commit 617ee75e983526657c423adc544db57a73880e57
author Gilles Peskine <Gilles.Peskine@arm.com> Wed Jun 25 16:52:01 2025 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Mon Jun 30 13:17:23 2025 +0200
tree 12e99e6c54bc9d421f9adca68898eae2693e7b92
parent cd5abfe7b485b6e81f6115238966657a1ab4eb08

Copyediting and wording improvements

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

docs/4.0-migration-guide/rng-removal.md

diff --git a/docs/4.0-migration-guide/rng-removal.md b/docs/4.0-migration-guide/rng-removal.md
index 8ec273b..447a6ae 100644
--- a/docs/4.0-migration-guide/rng-removal.md
+++ b/docs/4.0-migration-guide/rng-removal.md
@@ -2,57 +2,52 @@
 
 ### Public functions no longer take a RNG callback
 
-The `f_rng` and `p_rng` arguments have been removed from the X509 and SSL modules. All calls to `f_rng` have then been replaced by a call to `psa_generate_random` and all software utilising these modules will now require a call to `psa_crypto_init` prior to calling them.
+Functions that need randomness no longer take an RNG callback in the form of `f_rng, p_rng` arguments. Instead, they use the PSA Crypto random generator (accessible as `psa_generate_random()`). All software using the X.509 or SSL modules must call `psa_crypto_init()` before calling any of the functions listed here.
 
-### Changes in x509
+### Changes in X.509
 
-The following function calls have been changed in x509:
+The following function prototypes have been changed in `mbedtls/x509_crt.h`:
 
 ```c
 int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
                               int (*f_rng)(void *, unsigned char *, size_t),
                               void *p_rng);
-```
 
-```c
 int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
                               int (*f_rng)(void *, unsigned char *, size_t),
                               void *p_rng);
 ```
 
-```c
-int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
-                              int (*f_rng)(void *, unsigned char *, size_t),
-                              void *p_rng);
-```
-
-```c
-int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
-                              int (*f_rng)(void *, unsigned char *, size_t),
-                              void *p_rng);
-```
-
 to
 
 ```c
 int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size);
-```
 
-```c
 int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size);
 ```
 
+The following function prototypes have been changed in `mbedtls/x509_csr.h`:
 ```c
-int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size);
+int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng);
+
+int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng);
 ```
 
+to
+
 ```c
+int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size);
+
 int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size);
 ```
 
 ### Changes in SSL
 
-The following function calls have been changed in SSL:
+The following function prototypes have been changed in `mbedtls/ssl.h`:
 
 ```c
 int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
@@ -116,4 +111,4 @@
 
 ### Removal of `mbedtls_ssl_conf_rng`
 
-`mbedtls_ssl_conf_rng` has been removed from the library as its sole purpose is to configure RNG for ssl and this is no longer required.
+`mbedtls_ssl_conf_rng()` has been removed from the library. Its sole purpose was to configure the RNG used for TLS, but now the PSA Crypto random generator is used throughout the library.