r5603: add "authservice()" property to the interface property list

so we can specify allowed target service names in the idl file

the default is "host"

metze

source/build/pidl/ndr.pm

@@ -2008,18 +2008,40 @@ sub FunctionTable($)
 	pidl "";
 
 	pidl "static const struct dcerpc_endpoint_list $interface->{NAME}\_endpoints = {";
-	pidl "\t$endpoint_count, $interface->{NAME}\_endpoint_strings";
+	pidl "\t.count\t= $endpoint_count,";
+	pidl "\t.names\t= $interface->{NAME}\_endpoint_strings";
+	pidl "};";
+	pidl "";
+
+	if (! defined $interface->{PROPERTIES}->{authservice}) {
+		$interface->{PROPERTIES}->{authservice} = "\"host\"";
+	}
+
+	my @a = split / /, $interface->{PROPERTIES}->{authservice};
+	my $authservice_count = $#a + 1;
+
+	pidl "static const char * const $interface->{NAME}\_authservice_strings[] = {";
+	foreach my $ap (@a) {
+		pidl "\t$ap, ";
+	}
+	pidl "};";
+	pidl "";
+
+	pidl "static const struct dcerpc_authservice_list $interface->{NAME}\_authservices = {";
+	pidl "\t.count\t= $endpoint_count,";
+	pidl "\t.names\t= $interface->{NAME}\_authservice_strings";
 	pidl "};";
 	pidl "";
 
 	pidl "\nconst struct dcerpc_interface_table dcerpc_table_$interface->{NAME} = {";
-	pidl "\t\"$interface->{NAME}\",";
-	pidl "\tDCERPC_$uname\_UUID,";
-	pidl "\tDCERPC_$uname\_VERSION,";
-	pidl "\tDCERPC_$uname\_HELPSTRING,";
-	pidl "\t$count,";
-	pidl "\t$interface->{NAME}\_calls,";
-	pidl "\t&$interface->{NAME}\_endpoints";
+	pidl "\t.name\t\t= \"$interface->{NAME}\",";
+	pidl "\t.uuid\t\t= DCERPC_$uname\_UUID,";
+	pidl "\t.if_version\t= DCERPC_$uname\_VERSION,";
+	pidl "\t.helpstring\t= DCERPC_$uname\_HELPSTRING,";
+	pidl "\t.num_calls\t= $count,";
+	pidl "\t.calls\t\t= $interface->{NAME}\_calls,";
+	pidl "\t.endpoints\t= &$interface->{NAME}\_endpoints,";
+	pidl "\t.authservices\t= &$interface->{NAME}\_authservices";
 	pidl "};";
 	pidl "";
 

source/librpc/rpc/dcerpc.h

@@ -153,6 +153,11 @@ struct dcerpc_endpoint_list {
 	const char * const *names;
 };
 
+struct dcerpc_authservice_list {
+	uint32_t count;
+	const char * const *names;
+};
+
 struct dcerpc_interface_table {
 	const char *name;
 	const char *uuid;
@@ -161,6 +166,7 @@ struct dcerpc_interface_table {
 	uint32_t num_calls;
 	const struct dcerpc_interface_call *calls;
 	const struct dcerpc_endpoint_list *endpoints;
+	const struct dcerpc_authservice_list *authservices;
 };
 
 struct dcerpc_interface_list {
@@ -175,6 +181,7 @@ struct dcerpc_binding {
 	uint16_t object_version;
 	const char *host;
 	const char *endpoint;
+	const char *authservice;
 	const char **options;
 	uint32_t flags;
 };

source/librpc/rpc/dcerpc_auth.c

@@ -146,7 +146,8 @@ NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p,
 				   const char *domain,
 				   const char *username,
 				   const char *password,
-				   uint8_t auth_type)
+				   uint8_t auth_type,
+				   const char *service)
 {
 	NTSTATUS status;
 
@@ -189,6 +190,15 @@ NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p,
 		return status;
 	}
 
+	if (service) {
+		status = gensec_set_target_service(p->conn->security_state.generic_state, service);
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(1, ("Failed to start set GENSEC target service: %s\n", 
+				  nt_errstr(status)));
+			return status;
+		}
+	}
+
 	status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state, 
 					       auth_type,
 					       dcerpc_auth_level(p->conn));

source/librpc/rpc/dcerpc_util.c

@@ -789,13 +789,15 @@ NTSTATUS dcerpc_epm_map_binding(TALLOC_CTX *mem_ctx, struct dcerpc_binding *bind
 
 	if (table) {
 		struct dcerpc_binding default_binding;
-		
+
+		binding->authservice = talloc_strdup(mem_ctx, table->authservices->names[0]);
+
 		/* Find one of the default pipes for this interface */
 		for (i = 0; i < table->endpoints->count; i++) {
 			status = dcerpc_parse_binding(mem_ctx, table->endpoints->names[i], &default_binding);
 
 			if (NT_STATUS_IS_OK(status) && default_binding.transport == binding->transport && default_binding.endpoint) {
-				binding->endpoint = talloc_strdup(mem_ctx, default_binding.endpoint);	
+				binding->endpoint = talloc_strdup(mem_ctx, default_binding.endpoint);
 				return NT_STATUS_OK;
 			}
 		}
@@ -808,6 +810,7 @@ NTSTATUS dcerpc_epm_map_binding(TALLOC_CTX *mem_ctx, struct dcerpc_binding *bind
 	epmapper_binding.options = NULL;
 	epmapper_binding.flags = 0;
 	epmapper_binding.endpoint = NULL;
+	epmapper_binding.authservice = NULL;
 	
 	status = dcerpc_pipe_connect_b(&p,
 					&epmapper_binding,
@@ -903,8 +906,9 @@ static NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p,
 
 		status = dcerpc_bind_auth_password(p, pipe_uuid, pipe_version, 
 						   domain, username, password, 
-						   auth_type);
-	} else {    
+						   auth_type,
+						   binding->authservice);
+	} else {
 		status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version);
 	}
 

source/torture/rpc/bind.c

@@ -53,7 +53,7 @@ BOOL torture_multi_bind(void)
 
 	status = dcerpc_parse_binding(mem_ctx, binding_string, &b);
 	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0,("Failed to parse dcerpc binding '%s'\n", binding_string));
+		printf("Failed to parse dcerpc binding '%s'\n", binding_string);
 		talloc_free(mem_ctx);
 		return False;
 	}
@@ -82,21 +82,21 @@ BOOL torture_multi_bind(void)
 
 		status = dcerpc_bind_auth_password(p, pipe_uuid, pipe_version, 
 						   domain, username, password, 
-						   auth_type);
-	} else {    
+						   auth_type,
+						   binding->authservice);
+	} else {
 		status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version);
 	}
 
 	if (NT_STATUS_IS_OK(status)) {
-		DEBUG(0,("(incorrectly) allowed re-bind to uuid %s - %s\n", 
-			 pipe_uuid, nt_errstr(status)));
+		printf("(incorrectly) allowed re-bind to uuid %s - %s\n", 
+			pipe_uuid, nt_errstr(status));
 		ret = False;
 	} else {
+		printf("\n");
 		ret = True;
 	}
 
-	printf("\n");
-	
 	talloc_free(mem_ctx);
 	torture_rpc_close(p);