Move subsections
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
diff --git a/docs/3.0-migration-guide.md b/docs/3.0-migration-guide.md
index 8b3275c..06f389d 100644
--- a/docs/3.0-migration-guide.md
+++ b/docs/3.0-migration-guide.md
@@ -137,36 +137,6 @@
Please also refer to the section [High-level crypto](#high-level-crypto) for
changes that could sit in either category.
-### The RNG parameter is now mandatory for all functions that accept one
-
-This change affects all users who called a function accepting a `f_rng`
-parameter with `NULL` as the value of this argument; this is no longer
-supported.
-
-The changed functions are: the X.509 CRT and CSR writing functions; the PK and
-RSA sign and decrypt functions; `mbedtls_rsa_private()`; the functions in DHM
-and ECDH that compute the shared secret; the scalar multiplication functions in
-ECP.
-
-You now need to pass a properly seeded, cryptographically secure RNG to all
-functions that accept a `f_rng` parameter. It is of course still possible to
-pass `NULL` as the context pointer `p_rng` if your RNG function doesn't need a
-context.
-
-Alternative implementations of a module (enabled with the `MBEDTLS_module_ALT`
-configuration options) may have their own internal and are free to ignore the
-`f_rng` argument but must allow users to pass one anyway.
-
-### Some functions gained an RNG parameter
-
-This affects users of the following functions: `mbedtls_ecp_check_pub_priv()`,
-`mbedtls_pk_check_pair()`, `mbedtls_pk_parse_key()`, and
-`mbedtls_pk_parse_keyfile()`.
-
-You now need to pass a properly seeded, cryptographically secure RNG when
-calling these functions. It is used for blinding, a countermeasure against
-side-channel attacks.
-
### Deprecated functions were removed from bignum
The function `mbedtls_mpi_is_prime()` was removed. Please use
@@ -476,6 +446,36 @@
those functions. In this case, you'll need to update the type of your pointers
in order to match the new signature.
+### The RNG parameter is now mandatory for all functions that accept one
+
+This change affects all users who called a function accepting a `f_rng`
+parameter with `NULL` as the value of this argument; this is no longer
+supported.
+
+The changed functions are: the X.509 CRT and CSR writing functions; the PK and
+RSA sign and decrypt functions; `mbedtls_rsa_private()`; the functions in DHM
+and ECDH that compute the shared secret; the scalar multiplication functions in
+ECP.
+
+You now need to pass a properly seeded, cryptographically secure RNG to all
+functions that accept a `f_rng` parameter. It is of course still possible to
+pass `NULL` as the context pointer `p_rng` if your RNG function doesn't need a
+context.
+
+Alternative implementations of a module (enabled with the `MBEDTLS_module_ALT`
+configuration options) may have their own internal and are free to ignore the
+`f_rng` argument but must allow users to pass one anyway.
+
+### Some functions gained an RNG parameter
+
+This affects users of the following functions: `mbedtls_ecp_check_pub_priv()`,
+`mbedtls_pk_check_pair()`, `mbedtls_pk_parse_key()`, and
+`mbedtls_pk_parse_keyfile()`.
+
+You now need to pass a properly seeded, cryptographically secure RNG when
+calling these functions. It is used for blinding, a countermeasure against
+side-channel attacks.
+
## PSA
