From 2d91c30f4cbf6fa30735a8b6d995db7a3e889768 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 17 Jun 2020 12:26:54 +0200 Subject: [PATCH] Update dependencies documentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/ecp-internal-rng.txt | 3 ++- include/mbedtls/config.h | 11 ++++++----- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/ChangeLog.d/ecp-internal-rng.txt b/ChangeLog.d/ecp-internal-rng.txt index c0419acad..f6b3c0f7f 100644 --- a/ChangeLog.d/ecp-internal-rng.txt +++ b/ChangeLog.d/ecp-internal-rng.txt @@ -1,6 +1,7 @@ Changes * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on - `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel + `MBEDTLS_CTR_DRBG_C`, `MBEDTLS_HMAC_DRBG_C`, `MBEDTLS_SHA512_C`, + `MBEDTLS_SHA256_C` or `MBEDTLS_SHA1_C` for some side-channel coutermeasures. If side channels are not a concern, this dependency can be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`. diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 9442eb44b..90c90f931 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -788,11 +788,12 @@ * against some side-channel attacks. * * This protection introduces a dependency of the ECP module on one of the - * DRBG modules. For very constrained implementations that don't require this - * protection (for example, because you're only doing signature verification, - * so not manipulating any secret, or because local/physical side-channel - * attacks are outside your threat model), it might be desirable to get rid of - * that dependency. + * DRBG or SHA modules (HMAC-DRBG, CTR-DRBG, SHA-512, SHA-256 or SHA-1). + * For very constrained applications that don't require this protection + * (for example, because you're only doing signature verification, so not + * manipulating any secret, or because local/physical side-channel attacks are + * outside your threat model), it might be desirable to get rid of that + * dependency. * * \warning Enabling this option makes some uses of ECP vulnerable to some * side-channel attacks. Only enable it if you know that's not a problem for