_len;
1999         unsigned char *full_packet_data = NULL;
2000         size_t full_packet_data_len;
2001         DATA_BLOB auth_blob;
2002 
2003         *pstatus = NT_STATUS_OK;
2004 
2005         if (p->auth.auth_level == PIPE_AUTH_LEVEL_NONE || p->auth.auth_level == PIPE_AUTH_LEVEL_CONNECT) {
2006                 return True;
2007         }
2008 
2009         if (!a) {
2010                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2011                 return False;
2012         }
2013 
2014         /* Ensure there's enough data for an authenticated request. */
2015         if ((auth_len > RPC_MAX_SIGN_SIZE) ||
2016                         (RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len > p->hdr.frag_len)) {
2017                 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len %u is too large.\n",
2018                         (unsigned int)auth_len ));
2019                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2020                 return False;
2021         }
2022 
2023         /*
2024          * We need the full packet data + length (minus auth stuff) as well as the packet data + length
2025          * after the RPC header. 
2026          * We need to pass in the full packet (minus auth len) to the NTLMSSP sign and check seal
2027          * functions as NTLMv2 checks the rpc headers also.
2028          */
2029 
2030         data = (unsigned char *)(prs_data_p(rpc_in) + RPC_HDR_REQ_LEN);
2031         data_len = (size_t)(p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - RPC_HDR_AUTH_LEN - auth_len);
2032 
2033         full_packet_data = p->in_data.current_in_pdu;
2034         full_packet_data_len = p->hdr.frag_len - auth_len;
2035 
2036         /* Pull the auth header and the following data into a blob. */
2037         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2038                 DEBUG(0,("api_pipe_ntlmssp_auth_process: cannot move offset to %u.\n",
2039                         (unsigned int)RPC_HDR_REQ_LEN + (unsigned int)data_len ));
2040                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2041                 return False;
2042         }
2043 
2044         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2045                 DEBUG(0,("api_pipe_ntlmssp_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
2046                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2047                 return False;
2048         }
2049 
2050         auth_blob.data = (unsigned char *)prs_data_p(rpc_in) + prs_offset(rpc_in);
2051         auth_blob.length = auth_len;
2052 
2053         switch (p->auth.auth_level) {
2054                 case PIPE_AUTH_LEVEL_PRIVACY:
2055                         /* Data is encrypted. */
2056                         *pstatus = ntlmssp_unseal_packet(a->ntlmssp_state,
2057                                                         data, data_len,
2058                                                         full_packet_data,
2059                                                         full_packet_data_len,
2060                                                         &auth_blob);
2061                         if (!NT_STATUS_IS_OK(*pstatus)) {
2062                                 return False;
2063                         }
2064                         break;
2065                 case PIPE_AUTH_LEVEL_INTEGRITY:
2066                         /* Data is signed. */
2067                         *pstatus = ntlmssp_check_packet(a->ntlmssp_state,
2068                                                         data, data_len,
2069                                                         full_packet_data,
2070                                                         full_packet_data_len,
2071                                                         &auth_blob);
2072                         if (!NT_STATUS_IS_OK(*pstatus)) {
2073                                 return False;
2074                         }
2075                         break;
2076                 default:
2077                         *pstatus = NT_STATUS_INVALID_PARAMETER;
2078                         return False;
2079         }
2080 
2081         /*
2082          * Return the current pointer to the data offset.
2083          */
2084 
2085         if(!prs_set_offset(rpc_in, save_offset)) {
2086                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
2087                         (unsigned int)save_offset ));
2088                 *pstatus = NT_STATUS_INVALID_PARAMETER;
2089                 return False;
2090         }
2091 
2092         /*
2093          * Remember the padding length. We must remove it from the real data
2094          * stream once the sign/seal is done.
2095          */
2096 
2097         *p_ss_padding_len = auth_info.auth_pad_len;
2098 
2099         return True;
2100 }
2101 
2102 /****************************************************************************
2103  Deal with schannel processing on an RPC request.
2104 ****************************************************************************/
2105 
2106 bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss_padding_len)
     /* [<][>][^][v][top][bottom][index][help] */
2107 {
2108         uint32 data_len;
2109         uint32 auth_len;
2110         uint32 save_offset = prs_offset(rpc_in);
2111         RPC_HDR_AUTH auth_info;
2112         RPC_AUTH_SCHANNEL_CHK schannel_chk;
2113 
2114         auth_len = p->hdr.auth_len;
2115 
2116         if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
2117                         auth_len > RPC_HEADER_LEN +
2118                                         RPC_HDR_REQ_LEN +
2119                                         RPC_HDR_AUTH_LEN +
2120                                         auth_len) {
2121                 DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
2122                 return False;
2123         }
2124 
2125         /*
2126          * The following is that length of the data we must verify or unseal.
