import frr-7.5-4.el8

This commit is contained in:
CentOS Sources 2021-05-18 02:57:28 -04:00 committed by Andrew Lukoshko
parent ab60136027
commit 20a9d254d7
13 changed files with 181 additions and 454 deletions

View File

@ -1 +1 @@
ecfb105ca630fb9f265b93f054468efbdb6f2319 SOURCES/frr-7.0.tar.gz 67064fd2c9f971a7004e3e66411f9c99e56cfb9c SOURCES/frr-7.5.tar.gz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/frr-7.0.tar.gz SOURCES/frr-7.5.tar.gz

View File

@ -12,50 +12,44 @@ index 5be3264..33abc1d 100644
include sharpd/subdir.am include sharpd/subdir.am
include pimd/subdir.am include pimd/subdir.am
@@ -182,7 +180,6 @@ EXTRA_DIST += \ @@ -182,7 +180,6 @@ EXTRA_DIST += \
snapcraft/defaults \
snapcraft/helpers \ snapcraft/helpers \
snapcraft/snap \ snapcraft/snap \
\
- babeld/Makefile \ - babeld/Makefile \
bgpd/Makefile \ bgpd/Makefile \
bgpd/rfp-example/librfp/Makefile \ bgpd/rfp-example/librfp/Makefile \
bgpd/rfp-example/rfptest/Makefile \ bgpd/rfp-example/rfptest/Makefile \
@@ -193,7 +190,6 @@ EXTRA_DIST += \ @@ -193,7 +190,6 @@ EXTRA_DIST += \
eigrpd/Makefile \
fpm/Makefile \ fpm/Makefile \
grpc/Makefile \
isisd/Makefile \ isisd/Makefile \
- ldpd/Makefile \ - ldpd/Makefile \
lib/Makefile \ lib/Makefile \
nhrpd/Makefile \ nhrpd/Makefile \
ospf6d/Makefile \ ospf6d/Makefile \
diff --git a/redhat/daemons b/redhat/daemons diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
index 068d74d..36730ba 100644 index f6d512b..6d4831d 100644
--- a/redhat/daemons --- a/tools/etc/frr/daemons
+++ b/redhat/daemons +++ b/tools/etc/frr/daemons
@@ -44,11 +44,9 @@ ospf6d=no @@ -21,10 +21,8 @@ ripd=no
ripd=no
ripngd=no ripngd=no
isisd=no isisd=no
-ldpd=no
pimd=no pimd=no
-ldpd=no
nhrpd=no nhrpd=no
eigrpd=no eigrpd=no
-babeld=no -babeld=no
sharpd=no sharpd=no
pbrd=no pbrd=no
staticd=no bfdd=no
diff --git a/redhat/daemons b/redhat/daemons @@ -45,10 +43,8 @@ ripd_options=" -A 127.0.0.1"
index 36730ba..c6090a7 100644 ripngd_options=" -A ::1"
--- a/redhat/daemons isisd_options=" -A 127.0.0.1"
+++ b/redhat/daemons pimd_options=" -A 127.0.0.1"
@@ -62,11 +62,9 @@ ospf6d_options=("-A ::1") -ldpd_options=" -A 127.0.0.1"
ripd_options=("-A 127.0.0.1") nhrpd_options=" -A 127.0.0.1"
ripngd_options=("-A ::1") eigrpd_options=" -A 127.0.0.1"
isisd_options=("-A 127.0.0.1") -babeld_options=" -A 127.0.0.1"
-ldpd_options=("-A 127.0.0.1") sharpd_options=" -A 127.0.0.1"
pimd_options=("-A 127.0.0.1") pbrd_options=" -A 127.0.0.1"
nhrpd_options=("-A 127.0.0.1") staticd_options="-A 127.0.0.1"
eigrpd_options=("-A 127.0.0.1")
-babeld_options=("-A 127.0.0.1")
sharpd_options=("-A 127.0.0.1")
pbrd_options=("-A 127.0.0.1")
staticd_options=("-A 127.0.0.1")

View File

@ -8,3 +8,13 @@ index 208fb11..0692adc 100755
# Frr Reloader # Frr Reloader
# Copyright (C) 2014 Cumulus Networks, Inc. # Copyright (C) 2014 Cumulus Networks, Inc.
# #
diff --git a/tools/generate_support_bundle.py b/tools/generate_support_bundle.py
index 540b7a1..0876ebb 100755
--- a/tools/generate_support_bundle.py
+++ b/tools/generate_support_bundle.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
########################################################
### Python Script to generate the FRR support bundle ###

