From 7db87818edc6edceb64b48253bc1b3f406b743a1 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 5 Nov 2019 14:43:51 -0500 Subject: [PATCH] import frr-7.0-5.el8 --- .frr.metadata | 1 + .gitignore | 1 + SOURCES/0000-remove-babeld-and-ldpd.patch | 61 ++++ SOURCES/0001-use-python3.patch | 10 + SOURCES/0002-enable-openssl.patch | 333 ++++++++++++++++++++++ SOURCES/0003-disable-eigrp-crypto.patch | 253 ++++++++++++++++ SOURCES/0004-fips-mode.patch | 103 +++++++ SPECS/frr.spec | 230 +++++++++++++++ 8 files changed, 992 insertions(+) create mode 100644 .frr.metadata create mode 100644 .gitignore create mode 100644 SOURCES/0000-remove-babeld-and-ldpd.patch create mode 100644 SOURCES/0001-use-python3.patch create mode 100644 SOURCES/0002-enable-openssl.patch create mode 100644 SOURCES/0003-disable-eigrp-crypto.patch create mode 100644 SOURCES/0004-fips-mode.patch create mode 100644 SPECS/frr.spec diff --git a/.frr.metadata b/.frr.metadata new file mode 100644 index 0000000..d1cd685 --- /dev/null +++ b/.frr.metadata @@ -0,0 +1 @@ +ecfb105ca630fb9f265b93f054468efbdb6f2319 SOURCES/frr-7.0.tar.gz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1bbe9d4 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/frr-7.0.tar.gz diff --git a/SOURCES/0000-remove-babeld-and-ldpd.patch b/SOURCES/0000-remove-babeld-and-ldpd.patch new file mode 100644 index 0000000..d5028d1 --- /dev/null +++ b/SOURCES/0000-remove-babeld-and-ldpd.patch @@ -0,0 +1,61 @@ +diff --git a/Makefile.am b/Makefile.am +index 5be3264..33abc1d 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -130,8 +130,6 @@ include ospf6d/subdir.am + include ospfclient/subdir.am + include isisd/subdir.am + include nhrpd/subdir.am +-include ldpd/subdir.am +-include babeld/subdir.am + include eigrpd/subdir.am + include sharpd/subdir.am + include pimd/subdir.am +@@ -182,7 +180,6 @@ EXTRA_DIST += \ + snapcraft/helpers \ + snapcraft/snap \ + \ +- babeld/Makefile \ + bgpd/Makefile \ + bgpd/rfp-example/librfp/Makefile \ + bgpd/rfp-example/rfptest/Makefile \ +@@ -193,7 +190,6 @@ EXTRA_DIST += \ + eigrpd/Makefile \ + fpm/Makefile \ + isisd/Makefile \ +- ldpd/Makefile \ + lib/Makefile \ + nhrpd/Makefile \ + ospf6d/Makefile \ +diff --git a/redhat/daemons b/redhat/daemons +index 068d74d..36730ba 100644 +--- a/redhat/daemons ++++ b/redhat/daemons +@@ -44,11 +44,9 @@ ospf6d=no + ripd=no + ripngd=no + isisd=no +-ldpd=no + pimd=no + nhrpd=no + eigrpd=no +-babeld=no + sharpd=no + pbrd=no + staticd=no +diff --git a/redhat/daemons b/redhat/daemons +index 36730ba..c6090a7 100644 +--- a/redhat/daemons ++++ b/redhat/daemons +@@ -62,11 +62,9 @@ ospf6d_options=("-A ::1") + ripd_options=("-A 127.0.0.1") + ripngd_options=("-A ::1") + isisd_options=("-A 127.0.0.1") +-ldpd_options=("-A 127.0.0.1") + pimd_options=("-A 127.0.0.1") + nhrpd_options=("-A 127.0.0.1") + eigrpd_options=("-A 127.0.0.1") +-babeld_options=("-A 127.0.0.1") + sharpd_options=("-A 127.0.0.1") + pbrd_options=("-A 127.0.0.1") + staticd_options=("-A 127.0.0.1") diff --git a/SOURCES/0001-use-python3.patch b/SOURCES/0001-use-python3.patch new file mode 100644 index 0000000..6ecafb3 --- /dev/null +++ b/SOURCES/0001-use-python3.patch @@ -0,0 +1,10 @@ +diff --git a/tools/frr-reload.py b/tools/frr-reload.py +index 208fb11..0692adc 100755 +--- a/tools/frr-reload.py ++++ b/tools/frr-reload.