2127          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
2128          * preceeding the auth_data.
2129          */
2130 
2131         if (p->hdr.frag_len < RPC_HEADER_LEN + RPC_HDR_REQ_LEN + RPC_HDR_AUTH_LEN + auth_len) {
2132                 DEBUG(0,("Incorrect frag %u, auth %u.\n",
2133                         (unsigned int)p->hdr.frag_len,
2134                         (unsigned int)auth_len ));
2135                 return False;
2136         }
2137 
2138         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
2139                 RPC_HDR_AUTH_LEN - auth_len;
2140 
2141         DEBUG(5,("data %d auth %d\n", data_len, auth_len));
2142 
2143         if(!prs_set_offset(rpc_in, RPC_HDR_REQ_LEN + data_len)) {
2144                 DEBUG(0,("cannot move offset to %u.\n",
2145                          (unsigned int)RPC_HDR_REQ_LEN + data_len ));
2146                 return False;
2147         }
2148 
2149         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
2150                 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
2151                 return False;
2152         }
2153 
2154         if (auth_info.auth_type != RPC_SCHANNEL_AUTH_TYPE) {
2155                 DEBUG(0,("Invalid auth info %d on schannel\n",
2156                          auth_info.auth_type));
2157                 return False;
2158         }
2159 
2160         if(!smb_io_rpc_auth_schannel_chk("", RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN, &schannel_chk, rpc_in, 0)) {
2161                 DEBUG(0,("failed to unmarshal RPC_AUTH_SCHANNEL_CHK.\n"));
2162                 return False;
2163         }
2164 
2165         if (!schannel_decode(p->auth.a_u.schannel_auth,
2166                            p->auth.auth_level,
2167                            SENDER_IS_INITIATOR,
2168                            &schannel_chk,
2169                            prs_data_p(rpc_in)+RPC_HDR_REQ_LEN, data_len)) {
2170                 DEBUG(3,("failed to decode PDU\n"));
2171                 return False;
2172         }
2173 
2174         /*
2175          * Return the current pointer to the data offset.
2176          */
2177 
2178         if(!prs_set_offset(rpc_in, save_offset)) {
2179                 DEBUG(0,("failed to set offset back to %u\n",
2180                          (unsigned int)save_offset ));
2181                 return False;
2182         }
2183 
2184         /* The sequence number gets incremented on both send and receive. */
2185         p->auth.a_u.schannel_auth->seq_num++;
2186 
2187         /*
2188          * Remember the padding length. We must remove it from the real data
2189          * stream once the sign/seal is done.
2190          */
2191 
2192         *p_ss_padding_len = auth_info.auth_pad_len;
2193 
2194         return True;
2195 }
2196 
2197 /****************************************************************************
2198  Find the set of RPC functions associated with this context_id
2199 ****************************************************************************/
2200 
2201 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
     /* [<][>][^][v][top][bottom][index][help] */
2202 {
2203         PIPE_RPC_FNS *fns = NULL;
2204 
2205         if ( !list ) {
2206                 DEBUG(0,("find_pipe_fns_by_context: ERROR!  No context list for pipe!\n"));
2207                 return NULL;
2208         }
2209 
2210         for (fns=list; fns; fns=fns->next ) {
2211                 if ( fns->context_id == context_id )
2212                         return fns;
2213         }
2214         return NULL;
2215 }
2216 
2217 /****************************************************************************
2218  Memory cleanup.
2219 ****************************************************************************/
2220 
2221 void free_pipe_rpc_context( PIPE_RPC_FNS *list )
     /* [<][>][^][v][top][bottom][index][help] */
2222 {
2223         PIPE_RPC_FNS *tmp = list;
2224         PIPE_RPC_FNS *tmp2;
2225 
2226         while (tmp) {
2227                 tmp2 = tmp->next;
2228                 SAFE_FREE(tmp);
2229                 tmp = tmp2;
2230         }
2231 
2232         return; 
2233 }
2234 
2235 static bool api_rpcTNP(pipes_struct *p,
2236                        const struct api_struct *api_rpc_cmds, int n_cmds);
2237 
2238 /****************************************************************************
2239  Find the correct RPC function to call for this request.
2240  If the pipe is authenticated then become the correct UNIX user
2241  before doing the call.
