Implement the GSS-API credential store API extensions defined by MIT here:
https://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions
Note: we kill off gss_acquire_cred_ext() here. This was never a public API,
although mechanisms could have implemented it and I briefly used it in my
BrowserID prototype mechanism. gss_acquire_cred_ext_from() occupies the place
in the dispatch table where gss_acquire_cred_ext() used to, but this structure
was never visible outside Heimdal (i.e. it is only used by internal
mechanisms);
(Mechanisms that need to accept arbitrary key/value dictionaries from
applications should now implement gss_acquire_cred_from().)
Bugs exposed by 61720a0:
- test_context --client-name=... --mech-type=ntlm ... fails;
- gss_acquire_cred() with desired_mech=NTLM and
desired_name==GSS_C_NO_NAME fails;
- gss_init_sec_context() with non-default cred handle calls the
mechanism even when the given cred handle has no element for the
requencet mechanism.
tests/gss/check-ntlm works by accident: gss_acquire_cred() with
desired_mechs==GSS_C_NO_OID_SET succeeds mostly because there are
Kerberos credentials available, and then the subsequent
gss_init_sec_context() call works because of the third bug described
above.
