Update dependencies documentation

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard 2020-06-17 12:26:54 +02:00
parent 601128eb58
commit f1aca9fdba
2 changed files with 8 additions and 6 deletions

View file

@ -1,6 +1,7 @@
Changes
* The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
`MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
`MBEDTLS_CTR_DRBG_C`, `MBEDTLS_HMAC_DRBG_C`, `MBEDTLS_SHA512_C`,
`MBEDTLS_SHA256_C` or `MBEDTLS_SHA1_C` for some side-channel
coutermeasures. If side channels are not a concern, this dependency can
be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`.

View file

@ -626,11 +626,12 @@
* against some side-channel attacks.
*
* This protection introduces a dependency of the ECP module on one of the
* DRBG modules. For very constrained implementations that don't require this
* protection (for example, because you're only doing signature verification,
* so not manipulating any secret, or because local/physical side-channel
* attacks are outside your threat model), it might be desirable to get rid of
* that dependency.
* DRBG or SHA modules (HMAC-DRBG, CTR-DRBG, SHA-512, SHA-256 or SHA-1).
* For very constrained applications that don't require this protection
* (for example, because you're only doing signature verification, so not
* manipulating any secret, or because local/physical side-channel attacks are
* outside your threat model), it might be desirable to get rid of that
* dependency.
*
* \warning Enabling this option makes some uses of ECP vulnerable to some
* side-channel attacks. Only enable it if you know that's not a problem for