Add submodule dependency filesHEADmaster

Change-Id: Iaf8d18082d3991dec7c0ebbea540f092188eb4ec

1 files changed, 492 insertions, 0 deletions

diff --git a/roms/edk2/CryptoPkg/Library/OpensslLib/openssl/krb5/doc/mitK5features.rst b/roms/edk2/CryptoPkg/Library/OpensslLib/openssl/krb5/doc/mitK5features.rst
new file mode 100644
index 000000000..584f7b893
--- /dev/null
+++ b/roms/edk2/CryptoPkg/Library/OpensslLib/openssl/krb5/doc/mitK5features.rst
@@ -0,0 +1,492 @@
+.. highlight:: rst
+
+.. toctree::
+    :hidden:
+
+    mitK5license.rst
+
+.. _mitK5features:
+
+MIT Kerberos features
+=====================
+
+https://web.mit.edu/kerberos
+
+
+Quick facts
+-----------
+
+License - :ref:`mitK5license`
+
+Releases:
+    - Latest stable: https://web.mit.edu/kerberos/krb5-1.17/
+    - Supported: https://web.mit.edu/kerberos/krb5-1.16/
+    - Release cycle: 9 -- 12 months
+
+Supported platforms \/ OS distributions:
+    - Windows (KfW 4.0): Windows 7, Vista, XP
+    - Solaris: SPARC, x86_64/x86
+    - GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86
+    - BSD: NetBSD x86_64/x86
+
+Crypto backends:
+    - builtin - MIT Kerberos native crypto library
+    - OpenSSL (1.0\+) - https://www.openssl.org
+
+Database backends: LDAP, DB2, LMDB
+
+krb4 support: Kerberos 5 release < 1.8
+
+DES support: configurable (See :ref:`retiring-des`)
+
+Interoperability
+----------------
+
+`Microsoft`
+
+Starting from release 1.7:
+
+* Follow client principal referrals in the client library when
+  obtaining initial tickets.
+
+* KDC can issue realm referrals for service principals based on domain names.
+
+* Extensions supporting DCE RPC, including three-leg GSS context setup
+  and unencapsulated GSS tokens inside SPNEGO.
+
+* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
+  similar to the equivalent SSPI functionality.  This is needed to
+  support some instances of DCE RPC.
+
+* NTLM recognition support in GSS-API, to facilitate dropping in an
+  NTLM implementation for improved compatibility with older releases
+  of Microsoft Windows.
+
+* KDC support for principal aliases, if the back end supports them.
+  Currently, only the LDAP back end supports aliases.
+
+* Support Microsoft set/change password (:rfc:`3244`) protocol in
+  kadmind.
+
+* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
+  allows a GSS application to request credential delegation only if
+  permitted by KDC policy.
+
+
+Starting from release 1.8:
+
+* Microsoft Services for User (S4U) compatibility
+
+
+`Heimdal`
+
+* Support for KCM credential cache starting from release 1.13
+
+Feature list
+------------
+
+For more information on the specific project see https://k5wiki.kerberos.org/wiki/Projects
+
+Release 1.7
+ -   Credentials delegation                   :rfc:`5896`
+ -   Cross-realm authentication and referrals :rfc:`6806`
+ -   Master key migration
+ -   PKINIT                                   :rfc:`4556` :ref:`pkinit`
+
+Release 1.8
+ -   Anonymous PKINIT         :rfc:`6112` :ref:`anonymous_pkinit`
+ -   Constrained delegation
+ -   IAKERB                   https://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02
+ -   Heimdal bridge plugin for KDC backend
+ -   GSS-API S4U extensions   https://msdn.microsoft.com/en-us/library/cc246071
+ -   GSS-API naming extensions                            :rfc:`6680`
+ -   GSS-API extensions for storing delegated credentials :rfc:`5588`
+
+Release 1.9
+ -   Advance warning on password expiry
+ -   Camellia encryption (CTS-CMAC mode)       :rfc:`6803`
+ -   KDC support for SecurID preauthentication
