Added missing dependencies on CRYPTO_HMAC

Message ID 20030518021034.GA4667@gondor.apana.org.au

Commit Message

Herbert Xu May 18, 2003, 2:10 a.m. UTC
Trivial patch which makes INET?_{AH,ESP} depend on CRYPTO_HMAC.

Comments

James Morris May 18, 2003, 2:19 a.m. UTC | #1
On Sun, 18 May 2003, Herbert Xu wrote:

> Trivial patch which makes INET?_{AH,ESP} depend on CRYPTO_HMAC.

See crypto/Kconfig, CRYPTO_HMAC is being defaulted to Y if these protocols 
are selected.


- James
Herbert Xu May 18, 2003, 3:15 a.m. UTC | #2
On Sun, May 18, 2003 at 12:19:09PM +1000, James Morris wrote:
> 
> See crypto/Kconfig, CRYPTO_HMAC is being defaulted to Y if these protocols 
> are selected.

Yes, but the user can then set them to no.  This does happen as the
Crypto menu is listed after Networking so someone going through it
in that order can select INET_AH and then go on to disable Crypto.

Dependencies are there to prevent these things from happening.
James Morris May 18, 2003, 3:40 a.m. UTC | #3
On Sun, 18 May 2003, Herbert Xu wrote:

> On Sun, May 18, 2003 at 12:19:09PM +1000, James Morris wrote:
> > 
> > See crypto/Kconfig, CRYPTO_HMAC is being defaulted to Y if these protocols 
> > are selected.
> 
> Yes, but the user can then set them to no.  This does happen as the
> Crypto menu is listed after Networking so someone going through it
> in that order can select INET_AH and then go on to disable Crypto.

Yes, we allow users to override the defaults if they wish, at their own 
peril.

> Dependencies are there to prevent these things from happening.

Using dependencies would mean that the ipsec protocols would not appear in 
the networking menu until after selecting the correct algorithms in the 
crypto menu.

How would users know what the minimally required set of algorithms are?  
Would they then know to go _back_ to the networking menu to enable the
protocols?


- James
Herbert Xu May 18, 2003, 4:04 a.m. UTC | #4
On Sun, May 18, 2003 at 01:40:28PM +1000, James Morris wrote:
> 
> How would users know what the minimally required set of algorithms are?  
> Would they then know to go _back_ to the networking menu to enable the
> protocols?

Good point.  What about this patch then?
David Miller May 18, 2003, 5:17 a.m. UTC | #5
From: Herbert Xu <herbert@gondor.apana.org.au>
   Date: Sun, 18 May 2003 14:04:11 +1000

   Good point.  What about this patch then?

No, this is gross.  The ipsec protocols should be available by
default, I don't like this message solution at all.

Why don't we do this for everything that needs ZLIB for example?

The answer is that we don't because it's ridiculous.  We instead
define sensible defaults and if the user grinds out his own changes
that override them, as James said, he does so at his own peril.
Adrian Bunk May 18, 2003, 12:46 p.m. UTC | #6
On Sun, May 18, 2003 at 01:40:28PM +1000, James Morris wrote:
> On Sun, 18 May 2003, Herbert Xu wrote:
> 
> > On Sun, May 18, 2003 at 12:19:09PM +1000, James Morris wrote:
> > > 
> > > See crypto/Kconfig, CRYPTO_HMAC is being defaulted to Y if these protocols 
> > > are selected.
> > 
> > Yes, but the user can then set them to no.  This does happen as the
> > Crypto menu is listed after Networking so someone going through it
> > in that order can select INET_AH and then go on to disable Crypto.
> 
> Yes, we allow users to override the defaults if they wish, at their own 
> peril.
> 
> > Dependencies are there to prevent these things from happening.
> 
> Using dependencies would mean that the ipsec protocols would not appear in 
> the networking menu until after selecting the correct algorithms in the 
> crypto menu.
> 
> How would users know what the minimally required set of algorithms are?  
> Would they then know to go _back_ to the networking menu to enable the
> protocols?

It seems the cryptographic options don't depend on anything else. What 
about Herbert's patch plus moving the crypto menu above network support?

> - James

cu
Adrian
James Morris May 18, 2003, 3:03 p.m. UTC | #7
On Sun, 18 May 2003, Adrian Bunk wrote:

> It seems the cryptographic options don't depend on anything else. What 
> about Herbert's patch plus moving the crypto menu above network support?

It's up to the authors whether they want their modules to always be 
selectable or not.  We can't assume that only the networking wants this.

Think of crypto algorithms like a library: components are enabled
depending on what user-selected features need them.


- James
Adrian Bunk May 18, 2003, 3:14 p.m. UTC | #8
On Sun, May 18, 2003 at 01:40:28PM +1000, James Morris wrote:
> On Sun, 18 May 2003, Herbert Xu wrote:
> 
> > On Sun, May 18, 2003 at 12:19:09PM +1000, James Morris wrote:
> > > 
> > > See crypto/Kconfig, CRYPTO_HMAC is being defaulted to Y if these protocols 
> > > are selected.
> > 
> > Yes, but the user can then set them to no.  This does happen as the
> > Crypto menu is listed after Networking so someone going through it
> > in that order can select INET_AH and then go on to disable Crypto.
> 
> Yes, we allow users to override the defaults if they wish, at their own 
> peril.
>...

The real problems are more subtle:
Consider someone uses neither CRYPTO_HMAC nor INET_AH and later changes 
his .config using menuconfig - the "default" does _nothing_ since 
CRYPTO_HMAC already has a value.

Thinking more about this issue it seems the "enable" feature in the
latest Kconfig patch will be the correct solution.


> James Morris

cu
Adrian
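
The state this thread worries about (INET_AH selected and Crypto then disabled, or a default that does nothing because CRYPTO_HMAC already has a value) can be checked for in a finished .config. The following is an added example, not code from the thread or the kernel tree; the function names and the sample .config are constructed for illustration, and comparing y/m/n ranks mirrors the upper limit a `depends on` would impose.

```python
import re

# The four AH/ESP symbols touched by the patch, and the symbol they need.
NEEDS_HMAC = ("INET_AH", "INET_ESP", "INET6_AH", "INET6_ESP")
REQUIRED = "CRYPTO_HMAC"

_SET = re.compile(r"^CONFIG_(\w+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_(\w+) is not set$")

# Constructed sample: IPsec options left on after HMAC was switched off.
SAMPLE = """\
CONFIG_INET=y
CONFIG_INET_AH=y
CONFIG_INET_ESP=m
# CONFIG_INET_IPCOMP is not set
CONFIG_IPV6=m
CONFIG_INET6_AH=m
# CONFIG_INET6_ESP is not set
CONFIG_CRYPTO=y
# CONFIG_CRYPTO_HMAC is not set
"""

def parse_dotconfig(text):
    """Return {symbol: value}; '# CONFIG_X is not set' maps X to 'n'."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            values[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            values[m.group(1)] = "n"
    return values

def missing_hmac(text):
    """List AH/ESP symbols built at a higher level (y > m > n) than CRYPTO_HMAC."""
    rank = {"n": 0, "m": 1, "y": 2}
    cfg = parse_dotconfig(text)
    hmac = rank.get(cfg.get(REQUIRED, "n"), 0)
    return [s for s in NEEDS_HMAC if rank.get(cfg.get(s, "n"), 0) > hmac]

if __name__ == "__main__":
    for sym in missing_hmac(SAMPLE):
        print(f"CONFIG_{sym} is enabled but CONFIG_{REQUIRED} does not cover it")
```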

Patch

Index: net/ipv4/Kconfig
===================================================================
RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/net/ipv4/Kconfig,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 Kconfig
--- net/ipv4/Kconfig	4 May 2003 23:53:36 -0000	1.1.1.4
+++ net/ipv4/Kconfig	18 May 2003 02:04:06 -0000
@@ -350,6 +350,7 @@ 
 
 config INET_AH
 	tristate "IP: AH transformation"
+	depends on INET && CRYPTO_HMAC
 	---help---
 	  Support for IPsec AH.
 
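Review bot: The new `depends on INET && CRYPTO_HMAC` line under INET_AH adds an INET dependency as well, which the commit message ("makes INET?_{AH,ESP} depend on CRYPTO_HMAC") does not mention. INET_AH had no `depends on` line before this hunk, so please either say in the commit message why INET is added here or put that change in its own patch.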
@@ -357,6 +358,7 @@ 
 
 config INET_ESP
 	tristate "IP: ESP transformation"
+	depends on INET && CRYPTO_HMAC
 	---help---
 	  Support for IPsec ESP.
 
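Review bot: With `depends on INET && CRYPTO_HMAC` on INET_ESP the prompt is no longer offered while CRYPTO_HMAC is off, and the help text ("Support for IPsec ESP.") gives no hint of that prerequisite. Suggest adding a sentence to the help naming CRYPTO_HMAC, so someone looking for the missing ESP option can find out what to enable first; this is the discoverability concern raised in the thread.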
@@ -364,6 +366,7 @@ 
 
 config INET_IPCOMP
 	tristate "IP: IPComp transformation"
+	depends on INET
 	---help---
 	  Support for IP Paylod Compression (RFC3173), typically needed
 	  for IPsec.
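Review bot: The `depends on INET` added to INET_IPCOMP has nothing to do with CRYPTO_HMAC, so it falls outside a patch titled "Added missing dependencies on CRYPTO_HMAC". Suggest moving it to a separate patch, or extending the subject and commit message to cover the INET dependencies.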
Index: net/ipv6/Kconfig
===================================================================
RCS file: /home/gondolin/herbert/src/CVS/debian/kernel-source-2.5/net/ipv6/Kconfig,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 Kconfig
--- net/ipv6/Kconfig	24 Mar 2003 22:00:39 -0000	1.1.1.3
+++ net/ipv6/Kconfig	18 May 2003 02:04:26 -0000
@@ -19,7 +19,7 @@ 
 
 config INET6_AH
 	tristate "IPv6: AH transformation"
-	depends on IPV6
+	depends on IPV6 && CRYPTO_HMAC
 	---help---
 	  Support for IPsec AH.
 
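Review bot: Changing `depends on IPV6` to `depends on IPV6 && CRYPTO_HMAC` means INET6_AH is switched off without any message if CRYPTO_HMAC is later set to n, so a configuration that was meant to carry IPsec AH can end up without it. Please note this behaviour in the commit message, and consider the "enable" feature Adrian mentions in the thread as an alternative.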
@@ -27,7 +27,7 @@ 
 
 config INET6_ESP
 	tristate "IPv6: ESP transformation"
-	depends on IPV6
+	depends on IPV6 && CRYPTO_HMAC
 	---help---
 	  Support for IPsec ESP.
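Review bot: The `depends on IPV6 && CRYPTO_HMAC` line for INET6_ESP, like the other three AH/ESP changes, is justified only by "Trivial patch" in the commit message, which does not say what goes wrong when the option is enabled with CRYPTO_HMAC off. Please state the failure being prevented (a build error, or a module that fails at run time), since the thread points out that crypto/Kconfig already defaults CRYPTO_HMAC to Y for these protocols.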