From 4d1074cc7752481d04ca6f50e77fc28390c74d12 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 21 2020 21:19:03 +0000 Subject: import frr-7.0-5.el8 --- diff --git a/SOURCES/0002-enable-openssl.patch b/SOURCES/0002-enable-openssl.patch new file mode 100644 index 0000000..dd423b9 --- /dev/null +++ b/SOURCES/0002-enable-openssl.patch @@ -0,0 +1,333 @@ +diff --git a/configure.ac b/configure.ac +index 9f8b31b..38781da 100755 +--- a/configure.ac ++++ b/configure.ac +@@ -529,6 +529,20 @@ AC_ARG_ENABLE([thread-sanitizer], + AS_HELP_STRING([--enable-thread-sanitizer], [enable ThreadSanitizer support for detecting data races])) + AC_ARG_ENABLE([memory-sanitizer], + AS_HELP_STRING([--enable-memory-sanitizer], [enable MemorySanitizer support for detecting uninitialized memory reads])) ++AC_ARG_WITH([crypto], ++ AS_HELP_STRING([--with-crypto=], [choose between different implementations of cryptographic functions(default value is --with-crypto=internal)])) ++ ++#if openssl, else use internal as default ++AS_IF([test x"${with_crypto}" = x"openssl"], [ ++ AC_CHECK_LIB([crypto], [EVP_DigestInit], [LIBS="$LIBS -lcrypto"], [], []) ++ if test "$ac_cv_lib_crypto_EVP_DigestInit" = no; then ++ AC_MSG_ERROR([build with openssl has been specified but openssl library was not found on your system]) ++ else ++ AC_DEFINE([CRYPTO_OPENSSL], [1], [Compile with openssl support]) ++ fi ++], [test x"${with_crypto}" = x"internal" || test x"${with_crypto}" = x"" ], [AC_DEFINE([CRYPTO_INTERNAL], [1], [Compile with internal cryptographic implementation]) ++], [AC_MSG_ERROR([Unknown value for --with-crypto])] ++) + + AS_IF([test "${enable_clippy_only}" != "yes"], [ + AC_CHECK_HEADERS([json-c/json.h]) +diff --git a/lib/subdir.am b/lib/subdir.am +index 0b7af18..0533e24 100644 +--- a/lib/subdir.am ++++ b/lib/subdir.am +@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \ + lib/libfrr.c \ + lib/linklist.c \ + lib/log.c \ +- lib/md5.c \ + lib/memory.c \ + lib/memory_vty.c \ + lib/module.c \ +diff --git a/lib/subdir.am b/lib/subdir.am +index 0533e24..b3d3700 100644 +--- a/lib/subdir.am ++++ b/lib/subdir.am +@@ -170,7 +170,6 @@ pkginclude_HEADERS += \ + lib/libospf.h \ + lib/linklist.h \ + lib/log.h \ +- lib/md5.h \ + lib/memory.h \ + lib/memory_vty.h \ + lib/module.h \ +diff --git a/lib/subdir.am b/lib/subdir.am +index 53f7115..cea866f 100644 +--- a/lib/subdir.am ++++ b/lib/subdir.am +@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \ + lib/ringbuf.c \ + lib/routemap.c \ + lib/sbuf.c \ +- lib/sha256.c \ + lib/sigevent.c \ + lib/skiplist.c \ + lib/sockopt.c \ +@@ -191,7 +190,6 @@ pkginclude_HEADERS += \ + lib/ringbuf.h \ + lib/routemap.h \ + lib/sbuf.h \ +- lib/sha256.h \ + lib/sigevent.h \ + lib/skiplist.h \ + lib/smux.h \ +diff --git a/lib/zebra.h b/lib/zebra.h +index 22239f8e60..a308d46cc9 100644 +--- a/lib/zebra.h ++++ b/lib/zebra.h +@@ -134,6 +134,11 @@ typedef unsigned char uint8_t; + #endif + #endif + ++#ifdef CRYPTO_OPENSSL ++#include ++#include ++#endif ++ + #include "openbsd-tree.h" + + #include +diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c +index 6bc8c25153..b951e94ae6 100644 +--- a/ospfd/ospf_packet.c ++++ b/ospfd/ospf_packet.c +@@ -33,7 +33,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#if !