+ -   kadmin over IPv6
+ -   Trace logging                             :ref:`trace_logging`
+ -   GSSAPI/KRB5 multi-realm support
+ -   Plugin to test password quality           :ref:`pwqual_plugin`
+ -   Plugin to synchronize password changes    :ref:`kadm5_hook_plugin`
+ -   Parallel KDC
+ -   GSS-API extentions for SASL GS2 bridge    :rfc:`5801` :rfc:`5587`
+ -   Purging old keys
+ -   Naming extensions for delegation chain
+ -   Password expiration API
+ -   Windows client support   (build-only)
+ -   IPv6 support in iprop
+
+Release 1.10
+ -   Plugin interface for configuration        :ref:`profile_plugin`
+ -   Credentials for multiple identities       :ref:`ccselect_plugin`
+
+Release 1.11
+ -   Client support for FAST OTP               :rfc:`6560`
+ -   GSS-API extensions for credential locations
+ -   Responder mechanism
+
+Release 1.12
+ -   Plugin to control krb5_aname_to_localname and krb5_kuserok behavior   :ref:`localauth_plugin`
+ -   Plugin to control hostname-to-realm mappings and the default realm    :ref:`hostrealm_plugin`
+ -   GSSAPI extensions for constructing MIC tokens using IOV lists         :ref:`gssapi_mic_token`
+ -   Principal may refer to nonexistent policies `Policy Refcount project <https://k5wiki.kerberos.org/wiki/Projects/Policy_refcount_elimination>`_
+ -   Support for having no long-term keys for a principal `Principals Without Keys project <https://k5wiki.kerberos.org/wiki/Projects/Principals_without_keys>`_
+ -   Collection support to the KEYRING credential cache type on Linux :ref:`ccache_definition`
+ -   FAST OTP preauthentication module for the KDC which uses RADIUS to validate OTP token values :ref:`otp_preauth`
+ -   Experimental Audit plugin for KDC processing `Audit project <https://k5wiki.kerberos.org/wiki/Projects/Audit>`_
+
+Release 1.13
+
+ -   Add support for accessing KDCs via an HTTPS proxy server using
+     the `MS-KKDCP
+     <https://msdn.microsoft.com/en-us/library/hh553774.aspx>`_
+     protocol.
+ -   Add support for `hierarchical incremental propagation
+     <https://k5wiki.kerberos.org/wiki/Projects/Hierarchical_iprop>`_,
+     where replicas can act as intermediates between an upstream master
+     and other downstream replicas.
+ -   Add support for configuring GSS mechanisms using
+     ``/etc/gss/mech.d/*.conf`` files in addition to
+     ``/etc/gss/mech``.
+ -   Add support to the LDAP KDB module for `binding to the LDAP
+     server using SASL
+     <https://k5wiki.kerberos.org/wiki/Projects/LDAP_SASL_support>`_.
+ -   The KDC listens for TCP connections by default.
+ -   Fix a minor key disclosure vulnerability where using the
+     "keepold" option to the kadmin randkey operation could return the
+     old keys. `[CVE-2014-5351]
+     <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5351>`_
+ -   Add client support for the Kerberos Cache Manager protocol. If
+     the host is running a Heimdal kcm daemon, caches served by the
+     daemon can be accessed with the KCM: cache type.
+ -   When built on macOS 10.7 and higher, use "KCM:" as the default
+     cachetype, unless overridden by command-line options or
+     krb5-config values.
+ -   Add support for doing unlocked database dumps for the DB2 KDC
+     back end, which would allow the KDC and kadmind to continue
+     accessing the database during lengthy database dumps.
+
+Release 1.14
+
+ * Administrator experience
+
+   - Add a new kdb5_util tabdump command to provide reporting-friendly
+     tabular dump formats (tab-separated or CSV) for the KDC database.
