Add ChangeLog and migration guide entries

Merge part of the RSA entries into this one, as I think it's easier for
users to have all similar changes in one place regardless of whether
they were introduce in the same PR or not.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

ChangeLog.d/mandatory-rng-param.txt

@@ -0,0 +1,12 @@
+API changes
+   * For all functions that take an RNG parameter, this parameter is now
+     mandatory (that is, NULL is not an acceptable value). Functions which
+     previously accepted NULL and now reject it are: the X.509 CRT and CSR
+     writing functions; the PK sign and decrypt function; the RSA encrypt,
+     decrypt, sign and private functions; the function in DHM and ECDH that
+     compute the share secret; the scalar multiplication functions in ECP.
+   * The following functions now require an RNG parameter:
+     mbedtls_ecp_check_pub_priv(), mbedtls_pk_check_pair(),
+     mbedtls_pk_parse_key(), mbedtls_pk_parse_keyfile().
+   * The configuration option MBEDTLS_ECP_NO_INTERNAL_RNG has been removed as
+     it no longer had any effect.

ChangeLog.d/remove-rsa-mode-parameter.txt

@@ -6,4 +6,3 @@ API changes
      decryption functions now always use the private key and verification and
      encryption use the public key. Verification functions also no longer have
      RNG parameters.
-   * The RNG is now mandatory for all private-key RSA operations.

docs/3.0-migration-guide.d/mandatory-rng-param.md

@@ -0,0 +1,36 @@
+The RNG parameter is now mandatory for all functions that accept one
+--------------------------------------------------------------------
+
+This change affects all users who called a function accepting a `f_rng`
+parameter with `NULL` as the value of this argument; this is no longer
+supported.
+
+The changed functions are: the X.509 CRT and CSR writing functions; the PK
+sign and decrypt function; the RSA encrypt, decrypt, sign and private
+functions; the functions in DHM and ECDH that compute the share secret; the
+scalar multiplication functions in ECP.
+
+You now need to pass a properly seeded, cryptographically secure RNG to all
+functions that accept a `f_rng` parameter. It is of course still possible to
+pass `NULL` as the context pointer `p_rng` if your RNG function doesn't need a
+context.
+
+Some functions gained an RNG parameter
+--------------------------------------
+
+This affects users of the following functions: `mbedtls_ecp_check_pub_priv()`,
+`mbedtls_pk_check_pair()`, `mbedtls_pk_parse_key()`, and
+`mbedtls_pk_parse_keyfile()`.
+
+You now need to pass a properly seeded, cryptographically secure RNG when
+calling these functions. It is used for blinding, a counter-measure against
+side-channel attacks.
+
+The configuration option `MBEDTLS_ECP_NO_INTERNAL_RNG` was removed
+------------------------------------------------------------------
+
+This doesn't affect users of the default configuration; it only affects people
+who were explicitly setting this option.
+
+This was a trade-off between code size and counter-measures; it is no longer
+relevant as the counter-measure is now always on at no cost in code size.

docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md

@@ -19,11 +19,3 @@ RSA verification functions also no longer take random generator arguments (this
 was only needed when using a private key). This affects all applications using
 the RSA verify functions.
 
-RNG is now mandatory in all RSA private key operations
-------------------------------------------------------
-
-The random generator is now mandatory for blinding in all RSA private-key
-operations (`mbedtls_rsa_private`, `mbedtls_rsa_xxx_sign`,
-`mbedtls_rsa_xxx_decrypt`) as well as for encryption
-(`mbedtls_rsa_xxx_encrypt`). This means that passing a null `f_rng` is no longer
-supported.