SPNEGO was already using union creds. Now make the mechglue know about
it, delete all of the cred-related SPNEGO stubs that are now not called
(lib/gssapi/spnego/cred_stubs.c), and implement gss_get/set_neg_mechs()
by storing the OID set in the union cred.
This commit was essentially authored as much if not more by Luke Howard
<lukeh at padl.com> as much as by the listed author.
An implementation of draft-zhu-negoex-04 for MIT Kerberos was developed in
2011. This has been recently integrated, with many fixes from Greg Hudson. This
commit ports it to Heimdal. The implementation has been interoperability tested
with MIT Kerberos and Windows, using the GSS EAP mechanism developed as part of
the Moonshot project.
The SPNEGO code was also updated to import the state machine from Apple which
improves mechListMIC processing and avoids discarding initial context tokens
generated during mechanism probing, that can be used for optimistic tokens.
Finally, to aid in testing, the GSS-API mechanism glue configuration file can
be changed using the environment variable GSS_MECH_CONFIG. This environment
variable name, along with the format of the configuration file, is compatible
with MIT (although it would be difficult for a single mechanism binary to
support both implementations).
The GSS mechglue uses singly linked lists for mechanisms and mechanism objects,
to which new entries are inserted at the head. This breaks ordering of
mechanisms specified in OID sets and in /etc/gss/mech, as they will be back to
front. Use a tail queue instead so that new entries are inserted at the end.
Apple's Heimdal impelmentation uses a number of utility functions for
allocating names and credentials, to avoid calling malloc or calloc directly.
Import them.
* check `ctx->gc_ctx` in `gss_inquire_context()`
* check `gm_inquire_cred != NULL` in `gss_inquire_context()`
* check `min_lifetime` in `gss_inquire_cred()`
* check `gm_inquire_cred_by_mech != NULL` in `gss_inquire_cred_by_mech()`
* set mech error in `gss_inquire_cred_by_oid()`
* don't clobber error in `gss_inquire_cred_by_oid()`
* don't pass NULL minor_status to `gss_krb5_free_lucid_sec_context()`
* allow NULL ccache in `gss_krb5_ccache_name()`
* NULL names OK in `_gss_find_mn()`
* allow empty names in `gss_import_name()` (removes `input_name_buffer` length
check). to support ANONYMOUS. in `gss_import_name()`, ignore mech name
import failure as long as it's possible to import the name in some other
mechanism
* better argument validation in `gss_export_sec_context()`
* in `gss_compare_name()`, check `mn2 != NULL`
* check `gss_add_oid_set_member()` return code in `gss_indicate_mechs()`
* in `gss_destroy_cred()`, set output cred handle to `GSS_C_NO_CREDENTIAL`
* cast size_t to OM_uint32 where required
