From: Michael Olbrich
To: ptxdist@pengutronix.de
Date: Fri, 29 Jul 2022 08:23:36 +0200
Message-Id: <20220729062336.2392302-1-m.olbrich@pengutronix.de>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20220704121831.23787-8-ada@thorsis.com>
References: <20220704121831.23787-8-ada@thorsis.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: Re: [ptxdist] [APPLIED] dropbear: Add conditional comments with warnings
List-Id: PTXdist Development Mailing List
Reply-To: ptxdist@pengutronix.de
Cc: Alexander Dahl

Thanks, applied as e8f526c3a8d126139da25384d68542ce4895480c.

Michael

[sent from post-receive hook]

On Fri, 29 Jul 2022 08:23:36 +0200, Alexander Dahl wrote:
> We have multiple groups where it is required to select at least one (and
> optionally more) option. On some groups selecting no option would fail
> at build time, on others dropbear would build and run, but necessary user
> interactions (like log in) would not be possible at runtime, e.g.
> because no message integrity HMAC method was built in.
>
> These warnings still allow not selecting any option, but should give a
> stronger hint than before that this would be a bad idea.
>
> Suggested-by: Ahmad Fatoum
> Signed-off-by: Alexander Dahl
> Message-Id: <20220704121831.23787-8-ada@thorsis.com>
> Signed-off-by: Michael Olbrich
>
> diff --git a/rules/dropbear.in b/rules/dropbear.in
> index a64b2306a64a..a3059c60502d 100644
> --- a/rules/dropbear.in
> +++ b/rules/dropbear.in
> @@ -180,6 +180,9 @@ config DROPBEAR_CHACHA20POLY1305 > instructions, having the same key size. > Recommended. > > +comment "WARNING: No encryption method selected!" > + depends on !DROPBEAR_AES128 && !DROPBEAR_3DES && !DROPBEAR_AES256 && !DROPBEAR_CHACHA20POLY1305 > + > config DROPBEAR_CBC_CIPHERS > bool > prompt "CBC mode ciphers (legacy)" > @@ -248,6 +251,9 @@ config DROPBEAR_SHA512 > SHA-1. SHA-2 consists of a set of four hash functions with digests > that are 224, 256, 384 or 512 bits. > > +comment "WARNING: No Message Integrity method selected!" > + depends on !DROPBEAR_SHA1 && !DROPBEAR_SHA1_96 && !DROPBEAR_SHA256 && !DROPBEAR_SHA512 > + > comment "Hostkey/public key algorithms, at least one required ---" > > config DROPBEAR_RSA > @@ -279,6 +285,9 @@ config DROPBEAR_ED25519 > Public keys are 256 bits long and signatures are 512 bits > long. > > +comment "WARNING: No Hostkey/public key algorithm selected!" > + depends on !DROPBEAR_RSA && !DROPBEAR_ECDSA && !DROPBEAR_ED25519 > + > comment "Key exchange algorithm, at least one required ---" > > config DROPBEAR_DH_GROUP14_SHA256 > @@ -336,6 +345,9 @@ config DROPBEAR_DH_GROUP1 > versions < 0.53. > Client only! > > +comment "WARNING: No key exchange algorithm selected!" > + depends on !DROPBEAR_DH_GROUP14_SHA256 && !DROPBEAR_DH_GROUP14_SHA1 && !DROPBEAR_DH_GROUP16 && !DROPBEAR_ECDH && !DROPBEAR_CURVE25519 && !DROPBEAR_DH_GROUP1 > + > comment "Authentication types, at least one required --- RFC Draft requires pubkey auth" > > config DROPBEAR_PASSWD > @@ -352,6 +364,9 @@ config DROPBEAR_PUBKEY > help > Use public key authentication > > +comment "WARNING: No authentication type selected!" > + depends on !DROPBEAR_PASSWD && !DROPBEAR_PUBKEY > + > comment "installation options ---" > > config DROPBEAR_DROPBEAR
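Review bot: the second hunk's warning text is capitalised differently from the other four: "No Message Integrity method selected!" versus "No encryption method", "No key exchange algorithm" and "No authentication type". Suggest "WARNING: No message integrity method selected!" so all five comments read the same way in the menu.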
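Review bot: the key exchange warning in the fourth hunk (`depends on !DROPBEAR_DH_GROUP14_SHA256 && ... && !DROPBEAR_DH_GROUP1`) is silenced by DROPBEAR_DH_GROUP1 alone, but the context right above it documents that option as "Client only!". A configuration with only DROPBEAR_DH_GROUP1 selected therefore shows no warning even though the server side is left without any key exchange algorithm, which is exactly the "builds but cannot be used at runtime" case the commit message wants to flag. Suggest dropping `!DROPBEAR_DH_GROUP1` from this condition (or adding a second comment for the server case) so the warning also appears when DH_GROUP1 is the only selected method.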