API changes
   * The functions mbedtls_cipher_auth_encrypt() and
     mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts,
     as they have no way to check if the output buffer is large enough.
     Please use mbedtls_cipher_auth_encrypt_ext() and
     mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
     Cryptofuzz. Fixes #3665.

Security
   * The functions mbedtls_cipher_auth_encrypt() and
     mbedtls_cipher_auth_decrypt() would write past the minimum documented
     size of the output buffer when used with NIST_KW. As a result, code using
     those functions as documented with NIST_KW could have a buffer overwrite
     of up to 15 bytes, with consequences ranging up to arbitrary code
     execution depending on the location of the output buffer.

New deprecations
   * The functions mbedtls_cipher_auth_encrypt() and
     mbedtls_cipher_auth_decrypt() are deprecated in favour of the new
     functions mbedtls_cipher_auth_encrypt_ext() and
     mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers,
     these new functions always append the tag to the ciphertext, and include
     the tag in the ciphertext length.