v.ims.1 - Bump version

nhrp: configure strongswan vici path
Fix for CVE-2022-16126
2022-04-29 20:48:25 +02:00 · 2022-04-29 20:48:14 +02:00 · 2022-04-11 12:04:50 +02:00 · 2022-03-15 14:55:03 +01:00 · 2022-03-10 12:55:15 +01:00 · 2022-01-20 17:26:31 +01:00
18 changed files with 812 additions and 1046 deletions
--- a/.fmf/version
+++ b/.fmf/version
@@ -1 +0,0 @@
-1
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +0,0 @@
-*.tar.gz filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@@ -6,14 +6,6 @@
 /frr-7.4.tar.gz
 /frr-7.5.tar.gz
 /frr-7.5.1.tar.gz
-/frr-8.0.tar.gz
 /frr-8.0.1.tar.gz
 /frr-8.2.tar.gz
 /frr-8.2.2.tar.gz
-/frr-8.3.1.tar.gz
-/frr-8.4.tar.gz
-/frr-8.4.1.tar.gz
-/frr-8.4.2.tar.gz
-/frr-8.5.tar.gz
-/frr-8.5.1.tar.gz
-/frr-8.5.2.tar.gz
--- a/0000-remove-babeld-and-ldpd.patch
+++ b/0000-remove-babeld-and-ldpd.patch
@@ -0,0 +1,29 @@
+diff --git a/Makefile.am b/Makefile.am
+index 5be3264..33abc1d 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -130,8 +130,6 @@ include ospf6d/subdir.am
+ include ospfclient/subdir.am
+ include isisd/subdir.am
+ include nhrpd/subdir.am
+-include ldpd/subdir.am
+-include babeld/subdir.am
+ include eigrpd/subdir.am
+ include sharpd/subdir.am
+ include pimd/subdir.am
+@@ -182,7 +180,6 @@ EXTRA_DIST += \
+ 	snapcraft/defaults \
+ 	snapcraft/helpers \
+ 	snapcraft/snap \
+-	babeld/Makefile \
+ 	bgpd/Makefile \
+ 	bgpd/rfp-example/librfp/Makefile \
+ 	bgpd/rfp-example/rfptest/Makefile \
+@@ -193,7 +190,6 @@ EXTRA_DIST += \
+ 	fpm/Makefile \
+ 	grpc/Makefile \
+ 	isisd/Makefile \
+-	ldpd/Makefile \
+ 	lib/Makefile \
+ 	nhrpd/Makefile \
+ 	ospf6d/Makefile \
--- a/0001-remove-babeld-and-ldpd.patch
+++ b/0001-remove-babeld-and-ldpd.patch
@@ -1,68 +0,0 @@
-From 8c6e4318d2efd2314d8e9f30baefffef7de5a116 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
-Date: Sun, 8 Oct 2023 11:22:51 +0200
-Subject: [PATCH 1/5] remove babeld and ldpd
-
---
- Makefile.am           | 4 ----
- tools/etc/frr/daemons | 4 ----
- 2 files changed, 8 deletions(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index f56e1b8e0..a42811d94 100644
--- a/Makefile.am
-+++ b/Makefile.am
-@@ -196,8 +196,6 @@ include ospf6d/subdir.am
- include ospfclient/subdir.am
- include isisd/subdir.am
- include nhrpd/subdir.am
-include ldpd/subdir.am
-include babeld/subdir.am
- include eigrpd/subdir.am
- include sharpd/subdir.am
- include pimd/subdir.am
-@@ -261,7 +259,6 @@ EXTRA_DIST += \
- 	snapcraft/defaults \
- 	snapcraft/helpers \
- 	snapcraft/snap \
-	babeld/Makefile \
- 	mgmtd/Makefile \
- 	bgpd/Makefile \
- 	bgpd/rfp-example/librfp/Makefile \
-@@ -274,7 +271,6 @@ EXTRA_DIST += \
- 	fpm/Makefile \
- 	grpc/Makefile \
- 	isisd/Makefile \
-	ldpd/Makefile \
- 	lib/Makefile \
- 	nhrpd/Makefile \
- 	ospf6d/Makefile \
-diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
-index c487e7e5f..2e602901d 100644
--- a/tools/etc/frr/daemons
-+++ b/tools/etc/frr/daemons
-@@ -22,10 +22,8 @@ ripngd=no
- isisd=no
- pimd=no
- pim6d=no
-ldpd=no
- nhrpd=no
- eigrpd=no
-babeld=no
- sharpd=no
- pbrd=no
- bfdd=no
-@@ -49,10 +47,8 @@ ripngd_options=" -A ::1"
- isisd_options="  -A 127.0.0.1"
- pimd_options="   -A 127.0.0.1"
- pim6d_options="  -A ::1"
-ldpd_options="   -A 127.0.0.1"
- nhrpd_options="  -A 127.0.0.1"
- eigrpd_options=" -A 127.0.0.1"
-babeld_options=" -A 127.0.0.1"
- sharpd_options=" -A 127.0.0.1"
- pbrd_options="   -A 127.0.0.1"
- staticd_options="-A 127.0.0.1"
-- 
-2.41.0
-
--- a/0002-enable-openssl.patch
+++ b/0002-enable-openssl.patch
@@ -1,20 +1,44 @@
-From 51ec61745373caa4702604ee2d379066f90b6d60 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
-Date: Sun, 8 Oct 2023 11:19:44 +0200
-Subject: [PATCH 2/5] enable openssl
-
---
- isisd/isis_lsp.c | 2 ++
- isisd/isis_pdu.c | 2 ++
- isisd/isis_te.c  | 2 ++
- lib/subdir.am    | 4 ----
- 4 files changed, 6 insertions(+), 4 deletions(-)
-
+diff --git a/lib/subdir.am b/lib/subdir.am
+index 0b7af18..0533e24 100644
+--- a/lib/subdir.am
+++ b/lib/subdir.am
+@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \
+ 	lib/log.c \
+ 	lib/log_filter.c \
+ 	lib/log_vty.c \
+-	lib/md5.c \
+ 	lib/memory.c \
+ 	lib/mlag.c \
+ 	lib/module.c \
+@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
+ 	lib/routemap_northbound.c \
+ 	lib/sbuf.c \
+ 	lib/seqlock.c \
+-	lib/sha256.c \
+ 	lib/sigevent.c \
+ 	lib/skiplist.c \
+ 	lib/sockopt.c \
+@@ -170,7 +170,6 @@ pkginclude_HEADERS += \
+ 	lib/link_state.h \
+ 	lib/log.h \
+ 	lib/log_vty.h \
+-	lib/md5.h \
+ 	lib/memory.h \
+ 	lib/module.h \
+ 	lib/monotime.h \
+@@ -191,7 +190,6 @@ pkginclude_HEADERS += \
+ 	lib/route_opaque.h \
+ 	lib/sbuf.h \
+ 	lib/seqlock.h \
+-	lib/sha256.h \
+ 	lib/sigevent.h \
+ 	lib/skiplist.h \
+ 	lib/smux.h \
 diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
-index 950d5f359..4cd792246 100644
+index 1991666..2e4fe55 100644
 --- a/isisd/isis_lsp.c
 +++ b/isisd/isis_lsp.c
-@@ -22,7 +22,9 @@
+@@ -35,7 +35,9 @@
 #include "hash.h"
 #include "if.h"
 #include "checksum.h"
@@ -25,10 +49,10 @@ index 950d5f359..4cd792246 100644
 #include "srcdest_table.h"
 #include "lib_errors.h"
 diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c
-index 0cd43a7ab..b2e114d73 100644