View File

@ -1,294 +1,47 @@
diff --git a/configure.ac b/configure.ac
index 9f8b31b..38781da 100755
--- a/configure.ac
+++ b/configure.ac
@@ -529,6 +529,20 @@ AC_ARG_ENABLE([thread-sanitizer],
AS_HELP_STRING([--enable-thread-sanitizer], [enable ThreadSanitizer support for detecting data races]))
AC_ARG_ENABLE([memory-sanitizer],
AS_HELP_STRING([--enable-memory-sanitizer], [enable MemorySanitizer support for detecting uninitialized memory reads]))
+AC_ARG_WITH([crypto],
+ AS_HELP_STRING([--with-crypto=<internal|openssl>], [choose between different implementations of cryptographic functions(default value is --with-crypto=internal)]))
+
+#if openssl, else use internal as default
+AS_IF([test x"${with_crypto}" = x"openssl"], [
+ AC_CHECK_LIB([crypto], [EVP_DigestInit], [LIBS="$LIBS -lcrypto"], [], [])
+ if test "$ac_cv_lib_crypto_EVP_DigestInit" = no; then
+ AC_MSG_ERROR([build with openssl has been specified but openssl library was not found on your system])
+ else
+ AC_DEFINE([CRYPTO_OPENSSL], [1], [Compile with openssl support])
+ fi
+], [test x"${with_crypto}" = x"internal" || test x"${with_crypto}" = x"" ], [AC_DEFINE([CRYPTO_INTERNAL], [1], [Compile with internal cryptographic implementation])
+], [AC_MSG_ERROR([Unknown value for --with-crypto])]
+)
AS_IF([test "${enable_clippy_only}" != "yes"], [
AC_CHECK_HEADERS([json-c/json.h])
diff --git a/lib/subdir.am b/lib/subdir.am diff --git a/lib/subdir.am b/lib/subdir.am
index 0b7af18..0533e24 100644 index 0b7af18..0533e24 100644
--- a/lib/subdir.am --- a/lib/subdir.am
+++ b/lib/subdir.am +++ b/lib/subdir.am
@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \ @@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \
lib/libfrr.c \
lib/linklist.c \
lib/log.c \ lib/log.c \
lib/log_filter.c \
lib/log_vty.c \
- lib/md5.c \ - lib/md5.c \
lib/memory.c \ lib/memory.c \
lib/memory_vty.c \ lib/mlag.c \
lib/module.c \ lib/module.c \
diff --git a/lib/subdir.am b/lib/subdir.am diff --git a/lib/subdir.am b/lib/subdir.am
index 0533e24..b3d3700 100644 index 0533e24..b3d3700 100644
--- a/lib/subdir.am --- a/lib/subdir.am
+++ b/lib/subdir.am +++ b/lib/subdir.am
@@ -170,7 +170,6 @@ pkginclude_HEADERS += \ @@ -170,7 +170,6 @@ pkginclude_HEADERS += \
lib/libospf.h \
lib/linklist.h \ lib/linklist.h \
lib/log.h \ lib/log.h \
lib/log_vty.h \
- lib/md5.h \ - lib/md5.h \
lib/memory.h \ lib/memory.h \
lib/memory_vty.h \
lib/module.h \ lib/module.h \
lib/monotime.h \
diff --git a/lib/subdir.am b/lib/subdir.am diff --git a/lib/subdir.am b/lib/subdir.am
index 53f7115..cea866f 100644 index 53f7115..cea866f 100644
--- a/lib/subdir.am --- a/lib/subdir.am
+++ b/lib/subdir.am +++ b/lib/subdir.am
@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \ @@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
lib/ringbuf.c \ lib/routemap_northbound.c \
lib/routemap.c \
lib/sbuf.c \ lib/sbuf.c \
lib/seqlock.c \
- lib/sha256.c \ - lib/sha256.c \
lib/sigevent.c \ lib/sigevent.c \
lib/skiplist.c \ lib/skiplist.c \
lib/sockopt.c \ lib/sockopt.c \
@@ -191,7 +190,6 @@ pkginclude_HEADERS += \ @@ -191,7 +190,6 @@ pkginclude_HEADERS += \
lib/ringbuf.h \
lib/routemap.h \ lib/routemap.h \
lib/sbuf.h \ lib/sbuf.h \
lib/seqlock.h \
- lib/sha256.h \ - lib/sha256.h \
lib/sigevent.h \ lib/sigevent.h \
lib/skiplist.h \ lib/skiplist.h \
lib/smux.h \ lib/smux.h \
diff --git a/lib/zebra.h b/lib/zebra.h
index 22239f8e60..a308d46cc9 100644
--- a/lib/zebra.h
+++ b/lib/zebra.h
@@ -134,6 +134,11 @@ typedef unsigned char uint8_t;
#endif
#endif
+#ifdef CRYPTO_OPENSSL
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#endif
+
#include "openbsd-tree.h"
#include <netinet/in.h>
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 6bc8c25153..b951e94ae6 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -33,7 +33,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#if !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE)
#include "md5.h"
+#endif
#include "vrf.h"
#include "lib_errors.h"
@@ -332,7 +334,11 @@ static unsigned int ospf_packet_max(struct ospf_interface *oi)
static int ospf_check_md5_digest(struct ospf_interface *oi,
struct ospf_header *ospfh)
{
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
unsigned char digest[OSPF_AUTH_MD5_SIZE];
struct crypt_key *ck;
struct ospf_neighbor *nbr;
@@ -361,11 +367,21 @@ static int ospf_check_md5_digest(struct ospf_interface *oi,
}
/* Generate a digest for the ospf packet - their digest + our digest. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, ospfh, length);
+ EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, ospfh, length);
MD5Update(&ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
/* compare the two */
if (memcmp((caddr_t)ospfh + length, digest, OSPF_AUTH_MD5_SIZE)) {
