Changes
   * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
     `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
     countermeasures. If side channels are not a concern, this dependency can
     be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`.

Security
   * Fix side channel in mbedtls_ecp_check_pub_priv() and
     mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
     private key that didn't include the uncompressed public key), as well as
     mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
     f_rng argument. An attacker with access to precise enough timing and
     memory access information (typically an untrusted operating system
     attacking a secure enclave) could fully recover the ECC private key.
     Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
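As an added audit example (not Mbed TLS code), the two checks a practitioner would want after these entries: a parser for a Mbed TLS config header that honours the `//#define` convention for disabled options and classifies whether an ECP build keeps the RNG-based countermeasure, and a scan for `mbedtls_ecp_mul()` / `mbedtls_ecp_mul_restartable()` calls that pass `NULL` as `f_rng`. The config and source snippets are constructed.

```python
import re

DRBG_OPTIONS = ("MBEDTLS_CTR_DRBG_C", "MBEDTLS_HMAC_DRBG_C")

def enabled_options(config_text):
    """Options actually #defined. Mbed TLS lists disabled options as
    '//#define ...', so commented-out lines must not count as enabled."""
    opts = set()
    for line in config_text.splitlines():
        m = re.match(r"\s*#\s*define\s+(MBEDTLS_\w+)", line)
        if m:
            opts.add(m.group(1))
    return opts

def check_ecp_rng_config(config_text):
    """'ok': ECP with a DRBG, countermeasure available; 'no-countermeasure':
    the MBEDTLS_ECP_NO_INTERNAL_RNG opt-out was chosen; 'missing-drbg': ECP
    enabled but the new dependency is unmet; 'no-ecp': ECP disabled."""
    opts = enabled_options(config_text)
    if "MBEDTLS_ECP_C" not in opts:
        return "no-ecp"
    if any(o in opts for o in DRBG_OPTIONS):
        return "ok"
    if "MBEDTLS_ECP_NO_INTERNAL_RNG" in opts:
        return "no-countermeasure"
    return "missing-drbg"

CALL_RE = re.compile(r"\bmbedtls_ecp_mul(?:_restartable)?\s*\(")

def find_null_rng_calls(source_text):
    """1-based line numbers of ecp_mul calls whose 5th argument (f_rng) is
    the literal NULL; nested parentheses in arguments are handled."""
    hits = []
    for m in CALL_RE.finditer(source_text):
        depth, args, cur, i = 1, [], "", m.end()
        while i < len(source_text) and depth:
            c = source_text[i]
            if c in "([":
                depth += 1
            elif c in ")]":
                depth -= 1
            if c == "," and depth == 1:
                args.append(cur.strip()); cur = ""
            elif depth:
                cur += c
            i += 1
        args.append(cur.strip())
        if len(args) > 4 and args[4] == "NULL":
            hits.append(source_text.count("\n", 0, m.start()) + 1)
    return hits

# Constructed samples: an opt-out config and a source file with one safe
# call and two calls that disable the countermeasure via NULL f_rng.
SAMPLE_CONFIG = "#define MBEDTLS_ECP_C\n//#define MBEDTLS_CTR_DRBG_C\n#define MBEDTLS_ECP_NO_INTERNAL_RNG\n"
SAMPLE_SOURCE = ("r = mbedtls_ecp_mul(&grp, &Q, &d, &grp.G, mbedtls_ctr_drbg_random, &drbg);\n"
                 "r = mbedtls_ecp_mul(&grp, &Q, &d, &grp.G, NULL, NULL);\n"
                 "r = mbedtls_ecp_mul_restartable(&grp, &Q, &d, &grp.G, NULL, NULL, &rs);\n")
```

Run against a real tree, `check_ecp_rng_config` reads `include/mbedtls/config.h` and `find_null_rng_calls` is applied to each application source file.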