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE) + #include "md5.h" ++#endif + #include "vrf.h" + #include "lib_errors.h" + +@@ -332,7 +334,11 @@ static unsigned int ospf_packet_max(struct ospf_interface *oi) + static int ospf_check_md5_digest(struct ospf_interface *oi, + struct ospf_header *ospfh) + { ++#ifdef CRYPTO_OPENSSL ++ EVP_MD_CTX *ctx; ++#else + MD5_CTX ctx; ++#endif + unsigned char digest[OSPF_AUTH_MD5_SIZE]; + struct crypt_key *ck; + struct ospf_neighbor *nbr; +@@ -361,11 +367,21 @@ static int ospf_check_md5_digest(struct ospf_interface *oi, + } + + /* Generate a digest for the ospf packet - their digest + our digest. */ ++#ifdef CRYPTO_OPENSSL ++ unsigned int md5_size = OSPF_AUTH_MD5_SIZE; ++ ctx = EVP_MD_CTX_new(); ++ EVP_DigestInit(ctx, EVP_md5()); ++ EVP_DigestUpdate(ctx, ospfh, length); ++ EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE); ++ EVP_DigestFinal(ctx, digest, &md5_size); ++ EVP_MD_CTX_free(ctx); ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + MD5Update(&ctx, ospfh, length); + MD5Update(&ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE); + MD5Final(digest, &ctx); ++#endif + + /* compare the two */ + if (memcmp((caddr_t)ospfh + length, digest, OSPF_AUTH_MD5_SIZE)) { +@@ -389,7 +404,11 @@ static int ospf_make_md5_digest(struct ospf_interface *oi, + { + struct ospf_header *ospfh; + unsigned char digest[OSPF_AUTH_MD5_SIZE] = {0}; ++#ifdef CRYPTO_OPENSSL ++ EVP_MD_CTX *ctx; ++#else + MD5_CTX ctx; ++#endif + void *ibuf; + uint32_t t; + struct crypt_key *ck; +@@ -422,11 +441,21 @@ static int ospf_make_md5_digest(struct ospf_interface *oi, + } + + /* Generate a digest for the entire packet + our secret key. */ ++#ifdef CRYPTO_OPENSSL ++ unsigned int md5_size = OSPF_AUTH_MD5_SIZE; ++ ctx = EVP_MD_CTX_new(); ++ EVP_DigestInit(ctx, EVP_md5()); ++ EVP_DigestUpdate(ctx, ibuf, ntohs(ospfh->length)); ++ EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE); ++ EVP_DigestFinal(ctx, digest, &md5_size); ++ EVP_MD_CTX_free(ctx); ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + MD5Update(&ctx, ibuf, ntohs(ospfh->length)); + MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE); + MD5Final(digest, &ctx); ++#endif + + /* Append md5 digest to the end of the stream. */ + stream_put(op->s, digest, OSPF_AUTH_MD5_SIZE); +diff --git a/ripd/ripd.c b/ripd/ripd.c +index e0ff0430f8..b311ac5717 100644 +--- a/ripd/ripd.c ++++ b/ripd/ripd.c +@@ -37,7 +37,9 @@ + #include "if_rmap.h" + #include "plist.h" + #include "distribute.h" ++#if !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE) + #include "md5.h" ++#endif + #include "keychain.h" + #include "privs.h" + #include "lib_errors.h" +@@ -870,7 +872,11 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from, + struct rip_md5_data *md5data; + struct keychain *keychain; + struct key *key; ++#ifdef CRYPTO_OPENSSL ++ EVP_MD_CTX *ctx; ++#else + MD5_CTX ctx; ++#endif + uint8_t digest[RIP_AUTH_MD5_SIZE]; + uint16_t packet_len; + char auth_str[RIP_AUTH_MD5_SIZE]; +@@ -934,11 +940,21 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from, + return 0; + + /* MD5 digest authentication. */ ++#ifdef CRYPTO_OPENSSL ++ unsigned int md5_size = RIP_AUTH_MD5_SIZE; ++ ctx = EVP_MD_CTX_new(); ++ EVP_DigestInit(ctx, EVP_md5()); ++ EVP_DigestUpdate(ctx, packet, packet_len + RIP_HEADER_SIZE); ++ EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE); ++ EVP_DigestFinal(ctx, digest, &md5_size); ++ EVP_MD_CTX_free(ctx); ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + MD5Update(&ctx, packet, packet_len + RIP_HEADER_SIZE); + MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE); + MD5Final(digest, &ctx); ++#endif + + if (memcmp(md5data->digest, digest, RIP_AUTH_MD5_SIZE) == 0) + return packet_len; +@@ -1063,7 +1078,11 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri, + size_t