import frr-7.0-5.el8

This commit is contained in:
CentOS Sources 2019-11-05 14:43:51 -05:00 committed by Andrew Lukoshko
commit 7db87818ed
8 changed files with 992 additions and 0 deletions

1
.frr.metadata Normal file
View File

@ -0,0 +1 @@
ecfb105ca630fb9f265b93f054468efbdb6f2319 SOURCES/frr-7.0.tar.gz

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/frr-7.0.tar.gz

View File

@ -0,0 +1,61 @@
diff --git a/Makefile.am b/Makefile.am
index 5be3264..33abc1d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -130,8 +130,6 @@ include ospf6d/subdir.am
include ospfclient/subdir.am
include isisd/subdir.am
include nhrpd/subdir.am
-include ldpd/subdir.am
-include babeld/subdir.am
include eigrpd/subdir.am
include sharpd/subdir.am
include pimd/subdir.am
@@ -182,7 +180,6 @@ EXTRA_DIST += \
snapcraft/helpers \
snapcraft/snap \
\
- babeld/Makefile \
bgpd/Makefile \
bgpd/rfp-example/librfp/Makefile \
bgpd/rfp-example/rfptest/Makefile \
@@ -193,7 +190,6 @@ EXTRA_DIST += \
eigrpd/Makefile \
fpm/Makefile \
isisd/Makefile \
- ldpd/Makefile \
lib/Makefile \
nhrpd/Makefile \
ospf6d/Makefile \
diff --git a/redhat/daemons b/redhat/daemons
index 068d74d..36730ba 100644
--- a/redhat/daemons
+++ b/redhat/daemons
@@ -44,11 +44,9 @@ ospf6d=no
ripd=no
ripngd=no
isisd=no
-ldpd=no
pimd=no
nhrpd=no
eigrpd=no
-babeld=no
sharpd=no
pbrd=no
staticd=no
diff --git a/redhat/daemons b/redhat/daemons
index 36730ba..c6090a7 100644
--- a/redhat/daemons
+++ b/redhat/daemons
@@ -62,11 +62,9 @@ ospf6d_options=("-A ::1")
ripd_options=("-A 127.0.0.1")
ripngd_options=("-A ::1")
isisd_options=("-A 127.0.0.1")
-ldpd_options=("-A 127.0.0.1")
pimd_options=("-A 127.0.0.1")
nhrpd_options=("-A 127.0.0.1")
eigrpd_options=("-A 127.0.0.1")
-babeld_options=("-A 127.0.0.1")
sharpd_options=("-A 127.0.0.1")
pbrd_options=("-A 127.0.0.1")
staticd_options=("-A 127.0.0.1")

View File

@ -0,0 +1,10 @@
diff --git a/tools/frr-reload.py b/tools/frr-reload.py
index 208fb11..0692adc 100755
--- a/tools/frr-reload.py
+++ b/tools/frr-reload.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
# Frr Reloader
# Copyright (C) 2014 Cumulus Networks, Inc.
#

