./security/mbedtls3, Lightweight, modular cryptographic and SSL/TLS library (3.x branch)



Branch: CURRENT, Version: 3.4.0nb1, Package name: mbedtls3-3.4.0nb1, Maintainer: nia

mbed TLS (formerly known as PolarSSL) makes it trivially easy for
developers to include cryptographic and SSL/TLS capabilities in
their (embedded) products, facilitating this functionality with a
minimal coding footprint.

This contains major version 3 of the library, which is not backwards
compatible with version 2.


Master sites:

Filesize: 4777.402 KB

Version history:


CVS history:


   2023-08-14 07:25:36 by Thomas Klausner | Files touched by this commit (1247)
Log message:
*: recursive bump for Python 3.11 as new default
   2023-04-25 23:42:17 by Thomas Klausner | Files touched by this commit (1)
Log message:
mbedtls3: remove zlib option from bl3.mk as well
   2023-04-25 23:41:50 by Thomas Klausner | Files touched by this commit (2)
Log message:
mbedtls3: no zlib support since mbedtls 3.0, remove option
   2023-04-25 23:39:51 by Thomas Klausner | Files touched by this commit (4) | Package updated
Log message:
mbedtls3: update to 3.4.0.

= Mbed TLS 3.4.0 branch released 2023-03-28

Default behavior changes
   * The default priority order of TLS 1.3 cipher suites has been modified to
     follow the same rules as the TLS 1.2 cipher suites (see
     ssl_ciphersuites.c). The preferred cipher suite is now
     TLS_CHACHA20_POLY1305_SHA256.

New deprecations
   * mbedtls_x509write_crt_set_serial() is now being deprecated in favor of
     mbedtls_x509write_crt_set_serial_raw(). The goal here is to remove any
     direct dependency of X509 on BIGNUM_C.
   * PSA to mbedtls error translation is now unified in psa_util.h,
     deprecating mbedtls_md_error_from_psa. Each file that performs error
     translation should define its own version of PSA_TO_MBEDTLS_ERR,
     optionally providing file-specific error pairs. Please see psa_util.h for
     more details.

Features
   * Added partial support for parsing the PKCS #7 Cryptographic Message
     Syntax, as defined in RFC 2315. Currently, support is limited to the
     following:
     - Only the signed-data content type, version 1 is supported.
     - Only DER encoding is supported.
     - Only a single digest algorithm per message is supported.
     - Certificates must be in X.509 format. A message must have either 0
       or 1 certificates.
     - There is no support for certificate revocation lists.
     - The authenticated and unauthenticated attribute fields of SignerInfo
       must be empty.
     Many thanks to Daniel Axtens, Nayna Jain, and Nick Child from IBM for
     contributing this feature, and to Demi-Marie Obenour for contributing
     various improvements, tests and bug fixes.
   * General performance improvements by accessing multiple bytes at a time.
     Fixes #1666.
   * Improvements to use of unaligned and byte-swapped memory, reducing code
     size and improving performance (depending on compiler and target
     architecture).
   * Add support for reading points in compressed format
     (MBEDTLS_ECP_PF_COMPRESSED) with mbedtls_ecp_point_read_binary()
     (and callers) for Short Weierstrass curves with prime p where p = 3 mod 4
     (all mbedtls MBEDTLS_ECP_DP_SECP* and MBEDTLS_ECP_DP_BP* curves
      except MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1)
   * SHA224_C/SHA384_C are now independent from SHA384_C/SHA512_C respectively.
     This helps in saving code size when some of the above hashes are not
     required.
   * Add parsing of V3 extensions (key usage, Netscape cert-type,
     Subject Alternative Names) in x509 Certificate Sign Requests.
   * Use HOSTCC (if it is set) when compiling C code during generation of the
     configuration-independent files. This allows them to be generated when
     CC is set for cross compilation.
   * Add parsing of uniformResourceIdentifier subtype for subjectAltName
     extension in x509 certificates.
   * Add an interruptible version of sign and verify hash to the PSA interface,
     backed by internal library support for ECDSA signing and verification.
   * Add parsing of rfc822Name subtype for subjectAltName
     extension in x509 certificates.
   * The configuration macros MBEDTLS_PSA_CRYPTO_PLATFORM_FILE and
     MBEDTLS_PSA_CRYPTO_STRUCT_FILE specify alternative locations for
     the headers "psa/crypto_platform.h" and "psa/crypto_struct.h".
   * When a PSA driver for ECDSA is present, it is now possible to disable
     MBEDTLS_ECDSA_C in the build in order to save code size. For PK, X.509
     and TLS to fully work, this requires MBEDTLS_USE_PSA_CRYPTO to be enabled.
     Restartable/interruptible ECDSA operations in PK, X.509 and TLS are not
     supported in those builds yet, as driver support for interruptible ECDSA
     operations is not present yet.
   * Add a driver dispatch layer for EC J-PAKE, enabling alternative
     implementations of EC J-PAKE through the driver entry points.
   * Add new API mbedtls_ssl_cache_remove for cache entry removal by
     its session id.
   * Add support to include the SubjectAltName extension to a CSR.
   * Add support for AES with the Armv8-A Cryptographic Extension on
     64-bit Arm. A new configuration option, MBEDTLS_AESCE_C, can
     be used to enable this feature. Run-time detection is supported
     under Linux only.
   * When a PSA driver for EC J-PAKE is present, it is now possible to disable
     MBEDTLS_ECJPAKE_C in the build in order to save code size. For the
     corresponding TLS 1.2 key exchange to work, MBEDTLS_USE_PSA_CRYPTO needs
     to be enabled.
   * Add functions mbedtls_rsa_get_padding_mode() and mbedtls_rsa_get_md_alg()
     to read non-public fields for padding mode and hash id from
     an mbedtls_rsa_context, as requested in #6917.
   * AES-NI is now supported with Visual Studio.
   * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
     is disabled, when compiling with GCC or Clang or a compatible compiler
     for a target CPU that supports the requisite instructions (for example
     gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
     compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)
   * It is now possible to use a PSA-held (opaque) password with the TLS 1.2
     ECJPAKE key exchange, using the new API function
     mbedtls_ssl_set_hs_ecjpake_password_opaque().

Security
   * Use platform-provided secure zeroization function where possible, such as
     explicit_bzero().
   * Zeroize SSL cache entries when they are freed.
   * Fix a potential heap buffer overread in TLS 1.3 client-side when
     MBEDTLS_DEBUG_C is enabled. This may result in an application crash.
   * Add support for AES with the Armv8-A Cryptographic Extension on 64-bit
     Arm, so that these systems are no longer vulnerable to timing side-channel
     attacks. This is configured by MBEDTLS_AESCE_C, which is on by default.
     Reported by Demi Marie Obenour.
   * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
     builds that couldn't compile the GCC-style assembly implementation
     (most notably builds with Visual Studio), leaving them vulnerable to
     timing side-channel attacks. There is now an intrinsics-based AES-NI
     implementation as a fallback for when the assembly one cannot be used.

Bugfix
   * Fix possible integer overflow in mbedtls_timing_hardclock(), which
     could cause a crash in programs/test/benchmark.
   * Fix IAR compiler warnings. Fixes #6924.
   * Fix a bug in the build where directory names containing spaces were
     causing generate_errors.pl to error out resulting in a build failure.
     Fixes issue #6879.
   * In TLS 1.3, when using a ticket for session resumption, tweak its age
     calculation on the client side. It prevents a server with more accurate
     ticket timestamps (typically timestamps in milliseconds) compared to the
     Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
     than the age computed and transmitted by the client and thus potentially
     reject the ticket. Fix #6623.
   * Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
     defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
   * List PSA_WANT_ALG_CCM_STAR_NO_TAG in psa/crypto_config.h so that it can
     be toggled with config.py.
   * The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
     used on a shared secret from a key agreement since its input must be
     an ECC public key. Reject this properly.
   * mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
     whose binary representation is longer than 20 bytes. This was already
     forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
     enforced also at code level.
   * Fix potential undefined behavior in mbedtls_mpi_sub_abs().  Reported by
     Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
     Aaron Ucko under Valgrind.
   * Fix behavior of certain sample programs which could, when run with no
     arguments, access uninitialized memory in some cases. Fixes #6700 (which
     was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
   * Fix parsing of X.509 SubjectAlternativeName extension. Previously,
     malformed alternative name components were not caught during initial
     certificate parsing, but only on subsequent calls to
     mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
   * Make the fields of mbedtls_pk_rsassa_pss_options public. This makes it
     possible to verify RSA PSS signatures with the pk module, which was
     inadvertently broken since Mbed TLS 3.0.
   * Fix bug in conversion from OID to string in
     mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
     correctly.
   * Reject OIDs with overlong-encoded subidentifiers when converting
     them to a string.
   * Reject OIDs with subidentifier values exceeding UINT_MAX.  Such
     subidentifiers can be valid, but Mbed TLS cannot currently handle them.
   * Reject OIDs that have unterminated subidentifiers, or (equivalently)
     have the most-significant bit set in their last byte.
   * Silence warnings from clang -Wdocumentation about empty \retval
     descriptions, which started appearing with Clang 15. Fixes #6960.
   * Fix the handling of renegotiation attempts in TLS 1.3. They are now
     systematically rejected.
   * Fix an unused-variable warning in TLS 1.3-only builds if
     MBEDTLS_SSL_RENEGOTIATION was enabled. Fixes #6200.
   * Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
     len argument is 0 and buffer is NULL.
   * Allow setting user and peer identifiers for EC J-PAKE operation
     instead of role in PAKE PSA Crypto API as described in the specification.
     This is a partial fix that allows only "client" and "server" identifiers.
   * Fix a compilation error when PSA Crypto is built with support for
     TLS12_PRF but not TLS12_PSK_TO_MS. Reported by joerchan in #7125.
   * In the TLS 1.3 server, select the preferred client cipher suite, not the
     least preferred. The selection error was introduced in Mbed TLS 3.3.0.
   * Fix TLS 1.3 session resumption when the established pre-shared key is
     384 bits long. That is the length of pre-shared keys created under a
     session where the cipher suite is TLS_AES_256_GCM_SHA384.
   * Fix an issue when compiling with MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
     enabled, which required specifying compiler flags enabling SHA3 Crypto
     Extensions, where some compilers would emit EOR3 instructions in other
     modules, which would then fail if run on a CPU without the SHA3
     extensions. Fixes #5758.

Changes
   * Install the .cmake files into CMAKE_INSTALL_LIBDIR/cmake/MbedTLS,
     typically /usr/lib/cmake/MbedTLS.
   * Mixed-endian systems are explicitly not supported any more.
   * When MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_ECDSA_DETERMINISTIC are both
     defined, mbedtls_pk_sign() now uses deterministic ECDSA for ECDSA
     signatures. This aligns the behaviour with MBEDTLS_USE_PSA_CRYPTO with
     the behaviour without it, where deterministic ECDSA was already used.
   * Visual Studio: Rename the directory containing Visual Studio files from
     visualc/VS2010 to visualc/VS2013 as we do not support building with versions
     older than 2013. Update the solution file to specify VS2013 as a minimum.
   * programs/x509/cert_write:
     - now it accepts the serial number in 2 different formats: decimal and
       hex. They cannot be used simultaneously.
     - "serial" is used for the decimal format and it's limited in size to
       unsigned long long int
     - "serial_hex" is used for the hex format; max length here is
       MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN*2
   * The C code follows a new coding style. This is transparent for users but
     affects contributors and maintainers of local patches. For more
     information, see
     https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
   * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
     As tested in issue 6790, the correlation between this define and
     RSA decryption performance has changed lately due to security fixes.
     To fix the performance degradation when using default values the
     window was reduced from 6 to 2, a value that gives the best or close
     to best results when tested on Cortex-M4 and Intel i7.
   * When enabling MBEDTLS_SHA256_USE_A64_CRYPTO_* or
     MBEDTLS_SHA512_USE_A64_CRYPTO_*, it is no longer necessary to specify
     compiler target flags on the command line; the library now sets target
     options within the appropriate modules.

= Mbed TLS 3.3.0 branch released 2022-12-14

Default behavior changes
   * Previously the macro MBEDTLS_SSL_DTLS_CONNECTION_ID implemented version 05
     of the IETF draft, and was marked experimental and disabled by default.
     It is now no longer experimental, and implements the final version from
     RFC 9146, which is not interoperable with the draft-05 version.
     If you need to communicate with peers that use earlier versions of
     Mbed TLS, then you need to define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
     to 1, but then you won't be able to communicate with peers that use the
     standard (non-draft) version.
     If you need to interoperate with both classes of peers with the
     same build of Mbed TLS, please let us know about your situation on the
     mailing list or GitHub.

Requirement changes
   * When building with PSA drivers using generate_driver_wrappers.py, or
     when building the library from the development branch rather than
     from a release, the Python module jsonschema is now necessary, in
     addition to jinja2. The official list of required Python modules is
     maintained in scripts/basic.requirements.txt and may change again
     in the future.

New deprecations
   * Deprecate mbedtls_asn1_free_named_data().
     Use mbedtls_asn1_free_named_data_list()
     or mbedtls_asn1_free_named_data_list_shallow().

Features
   * Support rsa_pss_rsae_* signature algorithms in TLS 1.2.
   * make: enable building unversioned shared library, with e.g.:
     "SHARED=1 SOEXT_TLS=so SOEXT_X509=so SOEXT_CRYPTO=so make lib"
     resulting in library names like "libmbedtls.so" rather than
     "libmbedcrypto.so.11".
   * Expose the EC J-PAKE functionality through the Draft PSA PAKE Crypto API.
     Only the ECC primitive with secp256r1 curve and SHA-256 hash algorithm
     are supported in this implementation.
   * Some modules can now use PSA drivers for hashes, including with no
     built-in implementation present, but only in some configurations.
     - RSA OAEP and PSS (PKCS#1 v2.1), PKCS5, PKCS12 and EC J-PAKE now use
       hashes from PSA when (and only when) MBEDTLS_MD_C is disabled.
     - PEM parsing of encrypted files now uses MD-5 from PSA when (and only
       when) MBEDTLS_MD5_C is disabled.
     See the documentation of the corresponding macros in mbedtls_config.h for
     details.
     Note that some modules are not able to use hashes from PSA yet, including
     the entropy module. As a consequence, for now the only way to build with
     all hashes only provided by drivers (no built-in hash) is to use
     MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
   * When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 now
     properly negotiate/accept hashes based on their availability in PSA.
     As a consequence, they now work in configurations where the built-in
     implementations of (some) hashes are excluded and those hashes are only
     provided by PSA drivers. (See previous entry for limitation on RSA-PSS
     though: that module only uses hashes from PSA when MBEDTLS_MD_C is off).
   * Add support for opaque keys as the private keys associated to certificates
     for authentication in TLS 1.3.
   * Add the LMS post-quantum-safe stateful-hash asymmetric signature scheme.
     Signature verification is production-ready, but generation is for testing
     purposes only. This currently only supports one parameter set
     (LMS_SHA256_M32_H10), meaning that each private key can be used to sign
     1024 messages. As such, it is not intended for use in TLS, but instead
     for verification of assets transmitted over an insecure channel,
     particularly firmware images.
   * Add the LM-OTS post-quantum-safe one-time signature scheme, which is
     required for LMS. This can be used independently, but each key can only
     be used to sign one message so is impractical for most circumstances.
   * Mbed TLS now supports TLS 1.3 key establishment via pre-shared keys.
     The pre-shared keys can be provisioned externally or via the ticket
     mechanism (session resumption).
     The ticket mechanism is supported when the configuration option
     MBEDTLS_SSL_SESSION_TICKETS is enabled.
     New options MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx_ENABLED
     control the support for the three possible TLS 1.3 key exchange modes.
   * cert_write: support for setting extended key usage attributes. A
     corresponding new public API call has been added in the library,
     mbedtls_x509write_crt_set_ext_key_usage().
   * cert_write: support for writing certificate files in either PEM
     or DER format.
   * The PSA driver wrapper generator generate_driver_wrappers.py now
     supports a subset of the driver description language, including
     the following entry points: import_key, export_key, export_public_key,
     get_builtin_key, copy_key.
   * The new functions mbedtls_asn1_free_named_data_list() and
     mbedtls_asn1_free_named_data_list_shallow() simplify the management
     of memory in named data lists in X.509 structures.
   * The TLS 1.2 EC J-PAKE key exchange can now use the PSA Crypto API.
     Additional PSA key slots will be allocated in the process of such key
     exchange for builds that enable MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED and
     MBEDTLS_USE_PSA_CRYPTO.
   * Add support for DTLS Connection ID as defined by RFC 9146, controlled by
     MBEDTLS_SSL_DTLS_CONNECTION_ID (enabled by default) and configured with
     mbedtls_ssl_set_cid().
   * Add a driver dispatch layer for raw key agreement, enabling alternative
     implementations of raw key agreement through the key_agreement driver
     entry point. This entry point is specified in the proposed PSA driver
     interface, but had not yet been implemented.
   * Add an ad-hoc key derivation function handling EC J-PAKE to PMS
     calculation that can be used to derive the session secret in TLS 1.2,
     as described in draft-cragie-tls-ecjpake-01. This can be achieved by
     using PSA_ALG_TLS12_ECJPAKE_TO_PMS as the key derivation algorithm.