+index 9c63311..7cf594c 100644
 --- a/isisd/isis_pdu.c
 +++ b/isisd/isis_pdu.c
-@@ -20,7 +20,9 @@
+@@ -33,7 +33,9 @@
 #include "prefix.h"
 #include "if.h"
 #include "checksum.h"
@@ -39,10 +63,10 @@ index 0cd43a7ab..b2e114d73 100644
 
 #include "isisd/isis_constants.h"
 diff --git a/isisd/isis_te.c b/isisd/isis_te.c
-index 90b53c540..9d98c16e7 100644
+index 4ea6c2c..72ff0d2 100644
 --- a/isisd/isis_te.c
 +++ b/isisd/isis_te.c
-@@ -24,7 +24,9 @@
+@@ -38,7 +38,9 @@
 #include "if.h"
 #include "vrf.h"
 #include "checksum.h"
@@ -52,42 +76,3 @@ index 90b53c540..9d98c16e7 100644
 #include "sockunion.h"
 #include "network.h"
 #include "sbuf.h"
-diff --git a/lib/subdir.am b/lib/subdir.am
-index d7b28ffbd..b2ee32168 100644
--- a/lib/subdir.am
-+++ b/lib/subdir.am
-@@ -63,7 +63,6 @@ lib_libfrr_la_SOURCES = \
- 	lib/log.c \
- 	lib/log_filter.c \
- 	lib/log_vty.c \
-	lib/md5.c \
- 	lib/memory.c \
- 	lib/mgmt_be_client.c \
- 	lib/mgmt_fe_client.c \
-@@ -95,7 +94,6 @@ lib_libfrr_la_SOURCES = \
- 	lib/routemap_northbound.c \
- 	lib/sbuf.c \
- 	lib/seqlock.c \
-	lib/sha256.c \
- 	lib/sigevent.c \
- 	lib/skiplist.c \
- 	lib/sockopt.c \
-@@ -248,7 +246,6 @@ pkginclude_HEADERS += \
- 	lib/link_state.h \
- 	lib/log.h \
- 	lib/log_vty.h \
-	lib/md5.h \
- 	lib/memory.h \
- 	lib/mgmt.pb-c.h \
- 	lib/mgmt_be_client.h \
-@@ -283,7 +280,6 @@ pkginclude_HEADERS += \
- 	lib/route_opaque.h \
- 	lib/sbuf.h \
- 	lib/seqlock.h \
-	lib/sha256.h \
- 	lib/sigevent.h \
- 	lib/skiplist.h \
- 	lib/smux.h \
-- 
-2.41.0
-
--- a/0003-disable-eigrp-crypto.patch
+++ b/0003-disable-eigrp-crypto.patch
@@ -1,26 +1,227 @@
-From 8ec9ddca959618ea6091711cd446ebac5b730147 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
-Date: Sun, 8 Oct 2023 11:23:48 +0200
-Subject: [PATCH 3/5] disable eigrp crypto
-
---
- eigrpd/eigrp_cli.c      | 15 +++++++++++++++
- eigrpd/eigrp_filter.c   |  2 ++
- eigrpd/eigrp_hello.c    |  2 ++
- eigrpd/eigrp_packet.c   | 27 +++++++++++++++++++++++++--
- eigrpd/eigrp_query.c    |  2 ++
- eigrpd/eigrp_reply.c    |  2 ++
- eigrpd/eigrp_siaquery.c |  2 ++
- eigrpd/eigrp_siareply.c |  2 ++
- eigrpd/eigrp_snmp.c     |  2 ++
- eigrpd/eigrp_update.c   |  2 ++
- 10 files changed, 56 insertions(+), 2 deletions(-)
-
+diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c
+index bedaf15..8dc09bf 100644
+--- a/eigrpd/eigrp_packet.c
+++ b/eigrpd/eigrp_packet.c
+@@ -40,8 +40,10 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
+#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
+ #include "sha256.h"
+#endif
+ #include "lib_errors.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+@@ -95,8 +97,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 	struct key *key = NULL;
+ 	struct keychain *keychain;
+ 
+
+ 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
+#ifdef CRYPTO_OPENSSL
+#elif CRYPTO_INTERNAL
+ 	MD5_CTX ctx;
+#endif
+ 	uint8_t *ibuf;
+ 	size_t backup_get, backup_end;
+ 	struct TLV_MD5_Authentication_Type *auth_TLV;
+@@ -119,6 +125,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 		return EIGRP_AUTH_TYPE_NONE;
+ 	}
+ 
+#ifdef CRYPTO_OPENSSL
+//TBD when this is fixed in upstream
+#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 
+@@ -146,7 +155,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 	}
+ 
+ 	MD5Final(digest, &ctx);
+-
+#endif
+ 	/* Append md5 digest to the end of the stream. */
+ 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN);
+ 
+@@ -162,7 +171,10 @@ int eigrp_check_md5_digest(struct stream *s,
+ 			   struct TLV_MD5_Authentication_Type *authTLV,
+ 			   struct eigrp_neighbor *nbr, uint8_t flags)
+ {
+#ifdef CRYPTO_OPENSSL
+#elif CRYPTO_INTERNAL
+ 	MD5_CTX ctx;
+#endif
+ 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
+ 	unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN];
+ 	struct key *key = NULL;
+@@ -203,6 +215,9 @@ int eigrp_check_md5_digest(struct stream *s,
+ 		return 0;
+ 	}
+ 
+#ifdef CRYPTO_OPENSSL
+	//TBD when eigrpd crypto is fixed in upstream
+#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 
+@@ -230,6 +245,7 @@ int eigrp_check_md5_digest(struct stream *s,
+ 	}
+ 
+ 	MD5Final(digest, &ctx);
+#endif
+ 
+ 	/* compare the two */
+ 	if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) {
+@@ -254,7 +270,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 	unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN];
+ 	unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0};
+ 
+#ifdef CRYPTO_OPENSSL
+	//TBD when eigrpd crypto is fixed in upstream
+#elif CRYPTO_INTERNAL
+ 	HMAC_SHA256_CTX ctx;
+#endif
+ 	void *ibuf;
+ 	size_t backup_get, backup_end;
+ 	struct TLV_SHA256_Authentication_Type *auth_TLV;
+@@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 
+ 	inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN);
+ 
+#ifdef CRYPTO_OPENSSL
+	//TBD when eigrpd crypto is fixed in upstream
+#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	buffer[0] = '\n';
+ 	memcpy(buffer + 1, key, strlen(key->string));
+@@ -291,7 +314,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 			  1 + strlen(key->string) + strlen(source_ip));
+ 	HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf));
