Merge remote-tracking branch 'upstream-restricted/pr/503' into development-restricted-proposed
diff --git a/ChangeLog b/ChangeLog
index 37373a2..5032be6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,13 @@
 
 = mbed TLS x.x.x branch released xxxx-xx-xx
 
+Security
+   * When writing a private EC key, use a constant size for the private
+     value, as specified in RFC 5915. Previously, the value was written
+     as an ASN.1 INTEGER, which caused the size of the key to leak
+     about 1 bit of information on average and could cause the value to be
+     1 byte too large for the output buffer.
+
 Features
    * Add the Any Policy certificate policy oid, as defined in
      rfc 5280 section 4.2.1.4.
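Review bot: the new Security entry names neither the affected API nor an issue or PR reference, while the surrounding entries do both (for instance "Fixes #2254" and "Reported by soccerGB in #2631"); add the writing function whose output changed and the tracking reference, if one is public. The two consequences described are worth keeping distinct in the wording: the ~1 bit average leak comes from the DER INTEGER encoding stripping leading zero octets, so the key length reveals whether the top byte of the private value is zero, and the "1 byte too large" case is the opposite edge, where a value with its top bit set gets a 0x00 sign octet prepended; stating that the fixed-size RFC 5915 encoding removes both makes the entry self-explanatory for readers who will not open the RFC.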
@@ -32,6 +39,15 @@
      MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
      through the new APIs mbedtls_ssl_conf_cid() and mbedtls_ssl_set_cid().
 
+API Changes
+   * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
+     and the used tls-prf.
+   * Add public API for tls-prf function, according to requested enum.
+   * Add DER-encoded test CRTs to library/certs.c, allowing
+     the example programs ssl_server2 and ssl_client2 to be run
+     if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
+   * The HAVEGE state type now uses uint32_t elements instead of int.
+
 Bugfix
    * Fix private key DER output in the key_app_writer example. File contents
      were shifted by one byte, creating an invalid ASN.1 tag. Fixed by
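Review bot: the first two items in the moved API Changes block are under-specified compared with the rest of the file: "the MBEDTLS_SSL_EXPORT_KEYS" reads as if the macro were a noun phrase (drop "the"), and "Add public API for tls-prf function, according to requested enum" names neither the new function nor the enum type that selects the PRF, so a reader cannot find the API from the ChangeLog; spell out the function and enum names and, as with the "Fixes #2254" item, add the issue or PR reference for each. Since this hunk only relocates the section ahead of Bugfix, the relocation itself is fine as long as the deleted copy below is byte-identical.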
@@ -80,15 +96,6 @@
      in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
    * Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716.
 
-API Changes
-   * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
-     and the used tls-prf.
-   * Add public API for tls-prf function, according to requested enum.
-   * Add DER-encoded test CRTs to library/certs.c, allowing
-     the example programs ssl_server2 and ssl_client2 to be run
-     if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
-   * The HAVEGE state type now uses uint32_t elements instead of int.
-
 Changes
    * Server's RSA certificate in certs.c was SHA-1 signed. In the default
      mbedTLS configuration only SHA-2 signed certificates are accepted.
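Review bot: this hunk is the removal half of moving API Changes above Bugfix, and the eight deleted lines match the eight added in the earlier hunk line for line, so no entry is lost in the merge; the only thing to double-check on the merge result is that the blank-line separation around "Changes" is preserved and that no second "API Changes" heading survives elsewhere in the section.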