Merge branch 'development' into development-restricted

* development: (236 commits)
  Changing the key length to 32 bytes in one of the PSA cipher setup tests
  Removal of RC4 certs and fixes to docs and tests
  Fix fd range for select on Windows
  Refactor file descriptor checks into a common function
  Removing global variable and moving variant function comment block
  Fix typo in doc'n of session resumption API
  Code review fixes
  Fix warning in some configurations
  Fix cmake build of fuzz_privkey
  Fix async support in ssl_server2
  Improve ChangeLog and migration guide entries
  Use a proper DRBG in programs
  Use the dedicated dummy_random in fuzzing programs
  Fix cmake build of programs
  Add ChangeLog and migration guide entries
  Simplify internal code
  Remove "internal RNG" code from ECP
  Remove config option MBEDTLS_ECP_NO_INTERNAL_RNG
  Add RNG params to private key parsing
  Add RNG parameter to check_pair functions
  ...

ChangeLog.d/alt-context-relaxation.txt

@@ -0,0 +1,6 @@
+Features
+   * Alternative implementations of the AES, DHM, ECJPAKE, ECP, RSA and timing
+     modules had undocumented constraints on their context types. These
+     constraints have been relaxed.
+     See docs/architecture/alternative-implementations.md for the remaining
+     constraints.

ChangeLog.d/dhm-fields.txt

@@ -0,0 +1,9 @@
+Features
+   * The new functions mbedtls_dhm_get_len() and mbedtls_dhm_get_bitlen()
+     query the size of the modulus in a Diffie-Hellman context.
+   * The new function mbedtls_dhm_get_value() copy a field out of a
+     Diffie-Hellman context.
+
+API changes
+   * Instead of accessing the len field of a DHM context, which is no longer
+     supported, use the new function mbedtls_dhm_get_len() .

ChangeLog.d/ecjpake-point_format.txt

@@ -0,0 +1,4 @@
+Features
+   * Use the new function mbedtls_ecjpake_set_point_format() to select the
+     point format for ECJPAKE instead of accessing the point_format field
+     directly, which is no longer supported.

ChangeLog.d/ecp_max_bits.txt

@@ -0,0 +1,3 @@
+Removals
+   * MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it is
+     now determined automatically based on supported curves.

ChangeLog.d/fix-ssl-cf-hmac-alt.txt

@@ -0,0 +1,5 @@
+Bugfix
+   * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
+     (when the encrypt-then-MAC extension is not in use) with some ALT
+     implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
+     the affected side to wrongly reject valid messages. Fixes #4118.

ChangeLog.d/issue4083.txt

@@ -0,0 +1,4 @@
+Removals
+    * Remove the following functions: mbedtls_timing_self_test(),
+      mbedtls_hardclock_poll(), mbedtls_timing_hardclock() and
+      mbedtls_set_alarm(). Fixes #4083.

ChangeLog.d/issue4084.txt

@@ -0,0 +1,4 @@
+Removals
+    * Remove all support for MD2, MD4, RC4, Blowfish and XTEA. This removes the
+      corresponding modules and all their APIs and related configuration
+      options. Fixes #4084.

ChangeLog.d/issue4212.txt

@@ -0,0 +1,6 @@
+API changes
+   * In modules that implement cryptographic hash functions, many functions
+     mbedtls_xxx() now return int instead of void, and the corresponding
+     function mbedtls_xxx_ret() which was identical except for returning int
+     has been removed. This also concerns mbedtls_xxx_drbg_update(). See the
+     migration guide for more information. Fixes #4212.

ChangeLog.d/issue4286.txt

@@ -1,11 +1,10 @@
 Removals
-   * Remove the TLS 1.0, TLS 1.1 and DTLS 1.0 support by removing the following
-     library constants: MBEDTLS_SSL_PROTO_TLS1,
-     MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING,
-     MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED,
-     MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED,
-     MBEDTLS_SSL_FALLBACK_SCSV, MBEDTLS_SSL_FALLBACK_SCSV_VALUE,
-     MBEDTLS_SSL_IS_FALLBACK, MBEDTLS_SSL_IS_NOT_FALLBACK, and functions:
+   * Remove support for TLS 1.0, TLS 1.1 and DTLS 1.0, as well as support for
+     CBC record splitting, fallback SCSV, and the ability to configure
+     ciphersuites per version, which are no longer relevant. This removes the
+     configuration options MBEDTLS_SSL_PROTO_TLS1,
+     MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING and
+     MBEDTLS_SSL_FALLBACK_SCSV as well as the functions
      mbedtls_ssl_conf_cbc_record_splitting(),
-     mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback().
-     Fixes #4286.
+     mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(),
+     and mbedtls_ssl_conf_ciphersuites_for_version(). Fixes #4286.

