import frr-7.0-5.el8

SOURCES/0002-enable-openssl.patch

@@ -0,0 +1,333 @@
+diff --git a/configure.ac b/configure.ac
+index 9f8b31b..38781da 100755
+--- a/configure.ac
++++ b/configure.ac
+@@ -529,6 +529,20 @@ AC_ARG_ENABLE([thread-sanitizer],
+   AS_HELP_STRING([--enable-thread-sanitizer], [enable ThreadSanitizer support for detecting data races]))
+ AC_ARG_ENABLE([memory-sanitizer],
+   AS_HELP_STRING([--enable-memory-sanitizer], [enable MemorySanitizer support for detecting uninitialized memory reads]))
++AC_ARG_WITH([crypto],
++  AS_HELP_STRING([--with-crypto=<internal|openssl>], [choose between different implementations of cryptographic functions(default value is --with-crypto=internal)]))
++
++#if openssl, else use internal as default
++AS_IF([test x"${with_crypto}" = x"openssl"], [
++  AC_CHECK_LIB([crypto], [EVP_DigestInit], [LIBS="$LIBS -lcrypto"], [], [])
++  if test "$ac_cv_lib_crypto_EVP_DigestInit" = no; then
++    AC_MSG_ERROR([build with openssl has been specified but openssl library was not found on your system])
++  else
++    AC_DEFINE([CRYPTO_OPENSSL], [1], [Compile with openssl support])
++  fi
++], [test x"${with_crypto}" = x"internal" || test x"${with_crypto}" = x"" ], [AC_DEFINE([CRYPTO_INTERNAL], [1], [Compile with internal cryptographic implementation])
++], [AC_MSG_ERROR([Unknown value for --with-crypto])]
++)
+ 
+ AS_IF([test "${enable_clippy_only}" != "yes"], [
+ AC_CHECK_HEADERS([json-c/json.h])
+diff --git a/lib/subdir.am b/lib/subdir.am
+index 0b7af18..0533e24 100644
+--- a/lib/subdir.am
++++ b/lib/subdir.am
+@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \
+ 	lib/libfrr.c \
+ 	lib/linklist.c \
+ 	lib/log.c \
+-	lib/md5.c \
+ 	lib/memory.c \
+ 	lib/memory_vty.c \
+ 	lib/module.c \
+diff --git a/lib/subdir.am b/lib/subdir.am
+index 0533e24..b3d3700 100644
+--- a/lib/subdir.am
++++ b/lib/subdir.am
+@@ -170,7 +170,6 @@ pkginclude_HEADERS += \
+ 	lib/libospf.h \
+ 	lib/linklist.h \
+ 	lib/log.h \
+-	lib/md5.h \
+ 	lib/memory.h \
+ 	lib/memory_vty.h \
+ 	lib/module.h \
+diff --git a/lib/subdir.am b/lib/subdir.am
+index 53f7115..cea866f 100644
+--- a/lib/subdir.am
++++ b/lib/subdir.am
+@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
+ 	lib/ringbuf.c \
+ 	lib/routemap.c \
+ 	lib/sbuf.c \
+-	lib/sha256.c \
+ 	lib/sigevent.c \
+ 	lib/skiplist.c \
+ 	lib/sockopt.c \
+@@ -191,7 +190,6 @@ pkginclude_HEADERS += \
+ 	lib/ringbuf.h \
+ 	lib/routemap.h \
+ 	lib/sbuf.h \
+-	lib/sha256.h \
+ 	lib/sigevent.h \
+ 	lib/skiplist.h \
+ 	lib/smux.h \
+diff --git a/lib/zebra.h b/lib/zebra.h
+index 22239f8e60..a308d46cc9 100644
+--- a/lib/zebra.h
++++ b/lib/zebra.h
+@@ -134,6 +134,11 @@ typedef unsigned char uint8_t;
+ #endif
+ #endif
+ 
++#ifdef CRYPTO_OPENSSL
++#include <openssl/evp.h>
++#include <openssl/hmac.h>
++#endif
++
+ #include "openbsd-tree.h"
+ 
+ #include <netinet/in.h>
+diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
+index 6bc8c25153..b951e94ae6 100644
+--- a/ospfd/ospf_packet.c
++++ b/ospfd/ospf_packet.c
+@@ -33,7 +33,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#if  !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE)
+ #include "md5.h"
++#endif
+ #include "vrf.h"
+ #include "lib_errors.h"
+ 
+@@ -332,7 +334,11 @@ static unsigned int ospf_packet_max(struct ospf_interface *oi)
+ static int ospf_check_md5_digest(struct ospf_interface *oi,
+ 				 struct ospf_header *ospfh)
+ {
++#ifdef CRYPTO_OPENSSL
++	EVP_MD_CTX *ctx;
++#else
+ 	MD5_CTX ctx;
++#endif