+ 	HMAC__SHA256_Final(digest, &ctx);
+-
+#endif
+ 
+ 	/* Put hmac-sha256 digest to it's place */
+ 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN);
+diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c
+index 93eed94..f1c7347 100644
+--- a/eigrpd/eigrp_filter.c
+++ b/eigrpd/eigrp_filter.c
+@@ -47,7 +47,9 @@
+ #include "if_rmap.h"
+ #include "plist.h"
+ #include "distribute.h"
+#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
+#endif
+ #include "keychain.h"
+ #include "privs.h"
+ #include "vrf.h"
+diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c
+index dacd5ca..b232cc5 100644
+--- a/eigrpd/eigrp_hello.c
+++ b/eigrpd/eigrp_hello.c
+@@ -43,7 +43,9 @@
+ #include "sockopt.h"
+ #include "checksum.h"
+ #include "vty.h"
+#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
+#endif
+ 
+ #include "eigrpd/eigrp_structs.h"
+ #include "eigrpd/eigrpd.h"
+diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c
+index 84dcf5e..a2575e3 100644
+--- a/eigrpd/eigrp_query.c
+++ b/eigrpd/eigrp_query.c
+@@ -38,7 +38,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
+#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
+#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c
+index ccf0496..2902365 100644
+--- a/eigrpd/eigrp_reply.c
+++ b/eigrpd/eigrp_reply.c
+@@ -42,7 +42,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
+#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
+#endif
+ #include "vty.h"
+ #include "keychain.h"
+ #include "plist.h"
+diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c
+index ff38325..09b9369 100644
+--- a/eigrpd/eigrp_siaquery.c
+++ b/eigrpd/eigrp_siaquery.c
+@@ -38,7 +38,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
+#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
+#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c
+index d3dd123..f6a2bd6 100644
+--- a/eigrpd/eigrp_siareply.c
+++ b/eigrpd/eigrp_siareply.c
+@@ -37,7 +37,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
+#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
+#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c
+index 21c9238..cfb8890 100644
+--- a/eigrpd/eigrp_snmp.c
+++ b/eigrpd/eigrp_snmp.c
+@@ -42,7 +42,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
+#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
+#endif
+ #include "keychain.h"
+ #include "smux.h"
+ 
+diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c
+index 8db4903..2a4f0bb 100644
+--- a/eigrpd/eigrp_update.c
+++ b/eigrpd/eigrp_update.c
+@@ -42,7 +42,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
+#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
+#endif
+ #include "vty.h"
+ #include "plist.h"
+ #include "plist_int.h"
 diff --git a/eigrpd/eigrp_cli.c b/eigrpd/eigrp_cli.c
-index 213834afc..73647937d 100644
+index a93d4c8..b01e121 100644
 --- a/eigrpd/eigrp_cli.c
 +++ b/eigrpd/eigrp_cli.c
-@@ -11,6 +11,7 @@
+@@ -25,6 +25,7 @@
 #include "lib/command.h"
 #include "lib/log.h"
 #include "lib/northbound_cli.h"
@@ -28,7 +229,7 @@ index 213834afc..73647937d 100644
 
 #include "eigrp_structs.h"
 #include "eigrpd.h"
-@@ -716,6 +717,20 @@ DEFPY_YANG(
+@@ -726,6 +726,20 @@ DEFPY(
 	"Keyed message digest\n"
 	"HMAC SHA256 algorithm \n")
 {
@@ -49,225 +250,3 @@ index 213834afc..73647937d 100644
 	char xpath[XPATH_MAXLEN], xpath_auth[XPATH_MAXLEN + 64];
 
 	snprintf(xpath, sizeof(xpath), "./frr-eigrpd:eigrp/instance[asn='%s']",
-diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c
-index eceef6b8a..1d194be14 100644
--- a/eigrpd/eigrp_filter.c
-+++ b/eigrpd/eigrp_filter.c
-@@ -32,7 +32,9 @@
- #include "if_rmap.h"
- #include "plist.h"
- #include "distribute.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "keychain.h"
- #include "privs.h"
- #include "vrf.h"
-diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c
-index 662c750e9..a3a5ec822 100644
--- a/eigrpd/eigrp_hello.c
-+++ b/eigrpd/eigrp_hello.c
-@@ -28,7 +28,9 @@
- #include "sockopt.h"
- #include "checksum.h"
- #include "vty.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- 
- #include "eigrpd/eigrp_structs.h"
- #include "eigrpd/eigrpd.h"
-diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c
-index 963d229bc..587eb422e 100644
--- a/eigrpd/eigrp_packet.c
-+++ b/eigrpd/eigrp_packet.c
-@@ -25,8 +25,10 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
- #include "sha256.h"
-+#endif
- #include "lib_errors.h"
- 
- #include "eigrpd/eigrp_structs.h"
-@@ -88,8 +90,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
- 	struct key *key = NULL;
- 	struct keychain *keychain;
- 
-+
- 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
-+#ifdef CRYPTO_OPENSSL
-+#elif CRYPTO_INTERNAL
- 	MD5_CTX ctx;
-+#endif
- 	uint8_t *ibuf;
- 	size_t backup_get, backup_end;
- 	struct TLV_MD5_Authentication_Type *auth_TLV;
-@@ -112,6 +118,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
- 		return EIGRP_AUTH_TYPE_NONE;
- 	}
- 
-+#ifdef CRYPTO_OPENSSL
-+//TBD when this is fixed in upstream
-+#elif CRYPTO_INTERNAL
- 	memset(&ctx, 0, sizeof(ctx));
- 	MD5Init(&ctx);
- 
-@@ -139,7 +148,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
- 	}
- 
- 	MD5Final(digest, &ctx);
-
-+#endif