2242 ****************************************************************************/
2243 
2244 bool api_pipe_request(pipes_struct *p)
     /* [<][>][^][v][top][bottom][index][help] */
2245 {
2246         bool ret = False;
2247         bool changed_user = False;
2248         PIPE_RPC_FNS *pipe_fns;
2249 
2250         if (p->pipe_bound &&
2251                         ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
2252                          (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
2253                 if(!become_authenticated_pipe_user(p)) {
2254                         prs_mem_free(&p->out_data.rdata);
2255                         return False;
2256                 }
2257                 changed_user = True;
2258         }
2259 
2260         DEBUG(5, ("Requested \\PIPE\\%s\n",
2261                   get_pipe_name_from_iface(&p->syntax)));
2262 
2263         /* get the set of RPC functions for this context */
2264 
2265         pipe_fns = find_pipe_fns_by_context(p->contexts, p->hdr_req.context_id);
2266 
2267         if ( pipe_fns ) {
2268                 TALLOC_CTX *frame = talloc_stackframe();
2269                 ret = api_rpcTNP(p, pipe_fns->cmds, pipe_fns->n_cmds);
2270                 TALLOC_FREE(frame);
2271         }
2272         else {
2273                 DEBUG(0,("api_pipe_request: No rpc function table associated with context [%d] on pipe [%s]\n",
2274                         p->hdr_req.context_id,
2275                         get_pipe_name_from_iface(&p->syntax)));
2276         }
2277 
2278         if (changed_user) {
2279                 unbecome_authenticated_pipe_user();
2280         }
2281 
2282         return ret;
2283 }
2284 
2285 /*******************************************************************
2286  Calls the underlying RPC function for a named pipe.
2287  ********************************************************************/
2288 
2289 static bool api_rpcTNP(pipes_struct *p,
     /* [<][>][^][v][top][bottom][index][help] */
2290                        const struct api_struct *api_rpc_cmds, int n_cmds)
2291 {
2292         int fn_num;
2293         uint32 offset1, offset2;
2294 
2295         /* interpret the command */
2296         DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
2297                  get_pipe_name_from_iface(&p->syntax), p->hdr_req.opnum));
2298 
2299         if (DEBUGLEVEL >= 50) {
2300                 fstring name;
2301                 slprintf(name, sizeof(name)-1, "in_%s",
2302                          get_pipe_name_from_iface(&p->syntax));
2303                 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
2304         }
2305 
2306         for (fn_num = 0; fn_num < n_cmds; fn_num++) {
2307                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
2308                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
2309                         break;
2310                 }
2311         }
2312 
2313         if (fn_num == n_cmds) {
2314                 /*
2315                  * For an unknown RPC just return a fault PDU but
2316                  * return True to allow RPC's on the pipe to continue
2317                  * and not put the pipe into fault state. JRA.
2318                  */
2319                 DEBUG(4, ("unknown\n"));
2320                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2321                 return True;
2322         }
2323 
2324         offset1 = prs_offset(&p->out_data.rdata);
2325 
2326         DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n", 
2327                 fn_num, api_rpc_cmds[fn_num].fn));
2328         /* do the actual command */
2329         if(!api_rpc_cmds[fn_num].fn(p)) {
2330                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
2331                          get_pipe_name_from_iface(&p->syntax),
2332                          api_rpc_cmds[fn_num].name));
2333                 prs_mem_free(&p->out_data.rdata);
2334                 return False;
2335         }
2336 
2337         if (p->bad_handle_fault_state) {
2338                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
2339                 p->bad_handle_fault_state = False;
2340                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
2341                 return True;
2342         }
2343 
2344         if (p->rng_fault_state) {
2345                 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
2346                 p->rng_fault_state = False;
2347                 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2348                 return True;
2349         }
2350 
2351         offset2 = prs_offset(&p->out_data.rdata);
2352         prs_set_offset(&p->out_data.rdata, offset1);
2353         if (DEBUGLEVEL >= 50) {
2354                 fstring name;
2355                 slprintf(name, sizeof(name)-1, "out_%s",
2356                          get_pipe_name_from_iface(&p->syntax));
2357                 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
2358         }
2359         prs_set_offset(&p->out_data.rdata, offset2);
2360 
2361         DEBUG(5,("api_rpcTNP: called %s successfully\n",
2362                  get_pipe_name_from_iface(&p->syntax)));
2363 
2364         /* Check for buffer underflow in rpc parsing */
2365 
2366         if ((DEBUGLEVEL >= 10) && 
2367             (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
2368                 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
2369                 char *data = (char *)SMB_MALLOC(data_len);
2370 
2371                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
2372                 if (data) {
2373                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);
2374                         SAFE_FREE(data);
2375                 }
2376 
2377         }
2378 
2379         return True;
2380 }

/* [<][>][^][v][top][bottom][index][help] */