Fixing OpenSSL SHA2 incremental API integration

[baentsch]

Possibly fixes open-quantum-safe/oqs-provider#168. Fixes issues in #1420.

• Corrects SHA2 API documentation
• Checks all SHA2 OpenSSL API return values
• Fixes SHA384 and SHA512 incremental API implementations
• Corrects testing for these APIs
• Enhances test vectors to avoid re-occurrence of problem

• [yes] Does this PR change the input/output behaviour of a cryptographic algorithm (i.e., does it change known answer test values)? (If so, a version bump will be required from x.y.z to x.(y+1).0.)
• [no] Does this PR change the list of algorithms available -- either adding, removing, or renaming? Does this PR otherwise change an API? (If so, PRs in oqs-provider, OQS-OpenSSL, OQS-BoringSSL, and OQS-OpenSSH will also need to be ready for review and merge by the time this is merged.)

[beldmit]

As we prefetch objects, it's probably worth exiting in case on initialization failure?

[baentsch]

As we prefetch objects, it's probably worth exiting in case on initialization failure?

Good point. And while we're at it, initialize only those objects that we'll also need (depending on OQS_USE_XYZ_OPENSSL).

[beldmit]

In theory, the problem is we need only some openssl-provided implementations for a particular application. So lack of SHA3 hashes shouldn't stop using SHA2.

[baentsch]

@xvzcf This PR should also encompass the things you had looked into as per our conversation yesterday, right? So, if OK, please approve this PR and as discussed instead focus on the AVX2 issue(s?) in #1420 (and/or let me know if I should take a look at that): Thanks in advance.

[baentsch]

In theory, the problem is we need only some openssl-provided implementations for a particular application. So lack of SHA3 hashes shouldn't stop using SHA2.

Agreed. Is anything in this PR precluding this?

[beldmit]

I don't know.
In the ideal world there should be, e.g., fallback to a native implementation (as you definitely have it), but then it becomes a mess from a certification point of view. Another option is introduction of bit flags (I want AES and SHA3, SHA2 is not necessary) as a parameter of the init function.

[baentsch]

then it becomes a mess from a certification point of view

Let's cross that bridge as and if we reach it.

[xvzcf]

Can you rename this file to test_sha2.c? I think that's more clearer than test_hash.c

[baentsch]

This file name was not my choice. It's also embedded in test scripts. Are you sure you want this? Let's hope nobody else relies on this name...

[dstebila]

Let's keep it as test_hash.c; in principal one could add other hash algorithms to it. And in some sense, it does behave differently than test_aes.c and test_sha3.c: the AES and SHA-3 ones test against internal specified test vectors, where as test_hash.c just computes the hash of the supplied input which needs to be externally checked against another implementation or test vector.

[baentsch]

As per Douglas' comment above, left unchanged in 5f8d02c

[dstebila]

Would there be any value in setting state->ctx = NULL after this as a precaution against double frees?

[baentsch]

so changed in 5f8d02c

[dstebila]

I'm okay to merge this.

[baentsch]

@xvzcf : Merge is currently blocked by your feedback. Please mark change requests/conversations as resolved or provide explicit approval.