[krbdev.mit.edu #5349] Proposed implementation of krb5_server_decrypt_ticket_keyblock and krb5_server_decrypt_ticket_keytab

Jeffrey Altman via RT rt-comment at krbdev.mit.edu
Sat Jan 13 22:41:28 EST 2007


Over the last few years there have been several higher-level security
protocols (TLS KRB5 and RX KRB5) which have required the ability to
perform a ticket decryption outside of the AP_REQ/AP_REP exchange.

In addition, in recent days it has become clear that there is a need for
some mechanism for tools such as kvno and asetkey to be able to validate
whether or not a given keytab in fact contains an entry that can be used
to decrypt the service ticket issued by the KDC.  This has become an
issue because of Microsoft's failure to maintain consistent behavior
related to salts and the various versions of their ktpass tool when
generating keytab entries for single DES enctypes.

Attached to this ticket is a proposed src/lib/krb5/krb/srv_dec_tkt.c
file.  It contains both keytab and keyblock versions of a
krb5_server_decrypt_ticket function.  The keytab version is appropriate
for use with tools such as kvno and asetkey.  The keyblock version is
more appropriate for use with higher level security protocols.

This contribution is a minor re-working of work originally performed by
Marcus Watts.
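The keytab side of the check described in this message, as an added example that is not part of the original ticket and not code from MIT krb5: a small parser for the MIT keytab file format (version 0x0502) that lists the entries whose principal, kvno and enctype would make them candidates for decrypting a given service ticket. The sample keytab bytes, principal names, key bytes and the function names `parse_keytab` and `candidate_entries` are all constructed for this example. Note the caveat that motivates the proposed function: an entry can match on principal, kvno and enctype and still hold a key derived with the wrong salt, which is exactly the ktpass problem above, so a presence check like this one is only a first filter; only an actual decryption of the ticket, as the proposed krb5_server_decrypt_ticket function performs, proves the key is right.

```python
import struct

# Added example, not from the original message or from MIT krb5.  It parses
# the MIT keytab file format (version 0x0502) and reports which entries are
# candidates for decrypting a ticket issued to a given service principal.
# All sample data below is constructed for the example.

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1
ENCTYPE_DES_CBC_CRC = 1
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


def _counted_octets(data):
    """16-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialise one v2 keytab entry (size field first, 32-bit kvno at the end)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))
    body += _counted_octets(realm.encode())
    for c in components:
        body += _counted_octets(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted_octets(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


class _Reader:
    """Bounded reader so a corrupt size field cannot make us read past its entry."""
    def __init__(self, data, start, end):
        self.data, self.pos, self.end = data, start, end

    def take(self, n):
        if self.pos + n > self.end:
            raise ValueError("keytab entry truncated")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def unpack(self, fmt):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))

    def octets(self):
        (n,) = self.unpack(">H")
        return self.take(n)

    def remaining(self):
        return self.end - self.pos


def parse_keytab(data):
    """Return a list of entry dicts; raises ValueError on malformed input."""
    if len(data) < 2 or struct.unpack(">H", data[:2])[0] != KEYTAB_VERSION:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                 # negative size marks a deleted slot to skip
            pos -= size
            continue
        if size == 0 or pos + size > len(data):
            raise ValueError("bad entry size at offset %d" % (pos - 4))
        r = _Reader(data, pos, pos + size)
        (ncomp,) = r.unpack(">H")
        realm = r.octets().decode()
        comps = [r.octets().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = r.unpack(">IIB")
        (enctype,) = r.unpack(">H")
        key = r.octets()
        # The 32-bit kvno is present only when the entry has room for it.
        kvno = r.unpack(">I")[0] if r.remaining() >= 4 else vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type": name_type, "timestamp": timestamp,
            "kvno": kvno, "enctype": enctype, "key": key,
        })
        pos += size
    return entries


def candidate_entries(data, principal, kvno=None, enctype=None):
    """Entries matching the ticket's sname and, when given, its kvno and enctype."""
    return [e for e in parse_keytab(data)
            if e["principal"] == principal
            and (kvno is None or e["kvno"] == kvno)
            and (enctype is None or e["enctype"] == enctype)]


# Constructed sample keytab: two keys for host/www, a deleted slot, one key for HTTP/www.
_DELETED = b"\x00" * 13
SAMPLE_KEYTAB = (
    struct.pack(">H", KEYTAB_VERSION)
    + build_keytab_entry("host/www.example.com@EXAMPLE.COM", 3,
                         ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(32)))
    + build_keytab_entry("host/www.example.com@EXAMPLE.COM", 3,
                         ENCTYPE_DES_CBC_CRC, b"\x01\x02\x04\x07\x08\x0b\x0d\x0e")
    + struct.pack(">i", -len(_DELETED)) + _DELETED
    + build_keytab_entry("HTTP/www.example.com@EXAMPLE.COM", 2,
                         ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(32))
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-36s kvno=%d enctype=%d" % (e["principal"], e["kvno"], e["enctype"]))
    # A ticket for host/www with kvno 3 and enctype 18 has exactly one candidate key.
    print(len(candidate_entries(SAMPLE_KEYTAB, "host/www.example.com@EXAMPLE.COM", 3, 18)))
```

The reader is bounded by each entry's own size field so that a corrupt or truncated keytab raises rather than reading into the next entry, and deleted slots (negative size) are skipped the way the MIT file format specifies. The single-DES entry is included deliberately: it will pass this presence check whether or not ktpass derived it with the salt the KDC used, which is why the check kvno and asetkey need has to decrypt the real ticket.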