doff, char *auth_str, int authlen) + { + unsigned long len; ++#ifdef CRYPTO_OPENSSL ++ EVP_MD_CTX *ctx; ++#else + MD5_CTX ctx; ++#endif + unsigned char digest[RIP_AUTH_MD5_SIZE]; + + /* Make it sure this interface is configured as MD5 +@@ -1092,11 +1111,21 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri, + stream_putw(s, RIP_AUTH_DATA); + + /* Generate a digest for the RIP packet. */ ++#ifdef CRYPTO_OPENSSL ++ unsigned int md5_size = RIP_AUTH_MD5_SIZE; ++ ctx = EVP_MD_CTX_new(); ++ EVP_DigestInit(ctx, EVP_md5()); ++ EVP_DigestUpdate(ctx, STREAM_DATA(s), stream_get_endp(s)); ++ EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE); ++ EVP_DigestFinal(ctx, digest, &md5_size); ++ EVP_MD_CTX_free(ctx); ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + MD5Update(&ctx, STREAM_DATA(s), stream_get_endp(s)); + MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE); + MD5Final(digest, &ctx); ++#endif + + /* Copy the digest to the packet. */ + stream_write(s, digest, RIP_AUTH_MD5_SIZE); +diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c +index 488dfedae4..862d675e84 100644 +--- a/isisd/isis_tlvs.c ++++ b/isisd/isis_tlvs.c +@@ -22,7 +22,9 @@ + */ + #include + ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "memory.h" + #include "stream.h" + #include "sbuf.h" +@@ -2770,8 +2772,13 @@ static void update_auth_hmac_md5(struct isis_auth *auth, struct stream *s, + safe_auth_md5(s, &checksum, &rem_lifetime); + + memset(STREAM_DATA(s) + auth->offset, 0, 16); ++#ifdef CRYPTO_OPENSSL ++ uint8_t* result = (uint8_t*)HMAC(EVP_md5(), auth->passwd, auth->plength, STREAM_DATA(s), stream_get_endp(s), NULL, NULL); ++ memcpy(digest, result, 16); ++#elif CRYPTO_INTERNAL + hmac_md5(STREAM_DATA(s), stream_get_endp(s), auth->passwd, + auth->plength, digest); ++#endif + memcpy(auth->value, digest, 16); + memcpy(STREAM_DATA(s) + auth->offset, digest, 16); + +@@ -3310,8 +3317,13 @@ static bool auth_validator_hmac_md5(struct isis_passwd *passwd, + safe_auth_md5(stream, &checksum, &rem_lifetime); + + memset(STREAM_DATA(stream) + auth->offset, 0, 16); ++#ifdef CRYPTO_OPENSSL ++ uint8_t* result = (uint8_t*)HMAC(EVP_md5(), passwd->passwd, passwd->len, STREAM_DATA(stream), stream_get_endp(stream), NULL, NULL); ++ memcpy(digest, result, 16); ++#elif CRYPTO_INTERNAL + hmac_md5(STREAM_DATA(stream), stream_get_endp(stream), passwd->passwd, + passwd->len, digest); ++#endif + memcpy(STREAM_DATA(stream) + auth->offset, auth->value, 16); + + bool rv = !memcmp(digest, auth->value, 16); +diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c +index 1991666..2e4fe55 100644 +--- a/isisd/isis_lsp.c ++++ b/isisd/isis_lsp.c +@@ -35,7 +35,9 @@ + #include "hash.h" + #include "if.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "table.h" + #include "srcdest_table.h" + #include "lib_errors.h" +diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c +index 9c63311..7cf594c 100644 +--- a/isisd/isis_pdu.c ++++ b/isisd/isis_pdu.c +@@ -33,7 +33,9 @@ + #include "prefix.h" + #include "if.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "lib_errors.h" + + #include "isisd/dict.h" +diff --git a/isisd/isis_te.c b/isisd/isis_te.c +index 4ea6c2c..72ff0d2 100644 +--- a/isisd/isis_te.c ++++ b/isisd/isis_te.c +@@ -38,7 +38,9 @@ + #include "if.h" + #include "vrf.