krb5ccache.idl: Add definition for a Kerberos credentials cache

Based on specifications found at
https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html

This is primarily designed for parsing and storing a single Kerberos
ticket, due to the limitations of PIDL.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 74fb2cc473cea0eebf641fc4d32d706bac8aa6f2)

3 files changed, 123 insertions, 1 deletions

diff --git a/librpc/idl/krb5ccache.idl b/librpc/idl/krb5ccache.idl
new file mode 100644
index 00000000000..1f0cfa752a9
--- /dev/null
+++ b/librpc/idl/krb5ccache.idl
@@ -0,0 +1,115 @@
+/*
+  krb5 credentials cache (version 3 or 4)
+  specification: https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html
+*/
+
+#include "idl_types.h"
+
+[
+  uuid("1702b695-99ca-4f32-93e4-1e1c4d5ddb53"),
+  version(0.0),
+  pointer_default(unique),
+  helpstring("KRB5 credentials cache")
+]
+interface krb5ccache
+{
+	typedef struct {
+		uint32 name_type;
+		uint32 component_count;
+		[flag(STR_SIZE4|STR_NOTERM|STR_UTF8)] string realm;
+		[flag(STR_SIZE4|STR_NOTERM|STR_UTF8)] string components[component_count];
+	} PRINCIPAL;
+
+	typedef struct {
+		uint16 enctype;
+		DATA_BLOB data;
+	} KEYBLOCK;
+
+	typedef struct {
+		uint16 addrtype;
+		DATA_BLOB data;
+	} ADDRESS;
+
+	typedef struct {
+		uint32 count;
+		ADDRESS data[count];
+	} ADDRESSES;
+
+	typedef struct {
+		uint16 ad_type;
+		DATA_BLOB data;
+	} AUTHDATUM;
+
+	typedef struct {
+		uint32 count;
+		AUTHDATUM data[count];
+	} AUTHDATA;
+
+	typedef struct {
+		PRINCIPAL client;
+		PRINCIPAL server;
+		KEYBLOCK keyblock;
+		uint32 authtime;
+		uint32 starttime;
+		uint32 endtime;
+		uint32 renew_till;
+		uint8 is_skey;
+		uint32 ticket_flags;
+		ADDRESSES addresses;
+		AUTHDATA authdata;
+		DATA_BLOB ticket;
+		DATA_BLOB second_ticket;
+	} CREDENTIAL;
+
+	typedef struct {
+		[value(0)] int32 kdc_sec_offset;
+		[value(0)] int32 kdc_usec_offset;
+	} DELTATIME_TAG;
+
+	typedef [nodiscriminant] union {
+		[case(1)] DELTATIME_TAG deltatime_tag;
+	} FIELD;
+
+	typedef struct {
+		[value(1)] uint16 tag;
+		[subcontext(2),switch_is(tag)] FIELD field;
+	} V4TAG;
+
+	typedef struct {
+		V4TAG tag;
+		/*
+		 * We should allow for more than one tag to be properly parsed, but that
+		 * would require manual parsing.
+		 */
+		[flag(NDR_REMAINING)] DATA_BLOB further_tags;
+	} V4TAGS;
+
+	typedef struct {
+		[subcontext(2)] V4TAGS v4tags;
+	} V4HEADER;
+
+	typedef [nodiscriminant] union {
+		/*
+		 * We don't attempt to support file format versions 1 and 2 as they
+		 * assume native CPU byte order, which makes no sense in PIDL.
+		 */
+		[case(3)] ;
+		[case(4)] V4HEADER v4header;
+	} OPTIONAL_HEADER;
+
+	/* Public structures. */
+
+	typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct {
+		[value(5)] uint8 pvno;
+		[value(4)] uint8 version;
+		[switch_is(version)] OPTIONAL_HEADER optional_header;
+		PRINCIPAL principal;
+		CREDENTIAL cred;
+		[flag(NDR_REMAINING)] DATA_BLOB further_creds;
+	} CCACHE;
+
+	typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct {
+		CREDENTIAL cred;
+		[flag(NDR_REMAINING)] DATA_BLOB further_creds;
+	} MULTIPLE_CREDENTIALS;
+}
diff --git a/librpc/idl/wscript_build b/librpc/idl/wscript_build
index 928f54abde0..0cbd7f8fdfc 100644
--- a/librpc/idl/wscript_build
+++ b/librpc/idl/wscript_build
@@ -147,6 +147,7 @@ bld.SAMBA_PIDL_LIST('PIDL',
                     drsblobs.idl
                     idmap.idl
                     krb5pac.idl
+                    krb5ccache.idl
                     messaging.idl
                     misc.idl
                     nbt.idl
diff --git a/librpc/wscript_build b/librpc/wscript_build
index 02b7640046e..e4632d538a4 100644
--- a/librpc/wscript_build
+++ b/librpc/wscript_build
@@ -374,6 +374,11 @@ bld.SAMBA_LIBRARY('ndr-krb5pac',
     vnum='0.0.1'
     )
 
+bld.SAMBA_SUBSYSTEM('NDR_KRB5CCACHE',
+    source='gen_ndr/ndr_krb5ccache.c',
+    deps='ndr NDR_COMPRESSION NDR_SECURITY ndr-standard asn1util'
+    )
+
 bld.SAMBA_LIBRARY('ndr-standard',
     source='',
     vnum='0.0.1',
@@ -616,7 +621,8 @@ bld.SAMBA_LIBRARY('ndr-samba',
     source=[],
     deps='''NDR_DRSBLOBS NDR_DRSUAPI NDR_IDMAP NDR_NTLMSSP NDR_NEGOEX NDR_SCHANNEL NDR_MGMT
     NDR_DNSSERVER NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_DCOM
-    NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV''',
+    NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV
+    NDR_KRB5CCACHE''',
     private_library=True,
     grouping_library=True
     )