add support for ML-DSA-* etc., various small fixes; C23 and OpenSSL 4.0 compat

[DDvO]

This adds
EVP_PKEY *KEY_new_ex(const char *spec, OPTIONAL OSSL_LIB_CTX *libctx, OPTIONAL const char *propq)
and defines KEY_new(spec) as KEY_new_ex(spec, NULL, NULL) for backward compatibility.

For OpenSSL 3.0+, a location of the form "tpm2:handle=0x" can be used for key generation within the tpm2-openssl provider.
For OpenSSL 3.5+, the spec parameter may now be a PQC algorithm name (and level), e.g.., "ML-DSA-65".

On this, occasion, due to Copilot review comment on credentials.c,
also fix find_update_cb() crash on NULL tag/description strings.

Moreover:

• for OpenSSL 4.0 compatibility, fix constness in cdp_util.{c,h} and crl_mgmt.c
• improve STORE_set1_host_ip() behavior on equal 'name' and 'ip' argument
• CREDENTIALS_print_cert_verify_cb(): fix output of expected IP address on mismatch
• improve CONN_IS_HTTP(S) and use it to replace respective occurrences of strncasecmp()
• conn.c,util.h: add UTIL_SKIP_SCHEME() and improve skip_scheme() using it
• basic.h: fix compatibility with C23, which provides true and false as keywords (also covered meanwhile by Fix Debian packaging #74)

[Copilot]

Pull request overview

This PR extends libsecutils key generation to support OpenSSL 3 provider-based algorithms (including ML-DSA-*), and introduces a new KEY_new_ex() API that can generate/provider-reference TPM2-held keys via a TPM2 persistent handle URI.

Changes:

• Add KEY_new_ex(spec, location, libctx) and redefine KEY_new() as a wrapper.
• Implement OpenSSL 3 provider-based key generation (name-based, plus TPM2 handle support).
• Adjust credential saving logic and docs to avoid trying to persist private keys that are not file-backed (engine/TPM2 handle).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
src/libsecutils/src/credentials/key.c	Adds provider-based keygen path (OpenSSL 3), TPM2 handle parsing, and expanded spec parsing.
src/libsecutils/src/credentials/credentials.c	Avoids attempting to save private key when key is a TPM2 handle URI.
src/libsecutils/include/secutils/util/util.h	Adds an OpenSSL < 3.0 compatibility typedef for OSSL_LIB_CTX.
src/libsecutils/include/secutils/credentials/key.h	Declares KEY_new_ex(), adds TPM2 handle prefix constant, and changes KEY_new to a macro wrapper.
src/libsecutils/include/secutils/credentials/credentials.h	Updates API docs to reflect provider/TPM2-handle save behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

src/libsecutils/src/credentials/credentials.c:348

• strcmp(key, certs) will dereference certs even when certs is NULL (this function allows certs to be optional as long as key is provided). This can crash when saving only a key. Consider guarding with key != NULL && certs != NULL && strcmp(...) == 0 (or restructuring) before calling FILES_get_format().

    file_format_t format = key not_eq 0 and strcmp(key, certs) is_eq 0 ? FILES_get_format(key) : FORMAT_PEM;
    bool res = FILES_store_credentials(pkey, creds->cert, creds->chain, key, certs, format, source, desc);

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

src/libsecutils/src/credentials/credentials.c:348

• certs is an OPTIONAL parameter, but this line unconditionally calls strcmp(key, certs) whenever key != 0. If certs == NULL (allowed by the API), this will dereference a null pointer and crash. Guard the comparison with certs != NULL (and only compute joint-file format when both are non-null).

    file_format_t format = key not_eq 0 and strcmp(key, certs) is_eq 0 ? FILES_get_format(key) : FORMAT_PEM;
    bool res = FILES_store_credentials(pkey, creds->cert, creds->chain, key, certs, format, source, desc);

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

src/libsecutils/src/credentials/credentials.c:350

• CREDENTIALS_save() computes format using strcmp(key, certs) without guarding against certs == NULL. Since the function allows certs to be NULL when saving only a key, this can dereference a NULL pointer when key != NULL. Please guard the comparison (e.g., require both key and certs to be non-NULL before calling strcmp) and consider setting key = NULL in the TPM2-handle case to avoid treating the handle string like a filename later in the function.

    if (key != NULL && HAS_PREFIX(key, SECUTILS_TPM2_HANDLE_PREFIX)) {
        /* key refers to TPM2 handle, so cannot save private key */
        if (creds->cert == NULL && creds->chain == NULL)
            goto update; /* well, though nothing is actually saved in this case */
        source = 0;
    } else if (source != NULL && strncmp(source, sec_ENGINE_STR, strlen(sec_ENGINE_STR)) == 0) {
        /* source refers to engine, so cannot save private key */
        source = 0;
    } else {
        pkey = creds->pkey;
    }

    file_format_t format = key not_eq 0 and strcmp(key, certs) is_eq 0 ? FILES_get_format(key) : FORMAT_PEM;
    bool res = FILES_store_credentials(pkey, creds->cert, creds->chain, key, certs, format, source, desc);

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 5 comments.

[DDvO]

@rajeev-0 as discussed yesterday,
I've removed (for the time being at least) the tentative special support of TPM2 handles during key creation,
which was ad-hoc and premature, not working as expected, and likely unrealistic.

[DDvO]

This PR is now in final shape for reviews.

[rajeev-0]

LGTM

[DDvO]

Ping @benjamin-schilling for review/approval

[DDvO]

Rebased on latest master, which lead to improving
debian/changelog: add entries and make sure lines are not too long

[benjamin-schilling]

only two minor topics, can be merged afterwards.

[benjamin-schilling]

is this still relevant or can it be deleted?

[DDvO]

I had added this TODO as a reminder for myself to complete it when doing the next release.
It is not yet fully done, as more changes are to be expected.

[benjamin-schilling]

why remove the <> for port and not for the others?

[DDvO]

Good spotting - I removed the < and > specifically for port
because, for some weird reason, Doxygen got confused by those.