@@ -389,7 +404,11 @@ static int ospf_make_md5_digest(struct ospf_interface *oi,
{
struct ospf_header *ospfh;
unsigned char digest[OSPF_AUTH_MD5_SIZE] = {0};
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
void *ibuf;
uint32_t t;
struct crypt_key *ck;
@@ -422,11 +441,21 @@ static int ospf_make_md5_digest(struct ospf_interface *oi,
}
/* Generate a digest for the entire packet + our secret key. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, ibuf, ntohs(ospfh->length));
+ EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, ibuf, ntohs(ospfh->length));
MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
/* Append md5 digest to the end of the stream. */
stream_put(op->s, digest, OSPF_AUTH_MD5_SIZE);
diff --git a/ripd/ripd.c b/ripd/ripd.c
index e0ff0430f8..b311ac5717 100644
--- a/ripd/ripd.c
+++ b/ripd/ripd.c
@@ -37,7 +37,9 @@
#include "if_rmap.h"
#include "plist.h"
#include "distribute.h"
+#if !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE)
#include "md5.h"
+#endif
#include "keychain.h"
#include "privs.h"
#include "lib_errors.h"
@@ -870,7 +872,11 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from,
struct rip_md5_data *md5data;
struct keychain *keychain;
struct key *key;
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
uint8_t digest[RIP_AUTH_MD5_SIZE];
uint16_t packet_len;
char auth_str[RIP_AUTH_MD5_SIZE];
@@ -934,11 +940,21 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from,
return 0;
/* MD5 digest authentication. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = RIP_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, packet, packet_len + RIP_HEADER_SIZE);
+ EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, packet, packet_len + RIP_HEADER_SIZE);
MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
if (memcmp(md5data->digest, digest, RIP_AUTH_MD5_SIZE) == 0)
return packet_len;
@@ -1063,7 +1078,11 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri,
size_t doff, char *auth_str, int authlen)
{
unsigned long len;
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
unsigned char digest[RIP_AUTH_MD5_SIZE];
/* Make it sure this interface is configured as MD5
@@ -1092,11 +1111,21 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri,
stream_putw(s, RIP_AUTH_DATA);
/* Generate a digest for the RIP packet. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = RIP_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, STREAM_DATA(s), stream_get_endp(s));
+ EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, STREAM_DATA(s), stream_get_endp(s));
MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
/* Copy the digest to the packet. */
stream_write(s, digest, RIP_AUTH_MD5_SIZE);
diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
index 488dfedae4..862d675e84 100644
--- a/isisd/isis_tlvs.c
+++ b/isisd/isis_tlvs.c
@@ -22,7 +22,9 @@
*/
#include <zebra.h>
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "memory.h"
#include "stream.h"
#include "sbuf.h"
@@ -2770,8 +2772,13 @@ static void update_auth_hmac_md5(struct isis_auth *auth, struct stream *s,
safe_auth_md5(s, &checksum, &rem_lifetime);
memset(STREAM_DATA(s) + auth->offset, 0, 16);
+#ifdef CRYPTO_OPENSSL
+ uint8_t* result = (uint8_t*)HMAC(EVP_md5(), auth->passwd, auth->plength, STREAM_DATA(s), stream_get_endp(s), NULL, NULL);
+ memcpy(digest, result, 16);
+#elif CRYPTO_INTERNAL
hmac_md5(STREAM_DATA(s), stream_get_endp(s), auth->passwd,
auth->plength, digest);
+#endif
memcpy(auth->value, digest, 16);
memcpy(STREAM_DATA(s) + auth->offset, digest, 16);
@@ -3310,8 +3317,13 @@ static bool auth_validator_hmac_md5(struct isis_passwd *passwd,
safe_auth_md5(stream, &checksum, &rem_lifetime);
memset(STREAM_DATA(stream) + auth->offset, 0, 16);
+#ifdef CRYPTO_OPENSSL
+ uint8_t* result = (uint8_t*)HMAC(EVP_md5(), passwd->passwd, passwd->len, STREAM_DATA(stream), stream_get_endp(stream), NULL, NULL);
+ memcpy(digest, result, 16);
+#elif CRYPTO_INTERNAL
hmac_md5(STREAM_DATA(stream), stream_get_endp(stream), passwd->passwd,
passwd->len, digest);
+#endif
memcpy(STREAM_DATA(stream) + auth->offset, auth->value, 16);
bool rv = !memcmp(digest, auth->value, 16);
diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
index 1991666..2e4fe55 100644 index 1991666..2e4fe55 100644
--- a/isisd/isis_lsp.c --- a/isisd/isis_lsp.c
@ -316,7 +69,7 @@ index 9c63311..7cf594c 100644
+#endif +#endif
#include "lib_errors.h" #include "lib_errors.h"
#include "isisd/dict.h" #include "isisd/isis_constants.h"
diff --git a/isisd/isis_te.c b/isisd/isis_te.c diff --git a/isisd/isis_te.c b/isisd/isis_te.c
index 4ea6c2c..72ff0d2 100644 index 4ea6c2c..72ff0d2 100644
--- a/isisd/isis_te.c --- a/isisd/isis_te.c

View File

@ -1,37 +1,3 @@
diff --git a/eigrpd/eigrp_vty.c b/eigrpd/eigrp_vty.c
index fc5bdbd..56ebac6 100644
--- a/eigrpd/eigrp_vty.c
+++ b/eigrpd/eigrp_vty.c
@@ -968,6 +968,9 @@ DEFUN (eigrp_authentication_mode,
"Keyed message digest\n"
"HMAC SHA256 algorithm \n")
{
+ vty_out(vty, " EIGRP Authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+
VTY_DECLVAR_CONTEXT(interface, ifp);
struct eigrp_interface *ei = ifp->info;
struct eigrp *eigrp;
@@ -1003,6 +1006,9 @@ DEFUN (no_eigrp_authentication_mode,
"Keyed message digest\n"
"HMAC SHA256 algorithm \n")
{
+ vty_out(vty, " EIGRP Authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+
VTY_DECLVAR_CONTEXT(interface, ifp);
struct eigrp_interface *ei = ifp->info;
struct eigrp *eigrp;
@@ -1034,6 +1040,9 @@ DEFPY (eigrp_authentication_keychain,
"Autonomous system number\n"
"Name of key-chain\n")
{
+ vty_out(vty, " EIGRP Authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+
VTY_DECLVAR_CONTEXT(interface, ifp);
struct eigrp_interface *ei = ifp->info;
struct eigrp *eigrp;
diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c
index bedaf15..8dc09bf 100644 index bedaf15..8dc09bf 100644
--- a/eigrpd/eigrp_packet.c --- a/eigrpd/eigrp_packet.c
@ -122,7 +88,7 @@ index bedaf15..8dc09bf 100644
struct TLV_SHA256_Authentication_Type *auth_TLV; struct TLV_SHA256_Authentication_Type *auth_TLV;
@@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, @@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
inet_ntop(AF_INET, &ei->address->u.prefix4, source_ip, PREFIX_STRLEN); inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN);
+#ifdef CRYPTO_OPENSSL +#ifdef CRYPTO_OPENSSL
+ //TBD when eigrpd crypto is fixed in upstream + //TBD when eigrpd crypto is fixed in upstream
@ -251,3 +217,36 @@ index 8db4903..2a4f0bb 100644
#include "vty.h" #include "vty.h"
#include "plist.h" #include "plist.h"
#include "plist_int.h" #include "plist_int.h"
diff --git a/eigrpd/eigrp_cli.c b/eigrpd/eigrp_cli.c
index a93d4c8..b01e121 100644
--- a/eigrpd/eigrp_cli.c
+++ b/eigrpd/eigrp_cli.c
@@ -25,6 +25,7 @@
#include "lib/command.h"
#include "lib/log.h"
#include "lib/northbound_cli.h"
+#include "lib/libfrr.h"
#include "eigrp_structs.h"
#include "eigrpd.h"
@@ -726,6 +726,20 @@ DEFPY(
"Keyed message digest\n"
"HMAC SHA256 algorithm \n")
{
+ //EIGRP authentication is currently broken in FRR
+ switch (frr_get_cli_mode()) {
+ case FRR_CLI_CLASSIC:
+ vty_out(vty, "%% Eigrp Authentication is disabled\n\n");
+ break;
+ case FRR_CLI_TRANSACTIONAL:
+ vty_out(vty,
+ "%% Failed to edit candidate configuration - "
+ "Eigrp Authentication is disabled.\n\n");
+ break;
+ }
+
+ return CMD_WARNING_CONFIG_FAILED;
+
char xpath[XPATH_MAXLEN], xpath_auth[XPATH_MAXLEN + 64];
snprintf(xpath, sizeof(xpath), "./frr-eigrpd:eigrp/instance[asn='%s']",