Security
   * Fix potential heap buffer overread and overwrite in DTLS if
     MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
     MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
   * Fix an issue where an adversary with access to precise enough information
     about memory accesses (typically, an untrusted operating system attacking
     a secure enclave) could recover an RSA private key after observing the
     victim performing a single private-key operation if the window size used
     for the exponentiation was 3 or smaller. Found and reported by Zili KOU,
     Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
     and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
     and Test in Europe 2023.

Bugfix
   * Refactor mbedtls_aes_context to support shallow-copying. Fixes #2147.
   * Fix an issue with in-tree CMake builds in releases with GEN_FILES
     turned off: if a shipped file was missing from the working directory,
     it could be turned into a symbolic link to itself.
   * Fix a long-standing build failure when building x86 PIC code with old
     gcc (4.x). The code will be slower, but will compile. We do however
     recommend upgrading to a more recent compiler instead. Fixes #1910.
   * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
     Contributed by Kazuyuki Kimura to fix #2020.
   * Use double quotes to include private header file psa_crypto_cipher.h.
     Fixes 'file not found with <angled> include' error
     when building with Xcode.
   * Fix handling of broken symlinks when loading certificates using
     mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
     broken link is encountered, skip the broken link and continue parsing
     other certificate files. Contributed by Eduardo Silva in #2602.
   * Fix an interoperability failure between an Mbed TLS client with both
     TLS 1.2 and TLS 1.3 support, and a TLS 1.2 server that supports
     rsa_pss_rsae_* signature algorithms. This failed because Mbed TLS
     advertised support for PSS in both TLS 1.2 and 1.3, but only
     actually supported PSS in TLS 1.3.
   * Fix a compilation error when using CMake with an IAR toolchain.
     Fixes #5964.
   * Fix a build error due to a missing prototype warning when
     MBEDTLS_DEPRECATED_REMOVED is enabled.
   * Fix mbedtls_ctr_drbg_free() on an initialized but unseeded context. When
     MBEDTLS_AES_ALT is enabled, it could call mbedtls_aes_free() on an
     uninitialized context.
   * Fix a build issue on Windows using CMake where the source and build
     directories could not be on different drives. Fixes #5751.
   * Fix bugs and missing dependencies when building and testing
     configurations with only one encryption type enabled in TLS 1.2.
   * Provide the missing definition of mbedtls_setbuf() in some configurations
     with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.
   * Fix compilation errors when trying to build with
     PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
   * Fix memory leak in ssl_parse_certificate_request() caused by
     mbedtls_x509_get_name() not freeing allocated objects in case of error.
     Change mbedtls_x509_get_name() to clean up allocated objects on error.
   * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
     MBEDTLS_USE_PSA_CRYPTO or MBEDTLS_PK_WRITE_C. Fixes #6408.
