v.ims.1 - Bump version

Resolves: #2011868 - systemctl frr reload does not stop daemons that are not enabled in /etc/frr/daemons

.gitignore

@@ -1 +1,11 @@
 /frr-7.1.tar.gz
+/frr-7.2.tar.gz
+/frr-7.3.tar.gz
+/remove-babeld-ldpd.sh
+/frr-7.3.1.tar.gz
+/frr-7.4.tar.gz
+/frr-7.5.tar.gz
+/frr-7.5.1.tar.gz
+/frr-8.0.1.tar.gz
+/frr-8.2.tar.gz
+/frr-8.2.2.tar.gz

0000-remove-babeld-and-ldpd.patch

@@ -12,9 +12,9 @@ index 5be3264..33abc1d 100644
  include sharpd/subdir.am
  include pimd/subdir.am
 @@ -182,7 +180,6 @@ EXTRA_DIST += \
+ 	snapcraft/defaults \
  	snapcraft/helpers \
  	snapcraft/snap \
- 	\
 -	babeld/Makefile \
  	bgpd/Makefile \
  	bgpd/rfp-example/librfp/Makefile \

0001-use-python3.patch

@@ -1,10 +0,0 @@
-diff --git a/tools/frr-reload.py b/tools/frr-reload.py
-index 208fb11..0692adc 100755
---- a/tools/frr-reload.py
-+++ b/tools/frr-reload.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
- # Frr Reloader
- # Copyright (C) 2014 Cumulus Networks, Inc.
- #

0002-enable-openssl.patch

@@ -0,0 +1,78 @@
+diff --git a/lib/subdir.am b/lib/subdir.am
+index 0b7af18..0533e24 100644
+--- a/lib/subdir.am
++++ b/lib/subdir.am
+@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \
+ 	lib/log.c \
+ 	lib/log_filter.c \
+ 	lib/log_vty.c \
+-	lib/md5.c \
+ 	lib/memory.c \
+ 	lib/mlag.c \
+ 	lib/module.c \
+@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
+ 	lib/routemap_northbound.c \
+ 	lib/sbuf.c \
+ 	lib/seqlock.c \
+-	lib/sha256.c \
+ 	lib/sigevent.c \
+ 	lib/skiplist.c \
+ 	lib/sockopt.c \
+@@ -170,7 +170,6 @@ pkginclude_HEADERS += \
+ 	lib/link_state.h \
+ 	lib/log.h \
+ 	lib/log_vty.h \
+-	lib/md5.h \
+ 	lib/memory.h \
+ 	lib/module.h \
+ 	lib/monotime.h \
+@@ -191,7 +190,6 @@ pkginclude_HEADERS += \
+ 	lib/route_opaque.h \
+ 	lib/sbuf.h \
+ 	lib/seqlock.h \
+-	lib/sha256.h \
+ 	lib/sigevent.h \
+ 	lib/skiplist.h \
+ 	lib/smux.h \
+diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
+index 1991666..2e4fe55 100644
+--- a/isisd/isis_lsp.c
++++ b/isisd/isis_lsp.c
+@@ -35,7 +35,9 @@
+ #include "hash.h"
+ #include "if.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "table.h"
+ #include "srcdest_table.h"
+ #include "lib_errors.h"
+diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c
+index 9c63311..7cf594c 100644
+--- a/isisd/isis_pdu.c
++++ b/isisd/isis_pdu.c
+@@ -33,7 +33,9 @@
+ #include "prefix.h"
+ #include "if.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "lib_errors.h"
+ 
+ #include "isisd/isis_constants.h"
+diff --git a/isisd/isis_te.c b/isisd/isis_te.c
+index 4ea6c2c..72ff0d2 100644
+--- a/isisd/isis_te.c
++++ b/isisd/isis_te.c
+@@ -38,7 +38,9 @@
+ #include "if.h"
+ #include "vrf.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "sockunion.h"
+ #include "network.h"
+ #include "sbuf.h"

0003-disable-eigrp-crypto.patch

@@ -0,0 +1,252 @@
+diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c
+index bedaf15..8dc09bf 100644
+--- a/eigrpd/eigrp_packet.c
++++ b/eigrpd/eigrp_packet.c
+@@ -40,8 +40,10 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
+ #include "sha256.h"
++#endif
+ #include "lib_errors.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+@@ -95,8 +97,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 	struct key *key = NULL;
+ 	struct keychain *keychain;
+ 
++
+ 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
++#ifdef CRYPTO_OPENSSL
++#elif CRYPTO_INTERNAL
+ 	MD5_CTX ctx;
++#endif
+ 	uint8_t *ibuf;
+ 	size_t backup_get, backup_end;
+ 	struct TLV_MD5_Authentication_Type *auth_TLV;
+@@ -119,6 +125,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 		return EIGRP_AUTH_TYPE_NONE;
+ 	}
+ 
++#ifdef CRYPTO_OPENSSL
++//TBD when this is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 
+@@ -146,7 +155,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 	}
+ 
+ 	MD5Final(digest, &ctx);
+-
++#endif
+ 	/* Append md5 digest to the end of the stream. */
+ 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN);
+ 
+@@ -162,7 +171,10 @@ int eigrp_check_md5_digest(struct stream *s,
+ 			   struct TLV_MD5_Authentication_Type *authTLV,
+ 			   struct eigrp_neighbor *nbr, uint8_t flags)
+ {
++#ifdef CRYPTO_OPENSSL
++#elif CRYPTO_INTERNAL
+ 	MD5_CTX ctx;
++#endif
+ 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
+ 	unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN];
+ 	struct key *key = NULL;
+@@ -203,6 +215,9 @@ int eigrp_check_md5_digest(struct stream *s,
+ 		return 0;
+ 	}
+ 
++#ifdef CRYPTO_OPENSSL
++	//TBD when eigrpd crypto is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 
+@@ -230,6 +245,7 @@ int eigrp_check_md5_digest(struct stream *s,
+ 	}
+ 
+ 	MD5Final(digest, &ctx);
++#endif
+ 
+ 	/* compare the two */
+ 	if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) {
+@@ -254,7 +270,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 	unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN];
+ 	unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0};
+ 
++#ifdef CRYPTO_OPENSSL
++	//TBD when eigrpd crypto is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	HMAC_SHA256_CTX ctx;
++#endif
+ 	void *ibuf;
+ 	size_t backup_get, backup_end;
+ 	struct TLV_SHA256_Authentication_Type *auth_TLV;
+@@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 
+ 	inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN);
+ 
++#ifdef CRYPTO_OPENSSL
++	//TBD when eigrpd crypto is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	buffer[0] = '\n';
+ 	memcpy(buffer + 1, key, strlen(key->string));
+@@ -291,7 +314,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 			  1 + strlen(key->string) + strlen(source_ip));
+ 	HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf));
+ 	HMAC__SHA256_Final(digest, &ctx);
+-
++#endif
+ 
+ 	/* Put hmac-sha256 digest to it's place */
+ 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN);
+diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c
+index 93eed94..f1c7347 100644
+--- a/eigrpd/eigrp_filter.c
++++ b/eigrpd/eigrp_filter.c
+@@ -47,7 +47,9 @@
+ #include "if_rmap.h"
+ #include "plist.h"
+ #include "distribute.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "keychain.h"
+ #include "privs.h"
+ #include "vrf.h"
+diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c
+index dacd5ca..b232cc5 100644
+--- a/eigrpd/eigrp_hello.c
++++ b/eigrpd/eigrp_hello.c
+@@ -43,7 +43,9 @@
+ #include "sockopt.h"
+ #include "checksum.h"
+ #include "vty.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ 
+ #include "eigrpd/eigrp_structs.h"
+ #include "eigrpd/eigrpd.h"
+diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c
+index 84dcf5e..a2575e3 100644
+--- a/eigrpd/eigrp_query.c
++++ b/eigrpd/eigrp_query.c
+@@ -38,7 +38,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c
+index ccf0496..2902365 100644
+--- a/eigrpd/eigrp_reply.c
++++ b/eigrpd/eigrp_reply.c
+@@ -42,7 +42,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ #include "keychain.h"
+ #include "plist.h"
+diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c
+index ff38325..09b9369 100644
+--- a/eigrpd/eigrp_siaquery.c
++++ b/eigrpd/eigrp_siaquery.c
+@@ -38,7 +38,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c
+index d3dd123..f6a2bd6 100644
+--- a/eigrpd/eigrp_siareply.c
++++ b/eigrpd/eigrp_siareply.c
+@@ -37,7 +37,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c
+index 21c9238..cfb8890 100644
+--- a/eigrpd/eigrp_snmp.c
++++ b/eigrpd/eigrp_snmp.c
+@@ -42,7 +42,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "keychain.h"
+ #include "smux.h"
+ 
+diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c
+index 8db4903..2a4f0bb 100644
+--- a/eigrpd/eigrp_update.c
++++ b/eigrpd/eigrp_update.c
+@@ -42,7 +42,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ #include "plist.h"
+ #include "plist_int.h"
+diff --git a/eigrpd/eigrp_cli.c b/eigrpd/eigrp_cli.c
+index a93d4c8..b01e121 100644
+--- a/eigrpd/eigrp_cli.c
++++ b/eigrpd/eigrp_cli.c
+@@ -25,6 +25,7 @@
+ #include "lib/command.h"
+ #include "lib/log.h"
+ #include "lib/northbound_cli.h"
++#include "lib/libfrr.h"
+ 
+ #include "eigrp_structs.h"
+ #include "eigrpd.h"
+@@ -726,6 +726,20 @@ DEFPY(
+ 	"Keyed message digest\n"
+ 	"HMAC SHA256 algorithm \n")
+ {
++	//EIGRP authentication is currently broken in FRR
++	switch (frr_get_cli_mode()) {
++	case FRR_CLI_CLASSIC:
++		vty_out(vty, "%% Eigrp Authentication is disabled\n\n");
++		break;
++	case FRR_CLI_TRANSACTIONAL:
++		vty_out(vty,
++			"%% Failed to edit candidate configuration - "
++			"Eigrp Authentication is disabled.\n\n");
++		break;
++	}
++
++	return CMD_WARNING_CONFIG_FAILED;
++
+ 	char xpath[XPATH_MAXLEN], xpath_auth[XPATH_MAXLEN + 64];
+ 
+ 	snprintf(xpath, sizeof(xpath), "./frr-eigrpd:eigrp/instance[asn='%s']",

0004-fips-mode.patch

@@ -0,0 +1,103 @@
+diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
+index 631465f..e084ff3 100644
+--- a/ospfd/ospf_vty.c
++++ b/ospfd/ospf_vty.c
+@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
+ 
+ 	if (argv_find(argv, argc, "message-digest", &idx)) {
+ 		/* authentication message-digest */
++		if(FIPS_mode())
++		{
++			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
++			return CMD_WARNING_CONFIG_FAILED;
++		}
+ 		vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
+ 	} else if (argv_find(argv, argc, "null", &idx)) {
+ 		/* "authentication null" */
+@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest,
+ 				  ? OSPF_AUTH_NULL
+ 				  : OSPF_AUTH_CRYPTOGRAPHIC;
+ 
++	if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC)
++	{
++		if(FIPS_mode())
++		{
++			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
++			return CMD_WARNING_CONFIG_FAILED;
++		}
++	}
++
+ 	return CMD_SUCCESS;
+ }
+ 
+@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args,
+ 
+ 	/* Handle message-digest authentication */
+ 	if (argv[idx_encryption]->arg[0] == 'm') {
++		if(FIPS_mode())
++		{
++			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
++			return CMD_WARNING_CONFIG_FAILED;
++		}
+ 		SET_IF_PARAM(params, auth_type);
+ 		params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
+ 		return CMD_SUCCESS;
+@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
+        "The OSPF password (key)\n"
+        "Address of interface\n")
+ {
++	if(FIPS_mode())
++	{
++		vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
++		return CMD_WARNING_CONFIG_FAILED;
++	}
+ 	VTY_DECLVAR_CONTEXT(interface, ifp);
+ 	struct crypt_key *ck;
+ 	uint8_t key_id;
+diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
+index 81b4b39..cce33d9 100644
+--- a/isisd/isis_circuit.c
++++ b/isisd/isis_circuit.c
+@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
+ 		return ferr_code_bug(
+ 			"circuit password too long (max 254 chars)");
+ 
++	//When in FIPS mode, the password never gets set in MD5
++	if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
++		return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
++
+ 	circuit->passwd.len = len;
+ 	strlcpy((char *)circuit->passwd.passwd, passwd,
+ 		sizeof(circuit->passwd.passwd));
+diff --git a/isisd/isisd.c b/isisd/isisd.c
+index 419127c..a6c36af 100644
+--- a/isisd/isisd.c
++++ b/isisd/isisd.c
+@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
+ 		if (len > 254)
+ 			return -1;
+ 
++		//When in FIPS mode, the password never get set in MD5
++		if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
++			return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
++
+ 		modified.len = len;
+ 		strlcpy((char *)modified.passwd, passwd,
+ 			sizeof(modified.passwd));
+diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
+index 5bb81ef..02a09ef 100644
+--- a/ripd/rip_cli.c
++++ b/ripd/rip_cli.c
+@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
+ 			value = "20";
+ 	}
+ 
++	if(strmatch(mode, "md5") && FIPS_mode())
++	{
++		vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n");
++		return CMD_WARNING_CONFIG_FAILED;
++	}
++
+ 	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
+ 			      strmatch(mode, "md5") ? "md5" : "plain-text");
+ 	if (strmatch(mode, "md5"))

0005-remove-grpc-test.patch

@@ -0,0 +1,23 @@
+diff --git a/tests/lib/subdir.am b/tests/lib/subdir.am
+index 7b5eaa4..5c82f69 100644
+--- a/tests/lib/subdir.am
++++ b/tests/lib/subdir.am
+@@ -18,18 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
+ EXTRA_DIST += tests/lib/test_frrscript.py
+ 
+ 
+-##############################################################################
+-GRPC_TESTS_LDADD = staticd/libstatic.a grpc/libfrrgrpc_pb.la -lgrpc++ -lprotobuf $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
+-
+-if GRPC
+-check_PROGRAMS += tests/lib/test_grpc
+-endif
+-tests_lib_test_grpc_CXXFLAGS = $(WERROR) $(TESTS_CXXFLAGS)
+-tests_lib_test_grpc_CPPFLAGS = $(TESTS_CPPFLAGS)
+-tests_lib_test_grpc_LDADD = $(GRPC_TESTS_LDADD)
+-tests_lib_test_grpc_SOURCES = tests/lib/test_grpc.cpp
+-
+-
+ ##############################################################################
+ if ZEROMQ
+ check_PROGRAMS += tests/lib/test_zmq