View File

@ -67,8 +67,8 @@ index 81b4b39..cce33d9 100644
+ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); + return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+ +
circuit->passwd.len = len; circuit->passwd.len = len;
strncpy((char *)circuit->passwd.passwd, passwd, 255); strlcpy((char *)circuit->passwd.passwd, passwd,
circuit->passwd.type = passwd_type; sizeof(circuit->passwd.passwd));
diff --git a/isisd/isisd.c b/isisd/isisd.c diff --git a/isisd/isisd.c b/isisd/isisd.c
index 419127c..a6c36af 100644 index 419127c..a6c36af 100644
--- a/isisd/isisd.c --- a/isisd/isisd.c
@ -82,8 +82,8 @@ index 419127c..a6c36af 100644
+ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); + return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+ +
modified.len = len; modified.len = len;
strncpy((char *)modified.passwd, passwd, 255); strlcpy((char *)modified.passwd, passwd,
modified.type = passwd_type; sizeof(modified.passwd));
diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
index 5bb81ef..02a09ef 100644 index 5bb81ef..02a09ef 100644
--- a/ripd/rip_cli.c --- a/ripd/rip_cli.c
@ -100,4 +100,4 @@ index 5bb81ef..02a09ef 100644
+ +
nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY, nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
strmatch(mode, "md5") ? "md5" : "plain-text"); strmatch(mode, "md5") ? "md5" : "plain-text");
nb_cli_enqueue_change(vty, "./authentication-scheme/md5-auth-length", if (strmatch(mode, "md5"))

View File

@ -1,36 +0,0 @@
From ff4516227cc48b3175106a419f43b8fc9eee3710 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@cumulusnetworks.com>
Date: Tue, 25 Jun 2019 00:30:11 -0400
Subject: [PATCH] pimd: Dissallow query to be received from a non-connected
source
When we receive an igmp query on a interface, ensure that the
source address of the packet is connected to the incoming
interface. This will prevent a meanie from crafting a igmp
packet with a source address less than ours and causing
us to suspend query activities.
Fixes: #1692
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
---
pimd/pim_igmp.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/pimd/pim_igmp.c b/pimd/pim_igmp.c
index 270f1e3f27..5beabbd8df 100644
--- a/pimd/pim_igmp.c
+++ b/pimd/pim_igmp.c
@@ -305,6 +305,13 @@ static int igmp_recv_query(struct igmp_sock *igmp, int query_version,
return -1;
}
+ if (!pim_if_connected_to_source(ifp, from)) {
+ if (PIM_DEBUG_IGMP_PACKETS)
+ zlog_debug("Recv IGMP query on interface: %s from a non-connected source: %s",
+ ifp->name, from_str);
+ return 0;
+ }
+
/* Collecting IGMP Rx stats */
switch (query_version) {
case 1:

View File

@ -1,16 +1,16 @@
diff --git a/redhat/frr.init b/redhat/frr.init diff --git a/tools/frr.in b/tools/frr.in
index b59656a..4cf3fd4 100755 index b860797..eb64a93 100755
--- a/redhat/frr.init --- a/tools/frr.in
+++ b/redhat/frr.init +++ b/tools/frr.in
@@ -94,10 +94,12 @@ check_daemon() @@ -105,10 +105,12 @@ check_daemon()
if [ ! -r "$C_PATH/$1-$2.conf" ]; then if [ ! -r "$C_PATH/$1-$2.conf" ]; then
touch "$C_PATH/$1-$2.conf" touch "$C_PATH/$1-$2.conf"
chown frr:frr "$C_PATH/$1-$2.conf" chownfrr "$C_PATH/$1-$2.conf"
+ chmod 0600 "$C_PATH/$1-$2.conf" + chmod 0600 "$C_PATH/$1-$2.conf"
fi fi
elif [ ! -r "$C_PATH/$1.conf" ]; then elif [ ! -r "$C_PATH/$1.conf" ]; then
touch "$C_PATH/$1.conf" touch "$C_PATH/$1.conf"
chown frr:frr "$C_PATH/$1.conf" chownfrr "$C_PATH/$1.conf"
+ chmod 0600 "$C_PATH/$1.conf" + chmod 0600 "$C_PATH/$1.conf"
fi fi
fi fi

