[PATCH] Added missing dependencies on CRYPTO_HMAC

[PATCH] Added missing dependencies on CRYPTO_HMAC

[Herbert Xu]

[-- Attachment #1: Type: text/plain, Size: 288 bytes --]

Trivial patch which makes INET?_{AH,ESP} depend on CRYPTO_HMAC.
-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

[-- Attachment #2: p --]
[-- Type: text/plain, Size: 1494 bytes --]

Index: net/ipv4/Kconfig
===================================================================
RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/net/ipv4/Kconfig,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 Kconfig
--- net/ipv4/Kconfig	4 May 2003 23:53:36 -0000	1.1.1.4
+++ net/ipv4/Kconfig	18 May 2003 02:04:06 -0000
@@ -350,6 +350,7 @@
 
 config INET_AH
 	tristate "IP: AH transformation"
+	depends on INET && CRYPTO_HMAC
 	---help---
 	  Support for IPsec AH.
 
@@ -357,6 +358,7 @@
 
 config INET_ESP
 	tristate "IP: ESP transformation"
+	depends on INET && CRYPTO_HMAC
 	---help---
 	  Support for IPsec ESP.
 
@@ -364,6 +366,7 @@
 
 config INET_IPCOMP
 	tristate "IP: IPComp transformation"
+	depends on INET
 	---help---
 	  Support for IP Paylod Compression (RFC3173), typically needed
 	  for IPsec.
Index: net/ipv6/Kconfig
===================================================================
RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/net/ipv6/Kconfig,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 Kconfig
--- net/ipv6/Kconfig	24 Mar 2003 22:00:39 -0000	1.1.1.3
+++ net/ipv6/Kconfig	18 May 2003 02:04:26 -0000
@@ -19,7 +19,7 @@
 
 config INET6_AH
 	tristate "IPv6: AH transformation"
-	depends on IPV6
+	depends on IPV6 && CRYPTO_HMAC
 	---help---
 	  Support for IPsec AH.
 
@@ -27,7 +27,7 @@
 
 config INET6_ESP
 	tristate "IPv6: ESP transformation"
-	depends on IPV6
+	depends on IPV6 && CRYPTO_HMAC
 	---help---
 	  Support for IPsec ESP.
 

Re: [PATCH] Added missing dependencies on CRYPTO_HMAC

[James Morris]

On Sun, 18 May 2003, Herbert Xu wrote:

> Trivial patch which makes INET?_{AH,ESP} depend on CRYPTO_HMAC.

See crypto/Kconfig, CRYPTO_HMAC is being defaulted to Y if these protocols 
are selected.


- James
-- 
James Morris
<jmorris@intercode.com.au>

Re: [PATCH] Added missing dependencies on CRYPTO_HMAC

[Herbert Xu]

On Sun, May 18, 2003 at 12:19:09PM +1000, James Morris wrote:
> 
> See crypto/Kconfig, CRYPTO_HMAC is being defaulted to Y if these protocols 
> are selected.

Yes, but the user can then set them to no.  This does happen as the
Crypto menu is listed after Networking so someone going through it
in that order can select INET_AH and then go on to disable Crypto.

Dependencies are there to prevent these things from happening.
-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] Added missing dependencies on CRYPTO_HMAC

[James Morris]

On Sun, 18 May 2003, Herbert Xu wrote:

> On Sun, May 18, 2003 at 12:19:09PM +1000, James Morris wrote:
> > 
> > See crypto/Kconfig, CRYPTO_HMAC is being defaulted to Y if these protocols 
> > are selected.
> 
> Yes, but the user can then set them to no.  This does happen as the
> Crypto menu is listed after Networking so someone going through it
> in that order can select INET_AH and then go on to disable Crypto.

Yes, we allow users to override the defaults if they wish, at their own 
peril.

> Dependencies are there to prevent these things from happening.

Using dependencies would mean that the ipsec protocols would not appear in 
the networking menu until after selecting the correct algorthims in the 
crypto menu.

How would users know what the minimally required set of algorithms are?  
Would they then know to go _back_ to the networking menu to enable the
protocols?


- James
-- 
James Morris
<jmorris@intercode.com.au>

Re: [PATCH] Added missing dependencies on CRYPTO_HMAC

[Herbert Xu]

[-- Attachment #1: Type: text/plain, Size: 493 bytes --]

On Sun, May 18, 2003 at 01:40:28PM +1000, James Morris wrote:
> 
> How would users know what the minimally required set of algorithms are?  
> Would they then know to go _back_ to the networking menu to enable the
> protocols?

Good point.  What about this patch then?
-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

[-- Attachment #2: p --]
[-- Type: text/plain, Size: 1865 bytes --]

Index: net/ipv4/Kconfig
===================================================================
RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/net/ipv4/Kconfig,v
retrieving revision 1.1.1.4
retrieving revision 1.3
diff -u -r1.1.1.4 -r1.3
--- net/ipv4/Kconfig	4 May 2003 23:53:36 -0000	1.1.1.4
+++ net/ipv4/Kconfig	18 May 2003 04:02:20 -0000	1.3
@@ -348,8 +348,12 @@
 
 	  If unsure, say N.
 
