Update PQC Draft to Version 12

[TJ-91]

This PR updates to the newest PQC draft version, and adds/fixes some RFC 9580 functionality. The PR replaces #2287. The PQC draft can be seen as stable now since it has passed Working Group Last Call recently.

The most prominent changes are:

V6 / RFC 9580

• correctly implement v6 salt for document signatures (was only properly working for key signatures before)
  • change HashList for use with salt
  • implement v6 OPS with salt
  • gracefully fail when verifying v6 cleartext signatures by skipping them. Due to the salt that is detected at the end, two passes are required which requires further changes to the code.
• add Ed448 and X448 standalone algorithms

PQC

• update Kyber, Dilithium and Sphincs+ to final PQC NIST algorithms: ML-KEM, ML-DSA, SLH-DSA
• update to PQC draft version 12:
  • add X448 and Ed448 for composite PQC combinations
  • implement SHA3 KEM Combiner (replaces KMAC)
  • remove Sphincsplus/SLH-DSA parametrization
  • implement tests / test vectors
  • seed format for ML-KEM/ML-DSA private keys
• also update to use the new codepoints in the upcoming draft-ietf-openpgp-nist-bp-comp-02

Further Code Changes

• PQC code is not independent from Crypto Refresh / RFC9580 any more and thus ENABLE_CRYPTO_REFRESH is required for ENABLE_PQC This is changed again in newer commits to allow MLKEM768+X25519 for v4 keys without compiling the crypto refresh code.
• ENABLE_CRYPTO_REFRESH and ENABLE_PQC now requires Botan 3.6.
  • Ed448/X448 only available from 3.4
  • PQC final NIST standards available from Botan 3.6
  • Supporting partial features from lower Botan versions would mean to either have lots of deprecation warnings or have special code for the different versions.
• Since RIPEMD is also deprecated in RFC 9580, I added a Security Rule that marks it insecure like SHA1 if CRYPTO_REFRESH_ENABLED is true.
  • I don't know what date would be most appropriate though

---

@ni4 since I had to rebase a lot and fixed some stuff only at the end of the rebasing, the history is not perfectly intact. Please tell me if you prefer to keep the commits anyway or whether I should squash them into a single commit. I hope I did not mess anything up when rebasing.

As next steps I would like to rebase the other PRs #2296 and #2207 (that is considerably less code than in this PR).

[codecov]

Codecov Report

❌ Patch coverage is 94.00000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.46%. Comparing base (0d5c2b9) to head (e1af516).

Files with missing lines	Patch %	Lines
src/lib/crypto/signatures.cpp	0.00%	1 Missing ⚠️
src/librepgp/stream-packet.cpp	93.33%	1 Missing ⚠️
src/librepgp/stream-sig.cpp	83.33%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2355      +/-   ##
==========================================
- Coverage   85.46%   85.46%   -0.01%     
==========================================
  Files         126      126              
  Lines       22713    22731      +18     
==========================================
+ Hits        19411    19426      +15     
- Misses       3302     3305       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[TJ-91]

@ni4 3 checks fail due to the Botan version (3.6.0 required now). I suppose the images can easily be changed (or alternatively RFC95080/PQC disabled) in the corresponding yml files. I'm not familiar with your CI/CD setup, therefore I think someone else should do the necessary changes.