mbedtls_cipher functions return 0 in invalid scenarios

[gilles-peskine-arm]

If you call mbedtls_cipher_update_ad or mbedtls_cipher_write_tag or mbedtls_cipher_check_tag on a non-AEAD algorithm, they return 0. This looks wrong: surely it's an application error, and it's easily detectable, so we should return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT or MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA?

Our unit tests indiscriminately call these functions on non-AEAD algorithms though. Is this just a test bug or is this deliberate? The documentation doesn't say anything explicit.

Similar pattern with mbedtls_cipher_set_iv on ECB.

Since the unit tests validate the current behavior, if we change it, we should probably not change LTS branches.

Note: moot if we remove cipher.h as a public API.