mbedtls: add support for 4.0.0

After this patch libcurl requires (as already documented)
the `curl_global_init()` call when using the `curl_formadd()` API with
mbedTLS.

Note: NTLM is not supported with mbedTLS 4+, because it lacks
the necessary crypto primitive: DES.

Also:
- lib: de-dupe mbedTLS minimum version checks into `curl_setup.h`.
- lib: initialize PSA Crypto as part of `curl_global_init()`.
  For MD5, SHA-256, `curl_formadd()`, and MultiSSL builds with mbedTLS
  but where mbedTLS isn't the default backend.
- lib1308: fix to call `curl_global_init()` (for the Form API).
- curl_ntlm_core: disable with mbedTLS 4+.
- md4: disable mbedTLS implementation when building against 4.x.
- md5: use mbedTLS PSA Crypto API when available, otherwise use
  the default local implementation.
- sha256: use mbedTLS PSA Crypto API when available, otherwise use
  the default local implementation.
- vtls/mbedtls: drop PSA Crypto initialization in favor of
  `curl_global_init()`.
- vtls/mbedtls: use PSA Crypto random API with all mbedTLS versions.
- vtls/mbedtls: do the same for the SHA-256 callback.
- autotools: detect mbedTLS 4+, and disable NTLM for 3.x.
- cmake: disable NTLM for mbedTLS 3.x.
- GHA/linux: keep building mbedTLS 3.x manually and use it in
  an existing job, while also enabling pytest in it.
- GHA/linux: bump to mbedTLS 4.0.0.
  Closes #19075
  Closes #19074

Refs:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-4.0.0
https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-4.0.0/docs/4.0-migration-guide.md
https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-4.0.0/tf-psa-crypto/docs/1.0-migration-guide.md [404]
https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/tf-psa-crypto-1.0.0/docs/1.0-migration-guide.md
https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/tf-psa-crypto-1.0.0/docs/psa-transition.md
627f727bbe/docs/4.0-migration-guide

Closes #19077

.github/workflows/linux.yml

@@ -42,7 +42,9 @@ env:
   # renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?<version>.+)-stable$ registryUrl=https://github.com
   WOLFSSL_VERSION: 5.8.2
   # renovate: datasource=github-tags depName=Mbed-TLS/mbedtls versioning=semver registryUrl=https://github.com
-  MBEDTLS_VERSION: 3.6.4
+  MBEDTLS_VERSION: 4.0.0
+  # renovate: datasource=github-tags depName=Mbed-TLS/mbedtls versioning=semver:^3.0.0 registryUrl=https://github.com
+  MBEDTLS_VERSION_PREV: 3.6.4
   # renovate: datasource=github-tags depName=awslabs/aws-lc versioning=semver registryUrl=https://github.com
   AWSLC_VERSION: 1.61.4
   # renovate: datasource=github-tags depName=google/boringssl versioning=semver registryUrl=https://github.com
@@ -109,10 +111,10 @@ jobs:
             install_steps: mbedtls pytest
             configure: CC=clang LDFLAGS=-Wl,-rpath,/home/runner/mbedtls/lib --with-mbedtls=/home/runner/mbedtls --enable-debug --with-fish-functions-dir --with-zsh-functions-dir
 
-          - name: 'mbedtls'
+          - name: 'mbedtls-prev'
             install_packages: libnghttp2-dev libuv1-dev
-            install_steps: mbedtls
-            PKG_CONFIG_PATH: /home/runner/mbedtls/lib/pkgconfig  # Requires v3.6.0
+            install_steps: mbedtls-prev pytest
+            PKG_CONFIG_PATH: /home/runner/mbedtls-prev/lib/pkgconfig  # Requires v3.6.0
             generate: -DCURL_USE_MBEDTLS=ON -DCURL_USE_LIBUV=ON -DENABLE_DEBUG=ON
 
           - name: 'mbedtls-pkg MultiSSL !pc'
@@ -435,7 +437,7 @@ jobs:
       - name: 'cache mbedtls'
         if: ${{ contains(matrix.build.install_steps, 'mbedtls') }}
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-        id: cache-mbedtls
+        id: cache-mbedtls-threadsafe
         env:
           cache-name: cache-mbedtls-threadsafe
         with:
@@ -443,7 +445,7 @@ jobs:
           key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MBEDTLS_VERSION }}
 
       - name: 'build mbedtls'
-        if: ${{ contains(matrix.build.install_steps, 'mbedtls') && steps.cache-mbedtls.outputs.cache-hit != 'true' }}
+        if: ${{ contains(matrix.build.install_steps, 'mbedtls') && steps.cache-mbedtls-threadsafe.outputs.cache-hit != 'true' }}
         run: |
           curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \
             --location "https://github.com/Mbed-TLS/mbedtls/releases/download/mbedtls-${MBEDTLS_VERSION}/mbedtls-${MBEDTLS_VERSION}.tar.bz2" | tar -xj
@@ -455,7 +457,30 @@ jobs:
           cmake --build .
           cmake --install .
 
-      - name: 'cache openldap-static'
+      - name: 'cache mbedtls (prev)'
+        if: ${{ contains(matrix.build.install_steps, 'mbedtls-prev') }}
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        id: cache-mbedtls-threadsafe-prev
+        env:
+          cache-name: cache-mbedtls-threadsafe-prev
+        with:
+          path: ~/mbedtls-prev
+          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MBEDTLS_VERSION }}
+
+      - name: 'build mbedtls (prev)'
+        if: ${{ contains(matrix.build.install_steps, 'mbedtls-prev') && steps.cache-mbedtls-threadsafe-prev.outputs.cache-hit != 'true' }}
+        run: |
+          curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \
+            --location "https://github.com/Mbed-TLS/mbedtls/releases/download/mbedtls-${MBEDTLS_VERSION_PREV}/mbedtls-${MBEDTLS_VERSION_PREV}.tar.bz2" | tar -xj
+          cd "mbedtls-${MBEDTLS_VERSION_PREV}"
+          ./scripts/config.py set MBEDTLS_THREADING_C
+          ./scripts/config.py set MBEDTLS_THREADING_PTHREAD
+          cmake -B . -G Ninja -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DCMAKE_INSTALL_PREFIX=/home/runner/mbedtls-prev \
+            -DENABLE_PROGRAMS=OFF -DENABLE_TESTING=OFF
+          cmake --build .
+          cmake --install .
+
+      - name: 'cache openldap (static)'
         if: ${{ contains(matrix.build.install_steps, 'openldap-static') }}
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         id: cache-openldap-static