View File

@ -0,0 +1,333 @@
diff --git a/configure.ac b/configure.ac
index 9f8b31b..38781da 100755
--- a/configure.ac
+++ b/configure.ac
@@ -529,6 +529,20 @@ AC_ARG_ENABLE([thread-sanitizer],
AS_HELP_STRING([--enable-thread-sanitizer], [enable ThreadSanitizer support for detecting data races]))
AC_ARG_ENABLE([memory-sanitizer],
AS_HELP_STRING([--enable-memory-sanitizer], [enable MemorySanitizer support for detecting uninitialized memory reads]))
+AC_ARG_WITH([crypto],
+ AS_HELP_STRING([--with-crypto=<internal|openssl>], [choose between different implementations of cryptographic functions(default value is --with-crypto=internal)]))
+
+#if openssl, else use internal as default
+AS_IF([test x"${with_crypto}" = x"openssl"], [
+ AC_CHECK_LIB([crypto], [EVP_DigestInit], [LIBS="$LIBS -lcrypto"], [], [])
+ if test "$ac_cv_lib_crypto_EVP_DigestInit" = no; then
+ AC_MSG_ERROR([build with openssl has been specified but openssl library was not found on your system])
+ else
+ AC_DEFINE([CRYPTO_OPENSSL], [1], [Compile with openssl support])
+ fi
+], [test x"${with_crypto}" = x"internal" || test x"${with_crypto}" = x"" ], [AC_DEFINE([CRYPTO_INTERNAL], [1], [Compile with internal cryptographic implementation])
+], [AC_MSG_ERROR([Unknown value for --with-crypto])]
+)
AS_IF([test "${enable_clippy_only}" != "yes"], [
AC_CHECK_HEADERS([json-c/json.h])
diff --git a/lib/subdir.am b/lib/subdir.am
index 0b7af18..0533e24 100644
--- a/lib/subdir.am
+++ b/lib/subdir.am
@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \
lib/libfrr.c \
lib/linklist.c \
lib/log.c \
- lib/md5.c \
lib/memory.c \
lib/memory_vty.c \
lib/module.c \
diff --git a/lib/subdir.am b/lib/subdir.am
index 0533e24..b3d3700 100644
--- a/lib/subdir.am
+++ b/lib/subdir.am
@@ -170,7 +170,6 @@ pkginclude_HEADERS += \
lib/libospf.h \
lib/linklist.h \
lib/log.h \
- lib/md5.h \
lib/memory.h \
lib/memory_vty.h \
lib/module.h \
diff --git a/lib/subdir.am b/lib/subdir.am
index 53f7115..cea866f 100644
--- a/lib/subdir.am
+++ b/lib/subdir.am
@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
lib/ringbuf.c \
lib/routemap.c \
lib/sbuf.c \
- lib/sha256.c \
lib/sigevent.c \
lib/skiplist.c \
lib/sockopt.c \
@@ -191,7 +190,6 @@ pkginclude_HEADERS += \
lib/ringbuf.h \
lib/routemap.h \
lib/sbuf.h \
- lib/sha256.h \
lib/sigevent.h \
lib/skiplist.h \
lib/smux.h \
diff --git a/lib/zebra.h b/lib/zebra.h
index 22239f8e60..a308d46cc9 100644
--- a/lib/zebra.h
+++ b/lib/zebra.h
@@ -134,6 +134,11 @@ typedef unsigned char uint8_t;
#endif
#endif
+#ifdef CRYPTO_OPENSSL
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#endif
+
#include "openbsd-tree.h"
#include <netinet/in.h>
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 6bc8c25153..b951e94ae6 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -33,7 +33,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#if !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE)
#include "md5.h"
+#endif
#include "vrf.h"
#include "lib_errors.h"
@@ -332,7 +334,11 @@ static unsigned int ospf_packet_max(struct ospf_interface *oi)
static int ospf_check_md5_digest(struct ospf_interface *oi,
struct ospf_header *ospfh)
{
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
unsigned char digest[OSPF_AUTH_MD5_SIZE];
struct crypt_key *ck;
struct ospf_neighbor *nbr;
@@ -361,11 +367,21 @@ static int ospf_check_md5_digest(struct ospf_interface *oi,
}
/* Generate a digest for the ospf packet - their digest + our digest. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, ospfh, length);
+ EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, ospfh, length);
MD5Update(&ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
/* compare the two */
if (memcmp((caddr_t)ospfh + length, digest, OSPF_AUTH_MD5_SIZE)) {
@@ -389,7 +404,11 @@ static int ospf_make_md5_digest(struct ospf_interface *oi,
{
struct ospf_header *ospfh;
unsigned char digest[OSPF_AUTH_MD5_SIZE] = {0};
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
void *ibuf;
uint32_t t;
struct crypt_key *ck;
@@ -422,11 +441,21 @@ static int ospf_make_md5_digest(struct ospf_interface *oi,
}
/* Generate a digest for the entire packet + our secret key. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, ibuf, ntohs(ospfh->length));
+ EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, ibuf, ntohs(ospfh->length));
MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
