Document lack of API stability for the cipher module in 4.0

[yanesca]

We have decided to keep the cipher module in 4.0 but as an internal API that doesn't have API stability guarantees and therefore can be changed or removed in a minor version.

The header will be made internal as part of the repo-split, but it is best to document this fact clearly and say explicitly.

NIST KW and XTS are not available in PSA yet and need to be moved to a separate public header.

[mpg]

I think this is mostly covered by https://github.com/Mbed-TLS/mbedtls/issues/10087 and https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/220 - at least the part mentioned in the title.

Regarding the details:

• NIST-KW is handled by https://github.com/Mbed-TLS/TF-PSA-Crypto/pull/180
• XTS I'm not sure - it doesn't seem to be really available in PSA yet (the only hits in tests are in the metadata test suite), is this a temporary regression we've accepted by making cipher private? Or should we make a subset of cipher public just for XTS?

@yanesca @gilles-peskine-arm wdyt?

[yanesca]

My first thought would be to split out the xts part of aes.h and make that public. On a quick look it looks relatively standalone and it feels simpler/more direct than through cipher.

[gilles-peskine-arm]

We aren't going to do any coding work for this before 1.0.

XTS is one of the things that we've agreed to sacrified in 1.0.

I think this task does need to remain open, but solely as a documentation task, mostly on the migration guide.

[mpg]

This has been done. cipher.h is no longer a public header, it has now been moved to a private subdirectory of the include path.