Implement TGS authenticator subkey usage

Implement support for use of a subkey in the TGS req.  This is needed
by FAST TGS support.  The interface to krb5_send_tgs changed in order
to gain a subkey output parameter.  Since this is a private interface
it was renamed to krb5int_send_tgs and removed from the export list.

* send_tgs.c: generate a subkey and return to caller
* decode_kdc_rep.c: Use subkey keyusage
* gc_via_tkt.c: pass in subkey to decode_kdc_rep
* send_tgs.c: use subkey for encrypting authorization data

ticket: 6393
tags: enhancement

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21993 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 8 insertions, 3 deletions

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 61d1aa18f..79d1cf1cd 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -2523,7 +2523,7 @@ krb5_error_code KRB5_CALLCONV krb5_get_default_config_files
 
 void KRB5_CALLCONV krb5_free_config_files
 	(char **filenames);
-krb5_error_code krb5_send_tgs
+krb5_error_code krb5int_send_tgs
 	(krb5_context,
 		krb5_flags,
 		const krb5_ticket_times *,
@@ -2534,11 +2534,16 @@ krb5_error_code krb5_send_tgs
 		krb5_pa_data * const *,
 		const krb5_data *,
 		krb5_creds *,
-		krb5_response * );
+		krb5_response * , krb5_keyblock **subkey);
+                /* The subkey field is an output parameter; if a
+		 * tgs-rep is received then the subkey will be filled
+		 * in with the subkey needed to decrypt the TGS
+		 * response. Otherwise it will be set to null.
+		 */
 krb5_error_code krb5_decode_kdc_rep
 	(krb5_context,
 		krb5_data *,
-		const krb5_keyblock *,
+	  const krb5_keyblock *,
 		krb5_kdc_rep ** );
 
 krb5_error_code krb5_rd_req_decoded