/* Append md5 digest to the end of the stream. */
stream_put(op->s, digest, OSPF_AUTH_MD5_SIZE);
diff --git a/ripd/ripd.c b/ripd/ripd.c
index e0ff0430f8..b311ac5717 100644
--- a/ripd/ripd.c
+++ b/ripd/ripd.c
@@ -37,7 +37,9 @@
#include "if_rmap.h"
#include "plist.h"
#include "distribute.h"
+#if !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE)
#include "md5.h"
+#endif
#include "keychain.h"
#include "privs.h"
#include "lib_errors.h"
@@ -870,7 +872,11 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from,
struct rip_md5_data *md5data;
struct keychain *keychain;
struct key *key;
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
uint8_t digest[RIP_AUTH_MD5_SIZE];
uint16_t packet_len;
char auth_str[RIP_AUTH_MD5_SIZE];
@@ -934,11 +940,21 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from,
return 0;
/* MD5 digest authentication. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = RIP_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, packet, packet_len + RIP_HEADER_SIZE);
+ EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, packet, packet_len + RIP_HEADER_SIZE);
MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
if (memcmp(md5data->digest, digest, RIP_AUTH_MD5_SIZE) == 0)
return packet_len;
@@ -1063,7 +1078,11 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri,
size_t doff, char *auth_str, int authlen)
{
unsigned long len;
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
unsigned char digest[RIP_AUTH_MD5_SIZE];
/* Make it sure this interface is configured as MD5
@@ -1092,11 +1111,21 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri,
stream_putw(s, RIP_AUTH_DATA);
/* Generate a digest for the RIP packet. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = RIP_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, STREAM_DATA(s), stream_get_endp(s));
+ EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, STREAM_DATA(s), stream_get_endp(s));
MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
/* Copy the digest to the packet. */
stream_write(s, digest, RIP_AUTH_MD5_SIZE);
diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
index 488dfedae4..862d675e84 100644
--- a/isisd/isis_tlvs.c
+++ b/isisd/isis_tlvs.c
@@ -22,7 +22,9 @@
*/
#include <zebra.h>
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "memory.h"
#include "stream.h"
#include "sbuf.h"
@@ -2770,8 +2772,13 @@ static void update_auth_hmac_md5(struct isis_auth *auth, struct stream *s,
safe_auth_md5(s, &checksum, &rem_lifetime);
memset(STREAM_DATA(s) + auth->offset, 0, 16);
+#ifdef CRYPTO_OPENSSL
+ uint8_t* result = (uint8_t*)HMAC(EVP_md5(), auth->passwd, auth->plength, STREAM_DATA(s), stream_get_endp(s), NULL, NULL);
+ memcpy(digest, result, 16);
+#elif CRYPTO_INTERNAL
hmac_md5(STREAM_DATA(s), stream_get_endp(s), auth->passwd,
auth->plength, digest);
+#endif
memcpy(auth->value, digest, 16);
memcpy(STREAM_DATA(s) + auth->offset, digest, 16);
@@ -3310,8 +3317,13 @@ static bool auth_validator_hmac_md5(struct isis_passwd *passwd,
safe_auth_md5(stream, &checksum, &rem_lifetime);
memset(STREAM_DATA(stream) + auth->offset, 0, 16);
+#ifdef CRYPTO_OPENSSL
+ uint8_t* result = (uint8_t*)HMAC(EVP_md5(), passwd->passwd, passwd->len, STREAM_DATA(stream), stream_get_endp(stream), NULL, NULL);
+ memcpy(digest, result, 16);
+#elif CRYPTO_INTERNAL
hmac_md5(STREAM_DATA(stream), stream_get_endp(stream), passwd->passwd,
passwd->len, digest);
+#endif
memcpy(STREAM_DATA(stream) + auth->offset, auth->value, 16);
bool rv = !memcmp(digest, auth->value, 16);
diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
index 1991666..2e4fe55 100644
--- a/isisd/isis_lsp.c
+++ b/isisd/isis_lsp.c
@@ -35,7 +35,9 @@
#include "hash.h"
#include "if.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "table.h"
#include "srcdest_table.h"
#include "lib_errors.h"
diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c
index 9c63311..7cf594c 100644
--- a/isisd/isis_pdu.c
+++ b/isisd/isis_pdu.c
@@ -33,7 +33,9 @@
#include "prefix.h"
#include "if.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "lib_errors.h"
#include "isisd/dict.h"
diff --git a/isisd/isis_te.c b/isisd/isis_te.c
index 4ea6c2c..72ff0d2 100644
--- a/isisd/isis_te.c
+++ b/isisd/isis_te.c
@@ -38,7 +38,9 @@
#include "if.h"
#include "vrf.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "sockunion.h"
#include "network.h"
#include "sbuf.h"

