Open gilles-peskine-arm opened 3 years ago
ssl_cookie.c uses the smallest secure hash available, with SHA-1 as a last resort. In Mbed TLS 3.x, it will become possible to configure SHA-384 and SHA-512 separately, and to configure SHA-256 and SHA-224 separately. https://github.com/ARMmbed/mbedtls/pull/4304 adds the configuration options, with follow-ups yet to come to make all combinations work optimally.

The goal of this task is to ensure that ssl_cookie.c works in all reasonable configurations and uses the desired hash. This definitely includes a SHA-256-only build. Open questions:

- Do we want to add support for a SHA-512-only build (which is already possible in Mbed TLS 2.x since MBEDTLS_SHA512_NO_SHA384 was added)?
- Do we want to bother with SHA-224 at all?

> Do we want to add support for a SHA-512-only build (which is already possible in Mbed TLS 2.x since MBEDTLS_SHA512_NO_SHA384 was added)?

I don't think (D)TLS works with a SHA-512-only build, as no SHA-512 ciphersuites have been defined so far - see IANA registry.

I agree that SHA-384-only and SHA-256-only should be supported.

> Do we want to bother with SHA-224 at all?

Probably not. It was chosen because it saved 4 bytes on the wire and it was convenient, but if it stops being as convenient, we should favour simplicity.
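The selection rule under discussion ("smallest secure hash available, SHA-1 as a last resort") and its on-the-wire consequence can be modelled independently of the library. The following is an added example, not code from Mbed TLS or from anyone in the thread: it models the rule as a function over a set of enabled configuration symbols, builds a toy cookie (timestamp || HMAC) with the chosen hash so that the 4-byte SHA-224/SHA-256 difference and the SHA-512-only case are visible, and verifies it. The option-to-hash mapping, the `allow_sha224` switch and the cookie layout are assumptions made for the illustration, not the library's actual format or API.

```python
"""Model of the 'smallest secure hash, SHA-1 as last resort' cookie policy.

Added illustration, not Mbed TLS code.  Configuration symbols mirror the
MBEDTLS_*_C names; the cookie layout (4-byte timestamp || HMAC) is an
assumption chosen to make the effect of each hash choice visible.
"""
import hmac
import struct

# Digest length in bytes for each hashlib name.
DIGEST_LEN = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64, "sha1": 20}

# Assumed mapping from configuration symbol to the hash it enables, reflecting
# the 3.x split of SHA-224/SHA-256 and SHA-384/SHA-512 into separate options.
OPTION_TO_HASH = {
    "MBEDTLS_SHA224_C": "sha224",
    "MBEDTLS_SHA256_C": "sha256",
    "MBEDTLS_SHA384_C": "sha384",
    "MBEDTLS_SHA512_C": "sha512",
    "MBEDTLS_SHA1_C": "sha1",
}


def select_cookie_hash(enabled_options, allow_sha224=True):
    """Return the hashlib name the cookie code would use for this build.

    Policy modelled: among enabled SHA-2 hashes take the smallest digest
    (SHA-224 before SHA-256 unless allow_sha224 is False, which models the
    'drop SHA-224' option raised in the thread); fall back to SHA-1 only when
    no SHA-2 hash is enabled; raise if nothing usable is configured.
    """
    available = {OPTION_TO_HASH[o] for o in enabled_options if o in OPTION_TO_HASH}
    secure = [h for h in ("sha224", "sha256", "sha384", "sha512") if h in available]
    if not allow_sha224:
        secure = [h for h in secure if h != "sha224"]
    if secure:
        return min(secure, key=DIGEST_LEN.__getitem__)
    if "sha1" in available:
        return "sha1"
    raise ValueError("no hash available for cookie generation")


def make_cookie(key, client_id, timestamp, hash_name):
    """Toy cookie: 4-byte big-endian timestamp || HMAC(key, timestamp || client_id)."""
    ts = struct.pack(">I", timestamp)
    mac = hmac.new(key, ts + client_id, hash_name).digest()
    return ts + mac


def check_cookie(key, client_id, cookie, hash_name, now, timeout=60):
    """Verify a toy cookie: expected length, constant-time MAC compare, then age."""
    if len(cookie) != 4 + DIGEST_LEN[hash_name]:
        return False
    ts = cookie[:4]
    expected = hmac.new(key, ts + client_id, hash_name).digest()
    if not hmac.compare_digest(cookie[4:], expected):
        return False
    age = now - struct.unpack(">I", ts)[0]
    return 0 <= age <= timeout


def cookie_len(enabled_options, allow_sha224=True):
    """Wire size of the toy cookie for a given set of enabled options."""
    return 4 + DIGEST_LEN[select_cookie_hash(enabled_options, allow_sha224)]


if __name__ == "__main__":
    key = b"constructed example key"   # constructed sample key, not a real secret
    cid = b"192.0.2.1:4433"            # constructed client identity
    for cfg in (["MBEDTLS_SHA224_C", "MBEDTLS_SHA256_C"], ["MBEDTLS_SHA256_C"],
                ["MBEDTLS_SHA384_C", "MBEDTLS_SHA512_C"], ["MBEDTLS_SHA512_C"],
                ["MBEDTLS_SHA1_C"]):
        h = select_cookie_hash(cfg)
        c = make_cookie(key, cid, 1000, h)
        print(cfg, "->", h, len(c), "bytes, verifies:", check_cookie(key, cid, c, h, 1030))
```

Running the block shows that a SHA-224 build yields a cookie 4 bytes shorter than a SHA-256 build, a SHA-384/SHA-512 build picks SHA-384, a SHA-512-only build still produces a verifiable cookie under this model (the thread's objection to that build concerns the lack of ciphersuites, which this model does not cover), and a build with no hash at all fails loudly rather than silently picking something.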