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "sockunion.h" + #include "network.h" + #include "sbuf.h" diff --git a/SOURCES/0003-disable-eigrp-crypto.patch b/SOURCES/0003-disable-eigrp-crypto.patch new file mode 100644 index 0000000..58734df --- /dev/null +++ b/SOURCES/0003-disable-eigrp-crypto.patch @@ -0,0 +1,253 @@ +diff --git a/eigrpd/eigrp_vty.c b/eigrpd/eigrp_vty.c +index fc5bdbd..56ebac6 100644 +--- a/eigrpd/eigrp_vty.c ++++ b/eigrpd/eigrp_vty.c +@@ -968,6 +968,9 @@ DEFUN (eigrp_authentication_mode, + "Keyed message digest\n" + "HMAC SHA256 algorithm \n") + { ++ vty_out(vty, " EIGRP Authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ + VTY_DECLVAR_CONTEXT(interface, ifp); + struct eigrp_interface *ei = ifp->info; + struct eigrp *eigrp; +@@ -1003,6 +1006,9 @@ DEFUN (no_eigrp_authentication_mode, + "Keyed message digest\n" + "HMAC SHA256 algorithm \n") + { ++ vty_out(vty, " EIGRP Authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ + VTY_DECLVAR_CONTEXT(interface, ifp); + struct eigrp_interface *ei = ifp->info; + struct eigrp *eigrp; +@@ -1034,6 +1040,9 @@ DEFPY (eigrp_authentication_keychain, + "Autonomous system number\n" + "Name of key-chain\n") + { ++ vty_out(vty, " EIGRP Authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ + VTY_DECLVAR_CONTEXT(interface, ifp); + struct eigrp_interface *ei = ifp->info; + struct eigrp *eigrp; +diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c +index bedaf15..8dc09bf 100644 +--- a/eigrpd/eigrp_packet.c ++++ b/eigrpd/eigrp_packet.c +@@ -40,8 +40,10 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" + #include "sha256.h" ++#endif + #include "lib_errors.h" + + #include "eigrpd/eigrp_structs.h" +@@ -95,8 +97,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + struct key *key = NULL; + struct keychain *keychain; + ++ + unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; ++#ifdef CRYPTO_OPENSSL ++#elif CRYPTO_INTERNAL + MD5_CTX ctx; ++#endif + uint8_t *ibuf; + size_t backup_get, backup_end; + struct TLV_MD5_Authentication_Type *auth_TLV; +@@ -119,6 +125,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + return EIGRP_AUTH_TYPE_NONE; + } + ++#ifdef CRYPTO_OPENSSL ++//TBD when this is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + +@@ -146,7 +155,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + } + + MD5Final(digest, &ctx); +- ++#endif + /* Append md5 digest to the end of the stream. */ + memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN); + +@@ -162,7 +171,10 @@ int eigrp_check_md5_digest(struct stream *s, + struct TLV_MD5_Authentication_Type *authTLV, + struct eigrp_neighbor *nbr, uint8_t flags) + { ++#ifdef CRYPTO_OPENSSL ++#elif CRYPTO_INTERNAL + MD5_CTX ctx; ++#endif + unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; + unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN]; + struct key *key = NULL; +@@ -203,6 +215,9 @@ int eigrp_check_md5_digest(struct stream *s, + return 0; + } + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + +@@ -230,6 +245,7 @@ int eigrp_check_md5_digest(struct stream *s, + } + + MD5Final(digest, &ctx); ++#endif + + /* compare the two */ + if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) { +@@ -254,7 +270,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN]; + unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0}; + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + HMAC_SHA256_CTX ctx; ++#endif + void *ibuf; + size_t backup_get, backup_end; + struct TLV_SHA256_Authentication_Type *auth_TLV; +@@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + + inet_ntop(AF_INET, &ei->address->u.prefix4, source_ip, PREFIX_STRLEN); + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + buffer[0] = '\n'; + memcpy(buffer + 1, key, strlen(key->string)); +@@ -291,7 +314,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + 1 + strlen(key->string) + strlen(source_ip)); + HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf)); + HMAC__SHA256_Final(digest, &ctx); +- ++#endif + + /* Put hmac-sha256 digest to it's place */ + memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN); +diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c +index 93eed94..f1c7347 100644 +--- a/eigrpd/eigrp_filter.c ++++ b/eigrpd/eigrp_filter.c +@@ -47,7 +47,9 @@ + #include "if_rmap.h" + #include "plist.h" + #include "distribute.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "keychain.h" + #include "privs.h" + #include "vrf.h" +diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c +index dacd5ca..b232cc5 100644 +--- a/eigrpd/eigrp_hello.c ++++ b/eigrpd/eigrp_hello.c +@@ -43,7 +43,9 @@ + #include "sockopt.h" + #include "checksum.h" + #include "vty.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + + #include "eigrpd/eigrp_structs.h" + #include "eigrpd/eigrpd.h" +diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c +index 84dcf5e..a2575e3 100644 +--- a/eigrpd/eigrp_query.c ++++ b/eigrpd/eigrp_query.c +@@ -38,7 +38,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c +index ccf0496..2902365 100644 +--- a/eigrpd/eigrp_reply.c ++++ b/eigrpd/eigrp_reply.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + #include "keychain.h" + #include "plist.h" +diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c +index ff38325..09b9369 100644 +--- a/eigrpd/eigrp_siaquery.c ++++ b/eigrpd/eigrp_siaquery.c +@@ -38,7 +38,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c +index d3dd123..f6a2bd6 100644 +--- a/eigrpd/eigrp_siareply.c ++++ b/eigrpd/eigrp_siareply.c +@@ -37,7 +37,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c +index 21c9238..cfb8890 100644 +--- a/eigrpd/eigrp_snmp.c ++++ b/eigrpd/eigrp_snmp.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "keychain.h" + #include "smux.h" + +diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c +index 8db4903..2a4f0bb 100644 +--- a/eigrpd/eigrp_update.c ++++ b/eigrpd/eigrp_update.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + #include "plist.h" + #include "plist_int.h" diff --git a/SOURCES/0004-fips-mode.patch b/SOURCES/0004-fips-mode.patch new file mode 100644 index 0000000..ddb522e --- /dev/null +++ b/SOURCES/0004-fips-mode.patch @@ -0,0 +1,103 @@ +diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c +index 631465f..e084ff3 100644 +--- a/ospfd/ospf_vty.c ++++ b/ospfd/ospf_vty.c +@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink, + + if (argv_find(argv, argc, "message-digest", &idx)) { + /* authentication message-digest */ ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC; + } else if (argv_find(argv, argc, "null", &idx)) { + /* "authentication null" */ +@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest, + ? OSPF_AUTH_NULL + : OSPF_AUTH_CRYPTOGRAPHIC; + ++ if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC) ++ { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } ++ } ++ + return CMD_SUCCESS; + } + +@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args, + + /* Handle message-digest authentication */ + if (argv[idx_encryption]->arg[0] == 'm') { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + SET_IF_PARAM(params, auth_type); + params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC; + return CMD_SUCCESS; +@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key, + "The OSPF