From fd7136f9de8355651edb7879043d79d50ecfced4 Mon Sep 17 00:00:00 2001 From: Packit Service Date: Dec 09 2020 13:39:25 +0000 Subject: Prepare for a new update Reverting patches so we can apply the latest update and changes can be seen in the spec file and sources.
---
diff --git a/Makefile.am b/Makefile.am
index 5d70ded..ee1a48e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -136,6 +136,8 @@ include ospf6d/subdir.am
 include ospfclient/subdir.am
 include isisd/subdir.am
 include nhrpd/subdir.am
+include ldpd/subdir.am
+include babeld/subdir.am
 include eigrpd/subdir.am
 include sharpd/subdir.am
 include pimd/subdir.am
@@ -190,6 +192,7 @@ EXTRA_DIST += \
 snapcraft/helpers \
 snapcraft/snap \
 \
+ babeld/Makefile \
 bgpd/Makefile \
 bgpd/rfp-example/librfp/Makefile \
 bgpd/rfp-example/rfptest/Makefile \
@@ -200,6 +203,7 @@ EXTRA_DIST += \
 eigrpd/Makefile \
 fpm/Makefile \
 isisd/Makefile \
+ ldpd/Makefile \
 lib/Makefile \
 nhrpd/Makefile \
 ospf6d/Makefile \
diff --git a/configure.ac b/configure.ac
index e5ad944..97559ac 100755
--- a/configure.ac
+++ b/configure.ac
@@ -521,20 +521,6 @@ AC_ARG_ENABLE([thread-sanitizer], AS_HELP_STRING([--enable-thread-sanitizer], [enable ThreadSanitizer support for detecting data races])) AC_ARG_ENABLE([memory-sanitizer], AS_HELP_STRING([--enable-memory-sanitizer], [enable MemorySanitizer support for detecting uninitialized memory reads])) -AC_ARG_WITH([crypto], - AS_HELP_STRING([--with-crypto=], [choose between different implementations of cryptographic functions(default value is --with-crypto=internal)])) - -#if openssl, else use internal as default -AS_IF([test x"${with_crypto}" = x"openssl"], [ - AC_CHECK_LIB([crypto], [EVP_DigestInit], [LIBS="$LIBS -lcrypto"], [], []) - if test "$ac_cv_lib_crypto_EVP_DigestInit" = no; then - AC_MSG_ERROR([build with openssl has been specified but openssl library was not found on your system]) - else - AC_DEFINE([CRYPTO_OPENSSL], [1], [Compile with openssl support]) - fi -], [test x"${with_crypto}" = x"internal" || test x"${with_crypto}" = x"" ], [AC_DEFINE([CRYPTO_INTERNAL], [1], [Compile with internal cryptographic implementation]) -], [AC_MSG_ERROR([Unknown value for --with-crypto])] -) AS_IF([test "${enable_clippy_only}" != "yes"], [ AC_CHECK_HEADERS([json-c/json.h]) diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c index f1c7347..93eed94 100644 --- a/eigrpd/eigrp_filter.c +++ b/eigrpd/eigrp_filter.c @@ -47,9 +47,7 @@ #include "if_rmap.h" #include "plist.h" #include "distribute.h" -#ifdef CRYPTO_INTERNAL #include "md5.h" -#endif #include "keychain.h" #include "privs.h" #include "vrf.h" diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c index e4c9a8a..413a35f 100644 --- a/eigrpd/eigrp_hello.c +++ b/eigrpd/eigrp_hello.c @@ -43,9 +43,7 @@ #include "sockopt.h" #include "checksum.h" #include "vty.h" -#ifdef CRYPTO_INTERNAL #include "md5.h" -#endif #include "eigrpd/eigrp_structs.h" #include "eigrpd/eigrpd.h" diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c index 0b0b119..f3b583a 100644 --- a/eigrpd/eigrp_packet.c 
+++ b/eigrpd/eigrp_packet.c @@ -40,10 +40,8 @@ #include "log.h" #include "sockopt.h" #include "checksum.h" -#ifdef CRYPTO_INTERNAL #include "md5.h" #include "sha256.h" -#endif #include "lib_errors.h" #include "eigrpd/eigrp_structs.h" @@ -97,12 +95,8 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, struct key *key = NULL; struct keychain *keychain; - unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; -#ifdef CRYPTO_OPENSSL -#elif CRYPTO_INTERNAL MD5_CTX ctx; -#endif uint8_t *ibuf; size_t backup_get, backup_end; struct TLV_MD5_Authentication_Type *auth_TLV; @@ -125,9 +119,6 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, return EIGRP_AUTH_TYPE_NONE; } -#ifdef CRYPTO_OPENSSL -//TBD when this is fixed in upstream -#elif CRYPTO_INTERNAL memset(&ctx, 0, sizeof(ctx)); MD5Init(&ctx); @@ -155,7 +146,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, } MD5Final(digest, &ctx); -#endif + /* Append md5 digest to the end of the stream. */ memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN); @@ -171,10 +162,7 @@ int eigrp_check_md5_digest(struct stream *s, struct TLV_MD5_Authentication_Type *authTLV, struct eigrp_neighbor *nbr, uint8_t flags) { -#ifdef CRYPTO_OPENSSL -#elif CRYPTO_INTERNAL MD5_CTX ctx; -#endif unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN]; struct key *key = NULL; @@ -215,9 +203,6 @@ int eigrp_check_md5_digest(struct stream *s, return 0; } -#ifdef CRYPTO_OPENSSL - //TBD when eigrpd crypto is fixed in upstream -#elif CRYPTO_INTERNAL memset(&ctx, 0, sizeof(ctx)); MD5Init(&ctx); @@ -245,7 +230,6 @@ int eigrp_check_md5_digest(struct stream *s, } MD5Final(digest, &ctx); -#endif /* compare the two */ if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) { 
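Review bot: The digest check at the end of the last hunk, `if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0)` in eigrp_check_md5_digest, compares the received and the computed MAC with an early-exit memcmp, so in principle its run time depends on how many leading bytes match. With the preprocessor guards removed this is the only verification path that gets compiled. A fixed-time comparison that folds every byte before deciding, for example `diff |= orig[i] ^ digest[i];` over all EIGRP_AUTH_TYPE_MD5_LEN bytes followed by `if (diff != 0)`, avoids that. The same memcmp pattern is visible in auth_validator_hmac_md5 (isisd/isis_tlvs.c), ospf_check_md5_digest and rip_auth_md5 further down. The function body continues outside this hunk.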
@@ -270,11 +254,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN]; unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0}; -#ifdef CRYPTO_OPENSSL - //TBD when eigrpd crypto is fixed in upstream -#elif CRYPTO_INTERNAL HMAC_SHA256_CTX ctx; -#endif void *ibuf; size_t backup_get, backup_end; struct TLV_SHA256_Authentication_Type *auth_TLV; @@ -303,9 +283,6 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, inet_ntop(AF_INET, &ei->address->u.prefix4, source_ip, PREFIX_STRLEN); -#ifdef CRYPTO_OPENSSL - //TBD when eigrpd crypto is fixed in upstream -#elif CRYPTO_INTERNAL memset(&ctx, 0, sizeof(ctx)); buffer[0] = '\n'; memcpy(buffer + 1, key, strlen(key->string)); @@ -314,7 +291,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, 1 + strlen(key->string) + strlen(source_ip)); HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf)); HMAC__SHA256_Final(digest, &ctx); -#endif + /* Put hmac-sha256 digest to it's place */ memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN); diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c index a2575e3..84dcf5e 100644 --- a/eigrpd/eigrp_query.c +++ b/eigrpd/eigrp_query.c @@ -38,9 +38,7 @@ #include "log.h" #include "sockopt.h" #include "checksum.h" -#ifdef CRYPTO_INTERNAL #include "md5.h" -#endif #include "vty.h" #include "eigrpd/eigrp_structs.h" diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c index 2902365..ccf0496 100644 --- a/eigrpd/eigrp_reply.c +++ b/eigrpd/eigrp_reply.c @@ -42,9 +42,7 @@ #include "log.h" #include "sockopt.h" #include "checksum.h" -#ifdef CRYPTO_INTERNAL #include "md5.h" -#endif #include "vty.h" #include "keychain.h" #include "plist.h" diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c index 09b9369..ff38325 100644 --- a/eigrpd/eigrp_siaquery.c +++ b/eigrpd/eigrp_siaquery.c 
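Review bot: In eigrp_make_sha256_digest the key is staged with `memcpy(buffer + 1, key, strlen(key->string));`, which reads from the `struct key` object itself rather than from `key->string`, and the length is never compared with the `1 + PLAINTEXT_LENGTH + 45 + 1` byte buffer, so unless the key length is limited elsewhere a long key string writes past the end of `buffer`. Two lines later `HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf));` measures a binary packet buffer with strlen, so the MAC covers only the bytes up to the first zero byte instead of the packet length. This commit removes the `#ifdef` guards here and the early `return CMD_WARNING_CONFIG_FAILED;` in the eigrp_vty.c authentication commands, so this path can be configured again. I would reject `strlen(key->string) > PLAINTEXT_LENGTH` before the copy, copy with `memcpy(buffer + 1, key->string, strlen(key->string));`, and pass the real packet length to `HMAC__SHA256_Update`. The function starts and ends outside these hunks.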
@@ -38,9 +38,7 @@ #include "log.h" #include "sockopt.h" #include "checksum.h" -#ifdef CRYPTO_INTERNAL #include "md5.h" -#endif #include "vty.h" #include "eigrpd/eigrp_structs.h" diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c index f6a2bd6..d3dd123 100644 --- a/eigrpd/eigrp_siareply.c +++ b/eigrpd/eigrp_siareply.c @@ -37,9 +37,7 @@ #include "log.h" #include "sockopt.h" #include "checksum.h" -#ifdef CRYPTO_INTERNAL #include "md5.h" -#endif #include "vty.h" #include "eigrpd/eigrp_structs.h" diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c index cfb8890..21c9238 100644 --- a/eigrpd/eigrp_snmp.c +++ b/eigrpd/eigrp_snmp.c @@ -42,9 +42,7 @@ #include "log.h" #include "sockopt.h" #include "checksum.h" -#ifdef CRYPTO_INTERNAL #include "md5.h" -#endif #include "keychain.h" #include "smux.h" diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c index 2a4f0bb..8db4903 100644 --- a/eigrpd/eigrp_update.c +++ b/eigrpd/eigrp_update.c @@ -42,9 +42,7 @@ #include "log.h" #include "sockopt.h" #include "checksum.h" -#ifdef CRYPTO_INTERNAL #include "md5.h" -#endif #include "vty.h" #include "plist.h" #include "plist_int.h" diff --git a/eigrpd/eigrp_vty.c b/eigrpd/eigrp_vty.c index ca036a9..474f683 100644 --- a/eigrpd/eigrp_vty.c +++ b/eigrpd/eigrp_vty.c @@ -918,9 +918,6 @@ DEFUN (eigrp_authentication_mode, "Keyed message digest\n" "HMAC SHA256 algorithm \n") { - vty_out(vty, " EIGRP Authentication is disabled\n"); - return CMD_WARNING_CONFIG_FAILED; - VTY_DECLVAR_CONTEXT(interface, ifp); struct eigrp_interface *ei = ifp->info; struct eigrp *eigrp; @@ -956,9 +953,6 @@ DEFUN (no_eigrp_authentication_mode, "Keyed message digest\n" "HMAC SHA256 algorithm \n") { - vty_out(vty, " EIGRP Authentication is disabled\n"); - return CMD_WARNING_CONFIG_FAILED; - VTY_DECLVAR_CONTEXT(interface, ifp); struct eigrp_interface *ei = ifp->info; struct eigrp *eigrp; 
@@ -990,9 +984,6 @@ DEFPY (eigrp_authentication_keychain, "Autonomous system number\n" "Name of key-chain\n") { - vty_out(vty, " EIGRP Authentication is disabled\n"); - return CMD_WARNING_CONFIG_FAILED; - VTY_DECLVAR_CONTEXT(interface, ifp); struct eigrp_interface *ei = ifp->info; struct eigrp *eigrp; diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c index fec98b6..81b4b39 100644 --- a/isisd/isis_circuit.c +++ b/isisd/isis_circuit.c @@ -1318,10 +1318,6 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit, return ferr_code_bug( "circuit password too long (max 254 chars)"); - //When in FIPS mode, the password never gets set in MD5 - if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode()) - return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); - circuit->passwd.len = len; strncpy((char *)circuit->passwd.passwd, passwd, 255); circuit->passwd.type = passwd_type; diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c index 17180c2..b56a56f 100644 --- a/isisd/isis_lsp.c +++ b/isisd/isis_lsp.c @@ -35,9 +35,7 @@ #include "hash.h" #include "if.h" #include "checksum.h" -#ifdef CRYPTO_INTERNAL #include "md5.h" -#endif #include "table.h" #include "srcdest_table.h" #include "lib_errors.h" diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c index 3c74879..330da9b 100644 --- a/isisd/isis_pdu.c +++ b/isisd/isis_pdu.c @@ -33,9 +33,7 @@ #include "prefix.h" #include "if.h" #include "checksum.h" -#ifdef CRYPTO_INTERNAL #include "md5.h" -#endif #include "lib_errors.h" #include "isisd/dict.h" diff --git a/isisd/isis_te.c b/isisd/isis_te.c index 10ba6f1..a69c95c 100644 --- a/isisd/isis_te.c +++ b/isisd/isis_te.c @@ -38,9 +38,7 @@ #include "if.h" #include "vrf.h" #include "checksum.h" -#ifdef CRYPTO_INTERNAL #include "md5.h" -#endif #include "sockunion.h" #include "network.h" #include "sbuf.h" diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c index e1a763d..5a6c7bc 100644 --- a/isisd/isis_tlvs.c +++ b/isisd/isis_tlvs.c 
@@ -22,9 +22,7 @@ */ #include -#ifdef CRYPTO_INTERNAL #include "md5.h" -#endif #include "memory.h" #include "stream.h" #include "sbuf.h" @@ -2755,13 +2753,8 @@ static void update_auth_hmac_md5(struct isis_auth *auth, struct stream *s, safe_auth_md5(s, &checksum, &rem_lifetime); memset(STREAM_DATA(s) + auth->offset, 0, 16); -#ifdef CRYPTO_OPENSSL - uint8_t* result = (uint8_t*)HMAC(EVP_md5(), auth->passwd, auth->plength, STREAM_DATA(s), stream_get_endp(s), NULL, NULL); - memcpy(digest, result, 16); -#elif CRYPTO_INTERNAL hmac_md5(STREAM_DATA(s), stream_get_endp(s), auth->passwd, auth->plength, digest); -#endif memcpy(auth->value, digest, 16); memcpy(STREAM_DATA(s) + auth->offset, digest, 16); @@ -3294,13 +3287,8 @@ static bool auth_validator_hmac_md5(struct isis_passwd *passwd, safe_auth_md5(stream, &checksum, &rem_lifetime); memset(STREAM_DATA(stream) + auth->offset, 0, 16); -#ifdef CRYPTO_OPENSSL - uint8_t* result = (uint8_t*)HMAC(EVP_md5(), passwd->passwd, passwd->len, STREAM_DATA(stream), stream_get_endp(stream), NULL, NULL); - memcpy(digest, result, 16); -#elif CRYPTO_INTERNAL hmac_md5(STREAM_DATA(stream), stream_get_endp(stream), passwd->passwd, passwd->len, digest); -#endif memcpy(STREAM_DATA(stream) + auth->offset, auth->value, 16); bool rv = !memcmp(digest, auth->value, 16); diff --git a/isisd/isisd.c b/isisd/isisd.c index d8698fa..419127c 100644 --- a/isisd/isisd.c +++ b/isisd/isisd.c @@ -1638,10 +1638,6 @@ static int isis_area_passwd_set(struct isis_area *area, int level, if (len > 254) return -1; - //When in FIPS mode, the password never get set in MD5 - if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode())) - return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); - modified.len = len; strncpy((char *)modified.passwd, passwd, 255); modified.type = passwd_type; diff --git a/lib/subdir.am b/lib/subdir.am index cea866f..41da1ad 100644 --- a/lib/subdir.am +++ b/lib/subdir.am 
@@ -41,6 +41,7 @@ lib_libfrr_la_SOURCES = \ lib/libfrr.c \ lib/linklist.c \ lib/log.c \ + lib/md5.c \ lib/memory.c \ lib/memory_vty.c \ lib/module.c \ @@ -64,6 +65,7 @@ lib_libfrr_la_SOURCES = \ lib/ringbuf.c \ lib/routemap.c \ lib/sbuf.c \ + lib/sha256.c \ lib/sigevent.c \ lib/skiplist.c \ lib/sockopt.c \ @@ -165,6 +167,7 @@ pkginclude_HEADERS += \ lib/libospf.h \ lib/linklist.h \ lib/log.h \ + lib/md5.h \ lib/memory.h \ lib/memory_vty.h \ lib/module.h \ @@ -190,6 +193,7 @@ pkginclude_HEADERS += \ lib/ringbuf.h \ lib/routemap.h \ lib/sbuf.h \ + lib/sha256.h \ lib/sigevent.h \ lib/skiplist.h \ lib/smux.h \ diff --git a/lib/zebra.h b/lib/zebra.h index 20a9df7..0911595 100644 --- a/lib/zebra.h +++ b/lib/zebra.h @@ -134,11 +134,6 @@ typedef unsigned char uint8_t; #endif #endif -#ifdef CRYPTO_OPENSSL -#include -#include -#endif - #include "openbsd-tree.h" #include diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c index 2b1c769..032b12b 100644 --- a/ospfd/ospf_packet.c +++ b/ospfd/ospf_packet.c @@ -33,9 +33,7 @@ #include "log.h" #include "sockopt.h" #include "checksum.h" -#if !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE) #include "md5.h" -#endif #include "vrf.h" #include "lib_errors.h" @@ -334,11 +332,7 @@ static unsigned int ospf_packet_max(struct ospf_interface *oi) static int ospf_check_md5_digest(struct ospf_interface *oi, struct ospf_header *ospfh) { -#ifdef CRYPTO_OPENSSL - EVP_MD_CTX *ctx; -#else MD5_CTX ctx; -#endif unsigned char digest[OSPF_AUTH_MD5_SIZE]; struct crypt_key *ck; struct ospf_neighbor *nbr; 
@@ -367,21 +361,11 @@ static int ospf_check_md5_digest(struct ospf_interface *oi, } /* Generate a digest for the ospf packet - their digest + our digest. */ -#ifdef CRYPTO_OPENSSL - unsigned int md5_size = OSPF_AUTH_MD5_SIZE; - ctx = EVP_MD_CTX_new(); - EVP_DigestInit(ctx, EVP_md5()); - EVP_DigestUpdate(ctx, ospfh, length); - EVP_DigestUpdate(ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE); - EVP_DigestFinal(ctx, digest, &md5_size); - EVP_MD_CTX_free(ctx); -#elif CRYPTO_INTERNAL memset(&ctx, 0, sizeof(ctx)); MD5Init(&ctx); MD5Update(&ctx, ospfh, length); MD5Update(&ctx, ck->auth_key, OSPF_AUTH_MD5_SIZE); MD5Final(digest, &ctx); -#endif /* compare the two */ if (memcmp((caddr_t)ospfh + length, digest, OSPF_AUTH_MD5_SIZE)) { @@ -405,11 +389,7 @@ static int ospf_make_md5_digest(struct ospf_interface *oi, { struct ospf_header *ospfh; unsigned char digest[OSPF_AUTH_MD5_SIZE] = {0}; -#ifdef CRYPTO_OPENSSL - EVP_MD_CTX *ctx; -#else MD5_CTX ctx; -#endif void *ibuf; uint32_t t; struct crypt_key *ck; @@ -442,21 +422,11 @@ static int ospf_make_md5_digest(struct ospf_interface *oi, } /* Generate a digest for the entire packet + our secret key. */ -#ifdef CRYPTO_OPENSSL - unsigned int md5_size = OSPF_AUTH_MD5_SIZE; - ctx = EVP_MD_CTX_new(); - EVP_DigestInit(ctx, EVP_md5()); - EVP_DigestUpdate(ctx, ibuf, ntohs(ospfh->length)); - EVP_DigestUpdate(ctx, auth_key, OSPF_AUTH_MD5_SIZE); - EVP_DigestFinal(ctx, digest, &md5_size); - EVP_MD_CTX_free(ctx); -#elif CRYPTO_INTERNAL memset(&ctx, 0, sizeof(ctx)); MD5Init(&ctx); MD5Update(&ctx, ibuf, ntohs(ospfh->length)); MD5Update(&ctx, auth_key, OSPF_AUTH_MD5_SIZE); MD5Final(digest, &ctx); -#endif /* Append md5 digest to the end of the stream. */ stream_put(op->s, digest, OSPF_AUTH_MD5_SIZE); diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c index 2cf0d32..c1dc1f0 100644 --- a/ospfd/ospf_vty.c +++ b/ospfd/ospf_vty.c 
@@ -1135,11 +1135,6 @@ DEFUN (ospf_area_vlink, if (argv_find(argv, argc, "message-digest", &idx)) { /* authentication message-digest */ - if(FIPS_mode()) - { - vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); - return CMD_WARNING_CONFIG_FAILED; - } vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC; } else if (argv_find(argv, argc, "null", &idx)) { /* "authentication null" */ @@ -1999,15 +1994,6 @@ DEFUN (ospf_area_authentication_message_digest, ? OSPF_AUTH_NULL : OSPF_AUTH_CRYPTOGRAPHIC; - if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC) - { - if(FIPS_mode()) - { - vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); - return CMD_WARNING_CONFIG_FAILED; - } - } - return CMD_SUCCESS; } @@ -6680,11 +6666,6 @@ DEFUN (ip_ospf_authentication_args, /* Handle message-digest authentication */ if (argv[idx_encryption]->arg[0] == 'm') { - if(FIPS_mode()) - { - vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); - return CMD_WARNING_CONFIG_FAILED; - } SET_IF_PARAM(params, auth_type); params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC; return CMD_SUCCESS; @@ -6992,11 +6973,6 @@ DEFUN (ip_ospf_message_digest_key, "The OSPF password (key)\n" "Address of interface\n") { - if(FIPS_mode()) - { - vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); - return CMD_WARNING_CONFIG_FAILED; - } VTY_DECLVAR_CONTEXT(interface, ifp); struct crypt_key *ck; uint8_t key_id; diff --git a/redhat/daemons b/redhat/daemons index 9159e49..7f3ff36 100644 --- a/redhat/daemons +++ b/redhat/daemons @@ -44,9 +44,11 @@ ospf6d=no ripd=no ripngd=no isisd=no +ldpd=no pimd=no nhrpd=no eigrpd=no +babeld=no sharpd=no pbrd=no staticd=no 
@@ -63,9 +65,11 @@ ospf6d_options=("-A ::1") ripd_options=("-A 127.0.0.1") ripngd_options=("-A ::1") isisd_options=("-A 127.0.0.1") +ldpd_options=("-A 127.0.0.1") pimd_options=("-A 127.0.0.1") nhrpd_options=("-A 127.0.0.1") eigrpd_options=("-A 127.0.0.1") +babeld_options=("-A 127.0.0.1") sharpd_options=("-A 127.0.0.1") pbrd_options=("-A 127.0.0.1") staticd_options=("-A 127.0.0.1") diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c index 02a09ef..5bb81ef 100644 --- a/ripd/rip_cli.c +++ b/ripd/rip_cli.c @@ -796,12 +796,6 @@ DEFPY (ip_rip_authentication_mode, value = "20"; } - if(strmatch(mode, "md5") && FIPS_mode()) - { - vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n"); - return CMD_WARNING_CONFIG_FAILED; - } - nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY, strmatch(mode, "md5") ? "md5" : "plain-text"); nb_cli_enqueue_change(vty, "./authentication-scheme/md5-auth-length", diff --git a/ripd/ripd.c b/ripd/ripd.c index a9856b6..0ce5324 100644 --- a/ripd/ripd.c +++ b/ripd/ripd.c @@ -37,9 +37,7 @@ #include "if_rmap.h" #include "plist.h" #include "distribute.h" -#if !defined(CRYPTO_OPENSSL) && !defined(HAVE_NETTLE) #include "md5.h" -#endif #include "keychain.h" #include "privs.h" #include "lib_errors.h" @@ -850,11 +848,7 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from, struct rip_md5_data *md5data; struct keychain *keychain; struct key *key; -#ifdef CRYPTO_OPENSSL - EVP_MD_CTX *ctx; -#else MD5_CTX ctx; -#endif uint8_t digest[RIP_AUTH_MD5_SIZE]; uint16_t packet_len; char auth_str[RIP_AUTH_MD5_SIZE]; 
@@ -920,21 +914,11 @@ static int rip_auth_md5(struct rip_packet *packet, struct sockaddr_in *from, return 0; /* MD5 digest authentication. */ -#ifdef CRYPTO_OPENSSL - unsigned int md5_size = RIP_AUTH_MD5_SIZE; - ctx = EVP_MD_CTX_new(); - EVP_DigestInit(ctx, EVP_md5()); - EVP_DigestUpdate(ctx, packet, packet_len + RIP_HEADER_SIZE); - EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE); - EVP_DigestFinal(ctx, digest, &md5_size); - EVP_MD_CTX_free(ctx); -#elif CRYPTO_INTERNAL memset(&ctx, 0, sizeof(ctx)); MD5Init(&ctx); MD5Update(&ctx, packet, packet_len + RIP_HEADER_SIZE); MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE); MD5Final(digest, &ctx); -#endif if (memcmp(md5data->digest, digest, RIP_AUTH_MD5_SIZE) == 0) return packet_len; @@ -1059,11 +1043,7 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri, size_t doff, char *auth_str, int authlen) { unsigned long len; -#ifdef CRYPTO_OPENSSL - EVP_MD_CTX *ctx; -#else MD5_CTX ctx; -#endif unsigned char digest[RIP_AUTH_MD5_SIZE]; /* Make it sure this interface is configured as MD5 @@ -1092,21 +1072,11 @@ static void rip_auth_md5_set(struct stream *s, struct rip_interface *ri, stream_putw(s, RIP_AUTH_DATA); /* Generate a digest for the RIP packet. */ -#ifdef CRYPTO_OPENSSL - unsigned int md5_size = RIP_AUTH_MD5_SIZE; - ctx = EVP_MD_CTX_new(); - EVP_DigestInit(ctx, EVP_md5()); - EVP_DigestUpdate(ctx, STREAM_DATA(s), stream_get_endp(s)); - EVP_DigestUpdate(ctx, auth_str, RIP_AUTH_MD5_SIZE); - EVP_DigestFinal(ctx, digest, &md5_size); - EVP_MD_CTX_free(ctx); -#elif CRYPTO_INTERNAL memset(&ctx, 0, sizeof(ctx)); MD5Init(&ctx); MD5Update(&ctx, STREAM_DATA(s), stream_get_endp(s)); MD5Update(&ctx, auth_str, RIP_AUTH_MD5_SIZE); MD5Final(digest, &ctx); -#endif /* Copy the digest to the packet. */ stream_write(s, digest, RIP_AUTH_MD5_SIZE); diff --git a/tools/frr-reload.py b/tools/frr-reload.py index 80597ed..c48c8b9 100755 --- a/tools/frr-reload.py +++ b/tools/frr-reload.py 
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/python
 # Frr Reloader
 # Copyright (C) 2014 Cumulus Networks, Inc.
 #
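Review bot: The new shebang `#!/usr/bin/python` resolves to whatever the unversioned interpreter is on the host, which may be Python 2 or may not exist at all, so frr-reload.py can fail to start or run under an interpreter that no longer receives fixes. If this state is more than a transient step before the downstream patches are re-applied, keeping `#!/usr/bin/python3` (or having the package build rewrite the shebang) pins the interpreter explicitly.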