View File

@ -1,15 +0,0 @@
diff --git a/bfdd/bfd.h b/bfdd/bfd.h
index 3a58a8d..0970333 100644
--- a/bfdd/bfd.h
+++ b/bfdd/bfd.h
@@ -315,8 +315,8 @@ struct bfd_iface {
#define BFD_PKT_INFO_VAL 1
#define BFD_IPV6_PKT_INFO_VAL 1
#define BFD_IPV6_ONLY_VAL 1
-#define BFD_SRCPORTINIT 49142
-#define BFD_SRCPORTMAX 65536
+#define BFD_SRCPORTINIT 49152
+#define BFD_SRCPORTMAX 65535
#define BFD_DEFDESTPORT 3784
#define BFD_DEF_ECHO_PORT 3785
#define BFD_DEF_MHOP_DEST_PORT 4784

View File

@ -0,0 +1,31 @@
diff --git a/tools/frrinit.sh.in b/tools/frrinit.sh.in
index 539ab7d..d27d1be 100644
--- a/tools/frrinit.sh.in
+++ b/tools/frrinit.sh.in
@@ -43,7 +43,7 @@ fi
case "$1" in
start)
daemon_list daemons
- watchfrr_options="$watchfrr_options $daemons"
+ watchfrr_options="$daemons"
daemon_start watchfrr
;;
stop)
@@ -57,7 +57,7 @@ restart|force-reload)
all_stop --reallyall
daemon_list daemons
- watchfrr_options="$watchfrr_options $daemons"
+ watchfrr_options="$daemons"
daemon_start watchfrr
;;
@@ -87,7 +87,7 @@ reload)
# restart watchfrr to pick up added daemons.
# NB: This will NOT cause the other daemons to be restarted.
daemon_list daemons
- watchfrr_options="$watchfrr_options $daemons"
+ watchfrr_options="$daemons"
daemon_stop watchfrr && \
daemon_start watchfrr

View File

@ -0,0 +1 @@
d /run/frr 0755 frr frr -

View File

@ -1,30 +1,26 @@
%global frr_uid 92 %global frrversion 7.5
%global frr_gid 92
%global vty_group frrvty
%global vty_gid 85
%global frrversion 7.0
%global frr_libdir /usr/lib/frr %global frr_libdir /usr/lib/frr
%global _hardened_build 1 %global _hardened_build 1
Name: frr Name: frr
Version: 7.0 Version: 7.5
Release: 10%{?checkout}%{?dist} Release: 4%{?checkout}%{?dist}
Summary: Routing daemon Summary: Routing daemon
License: GPLv2+ License: GPLv2+
URL: http://www.frrouting.org URL: http://www.frrouting.org
Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz
Source1: %{name}-tmpfiles.conf
BuildRequires: perl-generators BuildRequires: perl-generators
BuildRequires: systemd
BuildRequires: gcc BuildRequires: gcc
BuildRequires: net-snmp-devel BuildRequires: net-snmp-devel
BuildRequires: texinfo libcap-devel texi2html autoconf automake libtool patch groff BuildRequires: texinfo libcap-devel autoconf automake libtool patch groff
BuildRequires: readline readline-devel ncurses ncurses-devel BuildRequires: readline readline-devel ncurses ncurses-devel
BuildRequires: git pam-devel c-ares-devel BuildRequires: git pam-devel c-ares-devel
BuildRequires: json-c-devel bison >= 2.7 flex perl-XML-LibXML BuildRequires: json-c-devel bison >= 2.7 flex perl-XML-LibXML
BuildRequires: python3-devel python3-sphinx python3-pytest BuildRequires: python3-devel python3-sphinx python3-pytest
BuildRequires: systemd systemd-devel BuildRequires: systemd systemd-devel
BuildRequires: libyang-devel BuildRequires: libyang-devel >= 1.0.184
Requires: net-snmp ncurses Requires: net-snmp ncurses
Requires(post): systemd /sbin/install-info Requires(post): systemd /sbin/install-info
Requires(preun): systemd /sbin/install-info Requires(preun): systemd /sbin/install-info
@ -32,16 +28,15 @@ Requires(postun): systemd
Requires: iproute Requires: iproute
Requires: initscripts Requires: initscripts
Provides: routingdaemon = %{version}-%{release} Provides: routingdaemon = %{version}-%{release}
Obsoletes: frr-sysvinit quagga Obsoletes: frr-sysvinit quagga frr-contrib
Patch0000: 0000-remove-babeld-and-ldpd.patch Patch0000: 0000-remove-babeld-and-ldpd.patch
Patch0001: 0001-use-python3.patch Patch0001: 0001-use-python3.patch
Patch0002: 0002-enable-openssl.patch Patch0002: 0002-enable-openssl.patch
Patch0003: 0003-disable-eigrp-crypto.patch Patch0003: 0003-disable-eigrp-crypto.patch
Patch0004: 0004-fips-mode.patch Patch0004: 0004-fips-mode.patch
Patch0005: 0005-igmp-trusted-query.patch
Patch0006: 0006-CVE-2020-12831.patch Patch0006: 0006-CVE-2020-12831.patch
Patch0007: 0007-bfd-port-range.patch Patch0007: 0007-frrinit.patch
%description %description
FRRouting is free software that manages TCP/IP based routing protocols. It takes FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -52,21 +47,6 @@ FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP
FRRouting is a fork of Quagga. FRRouting is a fork of Quagga.
%package contrib
Summary: Contrib tools for frr
Requires: %{name}%{?_isa} = %{version}-%{release}
%description contrib
Contributed/3rd party tools which may be of use with frr.
%package devel
Summary: Header and object files for frr development
Requires: %{name}%{?_isa} = %{version}-%{release}
%description devel
The frr-devel package contains the header and object files necessary for
developing OSPF-API and frr applications.
%prep %prep
%autosetup -S git %autosetup -S git
@ -86,7 +66,7 @@ autoreconf -ivf
--enable-ospfapi=no \ --enable-ospfapi=no \
--enable-user=frr \ --enable-user=frr \
--enable-group=frr \ --enable-group=frr \
--enable-vty-group=%vty_group \ --enable-vty-group=frrvty \
--enable-rtadv \ --enable-rtadv \
--disable-exampledir \ --disable-exampledir \
--enable-systemd=yes \ --enable-systemd=yes \
@ -109,15 +89,20 @@ mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default}
%{buildroot}%{_unitdir} %{buildroot}%{_unitdir}
mkdir -p -m 0755 %{buildroot}%{_libdir}/frr mkdir -p -m 0755 %{buildroot}%{_libdir}/frr
mkdir -p %{buildroot}%{_tmpfilesdir}
%make_install %make_install
# Remove this file, as it is uninstalled and causes errors when building on RH9 # Remove this file, as it is uninstalled and causes errors when building on RH9
rm -rf %{buildroot}/usr/share/info/dir rm -rf %{buildroot}/usr/share/info/dir
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/daemons %{buildroot}/etc/frr/daemons install -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.service %{buildroot}%{_unitdir}/frr.service install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/etc/frr/daemons %{buildroot}/etc/frr/daemons
install -p -m 755 %{_builddir}/%{name}-%{frrversion}/redhat/frr.init %{buildroot}%{frr_libdir}/frr install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/frr.service %{buildroot}%{_unitdir}/frr.service
