rpms/frr
7
0
Fork 0
Code Issues Pull Requests Releases Activity
a762237e7b
frr/0002-enable-openssl.patch
Michal Ruprich 1924a87e88 New way of finding python version during build 
Replacing crypto of all routing daemons with openssl
Disabling EIGRP crypto because it is broken
Disabling crypto in FIPS mode
2019-09-13 16:38:56 +02:00

326 lines
9.7 KiB
Diff
Raw Blame History

diff --git a/configure.ac b/configure.ac
index 9f8b31b..38781da 100755
--- a/configure.ac
+++ b/configure.ac
@@ -529,6 +529,20 @@ AC_ARG_ENABLE([thread-sanitizer],
AS_HELP_STRING([--enable-thread-sanitizer], [enable ThreadSanitizer support for detecting data races]))
AC_ARG_ENABLE([memory-sanitizer],
AS_HELP_STRING([--enable-memory-sanitizer], [enable MemorySanitizer support for detecting uninitialized memory reads]))
+AC_ARG_WITH([crypto],
+ AS_HELP_STRING([--with-crypto=<internal|openssl>], [choose between different implementations of cryptographic functions(default value is --with-crypto=internal)]))
+
+#if openssl, else use internal as default
+AS_IF([test x"${with_crypto}" = x"openssl"], [
+ AC_CHECK_LIB([crypto], [EVP_DigestInit], [LIBS="$LIBS -lcrypto"], [], [])
+ if test "$ac_cv_lib_crypto_EVP_DigestInit" = no; then
+ AC_MSG_ERROR([build with openssl has been specified but openssl library was not found on your system])
+ else
+ AC_DEFINE([CRYPTO_OPENSSL], [1], [Compile with openssl support])
+ fi
+], [test x"${with_crypto}" = x"internal" || test x"${with_crypto}" = x"" ], [AC_DEFINE([CRYPTO_INTERNAL], [1], [Compile with internal cryptographic implementation])
+], [AC_MSG_ERROR([Unknown value for --with-crypto])]
+)
AS_IF([test "${enable_clippy_only}" != "yes"], [
AC_CHECK_HEADERS([json-c/json.h])
diff --git a/lib/subdir.am b/lib/subdir.am
index 0b7af18..0533e24 100644
--- a/lib/subdir.am
+++ b/lib/subdir.am
@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \
lib/libfrr.c \
lib/linklist.c \
lib/log.c \
- lib/md5.c \
lib/memory.c \
lib/memory_vty.c \
lib/mlag.c \
@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
lib/routemap.c \
lib/sbuf.c \
lib/seqlock.c \
- lib/sha256.c \
lib/sigevent.c \
lib/skiplist.c \
lib/sockopt.c \
@@ -170,7 +170,6 @@ pkginclude_HEADERS += \
lib/libospf.h \
lib/linklist.h \
lib/log.h \
- lib/md5.h \
lib/memory.h \
lib/memory_vty.h \
lib/module.h \
@@ -191,7 +190,6 @@ pkginclude_HEADERS += \
lib/routemap.h \
lib/sbuf.h \
lib/seqlock.h \
- lib/sha256.h \
lib/sigevent.h \
lib/skiplist.h \
lib/smux.h \
diff --git a/lib/zebra.h b/lib/zebra.h
index 22239f8e60..a308d46cc9 100644
--- a/lib/zebra.h
+++ b/lib/zebra.h
@@ -134,6 +134,11 @@ typedef unsigned char uint8_t;
#endif
#endif
+#ifdef CRYPTO_OPENSSL
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#endif
+
#include "openbsd-tree.h"
#include <netinet/in.h>
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 6bc8c25153..b951e94ae6 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -33,7 +33,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#if !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE)
#include "md5.h"
+#endif
#include "vrf.h"
#include "lib_errors.h"
@@ -332,7 +334,11 @@ static unsigned int ospf_packet_max(struct ospf_interface *oi)
static int ospf_check_md5_digest(struct ospf_interface *oi,
struct ospf_header *ospfh)
{
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
unsigned char digest[OSPF_AUTH_MD5_SIZE];
struct crypt_key *ck;
struct ospf_neighbor *nbr;
@@ -361,11 +367,21 @@ static int ospf_check_md5_digest(struct ospf_interface *oi,
}
/* Generate a digest for the ospf packet - their digest + our digest. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, ospfh, length);
+ EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, ospfh, length);
MD5Update(&ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
/* compare the two */
if (memcmp((caddr_t)ospfh + length, digest, OSPF_AUTH_MD5_SIZE)) {
@@ -389,7 +404,11 @@ static int ospf_make_md5_digest(struct ospf_interface *oi,
{
struct ospf_header *ospfh;
unsigned char digest[OSPF_AUTH_MD5_SIZE] = {0};
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
void *ibuf;
uint32_t t;
struct crypt_key *ck;
@@ -422,11 +441,21 @@ static int ospf_make_md5_digest(struct ospf_interface *oi,
}
/* Generate a digest for the entire packet + our secret key. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = OSPF_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, ibuf, ntohs(ospfh->length));
+ EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, ibuf, ntohs(ospfh->length));
MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
/* Append md5 digest to the end of the stream. */