- 	/* Append md5 digest to the end of the stream. */
- 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN);
- 
-@@ -155,7 +164,10 @@ int eigrp_check_md5_digest(struct stream *s,
- 			   struct TLV_MD5_Authentication_Type *authTLV,
- 			   struct eigrp_neighbor *nbr, uint8_t flags)
- {
-+#ifdef CRYPTO_OPENSSL
-+#elif CRYPTO_INTERNAL
- 	MD5_CTX ctx;
-+#endif
- 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
- 	unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN];
- 	struct key *key = NULL;
-@@ -196,6 +208,9 @@ int eigrp_check_md5_digest(struct stream *s,
- 		return 0;
- 	}
- 
-+#ifdef CRYPTO_OPENSSL
-+	//TBD when eigrpd crypto is fixed in upstream
-+#elif CRYPTO_INTERNAL
- 	memset(&ctx, 0, sizeof(ctx));
- 	MD5Init(&ctx);
- 
-@@ -223,6 +238,7 @@ int eigrp_check_md5_digest(struct stream *s,
- 	}
- 
- 	MD5Final(digest, &ctx);
-+#endif
- 
- 	/* compare the two */
- 	if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) {
-@@ -247,7 +263,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
- 	unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN];
- 	unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0};
- 
-+#ifdef CRYPTO_OPENSSL
-+	//TBD when eigrpd crypto is fixed in upstream
-+#elif CRYPTO_INTERNAL
- 	HMAC_SHA256_CTX ctx;
-+#endif
- 	void *ibuf;
- 	size_t backup_get, backup_end;
- 	struct TLV_SHA256_Authentication_Type *auth_TLV;
-@@ -276,6 +296,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
- 
- 	inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN);
- 
-+#ifdef CRYPTO_OPENSSL
-+	//TBD when eigrpd crypto is fixed in upstream
-+#elif CRYPTO_INTERNAL
- 	memset(&ctx, 0, sizeof(ctx));
- 	buffer[0] = '\n';
- 	memcpy(buffer + 1, key, strlen(key->string));
-@@ -284,7 +307,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
- 			  1 + strlen(key->string) + strlen(source_ip));
- 	HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf));
- 	HMAC__SHA256_Final(digest, &ctx);
-
-+#endif
- 
- 	/* Put hmac-sha256 digest to it's place */
- 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN);
-diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c
-index 0e206cded..4b3f4e082 100644
--- a/eigrpd/eigrp_query.c
-+++ b/eigrpd/eigrp_query.c
-@@ -23,7 +23,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "vty.h"
- 
- #include "eigrpd/eigrp_structs.h"
-diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c
-index aae89e832..1fb1f404d 100644
--- a/eigrpd/eigrp_reply.c
-+++ b/eigrpd/eigrp_reply.c
-@@ -27,7 +27,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "vty.h"
- #include "keychain.h"
- #include "plist.h"
-diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c
-index 71486a1f6..430e8ce71 100644
--- a/eigrpd/eigrp_siaquery.c
-+++ b/eigrpd/eigrp_siaquery.c
-@@ -23,7 +23,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "vty.h"
- 
- #include "eigrpd/eigrp_structs.h"
-diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c
-index 6c8c1ef58..b16e0fcfc 100644
--- a/eigrpd/eigrp_siareply.c
-+++ b/eigrpd/eigrp_siareply.c
-@@ -22,7 +22,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "vty.h"
- 
- #include "eigrpd/eigrp_structs.h"
-diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c
-index 492ef3e71..5618c3f2b 100644
--- a/eigrpd/eigrp_snmp.c
-+++ b/eigrpd/eigrp_snmp.c
-@@ -27,7 +27,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "keychain.h"
- #include "smux.h"
- 
-diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c
-index a056267bf..3dc8d0e56 100644
--- a/eigrpd/eigrp_update.c
-+++ b/eigrpd/eigrp_update.c
-@@ -27,7 +27,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "vty.h"
- #include "plist.h"
- #include "plist_int.h"
-- 
-2.41.0
-
--- a/0004-fips-mode.patch
+++ b/0004-fips-mode.patch
@@ -1,63 +1,8 @@
-From 730598d8a4c1bd32d0e4fc0e76be926314a6f57b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
-Date: Sun, 8 Oct 2023 11:24:43 +0200
-Subject: [PATCH 4/5] fips mode
-
---
- isisd/isis_circuit.c |  4 ++++
- isisd/isisd.c        |  4 ++++
- lib/zebra.h          |  1 +
- ospfd/ospf_vty.c     | 24 ++++++++++++++++++++++++
- ripd/rip_cli.c       |  6 ++++++
- 5 files changed, 39 insertions(+)
-
-diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
-index feab45123..f02bae968 100644
--- a/isisd/isis_circuit.c
-+++ b/isisd/isis_circuit.c
-@@ -1542,6 +1542,10 @@ ferr_r isis_circuit_passwd_set(struct isis_circuit *circuit,
- 		return ferr_code_bug(
- 			"circuit password too long (max 254 chars)");
- 
-+	//When in FIPS mode, the password never gets set in MD5
-+	if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
-+		return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
-+
- 	circuit->passwd.len = len;
- 	strlcpy((char *)circuit->passwd.passwd, passwd,
- 		sizeof(circuit->passwd.passwd));
-diff --git a/isisd/isisd.c b/isisd/isisd.c
-index ea304ba5e..67f6e253a 100644
--- a/isisd/isisd.c
-+++ b/isisd/isisd.c
-@@ -3036,6 +3036,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
- 		if (len > 254)
- 			return -1;
- 
-+		//When in FIPS mode, the password never get set in MD5
-+		if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
-+			return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
-+
- 		modified.len = len;