+ 	unsigned char digest[OSPF_AUTH_MD5_SIZE];
+ 	struct crypt_key *ck;
+ 	struct ospf_neighbor *nbr;
+@@ -361,11 +367,21 @@ static int ospf_check_md5_digest(struct ospf_interface *oi,
+ 	}
+ 
+ 	/* Generate a digest for the ospf packet - their digest + our digest. */
++#ifdef CRYPTO_OPENSSL
++	unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
++	ctx = EVP_MD_CTX_new();
++	EVP_DigestInit(ctx, EVP_md5());
++	EVP_DigestUpdate(ctx, ospfh, length);
++	EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
++	EVP_DigestFinal(ctx, digest, &md5_size);
++	EVP_MD_CTX_free(ctx);
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 	MD5Update(&ctx, ospfh, length);
+ 	MD5Update(&ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
+ 	MD5Final(digest, &ctx);
++#endif
+ 
+ 	/* compare the two */
+ 	if (memcmp((caddr_t)ospfh + length, digest, OSPF_AUTH_MD5_SIZE)) {
+@@ -389,7 +404,11 @@ static int ospf_make_md5_digest(struct ospf_interface *oi,
+ {
+ 	struct ospf_header *ospfh;
+ 	unsigned char digest[OSPF_AUTH_MD5_SIZE] = {0};
++#ifdef CRYPTO_OPENSSL
++	EVP_MD_CTX *ctx;
++#else
+ 	MD5_CTX ctx;
++#endif
+ 	void *ibuf;
+ 	uint32_t t;
+ 	struct crypt_key *ck;
+@@ -422,11 +441,21 @@ static int ospf_make_md5_digest(struct ospf_interface *oi,
+ 	}
+ 
+ 	/* Generate a digest for the entire packet + our secret key. */
++#ifdef CRYPTO_OPENSSL
++	unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
++	ctx = EVP_MD_CTX_new();
++	EVP_DigestInit(ctx, EVP_md5());
++	EVP_DigestUpdate(ctx, ibuf, ntohs(ospfh->length));
++	EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE);
++	EVP_DigestFinal(ctx, digest, &md5_size);
++	EVP_MD_CTX_free(ctx);
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 	MD5Update(&ctx, ibuf, ntohs(ospfh->length));
+ 	MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE);
+ 	MD5Final(digest, &ctx);
++#endif
+ 
+ 	/* Append md5 digest to the end of the stream. */
+ 	stream_put(op->s, digest, OSPF_AUTH_MD5_SIZE);
+diff --git a/ripd/ripd.c b/ripd/ripd.c
+index e0ff0430f8..b311ac5717 100644
+--- a/ripd/ripd.c
++++ b/ripd/ripd.c
+@@ -37,7 +37,9 @@
+ #include "if_rmap.h"
+ #include "plist.h"
+ #include "distribute.h"
++#if !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE)
+ #include "md5.h"
++#endif
+ #include "keychain.h"
+ #include "privs.h"
+ #include "lib_errors.h"
+@@ -870,7 +872,11 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from,
+ 	struct rip_md5_data *md5data;
+ 	struct keychain *keychain;
+ 	struct key *key;
++#ifdef CRYPTO_OPENSSL
++	EVP_MD_CTX *ctx;
++#else
+ 	MD5_CTX ctx;
++#endif
+ 	uint8_t digest[RIP_AUTH_MD5_SIZE];
+ 	uint16_t packet_len;
+ 	char auth_str[RIP_AUTH_MD5_SIZE];
+@@ -934,11 +940,21 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from,
+ 		return 0;
+ 
+ 	/* MD5 digest authentication. */
++#ifdef CRYPTO_OPENSSL
++	unsigned int md5_size = RIP_AUTH_MD5_SIZE;
++	ctx = EVP_MD_CTX_new();
++	EVP_DigestInit(ctx, EVP_md5());
++	EVP_DigestUpdate(ctx, packet, packet_len + RIP_HEADER_SIZE);
++	EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE);
++	EVP_DigestFinal(ctx, digest, &md5_size);
++	EVP_MD_CTX_free(ctx);
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 	MD5Update(&ctx, packet, packet_len + RIP_HEADER_SIZE);
+ 	MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE);
+ 	MD5Final(digest, &ctx);
++#endif
+ 
+ 	if (memcmp(md5data->digest, digest, RIP_AUTH_MD5_SIZE) == 0)
+ 		return packet_len;
+@@ -1063,7 +1078,11 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri,