+     Unlike the normal dump format, each output table has a fixed number
+     of fields.  Some tables include human-readable forms of data that
+     are opaque in ordinary dump files.  This format is also suitable for
+     importing into relational databases for complex queries.
+   - Add support to kadmin and kadmin.local for specifying a single
+     command line following any global options, where the command
+     arguments are split by the shell--for example, "kadmin getprinc
+     principalname".  Commands issued this way do not prompt for
+     confirmation or display warning messages, and exit with non-zero
+     status if the operation fails.
+   - Accept the same principal flag names in kadmin as we do for the
+     default_principal_flags kdc.conf variable, and vice versa.  Also
+     accept flag specifiers in the form that kadmin prints, as well as
+     hexadecimal numbers.
+   - Remove the triple-DES and RC4 encryption types from the default
+     value of supported_enctypes, which determines the default key and
+     salt types for new password-derived keys.  By default, keys will
+     only created only for AES128 and AES256.  This mitigates some types
+     of password guessing attacks.
+   - Add support for directory names in the KRB5_CONFIG and
+     KRB5_KDC_PROFILE environment variables.
+   - Add support for authentication indicators, which are ticket
+     annotations to indicate the strength of the initial authentication.
+     Add support for the "require_auth" string attribute, which can be
+     set on server principal entries to require an indicator when
+     authenticating to the server.
+   - Add support for key version numbers larger than 255 in keytab files,
+     and for version numbers up to 65535 in KDC databases.
+   - Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
+     during pre-authentication, corresponding to the client's most
+     preferred encryption type.
+   - Add support for server name identification (SNI) when proxying KDC
+     requests over HTTPS.
+   - Add support for the err_fmt profile parameter, which can be used to
+     generate custom-formatted error messages.
+
+ * Developer experience:
+
+   - Change gss_acquire_cred_with_password() to acquire credentials into
+     a private memory credential cache.  Applications can use
+     gss_store_cred() to make the resulting credentials visible to other
+     processes.
+   - Change gss_acquire_cred() and SPNEGO not to acquire credentials for
+     IAKERB or for non-standard variants of the krb5 mechanism OID unless
+     explicitly requested.  (SPNEGO will still accept the Microsoft
+     variant of the krb5 mechanism OID during negotiation.)
+   - Change gss_accept_sec_context() not to accept tokens for IAKERB or
+     for non-standard variants of the krb5 mechanism OID unless an
+     acceptor credential is acquired for those mechanisms.
+   - Change gss_acquire_cred() to immediately resolve credentials if the
+     time_rec parameter is not NULL, so that a correct expiration time
+     can be returned.  Normally credential resolution is delayed until
+     the target name is known.
+   - Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
+     which can be used by plugin modules or applications to add prefixes
+     to existing detailed error messages.
+   - Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
+     implement the RFC 6113 PRF+ operation and key derivation using PRF+.
+   - Add support for pre-authentication mechanisms which use multiple
+     round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
+     code.  Add get_cookie() and set_cookie() callbacks to the kdcpreauth
+     interface; these callbacks can be used to save marshalled state
+     information in an encrypted cookie for the next request.
+   - Add a client_key() callback to the kdcpreauth interface to retrieve
+     the chosen client key, corresponding to the ETYPE-INFO2 entry sent
+     by the KDC.
+   - Add an add_auth_indicator() callback to the kdcpreauth interface,
+     allowing pre-authentication modules to assert authentication
+     indicators.
+   - Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
+     suppress sending the confidentiality and integrity flags in GSS
+     initiator tokens unless they are requested by the caller.  These
+     flags control the negotiated SASL security layer for the Microsoft
+     GSS-SPNEGO SASL mechanism.
+   - Make the FILE credential cache implementation less prone to
+     corruption issues in multi-threaded programs, especially on
+     platforms with support for open file description locks.
+
+ * Performance:
+
+   - On replica KDCs, poll the master KDC immediately after processing
+     a full resync, and do not require two full resyncs after the
+     master KDC's log file is reset.