- 		strlcpy((char *)modified.passwd, passwd,
- 			sizeof(modified.passwd));
-diff --git a/lib/zebra.h b/lib/zebra.h
-index ecc87f58f..5cb716759 100644
--- a/lib/zebra.h
-+++ b/lib/zebra.h
-@@ -90,6 +90,7 @@
- #ifdef CRYPTO_OPENSSL
- #include <openssl/evp.h>
- #include <openssl/hmac.h>
-+#include <openssl/fips.h>
- #endif
- 
- #include "openbsd-tree.h"
 diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
-index 5cd70c7c2..0b8dbaa73 100644
+index 631465f..e084ff3 100644
 --- a/ospfd/ospf_vty.c
 +++ b/ospfd/ospf_vty.c
-@@ -1069,6 +1069,11 @@ DEFUN (ospf_area_vlink,
+@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
 
 	if (argv_find(argv, argc, "message-digest", &idx)) {
 		/* authentication message-digest */
@@ -69,7 +14,7 @@ index 5cd70c7c2..0b8dbaa73 100644
 		vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
 	} else if (argv_find(argv, argc, "null", &idx)) {
 		/* "authentication null" */
-@@ -1974,6 +1979,15 @@ DEFUN (ospf_area_authentication_message_digest,
+@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest,
 				  ? OSPF_AUTH_NULL
 				  : OSPF_AUTH_CRYPTOGRAPHIC;
 
@@ -85,7 +30,7 @@ index 5cd70c7c2..0b8dbaa73 100644
 	return CMD_SUCCESS;
 }
 
-@@ -7419,6 +7433,11 @@ DEFUN (ip_ospf_authentication_args,
+@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args,
 
 	/* Handle message-digest authentication */
 	if (argv[idx_encryption]->arg[0] == 'm') {
@@ -97,7 +42,7 @@ index 5cd70c7c2..0b8dbaa73 100644
 		SET_IF_PARAM(params, auth_type);
 		params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
 		return CMD_SUCCESS;
-@@ -7725,6 +7744,11 @@ DEFUN (ip_ospf_message_digest_key,
+@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
        "The OSPF password (key)\n"
        "Address of interface\n")
 {
@@ -109,11 +54,41 @@ index 5cd70c7c2..0b8dbaa73 100644
 	VTY_DECLVAR_CONTEXT(interface, ifp);
 	struct crypt_key *ck;
 	uint8_t key_id;
+diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
+index 81b4b39..cce33d9 100644
+--- a/isisd/isis_circuit.c
+++ b/isisd/isis_circuit.c
+@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
+ 		return ferr_code_bug(
+ 			"circuit password too long (max 254 chars)");
+ 
+	//When in FIPS mode, the password never gets set in MD5
+	if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
+		return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+
+ 	circuit->passwd.len = len;
+ 	strlcpy((char *)circuit->passwd.passwd, passwd,
+ 		sizeof(circuit->passwd.passwd));
+diff --git a/isisd/isisd.c b/isisd/isisd.c
+index 419127c..a6c36af 100644
+--- a/isisd/isisd.c
+++ b/isisd/isisd.c
+@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
+ 		if (len > 254)
+ 			return -1;
+ 
+		//When in FIPS mode, the password never get set in MD5
+		if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
+			return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+
+ 		modified.len = len;
+ 		strlcpy((char *)modified.passwd, passwd,
+ 			sizeof(modified.passwd));
 diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
-index 097c708ab..854a16e4e 100644
+index 5bb81ef..02a09ef 100644
 --- a/ripd/rip_cli.c
 +++ b/ripd/rip_cli.c
-@@ -876,6 +876,12 @@ DEFPY_YANG (ip_rip_authentication_mode,
+@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
 			value = "20";
 	}
 
@@ -126,6 +101,3 @@ index 097c708ab..854a16e4e 100644
 	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
 			      strmatch(mode, "md5") ? "md5" : "plain-text");
 	if (strmatch(mode, "md5"))
-- 
-2.41.0
-
--- a/0005-remove-grpc-test.patch
+++ b/0005-remove-grpc-test.patch
@@ -1,19 +1,10 @@
-From a41d8382ba6b5ba0edf1887e65bbd21676ca9be4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
-Date: Sun, 8 Oct 2023 11:26:25 +0200
-Subject: [PATCH 5/5] remove grpc test
-
---
- tests/lib/subdir.am | 11 -----------
- 1 file changed, 11 deletions(-)
-
 diff --git a/tests/lib/subdir.am b/tests/lib/subdir.am
-index 6c1be5020..2ac3d508e 100644
+index 7b5eaa4..5c82f69 100644
 --- a/tests/lib/subdir.am
 +++ b/tests/lib/subdir.am
-@@ -24,17 +24,6 @@ copy_script: tests/lib/script1.lua
- 	test -e tests/lib/script1.lua || \
- 	$(INSTALL_SCRIPT) $< tests/lib/script1.lua
+@@ -18,18 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
+ EXTRA_DIST += tests/lib/test_frrscript.py
+ 
 
 -##############################################################################
 -GRPC_TESTS_LDADD = staticd/libstatic.a grpc/libfrrgrpc_pb.la -lgrpc++ -lprotobuf $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
@@ -26,9 +17,7 @@ index 6c1be5020..2ac3d508e 100644
 -tests_lib_test_grpc_LDADD = $(GRPC_TESTS_LDADD)
 -tests_lib_test_grpc_SOURCES = tests/lib/test_grpc.cpp
 -
- 
+-
 ##############################################################################
 if ZEROMQ
-- 
-2.41.0
-
+ check_PROGRAMS += tests/lib/test_zmq
--- a/0006-cve-2022-26126.patch
+++ b/0006-cve-2022-26126.patch
@@ -0,0 +1,461 @@
+From ac3133450de12ba86c051265fc0f1b12bc57b40c Mon Sep 17 00:00:00 2001
+From: whichbug <whichbug@github.com>
+Date: Thu, 10 Feb 2022 22:49:41 -0500
+Subject: [PATCH] isisd: fix #10505 using base64 encoding
+
+Using base64 instead of the raw string to encode
+the binary data.
