Summary for Mbed TLS users: in Mbed TLS 3.x, don't include mbedtls/check_config.h any longer.
Some users had an Mbed TLS 2.x mbedtls/config.h (or alternate name given via MBEDTLS_CONFIG_FILE) that included mbedtls/check_config.h as then recommended, and now have an Mbed TLS 3.x config file (mbedtls/mbedtls_config.h or alternate name given via MBEDTLS_CONFIG_FILE) that still includes mbedtls/check_config.h.
Since Mbed TLS 3.0, including mbedtls/check_config.h from the config file is unnecessary: it's now included automatically (from mbedtls/build_info.h, and indirectly from all Mbed TLS headers). We documented this in the migration guide, but we hadn't announced it in a changelog entry. Including mbedtls/check_config.h from the config file is also strongly not recommended because it's likely to report spurious errors, increasingly so over 3.x releases as there are more and more auxiliary symbols and adjustments.
Some projects have worked around the errors from check_config by including *adjust*.h headers manually. This is a bad workaround: it's dangerous because it can lead to an inconsistent configuration. In some cases, the inconsistency could potentially cause security vulnerabilities such as buffer overflows if a buffer is sized based on a derived symbol but used based on a user-set symbol or vice versa.
The goal of this issue is to provide better guidance to users so they apply the proper fix instead of a bad workaround.
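A check that a downstream project could run over its own Mbed TLS 3.x config file to catch both patterns described above: a leftover include of mbedtls/check_config.h and a manual include of an *adjust*.h header. This is an added example, not code from the Mbed TLS project; the function names and the sample config text are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Matches '#include "x"', '#include <x>' and '#  include "x"'.
INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]')
# One pass over both comment styles, so '/*' inside a '//' comment is not misread.
COMMENT_RE = re.compile(r'//[^\n]*|/\*.*?\*/', re.S)

def strip_comments(text):
    """Blank out C comments but keep newlines, so line numbers stay valid."""
    return COMMENT_RE.sub(lambda m: re.sub(r'[^\n]', ' ', m.group(0)), text)

def find_bad_includes(config_text):
    """Return (line, header, reason) for each include the issue warns about."""
    findings = []
    for lineno, line in enumerate(strip_comments(config_text).splitlines(), 1):
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        header = m.group(1)
        base = header.rsplit('/', 1)[-1]
        if base == 'check_config.h':
            findings.append((lineno, header,
                             'already included via mbedtls/build_info.h since 3.0'))
        elif fnmatchcase(base, '*adjust*.h'):
            findings.append((lineno, header,
                             'manual adjust include can make the configuration inconsistent'))
    return findings

# Constructed sample of a user config file carried over from Mbed TLS 2.x.
SAMPLE_CONFIG = '''\
#define MBEDTLS_AES_C
// #include "mbedtls/check_config.h"
/* #include "mbedtls/config_adjust_legacy_crypto.h" */
#  include "mbedtls/config_adjust_legacy_crypto.h"
#define MBEDTLS_SHA256_C
#include <mbedtls/check_config.h>
'''

if __name__ == '__main__':
    for lineno, header, reason in find_bad_includes(SAMPLE_CONFIG):
        print(f'line {lineno}: remove #include of {header} ({reason})')
```

Commented-out includes are ignored, so only lines that the preprocessor would actually act on are reported.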