+ 			     size_t doff, char *auth_str, int authlen)
+ {
+ 	unsigned long len;
++#ifdef CRYPTO_OPENSSL
++	EVP_MD_CTX *ctx;
++#else
+ 	MD5_CTX ctx;
++#endif
+ 	unsigned char digest[RIP_AUTH_MD5_SIZE];
+ 
+ 	/* Make it sure this interface is configured as MD5
+@@ -1092,11 +1111,21 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri,
+ 	stream_putw(s, RIP_AUTH_DATA);
+ 
+ 	/* Generate a digest for the RIP packet. */
++#ifdef CRYPTO_OPENSSL
++	unsigned int md5_size = RIP_AUTH_MD5_SIZE;
++	ctx = EVP_MD_CTX_new();
++	EVP_DigestInit(ctx, EVP_md5());
++	EVP_DigestUpdate(ctx, STREAM_DATA(s), stream_get_endp(s));
++	EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE);
++	EVP_DigestFinal(ctx, digest, &md5_size);
++	EVP_MD_CTX_free(ctx);
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 	MD5Update(&ctx, STREAM_DATA(s), stream_get_endp(s));
+ 	MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE);
+ 	MD5Final(digest, &ctx);
++#endif
+ 
+ 	/* Copy the digest to the packet. */
+ 	stream_write(s, digest, RIP_AUTH_MD5_SIZE);
+diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
+index 488dfedae4..862d675e84 100644
+--- a/isisd/isis_tlvs.c
++++ b/isisd/isis_tlvs.c
+@@ -22,7 +22,9 @@
+  */
+ #include <zebra.h>
+ 
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "memory.h"
+ #include "stream.h"
+ #include "sbuf.h"
+@@ -2770,8 +2772,13 @@ static void update_auth_hmac_md5(struct isis_auth *auth, struct stream *s,
+ 		safe_auth_md5(s, &checksum, &rem_lifetime);
+ 
+ 	memset(STREAM_DATA(s) + auth->offset, 0, 16);
++#ifdef CRYPTO_OPENSSL
++	uint8_t* result = (uint8_t*)HMAC(EVP_md5(), auth->passwd, auth->plength, STREAM_DATA(s), stream_get_endp(s), NULL, NULL);
++	memcpy(digest, result, 16);
++#elif  CRYPTO_INTERNAL
+ 	hmac_md5(STREAM_DATA(s), stream_get_endp(s), auth->passwd,
+ 		 auth->plength, digest);
++#endif
+ 	memcpy(auth->value, digest, 16);
+ 	memcpy(STREAM_DATA(s) + auth->offset, digest, 16);
+ 
+@@ -3310,8 +3317,13 @@ static bool auth_validator_hmac_md5(struct isis_passwd *passwd,
+ 		safe_auth_md5(stream, &checksum, &rem_lifetime);
+ 
+ 	memset(STREAM_DATA(stream) + auth->offset, 0, 16);
++#ifdef CRYPTO_OPENSSL
++	uint8_t* result = (uint8_t*)HMAC(EVP_md5(), passwd->passwd, passwd->len, STREAM_DATA(stream), stream_get_endp(stream), NULL, NULL);
++	memcpy(digest, result, 16);
++#elif  CRYPTO_INTERNAL
+ 	hmac_md5(STREAM_DATA(stream), stream_get_endp(stream), passwd->passwd,
+ 		 passwd->len, digest);
++#endif
+ 	memcpy(STREAM_DATA(stream) + auth->offset, auth->value, 16);
+ 
+ 	bool rv = !memcmp(digest, auth->value, 16);
+diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
+index 1991666..2e4fe55 100644
+--- a/isisd/isis_lsp.c
++++ b/isisd/isis_lsp.c
+@@ -35,7 +35,9 @@
+ #include "hash.h"
+ #include "if.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "table.h"
+ #include "srcdest_table.h"
+ #include "lib_errors.h"
+diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c
+index 9c63311..7cf594c 100644
+--- a/isisd/isis_pdu.c
++++ b/isisd/isis_pdu.c
+@@ -33,7 +33,9 @@
+ #include "prefix.h"
+ #include "if.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "lib_errors.h"
+ 
+ #include "isisd/dict.h"
+diff --git a/isisd/isis_te.c b/isisd/isis_te.c
+index 4ea6c2c..72ff0d2 100644
+--- a/isisd/isis_te.c
++++ b/isisd/isis_te.c
+@@ -38,7 +38,9 @@
+ #include "if.h"
+ #include "vrf.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "sockunion.h"
+ #include "network.h"
+ #include "sbuf.h"

