krb5: import Heimdal-597.121.1 AS/TGS client

Sync with most changes in AS/TGS client from Apple's Heimdal-597.121.1
(opensource.apple.com).

Changes include:

 - FAST support in TGS client
 - Refactored pre-auth client to be more easily extensible
 - Pin KDC host and AD site name in API calls

Note the completely refactored TGS client loop is not imported as that was
considered too intrusive.

lib/krb5/version-script.map

@@ -600,6 +600,8 @@ HEIMDAL_KRB5_2.0 {
 		krb5_sendto_ctx_set_type;
 		krb5_sendto_kdc;
 		krb5_sendto_kdc_flags;
+		krb5_sendto_set_hostname;
+		krb5_sendto_set_sitename;
 		krb5_set_config;
 		krb5_set_config_files;
 		krb5_set_debug_dest;
@@ -791,10 +793,13 @@ HEIMDAL_KRB5_2.0 {
 		_krb5_init_creds_get_gss_mechanism;
 		_krb5_init_creds_set_gss_cred;
 		_krb5_init_creds_get_gss_cred;
-		_krb5_init_creds_set_gss_context;
-		_krb5_init_creds_get_gss_context;
 		_krb5_init_creds_init_gss;
 
+		# Private init_creds API
+		_krb5_init_creds_get_cred_starttime;
+		_krb5_init_creds_get_cred_endtime;
+		_krb5_init_creds_get_cred_client;
+
 		# Shared with libkadm5
 		_krb5_load_plugins;
 		_krb5_unload_plugins;
@@ -824,6 +829,8 @@ HEIMDAL_KRB5_2.0 {
 		_krb5_s4u2self_to_checksumdata;
 		_krb5_HMAC_MD5_checksum;
 		_krb5_crypto_set_flags;
+		_krb5_make_pa_enc_challenge;
+		_krb5_validate_pa_enc_challenge;
 
 		# kinit helper
 		krb5_get_init_creds_opt_set_pkinit_user_certs;
@@ -834,10 +841,13 @@ HEIMDAL_KRB5_2.0 {
 		krb5_init_creds_set_fast_anon_pkinit;
 		krb5_init_creds_set_fast_ccache;
 		krb5_init_creds_set_keytab;
+		krb5_init_creds_set_kdc_hostname;
 		krb5_init_creds_get;
+		krb5_init_creds_get_as_reply_key;
 		krb5_init_creds_get_creds;
 		krb5_init_creds_get_error;
 		krb5_init_creds_set_password;
+		krb5_init_creds_set_sitename;
 		krb5_init_creds_step;
 		krb5_init_creds_store;
 		krb5_init_creds_free;