From: Alexander Dahl
To: ptxdist@pengutronix.de
Cc: Ahmad Fatoum, Ian Abbott, Bruno Thomsen
Date: Mon, 4 Jul 2022 14:18:30 +0200
Message-Id: <20220704121831.23787-8-ada@thorsis.com>
In-Reply-To: <20220704121831.23787-1-ada@thorsis.com>
References: <20220704121831.23787-1-ada@thorsis.com>
Subject: [ptxdist] [PATCH 7/8] dropbear: Add conditional comments with warnings

We have multiple groups where it is required to select at least one (and
optionally more) option. On some groups selecting no option would fail at
build time, on others dropbear would build and run, but necessary user
interactions (like log in) would not be possible at runtime, e.g. because no
message integrity hmac method was built in.

These warnings still allow not selecting any option, but should give a
stronger hint than before that this would be a bad idea.

Suggested-by: Ahmad Fatoum
Signed-off-by: Alexander Dahl
---
 rules/dropbear.in | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/rules/dropbear.in b/rules/dropbear.in
index 043b0e76d..4f6a6a906 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -179,6 +179,9 @@ config DROPBEAR_CHACHA20POLY1305 instructions, having the same key size. Recommended. +comment "WARNING: No encryption method selected!" + depends on !DROPBEAR_AES128 && !DROPBEAR_3DES && !DROPBEAR_AES256 && !DROPBEAR_CHACHA20POLY1305 + config DROPBEAR_CBC_CIPHERS bool prompt "CBC mode ciphers (legacy)" @@ -247,6 +250,9 @@ config DROPBEAR_SHA512 SHA-1. SHA-2 consists of a set of four hash functions with digests that are 224, 256, 384 or 512 bits. +comment "WARNING: No Message Integrity method selected!" + depends on !DROPBEAR_SHA1 && !DROPBEAR_SHA1_96 && !DROPBEAR_SHA256 && !DROPBEAR_SHA512 + comment "Hostkey/public key algorithms, at least one required ---" config DROPBEAR_RSA @@ -278,6 +284,9 @@ config DROPBEAR_ED25519 Public keys are 256 bits long and signatures are 512 bits long. +comment "WARNING: No Hostkey/public key algorithm selected!" + depends on !DROPBEAR_RSA && !DROPBEAR_ECDSA && !DROPBEAR_ED25519 + comment "Key exchange algorithm, at least one required ---" config DROPBEAR_DH_GROUP14_SHA256 @@ -335,6 +344,9 @@ config DROPBEAR_DH_GROUP1 versions < 0.53. Client only! +comment "WARNING: No key exchange algorithm selected!" + depends on !DROPBEAR_DH_GROUP14_SHA256 && !DROPBEAR_DH_GROUP14_SHA1 && !DROPBEAR_DH_GROUP16 && !DROPBEAR_ECDH && !DROPBEAR_CURVE25519 && !DROPBEAR_DH_GROUP1 + comment "Authentication types, at least one required --- RFC Draft requires pubkey auth" config DROPBEAR_PASSWD @@ -351,6 +363,9 @@ config DROPBEAR_PUBKEY help Use public key authentication +comment "WARNING: No authentication type selected!" + depends on !DROPBEAR_PASSWD && !DROPBEAR_PUBKEY + comment "installation options ---" config DROPBEAR_DROPBEAR -- 2.30.2
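Review bot: In the first hunk (@@ -179,6 +179,9 @@) the `depends on` of the new WARNING comment hand-enumerates every cipher symbol (DROPBEAR_AES128, DROPBEAR_3DES, DROPBEAR_AES256, DROPBEAR_CHACHA20POLY1305), and the other four hunks follow the same pattern for hashes, host key types, key exchange methods and authentication types. Any option added to one of these groups later will silently not be covered by its warning unless the symbol is also appended to the matching `depends on`, so a short `#` comment above each of the five new `depends on` lines, stating that the list must mirror the options of the group directly above, would help whoever adds the next option.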
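Review bot: In the second hunk (@@ -247,6 +250,9 @@) the warning text capitalises "Message Integrity" while the other added warnings use lowercase nouns ("No encryption method", "No key exchange algorithm", "No authentication type"); for consistency suggest `comment "WARNING: No message integrity method selected!"`.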
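Review bot: In the fourth hunk (@@ -335,6 +344,9 @@) DROPBEAR_DH_GROUP1 is part of the list that silences the warning, yet the context line directly above it ("versions < 0.53. Client only!") states that this group is usable by the client only. A configuration that selects only DROPBEAR_DH_GROUP1 therefore shows no warning although a dropbear server built from it has no key exchange algorithm at all; consider dropping `!DROPBEAR_DH_GROUP1` from this `depends on`, or adding a second comment that fires when DH_GROUP1 is the only selected method and says the server side is still unusable.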