SOURCES/0003-disable-eigrp-crypto.patch

@@ -0,0 +1,253 @@
+diff --git a/eigrpd/eigrp_vty.c b/eigrpd/eigrp_vty.c
+index fc5bdbd..56ebac6 100644
+--- a/eigrpd/eigrp_vty.c
++++ b/eigrpd/eigrp_vty.c
+@@ -968,6 +968,9 @@ DEFUN (eigrp_authentication_mode,
+        "Keyed message digest\n"
+        "HMAC SHA256 algorithm \n")
+ {
++	vty_out(vty, " EIGRP Authentication is disabled\n");
++	return CMD_WARNING_CONFIG_FAILED;
++
+ 	VTY_DECLVAR_CONTEXT(interface, ifp);
+ 	struct eigrp_interface *ei = ifp->info;
+ 	struct eigrp *eigrp;
+@@ -1003,6 +1006,9 @@ DEFUN (no_eigrp_authentication_mode,
+        "Keyed message digest\n"
+        "HMAC SHA256 algorithm \n")
+ {
++	vty_out(vty, " EIGRP Authentication is disabled\n");
++	return CMD_WARNING_CONFIG_FAILED;
++
+ 	VTY_DECLVAR_CONTEXT(interface, ifp);
+ 	struct eigrp_interface *ei = ifp->info;
+ 	struct eigrp *eigrp;
+@@ -1034,6 +1040,9 @@ DEFPY (eigrp_authentication_keychain,
+        "Autonomous system number\n"
+        "Name of key-chain\n")
+ {
++	vty_out(vty, " EIGRP Authentication is disabled\n");
++	return CMD_WARNING_CONFIG_FAILED;
++
+ 	VTY_DECLVAR_CONTEXT(interface, ifp);
+ 	struct eigrp_interface *ei = ifp->info;
+ 	struct eigrp *eigrp;
+diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c
+index bedaf15..8dc09bf 100644
+--- a/eigrpd/eigrp_packet.c
++++ b/eigrpd/eigrp_packet.c
+@@ -40,8 +40,10 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
+ #include "sha256.h"
++#endif
+ #include "lib_errors.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+@@ -95,8 +97,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 	struct key *key = NULL;
+ 	struct keychain *keychain;
+ 
++
+ 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
++#ifdef CRYPTO_OPENSSL
++#elif CRYPTO_INTERNAL
+ 	MD5_CTX ctx;
++#endif
+ 	uint8_t *ibuf;
+ 	size_t backup_get, backup_end;
+ 	struct TLV_MD5_Authentication_Type *auth_TLV;
+@@ -119,6 +125,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 		return EIGRP_AUTH_TYPE_NONE;
+ 	}
+ 
++#ifdef CRYPTO_OPENSSL
++//TBD when this is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 
+@@ -146,7 +155,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 	}
+ 
+ 	MD5Final(digest, &ctx);
+-
++#endif
+ 	/* Append md5 digest to the end of the stream. */
+ 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN);
+ 
+@@ -162,7 +171,10 @@ int eigrp_check_md5_digest(struct stream *s,
+ 			   struct TLV_MD5_Authentication_Type *authTLV,
+ 			   struct eigrp_neighbor *nbr, uint8_t flags)
+ {
++#ifdef CRYPTO_OPENSSL
++#elif CRYPTO_INTERNAL
+ 	MD5_CTX ctx;
++#endif
+ 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
+ 	unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN];
+ 	struct key *key = NULL;
+@@ -203,6 +215,9 @@ int eigrp_check_md5_digest(struct stream *s,
+ 		return 0;
+ 	}
+ 
++#ifdef CRYPTO_OPENSSL
++	//TBD when eigrpd crypto is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 
+@@ -230,6 +245,7 @@ int eigrp_check_md5_digest(struct stream *s,
+ 	}
+ 
+ 	MD5Final(digest, &ctx);
++#endif
+ 
+ 	/* compare the two */
