Merge branch 'bugfix/cleanup_ctr_drbg' into 'master'

wpa_supplicant: Replace use of mbedtls_ctr_drbg with esp_mbedtls_random()

Closes IDFGH-14978

See merge request espressif/esp-idf!39221

Author: kapilkedawat

components/mbedtls/port/esp_hardware.c

@@ -9,6 +9,7 @@
 #include <stdlib.h>
 #include <stdio.h>
 #include "esp_random.h"
+#include "mbedtls/esp_mbedtls_random.h"
 
 #include <entropy_poll.h>
 
@@ -23,3 +24,10 @@ int mbedtls_hardware_poll( void *data,
     *olen = len;
     return 0;
 }
+
+int mbedtls_esp_random(void *ctx, unsigned char *buf, size_t len)
+{
+    (void) ctx; // unused
+    esp_fill_random(buf, len);
+    return 0;
+}

components/mbedtls/port/include/mbedtls/esp_mbedtls_random.h

@@ -0,0 +1,32 @@
+/*
+ * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+#pragma once
+
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * @brief MbedTLS-compatible RNG function
+ *
+ * @note Suitable for passing as f_rng to various MbedTLS APIs that require it.
+ *       It uses esp_fill_random internally, and the caller must ensure that the
+ *       entropy sources of the RNG peripheral are enabled correctly. See the RNG
+ *       chapter in the TRM for more details.
+ *
+ * @param ctx User-supplied context
+ * @param buf Pointer to a buffer to fill with random numbers
+ * @param len Length of the buffer in bytes
+ *
+ * @return 0 on success
+ */
+int mbedtls_esp_random(void *ctx, unsigned char *buf, size_t len);
+
+#ifdef __cplusplus
+}
+#endif

components/mbedtls/test_apps/main/test_ds_sign_and_decrypt.c

@@ -21,7 +21,7 @@ static heap_trace_record_t trace_record[NUM_RECORDS]; // This buffer must be in
 #include "esp_ds.h"
 #include "esp_ds/esp_ds_rsa.h"
 
-int mbedtls_esp_random(void *ctx, unsigned char *output, size_t len)
+static int mbedtls_esp_random(void *ctx, unsigned char *output, size_t len)
 {
     if (len == 0 || output == NULL) {
         return -1;

components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-bignum.c

@@ -7,6 +7,7 @@
 #ifdef ESP_PLATFORM
 #include "esp_system.h"
 #include "mbedtls/bignum.h"
+#include "mbedtls/esp_mbedtls_random.h"
 #endif
 
 #include "utils/includes.h"
@@ -16,11 +17,6 @@
 #include "sha256.h"
 #include "mbedtls/pk.h"
 
-static int crypto_rng_wrapper(void *ctx, unsigned char *buf, size_t len)
-{
-    return random_get_bytes(buf, len);
-}
-
 struct crypto_bignum *crypto_bignum_init(void)
 {
     mbedtls_mpi *bn = os_zalloc(sizeof(mbedtls_mpi));
@@ -220,7 +216,7 @@ int crypto_bignum_is_odd(const struct crypto_bignum *a)
 int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
 {
     return ((mbedtls_mpi_random((mbedtls_mpi *) r, 0, (const mbedtls_mpi *) m,
-                                crypto_rng_wrapper, NULL) != 0) ? -1 : 0);
+                                mbedtls_esp_random, NULL) != 0) ? -1 : 0);
 }
 
 int crypto_bignum_legendre(const struct crypto_bignum *a,

components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c

@@ -7,6 +7,7 @@
 #ifdef ESP_PLATFORM
 #include "esp_system.h"
 #include "mbedtls/bignum.h"
+#include "mbedtls/esp_mbedtls_random.h"
 #endif
 
 #include "utils/includes.h"
@@ -16,8 +17,6 @@
 #include "random.h"
 
 #include "mbedtls/ecp.h"
-#include "mbedtls/entropy.h"
-#include "mbedtls/ctr_drbg.h"
 
