krb5: Fix handling of transient crypto request failures

• Instead of using CRYPTO_F_DONE to decide whether a request has completed, use a custom protocol of setting crp_opaque = NULL in the callback and checking that instead. CRYPTO_F_DONE is set independent of whether an error occurred, but for transient errors signaled by EAGAIN, we want to simply retry the request.
• Clear CRYPTO_F_DONE before retrying the request.
• Panic if the request truly failed, as we currently have no way to pass hard errors back up.

Reviewed by: jhb
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D50238

(cherry picked from commit 04421fda140b92eb0d22bc4c0f81b6de05f21225)