[mbedtls] Upgrade mbedTLS to version 3.6.2 #2039

Open: kailun-qin wants to merge 1 commit into base: master
@kailun-qin kailun-qin commented Oct 18, 2024

Description of the changes

This upgrade includes fixes for four CVEs that affect Mbed TLS but not Gramine:

  • CVE-2024-45158: we don't use affected functions: mbedtls_ecdsa_der_to_raw() or mbedtls_ecdsa_raw_to_der().
  • CVE-2024-45159: we don't enable TLS 1.3 for internal Gramine PAL crypto/TLS and control server certificates (that don't use keyUsage or extKeyUsage extensions) in the ra-tls-mbedtls CI-example.
  • CVE-2024-45157: we don't enable the affected configuration: MBEDTLS_PSA_HMAC_DRBG_MD_TYPE.
  • CVE-2024-49195: we use mbedtls_pk_write_key_der() with a buffer that is large enough for the content.

Closes #2024.

How to test this PR?

CI.



This upgrade includes fixes for four CVEs that affect Mbed TLS but not
Gramine:
* CVE-2024-45158: we don't use affected functions:
  `mbedtls_ecdsa_der_to_raw()` or `mbedtls_ecdsa_raw_to_der()`.
* CVE-2024-45159: we don't enable TLS 1.3 for internal Gramine PAL
  crypto/TLS and control server certificates (that don't use `keyUsage`
  or `extKeyUsage` extensions) in the `ra-tls-mbedtls` CI-example.
* CVE-2024-45157: we don't enable the affected configuration:
  `MBEDTLS_PSA_HMAC_DRBG_MD_TYPE`.
* CVE-2024-49195: we use `mbedtls_pk_write_key_der()` with a buffer that
  is large enough for the content.

Signed-off-by: Kailun Qin <[email protected]>
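
One way to spot-check the four applicability claims listed above, as an added example that is not part of the PR or of Gramine's code: it scans a config header and C sources for the options and functions the description names, ignoring anything inside comments. `MBEDTLS_SSL_PROTO_TLS1_3` is assumed as the build option behind "TLS 1.3", and the sample config and source file are constructed.

```python
import re

# Symbols come from the PR description; MBEDTLS_SSL_PROTO_TLS1_3 is assumed here
# as the Mbed TLS build option behind "TLS 1.3" (the page does not name it).
CHECKS = {
    "CVE-2024-45158": ("call", ["mbedtls_ecdsa_der_to_raw", "mbedtls_ecdsa_raw_to_der"]),
    "CVE-2024-45159": ("define", ["MBEDTLS_SSL_PROTO_TLS1_3"]),
    "CVE-2024-45157": ("define", ["MBEDTLS_PSA_HMAC_DRBG_MD_TYPE"]),
    # A hit here is not a finding by itself: review the buffer size at the call.
    "CVE-2024-49195": ("call", ["mbedtls_pk_write_key_der"]),
}

# Constructed sample inputs (not Gramine's real config or sources).
SAMPLE_CONFIG = """\
#define MBEDTLS_SSL_PROTO_TLS1_2
//#define MBEDTLS_SSL_PROTO_TLS1_3
/* #define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 */
"""
SAMPLE_SOURCES = {"sample.c": """\
/* mbedtls_ecdsa_raw_to_der() is not used here */
int size = mbedtls_pk_write_key_der(&key, output_buf, output_buf_size);
"""}

def strip_comments(c_text):
    """Blank out /* */ and // comments, keeping newlines so line numbers hold."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group())
    return re.sub(r"/\*.*?\*/|//[^\n]*", blank, c_text, flags=re.S)

def audit(config_text, sources):
    """Return {cve: [hits]}; an empty list means the precondition was not found."""
    config = strip_comments(config_text)
    code = {name: strip_comments(text) for name, text in sources.items()}
    report = {}
    for cve, (kind, symbols) in CHECKS.items():
        hits = []
        for sym in symbols:
            if kind == "define":
                if re.search(rf"^[ \t]*#[ \t]*define[ \t]+{sym}\b", config, re.M):
                    hits.append(f"config enables {sym}")
                continue
            for name, text in code.items():
                for m in re.finditer(rf"\b{sym}\s*\(", text):
                    line = text.count("\n", 0, m.start()) + 1
                    hits.append(f"{name}:{line} calls {sym}")
        report[cve] = hits
    return report

if __name__ == "__main__":
    for cve, hits in audit(SAMPLE_CONFIG, SAMPLE_SOURCES).items():
        print(cve, hits or "precondition not found")
```

The comment stripping does not parse string literals or evaluate `#if` blocks, so a clean report narrows the review rather than replacing it.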

@kailun-qin kailun-qin left a comment


Reviewable status: 0 of 7 files reviewed, 2 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel)


-- commits line 14 at r1:
Pls see https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-10-1/#vulnerability and

```c
uint8_t* output_buf = NULL;
size_t output_buf_size = 4096; /* enough for any public key in DER format */
output_buf = malloc(output_buf_size);
if (!output_buf) {
    ret = MBEDTLS_ERR_X509_ALLOC_FAILED;
    goto out;
}
ret = create_key_and_crt(&key, NULL, der_crt, der_crt_size);
if (ret < 0) {
    goto out;
}
/* populate der_key; note that der_crt was already populated */
int size = mbedtls_pk_write_key_der(&key, output_buf, output_buf_size);
if (size < 0) {
    ret = size;
    goto out;
}
```
for details.

Code quote:

  * CVE-2024-49195: we use `mbedtls_pk_write_key_der()` with a buffer that
    is large enough for the content.

subprojects/mbedtls-3.6.2.wrap line 4 at r1 (raw file):

directory = mbedtls-3.6.2
source_url = https://github.com/Mbed-TLS/mbedtls/releases/download/mbedtls-3.6.2/mbedtls-3.6.2.tar.bz2
source_fallback_url = https://packages.gramineproject.io/distfiles/mbedtls-3.6.2.tar.bz2

@woju: Sorry to bother again, but a newer mbedTLS (v3.6.2) was just released: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.2. Would you pls help mirror this file? Thanks!

Code quote:

https://packages.gramineproject.io/distfiles/mbedtls-3.6.2.tar.bz2


@dimakuv dimakuv left a comment


Reviewed 7 of 7 files at r1, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel) (waiting on @woju)


subprojects/mbedtls-3.6.2.wrap line 4 at r1 (raw file):

Previously, kailun-qin (Kailun Qin) wrote…

@woju: Sorry to bother again, but a newer mbedTLS (v3.6.2) was just released: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.2. Would you pls help mirror this file? Thanks!

@woju And https://packages.gramineproject.io/distfiles/mbedtls-3.6.1.tar.bz2 can be removed (as we just skip this version in favor of the newer one).

@mkow mkow requested a review from woju October 20, 2024 13:49

@mkow mkow left a comment


Reviewed 7 of 7 files at r1, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel) (waiting on @woju)


@woju woju left a comment


Reviewed 7 of 7 files at r1, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion, not enough approvals from maintainers (1 more required) (waiting on @dimakuv, @kailun-qin, and @mkow)


subprojects/mbedtls-3.6.2.wrap line 4 at r1 (raw file):

Previously, dimakuv (Dmitrii Kuvaiskii) wrote…

@woju And https://packages.gramineproject.io/distfiles/mbedtls-3.6.1.tar.bz2 can be removed (as we just skip this version in favor of the newer one).

Done. I'll keep 3.6.1, it's just 5 MB.
