[openssl/openssl] 836080: Support all five EdDSA instances from RFC 8032

[James Muir]

  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: 836080a89a1f5e45dac4e0df76b9270587f65d5b
      https://github.com/openssl/openssl/commit/836080a89a1f5e45dac4e0df76b9270587f65d5b
  Author: James Muir <muir.james.a at gmail.com>
  Date:   2023-01-13 (Fri, 13 Jan 2023)

  Changed paths:
    M crypto/ec/curve25519.c
    M crypto/ec/curve448/curve448_local.h
    M crypto/ec/curve448/eddsa.c
    M crypto/ec/ecx_meth.c
    M doc/man7/EVP_SIGNATURE-ED25519.pod
    M include/crypto/ecx.h
    M include/openssl/core_names.h
    M providers/implementations/signature/eddsa_sig.c
    M test/curve448_internal_test.c
    M test/recipes/30-test_evp_data/evppkey_ecx.txt

  Log Message:
  -----------
  Support all five EdDSA instances from RFC 8032

Fixes #6277

Description:
Make each of the five EdDSA instances defined in RFC 8032 -- Ed25519,
Ed25519ctx, Ed25519ph, Ed448, Ed448ph -- available via the EVP APIs.

The desired EdDSA instance is specified via an OSSL_PARAM.

All instances, except for Ed25519, allow context strings as input.
Context strings are passed via an OSSL_PARAM.  For Ed25519ctx, the
context string must be nonempty.

Ed25519, Ed25519ctx, Ed448 are PureEdDSA instances, which means that
the full message (not a digest) must be passed to sign and verify
operations.

Ed25519ph, Ed448ph are HashEdDSA instances, which means that the input
message is hashed before sign and verify.

Testing:
All 21 test vectors from RFC 8032 have been added to evppkey_ecx.txt
(thanks to Shane Lontis for showing how to do that).  Those 21 test
vectors are exercised by evp_test.c and cover all five instances.

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19705)