+
+Release 1.15
+
+* Administrator experience:
+
+  - Add support to kadmin for remote extraction of current keys
+    without changing them (requires a special kadmin permission that
+    is excluded from the wildcard permission), with the exception of
+    highly protected keys.
+
+  - Add a lockdown_keys principal attribute to prevent retrieval of
+    the principal's keys (old or new) via the kadmin protocol.  In
+    newly created databases, this attribute is set on the krbtgt and
+    kadmin principals.
+
+  - Restore recursive dump capability for DB2 back end, so sites can
+    more easily recover from database corruption resulting from power
+    failure events.
+
+  - Add DNS auto-discovery of KDC and kpasswd servers from URI
+    records, in addition to SRV records.  URI records can convey TCP
+    and UDP servers and master KDC status in a single DNS lookup, and
+    can also point to HTTPS proxy servers.
+
+  - Add support for password history to the LDAP back end.
+
+  - Add support for principal renaming to the LDAP back end.
+
+  - Use the getrandom system call on supported Linux kernels to avoid
+    blocking problems when getting entropy from the operating system.
+
+* Code quality:
+
+  - Clean up numerous compilation warnings.
+
+  - Remove various infrequently built modules, including some preauth
+    modules that were not built by default.
+
+* Developer experience:
+
+  - Add support for building with OpenSSL 1.1.
+
+  - Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
+    authenticators in the replay cache.  This helps sites that must
+    build with FIPS 140 conformant libraries that lack MD5.
+
+* Protocol evolution:
+
+  - Add support for the AES-SHA2 enctypes, which allows sites to
+    conform to Suite B crypto requirements.
+
+Release 1.16
+
+* Administrator experience:
+
+  - The KDC can match PKINIT client certificates against the
+    "pkinit_cert_match" string attribute on the client principal
+    entry, using the same syntax as the existing "pkinit_cert_match"
+    profile option.
+
+  - The ktutil addent command supports the "-k 0" option to ignore the
+    key version, and the "-s" option to use a non-default salt string.
+
+  - kpropd supports a --pid-file option to write a pid file at
+    startup, when it is run in standalone mode.
+
+  - The "encrypted_challenge_indicator" realm option can be used to
+    attach an authentication indicator to tickets obtained using FAST
+    encrypted challenge pre-authentication.
+
+  - Localization support can be disabled at build time with the
+    --disable-nls configure option.
+
+* Developer experience:
+
+  - The kdcpolicy pluggable interface allows modules control whether
+    tickets are issued by the KDC.
+
+  - The kadm5_auth pluggable interface allows modules to control
+    whether kadmind grants access to a kadmin request.
+
+  - The certauth pluggable interface allows modules to control which
+    PKINIT client certificates can authenticate to which client
+    principals.
+
+  - KDB modules can use the client and KDC interface IP addresses to
+    determine whether to allow an AS request.
+
+  - GSS applications can query the bit strength of a krb5 GSS context
+    using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
+    gss_inquire_sec_context_by_oid().
+
+  - GSS applications can query the impersonator name of a krb5 GSS
+    credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
+    gss_inquire_cred_by_oid().
+
+  - kdcpreauth modules can query the KDC for the canonicalized
+    requested client principal name, or match a principal name against
+    the requested client principal name with canonicalization.
+
+* Protocol evolution:
+
+  - The client library will continue to try pre-authentication
+    mechanisms after most failure conditions.
+
+  - The KDC will issue trivially renewable tickets (where the
+    renewable lifetime is equal to or less than the ticket lifetime)
+    if requested by the client, to be friendlier to scripts.
+
+  - The client library will use a random nonce for TGS requests
+    instead of the current system time.
+
+  - For the RC4 string-to-key or PAC operations, UTF-16 is supported
+    (previously only UCS-2 was supported).
+
+  - When matching PKINIT client certificates, UPN SANs will be matched
+    correctly as UPNs, with canonicalization.
+
+* User experience:
+
+  - Dates after the year 2038 are accepted (provided that the platform
+    time facilities support them), through the year 2106.
