Add Security ChangeLog entry for lack of blinding
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/ChangeLog.d/ecp-internal-rng.txt b/ChangeLog.d/ecp-internal-rng.txt
index bf11a73..c0419ac 100644
--- a/ChangeLog.d/ecp-internal-rng.txt
+++ b/ChangeLog.d/ecp-internal-rng.txt
@@ -3,3 +3,13 @@
`MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
coutermeasures. If side channels are not a concern, this dependency can
be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
+
+Security
+ * Fix side channel in mbedtls_ecp_check_pub_priv() and
+ mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
+ private key that didn't include the uncompressed public key), as well as
+ mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
+ f_rng argument. An attacker with access to precise enough timing and
+ memory access information (typically an untrusted operating system
+ attacking a secure enclave) could fully recover the ECC private key.
+ Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
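Review bot: the new Security entry describes the impact but not how it was fixed, so a changelog reader cannot connect it to the internal-RNG paragraph a few lines above; consider adding a short clause to the entry, e.g. "Fixed by using an internal RNG for blinding when no f_rng is provided", and a pointer that the `MBEDTLS_ECP_NO_INTERNAL_RNG` option described above opts out of that countermeasure (the existing text already says it is only for builds where side channels are not a concern). While this file is being touched, the context line "coutermeasures" could also be corrected to "countermeasures".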