password (key)\n" + "Address of interface\n") + { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + VTY_DECLVAR_CONTEXT(interface, ifp); + struct crypt_key *ck; + uint8_t key_id; +diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c +index 81b4b39..cce33d9 100644 +--- a/isisd/isis_circuit.c ++++ b/isisd/isis_circuit.c +@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit, + return ferr_code_bug( + "circuit password too long (max 254 chars)"); + ++ //When in FIPS mode, the password never gets set in MD5 ++ if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode()) ++ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); ++ + circuit->passwd.len = len; + strncpy((char *)circuit->passwd.passwd, passwd, 255); + circuit->passwd.type = passwd_type; +diff --git a/isisd/isisd.c b/isisd/isisd.c +index 419127c..a6c36af 100644 +--- a/isisd/isisd.c ++++ b/isisd/isisd.c +@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level, + if (len > 254) + return -1; + ++ //When in FIPS mode, the password never get set in MD5 ++ if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode())) ++ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); ++ + modified.len = len; + strncpy((char *)modified.passwd, passwd, 255); + modified.type = passwd_type; +diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c +index 5bb81ef..02a09ef 100644 +--- a/ripd/rip_cli.c ++++ b/ripd/rip_cli.c +@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode, + value = "20"; + } + ++ if(strmatch(mode, "md5") && FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } ++ + nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY, + strmatch(mode, "md5") ? "md5" : "plain-text"); + nb_cli_enqueue_change(vty, "./authentication-scheme/md5-auth-length", diff --git a/SPECS/frr.spec b/SPECS/frr.spec index 021846e..4d2929b 100644 --- a/SPECS/frr.spec +++ b/SPECS/frr.spec @@ -9,7 +9,7 @@ Name: frr Version: 7.0 -Release: 4%{?checkout}%{?dist} +Release: 5%{?checkout}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org @@ -25,7 +25,7 @@ BuildRequires: json-c-devel bison >= 2.7 flex perl-XML-LibXML BuildRequires: python3-devel python3-sphinx python3-pytest BuildRequires: systemd systemd-devel BuildRequires: libyang-devel -Requires: net-snmp ncurses libyang-devel +Requires: net-snmp ncurses Requires(post): systemd /sbin/install-info Requires(preun): systemd /sbin/install-info Requires(postun): systemd @@ -34,6 +34,9 @@ Obsoletes: frr-sysvinit quagga Patch0000: 0000-remove-babeld-and-ldpd.patch Patch0001: 0001-use-python3.patch +Patch0002: 0002-enable-openssl.patch +Patch0003: 0003-disable-eigrp-crypto.patch +Patch0004: 0004-fips-mode.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes @@ -86,6 +89,7 @@ autoreconf -ivf --disable-ldpd \ --disable-babeld \ --with-moduledir=%{_libdir}/frr/modules \ + --with-crypto=openssl \ --enable-fpm %make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3} @@ -182,7 +186,7 @@ make check PYTHON=%{__python3} %{_libdir}/frr/*.so.* %{_libdir}/frr/modules/* %config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr -/etc/frr/daemons +%config(noreplace) /etc/frr/daemons %config(noreplace) /etc/pam.d/frr %{_unitdir}/*.service /usr/share/yang/*.yang @@ -210,6 +214,9 @@ make check PYTHON=%{__python3} %{_includedir}/frr/eigrpd/*.h %changelog +* Tue Sep 03 2019 Michal Ruprich - 7.0-5 +- Resolves: #1719465 - Removal of component Frr or its crypto + * Wed Jun 19 2019 Michal Ruprich - 7.0-4 - Related: #1657029 - frr-contrib is back, it is breaking the rpmdeplint test