New way of finding python version during build

Replacing crypto of all routing daemons with openssl
Disabling EIGRP crypto because it is broken
Disabling crypto in FIPS mode
Michal Ruprich 2019-09-13 16:38:56 +02:00
parent 3cdc475215
commit 1924a87e88
5 changed files with 1533 additions and 1 deletions

325
0002-enable-openssl.patch Normal file

@ -0,0 +1,325 @@
diff --git a/configure.ac b/configure.ac
index 9f8b31b..38781da 100755
--- a/configure.ac
+++ b/configure.ac
@@ -529,6 +529,20 @@ AC_ARG_ENABLE([thread-sanitizer],
AS_HELP_STRING([--enable-thread-sanitizer], [enable ThreadSanitizer support for detecting data races]))
AC_ARG_ENABLE([memory-sanitizer],
AS_HELP_STRING([--enable-memory-sanitizer], [enable MemorySanitizer support for detecting uninitialized memory reads]))
+AC_ARG_WITH([crypto],
+ AS_HELP_STRING([--with-crypto=<internal|openssl>], [choose between different implementations of cryptographic functions(default value is --with-crypto=internal)]))
+
+#if openssl, else use internal as default
+AS_IF([test x"${with_crypto}" = x"openssl"], [
+ AC_CHECK_LIB([crypto], [EVP_DigestInit], [LIBS="$LIBS -lcrypto"], [], [])
+ if test "$ac_cv_lib_crypto_EVP_DigestInit" = no; then
+ AC_MSG_ERROR([build with openssl has been specified but openssl library was not found on your system])
+ else
+ AC_DEFINE([CRYPTO_OPENSSL], [1], [Compile with openssl support])
+ fi
+], [test x"${with_crypto}" = x"internal" || test x"${with_crypto}" = x"" ], [AC_DEFINE([CRYPTO_INTERNAL], [1], [Compile with internal cryptographic implementation])
+], [AC_MSG_ERROR([Unknown value for --with-crypto])]
+)
AS_IF([test "${enable_clippy_only}" != "yes"], [
AC_CHECK_HEADERS([json-c/json.h])
diff --git a/lib/subdir.am b/lib/subdir.am
index 0b7af18..0533e24 100644
--- a/lib/subdir.am
+++ b/lib/subdir.am
@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \
lib/libfrr.c \
lib/linklist.c \
lib/log.c \
- lib/md5.c \
lib/memory.c \
lib/memory_vty.c \
lib/mlag.c \
@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
lib/routemap.c \
lib/sbuf.c \
lib/seqlock.c \
- lib/sha256.c \
lib/sigevent.c \
lib/skiplist.c \
lib/sockopt.c \
@@ -170,7 +170,6 @@ pkginclude_HEADERS += \
lib/libospf.h \
lib/linklist.h \
lib/log.h \
- lib/md5.h \
lib/memory.h \
lib/memory_vty.h \
lib/module.h \
@@ -191,7 +190,6 @@ pkginclude_HEADERS += \
lib/routemap.h \
lib/sbuf.h \
lib/seqlock.h \
- lib/sha256.h \
lib/sigevent.h \
lib/skiplist.h \
lib/smux.h \
diff --git a/lib/zebra.h b/lib/zebra.h
index 22239f8e60..a308d46cc9 100644
--- a/lib/zebra.h
+++ b/lib/zebra.h
@@ -134,6 +134,11 @@ typedef unsigned char uint8_t;
#endif
#endif
+#ifdef CRYPTO_OPENSSL
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#endif
+
#include "openbsd-tree.h"
#include <netinet/in.h>
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 6bc8c25153..b951e94ae6 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -33,7 +33,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#if !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE)
#include "md5.h"
+#endif
#include "vrf.h"
#include "lib_errors.h"
@@ -332,7 +334,11 @@ static unsigned int ospf_packet_max(struct ospf_interface *oi)
static int ospf_check_md5_digest(struct ospf_interface *oi,
struct ospf_header *ospfh)
{
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
unsigned char digest[OSPF_AUTH_MD5_SIZE];
struct crypt_key *ck;
struct ospf_neighbor *nbr;
@@ -361,11 +367,21 @@ static int ospf_check_md5_digest(struct ospf_interface *oi,
}
/* Generate a digest for the ospf packet - their digest + our digest. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, ospfh, length);
+ EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, ospfh, length);
MD5Update(&ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
/* compare the two */
if (memcmp((caddr_t)ospfh + length, digest, OSPF_AUTH_MD5_SIZE)) {
@@ -389,7 +404,11 @@ static int ospf_make_md5_digest(struct ospf_interface *oi,
{
struct ospf_header *ospfh;
unsigned char digest[OSPF_AUTH_MD5_SIZE] = {0};
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
void *ibuf;
uint32_t t;
struct crypt_key *ck;
@@ -422,11 +441,21 @@ static int ospf_make_md5_digest(struct ospf_interface *oi,
}
/* Generate a digest for the entire packet + our secret key. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, ibuf, ntohs(ospfh->length));
+ EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, ibuf, ntohs(ospfh->length));
MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
/* Append md5 digest to the end of the stream. */
stream_put(op->s, digest, OSPF_AUTH_MD5_SIZE);
diff --git a/ripd/ripd.c b/ripd/ripd.c
index e0ff0430f8..b311ac5717 100644
--- a/ripd/ripd.c
+++ b/ripd/ripd.c
@@ -37,7 +37,9 @@
#include "if_rmap.h"
#include "plist.h"
#include "distribute.h"
+#if !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE)
#include "md5.h"
+#endif
#include "keychain.h"
#include "privs.h"
#include "lib_errors.h"
@@ -870,7 +872,11 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from,
struct rip_md5_data *md5data;
struct keychain *keychain;
struct key *key;
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
uint8_t digest[RIP_AUTH_MD5_SIZE];
uint16_t packet_len;
char auth_str[RIP_AUTH_MD5_SIZE] = {};
@@ -934,11 +940,21 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from,
return 0;
/* MD5 digest authentication. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = RIP_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, packet, packet_len + RIP_HEADER_SIZE);
+ EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, packet, packet_len + RIP_HEADER_SIZE);
MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
if (memcmp(md5data->digest, digest, RIP_AUTH_MD5_SIZE) == 0)
return packet_len;
@@ -1063,7 +1078,11 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri,
size_t doff, char *auth_str, int authlen)
{
unsigned long len;
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
unsigned char digest[RIP_AUTH_MD5_SIZE];
/* Make it sure this interface is configured as MD5
@@ -1092,11 +1111,21 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri,
stream_putw(s, RIP_AUTH_DATA);
/* Generate a digest for the RIP packet. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = RIP_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, STREAM_DATA(s), stream_get_endp(s));
+ EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, STREAM_DATA(s), stream_get_endp(s));
MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
/* Copy the digest to the packet. */
stream_write(s, digest, RIP_AUTH_MD5_SIZE);
diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
index 488dfedae4..862d675e84 100644
--- a/isisd/isis_tlvs.c
+++ b/isisd/isis_tlvs.c
@@ -22,7 +22,9 @@
*/
#include <zebra.h>
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "memory.h"
#include "stream.h"
#include "sbuf.h"
@@ -2770,8 +2772,13 @@ static void update_auth_hmac_md5(struct isis_auth *auth, struct stream *s,
safe_auth_md5(s, &checksum, &rem_lifetime);
memset(STREAM_DATA(s) + auth->offset, 0, 16);
+#ifdef CRYPTO_OPENSSL
+ uint8_t* result = (uint8_t*)HMAC(EVP_md5(), auth->passwd, auth->plength, STREAM_DATA(s), stream_get_endp(s), NULL, NULL);
+ memcpy(digest, result, 16);
+#elif CRYPTO_INTERNAL
hmac_md5(STREAM_DATA(s), stream_get_endp(s), auth->passwd,
auth->plength, digest);
+#endif
memcpy(auth->value, digest, 16);
memcpy(STREAM_DATA(s) + auth->offset, digest, 16);
@@ -3310,8 +3317,13 @@ static bool auth_validator_hmac_md5(struct isis_passwd *passwd,
safe_auth_md5(stream, &checksum, &rem_lifetime);
memset(STREAM_DATA(stream) + auth->offset, 0, 16);
+#ifdef CRYPTO_OPENSSL
+ uint8_t* result = (uint8_t*)HMAC(EVP_md5(), passwd->passwd, passwd->len, STREAM_DATA(stream), stream_get_endp(stream), NULL, NULL);
+ memcpy(digest, result, 16);
+#elif CRYPTO_INTERNAL
hmac_md5(STREAM_DATA(stream), stream_get_endp(stream), passwd->passwd,
passwd->len, digest);
+#endif
memcpy(STREAM_DATA(stream) + auth->offset, auth->value, 16);
bool rv = !memcmp(digest, auth->value, 16);
diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
index 1991666..2e4fe55 100644
--- a/isisd/isis_lsp.c
+++ b/isisd/isis_lsp.c
@@ -35,7 +35,9 @@
#include "hash.h"
#include "if.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "table.h"
#include "srcdest_table.h"
#include "lib_errors.h"
diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c
index 9c63311..7cf594c 100644
--- a/isisd/isis_pdu.c
+++ b/isisd/isis_pdu.c
@@ -33,7 +33,9 @@
#include "prefix.h"
#include "if.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "lib_errors.h"
#include "isisd/isis_constants.h"
diff --git a/isisd/isis_te.c b/isisd/isis_te.c
index 4ea6c2c..72ff0d2 100644
--- a/isisd/isis_te.c
+++ b/isisd/isis_te.c
@@ -38,7 +38,9 @@
#include "if.h"
#include "vrf.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "sockunion.h"
#include "network.h"
#include "sbuf.h"
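Review bot: The OpenSSL branches ignore every return value, and in `ospf_check_md5_digest` (ospfd/ospf_packet.c) that lets a failed digest computation reach the comparison: `digest` has no initializer there, so if `EVP_MD_CTX_new()` returns NULL or `EVP_DigestInit(ctx, EVP_md5())` is refused by the library, the `memcmp` that follows runs against uninitialised stack bytes instead of rejecting the packet. The same unchecked sequence is repeated in `ospf_make_md5_digest`, `rip_auth_md5` and `rip_auth_md5_set`. The two isisd/isis_tlvs.c hunks pass the result of `HMAC()` straight to `memcpy` although it may be NULL; passing `digest` and a length variable as the last two `HMAC()` arguments and checking the result would avoid both the dereference and the library's static, non-thread-safe buffer. I would check each call and fail closed, as sketched below for the OSPF verify path; the function bodies start and end outside the hunks, so the failure return value is an assumption to confirm.

```c
#ifdef CRYPTO_OPENSSL
	unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
	int md5_ok;

	ctx = EVP_MD_CTX_new();
	md5_ok = ctx != NULL
		 && EVP_DigestInit(ctx, EVP_md5()) == 1
		 && EVP_DigestUpdate(ctx, ospfh, length) == 1
		 && EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE) == 1
		 && EVP_DigestFinal(ctx, digest, &md5_size) == 1
		 && md5_size == OSPF_AUTH_MD5_SIZE;
	EVP_MD_CTX_free(ctx); /* a NULL ctx is accepted */
	if (!md5_ok)
		return 0; /* assumed reject value; confirm against the function's other failure paths */
#elif CRYPTO_INTERNAL
	/* … unchanged: internal MD5Init/MD5Update/MD5Final sequence … */
#endif
```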


@ -0,0 +1,253 @@
diff --git a/eigrpd/eigrp_vty.c b/eigrpd/eigrp_vty.c
index fc5bdbd..56ebac6 100644
--- a/eigrpd/eigrp_vty.c
+++ b/eigrpd/eigrp_vty.c
@@ -968,6 +968,9 @@ DEFUN (eigrp_authentication_mode,
"Keyed message digest\n"
"HMAC SHA256 algorithm \n")
{
+ vty_out(vty, " EIGRP Authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+
VTY_DECLVAR_CONTEXT(interface, ifp);
struct eigrp_interface *ei = ifp->info;
struct eigrp *eigrp;
@@ -1003,6 +1006,9 @@ DEFUN (no_eigrp_authentication_mode,
"Keyed message digest\n"
"HMAC SHA256 algorithm \n")
{
+ vty_out(vty, " EIGRP Authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+
VTY_DECLVAR_CONTEXT(interface, ifp);
struct eigrp_interface *ei = ifp->info;
struct eigrp *eigrp;
@@ -1034,6 +1040,9 @@ DEFPY (eigrp_authentication_keychain,
"Autonomous system number\n"
"Name of key-chain\n")
{
+ vty_out(vty, " EIGRP Authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+
VTY_DECLVAR_CONTEXT(interface, ifp);
struct eigrp_interface *ei = ifp->info;
struct eigrp *eigrp;
diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c
index bedaf15..8dc09bf 100644
--- a/eigrpd/eigrp_packet.c
+++ b/eigrpd/eigrp_packet.c
@@ -40,8 +40,10 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
#include "sha256.h"
+#endif
#include "lib_errors.h"
#include "eigrpd/eigrp_structs.h"
@@ -95,8 +97,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
struct key *key = NULL;
struct keychain *keychain;
+
unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
+#ifdef CRYPTO_OPENSSL
+#elif CRYPTO_INTERNAL
MD5_CTX ctx;
+#endif
uint8_t *ibuf;
size_t backup_get, backup_end;
struct TLV_MD5_Authentication_Type *auth_TLV;
@@ -119,6 +125,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
return EIGRP_AUTH_TYPE_NONE;
}
+#ifdef CRYPTO_OPENSSL
+//TBD when this is fixed in upstream
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
@@ -146,7 +155,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
}
MD5Final(digest, &ctx);
-
+#endif
/* Append md5 digest to the end of the stream. */
memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN);
@@ -162,7 +171,10 @@ int eigrp_check_md5_digest(struct stream *s,
struct TLV_MD5_Authentication_Type *authTLV,
struct eigrp_neighbor *nbr, uint8_t flags)
{
+#ifdef CRYPTO_OPENSSL
+#elif CRYPTO_INTERNAL
MD5_CTX ctx;
+#endif
unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN];
struct key *key = NULL;
@@ -203,6 +215,9 @@ int eigrp_check_md5_digest(struct stream *s,
return 0;
}
+#ifdef CRYPTO_OPENSSL
+ //TBD when eigrpd crypto is fixed in upstream
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
@@ -230,6 +245,7 @@ int eigrp_check_md5_digest(struct stream *s,
}
MD5Final(digest, &ctx);
+#endif
/* compare the two */
if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) {
@@ -254,7 +270,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN];
unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0};
+#ifdef CRYPTO_OPENSSL
+ //TBD when eigrpd crypto is fixed in upstream
+#elif CRYPTO_INTERNAL
HMAC_SHA256_CTX ctx;
+#endif
void *ibuf;
size_t backup_get, backup_end;
struct TLV_SHA256_Authentication_Type *auth_TLV;
@@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN);
+#ifdef CRYPTO_OPENSSL
+ //TBD when eigrpd crypto is fixed in upstream
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
buffer[0] = '\n';
memcpy(buffer + 1, key, strlen(key->string));
@@ -291,7 +314,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
1 + strlen(key->string) + strlen(source_ip));
HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf));
HMAC__SHA256_Final(digest, &ctx);
-
+#endif
/* Put hmac-sha256 digest to it's place */
memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN);
diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c
index 93eed94..f1c7347 100644
--- a/eigrpd/eigrp_filter.c
+++ b/eigrpd/eigrp_filter.c
@@ -47,7 +47,9 @@
#include "if_rmap.h"
#include "plist.h"
#include "distribute.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "keychain.h"
#include "privs.h"
#include "vrf.h"
diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c
index dacd5ca..b232cc5 100644
--- a/eigrpd/eigrp_hello.c
+++ b/eigrpd/eigrp_hello.c
@@ -43,7 +43,9 @@
#include "sockopt.h"
#include "checksum.h"
#include "vty.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "eigrpd/eigrp_structs.h"
#include "eigrpd/eigrpd.h"
diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c
index 84dcf5e..a2575e3 100644
--- a/eigrpd/eigrp_query.c
+++ b/eigrpd/eigrp_query.c
@@ -38,7 +38,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "vty.h"
#include "eigrpd/eigrp_structs.h"
diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c
index ccf0496..2902365 100644
--- a/eigrpd/eigrp_reply.c
+++ b/eigrpd/eigrp_reply.c
@@ -42,7 +42,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "vty.h"
#include "keychain.h"
#include "plist.h"
diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c
index ff38325..09b9369 100644
--- a/eigrpd/eigrp_siaquery.c
+++ b/eigrpd/eigrp_siaquery.c
@@ -38,7 +38,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "vty.h"
#include "eigrpd/eigrp_structs.h"
diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c
index d3dd123..f6a2bd6 100644
--- a/eigrpd/eigrp_siareply.c
+++ b/eigrpd/eigrp_siareply.c
@@ -37,7 +37,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "vty.h"
#include "eigrpd/eigrp_structs.h"
diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c
index 21c9238..cfb8890 100644
--- a/eigrpd/eigrp_snmp.c
+++ b/eigrpd/eigrp_snmp.c
@@ -42,7 +42,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "keychain.h"
#include "smux.h"
diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c
index 8db4903..2a4f0bb 100644
--- a/eigrpd/eigrp_update.c
+++ b/eigrpd/eigrp_update.c
@@ -42,7 +42,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "vty.h"
#include "plist.h"
#include "plist_int.h"
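Review bot: With `CRYPTO_OPENSSL` defined the digest computation in `eigrp_check_md5_digest` (eigrpd/eigrp_packet.c) is compiled out, but the `memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN)` after the `#endif` still runs, so verification compares against an uninitialised `digest`. Likewise `eigrp_make_md5_digest` and `eigrp_make_sha256_digest` still `memcpy` an uninitialised `digest` into the outgoing TLV, which would put stack bytes on the wire. The three CLI handlers in eigrp_vty.c now refuse the commands, but whether another path can still leave authentication enabled on an interface is not visible here, so the packet functions should fail closed themselves: `return 0;` in the OpenSSL branch of the check function (the reject value shown just above its `#ifdef`) and `return EIGRP_AUTH_TYPE_NONE;` in `eigrp_make_md5_digest`, with an equivalent early exit in the SHA256 variant, whose return values are outside the hunk. Note also that `no_eigrp_authentication_mode` is blocked as well, so a previously stored authentication setting cannot be cleared from the CLI.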

103
0004-fips-mode.patch Normal file

@ -0,0 +1,103 @@
diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
index 631465f..e084ff3 100644
--- a/ospfd/ospf_vty.c
+++ b/ospfd/ospf_vty.c
@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
if (argv_find(argv, argc, "message-digest", &idx)) {
/* authentication message-digest */
+ if(FIPS_mode())
+ {
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+ }
vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
} else if (argv_find(argv, argc, "null", &idx)) {
/* "authentication null" */
@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest,
? OSPF_AUTH_NULL
: OSPF_AUTH_CRYPTOGRAPHIC;
+ if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC)
+ {
+ if(FIPS_mode())
+ {
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+ }
+ }
+
return CMD_SUCCESS;
}
@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args,
/* Handle message-digest authentication */
if (argv[idx_encryption]->arg[0] == 'm') {
+ if(FIPS_mode())
+ {
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+ }
SET_IF_PARAM(params, auth_type);
params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
return CMD_SUCCESS;
@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
"The OSPF password (key)\n"
"Address of interface\n")
{
+ if(FIPS_mode())
+ {
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+ }
VTY_DECLVAR_CONTEXT(interface, ifp);
struct crypt_key *ck;
uint8_t key_id;
diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
index 81b4b39..cce33d9 100644
--- a/isisd/isis_circuit.c
+++ b/isisd/isis_circuit.c
@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
return ferr_code_bug(
"circuit password too long (max 254 chars)");
+ //When in FIPS mode, the password never gets set in MD5
+ if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
+ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+
circuit->passwd.len = len;
strlcpy((char *)circuit->passwd.passwd, passwd,
sizeof(circuit->passwd.passwd));
diff --git a/isisd/isisd.c b/isisd/isisd.c
index 419127c..a6c36af 100644
--- a/isisd/isisd.c
+++ b/isisd/isisd.c
@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
if (len > 254)
return -1;
+ //When in FIPS mode, the password never get set in MD5
+ if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
+ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+
modified.len = len;
strlcpy((char *)modified.passwd, passwd,
sizeof(modified.passwd));
diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
index 5bb81ef..02a09ef 100644
--- a/ripd/rip_cli.c
+++ b/ripd/rip_cli.c
@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
value = "20";
}
+ if(strmatch(mode, "md5") && FIPS_mode())
+ {
+ vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+ }
+
nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
strmatch(mode, "md5") ? "md5" : "plain-text");
nb_cli_enqueue_change(vty, "./authentication-scheme/md5-auth-length",
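Review bot: In `ospf_area_authentication_message_digest` (ospfd/ospf_vty.c) the FIPS check comes after the auth type has been stored: the context lines `? OSPF_AUTH_NULL : OSPF_AUTH_CRYPTOGRAPHIC;` look like the tail of the assignment to `area->auth_type`, and the new block only reads that field and returns `CMD_WARNING_CONFIG_FAILED` without undoing it, so the area would keep MD5 authentication selected even though the command reports failure. Test `FIPS_mode()` before the assignment (the start of that statement is outside the hunk), or restore the previous value before returning. Separately, `FIPS_mode()` is called in all four files without a `CRYPTO_OPENSSL` guard, so a `--with-crypto=internal` build presumably has no declaration for it, and the function no longer exists in OpenSSL 3.0; a small wrapper in lib/ would keep both concerns in one place. The message in ripd/rip_cli.c reads `md5 authentication id disabled` and should say `is disabled` like the others.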

840
0005-python-3.8-build.patch Normal file

@ -0,0 +1,840 @@
From 45da32d7a417ea639a092029c37c7fcc3bbc7813 Mon Sep 17 00:00:00 2001
From: David Lamparter <equinox@diac24.net>
Date: Tue, 28 May 2019 00:35:24 +0200
Subject: [PATCH] build: refactor & revamp python autoconf logic
Signed-off-by: David Lamparter <equinox@diac24.net>
---
configure.ac | 129 ++------
doc/developer/building-frr-for-centos6.rst | 5 +-
doc/developer/building-frr-for-debian8.rst | 4 +-
doc/developer/building-frr-for-debian9.rst | 4 +-
doc/developer/building-frr-for-fedora.rst | 4 +-
doc/developer/building-frr-for-freebsd10.rst | 2 +-
doc/developer/building-frr-for-freebsd11.rst | 2 +-
doc/developer/building-frr-for-freebsd9.rst | 4 +-
doc/developer/building-frr-for-netbsd6.rst | 9 +-
doc/developer/building-frr-for-netbsd7.rst | 9 +-
doc/developer/building-frr-for-ubuntu1404.rst | 2 +-
doc/developer/building-frr-for-ubuntu1604.rst | 2 +-
doc/developer/building-frr-for-ubuntu1804.rst | 2 +-
doc/developer/packaging-redhat.rst | 2 +-
doc/subdir.am | 11 +-
doc/user/installation.rst | 21 ++
m4/ax_python.m4 | 284 ++++++++++++++++++
redhat/frr.spec.in | 8 +-
tests/subdir.am | 2 -
20 files changed, 361 insertions(+), 146 deletions(-)
create mode 100644 m4/ax_python.m4
diff --git a/configure.ac b/configure.ac
index c228ff0c91..906006a974 100755
--- a/configure.ac
+++ b/configure.ac
@@ -183,15 +183,17 @@ AC_DEFUN([AC_LINK_IFELSE_FLAGS], [{
AC_LINK_IFELSE(
[$3],
[
- AC_MSG_RESULT([yes])
CFLAGS="$ac_cflags_save"
LIBS="$ac_libs_save"
- $5
+ m4_default([$5], [
+ AC_MSG_RESULT([yes])
+ ])
], [
- AC_MSG_RESULT([no])
CFLAGS="$ac_cflags_save"
LIBS="$ac_libs_save"
- $4
+ m4_default([$4], [
+ AC_MSG_RESULT([no])
+ ])
])
AC_LANG_POP([C])
}])
@@ -609,92 +611,30 @@ AM_CONDITIONAL([FPM], [test "x$enable_fpm" = "xyes"])
# Python for clippy
#
-AC_DEFUN([FRR_PYTHON_CHECK_WORKING], [
- AC_MSG_CHECKING([whether we found a working Python version])
- AC_LINK_IFELSE_FLAGS([$PYTHON_CFLAGS], [$PYTHON_LIBS], [AC_LANG_PROGRAM([
-#include <Python.h>
-#if PY_VERSION_HEX < 0x02070000
-#error python too old
-#endif
-int main(void);
-],
-[
-{
- Py_Initialize();
- return 0;
-}
-])], [
- # some python installs are missing the zlib dependency...
- PYTHON_LIBS="${PYTHON_LIBS} -lz"
- AC_LINK_IFELSE_FLAGS([$PYTHON_CFLAGS], [$PYTHON_LIBS], [AC_LANG_PROGRAM([
-#include <Python.h>
-#if PY_VERSION_HEX < 0x02070000
-#error python too old
-#endif
-int main(void);
-],
-[
-{
- Py_Initialize();
- return 0;
-}
-])], [
- m4_if([$1], [], [
- PYTHONCONFIG=""
- unset PYTHON_LIBS
- unset PYTHON_CFLAGS
- ], [$1])
- ])
- ])
-])
-
AS_IF([test "$host" = "$build"], [
- PYTHONCONFIG=""
-
- # ordering:
- # 1. try python3, but respect the user's preference on which minor ver
- # 2. try python, which might be py3 or py2 again on the user's preference
- # 3. try python2 (can really only be 2.7 but eh)
- # 4. try 3.6 > 3.5 > 3.4 > 3.3 > 3.2 > 2.7 through pkg-config (no user pref)
- #
- # (AX_PYTHON_DEVEL has no clue about py3 vs py2)
- # (AX_PYTHON does not do what we need)
-
- AC_CHECK_TOOLS([PYTHONCONFIG], [ \
- python3-config \
- python-config \
- python2-config \
- python3.6-config \
- python3.5-config \
- python3.4-config \
- python3.3-config \
- python3.2-config \
- python2.7-config ])
- if test -n "$PYTHONCONFIG"; then
- PYTHON_CFLAGS="`\"${PYTHONCONFIG}\" --includes`"
- PYTHON_LIBS="`\"${PYTHONCONFIG}\" --ldflags`"
-
- FRR_PYTHON_CHECK_WORKING([])
- fi
+ FRR_PYTHON_DEV
+], [
+ FRR_PYTHON
+])
- if test -z "$PYTHONCONFIG"; then
- PKG_CHECK_MODULES([PYTHON], [python-3.6], [], [
- PKG_CHECK_MODULES([PYTHON], [python-3.5], [], [
- PKG_CHECK_MODULES([PYTHON], [python-3.4], [], [
- PKG_CHECK_MODULES([PYTHON], [python-3.3], [], [
- PKG_CHECK_MODULES([PYTHON], [python-3.2], [], [
- PKG_CHECK_MODULES([PYTHON], [python-2.7], [], [
- AC_MSG_FAILURE([could not find python-config or pkg-config python, please install Python development files from libpython-dev or similar])
- ])])])])])])
+FRR_PYTHON_MODULES([pytest])
+if test "${enable_doc}" != "no"; then
+ FRR_PYTHON_MODULES([sphinx], , [
+ if test "${enable_doc}" = "yes"; then
+ AC_MSG_ERROR([Documentation was explicitly requested with --enable-doc but sphinx is not available for $PYTHON. Please disable docs or install sphinx.])
+ fi
+ ])
+fi
+AM_CONDITIONAL([DOC], [test "${enable_doc}" != "no" -a "$frr_py_mod_sphinx" != "false"])
+AM_CONDITIONAL([DOC_HTML], [test "${enable_doc_html}" = "yes"])
- FRR_PYTHON_CHECK_WORKING([
- AC_MSG_FAILURE([could not find python-config or pkg-config python, please install Python development files from libpython-dev or similar])
- ])
- fi
+FRR_PYTHON_MOD_EXEC([sphinx], [--version], [
+ PYSPHINX="-m sphinx"
+], [
+ PYSPHINX="-c 'import sys; from sphinx import main; sys.exit(main(sys.argv))'"
])
-AC_SUBST([PYTHON_CFLAGS])
-AC_SUBST([PYTHON_LIBS])
+AC_SUBST([PYSPHINX])
#
# Logic for protobuf support.
@@ -1507,16 +1447,6 @@ FRR_INCLUDES
#endif
])dnl
-dnl disable doc check
-AC_CHECK_PROGS([SPHINXBUILD], [sphinx-build sphinx-build3 sphinx-build2], [/bin/false])
-if test "$SPHINXBUILD" = "/bin/false"; then
- if test "${enable_doc}" = "yes"; then
- AC_MSG_ERROR([Documentation was explicitly requested with --enable-doc but sphinx-build is not available. Please disable docs or install sphinx.])
- fi
-fi
-AM_CONDITIONAL([DOC], [test "${enable_doc}" != "no" -a "$SPHINXBUILD" != "/bin/false"])
-AM_CONDITIONAL([DOC_HTML], [test "${enable_doc_html}" = "yes"])
-
dnl --------------------
dnl Daemon disable check
dnl --------------------
@@ -1666,6 +1596,7 @@ int main(void);
return 0;
}
])], [
+ AC_MSG_RESULT([no])
AC_MSG_ERROR([--enable-snmp given but not usable])])
case "${enable_snmp}" in
yes)
@@ -2356,7 +2287,9 @@ zebra protobuf enabled : ${enable_protobuf:-no}
The above user and group must have read/write access to the state file
directory and to the config files in the config file directory."
-if test "${enable_doc}" != "no";then
- AS_IF([test "$SPHINXBUILD" = /bin/false],
- AC_MSG_WARN([sphinx-build is missing but required to build documentation]))
+if test "${enable_doc}" != "no" -a "$frr_py_mod_sphinx" = false; then
+ AC_MSG_WARN([sphinx is missing but required to build documentation])
+fi
+if test "$frr_py_mod_pytest" = false; then
+ AC_MSG_WARN([pytest is missing, unit tests cannot be performed])
fi
diff --git a/doc/developer/building-frr-for-centos6.rst b/doc/developer/building-frr-for-centos6.rst
index f1ec2ad3ea..ee0ffc2bf7 100644
--- a/doc/developer/building-frr-for-centos6.rst
+++ b/doc/developer/building-frr-for-centos6.rst
@@ -163,10 +163,9 @@ an example.)
--disable-ldpd \
--enable-fpm \
--with-pkg-git-version \
- --with-pkg-extra-version=-MyOwnFRRVersion \
- SPHINXBUILD=sphinx-build2.7
+ --with-pkg-extra-version=-MyOwnFRRVersion
make
- make check PYTHON=/usr/bin/python2.7
+ make check
sudo make install
Create empty FRR configuration files
diff --git a/doc/developer/building-frr-for-debian8.rst b/doc/developer/building-frr-for-debian8.rst
index a26d055bc2..76f927853d 100644
--- a/doc/developer/building-frr-for-debian8.rst
+++ b/doc/developer/building-frr-for-debian8.rst
@@ -16,7 +16,7 @@ Add packages:
::
sudo apt-get install git autoconf automake libtool make \
- libreadline-dev texinfo libjson-c-dev pkg-config bison flex python-pip \
+ libreadline-dev texinfo libjson-c-dev pkg-config bison flex python3-pip \
libc-ares-dev python3-dev python3-sphinx build-essential libsystemd-dev
Install newer pytest (>3.0) from pip
@@ -24,7 +24,7 @@ Install newer pytest (>3.0) from pip
::
- sudo pip install pytest
+ sudo pip3 install pytest
.. include:: building-libyang.rst
diff --git a/doc/developer/building-frr-for-debian9.rst b/doc/developer/building-frr-for-debian9.rst
index 2c5a9681af..e58c59f451 100644
--- a/doc/developer/building-frr-for-debian9.rst
+++ b/doc/developer/building-frr-for-debian9.rst
@@ -9,8 +9,8 @@ Add packages:
::
sudo apt-get install git autoconf automake libtool make \
- libreadline-dev texinfo libjson-c-dev pkg-config bison flex python-pip \
- libc-ares-dev python3-dev python-pytest python3-sphinx build-essential \
+ libreadline-dev texinfo libjson-c-dev pkg-config bison flex \
+ libc-ares-dev python3-dev python3-pytest python3-sphinx build-essential \
libsystemd-dev
.. include:: building-libyang.rst
diff --git a/doc/developer/building-frr-for-fedora.rst b/doc/developer/building-frr-for-fedora.rst
index 204c185f56..d11da2d647 100644
--- a/doc/developer/building-frr-for-fedora.rst
+++ b/doc/developer/building-frr-for-fedora.rst
@@ -13,8 +13,8 @@ Installing Dependencies
sudo dnf install git autoconf automake libtool make \
readline-devel texinfo net-snmp-devel groff pkgconfig json-c-devel \
- pam-devel pytest bison flex c-ares-devel python3-devel python2-sphinx \
- perl-core patch
+ pam-devel python3-pytest bison flex c-ares-devel python3-devel \
+ python3-sphinx perl-core patch
.. include:: building-libyang.rst
diff --git a/doc/developer/building-frr-for-freebsd10.rst b/doc/developer/building-frr-for-freebsd10.rst
index 86c44f4d90..e85cb80053 100644
--- a/doc/developer/building-frr-for-freebsd10.rst
+++ b/doc/developer/building-frr-for-freebsd10.rst
@@ -17,7 +17,7 @@ is first package install and asked)
::
pkg install git autoconf automake libtool gmake json-c pkgconf \
- bison flex py27-pytest c-ares python3 py-sphinx
+ bison flex py36-pytest c-ares python3.6 py36-sphinx
Make sure there is no /usr/bin/flex preinstalled (and use the newly
installed in /usr/local/bin): (FreeBSD frequently provides a older flex
diff --git a/doc/developer/building-frr-for-freebsd11.rst b/doc/developer/building-frr-for-freebsd11.rst
index 5e56c8cd7a..b97538b763 100644
--- a/doc/developer/building-frr-for-freebsd11.rst
+++ b/doc/developer/building-frr-for-freebsd11.rst
@@ -17,7 +17,7 @@ is first package install and asked)
.. code-block:: shell
pkg install git autoconf automake libtool gmake json-c pkgconf \
- bison flex py27-pytest c-ares python3 py36-sphinx texinfo
+ bison flex py36-pytest c-ares python3.6 py36-sphinx texinfo
Make sure there is no /usr/bin/flex preinstalled (and use the newly
installed in /usr/local/bin): (FreeBSD frequently provides a older flex
diff --git a/doc/developer/building-frr-for-freebsd9.rst b/doc/developer/building-frr-for-freebsd9.rst
index 59241d1d13..1e97749795 100644
--- a/doc/developer/building-frr-for-freebsd9.rst
+++ b/doc/developer/building-frr-for-freebsd9.rst
@@ -17,8 +17,8 @@ is first package install and asked)
::
pkg install -y git autoconf automake libtool gmake \
- pkgconf texinfo json-c bison flex py27-pytest c-ares \
- python3 py-sphinx libexecinfo
+ pkgconf texinfo json-c bison flex py36-pytest c-ares \
+ python3 py36-sphinx libexecinfo
Make sure there is no /usr/bin/flex preinstalled (and use the newly
installed in /usr/local/bin): (FreeBSD frequently provides a older flex
diff --git a/doc/developer/building-frr-for-netbsd6.rst b/doc/developer/building-frr-for-netbsd6.rst
index 49091c49b4..e50d11130a 100644
--- a/doc/developer/building-frr-for-netbsd6.rst
+++ b/doc/developer/building-frr-for-netbsd6.rst
@@ -23,7 +23,7 @@ Add packages:
::
sudo pkg_add git autoconf automake libtool gmake openssl \
- pkg-config json-c python27 py27-test python35 py-sphinx
+ pkg-config json-c py36-test python36 py36-sphinx
Install SSL Root Certificates (for git https access):
@@ -33,13 +33,6 @@ Install SSL Root Certificates (for git https access):
sudo touch /etc/openssl/openssl.cnf
sudo mozilla-rootcerts install
-Select default Python and py.test
-
-::
-
- sudo ln -s /usr/pkg/bin/python2.7 /usr/bin/python
- sudo ln -s /usr/pkg/bin/py.test-2.7 /usr/bin/py.test
-
.. include:: building-libyang.rst
Get FRR, compile it and install it (from Git)
diff --git a/doc/developer/building-frr-for-netbsd7.rst b/doc/developer/building-frr-for-netbsd7.rst
index 64c462a5c8..32d1145edc 100644
--- a/doc/developer/building-frr-for-netbsd7.rst
+++ b/doc/developer/building-frr-for-netbsd7.rst
@@ -14,7 +14,7 @@ Install required packages
::
sudo pkgin install git autoconf automake libtool gmake openssl \
- pkg-config json-c python27 py27-test python35 py-sphinx
+ pkg-config json-c python36 py36-test py36-sphinx
Install SSL Root Certificates (for git https access):
@@ -24,13 +24,6 @@ Install SSL Root Certificates (for git https access):
sudo touch /etc/openssl/openssl.cnf
sudo mozilla-rootcerts install
-Select default Python and py.test
-
-::
-
- sudo ln -s /usr/pkg/bin/python2.7 /usr/bin/python
- sudo ln -s /usr/pkg/bin/py.test-2.7 /usr/bin/py.test
-
.. include:: building-libyang.rst
Get FRR, compile it and install it (from Git)
diff --git a/doc/developer/building-frr-for-ubuntu1404.rst b/doc/developer/building-frr-for-ubuntu1404.rst
index 6e2765c1c8..569b3bded1 100644
--- a/doc/developer/building-frr-for-ubuntu1404.rst
+++ b/doc/developer/building-frr-for-ubuntu1404.rst
@@ -12,7 +12,7 @@ Installing Dependencies
apt-get update
apt-get install \
git autoconf automake libtool make libreadline-dev texinfo \
- pkg-config libpam0g-dev libjson-c-dev bison flex python-pytest \
+ pkg-config libpam0g-dev libjson-c-dev bison flex python3-pytest \
libc-ares-dev python3-dev python3-sphinx install-info build-essential \
libsnmp-dev perl
diff --git a/doc/developer/building-frr-for-ubuntu1604.rst b/doc/developer/building-frr-for-ubuntu1604.rst
index a9a0a2f733..03852a62aa 100644
--- a/doc/developer/building-frr-for-ubuntu1604.rst
+++ b/doc/developer/building-frr-for-ubuntu1604.rst
@@ -12,7 +12,7 @@ Installing Dependencies
apt-get update
apt-get install \
git autoconf automake libtool make libreadline-dev texinfo \
- pkg-config libpam0g-dev libjson-c-dev bison flex python-pytest \
+ pkg-config libpam0g-dev libjson-c-dev bison flex python3-pytest \
libc-ares-dev python3-dev libsystemd-dev python-ipaddress python3-sphinx \
install-info build-essential libsystemd-dev libsnmp-dev perl
diff --git a/doc/developer/building-frr-for-ubuntu1804.rst b/doc/developer/building-frr-for-ubuntu1804.rst
index 8bdc2b9c76..96c0efe02a 100644
--- a/doc/developer/building-frr-for-ubuntu1804.rst
+++ b/doc/developer/building-frr-for-ubuntu1804.rst
@@ -12,7 +12,7 @@ Installing Dependencies
sudo apt update
sudo apt-get install \
git autoconf automake libtool make libreadline-dev texinfo \
- pkg-config libpam0g-dev libjson-c-dev bison flex python-pytest \
+ pkg-config libpam0g-dev libjson-c-dev bison flex python3-pytest \
libc-ares-dev python3-dev libsystemd-dev python-ipaddress python3-sphinx \
install-info build-essential libsystemd-dev libsnmp-dev perl
diff --git a/doc/developer/packaging-redhat.rst b/doc/developer/packaging-redhat.rst
index f6b9931156..d344046148 100644
--- a/doc/developer/packaging-redhat.rst
+++ b/doc/developer/packaging-redhat.rst
@@ -32,7 +32,7 @@ Tested on CentOS 6, CentOS 7 and Fedora 24.
cd frr
./bootstrap.sh
- ./configure --with-pkg-extra-version=-MyRPMVersion SPHINXBUILD=sphinx-build2.7
+ ./configure --with-pkg-extra-version=-MyRPMVersion
make dist
.. note::
diff --git a/doc/subdir.am b/doc/subdir.am
index 7d3792bf2b..a1297a4f81 100644
--- a/doc/subdir.am
+++ b/doc/subdir.am
@@ -4,7 +4,6 @@
# You can set these variables from the command line.
SPHINXOPTS ?=
-SPHINXBUILD ?= sphinx-build
PAPER ?=
# Internal variables.
@@ -32,20 +31,20 @@ am__v_MAKEINFO_1 =
doc/%/_build/.doctrees/environment.pickle:
$(AM_V_SPHINX) ( \
subdoc="$@"; subdoc="$${subdoc#doc/}"; subdoc="doc/$${subdoc%%/*}"; \
- $(SPHINXBUILD) -a -q -b text -d "$${subdoc}/_build/.doctrees" \
+ $(PYTHON) $(PYSPHINX) -a -q -b text -d "$${subdoc}/_build/.doctrees" \
$(ALLSPHINXOPTS) "$(top_srcdir)/$${subdoc}" "$${subdoc}/_build/text" \
)
doc/%/_build/html/.buildinfo: doc/%/_build/.doctrees/environment.pickle
$(AM_V_SPHINX) ( \
subdoc="$@"; subdoc="$${subdoc#doc/}"; subdoc="doc/$${subdoc%%/*}"; \
- $(SPHINXBUILD) -q -b html -d "$${subdoc}/_build/.doctrees" \
+ $(PYTHON) $(PYSPHINX) -q -b html -d "$${subdoc}/_build/.doctrees" \
$(ALLSPHINXOPTS) "$(top_srcdir)/$${subdoc}" "$${subdoc}/_build/html" \
)
.PRECIOUS: doc/%/_build/texinfo/frr.texi
doc/%/_build/texinfo/frr.texi: doc/%/_build/.doctrees/environment.pickle
$(AM_V_SPHINX) ( \
subdoc="$@"; subdoc="$${subdoc#doc/}"; subdoc="doc/$${subdoc%%/*}"; \
- $(SPHINXBUILD) -q -b texinfo -d "$${subdoc}/_build/.doctrees" \
+ $(PYTHON) $(PYSPHINX) -q -b texinfo -d "$${subdoc}/_build/.doctrees" \
$(ALLSPHINXOPTS) "$(top_srcdir)/$${subdoc}" "$${subdoc}/_build/texinfo" \
)
doc/%/_build/texinfo/frr.info: doc/%/_build/texinfo/frr.texi
@@ -54,7 +53,7 @@ doc/%/_build/man/man.stamp: doc/%/_build/.doctrees/environment.pickle
$(AM_V_SPHINX) ( \
subdoc="$@"; subdoc="$${subdoc#doc/}"; subdoc="doc/$${subdoc%%/*}"; \
$(MKDIR_P) "$${subdoc}/_build/man"; touch $@.tmp; \
- $(SPHINXBUILD) -a -q -b man -d "$${subdoc}/_build/.doctrees" \
+ $(PYTHON) $(PYSPHINX) -a -q -b man -d "$${subdoc}/_build/.doctrees" \
$(ALLSPHINXOPTS) "$(top_srcdir)/$${subdoc}" "$${subdoc}/_build/man" && \
mv -f $@.tmp $@ \
)
@@ -80,7 +79,7 @@ $(M_SPHINXTARGETS): doc/%/_build/.doctrees/environment.pickle
builder="$${target##*/}"; \
subdoc="$${target#doc/}"; subdoc="doc/$${subdoc%%/*}"; \
rm -rf "$@"; \
- $(SPHINXBUILD) -q -b $${builder} -d $${subdoc}/_build/.doctrees \
+ $(PYTHON) $(PYSPHINX) -q -b $${builder} -d $${subdoc}/_build/.doctrees \
$(ALLSPHINXOPTS) $(top_srcdir)/$${subdoc} $@ \
)
diff --git a/doc/user/installation.rst b/doc/user/installation.rst
index 964297292f..6438c11413 100644
--- a/doc/user/installation.rst
+++ b/doc/user/installation.rst
@@ -347,6 +347,27 @@ compile directory:
./configure --with-libyang-pluginsdir="`pwd`/yang/libyang_plugins/.libs" \
--with-yangmodelsdir="`pwd`/yang"
+Python dependency, documentation and tests
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+FRR's documentation and basic unit tests heavily use code written in Python.
+Additionally, FRR ships Python extensions written in C which are used during
+its build process.
+
+To this extent, FRR needs the following:
+
+* an installation of CPython, preferably version 3.2 or newer (2.7 works but
+ is end of life and will stop working at some point.)
+* development files (mostly headers) for that version of CPython
+* an installation of `sphinx` for that version of CPython, to build the
+ documentation
+* an installation of `pytest` for that version of CPython, to run the unit
+ tests
+
+The `sphinx` and `pytest` dependencies can be avoided by not building
+documentation / not running ``make check``, but the CPython dependency is a
+hard dependency of the FRR build process (for the `clippy` tool.)
+
.. _least-privilege-support:
Least-Privilege Support
diff --git a/m4/ax_python.m4 b/m4/ax_python.m4
new file mode 100644
index 0000000000..32043c81ae
--- /dev/null
+++ b/m4/ax_python.m4
@@ -0,0 +1,288 @@
+dnl FRR Python autoconf magic
+dnl 2019 David Lamparter for NetDEF, Inc.
+dnl SPDX-License-Identifier: GPL-2.0-or-later
+
+dnl the _ at the beginning will be cut off (to support the empty version string)
+m4_define_default([_FRR_PY_VERS], [_3 _ _2 _3.7 _3.6 _3.5 _3.4 _3.3 _3.2 _2.7])
+
+dnl check basic interpreter properties (py2/py3)
+dnl doubles as simple check whether the interpreter actually works
+dnl also swaps in the full path to the interpreter
+dnl arg1: if-true, arg2: if-false
+AC_DEFUN([_FRR_PYTHON_INTERP], [dnl
+AC_ARG_VAR([PYTHON], [Python interpreter to use])dnl
+ AC_MSG_CHECKING([python interpreter $PYTHON])
+ AC_RUN_LOG(["$PYTHON" -c 'import sys; open("conftest.pyver", "w").write(sys.executable or ""); sys.exit(not (sys.version_info.major == 2 and sys.version_info.minor >= 7))'])
+ py2=$ac_status
+ _py2_full="`cat conftest.pyver 2>/dev/null`"
+ rm -f "conftest.pyver" >/dev/null 2>/dev/null
+
+ AC_RUN_LOG(["$PYTHON" -c 'import sys; open("conftest.pyver", "w").write(sys.executable or ""); sys.exit(not ((sys.version_info.major == 3 and sys.version_info.minor >= 2) or sys.version_info.major > 3))'])
+ py3=$ac_status
+ _py3_full="`cat conftest.pyver 2>/dev/null`"
+ rm -f "conftest.pyver" >/dev/null 2>/dev/null
+
+ case "p${py2}p${py3}" in
+ p0p1) frr_cv_python=python2
+ _python_full="$_py2_full" ;;
+ p1p0) frr_cv_python=python3
+ _python_full="$_py3_full" ;;
+ *) frr_cv_python=none ;;
+ esac
+
+ if test "$frr_cv_python" = none; then
+ AC_MSG_RESULT([not working])
+ $2
+ else
+ test -n "$_python_full" -a -x "$_python_full" && PYTHON="$_python_full"
+ AC_MSG_RESULT([$PYTHON ($frr_cv_python)])
+ $1
+ fi
+
+ dnl return value
+ test "$frr_cv_python" != none
+])
+
+dnl check whether $PYTHON has modules available
+dnl arg1: list of modules (space separated)
+dnl arg2: if all true, arg3: if any missing
+dnl also sets frr_py_mod_<name> to "true" or "false"
+AC_DEFUN([FRR_PYTHON_MODULES], [
+ result=true
+ for pymod in $1; do
+ AC_MSG_CHECKING([whether $PYTHON module $pymod is available])
+ AC_RUN_LOG(["$PYTHON" -c "import $pymod"])
+ sane="`echo \"$pymod\" | tr -c '[a-zA-Z0-9\n]' '_'`"
+ if test "$ac_status" -eq 0; then
+ AC_MSG_RESULT([yes])
+ eval frr_py_mod_$sane=true
+ else
+ AC_MSG_RESULT([no])
+ eval frr_py_mod_$sane=false
+ result=false
+ fi
+ done
+ if $result; then
+ m4_default([$2], [:])
+ else
+ m4_default([$3], [:])
+ fi
+ $result
+])
+
+dnl check whether $PYTHON has modules available
+dnl arg1: list of modules (space separated)
+dnl arg2: command line parameters for executing
+dnl arg3: if all true, arg4: if any missing
+dnl also sets frr_py_modexec_<name> to "true" or "false"
+AC_DEFUN([FRR_PYTHON_MOD_EXEC], [
+ result=true
+ for pymod in $1; do
+ AC_MSG_CHECKING([whether $PYTHON module $pymod is executable])
+ AC_RUN_LOG(["$PYTHON" -m "$pymod" $2 > /dev/null])
+ sane="`echo \"$pymod\" | tr -c '[a-zA-Z0-9\n]' '_'`"
+ if test "$ac_status" -eq 0; then
+ AC_MSG_RESULT([yes])
+ eval frr_py_modexec_$sane=true
+ else
+ AC_MSG_RESULT([no])
+ eval frr_py_modexec_$sane=false
+ result=false
+ fi
+ done
+ if $result; then
+ m4_default([$3], [:])
+ else
+ m4_default([$4], [:])
+ fi
+ $result
+])
+
+dnl check whether we can build & link python bits
+dnl input: PYTHON_CFLAGS and PYTHON_LIBS
+AC_DEFUN([_FRR_PYTHON_DEVENV], [
+ result=true
+ AC_LINK_IFELSE_FLAGS([$PYTHON_CFLAGS], [$PYTHON_LIBS], [AC_LANG_PROGRAM([
+#include <Python.h>
+#if PY_VERSION_HEX < 0x02070000
+#error python too old
+#endif
+int main(void);
+],
+[
+{
+ Py_Initialize();
+ return 0;
+}
+])], [
+ # some python installs are missing the zlib dependency...
+ PYTHON_LIBS="${PYTHON_LIBS} -lz"
+ AC_LINK_IFELSE_FLAGS([$PYTHON_CFLAGS], [$PYTHON_LIBS], [AC_LANG_PROGRAM([
+#include <Python.h>
+#if PY_VERSION_HEX < 0x02070000
+#error python too old
+#endif
+int main(void);
+],
+[
+{
+ Py_Initialize();
+ return 0;
+}
+])], [
+ result=false
+ AC_MSG_RESULT([no])
+ ], [:])
+ ], [:])
+
+ if $result; then
+ AC_LINK_IFELSE_FLAGS([$PYTHON_CFLAGS], [$PYTHON_LIBS], [AC_LANG_PROGRAM([
+#include <Python.h>
+#if PY_VERSION_HEX != $1
+#error python version mismatch
+#endif
+int main(void);
+],
+[
+{
+ Py_Initialize();
+ return 0;
+}
+])], [
+ result=false
+ AC_MSG_RESULT([version mismatch])
+ ], [
+ AC_MSG_RESULT([yes])
+ ])
+ fi
+
+ if $result; then
+ m4_default([$2], [:])
+ else
+ m4_default([$3], [
+ unset PYTHON_LIBS
+ unset PYTHON_CFLAGS
+ ])
+ fi
+])
+
+AC_DEFUN([_FRR_PYTHON_GETDEV], [dnl
+AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
+
+ py_abi="` \"$1\" -c \"import sys; print(getattr(sys, 'abiflags', ''))\"`"
+ py_hex="` \"$1\" -c \"import sys; print(hex(sys.hexversion))\"`"
+ py_ldver="` \"$1\" -c \"import sysconfig; print(sysconfig.get_config_var('LDVERSION') or '')\"`"
+ py_ver="` \"$1\" -c \"import sysconfig; print(sysconfig.get_config_var('VERSION') or '')\"`"
+ py_bindir="`\"$1\" -c \"import sysconfig; print(sysconfig.get_config_var('BINDIR') or '')\"`"
+ test -z "$py_bindir" || py_bindir="$py_bindir/"
+ echo "py_abi=${py_abi} py_ldver=${py_ldver} py_ver=${py_ver} py_bindir=${py_bindir}" >&AS_MESSAGE_LOG_FD
+
+ py_found=false
+
+ for tryver in "${py_ldver}" "${py_ver}"; do
+ pycfg="${py_bindir}python${tryver}-config"
+ AC_MSG_CHECKING([whether ${pycfg} is available])
+ if "$pycfg" --configdir >/dev/null 2>/dev/null; then
+ AC_MSG_RESULT([yes])
+
+ PYTHON_CFLAGS="`\"$pycfg\" --includes`"
+ if test x"${py_ver}" == x"3.8" || test x"{py_ver}" == x"3.9"; then
+ PYTHON_LIBS="`\"$pycfg\" --ldflags --embed`"
+ else
+ PYTHON_LIBS="`\"$pycfg\" --ldflags`"
+ fi
+
+ AC_MSG_CHECKING([whether ${pycfg} provides a working build environment])
+ _FRR_PYTHON_DEVENV([$py_hex], [
+ py_found=true
+ break
+ ])
+ else
+ AC_MSG_RESULT([no])
+ fi
+
+ pkg_failed=no
+ AC_MSG_CHECKING([whether pkg-config python-${tryver} is available])
+ unset PYTHON_CFLAGS
+ unset PYTHON_LIBS
+ pkg="python-${tryver}"
+ pkg="${pkg%-}"
+ _PKG_CONFIG([PYTHON_CFLAGS], [cflags], [${pkg}])
+ _PKG_CONFIG([PYTHON_LIBS], [libs], [${pkg}])
+ if test $pkg_failed = no; then
+ AC_MSG_RESULT([yes])
+
+ PYTHON_CFLAGS=$pkg_cv_PYTHON_CFLAGS
+ PYTHON_LIBS=$pkg_cv_PYTHON_LIBS
+
+ AC_MSG_CHECKING([whether pkg-config python-${tryver} provides a working build environment])
+ _FRR_PYTHON_DEVENV([$py_hex], [
+ py_found=true
+ break
+ ])
+ else
+ AC_MSG_RESULT([no])
+ fi
+ done
+
+ if $py_found; then
+ m4_default([$2], [:])
+ else
+ unset PYTHON_CFLAGS
+ unset PYTHON_LIBS
+ m4_default([$3], [:])
+ fi
+])
+
+dnl just find python without checking headers/libs
+AC_DEFUN([FRR_PYTHON], [
+ dnl user override
+ if test "x$PYTHON" != "x"; then
+ _FRR_PYTHON_INTERP([], [
+ AC_MSG_ERROR([PYTHON ($PYTHON) explicitly specified but not working])
+ ])
+ else
+ for frr_pyver in _FRR_PY_VERS; do
+ PYTHON="python${frr_pyver#_}"
+ _FRR_PYTHON_INTERP([break])
+ PYTHON=":"
+ done
+ if test "$PYTHON" = ":"; then
+ AC_MSG_ERROR([no working python version found])
+ fi
+ fi
+ AC_SUBST([PYTHON])
+])
+
+dnl find python with checking headers/libs
+AC_DEFUN([FRR_PYTHON_DEV], [dnl
+AC_ARG_VAR([PYTHON_CFLAGS], [C compiler flags for Python])dnl
+AC_ARG_VAR([PYTHON_LIBS], [linker flags for Python])dnl
+
+ dnl user override
+ if test "x$PYTHON" != "x"; then
+ _FRR_PYTHON_INTERP([], [
+ AC_MSG_ERROR([PYTHON ($PYTHON) explicitly specified but not working])
+ ])
+ _FRR_PYTHON_GETDEV([$PYTHON], [], [
+ AC_MSG_ERROR([PYTHON ($PYTHON) explicitly specified but development environment not working])
+ ])
+ else
+ for frr_pyver in _FRR_PY_VERS; do
+ PYTHON="python${frr_pyver#_}"
+ _FRR_PYTHON_INTERP([
+ _FRR_PYTHON_GETDEV([$PYTHON], [
+ break
+ ])
+ ])
+ PYTHON=":"
+ done
+ if test "$PYTHON" = ":"; then
+ AC_MSG_ERROR([no working python version found])
+ fi
+ fi
+
+ AC_SUBST([PYTHON_CFLAGS])
+ AC_SUBST([PYTHON_LIBS])
+ AC_SUBST([PYTHON])
+])
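Review bot: The Python 3.9 half of the version test in `_FRR_PYTHON_GETDEV` can never match, because `test x"{py_ver}" == x"3.9"` is missing the `$` and compares the literal string `x{py_ver}`. A 3.9 interpreter therefore takes the plain `--ldflags` branch, which as far as I know no longer puts libpython on the link line from 3.8 onward, so the `_FRR_PYTHON_DEVENV` link check is likely to fail for it. `==` is also not a portable `test` operator for the `/bin/sh` that runs configure. The line should read `if test x"${py_ver}" = x"3.8" || test x"${py_ver}" = x"3.9"; then`. Any release after 3.9 falls into the non-embed branch as well, so trying `--ldflags --embed` first and falling back when `$pycfg` rejects it would avoid listing versions at all.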
diff --git a/redhat/frr.spec.in b/redhat/frr.spec.in
index ebd9ac3f47..27042e197c 100644
--- a/redhat/frr.spec.in
+++ b/redhat/frr.spec.in
@@ -44,12 +44,6 @@
# defines for configure
%define rundir %{_localstatedir}/run/%{name}
-# define for sphinx-build binary
-%if 0%{?rhel} && 0%{?rhel} < 7
- %define sphinx sphinx-build2.7
-%else
- %define sphinx sphinx-build
-%endif
############################################################################
#### Version String tweak
@@ -360,7 +354,7 @@ developing OSPF-API and frr applications.
%else
--disable-bfdd \
%endif
- SPHINXBUILD=%{sphinx}
+ # end
make %{?_smp_mflags} MAKEINFO="makeinfo --no-split"
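Review bot: The bare `# end` that replaces `SPHINXBUILD=%{sphinx}` is unexplained, and it appears to be load-bearing. Both branches above it end in a backslash (`--disable-bfdd \` is visible here), so this comment line is what closes the continued configure invocation, assuming the invocation starts outside the hunk as it seems to. Wording it as `# end of configure arguments (closes the trailing backslash above)` would stop a later cleanup from deleting it and changing where the continued configure command ends.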
diff --git a/tests/subdir.am b/tests/subdir.am
index ec5fea705e..10a78b98a0 100644
--- a/tests/subdir.am
+++ b/tests/subdir.am
@@ -2,8 +2,6 @@
# tests
#
-PYTHON ?= python
-
if BGPD
TESTS_BGPD = \
tests/bgpd/test_aspath \


@ -5,7 +5,7 @@
Name: frr
Version: 7.1
Release: 2%{?checkout}%{?dist}
Release: 3%{?checkout}%{?dist}
Summary: Routing daemon
License: GPLv2+
URL: http://www.frrouting.org
@ -30,6 +30,10 @@ Conflicts: quagga
Patch0000: 0000-remove-babeld-and-ldpd.patch
Patch0001: 0001-use-python3.patch
Patch0002: 0002-enable-openssl.patch
Patch0003: 0003-disable-eigrp-crypto.patch
Patch0004: 0004-fips-mode.patch
Patch0005: 0005-python-3.8-build.patch
%description
FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -67,6 +71,7 @@ autoreconf -ivf
--disable-ldpd \
--disable-babeld \
--with-moduledir=%{_libdir}/frr/modules \
--with-crypto=openssl \
--enable-fpm
%make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3}
@ -171,6 +176,12 @@ make check PYTHON=%{__python3}
#%%{_libdir}/frr/frr/libyang_plugins/*
%changelog
* Fri Sep 13 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-3
- New way of finding python version during build
- Replacing crypto of all routing daemons with openssl
- Disabling EIGRP crypto because it is broken
- Disabling crypto in FIPS mode
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild