Document new random generator in NEWS and CHANGES

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5344)

diff --git a/CHANGES b/CHANGES
index b94b8e97269f26df274054929b24983b6f12c55f..5c0c2ea40767bbf212f4f5e19b01c9ca4bc9ce95 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -29,6 +29,25 @@
      TODO(TLS1.3): Remove the above note before final release
      [Matt Caswell]
 
+  *) Grand redesign of the OpenSSL random generator
+
+     The default RAND method now utilizes an AES-CTR DRBG according to
+     NIST standard SP 800-90Ar1. The new random generator is essentially
+     a port of the default random generator from the OpenSSL FIPS 2.0
+     object module. It is a hybrid deterministic random bit generator
+     using an AES-CTR bit stream and which seeds and reseeds itself
+     automatically using trusted system entropy sources.
+
+     Some of its new features are:
+      o Support for multiple DRBG instances with seed chaining.
+      o Add a public DRBG instance for the default RAND method.
+      o Add a dedicated DRBG instance for generating long term private keys.
+      o Make the DRBG instances fork-safe.
+      o Keep all global DRBG instances on the secure heap if it is enabled.
+      o Add a DRBG instance to every SSL instance for lock free operation
+        and to increase unpredictability.
+     [Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]
+
   *) Changed Configure so it only says what it does and doesn't dump
      so much data.  Instead, ./configdata.pm should be used as a script
      to display all sorts of configuration data.

diff --git a/NEWS b/NEWS
index 7a15e8653f45e9cf35a496f232caffeafd5160e9..909ffed7cd3421f587d170685547c3d1cbf9b00d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,7 @@
       o Add SHA3
       o Rewrite of devcrypto engine
       o Add support for SipHash
+      o Grand redesign of the OpenSSL random generator
 
   Major changes between OpenSSL 1.1.0g and OpenSSL 1.1.0h [under development]