- update to 2.25.0:
* This release of Mbed TLS provides bug fixes, minor enhancements and new
features. This release includes fixes for security issues.
* see https://github.com/ARMmbed/mbedtls/releases/tag/v2.25.0
* The functions mbedtls_cipher_auth_encrypt() and
mbedtls_cipher_auth_decrypt() would write past the minimum documented size
of the output buffer when used with NIST_KW. As a result, code using those
functions as documented with NIST_KW could have a buffer overwrite of up to
15 bytes, with consequences ranging up to arbitrary code execution
depending on the location of the output buffer.
* Limit the size of calculations performed by mbedtls_mpi_exp_mod to
MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating
Diffie-Hellman key pairs. Credit to OSS-Fuzz.

* A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
which is how most uses of randomization in asymmetric cryptography (including
key generation, intermediate value randomization and blinding) are implemented.
This could cause failures or the silent use of non-random values. A random
generator can fail if it needs reseeding and cannot not obtain entropy, or due
to an internal failure (which, for Mbed TLS's own CTR_DRBG or HMAC_DRBG, can
only happen due to a misconfiguration).

* Fix a compliance issue whereby we were not checking the tag on the algorithm
parameters (only the size) when comparing the signature in the description part
of the cert to the real signature. This meant that a NULL algorithm parameters
entry would look identical to an array of REAL (size zero) to the library and
thus the certificate would be considered valid. However, if the parameters do
not match in any way then the certificate should be considered invalid, and
indeed OpenSSL marks these certs as invalid when mbedtls did not. Many thanks
to guidovranken who found this issue via differential fuzzing and reported it