Trivial patch which makes INET?_{AH,ESP} depend on CRYPTO_HMAC.
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu 许志壬 <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Sun, 18 May 2003, Herbert Xu wrote:
> Trivial patch which makes INET?_{AH,ESP} depend on CRYPTO_HMAC.
See crypto/Kconfig, CRYPTO_HMAC is being defaulted to Y if these protocols
are selected.
- James
--
James Morris
<[email protected]>
On Sun, May 18, 2003 at 12:19:09PM +1000, James Morris wrote:
>
> See crypto/Kconfig, CRYPTO_HMAC is being defaulted to Y if these protocols
> are selected.
Yes, but the user can then set them to no. This does happen as the
Crypto menu is listed after Networking so someone going through it
in that order can select INET_AH and then go on to disable Crypto.
Dependencies are there to prevent these things from happening.
--
Email: Herbert Xu 许志壬 <[email protected]>
On Sun, 18 May 2003, Herbert Xu wrote:
> On Sun, May 18, 2003 at 12:19:09PM +1000, James Morris wrote:
> >
> > See crypto/Kconfig, CRYPTO_HMAC is being defaulted to Y if these protocols
> > are selected.
>
> Yes, but the user can then set them to no. This does happen as the
> Crypto menu is listed after Networking so someone going through it
> in that order can select INET_AH and then go on to disable Crypto.
Yes, we allow users to override the defaults if they wish, at their own
peril.
> Dependencies are there to prevent these things from happening.
Using dependencies would mean that the ipsec protocols would not appear in
the networking menu until after selecting the correct algorithms in the
crypto menu.
How would users know what the minimally required set of algorithms are?
Would they then know to go _back_ to the networking menu to enable the
protocols?
- James
On Sun, May 18, 2003 at 01:40:28PM +1000, James Morris wrote:
>
> How would users know what the minimally required set of algorithms are?
> Would they then know to go _back_ to the networking menu to enable the
> protocols?
Good point. What about this patch then?
--
Email: Herbert Xu 许志壬 <[email protected]>
From: Herbert Xu <[email protected]>
Date: Sun, 18 May 2003 14:04:11 +1000
Good point. What about this patch then?
No, this is gross. The ipsec protocols should be available by
default, I don't like this message solution at all.
Why don't we do this for everything that needs ZLIB for example?
The answer is that we don't because it's ridiculous. We instead
define sensible defaults and if the user grinds out his own changes
that override them, as James said, he does so at his own peril.
On Sun, May 18, 2003 at 01:40:28PM +1000, James Morris wrote:
> On Sun, 18 May 2003, Herbert Xu wrote:
>
> > On Sun, May 18, 2003 at 12:19:09PM +1000, James Morris wrote:
> > >
> > > See crypto/Kconfig, CRYPTO_HMAC is being defaulted to Y if these protocols
> > > are selected.
> >
> > Yes, but the user can then set them to no. This does happen as the
> > Crypto menu is listed after Networking so someone going through it
> > in that order can select INET_AH and then go on to disable Crypto.
>
> Yes, we allow users to override the defaults if they wish, at their own
> peril.
>
> > Dependencies are there to prevent these things from happening.
>
> Using dependencies would mean that the ipsec protocols would not appear in
> the networking menu until after selecting the correct algorithms in the
> crypto menu.
>
> How would users know what the minimally required set of algorithms are?
> Would they then know to go _back_ to the networking menu to enable the
> protocols?
It seems the cryptographic options don't depend on anything else. What
about Herbert's patch plus moving the crypto menu above network support?
> - James
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
On Sun, 18 May 2003, Adrian Bunk wrote:
> It seems the cryptographic options don't depend on anything else. What
> about Herbert's patch plus moving the crypto menu above network support?
It's up to the authors whether they want their modules to always be
selectable or not. We can't assume that only the networking wants this.
Think of crypto algorithms like a library: components are enabled
depending on what user-selected features need them.
- James
On Sun, May 18, 2003 at 01:40:28PM +1000, James Morris wrote:
> On Sun, 18 May 2003, Herbert Xu wrote:
>
> > On Sun, May 18, 2003 at 12:19:09PM +1000, James Morris wrote:
> > >
> > > See crypto/Kconfig, CRYPTO_HMAC is being defaulted to Y if these protocols
> > > are selected.
> >
> > Yes, but the user can then set them to no. This does happen as the
> > Crypto menu is listed after Networking so someone going through it
> > in that order can select INET_AH and then go on to disable Crypto.
>
> Yes, we allow users to override the defaults if they wish, at their own
> peril.
>...
The real problems are more subtle:
Consider someone uses neither CRYPTO_HMAC nor INET_AH and later changes
his .config using menuconfig - the "default" does _nothing_ since
CRYPTO_HMAC already has a value.
Thinking more about this issue it seems the "enable" feature in the
latest Kconfig patch will be the correct solution.
> James Morris
cu
Adrian
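
Added example, not part of the thread and not code from any of the posters: a check that finds the inconsistent state discussed above in a finished .config, where an IPsec option is enabled but CRYPTO_HMAC is off or only modular. It assumes the usual .config line forms (`CONFIG_X=y`, `CONFIG_X=m`, `# CONFIG_X is not set`) and expands INET?_{AH,ESP} to the four option names; the sample configs are constructed.

```python
import re

# Option names are the thread's INET?_{AH,ESP} expanded, plus CRYPTO_HMAC.
IPSEC_OPTIONS = ("INET_AH", "INET_ESP", "INET6_AH", "INET6_ESP")
REQUIRED = "CRYPTO_HMAC"

_SET = re.compile(r"^CONFIG_(\w+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_(\w+) is not set$")
_RANK = {"n": 0, "m": 1, "y": 2}  # tristate ordering: off < module < built-in

# Constructed samples, not taken from a real kernel build.
SAMPLE_BROKEN = """\
CONFIG_INET_AH=y
CONFIG_INET_ESP=m
# CONFIG_INET6_AH is not set
# CONFIG_CRYPTO_HMAC is not set
"""
SAMPLE_MODULAR_HMAC = """\
CONFIG_INET_AH=y
CONFIG_INET_ESP=m
CONFIG_CRYPTO_HMAC=m
"""

def parse_config(text):
    """Return {symbol: value}; '# CONFIG_X is not set' maps to 'n'."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            values[m.group(1)] = m.group(2)
        else:
            m = _UNSET.match(line)
            if m:
                values[m.group(1)] = "n"
    return values

def check_ipsec_crypto(text):
    """Report IPsec options enabled at a higher level than CRYPTO_HMAC."""
    cfg = parse_config(text)
    have = cfg.get(REQUIRED, "n")
    problems = []
    for opt in IPSEC_OPTIONS:
        want = cfg.get(opt, "n")
        # Built-in code cannot rely on a modular or absent helper.
        if _RANK.get(want, 0) > _RANK.get(have, 0):
            problems.append(f"CONFIG_{opt}={want} but CONFIG_{REQUIRED}={have}")
    return problems
```

Running `check_ipsec_crypto` on the text of a .config after each menuconfig session catches the case where CRYPTO_HMAC already had a value and the default was never reapplied.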