mbedtls: Update to upstream version 2.28.7

(cherry picked from commit dec635119e)

thirdparty/mbedtls/patches/1453.diff

@@ -1,53 +0,0 @@
-diff --git a/thirdparty/mbedtls/library/entropy_poll.c b/thirdparty/mbedtls/library/entropy_poll.c
-index 3420616a06..57fddd4d62 100644
---- a/thirdparty/mbedtls/library/entropy_poll.c
-+++ b/thirdparty/mbedtls/library/entropy_poll.c
-@@ -55,26 +55,41 @@
- #define _WIN32_WINNT 0x0400
- #endif
- #include <windows.h>
--#include <wincrypt.h>
-+#include <bcrypt.h>
-+#if defined(_MSC_VER) && _MSC_VER <= 1600
-+/* Visual Studio 2010 and earlier issue a warning when both <stdint.h> and
-+ * <intsafe.h> are included, as they redefine a number of <TYPE>_MAX constants.
-+ * These constants are guaranteed to be the same, though, so we suppress the
-+ * warning when including intsafe.h.
-+ */
-+#pragma warning( push )
-+#pragma warning( disable : 4005 )
-+#endif
-+#include <intsafe.h>
-+#if defined(_MSC_VER) && _MSC_VER <= 1600
-+#pragma warning( pop )
-+#endif
- 
- int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len,
-                                   size_t *olen)
- {
--    HCRYPTPROV provider;
-+    ULONG len_as_ulong = 0;
-     ((void) data);
-     *olen = 0;
- 
--    if (CryptAcquireContext(&provider, NULL, NULL,
--                            PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) == FALSE) {
-+    /*
-+     * BCryptGenRandom takes ULONG for size, which is smaller than size_t on
-+     * 64-bit Windows platforms. Ensure len's value can be safely converted into
-+     * a ULONG.
-+     */
-+    if (FAILED(SizeTToULong(len, &len_as_ulong))) {
-         return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
-     }
- 
--    if (CryptGenRandom(provider, (DWORD) len, output) == FALSE) {
--        CryptReleaseContext(provider, 0);
-+    if (!BCRYPT_SUCCESS(BCryptGenRandom(NULL, output, len_as_ulong, BCRYPT_USE_SYSTEM_PREFERRED_RNG))) {
-         return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
-     }
- 
--    CryptReleaseContext(provider, 0);
-     *olen = len;
- 
-     return 0;

thirdparty/mbedtls/patches/windows-arm64-hardclock.diff

@@ -1,8 +1,8 @@
 diff --git a/thirdparty/mbedtls/library/timing.c b/thirdparty/mbedtls/library/timing.c
-index 94b55b3715..58c2c2730d 100644
+index f2f0a4386b..7ef9f473b5 100644
 --- a/thirdparty/mbedtls/library/timing.c
 +++ b/thirdparty/mbedtls/library/timing.c
-@@ -190,8 +190,10 @@ unsigned long mbedtls_timing_hardclock(void)
+@@ -178,8 +178,10 @@ unsigned long mbedtls_timing_hardclock(void)
  #endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
            __GNUC__ && __ia64__ */
  

thirdparty/mbedtls/patches/windows-entropy-bcrypt.diff

@@ -0,0 +1,56 @@
+Backported from: https://github.com/Mbed-TLS/mbedtls/pull/8047
+
+diff --git a/thirdparty/mbedtls/library/entropy_poll.c b/thirdparty/mbedtls/library/entropy_poll.c
+index cde49e66a0..4c5184686e 100644
+--- a/thirdparty/mbedtls/library/entropy_poll.c
++++ b/thirdparty/mbedtls/library/entropy_poll.c
+@@ -39,32 +39,34 @@
+ 
+ #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+ 
+-#if !defined(_WIN32_WINNT)
+-#define _WIN32_WINNT 0x0400
+-#endif
+ #include <windows.h>
+-#include <wincrypt.h>
++#include <bcrypt.h>
++#include <intsafe.h>
+ 
+ int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len,
+                                   size_t *olen)
+ {
+-    HCRYPTPROV provider;
+     ((void) data);
+     *olen = 0;
+ 
+-    if (CryptAcquireContext(&provider, NULL, NULL,
+-                            PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) == FALSE) {
+-        return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+-    }
++    /*
++     * BCryptGenRandom takes ULONG for size, which is smaller than size_t on
++     * 64-bit Windows platforms. Extract entropy in chunks of len (dependent
++     * on ULONG_MAX) size.
++     */
++    while (len != 0) {
++        unsigned long ulong_bytes =
++            (len > ULONG_MAX) ? ULONG_MAX : (unsigned long) len;
++
++        if (!BCRYPT_SUCCESS(BCryptGenRandom(NULL, output, ulong_bytes,
++                                            BCRYPT_USE_SYSTEM_PREFERRED_RNG))) {
++            return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
++        }
+ 
+-    if (CryptGenRandom(provider, (DWORD) len, output) == FALSE) {
+-        CryptReleaseContext(provider, 0);
+-        return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
++        *olen += ulong_bytes;
++        len -= ulong_bytes;
+     }
+ 
+-    CryptReleaseContext(provider, 0);
+-    *olen = len;
+-
+     return 0;
+ }
+ #else /* _WIN32 && !EFIX64 && !EFI32 */