0006-cve-2022-26126.patch

@@ -0,0 +1,461 @@
+From ac3133450de12ba86c051265fc0f1b12bc57b40c Mon Sep 17 00:00:00 2001
+From: whichbug <whichbug@github.com>
+Date: Thu, 10 Feb 2022 22:49:41 -0500
+Subject: [PATCH] isisd: fix #10505 using base64 encoding
+
+Using base64 instead of the raw string to encode
+the binary data.
+
+Signed-off-by: whichbug <whichbug@github.com>
+---
+ isisd/isis_nb_notifications.c |  16 +--
+ lib/base64.c                  | 193 ++++++++++++++++++++++++++++++++++
+ lib/base64.h                  |  45 ++++++++
+ lib/subdir.am                 |   2 +
+ lib/yang_wrappers.c           |  59 +++++++++++
+ lib/yang_wrappers.h           |   7 ++
+ 6 files changed, 314 insertions(+), 8 deletions(-)
+ create mode 100644 lib/base64.c
+ create mode 100644 lib/base64.h
+
+diff --git a/isisd/isis_nb_notifications.c b/isisd/isis_nb_notifications.c
+index f219632acf7..fd7b1b3159a 100644
+--- a/isisd/isis_nb_notifications.c
++++ b/isisd/isis_nb_notifications.c
+@@ -245,7 +245,7 @@ void isis_notif_max_area_addr_mismatch(const struct isis_circuit *circuit,
+ 	data = yang_data_new_uint8(xpath_arg, max_area_addrs);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_max_area_addr_mismatch, circuit, max_area_addrs,
+@@ -270,7 +270,7 @@ void isis_notif_authentication_type_failure(const struct isis_circuit *circuit,
+ 	notif_prep_instance_hdr(xpath, area, "default", arguments);
+ 	notif_prepr_iface_hdr(xpath, circuit, arguments);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_authentication_type_failure, circuit, raw_pdu,
+@@ -294,7 +294,7 @@ void isis_notif_authentication_failure(const struct isis_circuit *circuit,
+ 	notif_prep_instance_hdr(xpath, area, "default", arguments);
+ 	notif_prepr_iface_hdr(xpath, circuit, arguments);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_authentication_failure, circuit, raw_pdu,
+@@ -361,7 +361,7 @@ void isis_notif_reject_adjacency(const struct isis_circuit *circuit,
+ 	data = yang_data_new_string(xpath_arg, reason);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_reject_adjacency, circuit, raw_pdu, raw_pdu_len);
+@@ -384,7 +384,7 @@ void isis_notif_area_mismatch(const struct isis_circuit *circuit,
+ 	notif_prep_instance_hdr(xpath, area, "default", arguments);
+ 	notif_prepr_iface_hdr(xpath, circuit, arguments);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_area_mismatch, circuit, raw_pdu, raw_pdu_len);
+@@ -467,7 +467,7 @@ void isis_notif_id_len_mismatch(const struct isis_circuit *circuit,
+ 	data = yang_data_new_uint8(xpath_arg, rcv_id_len);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_id_len_mismatch, circuit, rcv_id_len, raw_pdu,
+@@ -495,7 +495,7 @@ void isis_notif_version_skew(const struct isis_circuit *circuit,
+ 	data = yang_data_new_uint8(xpath_arg, version);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_version_skew, circuit, version, raw_pdu,
+@@ -525,7 +525,7 @@ void isis_notif_lsp_error(const struct isis_circuit *circuit,
+ 	data = yang_data_new_string(xpath_arg, rawlspid_print(lsp_id));
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 	/* ignore offset and tlv_type which cannot be set properly */
+ 
+diff --git a/lib/base64.c b/lib/base64.c
+new file mode 100644
+index 00000000000..e3f238969b3
+--- /dev/null
++++ b/lib/base64.c
+@@ -0,0 +1,193 @@
++/*
++ * This is part of the libb64 project, and has been placed in the public domain.
++ * For details, see http://sourceforge.net/projects/libb64
++ */
++
++#include "base64.h"
++
++static const int CHARS_PER_LINE = 72;
++static const char *ENCODING =
++	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
++
++void base64_init_encodestate(struct base64_encodestate *state_in)
++{
++	state_in->step = step_A;
++	state_in->result = 0;
++	state_in->stepcount = 0;
++}
++
++char base64_encode_value(char value_in)
++{
++	if (value_in > 63)
++		return '=';
++	return ENCODING[(int)value_in];
++}
++
++int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
++			struct base64_encodestate *state_in)
++{
++	const char *plainchar = plaintext_in;
++	const char *const plaintextend = plaintext_in + length_in;
++	char *codechar = code_out;
++	char result;
++	char fragment;
++
++	result = state_in->result;
++
++	switch (state_in->step) {
++		while (1) {
++			case step_A:
++				if (plainchar == plaintextend) {
++					state_in->result = result;
++					state_in->step = step_A;
++					return codechar - code_out;
++				}
++				fragment = *plainchar++;
++				result = (fragment & 0x0fc) >> 2;
++				*codechar++ = base64_encode_value(result);
++				result = (fragment & 0x003) << 4;
++				/* fall through */
++			case step_B:
++				if (plainchar == plaintextend) {
++					state_in->result = result;
++					state_in->step = step_B;
++					return codechar - code_out;
++				}
++				fragment = *plainchar++;
++				result |= (fragment & 0x0f0) >> 4;
++				*codechar++ = base64_encode_value(result);
++				result = (fragment & 0x00f) << 2;
++				/* fall through */
++			case step_C:
++				if (plainchar == plaintextend) {
++					state_in->result = result;
++					state_in->step = step_C;
++					return codechar - code_out;
++				}
++				fragment = *plainchar++;
++				result |= (fragment & 0x0c0) >> 6;
++				*codechar++ = base64_encode_value(result);
++				result  = (fragment & 0x03f) >> 0;
++				*codechar++ = base64_encode_value(result);
++
++				++(state_in->stepcount);
++				if (state_in->stepcount == CHARS_PER_LINE/4) {
++					*codechar++ = '\n';
++					state_in->stepcount = 0;
++				}
++		}
++	}
++	/* control should not reach here */
++	return codechar - code_out;
++}
++
++int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in)
++{
++	char *codechar = code_out;
++
++	switch (state_in->step) {
++	case step_B:
++		*codechar++ = base64_encode_value(state_in->result);
++		*codechar++ = '=';
++		*codechar++ = '=';
++		break;
++	case step_C:
++		*codechar++ = base64_encode_value(state_in->result);
++		*codechar++ = '=';
++		break;
++	case step_A:
++		break;
++	}
++	*codechar++ = '\n';
++
++	return codechar - code_out;
++}
++
++
++signed char base64_decode_value(signed char value_in)
++{
++	static const signed char decoding[] = {
++		62, -1, -1, -1, 63, 52, 53, 54,
++		55, 56, 57, 58, 59, 60, 61, -1,
++		-1, -1, -2, -1, -1, -1, 0, 1,
++		2,  3, 4, 5, 6, 7, 8, 9,
++		10, 11, 12, 13, 14, 15, 16, 17,
++		18, 19, 20, 21, 22, 23, 24, 25,
++		-1, -1, -1, -1, -1, -1, 26, 27,
++		28, 29, 30, 31, 32, 33, 34, 35,
++		36, 37, 38, 39, 40, 41, 42, 43,
++		44, 45, 46, 47, 48, 49, 50, 51
++	};
++	value_in -= 43;
++	if (value_in < 0 || value_in >= 80)
++		return -1;
++	return decoding[(int)value_in];
++}
++
++void base64_init_decodestate(struct base64_decodestate *state_in)
++{
++	state_in->step = step_a;
++	state_in->plainchar = 0;
++}
++
++int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
++			struct base64_decodestate *state_in)
++{
++	const char *codec = code_in;
++	char *plainc = plaintext_out;
++	signed char fragmt;
++
++	*plainc = state_in->plainchar;
++
++	switch (state_in->step) {
++		while (1) {
++			case step_a:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_a;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc = (fragmt & 0x03f) << 2;
++				/* fall through */
++			case step_b:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_b;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc++ |= (fragmt & 0x030) >> 4;
++				*plainc = (fragmt & 0x00f) << 4;
++				/* fall through */
++			case step_c:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_c;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc++ |= (fragmt & 0x03c) >> 2;
++				*plainc = (fragmt & 0x003) << 6;
++				/* fall through */
++			case step_d:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_d;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc++   |= (fragmt & 0x03f);
++		}
++	}
++	/* control should not reach here */
++	return plainc - plaintext_out;
++}
+diff --git a/lib/base64.h b/lib/base64.h
+new file mode 100644
+index 00000000000..3dc1559aa48
+--- /dev/null
++++ b/lib/base64.h
+@@ -0,0 +1,45 @@
++/*
++ * This is part of the libb64 project, and has been placed in the public domain.
++ * For details, see http://sourceforge.net/projects/libb64
++ */
++
++#ifndef _BASE64_H_
++#define _BASE64_H_
++
++enum base64_encodestep {
++	step_A, step_B, step_C
++};
++
++struct base64_encodestate {
++	enum base64_encodestep step;
++	char result;
++	int stepcount;
++};
++
++void base64_init_encodestate(struct base64_encodestate *state_in);
++
++char base64_encode_value(char value_in);
++
++int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
++			struct base64_encodestate *state_in);
++
++int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in);
++
++
++enum base64_decodestep {
++	step_a, step_b, step_c, step_d
++};
++
++struct base64_decodestate {
++	enum base64_decodestep step;
++	char plainchar;
++};
++
++void base64_init_decodestate(struct base64_decodestate *state_in);
++
++signed char base64_decode_value(signed char value_in);
++
++int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
++			struct base64_decodestate *state_in);
++
++#endif /* _BASE64_H_ */
+diff --git a/lib/subdir.am b/lib/subdir.am
+index 648ab7f14a1..f8f82f2766f 100644
+--- a/lib/subdir.am
++++ b/lib/subdir.am
+@@ -8,6 +8,7 @@ lib_libfrr_la_LIBADD = $(LIBCAP) $(UNWIND_LIBS) $(LIBYANG_LIBS) $(LUA_LIB) $(UST
+ lib_libfrr_la_SOURCES = \
+ 	lib/agg_table.c \
+ 	lib/atomlist.c \
++	lib/base64.c \
+ 	lib/bfd.c \
+ 	lib/buffer.c \
+ 	lib/checksum.c \
+@@ -177,6 +178,7 @@ clippy_scan += \
+ pkginclude_HEADERS += \
+ 	lib/agg_table.h \
+ 	lib/atomlist.h \
++	lib/base64.h \
+ 	lib/bfd.h \
+ 	lib/bitfield.h \
+ 	lib/buffer.h \
+diff --git a/lib/yang_wrappers.c b/lib/yang_wrappers.c
+index 85aa003db72..bee76c6e0f5 100644
+--- a/lib/yang_wrappers.c
++++ b/lib/yang_wrappers.c
+@@ -19,6 +19,7 @@
+ 
+ #include <zebra.h>
+ 
++#include "base64.h"
+ #include "log.h"
+ #include "lib_errors.h"
+ #include "northbound.h"
+@@ -676,6 +677,64 @@ void yang_get_default_string_buf(char *buf, size_t size, const char *xpath_fmt,
+ 			  xpath);
+ }
+ 
++/*
++ * Primitive type: binary.
++ */
++struct yang_data *yang_data_new_binary(const char *xpath, const char *value,
++				       size_t len)
++{
++	char *value_str;
++	struct base64_encodestate s;
++	int cnt;
++	char *c;
++	struct yang_data *data;
++
++	value_str = (char *)malloc(len * 2);
++	base64_init_encodestate(&s);
++	cnt = base64_encode_block(value, len, value_str, &s);
++	c = value_str + cnt;
++	cnt = base64_encode_blockend(c, &s);
++	c += cnt;
++	*c = 0;
++	data = yang_data_new(xpath, value_str);
++	free(value_str);
++	return data;
++}
++
++size_t yang_dnode_get_binary_buf(char *buf, size_t size,
++				 const struct lyd_node *dnode,
++				 const char *xpath_fmt, ...)
++{
++	const char *canon;
++	size_t cannon_len;
++	size_t decode_len;
++	size_t ret_len;
++	size_t cnt;
++	char *value_str;
++	struct base64_decodestate s;
++
++	canon = YANG_DNODE_XPATH_GET_CANON(dnode, xpath_fmt);
++	cannon_len = strlen(canon);
++	decode_len = cannon_len;
++	value_str = (char *)malloc(decode_len);
++	base64_init_decodestate(&s);
++	cnt = base64_decode_block(canon, cannon_len, value_str, &s);
++
++	ret_len = size > cnt ? cnt : size;
++	memcpy(buf, value_str, ret_len);
++	if (size < cnt) {
++		char xpath[XPATH_MAXLEN];
++
++		yang_dnode_get_path(dnode, xpath, sizeof(xpath));
++		flog_warn(EC_LIB_YANG_DATA_TRUNCATED,
++			  "%s: value was truncated [xpath %s]", __func__,
++			  xpath);
++	}
++	free(value_str);
++	return ret_len;
++}
++
++
+ /*
+  * Primitive type: empty.
+  */
+diff --git a/lib/yang_wrappers.h b/lib/yang_wrappers.h
+index d781dfb1e42..56b314876f2 100644
+--- a/lib/yang_wrappers.h
++++ b/lib/yang_wrappers.h
+@@ -118,6 +118,13 @@ extern const char *yang_get_default_string(const char *xpath_fmt, ...);
+ extern void yang_get_default_string_buf(char *buf, size_t size,
+ 					const char *xpath_fmt, ...);
+ 
++/* binary */
++extern struct yang_data *yang_data_new_binary(const char *xpath,
++					      const char *value, size_t len);
++extern size_t yang_dnode_get_binary_buf(char *buf, size_t size,
++					const struct lyd_node *dnode,
++					const char *xpath_fmt, ...);
++
+ /* empty */
+ extern struct yang_data *yang_data_new_empty(const char *xpath);
+ extern bool yang_dnode_get_empty(const struct lyd_node *dnode,

frr-sysusers.conf

@@ -0,0 +1,4 @@
+#Type Name   ID     GECOS                        Home directory  Shell
+g     frrvty -
+u     frr    -      "FRRouting routing suite"    /var/run/frr    /sbin/nologin
+m     frr    frrvty

frr-tmpfiles.conf

@@ -0,0 +1 @@
+d /run/frr 0755 frr frr -

frr.spec

@@ -1,35 +1,67 @@
-%global frrversion	7.1
-%global frr_libdir /usr/lib/frr
+%global dist .ims.1%{?dist}
+
+%global frr_libdir %{_libexecdir}/frr
 
 %global _hardened_build 1
+%define _legacy_common_support 1
 
 Name:           frr
-Version: 7.1
-Release: 2%{?checkout}%{?dist}
+Version:        8.2.2
+Release:        2%{?dist}
 Summary:        Routing daemon
 License:        GPLv2+
 URL:            http://www.frrouting.org
-Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{frrversion}/%{name}-%{frrversion}.tar.gz
-BuildRequires: perl-generators
-BuildRequires: systemd
-BuildRequires: gcc
-BuildRequires: net-snmp-devel
-BuildRequires: texinfo libcap-devel texi2html autoconf automake libtool patch groff
-BuildRequires: readline readline-devel ncurses ncurses-devel
-BuildRequires: git pam-devel c-ares-devel
-BuildRequires: json-c-devel bison >= 2.7 flex perl-XML-LibXML
-BuildRequires: python3-devel python3-sphinx python3-pytest
-BuildRequires: systemd systemd-devel
-BuildRequires: libyang-devel >= 0.16.74
-Requires: net-snmp ncurses
-Requires(post): systemd /sbin/install-info
-Requires(preun): systemd /sbin/install-info
-Requires(postun): systemd
-Provides: routingdaemon = %{version}-%{release}
-Conflicts: quagga
+Source0:        https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+Source1:        %{name}-tmpfiles.conf
+Source2:        %{name}-sysusers.conf
 
 Patch0000:      0000-remove-babeld-and-ldpd.patch
-Patch0001: 0001-use-python3.patch
+Patch0002:      0002-enable-openssl.patch
+Patch0003:      0003-disable-eigrp-crypto.patch
+Patch0004:      0004-fips-mode.patch
+Patch0005:      0005-remove-grpc-test.patch
+Patch0006:      0006-cve-2022-26126.patch
+
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  bison >= 2.7
+BuildRequires:  c-ares-devel
+BuildRequires:  flex
+BuildRequires:  gcc
+BuildRequires:  gcc-c++
+BuildRequires:  git-core
+BuildRequires:  groff
+BuildRequires:  grpc-devel
+BuildRequires:  grpc-plugins
+BuildRequires:  json-c-devel
+BuildRequires:  libcap-devel
+BuildRequires:  libtool
+BuildRequires:  libyang-devel >= 0.16.74
+BuildRequires:  make
+BuildRequires:  ncurses
+BuildRequires:  ncurses-devel
+BuildRequires:  net-snmp-devel
+BuildRequires:  pam-devel
+BuildRequires:  patch
+BuildRequires:  perl-XML-LibXML
+BuildRequires:  perl-generators
+BuildRequires:  python3-devel
+BuildRequires:  python3-pytest
+BuildRequires:  python3-sphinx
+BuildRequires:  readline-devel
+BuildRequires:  systemd-devel
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  texinfo
+
+Requires:       ncurses
+Requires:       net-snmp
+Requires(post): hostname
+%{?sysusers_requires_compat}
+Requires(post): systemd
+Requires(postun): systemd
+Requires(preun): systemd
+Conflicts:      quagga
+Provides:       routingdaemon = %{version}-%{release}
 
 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@@ -67,57 +99,56 @@ autoreconf -ivf
     --disable-ldpd \
     --disable-babeld \
     --with-moduledir=%{_libdir}/frr/modules \
-    --enable-fpm
+    --with-crypto=openssl \
+    --with-vici-socket=/run/strongswan/charon.vici \
+    --enable-fpm \
+    --enable-grpc
 
 %make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3}
 
-pushd doc
-make info
-popd
+# Build info documentation
+%make_build -C doc info
 
 %install
-mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
-         %{buildroot}/var/log/frr %{buildroot}%{_infodir} \
+mkdir -p %{buildroot}%{_sysconfdir}/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
+         %{buildroot}%{_localstatedir}/log/frr %{buildroot}%{_infodir} \
          %{buildroot}%{_unitdir}
 
 mkdir -p -m 0755 %{buildroot}%{_libdir}/frr
+mkdir -p %{buildroot}%{_tmpfilesdir}
+mkdir -p %{buildroot}%{_sysusersdir}
 
 %make_install
 
 # Remove this file, as it is uninstalled and causes errors when building on RH9
-rm -rf %{buildroot}/usr/share/info/dir
+rm -rf %{buildroot}%{_infodir}/dir
 
-install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/etc/frr/daemons %{buildroot}/etc/frr/daemons
-install -p -m 644 %{_builddir}/%{name}-%{frrversion}/tools/frr.service %{buildroot}%{_unitdir}/frr.service
-install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrinit.sh %{buildroot}%{frr_libdir}/frr
-install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh
-install -p -m 755 %{_builddir}/%{name}-%{frrversion}/tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh
+install -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+install -p -m 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
+install -p -m 644 tools/etc/frr/daemons %{buildroot}%{_sysconfdir}/frr/daemons
+install -p -m 644 tools/frr.service %{buildroot}%{_unitdir}/frr.service
+install -p -m 755 tools/frrinit.sh %{buildroot}%{frr_libdir}/frr
+install -p -m 755 tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh
+install -p -m 755 tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh
 
-install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr
-install -p -m 644 %{_builddir}/%{name}-%{frrversion}/redhat/frr.pam %{buildroot}/etc/pam.d/frr
+install -p -m 644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/frr
+install -p -m 644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
 install -d -m 775 %{buildroot}/run/frr
 
-rm %{buildroot}%{_libdir}/frr/*.la
-rm %{buildroot}%{_libdir}/frr/modules/*.la
+# Delete libtool archives
+find %{buildroot} -type f -name "*.la" -delete -print
 
 #Upstream does not maintain a stable API, these headers from -devel subpackage are no longer needed
 rm %{buildroot}%{_libdir}/frr/*.so
 rm -r %{buildroot}%{_includedir}/frr/
 
 %pre
-getent group frrvty >/dev/null 2>&1 || groupadd -r frrvty >/dev/null 2>&1 || :
-getent group frr >/dev/null 2>&1 || groupadd -r frr >/dev/null 2>&1 || :
-getent passwd frr >/dev/null 2>&1 || useradd -M -r -g frr -s /sbin/nologin \
- -c "FRRouting routing suite" -d %{_localstatedir}/run/frr frr || :
-usermod -aG frrvty frr
+%sysusers_create_compat %{SOURCE2}
+
 
 %post
 %systemd_post frr.service
 
-if [ -f %{_infodir}/%{name}.inf* ]; then
-    install-info %{_infodir}/frr.info %{_infodir}/dir || :
-fi
-
 # Create dummy files if they don't exist so basic functions can be used.
 if [ ! -e %{_sysconfdir}/frr/frr.conf ]; then
     echo "hostname `hostname`" > %{_sysconfdir}/frr/frr.conf
@@ -125,52 +156,158 @@ if [ ! -e %{_sysconfdir}/frr/frr.conf ]; then
     chmod 640 %{_sysconfdir}/frr/frr.conf
 fi
 
+#still used by vtysh, this way no error is produced when using vtysh
+if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then
+    touch %{_sysconfdir}/frr/vtysh.conf
+    chmod 640 %{_sysconfdir}/frr/vtysh.conf
+    chown frr:frrvty %{_sysconfdir}/frr/vtysh.conf
+fi
+
 %postun
 %systemd_postun_with_restart frr.service
 
 %preun
 %systemd_preun frr.service
 
-#only when removing frr
-if [ $1 -eq 0 ]; then
-	if [ -f %{_infodir}/%{name}.inf* ]; then
-    	install-info --delete %{_infodir}/frr.info %{_infodir}/dir || :
-	fi
-fi
-
 %check
-make check PYTHON=%{__python3}
+#this should be temporary, the grpc test is just badly designed
+rm tests/lib/*grpc*
+%make_build check PYTHON=%{__python3}
 
 %files
-%defattr(-,root,root)
 %license COPYING
-%doc zebra/zebra.conf.sample
-%doc isisd/isisd.conf.sample
-%doc ripd/ripd.conf.sample
-%doc bgpd/bgpd.conf.sample*
-%doc ospfd/ospfd.conf.sample
-%doc ospf6d/ospf6d.conf.sample
-%doc ripngd/ripngd.conf.sample
-%doc pimd/pimd.conf.sample
 %doc doc/mpls
-%dir %attr(755,frr,frr) %{_sysconfdir}/frr
-%dir %attr(755,frr,frr) /var/log/frr
+%dir %attr(750,frr,frr) %{_sysconfdir}/frr
+%dir %attr(755,frr,frr) %{_localstatedir}/log/frr
 %dir %attr(755,frr,frr) /run/frr
 %{_infodir}/*info*
 %{_mandir}/man*/*
+%dir %{frr_libdir}/
 %{frr_libdir}/*
 %{_bindir}/*
 %dir %{_libdir}/frr
 %{_libdir}/frr/*.so.*
+%dir %{_libdir}/frr/modules
 %{_libdir}/frr/modules/*
-%config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr
-/etc/frr/daemons
-%config(noreplace) /etc/pam.d/frr
+%config(noreplace) %attr(644,root,root) %{_sysconfdir}/logrotate.d/frr
+%config(noreplace) %attr(644,frr,frr) %{_sysconfdir}/frr/daemons
+%config(noreplace) %{_sysconfdir}/pam.d/frr
 %{_unitdir}/*.service
-/usr/share/yang/*.yang
-#%%{_libdir}/frr/frr/libyang_plugins/*
+%dir %{_datadir}/yang
+%{_datadir}/yang/*.yang
+%{_tmpfilesdir}/%{name}.conf
+%{_sysusersdir}/%{name}.conf
 
 %changelog
+* Mon Apr 11 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-2
+- Fix for CVE-2022-16126
+
+* Tue Mar 15 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-1
+- New version 8.2.2
+
+* Thu Mar 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-1
+- New version 8.2 (rhbz#2020439)
+- Resolves: #2011868 - systemctl frr reload does not stop daemons that are not enabled in /etc/frr/daemons
+
+* Thu Jan 20 2022 Michal Ruprich <mruprich@redhat.com> - 8.0.1-1
+- Rebasing to 8.0.1 due to newer libyang library
+
+* Wed Aug 04 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 7.5.1-9
+- Rebuild for grpc 1.39
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.5.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jul 20 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-7
+- Resolves: #1983278 - ospfd crashes in route_node_delete with assertion fail
+
+* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 7.5.1-6
+- Rebuild for versioned symbols in json-c
+
+* Wed Jul 07 2021 Neal Gompa <ngompa@datto.com> - 7.5.1-5
+- Clean up the spec file for legibility and modern spec standards
+- Remove unneeded info scriptlets
+- Use systemd-sysusers for frr user and frrvty group
+- Use git-core instead of git for applying patches
+- Drop redundant build dependencies
+
+* Wed Jul 07 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-4
+- Rebuild for newer abseil-cpp
+
+* Tue May 11 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 7.5.1-3
+- Rebuild for grpc 1.37
+
+* Fri Apr 23 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-2
+- Fixing permissions on config files in /etc/frr
+- Enabling integrated configuration option for frr
+
+* Fri Mar 12 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-1
+- New version 7.5.1
+- Enabling grpc, adding hostname for post scriptlet
+- Moving files to libexec due to selinux issues
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7.5-4
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Tue Feb 16 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-3
+- Fixing FTBS - icc options are confusing the new gcc
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 01 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-1
+- New version 7.5
+
+* Mon Sep 21 2020 Michal Ruprich <mruprich@redhat.com> - 7.4-1
+- New version 7.4
+
+* Thu Aug 27 2020 Josef Řídký <jridky@redhat.com> - 7.3.1-4
+- Rebuilt for new net-snmp release
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu Jun 18 2020 Michal Ruprich <mruprich@redhat.com> - 7.3.1-1
+- New version 7.3.1
+- Fixes a couple of bugs(#1832259, #1835039, #1830815, #1830808, #1830806, #1830800, #1830798, #1814773)
+
+* Tue May 19 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-6
+- Removing texi2html, it is not available in Rawhide anymore
+
+* Mon May 18 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-5
+- Rebuild for new version of libyang
+
+* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-4
+- Rebuild (json-c)
+
+* Mon Apr 13 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-3
+- Update json-c-0.14 patch with a solution from upstream
+
+* Mon Apr 13 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-2
+- Add support for upcoming json-c 0.14.0
+
+* Wed Feb 19 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-1
+- New version 7.3
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Dec 16 2019 Michal Ruprich <mruprich@redhat.com> - 7.2-1
+- New version 7.2
+
+* Tue Nov 12 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-5
+- Rebuilding for new version of libyang
+
+* Mon Oct 07 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-4
+- Adding noreplace to the /etc/frr/daemons file
+
+* Fri Sep 13 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-3
+- New way of finding python version during build
+- Replacing crypto of all routing daemons with openssl
+- Disabling EIGRP crypto because it is broken
+- Disabling crypto in FIPS mode
+
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 
@@ -179,4 +316,3 @@ make check PYTHON=%{__python3}
 
 * Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-2
 - Initial build
-

sources

@@ -1 +1,2 @@
-SHA512 (frr-7.1.tar.gz) = ee0be872a96737e45dd841b936f66c394db2bcd857c28437dfeeeabf70cf420e69212b4b744569cc1c9f6038e7ca66211c6294ec2e94855ed8131833985e32b0
+SHA512 (frr-8.2.2.tar.gz) = 2a3e189d8de09bd66bc4a49147bec681d48626d8cb268dc03f42b58064c066b35082114ff97d7333ae4029f759b78e216c8460c2611df7f6659675dc5f9b69b2
+SHA512 (remove-babeld-ldpd.sh) = a5bf67a3722cb20d43cef1dac28f839db68df73a1b7d34d8438e4f9366da3b67d85c1f44281f93434e8dd8ebcb2d3dc258b77eaa5627475b7395d207f020839d