From e69865384f682ec5dfd6470e6afd098aee70e8aa Mon Sep 17 00:00:00 2001 From: Conor Patrick Date: Sun, 3 Jun 2018 00:50:46 -0400 Subject: [PATCH] crypto is sorted out for nrf52 --- ctap_test.py | 53 ++++++++++- ctaphid.c | 61 +++++++------ log.c | 1 + log.h | 1 + main.c | 14 ++- nrf52840/crypto.c | 208 ++++++++++++++++++++++++++++++++++-------- nrf52840/device.c | 2 +- nrf52840/sdk_config.h | 28 +++++- 8 files changed, 289 insertions(+), 79 deletions(-) diff --git a/ctap_test.py b/ctap_test.py index 58022e0..13f432c 100644 --- a/ctap_test.py +++ b/ctap_test.py @@ -369,17 +369,65 @@ class Tester(): exclude_list.append({'id': fake_id1, 'type': 'public-key'}) exclude_list.append({'id': fake_id2, 'type': 'public-key'}) + t1 = time.time() * 1000 attest, data = self.client.make_credential(rp, user, challenge, pin = PIN, exclude_list = []) + t2 = time.time() * 1000 attest.verify(data.hash) + print('Register valid (%d ms)' % (t2-t1)) cred = attest.auth_data.credential_data creds.append(cred) allow_list = [{'id':creds[0].credential_id, 'type': 'public-key'}] + t1 = time.time() * 1000 assertions, client_data = self.client.get_assertion(rp['id'], challenge, allow_list, pin = PIN) + t2 = time.time() * 1000 assertions[0].verify(client_data.hash, creds[0].public_key) - print('PASS') + print('Assertion valid (%d ms)' % (t2-t1)) + + def test_fido2_brute_force(self): + creds = [] + exclude_list = [] + rp = {'id': 'examplo.org', 'name': 'ExaRP'} + user = {'id': b'usee_od', 'name': 'AB User'} + PIN = None + abc = 'abcdefghijklnmopqrstuvwxyz' + abc += abc.upper() + + self.ctap.reset() + + for i in range(0,2048): + creds = [] + + print(i) + challenge = ''.join([abc[randint(0,len(abc)-1)] for x in range(0,32)]) + + fake_id1 = array.array('B',[randint(0,255) for i in range(0,150)]).tostring() + fake_id2 = array.array('B',[randint(0,255) for i in range(0,73)]).tostring() + + exclude_list.append({'id': fake_id1, 'type': 'public-key'}) + exclude_list.append({'id': fake_id2, 'type': 'public-key'}) + + t1 = time.time() * 1000 + attest, data = self.client.make_credential(rp, user, challenge, pin = PIN, exclude_list = []) + t2 = time.time() * 1000 + attest.verify(data.hash) + print('Register valid (%d ms)' % (t2-t1)) + sys.stdout.flush() + + cred = attest.auth_data.credential_data + creds.append(cred) + + allow_list = [{'id':creds[0].credential_id, 'type': 'public-key'}] + t1 = time.time() * 1000 + assertions, client_data = self.client.get_assertion(rp['id'], challenge, allow_list, pin = PIN) + t2 = time.time() * 1000 + assertions[0].verify(client_data.hash, creds[0].public_key) + + print('Assertion valid (%d ms)' % (t2-t1)) + sys.stdout.flush() + def test_fido2(self): @@ -504,7 +552,8 @@ if __name__ == '__main__': t.find_device() #t.test_hid() #t.test_fido2() - t.test_fido2_simple() + #t.test_fido2_simple() + t.test_fido2_brute_force() diff --git a/ctaphid.c