+
+Signed-off-by: whichbug <whichbug@github.com>
+---
+ isisd/isis_nb_notifications.c |  16 +--
+ lib/base64.c                  | 193 ++++++++++++++++++++++++++++++++++
+ lib/base64.h                  |  45 ++++++++
+ lib/subdir.am                 |   2 +
+ lib/yang_wrappers.c           |  59 +++++++++++
+ lib/yang_wrappers.h           |   7 ++
+ 6 files changed, 314 insertions(+), 8 deletions(-)
+ create mode 100644 lib/base64.c
+ create mode 100644 lib/base64.h
+
+diff --git a/isisd/isis_nb_notifications.c b/isisd/isis_nb_notifications.c
+index f219632acf7..fd7b1b3159a 100644
+--- a/isisd/isis_nb_notifications.c
+++ b/isisd/isis_nb_notifications.c
+@@ -245,7 +245,7 @@ void isis_notif_max_area_addr_mismatch(const struct isis_circuit *circuit,
+ 	data = yang_data_new_uint8(xpath_arg, max_area_addrs);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_max_area_addr_mismatch, circuit, max_area_addrs,
+@@ -270,7 +270,7 @@ void isis_notif_authentication_type_failure(const struct isis_circuit *circuit,
+ 	notif_prep_instance_hdr(xpath, area, "default", arguments);
+ 	notif_prepr_iface_hdr(xpath, circuit, arguments);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_authentication_type_failure, circuit, raw_pdu,
+@@ -294,7 +294,7 @@ void isis_notif_authentication_failure(const struct isis_circuit *circuit,
+ 	notif_prep_instance_hdr(xpath, area, "default", arguments);
+ 	notif_prepr_iface_hdr(xpath, circuit, arguments);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_authentication_failure, circuit, raw_pdu,
+@@ -361,7 +361,7 @@ void isis_notif_reject_adjacency(const struct isis_circuit *circuit,
+ 	data = yang_data_new_string(xpath_arg, reason);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_reject_adjacency, circuit, raw_pdu, raw_pdu_len);
+@@ -384,7 +384,7 @@ void isis_notif_area_mismatch(const struct isis_circuit *circuit,
+ 	notif_prep_instance_hdr(xpath, area, "default", arguments);
+ 	notif_prepr_iface_hdr(xpath, circuit, arguments);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_area_mismatch, circuit, raw_pdu, raw_pdu_len);
+@@ -467,7 +467,7 @@ void isis_notif_id_len_mismatch(const struct isis_circuit *circuit,
+ 	data = yang_data_new_uint8(xpath_arg, rcv_id_len);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_id_len_mismatch, circuit, rcv_id_len, raw_pdu,
+@@ -495,7 +495,7 @@ void isis_notif_version_skew(const struct isis_circuit *circuit,
+ 	data = yang_data_new_uint8(xpath_arg, version);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_version_skew, circuit, version, raw_pdu,
+@@ -525,7 +525,7 @@ void isis_notif_lsp_error(const struct isis_circuit *circuit,
+ 	data = yang_data_new_string(xpath_arg, rawlspid_print(lsp_id));
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 	/* ignore offset and tlv_type which cannot be set properly */
+ 
+diff --git a/lib/base64.c b/lib/base64.c
+new file mode 100644
+index 00000000000..e3f238969b3
+--- /dev/null
+++ b/lib/base64.c
+@@ -0,0 +1,193 @@
+/*
+ * This is part of the libb64 project, and has been placed in the public domain.
+ * For details, see http://sourceforge.net/projects/libb64
+ */
+
+#include "base64.h"
+
+static const int CHARS_PER_LINE = 72;
+static const char *ENCODING =
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+void base64_init_encodestate(struct base64_encodestate *state_in)
+{
+	state_in->step = step_A;
+	state_in->result = 0;
+	state_in->stepcount = 0;
+}
+
+char base64_encode_value(char value_in)
+{
+	if (value_in > 63)
+		return '=';
+	return ENCODING[(int)value_in];
+}
+
+int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
+			struct base64_encodestate *state_in)
+{
+	const char *plainchar = plaintext_in;
+	const char *const plaintextend = plaintext_in + length_in;
+	char *codechar = code_out;
+	char result;
+	char fragment;
+
+	result = state_in->result;
+
+	switch (state_in->step) {
+		while (1) {
+			case step_A:
+				if (plainchar == plaintextend) {
+					state_in->result = result;
+					state_in->step = step_A;
+					return codechar - code_out;
+				}
+				fragment = *plainchar++;
+				result = (fragment & 0x0fc) >> 2;
+				*codechar++ = base64_encode_value(result);
+				result = (fragment & 0x003) << 4;
+				/* fall through */
+			case step_B:
+				if (plainchar == plaintextend) {
+					state_in->result = result;
+					state_in->step = step_B;
+					return codechar - code_out;
+				}
+				fragment = *plainchar++;
+				result |= (fragment & 0x0f0) >> 4;
+				*codechar++ = base64_encode_value(result);
+				result = (fragment & 0x00f) << 2;
+				/* fall through */
+			case step_C:
+				if (plainchar == plaintextend) {
+					state_in->result = result;
+					state_in->step = step_C;
+					return codechar - code_out;
+				}
+				fragment = *plainchar++;
+				result |= (fragment & 0x0c0) >> 6;
+				*codechar++ = base64_encode_value(result);
+				result  = (fragment & 0x03f) >> 0;
+				*codechar++ = base64_encode_value(result);
+
+				++(state_in->stepcount);
+				if (state_in->stepcount == CHARS_PER_LINE/4) {
+					*codechar++ = '\n';
+					state_in->stepcount = 0;
+				}
+		}
+	}
+	/* control should not reach here */
+	return codechar - code_out;
+}
+
+int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in)
+{
+	char *codechar = code_out;
+
+	switch (state_in->step) {
+	case step_B:
+		*codechar++ = base64_encode_value(state_in->result);
+		*codechar++ = '=';
+		*codechar++ = '=';
+		break;
+	case step_C:
+		*codechar++ = base64_encode_value(state_in->result);
+		*codechar++ = '=';
+		break;
+	case step_A:
+		break;
+	}
+	*codechar++ = '\n';
+
+	return codechar - code_out;
+}
+
+
+signed char base64_decode_value(signed char value_in)
+{
+	static const signed char decoding[] = {
+		62, -1, -1, -1, 63, 52, 53, 54,
+		55, 56, 57, 58, 59, 60, 61, -1,
