CTR, HASH and HMAC DRBGs in provider

[openssl.git] / doc / man3 / RAND_DRBG_new.pod

diff --git a/doc/man3/RAND_DRBG_new.pod b/doc/man3/RAND_DRBG_new.pod
index 8b7384069711611ca33b5b9164f55e357d735862..cd770fd6738c1f75c4a517b556aad08c36c2dd21 100644 (file)
--- a/doc/man3/RAND_DRBG_new.pod
+++ b/doc/man3/RAND_DRBG_new.pod
@@ -2,7 +2,9 @@
 
 =head1 NAME
 
+RAND_DRBG_new_ex,
 RAND_DRBG_new,
+RAND_DRBG_secure_new_ex,
 RAND_DRBG_secure_new,
 RAND_DRBG_set,
 RAND_DRBG_set_defaults,
@@ -15,18 +17,24 @@ RAND_DRBG_free
 
  #include <openssl/rand_drbg.h>
 
+ RAND_DRBG *RAND_DRBG_new_ex(OPENSSL_CTX *ctx,
+                             int type,
+                             unsigned int flags,
+                             RAND_DRBG *parent);
 
  RAND_DRBG *RAND_DRBG_new(int type,
                           unsigned int flags,
                           RAND_DRBG *parent);
 
+ RAND_DRBG *RAND_DRBG_secure_new_ex(OPENSSL_CTX *ctx,
+                                    int type,
+                                    unsigned int flags,
+                                    RAND_DRBG *parent);
+
  RAND_DRBG *RAND_DRBG_secure_new(int type,
                                  unsigned int flags,
                                  RAND_DRBG *parent);
 
- int RAND_DRBG_set(RAND_DRBG *drbg,
-                   int type, unsigned int flags);
-
  int RAND_DRBG_set_defaults(int type, unsigned int flags);
 
  int RAND_DRBG_instantiate(RAND_DRBG *drbg,
@@ -36,15 +44,27 @@ RAND_DRBG_free
 
  void RAND_DRBG_free(RAND_DRBG *drbg);
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
+ int RAND_DRBG_set(RAND_DRBG *drbg,
+                   int type, unsigned int flags);
 
 =head1 DESCRIPTION
 
-RAND_DRBG_new() and RAND_DRBG_secure_new()
-create a new DRBG instance of the given B<type>, allocated from the heap resp.
-the secure heap
-(using OPENSSL_zalloc() resp. OPENSSL_secure_zalloc()).
+RAND_DRBG_new_ex() and RAND_DRBG_secure_new_ex() create a new DRBG instance
+of the given B<type> for the given OPENSSL_CTX <ctx>.
+The <ctx> parameter can be NULL in which case the default OPENSSL_CTX is used.
+RAND_DRBG_new() and RAND_DRBG_secure_new() are the same as RAND_DRBG_new_ex()
+and RAND_DRBG_secure_new_ex() except that the default OPENSSL_CTX is always
+used.
+As of OpenSSL 3.0, there is no different between the new and secure_new
+functions.
 
 RAND_DRBG_set() initializes the B<drbg> with the given B<type> and B<flags>.
+This function is deprecated.  Applications should instead use
+RAND_DRBG_new_ex() to create a new DRBG.
 
 RAND_DRBG_set_defaults() sets the default B<type> and B<flags> for new DRBG
 instances.
@@ -108,8 +128,9 @@ uninstantiated state.
 =head1 RETURN VALUES
 
 
-RAND_DRBG_new() and RAND_DRBG_secure_new() return a pointer to a DRBG
-instance allocated on the heap, resp. secure heap.
+RAND_DRBG_new_ex(), RAND_DRBG_new(), RAND_DRBG_secure_new_ex() and
+RAND_DRBG_secure_new() return a pointer to a DRBG instance allocated on the
+heap.
 
 RAND_DRBG_set(),
 RAND_DRBG_instantiate(), and
@@ -134,6 +155,11 @@ To ensure that they are applied to the global and thread-local DRBG instances
 RAND_DRBG_set_defaults() before creating any thread and before calling any
 cryptographic routines that obtain random data directly or indirectly.
 
+As of OpenSSL 3.0, RAND_DRBG_new() and RAND_DRBG_secure_new() are
+functionally identical.  The DRBG is allocated on the normal heap and its
+sensitive state is allocated on the secure heap.  Likewise for,
+RAND_DRBG_new_ex() and RAND_DRBG_secure_new_ex().
+
 =head1 SEE ALSO
 
 L<OPENSSL_zalloc(3)>,
@@ -143,6 +169,8 @@ L<RAND_DRBG(7)>
 
 =head1 HISTORY
 
+The RAND_DRBG_set() function was deprecated in OpenSSL 3.0.
+
 The RAND_DRBG functions were added in OpenSSL 1.1.1.
 
 =head1 COPYRIGHT