[krbdev.mit.edu #8373] SPNEGO gss_init_sec_context() can fail or prematurely resolve creds

Greg Hudson via RT rt-comment at krbdev.mit.edu
Mon Feb 29 16:29:59 EST 2016


SPNEGO's gss_init_sec_context() must determine a set of negotiable 
mechanisms to send to the server.  If an initiator cred handle was 
provided by the caller, this process begins by calling 
gss_inquire_cred() on the mechglue cred handle, passing NULL for all 
of the result fields except the mechanism list.

Although the mechglue can service this request without making any 
calls to mechs, it makes a call to the first mech in the credential 
anyway.  This can have some unfortunate side-effects:

* If the first cred is a krb5 cred which has not yet been resolved to 
a specific ccache, it will be resolved without the benefit of the 
target name, so the SPNEGO authorization will use the primary 
credential cache rather than one chosen based on the authentication 
target.

* If the first cred is a krb5 cred which has expired (before or after 
resolution), the krb5 gss_inquire_cred() method will return 
GSS_S_CREDENTIALS_EXPIRED, causing the SPNEGO gss_init_sec_context() 
call to fail when it could otherwise proceed with a different 
mechanism.  (In at least some cases, this error could be detected at 
gss_acquire_cred() time.)

The mechglue gss_inquire_context() function should skip the call into 
the mechanism if the caller did not request a name, lifetime, or cred 
usage.
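To make the proposed mechglue behaviour concrete, here is an added C model (illustrative code, not MIT krb5's mechglue) of the inquire_cred path: a union cred whose first mech cred is an expired, unresolved krb5 cred, queried SPNEGO-style for the mechanism list only, once with the current "always call the first mech" behaviour and once with the proposed skip. All struct layouts, function names and status values are constructed for the example.

```c
/* Added model of the mechglue inquire_cred decision described in the
 * report; not MIT krb5 code. Names and values are constructed. */
#include <stddef.h>
#include <stdint.h>

#define GSS_S_COMPLETE            0u
#define GSS_S_NO_CRED             (7u << 16)
#define GSS_S_CREDENTIALS_EXPIRED (11u << 16)

/* expired: would the mech's inquire_cred fail?  resolved: side effect
 * of calling into the mech (e.g. a krb5 cred picking a ccache). */
typedef struct { const char *mech; int expired; int resolved; } mech_cred_t;
typedef struct { mech_cred_t *creds; size_t count; } union_cred_t;

/* Per-mech inquire_cred: resolves the cred (the side effect the report
 * warns about) and fails if the cred has expired. */
static uint32_t mech_inquire_cred(mech_cred_t *c) {
    c->resolved = 1;
    return c->expired ? GSS_S_CREDENTIALS_EXPIRED : GSS_S_COMPLETE;
}

/* Mechglue inquire_cred. want_* model non-NULL output pointers; with
 * skip_unneeded set, the mech is left alone when only the mechanism
 * list (already known to the union cred) was requested. */
static uint32_t glue_inquire_cred(union_cred_t *u, int want_name, int want_lifetime,
                                  int want_usage, int skip_unneeded, size_t *nmechs) {
    if (u->count == 0) return GSS_S_NO_CRED;
    if (!skip_unneeded || want_name || want_lifetime || want_usage) {
        uint32_t st = mech_inquire_cred(&u->creds[0]);
        if (st != GSS_S_COMPLETE) return st;
    }
    if (nmechs) *nmechs = u->count;   /* mech list comes from the union cred itself */
    return GSS_S_COMPLETE;
}

typedef struct { uint32_t status; int krb5_resolved; size_t nmechs; } probe_result_t;

/* SPNEGO-style caller wanting only the mechanism list, with an expired,
 * unresolved krb5 cred first in the union (constructed scenario). */
static probe_result_t spnego_probe(int skip_unneeded) {
    mech_cred_t creds[2] = { {"krb5", 1, 0}, {"other-mech", 0, 0} };
    union_cred_t u = { creds, 2 };
    probe_result_t r = { 0, 0, 0 };
    r.status = glue_inquire_cred(&u, 0, 0, 0, skip_unneeded, &r.nmechs);
    r.krb5_resolved = creds[0].resolved;
    return r;
}
```

With skip_unneeded = 0 the probe fails with GSS_S_CREDENTIALS_EXPIRED and the krb5 cred has been resolved as a side effect; with skip_unneeded = 1 it returns GSS_S_COMPLETE with both mechanisms and the krb5 cred untouched.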