Add new kadmin/ktutil --keep* and --enctypes opts

- Add --keepold/keepallold/pruneall options to various kadmin/ktutil
   commands.  Default behavior to "prune old keys".

 - When setting keys for a service, we need to specify enctypes for it:

    - Always use kadm5_randkey_principal_3() instead of the older
      kadm5_randkey_principal().

    - Add krb5_string_to_keysalts2(), like MIT's krb5_string_to_keysalts(),
      but with a context, and simpler.

    - Add --enctypes options to various kadmin/ktutil commands.

    - Add [libdefaults] supported_enctypes param with enctype[:salttype]
      list.

    - Add [realms] realm supported_enctypes param with enctype[:salttype]
      list.

      Default to aes128-cts-hmac-sha1-96:normal.

lib/krb5/salt.c

@@ -91,6 +91,69 @@ krb5_string_to_salttype (krb5_context context,
     return HEIM_ERR_SALTTYPE_NOSUPP;
 }
 
+/*
+ * Like MIT's krb5_string_to_keysalts(), but simpler and with a context
+ * argument.
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_string_to_keysalts2(krb5_context context, const char *string,
+                         size_t *nksaltp, krb5_key_salt_tuple **ksaltp)
+{
+    /* deleted: tupleseps, ksaltseps, dups */
+    krb5_key_salt_tuple *tmp = NULL;
+    krb5_error_code ret = 0;
+    char *copy, *token, *stype_str;
+    char *lasts = NULL;
+    krb5_enctype etype;
+    krb5_salttype stype;
+    size_t i;
+
+    *ksaltp = NULL;
+    *nksaltp = 0;
+    if ((copy = strdup(string)) == NULL)
+        return krb5_enomem(context);
+    for (token = strtok_r(copy, ", \t", &lasts), ret = 0;
+         token != NULL;
+         token = strtok_r(NULL, ", \t", &lasts)) {
+        if ((stype_str = strchr(token, ':')) != NULL)
+            *(stype_str++) = '\0';
+        if ((ret = krb5_string_to_enctype(context, token, &etype)))
+            continue;
+        if (stype_str == NULL)
+            stype = KRB5_PW_SALT;
+        else if ((ret = krb5_string_to_salttype(context, etype, stype_str, &stype)))
+            continue;
+        for (i = 0; i < *nksaltp; i++) {
+            if ((*ksaltp)[i].ks_enctype == etype &&
+                (*ksaltp)[i].ks_salttype == stype)
+                goto skip;
+        }
+        tmp = realloc(*ksaltp, ((*nksaltp) + 1) * sizeof(**ksaltp));
+        if (tmp == NULL) {
+            ret = krb5_enomem(context);
+            break;
+        }
+        *ksaltp = tmp;
+        (*ksaltp)[*nksaltp].ks_enctype = etype;
+        (*ksaltp)[*nksaltp].ks_salttype = stype;
+        (*nksaltp)++;
+skip:
+        (void)1;
+    }
+    free(copy);
+    if (ret == ENOMEM) {
+        free(*ksaltp);
+        *nksaltp = 0;
+        *ksaltp = NULL;
+    } else if (*nksaltp) {
+        return 0;
+    } else if (ret == 0) {
+        return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    return ret;
+}
+
+
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_pw_salt(krb5_context context,
 		 krb5_const_principal principal,