pkg/tinydtls: enforce the selection of a crypto secure PRNG

Also add a sanity checks on the prng_ modules.
2020-08-14 17:24:39 +02:00 · 2020-08-14 17:24:39 +02:00 · 531367a9a2
commit 531367a9a2
parent 613d0cfffd
8 changed files with 37 additions and 4 deletions
--- a/examples/dtls-echo/Makefile
+++ b/examples/dtls-echo/Makefile
@ -20,6 +20,8 @@ USEMODULE += shell
 USEMODULE += shell_commands
 USEPKG += tinydtls
 # tinydtls needs crypto secure PRNG
 USEMODULE += prng_sha1prng
 # UDP Port to use (20220 is default for DTLS).
 DTLS_PORT ?= 20220
--- a/examples/dtls-sock/Makefile
+++ b/examples/dtls-sock/Makefile
@ -21,6 +21,9 @@ USEMODULE += gnrc_sock_udp
 # Use tinydtls for sock_dtls
 USEMODULE += tinydtls_sock_dtls
 # tinydtls needs crypto secure PRNG
 USEMODULE += prng_sha1prng
 # Add also the shell, some shell commands
 USEMODULE += shell
 USEMODULE += shell_commands
--- a/pkg/tinydtls/Makefile.dep
+++ b/pkg/tinydtls/Makefile.dep
@ -6,9 +6,5 @@ USEMODULE += random
 USEMODULE += tinydtls_aes
 USEMODULE += tinydtls_ecc
 # tinydtls needs cryptographically secure randomness
 # TODO: restore configurability, e.g. allow to use HWRNG instead if available
 USEMODULE += prng_sha1prng
 # TinyDTLS only has support for 32-bit architectures ATM
 FEATURES_REQUIRED += arch_32bit
--- a/pkg/tinydtls/Makefile.include
+++ b/pkg/tinydtls/Makefile.include
@ -11,6 +11,15 @@ INCLUDES += -I$(PKG_BUILDDIR)
 # Mandatory for tinyDTLS
 CFLAGS += -DDTLSv12 -DWITH_SHA256
 # Check that the used PRNG implementation is cryptographically secure
 CRYPTO_SECURE_IMPLEMENTATIONS := prng_sha256prng prng_sha1prng prng_hwrng
 USED_PRNG_IMPLEMENTATIONS := $(filter prng_%,$(USEMODULE))
 ifeq (,$(filter $(CRYPTO_SECURE_IMPLEMENTATIONS),$(USEMODULE)))
  $(info TinyDTLS needs a cryptographically secure implementation of the PRNG module.)
  $(info Currently using: $(USED_PRNG_IMPLEMENTATIONS))
  $(error Please use one of: $(CRYPTO_SECURE_IMPLEMENTATIONS))
 endif
 # Dependencies partially under control of the App's requirements
 # The configuration for socket overrides Sock
--- a/pkg/tinydtls/doc.txt
+++ b/pkg/tinydtls/doc.txt
@ -12,6 +12,8 @@
 *
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ {.mk}
 * USEPKG += tinydtls
 * # a cryptographically secure implementation of PRNG is needed
 * USEMODULE += prng_sha1prng
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 * Supported Cipher Suites
--- a/sys/Makefile.include
+++ b/sys/Makefile.include
@ -117,3 +117,7 @@ endif
 ifneq (,$(filter ztimer_xtimer_compat,$(USEMODULE)))
  PSEUDOMODULES += xtimer
 endif
 ifneq (,$(filter prng,$(USEMODULE)))
  include $(RIOTBASE)/sys/random/Makefile.include
 endif
--- a/sys/random/Makefile.include
+++ b/sys/random/Makefile.include
@ -0,0 +1,15 @@
 USED_PRNG_IMPLEMENTATIONS := $(filter prng_%,$(USEMODULE))
 # Check that prng_shaxprng is not used by itself
 ifneq (,$(filter prng_shaxprng,$(USEMODULE)))
  ifeq (,$(filter prng_sha1prng prng_sha256prng,$(USEMODULE)))
    $(error prng_shaxprng should not be used directly. Select one of: prng_sha1prng, prng_sha256prng)
  endif
 endif
 # Check that only one implementation of PRNG is used
 # NOTE: prng_shaxprng is filtered out because it is used by the specific implementations
 ifneq (1,$(words $(filter-out prng_shaxprng,$(USED_PRNG_IMPLEMENTATIONS))))
  $(info Currently the following prng modules are used: $(USED_PRNG_IMPLEMENTATIONS))
  $(error Only one implementation of PRNG should be used.)
 endif
--- a/tests/pkg_tinydtls_sock_async/Makefile
+++ b/tests/pkg_tinydtls_sock_async/Makefile
@ -17,6 +17,8 @@ USEMODULE += event_timeout
 # Use tinydtls for sock_dtls
 USEMODULE += tinydtls_sock_dtls
 # tinydtls needs crypto secure PRNG
 USEMODULE += prng_sha1prng
 # Add also the shell, some shell commands
 USEMODULE += shell