krb5: Improve cccol sub naming; add gss_store_cred_into2()

- Formalize the TYPE:collection_name:subsidiary_name naming scheme for
   ccaches in ccache collections
    - KEYRING: ccaches are weird because they have one more optional field: the
      "anchor", so rather than just assume a naming convention everywhere, we
      add new functions as well
 - Add krb5_cc_{resolve,default}_sub() that allows one to specify a
   "subsidiary" ccache name in a collection separately from the
   collection name
 - Add krb5_cc_{resolve,default}_for() which take a principal name,
   unparse it, and use it as the subsidiary ccache name (with colons
   replaced)
 - Make kinit use the new interfaces
 - Add missing DIR ccache iteration functionality
 - Revamps test_cc
 - Add krb5_cc_get_collection() and krb5_cc_get_subsidiary()
 - Bump the ccops SPI version number
 - Add gss_store_cred_into2()
 - Make MEMORY:anonymous not linked into the global MEMORY ccache
   collection, and uses this for delegated cred handles

TBD:

 - Split this up into a krb5 change and gss mech_krb5 change?
 - Add krb5_cc_init_and_store() utility, per Greg's suggestion?

lib/gssapi/mech/gss_store_cred_into.c

@@ -38,14 +38,23 @@ store_mech_cred(OM_uint32 *minor_status,
 		gssapi_mech_interface m,
 		const struct _gss_mechanism_cred *mc,
 		gss_cred_usage_t input_usage,
-		OM_uint32 overwrite_cred,
-		OM_uint32 default_cred,
+		OM_uint32 store_cred_flags,
 		gss_const_key_value_set_t cred_store,
-		gss_cred_usage_t *usage_stored)
+		gss_cred_usage_t *usage_stored,
+                gss_buffer_set_t *env)
 {
     OM_uint32 major_status;
+    OM_uint32 overwrite_cred =
+        !!(store_cred_flags & GSS_C_STORE_CRED_OVERWRITE);
+    OM_uint32 default_cred = !!(store_cred_flags & GSS_C_STORE_CRED_DEFAULT);
 
-    if (m->gm_store_cred_into) 
+    if (m->gm_store_cred_into2)
+	major_status = m->gm_store_cred_into2(minor_status, mc->gmc_cred,
+					      input_usage, &m->gm_mech_oid,
+                                              store_cred_flags, cred_store,
+                                              NULL, usage_stored,
+                                              env);
+    else if (m->gm_store_cred_into)
 	major_status = m->gm_store_cred_into(minor_status, mc->gmc_cred,
 					     input_usage, &m->gm_mech_oid,
 					     overwrite_cred, default_cred,
@@ -66,25 +75,28 @@ store_mech_cred(OM_uint32 *minor_status,
  * const key/value hashmap-like thing that specifies a credential store in a
  * mechanism- and implementation-specific way, though Heimdal and MIT agree on
  * at least the following keys for the Kerberos mechanism: ccache, keytab, and
- * client_keytab.
+ * client_keytab.  A set of environment variables may be output as well
  */
 GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
-gss_store_cred_into(OM_uint32 *minor_status,
-		    gss_const_cred_id_t input_cred_handle,
-		    gss_cred_usage_t input_usage,
-		    const gss_OID desired_mech,
-		    OM_uint32 overwrite_cred,
-		    OM_uint32 default_cred,
-		    gss_const_key_value_set_t cred_store,
-		    gss_OID_set *elements_stored,
-		    gss_cred_usage_t *cred_usage_stored)
+gss_store_cred_into2(OM_uint32 *minor_status,
+                     gss_const_cred_id_t input_cred_handle,
+                     gss_cred_usage_t input_usage,
+                     const gss_OID desired_mech,
+                     OM_uint32 store_cred_flags,
+                     gss_const_key_value_set_t cred_store,
+                     gss_OID_set *elements_stored,
+                     gss_cred_usage_t *cred_usage_stored,
+                     gss_buffer_set_t *env)
 {
-    struct _gss_cred *cred = (struct _gss_cred *) input_cred_handle;
+    struct _gss_cred *cred = (struct _gss_cred *)input_cred_handle;
     struct _gss_mechanism_cred *mc;
     OM_uint32 major_status;
     OM_uint32 minor;
     size_t successes;
 
+    if (env != NULL)
+        *env = NULL;
+
     if (input_cred_handle == NULL)
 	return GSS_S_CALL_INACCESSIBLE_READ;
 
@@ -117,10 +129,9 @@ gss_store_cred_into(OM_uint32 *minor_status,
             !gss_oid_equal(&m->gm_mech_oid, desired_mech))
             continue;
 
-	major_status = store_mech_cred(minor_status, m, mc,
-				       input_usage, overwrite_cred,
-				       default_cred, cred_store,
-				       cred_usage_stored);
+        major_status = store_mech_cred(minor_status, m, mc, input_usage,
+                                       store_cred_flags, cred_store,
+                                       cred_usage_stored, env);
 	if (major_status == GSS_S_COMPLETE) {
             if (elements_stored && desired_mech != GSS_C_NO_OID)
                 gss_add_oid_set_member(&minor, desired_mech, elements_stored);
@@ -142,3 +153,29 @@ gss_store_cred_into(OM_uint32 *minor_status,
 
     return major_status;
 }
+
+/*
+ * See RFC5588 for gss_store_cred().  This function is a variant that takes a
+ * const key/value hashmap-like thing that specifies a credential store in a
+ * mechanism- and implementation-specific way, though Heimdal and MIT agree on
+ * at least the following keys for the Kerberos mechanism: ccache, keytab, and
+ * client_keytab.
+ */
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_store_cred_into(OM_uint32 *minor_status,
+		    gss_const_cred_id_t input_cred_handle,
+		    gss_cred_usage_t input_usage,
+		    const gss_OID desired_mech,
+		    OM_uint32 overwrite_cred,
+		    OM_uint32 default_cred,
+		    gss_const_key_value_set_t cred_store,
+		    gss_OID_set *elements_stored,
+		    gss_cred_usage_t *cred_usage_stored)
+{
+    OM_uint32 store_cred_flags =
+        (overwrite_cred ? GSS_C_STORE_CRED_OVERWRITE : 0) |
+        (default_cred ? GSS_C_STORE_CRED_DEFAULT : 0);
+    return gss_store_cred_into2(minor_status, input_cred_handle, input_usage,
+                                desired_mech, store_cred_flags, cred_store,
+                                elements_stored, cred_usage_stored, NULL);
+}