install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrinit.sh %{buildroot}%{frr_libdir}/frr
install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh
install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr
install -d -m 775 %{buildroot}/run/frr install -d -m 775 %{buildroot}/run/frr
@ -125,12 +110,16 @@ install -d -m 775 %{buildroot}/run/frr
rm %{buildroot}%{_libdir}/frr/*.la rm %{buildroot}%{_libdir}/frr/*.la
rm %{buildroot}%{_libdir}/frr/modules/*.la rm %{buildroot}%{_libdir}/frr/modules/*.la
#Upstream does not maintain a stable API, these headers from -devel subpackage are no longer needed
rm %{buildroot}%{_libdir}/frr/*.so
rm -r %{buildroot}%{_includedir}/frr/
%pre %pre
getent group %vty_group >/dev/null 2>&1 || groupadd -r %vty_group >/dev/null 2>&1 || : getent group fttvty >/dev/null 2>&1 || groupadd -r frrvty >/dev/null 2>&1 || :
getent group frr >/dev/null 2>&1 || groupadd -g frr >/dev/null 2>&1 || : getent group frr >/dev/null 2>&1 || groupadd -r frr >/dev/null 2>&1 || :
getent passwd frr >/dev/null 2>&1 || useradd -M -r -s /sbin/nologin \ getent passwd frr >/dev/null 2>&1 || useradd -M -r -g frr -s /sbin/nologin \
-c "FRRouting suite" -d %{_localstatedir}/run/frr frr || : -c "FRRouting suite" -d %{_localstatedir}/run/frr frr || :
usermod -aG %vty_group frr usermod -aG frrvty frr
%post %post
%systemd_post frr.service %systemd_post frr.service
@ -147,9 +136,16 @@ if [ ! -e %{_sysconfdir}/frr/zebra.conf ]; then
fi fi
if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then
touch %{_sysconfdir}/frr/vtysh.conf echo 'no service integrated-vtysh-config' > %{_sysconfdir}/frr/vtysh.conf
chmod 640 %{_sysconfdir}/frr/vtysh.conf chmod 640 %{_sysconfdir}/frr/vtysh.conf
chown frr:%{vty_group} %{_sysconfdir}/frr/vtysh.conf chown frr:frrvty %{_sysconfdir}/frr/vtysh.conf
fi
#Making sure that the old format of config file still works
#Checking whether .rpmnew conf file is present - in that case I want to change the old config
if [ -e %{_sysconfdir}/frr/daemons.rpmnew ]; then
sed -i s'/watchfrr_/#watchfrr_/g' %{_sysconfdir}/frr/daemons
sed -i s'/zebra=/#zebra=/g' %{_sysconfdir}/frr/daemons
fi fi
%postun %postun
@ -180,45 +176,39 @@ make check PYTHON=%{__python3}
%doc ripngd/ripngd.conf.sample %doc ripngd/ripngd.conf.sample
%doc pimd/pimd.conf.sample %doc pimd/pimd.conf.sample
%doc doc/mpls %doc doc/mpls
%dir %attr(755,frr,frr) %{_sysconfdir}/frr %dir %attr(740,frr,frr) %{_sysconfdir}/frr
%dir %attr(755,frr,frr) /var/log/frr %dir %attr(755,frr,frr) /var/log/frr
%dir %attr(755,frr,frr) /run/frr %dir %attr(755,frr,frr) /run/frr
%{_infodir}/*info* %{_infodir}/*info*
%{_mandir}/man*/* %{_mandir}/man*/*
%dir %{frr_libdir}/
%{frr_libdir}/* %{frr_libdir}/*
%{_bindir}/* %{_bindir}/*
%dir %{_libdir}/frr %dir %{_libdir}/frr
%{_libdir}/frr/*.so.* %{_libdir}/frr/*.so.*
%dir %{_libdir}/frr/modules/
%{_libdir}/frr/modules/* %{_libdir}/frr/modules/*
%config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr %config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr
%config(noreplace) /etc/frr/daemons %config(noreplace) %attr(644,frr,frr) /etc/frr/daemons
%config(noreplace) /etc/pam.d/frr %config(noreplace) /etc/pam.d/frr
%{_unitdir}/*.service %{_unitdir}/*.service
%dir /usr/share/yang
/usr/share/yang/*.yang /usr/share/yang/*.yang
#%%{_libdir}/frr/frr/libyang_plugins/* %{_tmpfilesdir}/%{name}.conf
%files contrib
%defattr(-,root,root)
%doc COPYING
%doc %attr(0644,root,root) tools/frrinit.sh
%doc %attr(0644,root,root) tools/watchfrr.sh
%doc %attr(0644,root,root) tools/zebra.el
%doc %attr(0644,root,root) tools/rrcheck.pl
%doc %attr(0644,root,root) tools/rrlookup.pl
%files devel
%defattr(-,root,root)
%doc COPYING
%dir %{_libdir}/frr/
%{_libdir}/frr/*.so
%dir %{_includedir}/frr
%{_includedir}/frr/*.h
%dir %{_includedir}/frr/ospfd
%{_includedir}/frr/ospfd/*.h
%dir %{_includedir}/frr/eigrpd
%{_includedir}/frr/eigrpd/*.h
%changelog %changelog
* Tue Jan 12 2021 root - 7.5-4
- Related: #1889323 - Fixing start-up with old config file
* Mon Jan 11 2021 root - 7.5-3
- Related: #1889323 - Reverting to non-integrated cofiguration
* Thu Jan 07 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-2
- Related: #1889323 - Obsoleting frr-contrib
* Thu Jan 07 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-1
- Resolves: #1889323 - [RFE] Rebase FRR to 7.5
* Thu Aug 20 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-10 * Thu Aug 20 2020 Michal Ruprich <mruprich@redhat.com> - 7.0-10
- Resolves: #1867793 - FRR does not conform to the source port range specified in RFC5881 - Resolves: #1867793 - FRR does not conform to the source port range specified in RFC5881