+comment "Cryptographic HMAC support is needed for IPv4 AH or ESP support"
+	depends on INET && CRYPTO_HMAC=n
+
 config INET_AH
 	tristate "IP: AH transformation"
+	depends on INET && CRYPTO_HMAC
 	---help---
 	  Support for IPsec AH.
 
@@ -357,6 +361,7 @@
 
 config INET_ESP
 	tristate "IP: ESP transformation"
+	depends on INET && CRYPTO_HMAC
 	---help---
 	  Support for IPsec ESP.
 
@@ -364,6 +369,7 @@
 
 config INET_IPCOMP
 	tristate "IP: IPComp transformation"
+	depends on INET
 	---help---
 	  Support for IP Paylod Compression (RFC3173), typically needed
 	  for IPsec.
Index: net/ipv6/Kconfig
===================================================================
RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/net/ipv6/Kconfig,v
retrieving revision 1.1.1.3
retrieving revision 1.3
diff -u -r1.1.1.3 -r1.3
--- net/ipv6/Kconfig	24 Mar 2003 22:00:39 -0000	1.1.1.3
+++ net/ipv6/Kconfig	18 May 2003 04:02:20 -0000	1.3
@@ -17,9 +17,12 @@
 
 	  See <file:Documentation/networking/ip-sysctl.txt> for details.
 
+comment "Cryptographic HMAC support is needed for IPv6 AH or ESP support"
+	depends on IPV6 && CRYPTO_HMAC=n
+
 config INET6_AH
 	tristate "IPv6: AH transformation"
-	depends on IPV6
+	depends on IPV6 && CRYPTO_HMAC
 	---help---
 	  Support for IPsec AH.
 
@@ -27,7 +30,7 @@
 
 config INET6_ESP
 	tristate "IPv6: ESP transformation"
-	depends on IPV6
+	depends on IPV6 && CRYPTO_HMAC
 	---help---
 	  Support for IPsec ESP.
 

Re: [PATCH] Added missing dependencies on CRYPTO_HMAC

[David S. Miller]

   From: Herbert Xu <herbert@gondor.apana.org.au>
   Date: Sun, 18 May 2003 14:04:11 +1000

   Good point.  What about this patch then?

No, this is gross.  The ipsec protocols should be available by
default, I don't like this message solution at all.

Why don't we do this for every thing that needs ZLIB for example?

The answer is that we don't because it's rediculious.  We instead
define sensible defaults and if the user grinds out his own changes
that override them, as James said, he does so at his own peril.

Re: [PATCH] Added missing dependencies on CRYPTO_HMAC

[Adrian Bunk]

On Sun, May 18, 2003 at 01:40:28PM +1000, James Morris wrote:
> On Sun, 18 May 2003, Herbert Xu wrote:
> 
> > On Sun, May 18, 2003 at 12:19:09PM +1000, James Morris wrote:
> > > 
> > > See crypto/Kconfig, CRYPTO_HMAC is being defaulted to Y if these protocols 
> > > are selected.
> > 
> > Yes, but the user can then set them to no.  This does happen as the
> > Crypto menu is listed after Networking so someone going through it
> > in that order can select INET_AH and then go on to disable Crypto.
> 
> Yes, we allow users to override the defaults if they wish, at their own 
> peril.
> 
> > Dependencies are there to prevent these things from happening.
> 
> Using dependencies would mean that the ipsec protocols would not appear in 
> the networking menu until after selecting the correct algorthims in the 
> crypto menu.
> 
> How would users know what the minimally required set of algorithms are?  
> Would they then know to go _back_ to the networking menu to enable the
> protocols?

It seems the cryptographic options don't depend on anything else. What 
about Herbert's patch plus moving the crypto menu above network support?

> - James

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Re: [PATCH] Added missing dependencies on CRYPTO_HMAC

[James Morris]

On Sun, 18 May 2003, Adrian Bunk wrote:

> It seems the cryptographic options don't depend on anything else. What 
> about Herbert's patch plus moving the crypto menu above network support?

It's up to the authors whether they want their modules to always be 
selectable or not.  We can't assume that only the networking wants this.

Think of crypto algorithms like a library: components are enabled
depending on what user-selected features need them.


- James
-- 
James Morris
<jmorris@intercode.com.au>

Re: [PATCH] Added missing dependencies on CRYPTO_HMAC

[Adrian Bunk]

On Sun, May 18, 2003 at 01:40:28PM +1000, James Morris wrote:
> On Sun, 18 May 2003, Herbert Xu wrote:
> 
> > On Sun, May 18, 2003 at 12:19:09PM +1000, James Morris wrote:
> > > 
> > > See crypto/Kconfig, CRYPTO_HMAC is being defaulted to Y if these protocols 
> > > are selected.
> > 
> > Yes, but the user can then set them to no.  This does happen as the
> > Crypto menu is listed after Networking so someone going through it
> > in that order can select INET_AH and then go on to disable Crypto.
> 
> Yes, we allow users to override the defaults if they wish, at their own 
> peril.
>...

The real problems are more subtle:
Consider someone uses neither CRYPTO_HMAC nor INET_AH and later changes 
his .config using menuconfig - the "default" does _nothing_ since 
CRYPTO_HMAC already has a value.

Thinking more about this issue it seems the "enable" feature in the
latest Kconfig patch will be the correct solution.


> James Morris

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed