Update mbedtls submodule to 3.3.0

This version includes the patch we were carrying so that has been
removed. There are also a few changes to work with the new version:
* Config updates to pull in new source files
* Add MBEDTLS_ALLOW_PRIVATE_ACCESS which allows the ECDSA ops code to remain
  unchanged
* Provide a DRBG for deterministic ECDSA signing, used for blinding

Bug: b/265165949
Change-Id: I710859a32c30a4ba015fa33c13f4ac0fb1ed1aeb
Reviewed-on: https://pigweed-review.googlesource.com/c/open-dice/+/126452
Reviewed-by: Andrew Scull <ascull@google.com>
Commit-Queue: Darren Krahn <dkrahn@google.com>
diff --git a/.gitignore b/.gitignore
index 7aeb491..073fd5f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .clangd
+.cache
 compile_commands.json
 out
diff --git a/BUILD.gn b/BUILD.gn
index 756bcb8..105b9b6 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -74,6 +74,7 @@
 
 config("mbedtls_ops_config") {
   include_dirs = [ "//include//dice/config/mbedtls_ecdsa_p256" ]
+  defines = [ "MBEDTLS_ALLOW_PRIVATE_ACCESS" ]
 }
 
 pw_static_library("dice_with_mbedtls_ops") {
diff --git a/bootstrap.sh b/bootstrap.sh
index 3404d07..b599594 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -25,9 +25,6 @@
 # manually.
 git submodule update --init
 
-# Apply local submodule patches.
-git -C third_party/mbedtls/src am ../0001-Mark-basic-constraints-critical-as-appropriate.patch
-
 # Bootstrap the pigweed environment.
 . third_party/pigweed/src/bootstrap.sh
 
diff --git a/src/mbedtls_ops.c b/src/mbedtls_ops.c
index 4085481..4dbf2dd 100644
--- a/src/mbedtls_ops.c
+++ b/src/mbedtls_ops.c
@@ -439,11 +439,18 @@
   }
   // This implementation is deterministic and assumes entropy is not available.
   // If this code is run where entropy is available, however, f_rng and p_rng
-  // should be set appropriately.
+  // should be set to use that entropy. As is, we'll provide a DRBG for blinding
+  // but it will be ineffective.
+  mbedtls_hmac_drbg_context drbg;
+  mbedtls_hmac_drbg_init(&drbg);
+  mbedtls_hmac_drbg_seed_buf(&drbg,
+                             mbedtls_md_info_from_type(MBEDTLS_MD_SHA512),
+                             subject_key_id, subject_key_id_size);
   uint8_t tmp_buffer[DICE_MAX_CERTIFICATE_SIZE];
   int length_or_error =
       mbedtls_x509write_crt_der(&cert_context, tmp_buffer, sizeof(tmp_buffer),
-                                /*f_rng=*/NULL, /*p_rng=*/NULL);
+                                mbedtls_hmac_drbg_random, &drbg);
+  mbedtls_hmac_drbg_free(&drbg);
   if (length_or_error < 0) {
     result = kDiceResultPlatformError;
     goto out;
diff --git a/third_party/mbedtls/0001-Mark-basic-constraints-critical-as-appropriate.patch b/third_party/mbedtls/0001-Mark-basic-constraints-critical-as-appropriate.patch
deleted file mode 100644
index 097eb17..0000000
--- a/third_party/mbedtls/0001-Mark-basic-constraints-critical-as-appropriate.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From d5cbe3484248ee5f44543b1b50604bcd5739cc85 Mon Sep 17 00:00:00 2001
-From: Darren Krahn <dkrahn@google.com>
-Date: Fri, 10 Jul 2020 17:03:57 -0700
-Subject: [PATCH] Mark basic constraints critical as appropriate.
-
-Per RFC 5280 4.2.1.9 if the 'cA' field is set to true, the extension
-must be marked critical.
----
- library/x509write_crt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/library/x509write_crt.c b/library/x509write_crt.c
-index 32c655096..498b8b0a0 100644
---- a/library/x509write_crt.c
-+++ b/library/x509write_crt.c
-@@ -163,7 +163,7 @@ int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
-     return(
-         mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS,
-                              MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ),
--                             0, buf + sizeof(buf) - len, len ) );
-+                             is_ca, buf + sizeof(buf) - len, len ) );
- }
- 
- #if defined(MBEDTLS_SHA1_C)
--- 
-2.29.0.rc1.297.gfa9743e501-goog
-
diff --git a/third_party/mbedtls/BUILD.gn b/third_party/mbedtls/BUILD.gn
index e77c1b2..7e6d0f7 100644
--- a/third_party/mbedtls/BUILD.gn
+++ b/third_party/mbedtls/BUILD.gn
@@ -31,9 +31,12 @@
     "src/library/asn1parse.c",
     "src/library/asn1write.c",
     "src/library/bignum.c",
+    "src/library/bignum_core.c",
+    "src/library/constant_time.c",
     "src/library/ecdsa.c",
     "src/library/ecp.c",
     "src/library/ecp_curves.c",
+    "src/library/hash_info.c",
     "src/library/hkdf.c",
     "src/library/hmac_drbg.c",
     "src/library/md.c",
diff --git a/third_party/mbedtls/custom_config.h b/third_party/mbedtls/custom_config.h
index ff71785..24d5418 100644
--- a/third_party/mbedtls/custom_config.h
+++ b/third_party/mbedtls/custom_config.h
@@ -32,6 +32,7 @@
 #define MBEDTLS_MD_C
 #define MBEDTLS_OID_C
 #define MBEDTLS_PK_C
+#define MBEDTLS_PK_PARSE_C
 #define MBEDTLS_PK_WRITE_C
 #define MBEDTLS_SHA512_C
 #define MBEDTLS_X509_CREATE_C
diff --git a/third_party/mbedtls/src b/third_party/mbedtls/src
index 1c54b54..8c89224 160000
--- a/third_party/mbedtls/src
+++ b/third_party/mbedtls/src
@@ -1 +1 @@
-Subproject commit 1c54b5410fd48d6bcada97e30cac417c5c7eea67
+Subproject commit 8c89224991adff88d53cd380f42a2baa36f91454