stream_put(op->s, digest, OSPF_AUTH_MD5_SIZE);
diff --git a/ripd/ripd.c b/ripd/ripd.c
index e0ff0430f8..b311ac5717 100644
--- a/ripd/ripd.c
+++ b/ripd/ripd.c
@@ -37,7 +37,9 @@
#include "if_rmap.h"
#include "plist.h"
#include "distribute.h"
+#if !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE)
#include "md5.h"
+#endif
#include "keychain.h"
#include "privs.h"
#include "lib_errors.h"
@@ -870,7 +872,11 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from,
struct rip_md5_data *md5data;
struct keychain *keychain;
struct key *key;
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
uint8_t digest[RIP_AUTH_MD5_SIZE];
uint16_t packet_len;
char auth_str[RIP_AUTH_MD5_SIZE] = {};
@@ -934,11 +940,21 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from,
return 0;
/* MD5 digest authentication. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = RIP_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, packet, packet_len + RIP_HEADER_SIZE);
+ EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, packet, packet_len + RIP_HEADER_SIZE);
MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
if (memcmp(md5data->digest, digest, RIP_AUTH_MD5_SIZE) == 0)
return packet_len;
@@ -1063,7 +1078,11 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri,
size_t doff, char *auth_str, int authlen)
{
unsigned long len;
+#ifdef CRYPTO_OPENSSL
+ EVP_MD_CTX *ctx;
+#else
MD5_CTX ctx;
+#endif
unsigned char digest[RIP_AUTH_MD5_SIZE];
/* Make it sure this interface is configured as MD5
@@ -1092,11 +1111,21 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri,
stream_putw(s, RIP_AUTH_DATA);
/* Generate a digest for the RIP packet. */
+#ifdef CRYPTO_OPENSSL
+ unsigned int md5_size = RIP_AUTH_MD5_SIZE;
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_md5());
+ EVP_DigestUpdate(ctx, STREAM_DATA(s), stream_get_endp(s));
+ EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE);
+ EVP_DigestFinal(ctx, digest, &md5_size);
+ EVP_MD_CTX_free(ctx);
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
MD5Update(&ctx, STREAM_DATA(s), stream_get_endp(s));
MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE);
MD5Final(digest, &ctx);
+#endif
/* Copy the digest to the packet. */
stream_write(s, digest, RIP_AUTH_MD5_SIZE);
diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
index 488dfedae4..862d675e84 100644
--- a/isisd/isis_tlvs.c
+++ b/isisd/isis_tlvs.c
@@ -22,7 +22,9 @@
*/
#include <zebra.h>
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "memory.h"
#include "stream.h"
#include "sbuf.h"
@@ -2770,8 +2772,13 @@ static void update_auth_hmac_md5(struct isis_auth *auth, struct stream *s,
safe_auth_md5(s, &checksum, &rem_lifetime);
memset(STREAM_DATA(s) + auth->offset, 0, 16);
+#ifdef CRYPTO_OPENSSL
+ uint8_t* result = (uint8_t*)HMAC(EVP_md5(), auth->passwd, auth->plength, STREAM_DATA(s), stream_get_endp(s), NULL, NULL);
+ memcpy(digest, result, 16);
+#elif CRYPTO_INTERNAL
hmac_md5(STREAM_DATA(s), stream_get_endp(s), auth->passwd,
auth->plength, digest);
+#endif
memcpy(auth->value, digest, 16);
memcpy(STREAM_DATA(s) + auth->offset, digest, 16);
@@ -3310,8 +3317,13 @@ static bool auth_validator_hmac_md5(struct isis_passwd *passwd,
safe_auth_md5(stream, &checksum, &rem_lifetime);
memset(STREAM_DATA(stream) + auth->offset, 0, 16);
+#ifdef CRYPTO_OPENSSL
+ uint8_t* result = (uint8_t*)HMAC(EVP_md5(), passwd->passwd, passwd->len, STREAM_DATA(stream), stream_get_endp(stream), NULL, NULL);
+ memcpy(digest, result, 16);
+#elif CRYPTO_INTERNAL
hmac_md5(STREAM_DATA(stream), stream_get_endp(stream), passwd->passwd,
passwd->len, digest);
+#endif
memcpy(STREAM_DATA(stream) + auth->offset, auth->value, 16);
bool rv = !memcmp(digest, auth->value, 16);
diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
index 1991666..2e4fe55 100644
--- a/isisd/isis_lsp.c
+++ b/isisd/isis_lsp.c
@@ -35,7 +35,9 @@
#include "hash.h"
#include "if.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "table.h"
#include "srcdest_table.h"
#include "lib_errors.h"
diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c
index 9c63311..7cf594c 100644
--- a/isisd/isis_pdu.c
+++ b/isisd/isis_pdu.c
@@ -33,7 +33,9 @@
#include "prefix.h"
#include "if.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "lib_errors.h"
#include "isisd/isis_constants.h"
diff --git a/isisd/isis_te.c b/isisd/isis_te.c
index 4ea6c2c..72ff0d2 100644
--- a/isisd/isis_te.c
+++ b/isisd/isis_te.c
@@ -38,7 +38,9 @@
#include "if.h"
#include "vrf.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "sockunion.h"
#include "network.h"
#include "sbuf.h"
Reference in New Issue View Git Blame Copy Permalink