View File

@ -0,0 +1,253 @@
diff --git a/eigrpd/eigrp_vty.c b/eigrpd/eigrp_vty.c
index fc5bdbd..56ebac6 100644
--- a/eigrpd/eigrp_vty.c
+++ b/eigrpd/eigrp_vty.c
@@ -968,6 +968,9 @@ DEFUN (eigrp_authentication_mode,
"Keyed message digest\n"
"HMAC SHA256 algorithm \n")
{
+ vty_out(vty, " EIGRP Authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+
VTY_DECLVAR_CONTEXT(interface, ifp);
struct eigrp_interface *ei = ifp->info;
struct eigrp *eigrp;
@@ -1003,6 +1006,9 @@ DEFUN (no_eigrp_authentication_mode,
"Keyed message digest\n"
"HMAC SHA256 algorithm \n")
{
+ vty_out(vty, " EIGRP Authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+
VTY_DECLVAR_CONTEXT(interface, ifp);
struct eigrp_interface *ei = ifp->info;
struct eigrp *eigrp;
@@ -1034,6 +1040,9 @@ DEFPY (eigrp_authentication_keychain,
"Autonomous system number\n"
"Name of key-chain\n")
{
+ vty_out(vty, " EIGRP Authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+
VTY_DECLVAR_CONTEXT(interface, ifp);
struct eigrp_interface *ei = ifp->info;
struct eigrp *eigrp;
diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c
index bedaf15..8dc09bf 100644
--- a/eigrpd/eigrp_packet.c
+++ b/eigrpd/eigrp_packet.c
@@ -40,8 +40,10 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
#include "sha256.h"
+#endif
#include "lib_errors.h"
#include "eigrpd/eigrp_structs.h"
@@ -95,8 +97,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
struct key *key = NULL;
struct keychain *keychain;
+
unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
+#ifdef CRYPTO_OPENSSL
+#elif CRYPTO_INTERNAL
MD5_CTX ctx;
+#endif
uint8_t *ibuf;
size_t backup_get, backup_end;
struct TLV_MD5_Authentication_Type *auth_TLV;
@@ -119,6 +125,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
return EIGRP_AUTH_TYPE_NONE;
}
+#ifdef CRYPTO_OPENSSL
+//TBD when this is fixed in upstream
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
@@ -146,7 +155,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
}
MD5Final(digest, &ctx);
-
+#endif
/* Append md5 digest to the end of the stream. */
memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN);
@@ -162,7 +171,10 @@ int eigrp_check_md5_digest(struct stream *s,
struct TLV_MD5_Authentication_Type *authTLV,
struct eigrp_neighbor *nbr, uint8_t flags)
{
+#ifdef CRYPTO_OPENSSL
+#elif CRYPTO_INTERNAL
MD5_CTX ctx;
+#endif
unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN];
struct key *key = NULL;
@@ -203,6 +215,9 @@ int eigrp_check_md5_digest(struct stream *s,
return 0;
}
+#ifdef CRYPTO_OPENSSL
+ //TBD when eigrpd crypto is fixed in upstream
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
@@ -230,6 +245,7 @@ int eigrp_check_md5_digest(struct stream *s,
}
MD5Final(digest, &ctx);
+#endif
/* compare the two */
if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) {
@@ -254,7 +270,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN];
unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0};
+#ifdef CRYPTO_OPENSSL
+ //TBD when eigrpd crypto is fixed in upstream
+#elif CRYPTO_INTERNAL
HMAC_SHA256_CTX ctx;
+#endif
void *ibuf;
size_t backup_get, backup_end;
struct TLV_SHA256_Authentication_Type *auth_TLV;
@@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
inet_ntop(AF_INET, &ei->address->u.prefix4, source_ip, PREFIX_STRLEN);
+#ifdef CRYPTO_OPENSSL
+ //TBD when eigrpd crypto is fixed in upstream
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
buffer[0] = '\n';
memcpy(buffer + 1, key, strlen(key->string));
@@ -291,7 +314,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
1 + strlen(key->string) + strlen(source_ip));
HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf));
HMAC__SHA256_Final(digest, &ctx);
-
+#endif
/* Put hmac-sha256 digest to it's place */
memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN);
diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c
index 93eed94..f1c7347 100644
--- a/eigrpd/eigrp_filter.c
+++ b/eigrpd/eigrp_filter.c
@@ -47,7 +47,9 @@
#include "if_rmap.h"
#include "plist.h"
#include "distribute.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "keychain.h"
#include "privs.h"
#include "vrf.h"
diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c
index dacd5ca..b232cc5 100644
--- a/eigrpd/eigrp_hello.c
+++ b/eigrpd/eigrp_hello.c
@@ -43,7 +43,9 @@
#include "sockopt.h"
#include "checksum.h"
#include "vty.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "eigrpd/eigrp_structs.h"
#include "eigrpd/eigrpd.h"
diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c
index 84dcf5e..a2575e3 100644
--- a/eigrpd/eigrp_query.c
+++ b/eigrpd/eigrp_query.c
@@ -38,7 +38,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "vty.h"
#include "eigrpd/eigrp_structs.h"
diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c
index ccf0496..2902365 100644
--- a/eigrpd/eigrp_reply.c
+++ b/eigrpd/eigrp_reply.c
@@ -42,7 +42,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "vty.h"
#include "keychain.h"
#include "plist.h"
diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c
index ff38325..09b9369 100644
--- a/eigrpd/eigrp_siaquery.c
+++ b/eigrpd/eigrp_siaquery.c
@@ -38,7 +38,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "vty.h"
#include "eigrpd/eigrp_structs.h"
diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c
index d3dd123..f6a2bd6 100644
--- a/eigrpd/eigrp_siareply.c
+++ b/eigrpd/eigrp_siareply.c
@@ -37,7 +37,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "vty.h"
#include "eigrpd/eigrp_structs.h"
diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c
index 21c9238..cfb8890 100644
--- a/eigrpd/eigrp_snmp.c
+++ b/eigrpd/eigrp_snmp.c
@@ -42,7 +42,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "keychain.h"
#include "smux.h"
diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c
index 8db4903..2a4f0bb 100644
--- a/eigrpd/eigrp_update.c
+++ b/eigrpd/eigrp_update.c
@@ -42,7 +42,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "vty.h"
#include "plist.h"
#include "plist_int.h"

