From bf40d5321f3257bf9354a42d31265f1a9b0d53ad Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 1 Mar 2005 16:08:36 +0000 Subject: [PATCH] r5603: add "authservice()" property to the interface property list so we can specify allowed target service names in the idl file the default is "host" metze --- source/build/pidl/ndr.pm | 38 ++++++++++++++++++++++++++------- source/librpc/rpc/dcerpc.h | 7 ++++++ source/librpc/rpc/dcerpc_auth.c | 12 ++++++++++- source/librpc/rpc/dcerpc_util.c | 12 +++++++---- source/torture/rpc/bind.c | 14 ++++++------ 5 files changed, 63 insertions(+), 20 deletions(-) diff --git a/source/build/pidl/ndr.pm b/source/build/pidl/ndr.pm index 27f0b87d971..c460c92c95a 100644 --- a/source/build/pidl/ndr.pm +++ b/source/build/pidl/ndr.pm @@ -2008,18 +2008,40 @@ sub FunctionTable($) pidl ""; pidl "static const struct dcerpc_endpoint_list $interface->{NAME}\_endpoints = {"; - pidl "\t$endpoint_count, $interface->{NAME}\_endpoint_strings"; + pidl "\t.count\t= $endpoint_count,"; + pidl "\t.names\t= $interface->{NAME}\_endpoint_strings"; + pidl "};"; + pidl ""; + + if (! defined $interface->{PROPERTIES}->{authservice}) { + $interface->{PROPERTIES}->{authservice} = "\"host\""; + } + + my @a = split / /, $interface->{PROPERTIES}->{authservice}; + my $authservice_count = $#a + 1; + + pidl "static const char * const $interface->{NAME}\_authservice_strings[] = {"; + foreach my $ap (@a) { + pidl "\t$ap, "; + } + pidl "};"; + pidl ""; + + pidl "static const struct dcerpc_authservice_list $interface->{NAME}\_authservices = {"; + pidl "\t.count\t= $endpoint_count,"; + pidl "\t.names\t= $interface->{NAME}\_authservice_strings"; pidl "};"; pidl ""; pidl "\nconst struct dcerpc_interface_table dcerpc_table_$interface->{NAME} = {"; - pidl "\t\"$interface->{NAME}\","; - pidl "\tDCERPC_$uname\_UUID,"; - pidl "\tDCERPC_$uname\_VERSION,"; - pidl "\tDCERPC_$uname\_HELPSTRING,"; - pidl "\t$count,"; - pidl "\t$interface->{NAME}\_calls,"; - pidl "\t&$interface->{NAME}\_endpoints"; + pidl "\t.name\t\t= \"$interface->{NAME}\","; + pidl "\t.uuid\t\t= DCERPC_$uname\_UUID,"; + pidl "\t.if_version\t= DCERPC_$uname\_VERSION,"; + pidl "\t.helpstring\t= DCERPC_$uname\_HELPSTRING,"; + pidl "\t.num_calls\t= $count,"; + pidl "\t.calls\t\t= $interface->{NAME}\_calls,"; + pidl "\t.endpoints\t= &$interface->{NAME}\_endpoints,"; + pidl "\t.authservices\t= &$interface->{NAME}\_authservices"; pidl "};"; pidl ""; diff --git a/source/librpc/rpc/dcerpc.h b/source/librpc/rpc/dcerpc.h index 32a03d71a76..db7b76a7796 100644 --- a/source/librpc/rpc/dcerpc.h +++ b/source/librpc/rpc/dcerpc.h @@ -153,6 +153,11 @@ struct dcerpc_endpoint_list { const char * const *names; }; +struct dcerpc_authservice_list { + uint32_t count; + const char * const *names; +}; + struct dcerpc_interface_table { const char *name; const char *uuid; @@ -161,6 +166,7 @@ struct dcerpc_interface_table { uint32_t num_calls; const struct dcerpc_interface_call *calls; const struct dcerpc_endpoint_list *endpoints; + const struct dcerpc_authservice_list *authservices; }; struct dcerpc_interface_list { @@ -175,6 +181,7 @@ struct dcerpc_binding { uint16_t object_version; const char *host; const char *endpoint; + const char *authservice; const char **options; uint32_t flags; }; diff --git a/source/librpc/rpc/dcerpc_auth.c b/source/librpc/rpc/dcerpc_auth.c index c0b72b68423..1bcf4224c46 