On Fri, Jun 05, 2020 at 11:00:23AM -0700, Eric Biggers wrote: > On Fri, Jun 05, 2020 at 10:39:31AM -0700, Eric Biggers wrote: > > From: Eric Biggers <ebiggers@xxxxxxxxxx> > > > > diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig > > index 23ba5045e3d3..6520b30883cf 100644 > > --- a/net/ipv4/Kconfig > > +++ b/net/ipv4/Kconfig > > @@ -361,6 +361,7 @@ config INET_ESP > > select CRYPTO_SHA1 > > select CRYPTO_DES > > select CRYPTO_ECHAINIV > > + select CRYPTO_SEQIV if CRYPTO_CTR || CRYPTO_CHACHA20POLY1305 > > ---help--- > > Support for IPsec ESP. > > > > Oops, this doesn't actually work: > > scripts/kconfig/conf --olddefconfig Kconfig > crypto/Kconfig:1799:error: recursive dependency detected! > crypto/Kconfig:1799: symbol CRYPTO_DRBG_MENU is selected by CRYPTO_RNG_DEFAULT > crypto/Kconfig:83: symbol CRYPTO_RNG_DEFAULT is selected by CRYPTO_SEQIV > crypto/Kconfig:330: symbol CRYPTO_SEQIV is selected by CRYPTO_CTR > crypto/Kconfig:370: symbol CRYPTO_CTR is selected by CRYPTO_DRBG_CTR > crypto/Kconfig:1819: symbol CRYPTO_DRBG_CTR depends on CRYPTO_DRBG_MENU > For a resolution refer to Documentation/kbuild/kconfig-language.rst > subsection "Kconfig recursive dependency limitations" > > > I guess we need to go with v1 (which just had 'select CRYPTO_SEQIV'), > or else make users explicitly select CRYPTO_SEQIV? I think we should make INET_ESP to select everything that is needed to instantiate the ciphers marked as 'MUST' in RFC 8221 and let the users explicitly select everything else.