Add krb5_get_renewed_creds() and krb5_get_validated_creds()

[steffen-kiess]

I updated the PR to include a testcase for krb5_get_validated_creds(), and now the tests on MacOS seem to be failing.

From what I can see the problem is that:

• heimdal under Linux has an implementation for krb5_get_validated_creds(), but does not export it (it is not listed in https://github.com/heimdal/heimdal/blob/1b62220778c570f27e25db6eac14229b1769775a/lib/krb5/version-script.map), therefore the _creds_mit extension will not be built.
• heimdal on MacOS seems to export krb5_get_validated_creds(), therefore the _creds_mit extension will be built (see e.g. the logs in https://github.com/jborean93/pykrb5/actions/runs/8269018140/job/22623359479?pr=40).
• However, the heimdal implementation of krb5_get_validated_creds() seems to be broken / doing something completely different from the MIT implementation, see https://github.com/heimdal/heimdal/blob/1b62220778c570f27e25db6eac14229b1769775a/lib/krb5/verify_init.c#L217: It tries to use the creds argument, which according to https://web.mit.edu/kerberos/krb5-1.15/doc/appdev/refs/api/krb5_verify_init_creds.html is an output argument, completely ignores ccache, and then calls krb5_verify_init_creds() (which will try to do a verification of the credentials against the default keytab, which has nothing to do with asking the KDC to validate a postdated ticket). Because the creds argument is used as an input argument but is set to NULL, this triggers a segmentation fault: (I reproduced this on Linux by exporting krb5_get_validated_creds from heimdal libkrb5)

  (gdb) where
  #0  0x00007ffff74c174b in krb5_realm_compare (context=context@entry=0x1054ad0, 
  princ1=princ1@entry=0x0, princ2=princ2@entry=0x1058960) at principal.c:1013
  #1  0x00007ffff74c1782 in krb5_principal_compare (
  context=context@entry=0x1054ad0, princ1=0x0, princ2=0x1058960)
  at principal.c:991
  #2  0x00007ffff74d1ca9 in krb5_get_validated_creds (context=0x1054ad0, 
  creds=creds@entry=0x7ffff761dd98, client=<optimized out>, 
  ccache=<optimized out>, service=service@entry=0x0) at verify_init.c:228
  #3  0x00007ffff6adc9af in __pyx_pf_4krb5_10_creds_mit_get_validated_creds (
  __pyx_self=<optimized out>, __pyx_v_in_tkt_service=..., 
  __pyx_v_ccache=0x7ffff75bcbe0, __pyx_v_client=0x7ffff75c4200, 
  __pyx_v_context=0x7ffff773ae10) at src/krb5/_creds_mit.c:2670

So I'll change the PR to never include krb5_get_validated_creds with heimdal, even if it is available.

[jborean93]

So I'll change the PR to never include krb5_get_validated_creds with heimdal, even if it is available.

Makes sense, I probably prefer to favour the MIT implementation anyway.