+		-1, -1, -2, -1, -1, -1, 0, 1,
+		2,  3, 4, 5, 6, 7, 8, 9,
+		10, 11, 12, 13, 14, 15, 16, 17,
+		18, 19, 20, 21, 22, 23, 24, 25,
+		-1, -1, -1, -1, -1, -1, 26, 27,
+		28, 29, 30, 31, 32, 33, 34, 35,
+		36, 37, 38, 39, 40, 41, 42, 43,
+		44, 45, 46, 47, 48, 49, 50, 51
+	};
+	value_in -= 43;
+	if (value_in < 0 || value_in >= 80)
+		return -1;
+	return decoding[(int)value_in];
+}
+
+void base64_init_decodestate(struct base64_decodestate *state_in)
+{
+	state_in->step = step_a;
+	state_in->plainchar = 0;
+}
+
+int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
+			struct base64_decodestate *state_in)
+{
+	const char *codec = code_in;
+	char *plainc = plaintext_out;
+	signed char fragmt;
+
+	*plainc = state_in->plainchar;
+
+	switch (state_in->step) {
+		while (1) {
+			case step_a:
+				do {
+					if (codec == code_in+length_in) {
+						state_in->step = step_a;
+						state_in->plainchar = *plainc;
+						return plainc - plaintext_out;
+					}
+					fragmt = base64_decode_value(*codec++);
+				} while (fragmt < 0);
+				*plainc = (fragmt & 0x03f) << 2;
+				/* fall through */
+			case step_b:
+				do {
+					if (codec == code_in+length_in) {
+						state_in->step = step_b;
+						state_in->plainchar = *plainc;
+						return plainc - plaintext_out;
+					}
+					fragmt = base64_decode_value(*codec++);
+				} while (fragmt < 0);
+				*plainc++ |= (fragmt & 0x030) >> 4;
+				*plainc = (fragmt & 0x00f) << 4;
+				/* fall through */
+			case step_c:
+				do {
+					if (codec == code_in+length_in) {
+						state_in->step = step_c;
+						state_in->plainchar = *plainc;
+						return plainc - plaintext_out;
+					}
+					fragmt = base64_decode_value(*codec++);
+				} while (fragmt < 0);
+				*plainc++ |= (fragmt & 0x03c) >> 2;
+				*plainc = (fragmt & 0x003) << 6;
+				/* fall through */
+			case step_d:
+				do {
+					if (codec == code_in+length_in) {
+						state_in->step = step_d;
+						state_in->plainchar = *plainc;
+						return plainc - plaintext_out;
+					}
+					fragmt = base64_decode_value(*codec++);
+				} while (fragmt < 0);
+				*plainc++   |= (fragmt & 0x03f);
+		}
+	}
+	/* control should not reach here */
+	return plainc - plaintext_out;
+}
+diff --git a/lib/base64.h b/lib/base64.h
+new file mode 100644
+index 00000000000..3dc1559aa48
+--- /dev/null
+++ b/lib/base64.h
+@@ -0,0 +1,45 @@
+/*
+ * This is part of the libb64 project, and has been placed in the public domain.
+ * For details, see http://sourceforge.net/projects/libb64
+ */
+
+#ifndef _BASE64_H_
+#define _BASE64_H_
+
+enum base64_encodestep {
+	step_A, step_B, step_C
+};
+
+struct base64_encodestate {
+	enum base64_encodestep step;
+	char result;
+	int stepcount;
+};
+
+void base64_init_encodestate(struct base64_encodestate *state_in);
+
+char base64_encode_value(char value_in);
+
+int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
+			struct base64_encodestate *state_in);
+
+int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in);
+
+
+enum base64_decodestep {
+	step_a, step_b, step_c, step_d
+};
+
+struct base64_decodestate {
+	enum base64_decodestep step;
+	char plainchar;
+};
+
+void base64_init_decodestate(struct base64_decodestate *state_in);
+
+signed char base64_decode_value(signed char value_in);
+
+int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
+			struct base64_decodestate *state_in);
+
+#endif /* _BASE64_H_ */
+diff --git a/lib/subdir.am b/lib/subdir.am
+index 648ab7f14a1..f8f82f2766f 100644
+--- a/lib/subdir.am
+++ b/lib/subdir.am
+@@ -8,6 +8,7 @@ lib_libfrr_la_LIBADD = $(LIBCAP) $(UNWIND_LIBS) $(LIBYANG_LIBS) $(LUA_LIB) $(UST
+ lib_libfrr_la_SOURCES = \
+ 	lib/agg_table.c \
+ 	lib/atomlist.c \
+	lib/base64.c \
+ 	lib/bfd.c \
+ 	lib/buffer.c \
+ 	lib/checksum.c \
+@@ -177,6 +178,7 @@ clippy_scan += \
+ pkginclude_HEADERS += \
+ 	lib/agg_table.h \
+ 	lib/atomlist.h \
+	lib/base64.h \
+ 	lib/bfd.h \
+ 	lib/bitfield.h \
+ 	lib/buffer.h \
+diff --git a/lib/yang_wrappers.c b/lib/yang_wrappers.c
+index 85aa003db72..bee76c6e0f5 100644
+--- a/lib/yang_wrappers.c
+++ b/lib/yang_wrappers.c
+@@ -19,6 +19,7 @@
+ 
+ #include <zebra.h>
+ 
+#include "base64.h"
+ #include "log.h"
+ #include "lib_errors.h"
+ #include "northbound.h"
+@@ -676,6 +677,64 @@ void yang_get_default_string_buf(char *buf, size_t size, const char *xpath_fmt,
+ 			  xpath);
+ }
+ 
+/*
+ * Primitive type: binary.
+ */
+struct yang_data *yang_data_new_binary(const char *xpath, const char *value,
+				       size_t len)
+{
+	char *value_str;
+	struct base64_encodestate s;
+	int cnt;
+	char *c;
+	struct yang_data *data;
+
+	value_str = (char *)malloc(len * 2);
+	base64_init_encodestate(&s);
+	cnt = base64_encode_block(value, len, value_str, &s);
+	c = value_str + cnt;
+	cnt = base64_encode_blockend(c, &s);
+	c += cnt;
+	*c = 0;
+	data = yang_data_new(xpath, value_str);
+	free(value_str);
+	return data;
+}
+
+size_t yang_dnode_get_binary_buf(char *buf, size_t size,
+				 const struct lyd_node *dnode,
+				 const char *xpath_fmt, ...)
+{
+	const char *canon;
+	size_t cannon_len;
+	size_t decode_len;
+	size_t ret_len;
+	size_t cnt;
+	char *value_str;
+	struct base64_decodestate s;
+
+	canon = YANG_DNODE_XPATH_GET_CANON(dnode, xpath_fmt);
+	cannon_len = strlen(canon);
+	decode_len = cannon_len;
+	value_str = (char *)malloc(decode_len);
+	base64_init_decodestate(&s);
+	cnt = base64_decode_block(canon, cannon_len, value_str, &s);
+
+	ret_len = size > cnt ? cnt : size;
+	memcpy(buf, value_str, ret_len);
+	if (size < cnt) {
+		char xpath[XPATH_MAXLEN];
+
+		yang_dnode_get_path(dnode, xpath, sizeof(xpath));
+		flog_warn(EC_LIB_YANG_DATA_TRUNCATED,
+			  "%s: value was truncated [xpath %s]", __func__,
+			  xpath);
+	}
+	free(value_str);
+	return ret_len;
+}
+
+
+ /*
+  * Primitive type: empty.