View File

@ -0,0 +1,103 @@
diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
index 631465f..e084ff3 100644
--- a/ospfd/ospf_vty.c
+++ b/ospfd/ospf_vty.c
@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
if (argv_find(argv, argc, "message-digest", &idx)) {
/* authentication message-digest */
+ if(FIPS_mode())
+ {
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+ }
vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
} else if (argv_find(argv, argc, "null", &idx)) {
/* "authentication null" */
@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest,
? OSPF_AUTH_NULL
: OSPF_AUTH_CRYPTOGRAPHIC;
+ if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC)
+ {
+ if(FIPS_mode())
+ {
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+ }
+ }
+
return CMD_SUCCESS;
}
@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args,
/* Handle message-digest authentication */
if (argv[idx_encryption]->arg[0] == 'm') {
+ if(FIPS_mode())
+ {
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+ }
SET_IF_PARAM(params, auth_type);
params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
return CMD_SUCCESS;
@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
"The OSPF password (key)\n"
"Address of interface\n")
{
+ if(FIPS_mode())
+ {
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+ }
VTY_DECLVAR_CONTEXT(interface, ifp);
struct crypt_key *ck;
uint8_t key_id;
diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
index 81b4b39..cce33d9 100644
--- a/isisd/isis_circuit.c
+++ b/isisd/isis_circuit.c
@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
return ferr_code_bug(
"circuit password too long (max 254 chars)");
+ //When in FIPS mode, the password never gets set in MD5
+ if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
+ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+
circuit->passwd.len = len;
strncpy((char *)circuit->passwd.passwd, passwd, 255);
circuit->passwd.type = passwd_type;
diff --git a/isisd/isisd.c b/isisd/isisd.c
index 419127c..a6c36af 100644
--- a/isisd/isisd.c
+++ b/isisd/isisd.c
@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
if (len > 254)
return -1;
+ //When in FIPS mode, the password never get set in MD5
+ if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
+ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+
modified.len = len;
strncpy((char *)modified.passwd, passwd, 255);
modified.type = passwd_type;
diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
index 5bb81ef..02a09ef 100644
--- a/ripd/rip_cli.c
+++ b/ripd/rip_cli.c
@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
value = "20";
}
+ if(strmatch(mode, "md5") && FIPS_mode())
+ {
+ vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+ }
+
nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
strmatch(mode, "md5") ? "md5" : "plain-text");
nb_cli_enqueue_change(vty, "./authentication-scheme/md5-auth-length",