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python3 + # Frr Reloader + # Copyright (C) 2014 Cumulus Networks, Inc. + # diff --git a/SOURCES/0002-enable-openssl.patch b/SOURCES/0002-enable-openssl.patch new file mode 100644 index 0000000..dd423b9 --- /dev/null +++ b/SOURCES/0002-enable-openssl.patch @@ -0,0 +1,333 @@ +diff --git a/configure.ac b/configure.ac +index 9f8b31b..38781da 100755 +--- a/configure.ac ++++ b/configure.ac +@@ -529,6 +529,20 @@ AC_ARG_ENABLE([thread-sanitizer], + AS_HELP_STRING([--enable-thread-sanitizer], [enable ThreadSanitizer support for detecting data races])) + AC_ARG_ENABLE([memory-sanitizer], + AS_HELP_STRING([--enable-memory-sanitizer], [enable MemorySanitizer support for detecting uninitialized memory reads])) ++AC_ARG_WITH([crypto], ++ AS_HELP_STRING([--with-crypto=], [choose between different implementations of cryptographic functions(default value is --with-crypto=internal)])) ++ ++#if openssl, else use internal as default ++AS_IF([test x"${with_crypto}" = x"openssl"], [ ++ AC_CHECK_LIB([crypto], [EVP_DigestInit], [LIBS="$LIBS -lcrypto"], [], []) ++ if test "$ac_cv_lib_crypto_EVP_DigestInit" = no; then ++ AC_MSG_ERROR([build with openssl has been specified but openssl library was not found on your system]) ++ else ++ AC_DEFINE([CRYPTO_OPENSSL], [1], [Compile with openssl support]) ++ fi ++], [test x"${with_crypto}" = x"internal" || test x"${with_crypto}" = x"" ], [AC_DEFINE([CRYPTO_INTERNAL], [1], [Compile with internal cryptographic implementation]) ++], [AC_MSG_ERROR([Unknown value for --with-crypto])] ++) + + AS_IF([test "${enable_clippy_only}" != "yes"], [ + AC_CHECK_HEADERS([json-c/json.h]) +diff --git a/lib/subdir.am b/lib/subdir.am +index 0b7af18..0533e24 100644 +--- a/lib/subdir.am ++++ b/lib/subdir.am +@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \ + lib/libfrr.c \ + lib/linklist.c \ + lib/log.c \ +- lib/md5.c \ + lib/memory.c \ + lib/memory_vty.c \ + lib/module.c \ +diff --git a/lib/subdir.am b/lib/subdir.am +index 0533e24..b3d3700 100644 +--- a/lib/subdir.am ++++ b/lib/subdir.am +@@ -170,7 +170,6 @@ pkginclude_HEADERS += \ + lib/libospf.h \ + lib/linklist.h \ + lib/log.h \ +- lib/md5.h \ + lib/memory.h \ + lib/memory_vty.h \ + lib/module.h \ +diff --git a/lib/subdir.am b/lib/subdir.am +index 53f7115..cea866f 100644 +--- a/lib/subdir.am ++++ b/lib/subdir.am +@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \ + lib/ringbuf.c \ + lib/routemap.c \ + lib/sbuf.c \ +- lib/sha256.c \ + lib/sigevent.c \ + lib/skiplist.c \ + lib/sockopt.c \ +@@ -191,7 +190,6 @@ pkginclude_HEADERS += \ + lib/ringbuf.h \ + lib/routemap.h \ + lib/sbuf.h \ +- lib/sha256.h \ + lib/sigevent.h \ + lib/skiplist.h \ + lib/smux.h \ +diff --git a/lib/zebra.h b/lib/zebra.h +index 22239f8e60..a308d46cc9 100644 +--- a/lib/zebra.h ++++ b/lib/zebra.h +@@ -134,6 +134,11 @@ typedef unsigned char uint8_t; + #endif + #endif + ++#ifdef CRYPTO_OPENSSL ++#include ++#include ++#endif ++ + #include "openbsd-tree.h" + + #include +diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c +index 6bc8c25153..b951e94ae6 100644 +--- a/ospfd/ospf_packet.c ++++ b/ospfd/ospf_packet.c +@@ -33,7 +33,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#if !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE) + #include "md5.h" ++#endif + #include "vrf.h" + #include "lib_errors.h" + +@@ -332,7 +334,11 @@ static unsigned int ospf_packet_max(struct ospf_interface *oi) + static int ospf_check_md5_digest(struct ospf_interface *oi, + struct ospf_header *ospfh) + { ++#ifdef CRYPTO_OPENSSL ++ EVP_MD_CTX *ctx; ++#else + MD5_CTX ctx; ++#endif + unsigned char digest[OSPF_AUTH_MD5_SIZE]; + struct crypt_key *ck; + struct ospf_neighbor *nbr; +@@ -361,11 +367,21 @@ static int ospf_check_md5_digest(struct ospf_interface *oi, + } + + /* Generate a digest for the ospf packet - their digest + our digest. */ ++#ifdef CRYPTO_OPENSSL ++ unsigned int md5_size = OSPF_AUTH_MD5_SIZE; ++ ctx = EVP_MD_CTX_new(); ++ EVP_DigestInit(ctx, EVP_md5()); ++ EVP_DigestUpdate(ctx, ospfh, length); ++ EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE); ++ EVP_DigestFinal(ctx, digest, &md5_size); ++ EVP_MD_CTX_free(ctx); ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + MD5Update(&ctx, ospfh, length); + MD5Update(&ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE); + MD5Final(digest, &ctx); ++#endif + + /* compare the two */ + if (memcmp((caddr_t)ospfh + length, digest, OSPF_AUTH_MD5_SIZE)) { +@@ -389,7 +404,11 @@ static int ospf_make_md5_digest(struct ospf_interface *oi, + { + struct ospf_header *ospfh; + unsigned char digest[OSPF_AUTH_MD5_SIZE] = {0}; ++#ifdef CRYPTO_OPENSSL ++ EVP_MD_CTX *ctx; ++#else + MD5_CTX ctx; ++#endif + void *ibuf; + uint32_t t; + struct crypt_key *ck; +@@ -422,11 +441,21 @@ static int ospf_make_md5_digest(struct ospf_interface *oi, + } + + /* Generate a digest for the entire packet + our secret key. */ ++#ifdef CRYPTO_OPENSSL ++ unsigned int md5_size = OSPF_AUTH_MD5_SIZE; ++ ctx = EVP_MD_CTX_new(); ++ EVP_DigestInit(ctx, EVP_md5()); ++ EVP_DigestUpdate(ctx, ibuf, ntohs(ospfh->length)); ++ EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE); ++ EVP_DigestFinal(ctx, digest, &md5_size); ++ EVP_MD_CTX_free(ctx); ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + MD5Update(&ctx, ibuf, ntohs(ospfh->length)); + MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE); + MD5Final(digest, &ctx); ++#endif + + /* Append md5 digest to the end of the stream. */ + stream_put(op->s, digest, OSPF_AUTH_MD5_SIZE); +diff --git a/ripd/ripd.c b/ripd/ripd.c +index e0ff0430f8..b311ac5717 100644 +--- a/ripd/ripd.c ++++ b/ripd/ripd.c +@@ -37,7 +37,9 @@ + #include "if_rmap.h" + #include "plist.h" + #include "distribute.h" ++#if !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE) + #include "md5.h" ++#endif + #include "keychain.h" + #include "privs.h" + #include "lib_errors.h" +@@ -870,7 +872,11 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from, + struct rip_md5_data *md5data; + struct keychain *keychain; + struct key *key; ++#ifdef CRYPTO_OPENSSL ++ EVP_MD_CTX *ctx; ++#else + MD5_CTX ctx; ++#endif + uint8_t digest[RIP_AUTH_MD5_SIZE]; + uint16_t packet_len; + char auth_str[RIP_AUTH_MD5_SIZE]; +@@ -934,11 +940,21 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from, + return 0; + + /* MD5 digest authentication. */ ++#ifdef CRYPTO_OPENSSL ++ unsigned int md5_size = RIP_AUTH_MD5_SIZE; ++ ctx = EVP_MD_CTX_new(); ++ EVP_DigestInit(ctx, EVP_md5()); ++ EVP_DigestUpdate(ctx, packet, packet_len + RIP_HEADER_SIZE); ++ EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE); ++ EVP_DigestFinal(ctx, digest, &md5_size); ++ EVP_MD_CTX_free(ctx); ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + MD5Update(&ctx, packet, packet_len + RIP_HEADER_SIZE); + MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE); + MD5Final(digest, &ctx); ++#endif + + if (memcmp(md5data->digest, digest, RIP_AUTH_MD5_SIZE) == 0) + return packet_len; +@@ -1063,7 +1078,11 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri, + size_t doff, char *auth_str, int authlen) + { + unsigned long len; ++#ifdef CRYPTO_OPENSSL ++ EVP_MD_CTX *ctx; ++#else + MD5_CTX ctx; ++#endif + unsigned char digest[RIP_AUTH_MD5_SIZE]; + + /* Make it sure this interface is configured as MD5 +@@ -1092,11 +1111,21 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri, + stream_putw(s, RIP_AUTH_DATA); + + /* Generate a digest for the RIP packet. */ ++#ifdef CRYPTO_OPENSSL ++ unsigned int md5_size = RIP_AUTH_MD5_SIZE; ++ ctx = EVP_MD_CTX_new(); ++ EVP_DigestInit(ctx, EVP_md5()); ++ EVP_DigestUpdate(ctx, STREAM_DATA(s), stream_get_endp(s)); ++ EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE); ++ EVP_DigestFinal(ctx, digest, &md5_size); ++ EVP_MD_CTX_free(ctx); ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + MD5Update(&ctx, STREAM_DATA(s), stream_get_endp(s)); + MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE); + MD5Final(digest, &ctx); ++#endif + + /* Copy the digest to the packet. */ + stream_write(s, digest, RIP_AUTH_MD5_SIZE); +diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c +index 488dfedae4..862d675e84 100644 +--- a/isisd/isis_tlvs.c ++++ b/isisd/isis_tlvs.c +@@ -22,7 +22,9 @@ + */ + #include + ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "memory.h" + #include "stream.h" + #include "sbuf.h" +@@ -2770,8 +2772,13 @@ static void update_auth_hmac_md5(struct isis_auth *auth, struct stream *s, + safe_auth_md5(s, &checksum, &rem_lifetime); + + memset(STREAM_DATA(s) + auth->offset, 0, 16); ++#ifdef CRYPTO_OPENSSL ++ uint8_t* result = (uint8_t*)HMAC(EVP_md5(), auth->passwd, auth->plength, STREAM_DATA(s), stream_get_endp(s), NULL, NULL); ++ memcpy(digest, result, 16); ++#elif CRYPTO_INTERNAL + hmac_md5(STREAM_DATA(s), stream_get_endp(s), auth->passwd, + auth->plength, digest); ++#endif + memcpy(auth->value, digest, 16); + memcpy(STREAM_DATA(s) + auth->offset, digest, 16); + +@@ -3310,8 +3317,13 @@ static bool auth_validator_hmac_md5(struct isis_passwd *passwd, + safe_auth_md5(stream, &checksum, &rem_lifetime); + + memset(STREAM_DATA(stream) + auth->offset, 0, 16); ++#ifdef CRYPTO_OPENSSL ++ uint8_t* result = (uint8_t*)HMAC(EVP_md5(), passwd->passwd, passwd->len, STREAM_DATA(stream), stream_get_endp(stream), NULL, NULL); ++ memcpy(digest, result, 16); ++#elif CRYPTO_INTERNAL + hmac_md5(STREAM_DATA(stream), stream_get_endp(stream), passwd->passwd, + passwd->len, digest); ++#endif + memcpy(STREAM_DATA(stream) + auth->offset, auth->value, 16); + + bool rv = !memcmp(digest, auth->value, 16); +diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c +index 1991666..2e4fe55 100644 +--- a/isisd/isis_lsp.c ++++ b/isisd/isis_lsp.c +@@ -35,7 +35,9 @@ + #include "hash.h" + #include "if.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "table.h" + #include "srcdest_table.h" + #include "lib_errors.h" +diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c +index 9c63311..7cf594c 100644 +--- a/isisd/isis_pdu.c ++++ b/isisd/isis_pdu.c +@@ -33,7 +33,9 @@ + #include "prefix.h" + #include "if.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "lib_errors.h" + + #include "isisd/dict.h" +diff --git a/isisd/isis_te.c b/isisd/isis_te.c +index 4ea6c2c..72ff0d2 100644 +--- a/isisd/isis_te.c ++++ b/isisd/isis_te.c +@@ -38,7 +38,9 @@ + #include "if.h" + #include "vrf.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "sockunion.h" + #include "network.h" + #include "sbuf.h" diff --git a/SOURCES/0003-disable-eigrp-crypto.patch b/SOURCES/0003-disable-eigrp-crypto.patch new file mode 100644 index 0000000..58734df --- /dev/null +++ b/SOURCES/0003-disable-eigrp-crypto.patch @@ -0,0 +1,253 @@ +diff --git a/eigrpd/eigrp_vty.c b/eigrpd/eigrp_vty.c +index fc5bdbd..56ebac6 100644 +--- a/eigrpd/eigrp_vty.c ++++ b/eigrpd/eigrp_vty.c +@@ -968,6 +968,9 @@ DEFUN (eigrp_authentication_mode, + "Keyed message digest\n" + "HMAC SHA256 algorithm \n") + { ++ vty_out(vty, " EIGRP Authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ + VTY_DECLVAR_CONTEXT(interface, ifp); + struct eigrp_interface *ei = ifp->info; + struct eigrp *eigrp; +@@ -1003,6 +1006,9 @@ DEFUN (no_eigrp_authentication_mode, + "Keyed message digest\n" + "HMAC SHA256 algorithm \n") + { ++ vty_out(vty, " EIGRP Authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ + VTY_DECLVAR_CONTEXT(interface, ifp); + struct eigrp_interface *ei = ifp->info; + struct eigrp *eigrp; +@@ -1034,6 +1040,9 @@ DEFPY (eigrp_authentication_keychain, + "Autonomous system number\n" + "Name