The functions for storing and retrieving GSS OIDs and buffers from
krb5_storage, added in 6554dc69, are generally useful. Move those into private
_gss_mg_XXX() API and update gss_{export,import}_{cred,sec_context} to use them
where appropriate.
Code style/consistency: store_negoex_auth_mech() should free the exported
context buffer after use. There is no leak as the buffer was freed at the end
of the function.
Support for exporting partially established acceptor context tokens. With this,
an acceptor can send the initiator an encrypted state cookie containing the
exported context token.
(The concrete mechanism, of course, must either require a single round trip or
support partial context export itself. Kerberos and GSS EAP would work, but
Kerberos with GSS_C_DCE_STYLE would not, as currently implemented.)
Partial context export is not permitted for initiators.