230
SPECS/frr.spec Normal file
View File

@ -0,0 +1,230 @@
%global frr_uid 92
%global frr_gid 92
%global vty_group frrvty
%global vty_gid 85
%global frrversion 7.0
%global frr_libdir /usr/lib/frr
%global _hardened_build 1
Name: frr
Version: 7.0
Release: 5%{?checkout}%{?dist}
Summary: Routing daemon
License: GPLv2+
URL: http://www.frrouting.org
Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz
BuildRequires: perl-generators
BuildRequires: systemd
BuildRequires: gcc
BuildRequires: net-snmp-devel
BuildRequires: texinfo libcap-devel texi2html autoconf automake libtool patch groff
BuildRequires: readline readline-devel ncurses ncurses-devel
BuildRequires: git pam-devel c-ares-devel
BuildRequires: json-c-devel bison >= 2.7 flex perl-XML-LibXML
BuildRequires: python3-devel python3-sphinx python3-pytest
BuildRequires: systemd systemd-devel
BuildRequires: libyang-devel
Requires: net-snmp ncurses
Requires(post): systemd /sbin/install-info
Requires(preun): systemd /sbin/install-info
Requires(postun): systemd
Provides: routingdaemon = %{version}-%{release}
Obsoletes: frr-sysvinit quagga
Patch0000: 0000-remove-babeld-and-ldpd.patch
Patch0001: 0001-use-python3.patch
Patch0002: 0002-enable-openssl.patch
Patch0003: 0003-disable-eigrp-crypto.patch
Patch0004: 0004-fips-mode.patch
%description
FRRouting is free software that manages TCP/IP based routing protocols. It takes
a multi-server and multi-threaded approach to resolve the current complexity
of the Internet.
FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD.
FRRouting is a fork of Quagga.
%package contrib
Summary: Contrib tools for frr
Requires: %{name}%{?_isa} = %{version}-%{release}
%description contrib
Contributed/3rd party tools which may be of use with frr.
%package devel
Summary: Header and object files for frr development
Requires: %{name}%{?_isa} = %{version}-%{release}
%description devel
The frr-devel package contains the header and object files necessary for
developing OSPF-API and frr applications.
%prep
%autosetup -S git
%build
autoreconf -ivf
%configure \
--sbindir=%{frr_libdir} \
--sysconfdir=%{_sysconfdir}/frr \
--libdir=%{_libdir}/frr \
--libexecdir=%{_libexecdir}/frr \
--localstatedir=%{_localstatedir}/run/frr \
--enable-snmp=agentx \
--enable-multipath=64 \
--enable-vtysh=yes \
--enable-ospfclient=no \
--enable-ospfapi=no \
--enable-user=frr \
--enable-group=frr \
--enable-vty-group=%vty_group \
--enable-rtadv \
--disable-exampledir \
--enable-systemd=yes \
--enable-static=no \
--disable-ldpd \
--disable-babeld \
--with-moduledir=%{_libdir}/frr/modules \
--with-crypto=openssl \
--enable-fpm
%make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3}
pushd doc
make info
popd
%install
mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
%{buildroot}/var/log/frr %{buildroot}%{_infodir} \
%{buildroot}%{_unitdir}
mkdir -p -m 0755 %{buildroot}%{_libdir}/frr
%make_install
# Remove this file, as it is uninstalled and causes errors when building on RH9
rm -rf %{buildroot}/usr/share/info/dir
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/daemons %{buildroot}/etc/frr/daemons
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.service %{buildroot}%{_unitdir}/frr.service
install -p -m 755 %{_builddir}/%{name}-%{frrversion}/redhat/frr.init %{buildroot}%{frr_libdir}/frr
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr
install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr
install -d -m 775 %{buildroot}/run/frr
rm %{buildroot}%{_libdir}/frr/*.la
rm %{buildroot}%{_libdir}/frr/modules/*.la
%pre
getent group %vty_group >/dev/null 2>&1 || groupadd -r %vty_group >/dev/null 2>&1 || :
getent group frr >/dev/null 2>&1 || groupadd -g frr >/dev/null 2>&1 || :
getent passwd frr >/dev/null 2>&1 || useradd -M -r -s /sbin/nologin \
-c "FRRouting suite" -d %{_localstatedir}/run/frr frr || :
usermod -aG %vty_group frr
%post
%systemd_post frr.service
if [ -f %{_infodir}/%{name}.inf* ]; then
install-info %{_infodir}/frr.info %{_infodir}/dir || :
fi
# Create dummy files if they don't exist so basic functions can be used.
if [ ! -e %{_sysconfdir}/frr/zebra.conf ]; then
echo "hostname `hostname`" > %{_sysconfdir}/frr/zebra.conf
chown frr:frr %{_sysconfdir}/frr/zebra.conf
chmod 640 %{_sysconfdir}/frr/zebra.conf
fi
if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then
touch %{_sysconfdir}/frr/vtysh.conf
chmod 640 %{_sysconfdir}/frr/vtysh.conf
chown frr:%{vty_group} %{_sysconfdir}/frr/vtysh.conf
fi
%postun
%systemd_postun_with_restart frr.service
#only when removing the package
if [ $1 -ge 0 ]; then
if [ -f %{_infodir}/%{name}.inf* ]; then
install-info --delete %{_infodir}/frr.info %{_infodir}/dir || :
fi
fi
%preun
%systemd_preun frr.service
%check
make check PYTHON=%{__python3}
%files
%defattr(-,root,root)
%license COPYING
%doc zebra/zebra.conf.sample
%doc isisd/isisd.conf.sample
%doc ripd/ripd.conf.sample
%doc bgpd/bgpd.conf.sample*
%doc ospfd/ospfd.conf.sample
%doc ospf6d/ospf6d.conf.sample
%doc ripngd/ripngd.conf.sample
%doc pimd/pimd.conf.sample
%doc doc/mpls
%dir %attr(755,frr,frr) %{_sysconfdir}/frr
%dir %attr(755,frr,frr) /var/log/frr
%dir %attr(755,frr,frr) /run/frr
%{_infodir}/*info*
%{_mandir}/man*/*
%{frr_libdir}/*
%{_bindir}/*
%dir %{_libdir}/frr
%{_libdir}/frr/*.so.*
%{_libdir}/frr/modules/*
%config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr
%config(noreplace) /etc/frr/daemons
%config(noreplace) /etc/pam.d/frr
%{_unitdir}/*.service
/usr/share/yang/*.yang
#%%{_libdir}/frr/frr/libyang_plugins/*
%files contrib
%defattr(-,root,root)
%doc COPYING
%doc %attr(0644,root,root) tools/frrinit.sh
%doc %attr(0644,root,root) tools/watchfrr.sh
%doc %attr(0644,root,root) tools/zebra.el
%doc %attr(0644,root,root) tools/rrcheck.pl
%doc %attr(0644,root,root) tools/rrlookup.pl
%files devel
%defattr(-,root,root)
%doc COPYING
%dir %{_libdir}/frr/
%{_libdir}/frr/*.so
%dir %{_includedir}/frr
%{_includedir}/frr/*.h
%dir %{_includedir}/frr/ospfd
%{_includedir}/frr/ospfd/*.h
%dir %{_includedir}/frr/eigrpd
%{_includedir}/frr/eigrpd/*.h
%changelog
* Tue Sep 03 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-5
- Resolves: #1719465 - Removal of component Frr or its crypto
* Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-4
- Related: #1657029 - frr-contrib is back, it is breaking the rpmdeplint test
* Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-3
- Related: #1657029 - more cleanup, removed frr-contrib, frrvt changed to frrvty
* Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-2
- Related: #1657029 - cleaning specfile, adding Requires on libyang-devel
* Wed May 29 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-1
- Resolves: #1657029 - Add FRR as a replacement of Quagga in RHEL 8