Security
* Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
  An adversary who is capable of very precise timing measurements could
  learn partial information about the leading bits of the nonce used for the
  signature, allowing the recovery of the private key after observing a
  large number of signature operations. This completes a partial fix in
  Mbed TLS 2.20.0.