AH transformation broken since 2.5.56

AH transformation broken since 2.5.56

[Brice Goglin]

Hi,

Support for IPsec AH in net/ipv4/ah.c is broken since 2.5.56
(still broken in 2.5.59).
I tried with CONFIG_INET_AH=y and m, I got the same error :

make -f scripts/Makefile.build obj=net/ipv4
  gcc -Wp,-MD,net/ipv4/.ah.o.d -D__KERNEL__ -Iinclude -Wall -Wstrict-prototypes 
-Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -pipe 
-mpreferred-stack-boundary=2 -march=i686 -Iinclude/asm-i386/mach-default 
-fomit-frame-pointer -nostdinc -iwithprefix include -DMODULE   
-DKBUILD_BASENAME=ah -DKBUILD_MODNAME=ah   -c -o net/ipv4/ah.o net/ipv4/ah.c
net/ipv4/ah.c: In function `ah_hmac_digest':
net/ipv4/ah.c:154: warning: implicit declaration of function `crypto_hmac_init'
net/ipv4/ah.c:155: `crypto_hmac_update' undeclared (first use in this function)
net/ipv4/ah.c:155: (Each undeclared identifier is reported only once
net/ipv4/ah.c:155: for each function it appears in.)
net/ipv4/ah.c:156: warning: implicit declaration of function `crypto_hmac_final'
make[2]: *** [net/ipv4/ah.o] Erreur 1
make[1]: *** [net/ipv4] Erreur 2
make: *** [net] Erreur 2

Regards

Brice Goglin
============
Ph.D Student
Laboratoire de l'Informatique et du Parallélisme
ENS Lyon
France

Re: AH transformation broken since 2.5.56

[David S. Miller]

   From: Brice Goglin <bgoglin@ens-lyon.fr>
   Date: Wed, 22 Jan 2003 14:31:07 +0100

   Support for IPsec AH in net/ipv4/ah.c is broken since 2.5.56
   (still broken in 2.5.59).
   I tried with CONFIG_INET_AH=y and m, I got the same error :

You have to enable CONFIG_CRYPTO_HMAC if you want to enable
CONFIG_INET_AH

Re: AH transformation broken since 2.5.56

[David S. Miller]

   From: Brice Goglin <bgoglin@ens-lyon.fr>
   Date: Fri, 24 Jan 2003 11:05:30 +0100

   My problem was based on the fact that you can disable
   CONFIG_CRYPTO_HMAC by disabling CONFIG_CRYPTO. But this will not
   disable CONFIG_INET_AH.
   
   Shouldn't there be a fix in dependencies between CONFIG_CRYPTO
   and CONFIG_CRYPTO_HMAC, or between CONFIG_INET_AH and
   CONFIG_CRYPTO ?

If you override the defaults, the responsibility lands in your
hands to do the right thing.

The only facility we have right now is to choose the defaults
sensibly for you, and if you look at crypto/Kconfig we are
doing exactly that.  It checks there fore whether AH or ESP
have been enabled, and chooses a default based upon that.

Also, CRYPTO selection comes after the ipsec choices.  So the
only thing we can do is make decisions based upon whether
you've enabled AH or ESP not the other way around.

Whether there should be a way to FORCE config options on or off
(instead of controlling the default) to avoid situations like this is
a seperate topic.

Re: AH transformation broken since 2.5.56

[Brice Goglin]

> From: David S. Miller (davem@redhat.com)
> Date: Thu Jan 23 2003 - 21:21:14 EST
>
>   From: Brice Goglin <bgoglin@ens-lyon.fr>
>   Date: Wed, 22 Jan 2003 14:31:07 +0100
> 
>   Support for IPsec AH in net/ipv4/ah.c is broken since 2.5.56
>
>   (still broken in 2.5.59).
>   I tried with CONFIG_INET_AH=y and m, I got the same error :
>
> You have to enable CONFIG_CRYPTO_HMAC if you want to enable
> CONFIG_INET_AH

Ok, thanks.
I just saw that net/ipv4/Kconfig make CONFIG_INET_AH depend on
CONFIG_CRYPTO_HMAC.

My problem was based on the fact that you can disable
CONFIG_CRYPTO_HMAC by disabling CONFIG_CRYPTO. But this will not
disable CONFIG_INET_AH.

Shouldn't there be a fix in dependencies between CONFIG_CRYPTO
and CONFIG_CRYPTO_HMAC, or between CONFIG_INET_AH and
CONFIG_CRYPTO ?

Regards

Brice Goglin
============
Ph.D Student
Laboratoire de l'Informatique du Parallélisme
ENS Lyon
France