Add SPAKE preauth support

Add SPAKE preauth support

This is an implementation of draft-ietf-kitten-krb-spake-preauth-05.
SPAKE preauth authenticates using the client principal long-term key,
but protects against offline dictionary attacks.

SPAKE preauth negotiates a group for use by the SPAKE2 algorithm.  The
edwards25519 group is implemented using code adapted from BoringSSL.
The P-256, P-384, and P-521 groups are implemented against OpenSSL.
edwards25519 is enabled by default on the client; no groups are
enabled by default on the KDC.

SPAKE preauth can also include a second factor.  Second factor support
isn't included in this implementation; comments have been left to
indicate what should change when it is added in.

Integration tests (tests/t_spake.py) are included with good coverage
of the negotiation scenarios.

Test vectors from the draft are checked against the group's "result"
operation.  The "keygen" operation is inherently random and is
therefore not tested against the vectors, but is effectively exercised
by the integration tests.

KDC optimistic challenge is implemented.  In the future we should
implement client optimistic SPAKE as well; this will require changes
to the generic client preauth framework.

In the future we should add per-realm configuration to deny encrypted
timestamp and encrypted challenge on a per-realm basis.  This
configuration should stick across client realm referrals.

In the future we should avoid attempting encrypting timestamp or
encrypted challenge if the KDC replies to a single-factor
SPAKEResponse message with PREAUTH_FAILED.  This will require a change
to the generic client preauth framework.

In the future we should make SPAKE support apply to the Windows build,
either by adding support for building plugin DLLs or by moving the
edwards25519 and client code to libkrb5.

[npmccallum@redhat.com: split up internal headers; split out group
registry contents; implemented P-384 and P-521]

ticket: 8647 (new)