b/ctaphid.c index 835006b..7f67997 100644 --- a/ctaphid.c +++ b/ctaphid.c @@ -8,6 +8,7 @@ #include "u2f.h" #include "time.h" #include "util.h" +#include "log.h" typedef enum { @@ -336,7 +337,7 @@ void ctaphid_check_timeouts() { if (CIDS[i].busy && ((millis() - CIDS[i].last_used) >= 750)) { - printf("TIMEOUT CID: %08x\n", CIDS[i].cid); + printf1(TAG_HID, "TIMEOUT CID: %08x\n", CIDS[i].cid); ctaphid_send_error(CIDS[i].cid, CTAP1_ERR_TIMEOUT); memset(CIDS + i, 0, sizeof(struct CID)); } @@ -349,10 +350,10 @@ void ctaphid_handle_packet(uint8_t * pkt_raw) { CTAPHID_PACKET * pkt = (CTAPHID_PACKET *)(pkt_raw); - printf("Recv packet\n"); - printf(" CID: %08x \n", pkt->cid); - printf(" cmd: %02x\n", pkt->pkt.init.cmd); - if (!is_cont_pkt(pkt)) printf(" length: %d\n", ctaphid_packet_len(pkt)); + printf1(TAG_HID, "Recv packet\n"); + printf1(TAG_HID, " CID: %08x \n", pkt->cid); + printf1(TAG_HID, " cmd: %02x\n", pkt->pkt.init.cmd); + if (!is_cont_pkt(pkt)) printf1(TAG_HID, " length: %d\n", ctaphid_packet_len(pkt)); int ret; uint8_t status; @@ -368,13 +369,13 @@ void ctaphid_handle_packet(uint8_t * pkt_raw) { if (ctaphid_packet_len(pkt) != 8) { - printf("Error,invalid length field for init packet\n"); + printf2(TAG_ERR, "Error,invalid length field for init packet\n"); ctaphid_send_error(pkt->cid, CTAP1_ERR_INVALID_LENGTH); return; } if (pkt->cid == 0) { - printf("Error, invalid cid 0\n"); + printf2(TAG_ERR,"Error, invalid cid 0\n"); ctaphid_send_error(pkt->cid, CTAP1_ERR_INVALID_CHANNEL); return; } @@ -383,7 +384,7 @@ void ctaphid_handle_packet(uint8_t * pkt_raw) if (is_broadcast(pkt)) { // Check if any existing cids are busy first ? - printf("adding a new cid\n"); + printf1(TAG_HID,"adding a new cid\n"); oldcid = CTAPHID_BROADCAST_CID; newcid = get_new_cid(); ret = add_cid(newcid); @@ -391,7 +392,7 @@ void ctaphid_handle_packet(uint8_t * pkt_raw) } else { - printf("synchronizing to cid\n"); + printf1(TAG_HID, "synchronizing to cid\n"); oldcid = pkt->cid; newcid = pkt->cid; if (cid_exists(newcid)) @@ -401,7 +402,7 @@ void ctaphid_handle_packet(uint8_t * pkt_raw) } if (ret == -1) { - printf("Error, not enough memory for new CID. return BUSY.\n"); + printf2(TAG_ERR, "Error, not enough memory for new CID. return BUSY.\n"); ctaphid_send_error(pkt->cid, CTAP1_ERR_CHANNEL_BUSY); return; } @@ -424,14 +425,14 @@ void ctaphid_handle_packet(uint8_t * pkt_raw) { if (pkt->cid == buffer_cid() && ! is_cont_pkt(pkt)) { - printf("INVALID_SEQ\n"); - printf("Have %d/%d bytes\n", ctap_buffer_offset, ctap_buffer_bcnt); + printf2(TAG_ERR,"INVALID_SEQ\n"); + printf2(TAG_ERR,"Have %d/%d bytes\n", ctap_buffer_offset, ctap_buffer_bcnt); ctaphid_send_error(pkt->cid, CTAP1_ERR_INVALID_SEQ); return; } else if (pkt->cid != buffer_cid()) { - printf("BUSY with %08x\n", buffer_cid()); + printf2(TAG_ERR,"BUSY with %08x\n", buffer_cid()); ctaphid_send_error(pkt->cid, CTAP1_ERR_CHANNEL_BUSY); return; } @@ -449,33 +450,33 @@ void ctaphid_handle_packet(uint8_t * pkt_raw) { if (buffer_status() == EMPTY || pkt->cid != buffer_cid()) { - printf("ignoring random cont packet\n"); + printf2(TAG_ERR,"ignoring random cont packet\n"); return; } } if (buffer_packet(pkt) == SEQUENCE_ERROR) { - printf("Buffering sequence error\n"); + printf2(TAG_ERR,"Buffering sequence error\n"); ctaphid_send_error(pkt->cid, CTAP1_ERR_INVALID_SEQ); return; } ret = cid_refresh(pkt->cid); if (ret != 0) { - printf("Error, refresh cid failed\n"); + printf2(TAG_ERR,"Error, refresh cid failed\n"); exit(1); } active_cid = pkt->cid; } else if (is_cont_pkt(pkt)) { - printf("ignoring unwarranted cont packet\n"); + printf2(TAG_ERR,"ignoring unwarranted cont packet\n"); // Ignore return; } else { - printf("BUSY\n"); + printf2(TAG_ERR,"BUSY\n"); ctaphid_send_error(pkt->cid, CTAP1_ERR_CHANNEL_BUSY); return; } @@ -486,21 +487,21 @@ void ctaphid_handle_packet(uint8_t * pkt_raw) switch(buffer_status()) { case BUFFERING: - printf("BUFFERING\n"); + printf1(TAG_HID,"BUFFERING\n"); active_cid_timestamp = millis(); break; case EMPTY: - printf("empty buffer!\n"); + printf1(TAG_HID,"empty buffer!\n"); case BUFFERED: switch(buffer_cmd()) { case CTAPHID_INIT: - printf("CTAPHID_INIT, error this should already be handled\n"); + printf2(TAG_ERR,"CTAPHID_INIT, error this should already be handled\n"); exit(1); break; case CTAPHID_PING: - printf("CTAPHID_PING\n"); + printf1(TAG_HID,"CTAPHID_PING\n"); ctaphid_write_buffer_init(&wb); wb.cid = active_cid; @@ -513,7 +514,7 @@ void ctaphid_handle_packet(uint8_t * pkt_raw) break; case CTAPHID_WINK: - printf("CTAPHID_WINK\n"); + printf1(TAG_HID,"CTAPHID_WINK\n"); ctaphid_write_buffer_init(&wb); @@ -525,10 +526,10 @@ void ctaphid_handle_packet(uint8_t * pkt_raw) break; case CTAPHID_CBOR: - printf("CTAPHID_CBOR\n"); + printf1(TAG_HID,"CTAPHID_CBOR\n"); if (buffer_len() == 0) { - printf("Error,invalid 0 length field for cbor packet\n"); + printf2(TAG_ERR,"Error,invalid 0 length field for cbor packet\n"); ctaphid_send_error(pkt->cid, CTAP1_ERR_INVALID_LENGTH); return; } @@ -547,10 +548,10 @@ void ctaphid_handle_packet(uint8_t * pkt_raw) break; case CTAPHID_MSG: - printf("CTAPHID_MSG\n"); + printf1(TAG_HID,"CTAPHID_MSG\n"); if (buffer_len() == 0) { - printf("Error,invalid 0 length field for MSG/U2F packet\n"); + printf2(TAG_ERR,"Error,invalid 0 length field for MSG/U2F packet\n"); ctaphid_send_error(pkt->cid, CTAP1_ERR_INVALID_LENGTH); return; } @@ -568,7 +569,7 @@ void ctaphid_handle_packet(uint8_t * pkt_raw) break; default: - printf("error, unimplemented HID cmd: %02x\r\n", buffer_cmd()); + printf2(TAG_ERR,"error, unimplemented HID cmd: %02x\r\n", buffer_cmd()); ctaphid_send_error(pkt->cid, CTAP1_ERR_INVALID_COMMAND); break; } @@ -577,12 +578,12 @@ void ctaphid_handle_packet(uint8_t * pkt_raw) break; default: - printf("invalid buffer state; abort\n"); + printf2(TAG_ERR,"invalid buffer state; abort\n"); exit(1); break; } - printf("\n"); + printf1(TAG_HID,"\n"); } diff --git a/log.c b/log.c index 8e05519..4f8d707 100644 --- a/log.c +++ b/log.c @@ -25,6 +25,7 @@ struct logtag tagtable[] = { {TAG_CTAP,"CTAP"}, {TAG_U2F,"U2F"}, {TAG_DUMP,"DUMP"}, + {TAG_HID,"HID"}, {TAG_GREEN,"\x1b[32mDEBUG\x1b[0m"}, {TAG_RED,"\x1b[31mDEBUG\x1b[0m"}, {TAG_TIME,"\x1b[33mTIME\x1b[0m"}, diff --git a/log.h b/log.h index b2110f7..d64e73e 100644 --- a/log.h +++ b/log.h @@ -22,6 +22,7 @@ typedef enum TAG_GREEN = (1 << 8), TAG_RED= (1 << 9), TAG_TIME= (1 << 10), + TAG_HID = (1 << 11), TAG_FILENO = (1<<31) } LOG_TAG; diff --git a/main.c b/main.c index 8e26788..312a8b3 100644 --- a/main.c +++ b/main.c @@ -16,20 +16,22 @@ int main(int argc, char * argv[]) { int count = 0; uint64_t t1 = 0; + uint64_t t2 = 0; + uint64_t accum = 0; uint8_t hidmsg[64]; set_logging_mask( /*TAG_MC |*/ /*TAG_GA |*/ /*TAG_CP |*/ - TAG_CTAP| + /*TAG_CTAP|*/ /*TAG_U2F|*/ /*TAG_PARSE |*/ - TAG_TIME + /*TAG_TIME|*/ /*TAG_DUMP|*/ /*TAG_GREEN|*/ /*TAG_RED|*/ - /*TAG_ERR*/ + TAG_ERR ); printf("init device\n"); @@ -57,13 +59,15 @@ int main(int argc, char * argv[]) if (usbhid_recv(hidmsg) > 0) { printf1(TAG_DUMP,"%d>> ",count++); dump_hex1(TAG_DUMP, hidmsg,sizeof(hidmsg)); - + t2 = millis(); ctaphid_handle_packet(hidmsg); + accum += millis() - t2; + printf1(TAG_TIME,"accum: %lu\n", (uint32_t)accum); memset(hidmsg, 0, sizeof(hidmsg)); } else { - main_loop_delay(); + /*main_loop_delay();*/ } ctaphid_check_timeouts(); } diff --git a/nrf52840/crypto.c b/nrf52840/crypto.c index 8633077..204ed2c 100644 --- a/nrf52840/crypto.c +++ b/nrf52840/crypto.c @@ -33,7 +33,10 @@ const uint16_t attestation_key_size; -static SHA256_CTX sha256_ctx; +/*static SHA256_CTX sha256_ctx;*/ + +struct CRYS_HASHUserContext_t sha256_ctx; + const CRYS_ECPKI_Domain_t* _es256_curve; CRYS_RND_State_t rndState_ptr; CRYS_RND_WorkBuff_t rndWorkBuff_ptr; @@ -54,7 +57,13 @@ static uint8_t transport_secret[32] = "\x10\x01\x22\x33\x44\x55\x66\x77\x87\x90\ void crypto_sha256_init() { - sha256_init(&sha256_ctx); + /*sha256_init(&sha256_ctx);*/ + int ret = CRYS_HASH_Init(&sha256_ctx, CRYS_HASH_SHA256_mode); + if (ret != CRYS_OK ) + { + printf("sha init fail\n"); + exit(1); + } } void crypto_reset_master_secret() @@ -65,19 +74,41 @@ void crypto_reset_master_secret() void crypto_sha256_update(uint8_t * data, size_t len) { - sha256_update(&sha256_ctx, data, len); + /*sha256_update(&sha256_ctx, data, len);*/ + int ret = CRYS_HASH_Update(&sha256_ctx, data, len); + if (ret != CRYS_OK ) + { + printf("sha update fail\n"); + exit(1); + } + } void crypto_sha256_update_secret() { - sha256_update(&sha256_ctx, master_secret, 32); + /*sha256_update(&sha256_ctx, master_secret, 32);*/ + int ret = CRYS_HASH_Update(&sha256_ctx, master_secret, 32); + if (ret != CRYS_OK ) + { + printf("sha update secret fail\n"); + exit(1); + } } void crypto_sha256_final(uint8_t * hash) { - sha256_final(&sha256_ctx, hash); + /*sha256_final(&sha256_ctx, hash);*/ + int ret = CRYS_HASH_Finish(&sha256_ctx, (uint32_t*)hash); + if (ret != CRYS_OK ) + { + printf("sha finish fail\n"); + exit(1); + } + + } + void crypto_sha256_hmac_init(uint8_t * key, uint32_t klen, uint8_t * hmac) { uint8_t buf[64]; @@ -148,40 +179,40 @@ void crypto_ecc256_init() ret = SaSi_LibInit(); if (ret != SA_SILIB_RET_OK) { printf("Failed SaSi_LibInit - ret = 0x%x\n", ret); - switch(ret) - { - case SA_SILIB_RET_OK: - printf("SA_SILIB_RET_OK\n"); - break; + /*switch(ret)*/ + /*{*/ + /*case SA_SILIB_RET_OK:*/ + /*printf("SA_SILIB_RET_OK\n");*/ + /*break;*/ - case SA_SILIB_RET_EINVAL_CTX_PTR: - printf("SA_SILIB_RET_EINVAL_CTX_PTR\n"); - break; + /*case SA_SILIB_RET_EINVAL_CTX_PTR:*/ + /*printf("SA_SILIB_RET_EINVAL_CTX_PTR\n");*/ + /*break;*/ - case SA_SILIB_RET_EINVAL_WORK_BUF_PTR: - printf("SA_SILIB_RET_EINVAL_WORK_BUF_PTR\n"); - break; + /*case SA_SILIB_RET_EINVAL_WORK_BUF_PTR:*/ + /*printf("SA_SILIB_RET_EINVAL_WORK_BUF_PTR\n");*/ + /*break;*/ - case SA_SILIB_RET_HAL: - printf("SA_SILIB_RET_HAL\n"); - break; + /*case SA_SILIB_RET_HAL:*/ + /*printf("SA_SILIB_RET_HAL\n");*/ + /*break;*/ - case SA_SILIB_RET_PAL: - printf("SA_SILIB_RET_PAL\n"); - break; + /*case SA_SILIB_RET_PAL:*/ + /*printf("SA_SILIB_RET_PAL\n");*/ + /*break;*/ - case SA_SILIB_RET_EINVAL_HW_VERSION : - printf("SA_SILIB_RET_EINVAL_HW_VERSION \n"); - break; + /*case SA_SILIB_RET_EINVAL_HW_VERSION :*/ + /*printf("SA_SILIB_RET_EINVAL_HW_VERSION \n");*/ + /*break;*/ - case SA_SILIB_RET_EINVAL_HW_SIGNATURE: - printf("SA_SILIB_RET_EINVAL_HW_SIGNATURE\n"); - break; + /*case SA_SILIB_RET_EINVAL_HW_SIGNATURE:*/ + /*printf("SA_SILIB_RET_EINVAL_HW_SIGNATURE\n");*/ + /*break;*/ - case SA_SILIB_RESERVE32B: - printf("SA_SILIB_RESERVE32B\n"); - break; - } + /*case SA_SILIB_RESERVE32B:*/ + /*printf("SA_SILIB_RESERVE32B\n");*/ + /*break;*/ + /*}*/ exit(1); } @@ -242,19 +273,21 @@ void crypto_ecc256_sign(uint8_t * data, int len, uint8_t * sig) /*int uECC_compute_public_key(const uint8_t *private_key, uint8_t *public_key, uECC_Curve curve);*/ +void derive_private_key_pair(uint8_t * data, int len, uint8_t * data2, int len2, uint8_t * privkey, uint8_t * pubkey); void crypto_ecc256_derive_public_key(uint8_t * data, int len, uint8_t * x, uint8_t * y) { uint8_t privkey[32]; uint8_t pubkey[64]; - generate_private_key(data,len,NULL,0,privkey); + derive_private_key_pair(data,len,NULL,0,privkey,pubkey); - memset(pubkey,0,sizeof(pubkey)); - uECC_compute_public_key(privkey, pubkey, uECC_secp256r1()); + /*memset(pubkey,0,sizeof(pubkey));*/ + /*uECC_compute_public_key(privkey, pubkey, uECC_secp256r1());*/ memmove(x,pubkey,32); memmove(y,pubkey+32,32); } + void crypto_ecc256_load_key(uint8_t * data, int len, uint8_t * data2, int len2) { static uint8_t privkey[32]; @@ -264,11 +297,29 @@ void crypto_ecc256_load_key(uint8_t * data, int len, uint8_t * data2, int len2) void crypto_ecc256_make_key_pair(uint8_t * pubkey, uint8_t * privkey) { - if (uECC_make_key(pubkey, privkey, uECC_secp256r1()) != 1) - { - printf("Error, uECC_make_key failed\n"); + CRYS_ECPKI_UserPrivKey_t nrfpriv; + CRYS_ECPKI_UserPublKey_t nrfpub; + CRYS_ECPKI_KG_TempData_t tmp; + uint8_t pubkey1[65]; + int ret; + uint32_t sz; + + ret = CRYS_ECPKI_GenKeyPair(&rndState_ptr, + CRYS_RND_GenerateVector, + _es256_curve, + &nrfpriv, &nrfpub, &tmp, NULL); + + if (ret != SA_SILIB_RET_OK){ + printf(" gen key failed with 0x%x \n",ret); exit(1); } + + sz = 32; + CRYS_ECPKI_ExportPrivKey(&nrfpriv, privkey, &sz); + sz = 65; + CRYS_ECPKI_ExportPublKey(&nrfpub,CRYS_EC_PointUncompressed, pubkey1, &sz); + memmove(pubkey, pubkey1+1, 64); + } void crypto_ecc256_shared_secret(const uint8_t * pubkey, const uint8_t * privkey, uint8_t * shared_secret) @@ -281,13 +332,92 @@ void crypto_ecc256_shared_secret(const uint8_t * pubkey, const uint8_t * privkey } -void generate_private_key(uint8_t * data, int len, uint8_t * data2, int len2, uint8_t * privkey) +uint8_t fixed_vector_hmac[32]; +int fixed_vector_iter = 31; +uint32_t fixed_vector(void * rng, uint16_t sz, uint8_t * out) { + while(sz--) + { + *out++ = fixed_vector_hmac[fixed_vector_iter--]; + if (fixed_vector_iter == -1) + { + fixed_vector_iter = 31; + } + } + return 0; +} + +void derive_private_key_pair(uint8_t * data, int len, uint8_t * data2, int len2, uint8_t * privkey, uint8_t * pubkey) +{ + CRYS_ECPKI_UserPrivKey_t nrfpriv; + CRYS_ECPKI_UserPublKey_t nrfpub; + CRYS_ECPKI_KG_TempData_t tmp; + uint32_t ret; + uint32_t sz; + int i; + uint8_t pubkey1[65]; + crypto_sha256_hmac_init(CRYPTO_MASTER_KEY, 0, privkey); crypto_sha256_update(data, len); crypto_sha256_update(data2, len2); crypto_sha256_update(master_secret, 32); crypto_sha256_hmac_final(CRYPTO_MASTER_KEY, 0, privkey); + + memmove(fixed_vector_hmac, privkey, 32); + fixed_vector_iter=31; + + /*privkey[31] += 1;*/ + for (i = 31; i > -1; i++) + { + privkey[i] += 1; + if (privkey[i] != 0) + break; + } + + // There isn't a CC310 function for calculating a public key from a private + // so to get around it, we can "fix" the RNG input to GenKeyPair + + if(pubkey != NULL) + { + ret = CRYS_ECPKI_GenKeyPair(&rndState_ptr, + fixed_vector, + /*CRYS_RND_GenerateVector,*/ + _es256_curve, + &nrfpriv, &nrfpub, &tmp, NULL); + + if (ret != SA_SILIB_RET_OK){ + printf(" gen key failed with 0x%x \n",ret); + exit(1); + } + + /*sz = 32;*/ + /*ret = CRYS_ECPKI_ExportPrivKey(&nrfpriv, privkey, &sz);*/ + /*if (ret != 0)*/ + /*{*/ + /*printf("privkey export fail\n");*/ + /*exit(1);*/ + /*}*/ + + + sz = 65; + ret = CRYS_ECPKI_ExportPublKey(&nrfpub,CRYS_EC_PointUncompressed , pubkey1, &sz); + if (ret != 0 || sz != 