 #include "mbedtls/pk.h"
 #include "mbedtls/ecdh.h"
@@ -36,10 +35,6 @@
 #endif
 
 #ifdef CONFIG_ECC
-static int crypto_rng_wrapper(void *ctx, unsigned char *buf, size_t len)
-{
-    return random_get_bytes(buf, len);
-}
 
 struct crypto_ec *crypto_ec_init(int group)
 {
@@ -294,24 +289,14 @@ int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p,
                         struct crypto_ec_point *res)
 {
     int ret;
-    mbedtls_entropy_context entropy;
-    mbedtls_ctr_drbg_context ctr_drbg;
-
-    mbedtls_entropy_init(&entropy);
-    mbedtls_ctr_drbg_init(&ctr_drbg);
-
-    MBEDTLS_MPI_CHK(mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
-                                          NULL, 0));
-
     MBEDTLS_MPI_CHK(mbedtls_ecp_mul((mbedtls_ecp_group *)e,
                                     (mbedtls_ecp_point *) res,
                                     (const mbedtls_mpi *)b,
                                     (const mbedtls_ecp_point *)p,
-                                    mbedtls_ctr_drbg_random,
-                                    &ctr_drbg));
+                                    mbedtls_esp_random,
+                                    NULL));
+
 cleanup:
-    mbedtls_ctr_drbg_free(&ctr_drbg);
-    mbedtls_entropy_free(&entropy);
     return ret ? -1 : 0;
 }
 
@@ -491,23 +476,10 @@ int crypto_ec_point_cmp(const struct crypto_ec *e,
 
 int crypto_ec_key_compare(struct crypto_ec_key *key1, struct crypto_ec_key *key2)
 {
-    int ret = 0;
-    mbedtls_entropy_context entropy;
-    mbedtls_ctr_drbg_context ctr_drbg;
-
-    mbedtls_entropy_init(&entropy);
-    mbedtls_ctr_drbg_init(&ctr_drbg);
-
-    MBEDTLS_MPI_CHK(mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0));
-    if (mbedtls_pk_check_pair((mbedtls_pk_context *)key1, (mbedtls_pk_context *)key2, mbedtls_ctr_drbg_random, &ctr_drbg) < 0) {
-        goto cleanup;
+    if (mbedtls_pk_check_pair((mbedtls_pk_context *)key1, (mbedtls_pk_context *)key2, mbedtls_esp_random, NULL) < 0) {
+        return 0;
     }
-
-    ret = 1;
-cleanup:
-    mbedtls_ctr_drbg_free(&ctr_drbg);
-    mbedtls_entropy_free(&entropy);
-    return ret;
+    return 1;
 }
 
 void crypto_debug_print_point(const char *title, struct crypto_ec *e,
@@ -707,7 +679,7 @@ struct crypto_ec_key *crypto_ec_key_parse_priv(const u8 *privkey, size_t privkey
         wpa_printf(MSG_ERROR, "memory allocation failed");
         return NULL;
     }
-    ret = mbedtls_pk_parse_key(kctx, privkey, privkey_len, NULL, 0, crypto_rng_wrapper, NULL);
+    ret = mbedtls_pk_parse_key(kctx, privkey, privkey_len, NULL, 0, mbedtls_esp_random, NULL);
 
     if (ret < 0) {
         //crypto_print_error_string(ret);
@@ -763,17 +735,8 @@ int crypto_ecdh(struct crypto_ec_key *key_own, struct crypto_ec_key *key_peer,
     mbedtls_ecdh_context *ctx = NULL;
     mbedtls_pk_context *own = (mbedtls_pk_context *)key_own;
     mbedtls_pk_context *peer = (mbedtls_pk_context *)key_peer;
-    mbedtls_entropy_context entropy;
-    mbedtls_ctr_drbg_context ctr_drbg;
     int ret = -1;
 
-    mbedtls_entropy_init(&entropy);
-    mbedtls_ctr_drbg_init(&ctr_drbg);
-
-    if (mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0) < 0) {
-        goto fail;
-    }
-
     *secret_len = 0;
     ctx = os_malloc(sizeof(*ctx));
     if (!ctx) {
@@ -801,7 +764,7 @@ int crypto_ecdh(struct crypto_ec_key *key_own, struct crypto_ec_key *key_peer,
     }
 
     if (mbedtls_ecdh_calc_secret(ctx, secret_len, secret, DPP_MAX_SHARED_SECRET_LEN,
-                                 mbedtls_ctr_drbg_random, &ctr_drbg) < 0) {
+                                 mbedtls_esp_random, NULL) < 0) {
         wpa_printf(MSG_ERROR, "failed to calculate secret");
         goto fail;
     }
@@ -814,8 +777,6 @@ int crypto_ecdh(struct crypto_ec_key *key_own, struct crypto_ec_key *key_peer,
     ret = 0;
 
 fail:
-    mbedtls_ctr_drbg_free(&ctr_drbg);
-    mbedtls_entropy_free(&entropy);
     if (ctx) {
         mbedtls_ecdh_free(ctx);
         os_free(ctx);
@@ -840,7 +801,7 @@ int crypto_ecdsa_get_sign(unsigned char *hash,
         goto fail;
     }
     ret = mbedtls_ecdsa_sign(&ctx->MBEDTLS_PRIVATE(grp), (mbedtls_mpi *)r, (mbedtls_mpi *)s,
-                             &ctx->MBEDTLS_PRIVATE(d), hash, SHA256_MAC_LEN, crypto_rng_wrapper, NULL);
+                             &ctx->MBEDTLS_PRIVATE(d), hash, SHA256_MAC_LEN, mbedtls_esp_random, NULL);
 
