From 47dd345f3ab3f0152a046fc1211314d8a4f1b200 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 14 Aug 2017 19:02:45 +0200 Subject: doc: mention the AES-DRBG random generator [ci skip] Signed-off-by: Nikos Mavrogiannopoulos --- NEWS | 5 +++++ doc/cha-internals.texi | 19 ++++++++++++++++++- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 494ae159aa..540d79d669 100644 --- a/NEWS +++ b/NEWS @@ -17,6 +17,11 @@ See the end for copying conditions. Resolves gitlab issue #141. http://nmav.gnutls.org/2017/03/improving-by-simplifying-gnutls-prng.html +** libgnutls: Replaced the Salsa20 random generator with one based on CHACHA. + The goal is to reduce code needed in cache (CHACHA is also used for TLS), + and the number of primitives used by the library. That does not affect the + AES-DRBG random generator used in FIPS140-2 mode. + ** libgnutls: Added support for RSA-PSS key type as well as signatures in certificates, and TLS key exchange. Contributed by Daiki Ueno. RSA-PSS signatures can be generated by RSA-PSS keys and normal RSA keys, diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi index 532057d51a..4cb3364d8c 100644 --- a/doc/cha-internals.texi +++ b/doc/cha-internals.texi @@ -527,7 +527,13 @@ For more information see @ref{Hardware security modules and abstract key types}. @node Random Number Generators-internals @section Random Number Generators -@subheading Inner workings +@subheading About the generators + +GnuTLS provides two random generators. The default, and the AES-DRBG random +generator which is only used when the library is compiled with support for +FIPS140-2 and the system is in FIPS140-2 mode. + +@subheading The default generator - inner workings The random number generator levels in @code{gnutls_rnd_level_t} map to two CHACHA-based random generators which are initially seeded using the OS random device, e.g., @code{/dev/urandom} 
@@ -575,6 +581,17 @@ a re-key of the PRNG using its own output, is additionally performed. That ensur the recovery of the PRNG state will not be sufficient to recover previously generated values. +@subheading The AES-DRBG generator - inner workings + +Similar with the default generator, the random number generator levels in @code{gnutls_rnd_level_t} map to two +AES-DRBG random generators which are initially seeded using the OS random device, +e.g., @code{/dev/urandom} or @code{getrandom()}. These random generators are +unique per thread, and are automatically re-seeded when a fork is detected. + +The AES-DRBG generator is based on the AES cipher in counter mode and is +re-seeded after a fixed amount of bytes are generated. + + @subheading Defense against PRNG attacks This section describes the counter-measures available in the Pseudo-random number generator (PRNG) -- cgit v1.2.1
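Review bot: In the NEWS hunk, "reduce code needed in cache" is unclear; the intent appears to be the instruction-cache footprint, so "reduce the amount of code kept in cache (CHACHA is also used for TLS)" would read better. The entry also mixes the spellings "Salsa20" and "CHACHA"; the usual casing for the latter is "ChaCha", and whichever form is chosen should match the one used in doc/cha-internals.texi ("CHACHA-based random generators").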
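Review bot: In the first doc/cha-internals.texi hunk, "The default, and the AES-DRBG random generator which is only used when ..." is a sentence fragment, and the default generator is never named in this paragraph even though the next subheading describes it. Suggest: "GnuTLS provides two random generators: the default generator, and the AES-DRBG generator, which is used only when the library is compiled with support for FIPS140-2 and the system is in FIPS140-2 mode."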
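Review bot: In the second doc/cha-internals.texi hunk, "Similar with the default generator" should be "As with the default generator", and "re-seeded after a fixed amount of bytes are generated" leaves the threshold unstated; either give the byte count or point to where it is defined. Since the preceding context describes the re-key-on-own-output protection for the default generator and the following subheading is "Defense against PRNG attacks", the new AES-DRBG paragraph should also say whether those counter-measures apply to the AES-DRBG generator or only to the default one.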