   * Fix build failure with MBEDTLS_RSA_C and MBEDTLS_PSA_CRYPTO_C but not
     MBEDTLS_PK_PARSE_C. Fixes #6409.
   * Fix ECDSA verification, where it was not always validating the
     public key. This bug meant that it was possible to verify a
     signature with an invalid public key, in some cases. Reported by
     Guido Vranken using Cryptofuzz in #4420.
   * Fix a possible null pointer dereference if a memory allocation fails
     in TLS PRF code. Reported by Michael Madsen in #6516.
   * Fix TLS 1.3 session resumption. Fixes #6488.
   * Add a configuration check to exclude optional client authentication
     in TLS 1.3 (where it is forbidden).
   * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
     bytes when parsing certificates containing a binary RFC 4108
     HardwareModuleName as a Subject Alternative Name extension. Hardware
     serial numbers are now rendered in hex format. Fixes #6262.
   * Fix bug in error reporting in dh_genprime.c where upon failure,
     the error code returned by mbedtls_mpi_write_file() is overwritten
     and therefore not printed.
   * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
     with A > 0 created an unintended representation of the value 0 which was
     not processed correctly by some bignum operations. Fix this. This had no
     consequence on cryptography code, but might affect applications that call
     bignum directly and use negative numbers.
   * Fix a bug whereby the list of signature algorithms sent as part of
     the TLS 1.2 server certificate request would get corrupted, meaning the
     first algorithm would not get sent and an entry consisting of two random
     bytes would be sent instead. Found by Serban Bejan and Dudek Sebastian.
   * Fix undefined behavior (typically harmless in practice) of
     mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
     when both operands are 0 and the left operand is represented with 0 limbs.
   * Fix undefined behavior (typically harmless in practice) when some bignum
     functions receive the most negative value of mbedtls_mpi_sint. Credit
     to OSS-Fuzz. Fixes #6597.
   * Fix undefined behavior (typically harmless in practice) in PSA ECB
     encryption and decryption.
   * Move some SSL-specific code out of libmbedcrypto where it had been placed
     accidentally.
   * Fix a build error when compiling the bignum module for some Arm platforms.
     Fixes #6089, #6124, #6217.

Changes
   * Add the ability to query PSA_WANT_xxx macros to query_compile_time_config.
   * Calling AEAD tag-specific functions for non-AEAD algorithms (which
     should not be done - they are documented for use only by AES-GCM and
     ChaCha20+Poly1305) now returns MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
     instead of success (0).
   2023-01-24 19:36:36 by Thomas Klausner | Files touched by this commit (103)
Log message:
*: convert to cmake/build.mk
   2022-08-11 08:49:16 by Thomas Klausner | Files touched by this commit (6)
Log message:
security/mbedtls3: import mbedtls3-3.2.1

mbed TLS (formerly known as PolarSSL) makes it trivially easy for
developers to include cryptographic and SSL/TLS capabilities in
their (embedded) products, facilitating this functionality with a
minimal coding footprint.

This contains major version 3 of the library, which is not backwards
compatible with version 2.