+ 	if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) {
+@@ -254,7 +270,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 	unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN];
+ 	unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0};
+ 
++#ifdef CRYPTO_OPENSSL
++	//TBD when eigrpd crypto is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	HMAC_SHA256_CTX ctx;
++#endif
+ 	void *ibuf;
+ 	size_t backup_get, backup_end;
+ 	struct TLV_SHA256_Authentication_Type *auth_TLV;
+@@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 
+ 	inet_ntop(AF_INET, &ei->address->u.prefix4, source_ip, PREFIX_STRLEN);
+ 
++#ifdef CRYPTO_OPENSSL
++	//TBD when eigrpd crypto is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	buffer[0] = '\n';
+ 	memcpy(buffer + 1, key, strlen(key->string));
+@@ -291,7 +314,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 			  1 + strlen(key->string) + strlen(source_ip));
+ 	HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf));
+ 	HMAC__SHA256_Final(digest, &ctx);
+-
++#endif
+ 
+ 	/* Put hmac-sha256 digest to it's place */
+ 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN);
+diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c
+index 93eed94..f1c7347 100644
+--- a/eigrpd/eigrp_filter.c
++++ b/eigrpd/eigrp_filter.c
+@@ -47,7 +47,9 @@
+ #include "if_rmap.h"
+ #include "plist.h"
+ #include "distribute.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "keychain.h"
+ #include "privs.h"
+ #include "vrf.h"
+diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c
+index dacd5ca..b232cc5 100644
+--- a/eigrpd/eigrp_hello.c
++++ b/eigrpd/eigrp_hello.c
+@@ -43,7 +43,9 @@
+ #include "sockopt.h"
+ #include "checksum.h"
+ #include "vty.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ 
+ #include "eigrpd/eigrp_structs.h"
+ #include "eigrpd/eigrpd.h"
+diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c
+index 84dcf5e..a2575e3 100644
+--- a/eigrpd/eigrp_query.c
++++ b/eigrpd/eigrp_query.c
+@@ -38,7 +38,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c
+index ccf0496..2902365 100644
+--- a/eigrpd/eigrp_reply.c
++++ b/eigrpd/eigrp_reply.c
+@@ -42,7 +42,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ #include "keychain.h"
+ #include "plist.h"
+diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c
+index ff38325..09b9369 100644
+--- a/eigrpd/eigrp_siaquery.c
++++ b/eigrpd/eigrp_siaquery.c
+@@ -38,7 +38,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c
+index d3dd123..f6a2bd6 100644
+--- a/eigrpd/eigrp_siareply.c
++++ b/eigrpd/eigrp_siareply.c
+@@ -37,7 +37,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c
+index 21c9238..cfb8890 100644
+--- a/eigrpd/eigrp_snmp.c
++++ b/eigrpd/eigrp_snmp.c
+@@ -42,7 +42,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "keychain.h"
+ #include "smux.h"
+ 
+diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c
+index 8db4903..2a4f0bb 100644
+--- a/eigrpd/eigrp_update.c
++++ b/eigrpd/eigrp_update.c
+@@ -42,7 +42,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ #include "plist.h"
+ #include "plist_int.h"