ChangeLog.d/issue4313.txt

@@ -0,0 +1,4 @@
+Removals
+   * Remove the following macros: MBEDTLS_CHECK_PARAMS,
+     MBEDTLS_CHECK_PARAMS_ASSERT, MBEDTLS_PARAM_FAILED,
+     MBEDTLS_PARAM_FAILED_ALT. Fixes #4313.

ChangeLog.d/issue4378.txt

@@ -0,0 +1,4 @@
+Removals
+   * Remove the  MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
+     option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
+     migration path. Fixes #4378.

ChangeLog.d/issue4398.txt

@@ -0,0 +1,3 @@
+API changes
+    * Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime
+      configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398.

ChangeLog.d/issue4405.txt

@@ -0,0 +1,4 @@
+Removals
+    * Remove the MBEDTLS_X509_CHECK_KEY_USAGE and
+      MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE config.h options and let the code
+      behave as if they were always enabled. Fixes #4405.

ChangeLog.d/mandatory-rng-param.txt

@@ -0,0 +1,14 @@
+API changes
+   * For all functions that take a random number generator (RNG) as a
+     parameter, this parameter is now mandatory (that is, NULL is not an
+     acceptable value). Functions which previously accepted NULL and now
+     reject it are: the X.509 CRT and CSR writing functions; the PK and RSA
+     sign and decrypt function; mbedtls_rsa_private(); the functions
+     in DHM and ECDH that compute the shared secret; the scalar multiplication
+     functions in ECP.
+   * The following functions now require an RNG parameter:
+     mbedtls_ecp_check_pub_priv(), mbedtls_pk_check_pair(),
+     mbedtls_pk_parse_key(), mbedtls_pk_parse_keyfile().
+Removals
+   * The configuration option MBEDTLS_ECP_NO_INTERNAL_RNG has been removed as
+     it no longer had any effect.

ChangeLog.d/max-record-payload-api.txt

@@ -0,0 +1,9 @@
+API changes
+   * Remove the SSL APIs mbedtls_ssl_get_input_max_frag_len() and
+     mbedtls_ssl_get_output_max_frag_len(), and add a new API
+     mbedtls_ssl_get_max_in_record_payload(), complementing the existing
+     mbedtls_ssl_get_max_out_record_payload().
+     Uses of mbedtls_ssl_get_input_max_frag_len() and
+     mbedtls_ssl_get_input_max_frag_len() should be replaced by
+     mbedtls_ssl_get_max_in_record_payload() and
+     mbedtls_ssl_get_max_out_record_payload(), respectively.

ChangeLog.d/mbed-can-do-timing.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Remove outdated check-config.h check that prevented implementing the
+     timing module on Mbed OS. Fixes #4633.

ChangeLog.d/psa_key_derivation-bad_workflow.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
+     about missing inputs.

ChangeLog.d/remove-rsa-mode-parameter.txt

@@ -6,4 +6,3 @@ API changes
      decryption functions now always use the private key and verification and
      encryption use the public key. Verification functions also no longer have
      RNG parameters.
-   * The RNG is now mandatory for all private-key RSA operations.

ChangeLog.d/rsa-padding.txt

@@ -0,0 +1,5 @@
+API changes
+   * mbedtls_rsa_init() now always selects the PKCS#1v1.5 encoding for an RSA
+     key. To use an RSA key with PSS or OAEP, call mbedtls_rsa_set_padding()
+     after initializing the context. mbedtls_rsa_set_padding() now returns an
+     error if its parameters are invalid.

ChangeLog.d/tool-versions.txt

@@ -0,0 +1,4 @@
+Requirement changes
+   * Refresh the minimum supported versions of tools to build the
+     library. CMake versions older than 3.10.2 and Python older
+     than 3.6 are no longer supported.

ChangeLog.d/winsock.txt

@@ -0,0 +1,4 @@
+Bugfix
+   * Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
+     MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
+