65) + { + printf("pubkey export fail 0x%04x\n",ret); + exit(1); + } + if (pubkey1[0] != 0x04) + { + printf("pubkey uncompressed export fail 0x%02x\n",(int)pubkey1[0]); + exit(1); + } + memmove(pubkey, pubkey1+1 , 64); + } +} + +void generate_private_key(uint8_t * data, int len, uint8_t * data2, int len2, uint8_t * privkey) +{ + derive_private_key_pair(data,len,data2,len2,privkey,NULL); } struct AES_ctx aes_ctx; diff --git a/nrf52840/device.c b/nrf52840/device.c index 930a075..700c4e4 100644 --- a/nrf52840/device.c +++ b/nrf52840/device.c @@ -1,7 +1,7 @@ /* * Device specific functionality here * */ - +#define DEBUG #include #include #include diff --git a/nrf52840/sdk_config.h b/nrf52840/sdk_config.h index 582e594..d7e409c 100644 --- a/nrf52840/sdk_config.h +++ b/nrf52840/sdk_config.h @@ -510,6 +510,30 @@ #define NRF_CRYPTO_ALLOCATOR 0 #endif +// nrf_crypto_rng - RNG Configuration + +//========================================================== +// NRF_CRYPTO_RNG_STATIC_MEMORY_BUFFERS_ENABLED - Use static memory buffers for context and temporary init buffer. + + +// Always recommended when using the nRF HW RNG as the context and temporary buffers are small. Consider disabling if using the CC310 RNG in a RAM constrained application. In this case, memory must be provided to nrf_crypto_rng_init, or it can be allocated internally provided that NRF_CRYPTO_ALLOCATOR does not allocate memory on the stack. + +#ifndef NRF_CRYPTO_RNG_STATIC_MEMORY_BUFFERS_ENABLED +#define NRF_CRYPTO_RNG_STATIC_MEMORY_BUFFERS_ENABLED 1 +#endif + +// NRF_CRYPTO_RNG_AUTO_INIT_ENABLED - Initialize the RNG module automatically when nrf_crypto is initialized. + + +// Automatic initialization is only supported with static or internally allocated context and temporary memory. + +#ifndef NRF_CRYPTO_RNG_AUTO_INIT_ENABLED +#define NRF_CRYPTO_RNG_AUTO_INIT_ENABLED 1 +#endif + +// +//========================================================== + // NRF_CRYPTO_BACKEND_CC310_BL_ENABLED - Enable the ARM Cryptocell CC310 reduced backend. // The CC310 hardware-accelerated cryptography backend with reduced functionality and footprint (only available on nRF52840). @@ -581,7 +605,7 @@ // The CC310 hardware-accelerated cryptography backend (only available on nRF52840). //========================================================== #ifndef NRF_CRYPTO_BACKEND_CC310_ENABLED -#define NRF_CRYPTO_BACKEND_CC310_ENABLED 0 +#define NRF_CRYPTO_BACKEND_CC310_ENABLED 1 #endif // NRF_CRYPTO_BACKEND_CC310_AES_CBC_ENABLED - Enable the AES CBC mode using CC310. @@ -6350,7 +6374,7 @@ // MEM_MANAGER_ENABLED - mem_manager - Dynamic memory allocator //========================================================== #ifndef MEM_MANAGER_ENABLED -#define MEM_MANAGER_ENABLED 0 +#define MEM_MANAGER_ENABLED 1 #endif // MEMORY_MANAGER_SMALL_BLOCK_COUNT - Size of each memory blocks identified as 'small' block. <0-255>