Remove rand() from p256_generate_random() and move to an implementation based on mbedtls_ctr_drbg

Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
2026-03-20 19:21:09 +01:00 · 2023-02-14 14:55:49 +00:00
parent caed18e741
commit bac592d53e
4 changed files with 36 additions and 11 deletions
--- a/3rdparty/p256-m/README.md
+++ b/3rdparty/p256-m/README.md
@@ -1,3 +1,4 @@
-The files within the `p256-m/` subdirectory originate from the [p256-m GitHub repository](https://github.com/mpg/p256-m), which is distributed under the Apache 2.0 license. They are authored by Manuel Pégourié-Gonnard. The files `p256-m.c` and `.h` have been taken from the repository. p256-m is a minimalistic implementation of ECDH and ECDSA on NIST P-256, especially suited to constrained 32-bit environments. Mbed TLS documentation for integrating drivers uses p256-m as an example of a software accelerator, and describes how it can be integrated alongside Mbed TLS.
+The files within the `p256-m/` subdirectory originate from the [p256-m GitHub repository](https://github.com/mpg/p256-m), which is distributed under the Apache 2.0 license. They are authored by Manuel Pégourié-Gonnard. p256-m is a minimalistic implementation of ECDH and ECDSA on NIST P-256, especially suited to constrained 32-bit environments. Mbed TLS documentation for integrating drivers uses p256-m as an example of a software accelerator, and describes how it can be integrated alongside Mbed TLS.

-It should be noted that p256-m does not supply its own cryptographically secure RNG function. An implementation based on `rand()` (taken from `benchmark.c` in the p256-m repo) has been added to `p256-m.c` to support key generation. This means that while key generation will work, p256-m's key generation entry point should not be called in production builds.
+The files `p256-m.c` and `.h`, along with the license, have been taken from the `p256-m` repository.
+It should be noted that p256-m deliberately does not supply its own cryptographically secure RNG function. As a result, an RNG function using `mbedtls_ctr_dbrg` has been implemented and added to `p256m.c`.
--- a/3rdparty/p256-m/p256-m/p256-m.c
+++ b/3rdparty/p256-m/p256-m/p256-m.c
@@ -6,7 +6,11 @@
 */

 #include "p256-m.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+#include <stdio.h>
 #include <stdlib.h>
+#include <string.h>

 /*
 * Zeroize memory - this should not be optimized away
@@ -1149,14 +1153,36 @@ static int scalar_from_bytes(uint32_t s[8], const uint8_t p[32])
    return -1;
 }

-/* test version based on stdlib - never do this in production! */
+/* Using RNG functions from Mbed TLS as p256-m does not come with a
+ * cryptographically secure RNG function.
+ */
 int p256_generate_random(uint8_t *output, unsigned output_size)
 {
-    for (unsigned i = 0; i < output_size; i++) {
-        output[i] = (uint8_t) rand();
+#if defined(MBEDTLS_CTR_DRBG_C)
+    mbedtls_entropy_context entropy;
+    mbedtls_ctr_drbg_context ctr_drbg;
+    char *personalization = "p256m";
+    mbedtls_entropy_init(&entropy);
+    mbedtls_ctr_drbg_init(&ctr_drbg);
+    int ret;
+
+    ret = mbedtls_ctr_drbg_seed(&ctr_drbg , mbedtls_entropy_func, &entropy,
+                                (const unsigned char *) personalization,
+                                strlen(personalization));
+    if (ret != 0) {
+        goto exit;
    }

-    return 0;
+    ret = mbedtls_ctr_drbg_random(&ctr_drbg, output, output_size);
+    if (ret != 0) {
+        goto exit;
+    }
+
+    return P256_SUCCESS;
+#endif
+
+exit:
+    return P256_RANDOM_FAILED;
 }

 /*