SOURCES/0004-fips-mode.patch

@@ -0,0 +1,103 @@
+diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
+index 631465f..e084ff3 100644
+--- a/ospfd/ospf_vty.c
++++ b/ospfd/ospf_vty.c
+@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
+ 
+ 	if (argv_find(argv, argc, "message-digest", &idx)) {
+ 		/* authentication message-digest */
++		if(FIPS_mode())
++		{
++			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
++			return CMD_WARNING_CONFIG_FAILED;
++		}
+ 		vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
+ 	} else if (argv_find(argv, argc, "null", &idx)) {
+ 		/* "authentication null" */
+@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest,
+ 				  ? OSPF_AUTH_NULL
+ 				  : OSPF_AUTH_CRYPTOGRAPHIC;
+ 
++	if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC)
++	{
++		if(FIPS_mode())
++		{
++			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
++			return CMD_WARNING_CONFIG_FAILED;
++		}
++	}
++
+ 	return CMD_SUCCESS;
+ }
+ 
+@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args,
+ 
+ 	/* Handle message-digest authentication */
+ 	if (argv[idx_encryption]->arg[0] == 'm') {
++		if(FIPS_mode())
++		{
++			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
++			return CMD_WARNING_CONFIG_FAILED;
++		}
+ 		SET_IF_PARAM(params, auth_type);
+ 		params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
+ 		return CMD_SUCCESS;
+@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
+        "The OSPF password (key)\n"
+        "Address of interface\n")
+ {
++	if(FIPS_mode())
++	{
++		vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
++		return CMD_WARNING_CONFIG_FAILED;
++	}
+ 	VTY_DECLVAR_CONTEXT(interface, ifp);
+ 	struct crypt_key *ck;
+ 	uint8_t key_id;
+diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
+index 81b4b39..cce33d9 100644
+--- a/isisd/isis_circuit.c
++++ b/isisd/isis_circuit.c
+@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
+ 		return ferr_code_bug(
+ 			"circuit password too long (max 254 chars)");
+ 
++	//When in FIPS mode, the password never gets set in MD5
++	if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
++		return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
++
+ 	circuit->passwd.len = len;
+ 	strncpy((char *)circuit->passwd.passwd, passwd, 255);
+ 	circuit->passwd.type = passwd_type;
+diff --git a/isisd/isisd.c b/isisd/isisd.c
+index 419127c..a6c36af 100644
+--- a/isisd/isisd.c
++++ b/isisd/isisd.c
+@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
+ 		if (len > 254)
+ 			return -1;
+ 
++		//When in FIPS mode, the password never get set in MD5
++		if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
++			return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
++
+ 		modified.len = len;
+ 		strncpy((char *)modified.passwd, passwd, 255);
+ 		modified.type = passwd_type;
+diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
+index 5bb81ef..02a09ef 100644
+--- a/ripd/rip_cli.c
++++ b/ripd/rip_cli.c
+@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
+ 			value = "20";
+ 	}
+ 
++	if(strmatch(mode, "md5") && FIPS_mode())
++	{
++		vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n");
++		return CMD_WARNING_CONFIG_FAILED;
++	}
++
+ 	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
+ 			      strmatch(mode, "md5") ? "md5" : "plain-text");
+ 	nb_cli_enqueue_change(vty, "./authentication-scheme/md5-auth-length",

SPECS/frr.spec

@@ -9,7 +9,7 @@
 
 Name: frr
 Version: 7.0
-Release: 4%{?checkout}%{?dist}
+Release: 5%{?checkout}%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
@@ -25,7 +25,7 @@ BuildRequires: json-c-devel bison >= 2.7 flex perl-XML-LibXML
 BuildRequires: python3-devel python3-sphinx python3-pytest
 BuildRequires: systemd systemd-devel
 BuildRequires: libyang-devel
-Requires: net-snmp ncurses libyang-devel
+Requires: net-snmp ncurses
 Requires(post): systemd /sbin/install-info
 Requires(preun): systemd /sbin/install-info
 Requires(postun): systemd
@@ -34,6 +34,9 @@ Obsoletes: frr-sysvinit quagga
 
 Patch0000: 0000-remove-babeld-and-ldpd.patch
 Patch0001: 0001-use-python3.patch
+Patch0002: 0002-enable-openssl.patch
+Patch0003: 0003-disable-eigrp-crypto.patch
+Patch0004: 0004-fips-mode.patch
 
 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@@ -86,6 +89,7 @@ autoreconf -ivf
     --disable-ldpd \
     --disable-babeld \
     --with-moduledir=%{_libdir}/frr/modules \
+    --with-crypto=openssl \
     --enable-fpm
 
 %make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3}
@@ -182,7 +186,7 @@ make check PYTHON=%{__python3}
 %{_libdir}/frr/*.so.*
 %{_libdir}/frr/modules/*
 %config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr
-/etc/frr/daemons
+%config(noreplace) /etc/frr/daemons
 %config(noreplace) /etc/pam.d/frr
 %{_unitdir}/*.service
 /usr/share/yang/*.yang
@@ -210,6 +214,9 @@ make check PYTHON=%{__python3}
 %{_includedir}/frr/eigrpd/*.h
 
 %changelog
+* Tue Sep 03 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-5
+- Resolves: #1719465 - Removal of component Frr or its crypto
+
 * Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-4
 - Related: #1657029 - frr-contrib is back, it is breaking the rpmdeplint test