of key-chain\n") + { ++ vty_out(vty, " EIGRP Authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ + VTY_DECLVAR_CONTEXT(interface, ifp); + struct eigrp_interface *ei = ifp->info; + struct eigrp *eigrp; +diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c +index bedaf15..8dc09bf 100644 +--- a/eigrpd/eigrp_packet.c ++++ b/eigrpd/eigrp_packet.c +@@ -40,8 +40,10 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" + #include "sha256.h" ++#endif + #include "lib_errors.h" + + #include "eigrpd/eigrp_structs.h" +@@ -95,8 +97,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + struct key *key = NULL; + struct keychain *keychain; + ++ + unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; ++#ifdef CRYPTO_OPENSSL ++#elif CRYPTO_INTERNAL + MD5_CTX ctx; ++#endif + uint8_t *ibuf; + size_t backup_get, backup_end; + struct TLV_MD5_Authentication_Type *auth_TLV; +@@ -119,6 +125,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + return EIGRP_AUTH_TYPE_NONE; + } + ++#ifdef CRYPTO_OPENSSL ++//TBD when this is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + +@@ -146,7 +155,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + } + + MD5Final(digest, &ctx); +- ++#endif + /* Append md5 digest to the end of the stream. */ + memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN); + +@@ -162,7 +171,10 @@ int eigrp_check_md5_digest(struct stream *s, + struct TLV_MD5_Authentication_Type *authTLV, + struct eigrp_neighbor *nbr, uint8_t flags) + { ++#ifdef CRYPTO_OPENSSL ++#elif CRYPTO_INTERNAL + MD5_CTX ctx; ++#endif + unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; + unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN]; + struct key *key = NULL; +@@ -203,6 +215,9 @@ int eigrp_check_md5_digest(struct stream *s, + return 0; + } + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + +@@ -230,6 +245,7 @@ int eigrp_check_md5_digest(struct stream *s, + } + + MD5Final(digest, &ctx); ++#endif + + /* compare the two */ + if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) { +@@ -254,7 +270,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN]; + unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0}; + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + HMAC_SHA256_CTX ctx; ++#endif + void *ibuf; + size_t backup_get, backup_end; + struct TLV_SHA256_Authentication_Type *auth_TLV; +@@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + + inet_ntop(AF_INET, &ei->address->u.prefix4, source_ip, PREFIX_STRLEN); + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + buffer[0] = '\n'; + memcpy(buffer + 1, key, strlen(key->string)); +@@ -291,7 +314,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + 1 + strlen(key->string) + strlen(source_ip)); + HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf)); + HMAC__SHA256_Final(digest, &ctx); +- ++#endif + + /* Put hmac-sha256 digest to it's place */ + memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN); +diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c +index 93eed94..f1c7347 100644 +--- a/eigrpd/eigrp_filter.c ++++ b/eigrpd/eigrp_filter.c +@@ -47,7 +47,9 @@ + #include "if_rmap.h" + #include "plist.h" + #include "distribute.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "keychain.h" + #include "privs.h" + #include "vrf.h" +diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c +index dacd5ca..b232cc5 100644 +--- a/eigrpd/eigrp_hello.c ++++ b/eigrpd/eigrp_hello.c +@@ -43,7 +43,9 @@ + #include "sockopt.h" + #include "checksum.h" + #include "vty.