Why is the default cryptographic PRNG in WICED not actually cryptographically secure?

Anonymous

I'm looking at WICED 3.5.2, which has what looks like a crypto PRNG. In the file named "wiced_crypto.c", the default PRNG implementation is initialised like this:

static wiced_crypto_prng_t prng_well512 =
{
    .get_random  = &prng_well512_get_random,
    .add_entropy = &prng_well512_add_entropy
};

It's using the WELL512 algorithm, which is not cryptographically secure. It even has this comment:

static uint32_t prng_well512_get_random( void )
{
    /*
     * Implementation of WELL (Well equidistributed long-period linear) pseudorandom number generator.
     * Use WELL512 source code placed by inventor to public domain.
     *
     * This is NOT cryptographically secure pseudorandom number generator (CSPRNG).
     * If need CSPRNG please use third party implementation, for example OpenSSL (it includes CPRNG),
     * FORTUNA algorithm (implementation can be found in PostgresSQL).
     * Current PRNG can be used for seeding them.
     */

So, why in the world is this code there? Why is a PRNG that's explicitly stated to be not cryptographically secure used in a module with a name that implies cryptographic security?

0 Likes
6 Replies
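An added illustration, not part of the original post and not WICED code: the "linear" in WELL is what rules it out as a CSPRNG, and the check below shows that the output from the XOR of two states always equals the XOR of the two outputs. The step function is WELL512 in its commonly published public-domain form (assumed to match what `prng_well512_get_random` wraps), and `fill_state` with its seed values is constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>

/* WELL512 step in its commonly published public-domain form (assumed here;
 * not copied from wiced_crypto.c). Only XOR, shifts and constant masks. */
typedef struct { uint32_t s[16]; unsigned idx; } well512_t;

static uint32_t well512_next(well512_t *g)
{
    uint32_t a = g->s[g->idx];
    uint32_t c = g->s[(g->idx + 13) & 15];
    uint32_t b = a ^ c ^ (a << 16) ^ (c << 15);
    c = g->s[(g->idx + 9) & 15];
    c ^= c >> 11;
    a = g->s[g->idx] = b ^ c;
    uint32_t d = a ^ ((a << 5) & 0xDA442D24u);
    g->idx = (g->idx + 15) & 15;
    a = g->s[g->idx];
    g->s[g->idx] = a ^ b ^ d ^ (a << 2) ^ (b << 18) ^ (c << 28);
    return g->s[g->idx];
}

/* Constructed sample seeding: expand a 32-bit value into 16 words (LCG). */
static void fill_state(well512_t *g, uint32_t seed)
{
    for (int i = 0; i < 16; i++) {
        seed = seed * 1664525u + 1013904223u;
        g->s[i] = seed;
    }
    g->idx = 0;
}

/* Count outputs where out(A ^ B) != out(A) ^ out(B). Zero violations means
 * the generator is linear over GF(2): every output bit is a fixed XOR of
 * state bits, which is incompatible with cryptographic unpredictability. */
static int linearity_violations(uint32_t seed_a, uint32_t seed_b, int n)
{
    well512_t a, b, x;
    int bad = 0;
    fill_state(&a, seed_a);
    fill_state(&b, seed_b);
    x.idx = 0;
    for (int i = 0; i < 16; i++) x.s[i] = a.s[i] ^ b.s[i];
    for (int i = 0; i < n; i++)
        if (well512_next(&x) != (well512_next(&a) ^ well512_next(&b))) bad++;
    return bad;
}

int main(void)
{
    printf("violations: %d\n", linearity_violations(1u, 2u, 100000));
    return 0;
}
```

A generator built on a hash or block cipher would fail this identity almost immediately, which is why the source comment points to designs such as Fortuna for key material.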