 fail:
     mbedtls_ecdsa_free(ctx);
@@ -939,7 +900,7 @@ struct crypto_ec_key * crypto_ec_key_gen(u16 ike_group)
     }
 
     mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1, mbedtls_pk_ec(*kctx), //get this from argument
-                        crypto_rng_wrapper, NULL);
+                        mbedtls_esp_random, NULL);
 
     return (struct crypto_ec_key *)kctx;
 fail:
@@ -1124,8 +1085,6 @@ void crypto_ecdh_deinit(struct crypto_ecdh *ecdh)
 
 struct crypto_ecdh * crypto_ecdh_init(int group)
 {
-    mbedtls_ctr_drbg_context ctr_drbg;
-    mbedtls_entropy_context entropy;
     mbedtls_ecdh_context *ctx;
 
     ctx = os_zalloc(sizeof(*ctx));
@@ -1143,33 +1102,19 @@ struct crypto_ecdh * crypto_ecdh_init(int group)
         goto fail;
     }
 
-    /* Initialize CTR_DRBG context */
-    mbedtls_ctr_drbg_init(&ctr_drbg);
-    mbedtls_entropy_init(&entropy);
-
-    /* Seed and setup CTR_DRBG entropy source for future reseeds */
-    if (mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0) != 0) {
-        wpa_printf(MSG_ERROR, "Seeding entropy source failed");
-        goto fail;
-    }
-
     /* Generates ECDH keypair on elliptic curve */
-    if (mbedtls_ecdh_gen_public(ACCESS_ECDH(&ctx, grp), ACCESS_ECDH(&ctx, d), ACCESS_ECDH(&ctx, Q), mbedtls_ctr_drbg_random, &ctr_drbg) != 0) {
+    if (mbedtls_ecdh_gen_public(ACCESS_ECDH(&ctx, grp), ACCESS_ECDH(&ctx, d), ACCESS_ECDH(&ctx, Q), mbedtls_esp_random, NULL) != 0) {
         wpa_printf(MSG_ERROR, "ECDH keypair on curve failed");
         goto fail;
     }
 
-    mbedtls_ctr_drbg_free(&ctr_drbg);
-    mbedtls_entropy_free(&entropy);
     return (struct crypto_ecdh *)ctx;
 fail:
     if (ctx) {
         mbedtls_ecdh_free(ctx);
         os_free(ctx);
         ctx = NULL;
     }
-    mbedtls_ctr_drbg_free(&ctr_drbg);
-    mbedtls_entropy_free(&entropy);
     return NULL;
 }
 
@@ -1217,18 +1162,6 @@ struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
         return 0;
     }
 
-    mbedtls_ctr_drbg_context ctr_drbg;
-    mbedtls_entropy_context entropy;
-
-    /* Initialize CTR_DRBG context */
-    mbedtls_ctr_drbg_init(&ctr_drbg);
-    mbedtls_entropy_init(&entropy);
-
-    /* Seed and setup CTR_DRBG entropy source for future reseeds */
-    if (mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0) != 0) {
-        wpa_printf(MSG_ERROR, "Seeding entropy source failed");
-        goto cleanup;
-    }
     len_prime = ACCESS_ECDH(ctx, grp).pbits / 8;
     bn_x = crypto_bignum_init_set(key, len);
 
@@ -1287,7 +1220,7 @@ struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
 
     /* Calculate secret
     z = F(DH(x,Y)) */
-    secret_key = mbedtls_ecdh_calc_secret(ctx, &olen, secret, len_prime, mbedtls_ctr_drbg_random, &ctr_drbg);
+    secret_key = mbedtls_ecdh_calc_secret(ctx, &olen, secret, len_prime, mbedtls_esp_random, NULL);
     if (secret_key != 0) {
         wpa_printf(MSG_ERROR, "Calculation of secret failed");
         goto cleanup;
@@ -1302,8 +1235,6 @@ struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
     crypto_ec_key_deinit(pkey);
     crypto_bignum_deinit(bn_x, 1);
     crypto_ec_point_deinit(ec_pt, 1);
-    mbedtls_ctr_drbg_free(&ctr_drbg);
-    mbedtls_entropy_free(&entropy);
     return sh_secret;
 }