Diffstat (limited to 'doc')
-rw-r--r-- | doc/cha-internals.texi | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi index 532057d51a..4cb3364d8c 100644 --- a/doc/cha-internals.texi +++ b/doc/cha-internals.texi @@ -527,7 +527,13 @@ For more information see @ref{Hardware security modules and abstract key types}. @node Random Number Generators-internals @section Random Number Generators -@subheading Inner workings +@subheading About the generators + +GnuTLS provides two random generators. The default, and the AES-DRBG random +generator which is only used when the library is compiled with support for +FIPS140-2 and the system is in FIPS140-2 mode. + +@subheading The default generator - inner workings The random number generator levels in @code{gnutls_rnd_level_t} map to two CHACHA-based random generators which are initially seeded using the OS random device, e.g., @code{/dev/urandom} @@ -575,6 +581,17 @@ a re-key of the PRNG using its own output, is additionally performed. That ensur the recovery of the PRNG state will not be sufficient to recover previously generated values. +@subheading The AES-DRBG generator - inner workings + +Similar with the default generator, the random number generator levels in @code{gnutls_rnd_level_t} map to two +AES-DRBG random generators which are initially seeded using the OS random device, +e.g., @code{/dev/urandom} or @code{getrandom()}. These random generators are +unique per thread, and are automatically re-seeded when a fork is detected. + +The AES-DRBG generator is based on the AES cipher in counter mode and is +re-seeded after a fixed amount of bytes are generated. + + @subheading Defense against PRNG attacks This section describes the counter-measures available in the Pseudo-random number generator (PRNG) |
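Review bot: In the first hunk (`@@ -527,7 +527,13 @@`), the new "About the generators" paragraph is a sentence fragment: "The default, and the AES-DRBG random generator which is only used when ..." has no main clause. Suggest rewording to "GnuTLS provides two random generators: the default generator, and the AES-DRBG generator, which is used only when the library is compiled with support for FIPS140-2 and the system is in FIPS140-2 mode." A comma before "which" also makes clear that the FIPS140-2 condition qualifies only the AES-DRBG generator, not both.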
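Review bot: In the second hunk (`@@ -575,6 +581,17 @@`), the new AES-DRBG subsection is less specific than the default-generator subsection it mirrors: "re-seeded after a fixed amount of bytes are generated" names neither the threshold nor where it is defined, and the hunk does not say whether the re-key-from-own-output step described for the default generator (the context lines "a re-key of the PRNG using its own output, is additionally performed ...") applies to AES-DRBG as well. Suggest stating the reseed interval (or a cross-reference to the value) and saying explicitly whether the backtracking-resistance measure applies. Two smaller points: "Similar with the default generator" should read "Similarly to the default generator", and the hunk leaves two consecutive blank lines before "@subheading Defense against PRNG attacks" where the file otherwise uses one.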