v9.0.1

2023-11-12 17:20:08 +01:00
parent 67a7261f02
commit b1a9148fbe
6 changed files with 404 additions and 327 deletions
--- a/0004-fips-mode.patch
+++ b/0004-fips-mode.patch
@@ -1,8 +1,63 @@
+From 730598d8a4c1bd32d0e4fc0e76be926314a6f57b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
+Date: Sun, 8 Oct 2023 11:24:43 +0200
+Subject: [PATCH 4/5] fips mode
+
+---
+ isisd/isis_circuit.c |  4 ++++
+ isisd/isisd.c        |  4 ++++
+ lib/zebra.h          |  1 +
+ ospfd/ospf_vty.c     | 24 ++++++++++++++++++++++++
+ ripd/rip_cli.c       |  6 ++++++
+ 5 files changed, 39 insertions(+)
+
+diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
+index feab45123..f02bae968 100644
+--- a/isisd/isis_circuit.c
+++ b/isisd/isis_circuit.c
+@@ -1542,6 +1542,10 @@ ferr_r isis_circuit_passwd_set(struct isis_circuit *circuit,
+ 		return ferr_code_bug(
+ 			"circuit password too long (max 254 chars)");
+ 
+	//When in FIPS mode, the password never gets set in MD5
+	if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
+		return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+
+ 	circuit->passwd.len = len;
+ 	strlcpy((char *)circuit->passwd.passwd, passwd,
+ 		sizeof(circuit->passwd.passwd));
+diff --git a/isisd/isisd.c b/isisd/isisd.c
+index ea304ba5e..67f6e253a 100644
+--- a/isisd/isisd.c
+++ b/isisd/isisd.c
+@@ -3036,6 +3036,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
+ 		if (len > 254)
+ 			return -1;
+ 
+		//When in FIPS mode, the password never get set in MD5
+		if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
+			return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+
+ 		modified.len = len;
+ 		strlcpy((char *)modified.passwd, passwd,
+ 			sizeof(modified.passwd));
+diff --git a/lib/zebra.h b/lib/zebra.h
+index ecc87f58f..5cb716759 100644
+--- a/lib/zebra.h
+++ b/lib/zebra.h
+@@ -90,6 +90,7 @@
+ #ifdef CRYPTO_OPENSSL
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
+#include <openssl/fips.h>
+ #endif
+ 
+ #include "openbsd-tree.h"
 diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
-index 631465f..e084ff3 100644
+index 5cd70c7c2..0b8dbaa73 100644
 --- a/ospfd/ospf_vty.c
 +++ b/ospfd/ospf_vty.c
-@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
+@@ -1069,6 +1069,11 @@ DEFUN (ospf_area_vlink,
 
 	if (argv_find(argv, argc, "message-digest", &idx)) {
 		/* authentication message-digest */
@@ -14,7 +69,7 @@ index 631465f..e084ff3 100644
 		vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
 	} else if (argv_find(argv, argc, "null", &idx)) {
 		/* "authentication null" */
-@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest,
+@@ -1974,6 +1979,15 @@ DEFUN (ospf_area_authentication_message_digest,
 				  ? OSPF_AUTH_NULL
 				  : OSPF_AUTH_CRYPTOGRAPHIC;
 
@@ -30,7 +85,7 @@ index 631465f..e084ff3 100644
 	return CMD_SUCCESS;
 }
 
-@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args,
+@@ -7419,6 +7433,11 @@ DEFUN (ip_ospf_authentication_args,
 
 	/* Handle message-digest authentication */
 	if (argv[idx_encryption]->arg[0] == 'm') {
@@ -42,7 +97,7 @@ index 631465f..e084ff3 100644
 		SET_IF_PARAM(params, auth_type);
 		params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
 		return CMD_SUCCESS;
-@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
+@@ -7725,6 +7744,11 @@ DEFUN (ip_ospf_message_digest_key,
        "The OSPF password (key)\n"
        "Address of interface\n")
 {
@@ -54,41 +109,11 @@ index 631465f..e084ff3 100644
 	VTY_DECLVAR_CONTEXT(interface, ifp);
 	struct crypt_key *ck;
 	uint8_t key_id;
-diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
-index 81b4b39..cce33d9 100644
--- a/isisd/isis_circuit.c
-+++ b/isisd/isis_circuit.c
-@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
- 		return ferr_code_bug(
- 			"circuit password too long (max 254 chars)");
- 
-+	//When in FIPS mode, the password never gets set in MD5
-+	if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
-+		return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
-+
- 	circuit->passwd.len = len;
- 	strlcpy((char *)circuit->passwd.passwd, passwd,
- 		sizeof(circuit->passwd.passwd));
-diff --git a/isisd/isisd.c b/isisd/isisd.c
-index 419127c..a6c36af 100644
--- a/isisd/isisd.c
-+++ b/isisd/isisd.c
-@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
- 		if (len > 254)
- 			return -1;
- 
-+		//When in FIPS mode, the password never get set in MD5
-+		if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
-+			return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
-+
- 		modified.len = len;
- 		strlcpy((char *)modified.passwd, passwd,
- 			sizeof(modified.passwd));
 diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
-index 5bb81ef..02a09ef 100644
+index 097c708ab..854a16e4e 100644
 --- a/ripd/rip_cli.c
 +++ b/ripd/rip_cli.c
-@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
+@@ -876,6 +876,12 @@ DEFPY_YANG (ip_rip_authentication_mode,
 			value = "20";
 	}
 
@@ -101,15 +126,6 @@ index 5bb81ef..02a09ef 100644
 	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
 			      strmatch(mode, "md5") ? "md5" : "plain-text");
 	if (strmatch(mode, "md5"))
-diff --git a/lib/zebra.h b/lib/zebra.h
-index 53ae5b4..930307f 100644
--- a/lib/zebra.h
-+++ b/lib/zebra.h
-@@ -114,6 +114,7 @@
- #ifdef CRYPTO_OPENSSL
- #include <openssl/evp.h>
- #include <openssl/hmac.h>
-+#include <openssl/fips.h>
- #endif
+-- 
+2.41.0

- #include "openbsd-tree.h"