+
+  - Automatic credential cache selection based on the client realm
+    will take into account the fallback realm and the service
+    hostname.
+
+  - Referral and alternate cross-realm TGTs will not be cached,
+    avoiding some scenarios where they can be added to the credential
+    cache multiple times.
+
+  - A German translation has been added.
+
+* Code quality:
+
+  - The build is warning-clean under clang with the configured warning
+    options.
+
+  - The automated test suite runs cleanly under AddressSanitizer.
+
+Release 1.17
+
+* Administrator experience:
+
+  - A new Kerberos database module using the Lightning Memory-Mapped
+    Database library (LMDB) has been added.  The LMDB KDB module
+    should be more performant and more robust than the DB2 module, and
+    may become the default module for new databases in a future
+    release.
+
+  - "kdb5_util dump" will no longer dump policy entries when specific
+    principal names are requested.
+
+* Developer experience:
+
+  - The new krb5_get_etype_info() API can be used to retrieve enctype,
+    salt, and string-to-key parameters from the KDC for a client
+    principal.
+
+  - The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
+    principal names to be used with GSS-API functions.
+
+  - KDC and kadmind modules which call com_err() will now write to the
+    log file in a format more consistent with other log messages.
+
+  - Programs which use large numbers of memory credential caches
+    should perform better.
+
+* Protocol evolution:
+
+  - The SPAKE pre-authentication mechanism is now supported.  This
+    mechanism protects against password dictionary attacks without
+    requiring any additional infrastructure such as certificates.
+    SPAKE is enabled by default on clients, but must be manually
+    enabled on the KDC for this release.
+
+  - PKINIT freshness tokens are now supported.  Freshness tokens can
+    protect against scenarios where an attacker uses temporary access
+    to a smart card to generate authentication requests for the
+    future.
+
+  - Password change operations now prefer TCP over UDP, to avoid
+    spurious error messages about replays when a response packet is
+    dropped.
+
+  - The KDC now supports cross-realm S4U2Self requests when used with
+    a third-party KDB module such as Samba's.  The client code for
+    cross-realm S4U2Self requests is also now more robust.
+
+* User experience:
+
+  - The new ktutil addent -f flag can be used to fetch salt
+    information from the KDC for password-based keys.
+
+  - The new kdestroy -p option can be used to destroy a credential
+    cache within a collection by client principal name.
+
+  - The Kerberos man page has been restored, and documents the
+    environment variables that affect programs using the Kerberos
+    library.
+
+* Code quality:
+
+  - Python test scripts now use Python 3.
+
+  - Python test scripts now display markers in verbose output, making
+    it easier to find where a failure occurred within the scripts.
+
+  - The Windows build system has been simplified and updated to work
+    with more recent versions of Visual Studio.  A large volume of
+    unused Windows-specific code has been removed.  Visual Studio 2013
+    or later is now required.
+
+`Pre-authentication mechanisms`
+
+- PW-SALT                                         :rfc:`4120#section-5.2.7.3`
+- ENC-TIMESTAMP                                   :rfc:`4120#section-5.2.7.2`
+- SAM-2
+- FAST negotiation framework   (release 1.8)      :rfc:`6113`
+- PKINIT with FAST on client   (release 1.10)     :rfc:`6113`
+- PKINIT                                          :rfc:`4556`
+- FX-COOKIE                                       :rfc:`6113#section-5.2`
+- S4U-X509-USER                (release 1.8)      https://msdn.microsoft.com/en-us/library/cc246091
+- OTP                          (release 1.12)     :ref:`otp_preauth`
+- SPAKE                        (release 1.17)     :ref:`spake`
+
+`PRNG`
+
+- modularity       (release 1.9)
+- Yarrow PRNG      (release < 1.10)
+- Fortuna PRNG     (release 1.9)       https://www.schneier.com/book-practical.html
+- OS PRNG          (release 1.10)      OS's native PRNG