[krbdev.mit.edu #7858] SPNEGO server responds incorrectly to Microsoft krb5 mech type

[Greg Hudson via RT]

Microsoft's SPNEGO implementation erroneously uses 1.2.840.48018.1.2.2 
as the krb5 mech OID.  If an initiator sends a SPNEGO token with an 
optimistic mech token of this erroneous OID and the acceptor uses this 
token, the acceptor must respond with the erroneous OID in the 
supportedMech field of the NegTokenResp message, per [MS-SPNG].

Since 1.10 we have been responding with the real krb5 mech OID 
(1.2.840.113554.1.2.2) in supportedMech, due to a combination of two 
changes:

* In r21361 (which was part of the mskrb5-integ branch and went into 
1.7), Luke added explicit code to match the Microsoft krb5 mech OID in 
negotiate_mech_type, so that we would look for the real krb5 mech in 
supported_mechSet.  It is not clear why this is needed since we have a 
mech definition for the Microsoft krb5 mech OID, but it didn't cause any 
problems because the sender's mech OID was copied to create the mech 
OID.

* In r25590 (which was pulled up to 1.10), I changed the SPNEGO context 
to contain a list of mechs and an alias into that list for 
internal_mech.  The intent of the change was only to affect the behavior 
of the initiator, but negotiate_mech_type was renamed to negotiate_mech 
and changed to return an alias to the element we found in supported 
rather than a copy of the element we chose from the sender.  Because of 
this, when the sender uses the MS krb5 mech OID, we respond with the 
real one.

The acceptor code doesn't use mech_set field except to hold the memory 
pointed to by internal_mech, so we can safely change it to store the 
initiator's mech list and an alias into it.