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + + #include "eigrpd/eigrp_structs.h" + #include "eigrpd/eigrpd.h" +diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c +index 84dcf5e..a2575e3 100644 +--- a/eigrpd/eigrp_query.c ++++ b/eigrpd/eigrp_query.c +@@ -38,7 +38,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c +index ccf0496..2902365 100644 +--- a/eigrpd/eigrp_reply.c ++++ b/eigrpd/eigrp_reply.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + #include "keychain.h" + #include "plist.h" +diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c +index ff38325..09b9369 100644 +--- a/eigrpd/eigrp_siaquery.c ++++ b/eigrpd/eigrp_siaquery.c +@@ -38,7 +38,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c +index d3dd123..f6a2bd6 100644 +--- a/eigrpd/eigrp_siareply.c ++++ b/eigrpd/eigrp_siareply.c +@@ -37,7 +37,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c +index 21c9238..cfb8890 100644 +--- a/eigrpd/eigrp_snmp.c ++++ b/eigrpd/eigrp_snmp.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "keychain.h" + #include "smux.h" + +diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c +index 8db4903..2a4f0bb 100644 +--- a/eigrpd/eigrp_update.c ++++ b/eigrpd/eigrp_update.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + #include "plist.h" + #include "plist_int.h" diff --git a/SOURCES/0004-fips-mode.patch b/SOURCES/0004-fips-mode.patch new file mode 100644 index 0000000..ddb522e --- /dev/null +++ b/SOURCES/0004-fips-mode.patch @@ -0,0 +1,103 @@ +diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c +index 631465f..e084ff3 100644 +--- a/ospfd/ospf_vty.c ++++ b/ospfd/ospf_vty.c +@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink, + + if (argv_find(argv, argc, "message-digest", &idx)) { + /* authentication message-digest */ ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC; + } else if (argv_find(argv, argc, "null", &idx)) { + /* "authentication null" */ +@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest, + ? OSPF_AUTH_NULL + : OSPF_AUTH_CRYPTOGRAPHIC; + ++ if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC) ++ { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } ++ } ++ + return CMD_SUCCESS; + } + +@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args, + + /* Handle message-digest authentication */ + if (argv[idx_encryption]->arg[0] == 'm') { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + SET_IF_PARAM(params, auth_type); + params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC; + return CMD_SUCCESS; +@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key, + "The OSPF password (key)\n" + "Address of interface\n") + { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + VTY_DECLVAR_CONTEXT(interface, ifp); + struct crypt_key *ck; + uint8_t key_id; +diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c +index 81b4b39..cce33d9 100644 +--- a/isisd/isis_circuit.c ++++ b/isisd/isis_circuit.c +@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit, + return ferr_code_bug( + "circuit password too long (max 254 chars)"); + ++ //When in FIPS mode, the password never gets set in MD5 ++ if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode()) ++ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); ++ + circuit->passwd.len = len; + strncpy((char *)circuit->passwd.passwd, passwd, 255); + circuit->passwd.type = passwd_type; +diff --git a/isisd/isisd.c b/isisd/isisd.c +index 419127c..a6c36af 100644 +--- a/isisd/isisd.c ++++ b/isisd/isisd.c +@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level, + if (len > 254) + return -1; + ++ //When in FIPS mode, the password never get set in MD5 ++ if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode())) ++ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); ++ + modified.len = len; + strncpy((char *)modified.passwd, passwd, 255); + modified.type = passwd_type; +diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c +index 5bb81ef..02a09ef 100644 +--- a/ripd/rip_cli.c ++++ b/ripd/rip_cli.c +@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode, + value = "20"; + } + ++ if(strmatch(mode, "md5") && FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } ++ + nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY, + strmatch(mode, "md5") ? "md5" : "plain-text"); + nb_cli_enqueue_change(vty, "./authentication-scheme/md5-auth-length", diff --git a/SPECS/frr.spec b/SPECS/frr.spec new file mode 100644 index 0000000..4d2929b --- /dev/null +++ b/SPECS/frr.spec @@ -0,0 +1,230 @@ +%global frr_uid 92 +%global frr_gid 92 +%global vty_group frrvty +%global vty_gid 85 +%global frrversion 7.0 +%global frr_libdir /usr/lib/frr + +%global _hardened_build 1 + +Name: frr +Version: 7.0 +Release: 5%{?checkout}%{?dist} +Summary: Routing daemon +License: GPLv2+ +URL: http://www.frrouting.org +Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz +BuildRequires: perl-generators +BuildRequires: systemd +BuildRequires: gcc +BuildRequires: net-snmp-devel +BuildRequires: texinfo libcap-devel texi2html autoconf automake libtool patch groff +BuildRequires: readline readline-devel ncurses ncurses-devel +BuildRequires: git pam-devel c-ares-devel +BuildRequires: json-c-devel bison >= 2.7 flex perl-XML-LibXML +BuildRequires: python3-devel python3-sphinx python3-pytest +BuildRequires: systemd systemd-devel +BuildRequires: libyang-devel +Requires: net-snmp ncurses +Requires(post): systemd /sbin/install-info +Requires(preun): systemd /sbin/install-info +Requires(postun): systemd +Provides: routingdaemon = %{version}-%{release} +Obsoletes: frr-sysvinit quagga + +Patch0000: 0000-remove-babeld-and-ldpd.patch +Patch0001: 0001-use-python3.patch +Patch0002: 0002-enable-openssl.patch +Patch0003: 0003-disable-eigrp-crypto.patch +Patch0004: 0004-fips-mode.patch + +%description +FRRouting is free software that manages TCP/IP based routing protocols. It takes +a multi-server and multi-threaded approach to resolve the current complexity +of the Internet. + +FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD. + +FRRouting is a fork of Quagga. + +%package contrib +Summary: Contrib tools for frr +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description contrib +Contributed/3rd party tools which may be of use with frr. + +%package devel +Summary: Header and object files for frr development +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +The frr-devel package contains the header and object files necessary for +developing OSPF-API and frr applications. + +%prep +%autosetup -S git + +%build +autoreconf -ivf + +%configure \ + --sbindir=%{frr_libdir} \ + --sysconfdir=%{_sysconfdir}/frr \ + --libdir=%{_libdir}/frr \ + --libexecdir=%{_libexecdir}/frr \ + --localstatedir=%{_localstatedir}/run/frr \ + --enable-snmp=agentx \ + --enable-multipath=64 \ + --enable-vtysh=yes \ + --enable-ospfclient=no \ + --enable-ospfapi=no \ + --enable-user=frr \ + --enable-group=frr \ + --enable-vty-group=%vty_group \ + --enable-rtadv \ + --disable-exampledir \ + --enable-systemd=yes \ + --enable-static=no \ + --disable-ldpd \ + --disable-babeld \ + --with-moduledir=%{_libdir}/frr/modules \ + --with-crypto=openssl \ + --enable-fpm + +%make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3} + +pushd doc +make info +popd + +%install +mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \ + %{buildroot}/var/log/frr %{buildroot}%{_infodir} \ + %{buildroot}%{_unitdir} + +mkdir -p -m 0755 %{buildroot}%{_libdir}/frr + +%make_install + +# Remove this file, as it is uninstalled and causes errors when building on RH9 +rm -rf %{buildroot}/usr/share/info/dir + +install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/daemons %{buildroot}/etc/frr/daemons +install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.service %{buildroot}%{_unitdir}/frr.service +install -p -m 755 %{_builddir}/%{name}-%{frrversion}/redhat/frr.init %{buildroot}%{frr_libdir}/frr +install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr +install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr +install -d -m 775 %{buildroot}/run/frr + +rm %{buildroot}%{_libdir}/frr/*.la +rm %{buildroot}%{_libdir}/frr/modules/*.la + +%pre +getent group %vty_group >/dev/null 2>&1 || groupadd -r %vty_group >/dev/null 2>&1 || : +getent group frr >/dev/null 2>&1 || groupadd -g frr >/dev/null 2>&1 || : +getent passwd frr >/dev/null 2>&1 || useradd -M -r -s /sbin/nologin \ + -c "FRRouting suite" -d %{_localstatedir}/run/frr frr || : +usermod -aG %vty_group frr + +%post +%systemd_post frr.service + +if [ -f %{_infodir}/%{name}.inf* ]; then + install-info %{_infodir}/frr.info %{_infodir}/dir || : +fi + +# Create dummy files if they don't exist so basic functions can be used. +if [ ! -e %{_sysconfdir}/frr/zebra.conf ]; then + echo "hostname `hostname`" > %{_sysconfdir}/frr/zebra.conf + chown frr:frr %{_sysconfdir}/frr/zebra.conf + chmod 640 %{_sysconfdir}/frr/zebra.conf +fi + +if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then + touch %{_sysconfdir}/frr/vtysh.conf + chmod 640 %{_sysconfdir}/frr/vtysh.conf + chown frr:%{vty_group} %{_sysconfdir}/frr/vtysh.conf +fi + +%postun +%systemd_postun_with_restart frr.service + +#only when removing the package +if [ $1 -ge 0 ]; then + if [ -f %{_infodir}/%{name}.inf* ]; then + install-info --delete %{_infodir}/frr.info %{_infodir}/dir || : + fi +fi + +%preun +%systemd_preun frr.service + +%check +make check PYTHON=%{__python3} + +%files +%defattr(-,root,root) +%license COPYING +%doc zebra/zebra.conf.sample +%doc isisd/isisd.conf.sample +%doc ripd/ripd.conf.sample +%doc bgpd/bgpd.conf.sample* +%doc ospfd/ospfd.conf.sample +%doc ospf6d/ospf6d.conf.sample +%doc ripngd/ripngd.conf.sample +%doc pimd/pimd.conf.sample +%doc doc/mpls +%dir %attr(755,frr,frr) %{_sysconfdir}/frr +%dir %attr(755,frr,frr) /var/log/frr +%dir %attr(755,frr,frr) /run/frr +%{_infodir}/*info* +%{_mandir}/man*/* +%{frr_libdir}/* +%{_bindir}/* +%dir %{_libdir}/frr +%{_libdir}/frr/*.so.* +%{_libdir}/frr/modules/* +%config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr +%config(noreplace) /etc/frr/daemons +%config(noreplace) /etc/pam.d/frr +%{_unitdir}/*.service +/usr/share/yang/*.yang +#%%{_libdir}/frr/frr/libyang_plugins/* + +%files contrib +%defattr(-,root,root) +%doc COPYING +%doc %attr(0644,root,root) tools/frrinit.sh +%doc %attr(0644,root,root) tools/watchfrr.sh +%doc %attr(0644,root,root) tools/zebra.el +%doc %attr(0644,root,root) tools/rrcheck.pl +%doc %attr(0644,root,root) tools/rrlookup.pl + +%files devel +%defattr(-,root,root) +%doc COPYING +%dir %{_libdir}/frr/ +%{_libdir}/frr/*.so +%dir %{_includedir}/frr +%{_includedir}/frr/*.h +%dir %{_includedir}/frr/ospfd +%{_includedir}/frr/ospfd/*.h +%dir %{_includedir}/frr/eigrpd +%{_includedir}/frr/eigrpd/*.h + +%changelog +* Tue Sep 03 2019 Michal Ruprich - 7.0-5 +- Resolves: #1719465 - Removal of component Frr or its crypto + +* Wed Jun 19 2019 Michal Ruprich - 7.0-4 +- Related: #1657029 - frr-contrib is back, it is breaking the rpmdeplint test + +* Wed Jun 19 2019 Michal Ruprich - 7.0-3 +- Related: #1657029 - more cleanup, removed frr-contrib, frrvt changed to frrvty + +* Wed Jun 19 2019 Michal Ruprich - 7.0-2 +- Related: #1657029 - cleaning specfile, adding Requires on libyang-devel + +* Wed May 29 2019 Michal Ruprich - 7.0-1 +- Resolves: #1657029 - Add FRR as a replacement of Quagga in RHEL 8