100644 --- a/source/librpc/rpc/dcerpc_auth.c +++ b/source/librpc/rpc/dcerpc_auth.c @@ -146,7 +146,8 @@ NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p, const char *domain, const char *username, const char *password, - uint8_t auth_type) + uint8_t auth_type, + const char *service) { NTSTATUS status; @@ -189,6 +190,15 @@ NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p, return status; } + if (service) { + status = gensec_set_target_service(p->conn->security_state.generic_state, service); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC target service: %s\n", + nt_errstr(status))); + return status; + } + } + status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state, auth_type, dcerpc_auth_level(p->conn)); diff --git a/source/librpc/rpc/dcerpc_util.c b/source/librpc/rpc/dcerpc_util.c index 3697d2f181b..7b753d1b307 100644 --- a/source/librpc/rpc/dcerpc_util.c +++ b/source/librpc/rpc/dcerpc_util.c @@ -789,13 +789,15 @@ NTSTATUS dcerpc_epm_map_binding(TALLOC_CTX *mem_ctx, struct dcerpc_binding *bind if (table) { struct dcerpc_binding default_binding; - + + binding->authservice = talloc_strdup(mem_ctx, table->authservices->names[0]); + /* Find one of the default pipes for this interface */ for (i = 0; i < table->endpoints->count; i++) { status = dcerpc_parse_binding(mem_ctx, table->endpoints->names[i], &default_binding); if (NT_STATUS_IS_OK(status) && default_binding.transport == binding->transport && default_binding.endpoint) { - binding->endpoint = talloc_strdup(mem_ctx, default_binding.endpoint); + binding->endpoint = talloc_strdup(mem_ctx, default_binding.endpoint); return NT_STATUS_OK; } } @@ -808,6 +810,7 @@ NTSTATUS dcerpc_epm_map_binding(TALLOC_CTX *mem_ctx, struct dcerpc_binding *bind epmapper_binding.options = NULL; epmapper_binding.flags = 0; epmapper_binding.endpoint = NULL; + epmapper_binding.authservice = NULL; status = dcerpc_pipe_connect_b(&p, &epmapper_binding, @@ -903,8 +906,9 @@ static NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p, status = dcerpc_bind_auth_password(p, pipe_uuid, pipe_version, domain, username, password, - auth_type); - } else { + auth_type, + binding->authservice); + } else { status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version); } diff --git a/source/torture/rpc/bind.c b/source/torture/rpc/bind.c index d6265361696..10ffa502899 100644 --- a/source/torture/rpc/bind.c +++ b/source/torture/rpc/bind.c @@ -53,7 +53,7 @@ BOOL torture_multi_bind(void) status = dcerpc_parse_binding(mem_ctx, binding_string, &b); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("Failed to parse dcerpc binding '%s'\n", binding_string)); + printf("Failed to parse dcerpc binding '%s'\n", binding_string); talloc_free(mem_ctx); return False; } @@ -82,21 +82,21 @@ BOOL torture_multi_bind(void) status = dcerpc_bind_auth_password(p, pipe_uuid, pipe_version, domain, username, password, - auth_type); - } else { + auth_type, + binding->authservice); + } else { status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version); } if (NT_STATUS_IS_OK(status)) { - DEBUG(0,("(incorrectly) allowed re-bind to uuid %s - %s\n", - pipe_uuid, nt_errstr(status))); + printf("(incorrectly) allowed re-bind to uuid %s - %s\n", + pipe_uuid, nt_errstr(status)); ret = False; } else { + printf("\n"); ret = True; } - printf("\n"); - talloc_free(mem_ctx); torture_rpc_close(p);