Move the X.509 and SSL content from the crypto migration guide
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/docs/4.0-migration-guide/rng-removal.md b/docs/4.0-migration-guide/rng-removal.md
new file mode 100644
index 0000000..8ec273b
--- /dev/null
+++ b/docs/4.0-migration-guide/rng-removal.md
@@ -0,0 +1,119 @@
+## RNG removal
+
+### Public functions no longer take a RNG callback
+
+The `f_rng` and `p_rng` arguments have been removed from the X509 and SSL modules. All calls to `f_rng` have then been replaced by a call to `psa_generate_random` and all software utilising these modules will now require a call to `psa_crypto_init` prior to calling them.
+
+### Changes in x509
+
+The following function calls have been changed in x509:
+
+```c
+int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+```
+
+```c
+int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+```
+
+```c
+int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+```
+
+```c
+int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+```
+
+to
+
+```c
+int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size);
+```
+
+```c
+int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size);
+```
+
+```c
+int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size);
+```
+
+```c
+int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size);
+```
+
+### Changes in SSL
+
+The following function calls have been changed in SSL:
+
+```c
+int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits, uint32_t lifetime);
+```
+
+```c
+int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng);
+```
+
+to
+
+```c
+int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
+ psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits, uint32_t lifetime);
+```
+
+```c
+int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx);
+```
+
+The following structs have also been changed in SSL
+
+```c
+typedef struct mbedtls_ssl_ticket_context {
+ mbedtls_ssl_ticket_key MBEDTLS_PRIVATE(keys)[2]; /*!< ticket protection keys */
+ unsigned char MBEDTLS_PRIVATE(active); /*!< index of the currently active key */
+
+ uint32_t MBEDTLS_PRIVATE(ticket_lifetime); /*!< lifetime of tickets in seconds */
+
+ /** Callback for getting (pseudo-)random numbers */
+ int(*MBEDTLS_PRIVATE(f_rng))(void *, unsigned char *, size_t);
+ void *MBEDTLS_PRIVATE(p_rng); /*!< context for the RNG function */
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
+#endif
+}
+mbedtls_ssl_ticket_context;
+```
+
+
+to
+
+```c
+typedef struct mbedtls_ssl_ticket_context {
+ mbedtls_ssl_ticket_key MBEDTLS_PRIVATE(keys)[2]; /*!< ticket protection keys */
+ unsigned char MBEDTLS_PRIVATE(active); /*!< index of the currently active key */
+
+ uint32_t MBEDTLS_PRIVATE(ticket_lifetime); /*!< lifetime of tickets in seconds */
+
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
+#endif
+}
+mbedtls_ssl_ticket_context;
+```
+
+### Removal of `mbedtls_ssl_conf_rng`
+
+`mbedtls_ssl_conf_rng` has been removed from the library as its sole purpose is to configure RNG for ssl and this is no longer required.