+  */
+diff --git a/lib/yang_wrappers.h b/lib/yang_wrappers.h
+index d781dfb1e42..56b314876f2 100644
+--- a/lib/yang_wrappers.h
+++ b/lib/yang_wrappers.h
+@@ -118,6 +118,13 @@ extern const char *yang_get_default_string(const char *xpath_fmt, ...);
+ extern void yang_get_default_string_buf(char *buf, size_t size,
+ 					const char *xpath_fmt, ...);
+ 
+/* binary */
+extern struct yang_data *yang_data_new_binary(const char *xpath,
+					      const char *value, size_t len);
+extern size_t yang_dnode_get_binary_buf(char *buf, size_t size,
+					const struct lyd_node *dnode,
+					const char *xpath_fmt, ...);
+
+ /* empty */
+ extern struct yang_data *yang_data_new_empty(const char *xpath);
+ extern bool yang_dnode_get_empty(const struct lyd_node *dnode,
--- a/frr-9.0.2.tar.gz
+++ b/frr-9.0.2.tar.gz
--- a/frr.fc
+++ b/frr.fc
@@ -1,29 +0,0 @@
-/usr/libexec/frr/(.*)?              gen_context(system_u:object_r:frr_exec_t,s0)
-
-/usr/lib/systemd/system/frr.*   gen_context(system_u:object_r:frr_unit_file_t,s0)
-
-/etc/frr(/.*)?                  gen_context(system_u:object_r:frr_conf_t,s0)
-
-/var/log/frr(/.*)?              gen_context(system_u:object_r:frr_log_t,s0)
-/var/tmp/frr(/.*)?              gen_context(system_u:object_r:frr_tmp_t,s0)
-
-/var/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/eigrpd     --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/fabricd    --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/isisd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/nhrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ospf6d     --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ospfd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/pbrd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/pimd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ripd       --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/ripngd     --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/staticd    --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/zebra      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/vrrpd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-/var/lock/subsys/pathd      --  gen_context(system_u:object_r:frr_lock_t,s0)
-
-/var/run/frr(/.*)?              gen_context(system_u:object_r:frr_var_run_t,s0)
-
-/usr/bin/vtysh              --  gen_context(system_u:object_r:frr_exec_t,s0)
--- a/frr.if
+++ b/frr.if
@@ -1,215 +0,0 @@
-## <summary>policy for frr</summary>
-
-########################################
-## <summary>
-##	Execute frr_exec_t in the frr domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`frr_domtrans',`
-	gen_require(`
-		type frr_t, frr_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, frr_exec_t, frr_t)
-')
-
-######################################
-## <summary>
-##	Execute frr in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`frr_exec',`
-	gen_require(`
-		type frr_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, frr_exec_t)
-')
-
-########################################
-## <summary>
-##	Read frr's log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`frr_read_log',`
-	gen_require(`
-		type frr_log_t;
-	')
-
-	read_files_pattern($1, frr_log_t, frr_log_t)
-	optional_policy(`
-		logging_search_logs($1)
-	')
-')
-
-########################################
-## <summary>
-##	Append to frr log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`frr_append_log',`
-	gen_require(`
-		type frr_log_t;
-	')
-
-	append_files_pattern($1, frr_log_t, frr_log_t)
-	optional_policy(`
-		logging_search_logs($1)
-	')
-')
-
-########################################
-## <summary>
-##	Manage frr log files
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`frr_manage_log',`
-	gen_require(`
-		type frr_log_t;
-	')
-
-	manage_dirs_pattern($1, frr_log_t, frr_log_t)
-	manage_files_pattern($1, frr_log_t, frr_log_t)
-	manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
-	optional_policy(`
-		logging_search_logs($1)
-	')
-')
-
-########################################
-## <summary>
-##	Read frr PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`frr_read_pid_files',`
-	gen_require(`
-		type frr_var_run_t;
-	')
-
-	files_search_pids($1)
-	read_files_pattern($1, frr_var_run_t, frr_var_run_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to administrate
-##	an frr environment
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`frr_admin',`
-	gen_require(`
-		type frr_t;
-		type frr_log_t;
-		type frr_var_run_t;
-	')
-
-	allow $1 frr_t:process { signal_perms };
-	ps_process_pattern($1, frr_t)
-
-	tunable_policy(`deny_ptrace',`',`
-		allow $1 frr_t:process ptrace;
-	')
-
-	admin_pattern($1, frr_log_t)
-
-	files_search_pids($1)
-	admin_pattern($1, frr_var_run_t)
-	optional_policy(`
-		logging_search_logs($1)
-	')
-	optional_policy(`
-		systemd_passwd_agent_exec($1)
-		systemd_read_fifo_file_passwd_run($1)
-	')
-')
-
-########################################
-#
-# Interface compatibility blocks
-#
-# The following definitions ensure compatibility with distribution policy
-# versions that do not contain given interfaces (epel, or older Fedora
-# releases).
-# Each block tests for existence of given interface and defines it if needed.
-#
-
-######################################
-## <summary>
-##	Watch ifconfig_var_run_t directories
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-ifndef(`sysnet_watch_ifconfig_run',`
-	interface(`sysnet_watch_ifconfig_run',`
-		gen_require(`
-			type ifconfig_var_run_t;
-		')
-
-		watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
-	')
-')
-
-########################################
-## <summary>
-##	Read ifconfig_var_run_t files and link files
-## </summary>
-## <param name="domain">
-##	<summary>
-##      Domain allowed access.
-##	</summary>
-## </param>
-#
-ifndef(`sysnet_read_ifconfig_run',`
-	interface(`sysnet_read_ifconfig_run',`
-		gen_require(`
-			type ifconfig_var_run_t;
-		')
-
-		list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
-		read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
-		read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
-	')
-')
-
--- a/frr.spec
+++ b/frr.spec
@@ -3,30 +3,24 @@
 %global frr_libdir %{_libexecdir}/frr

 %global _hardened_build 1
-%global selinuxtype targeted
 %define _legacy_common_support 1
-%bcond grpc %{undefined rhel}
-%bcond selinux 1

 Name:           frr
-Version:        9.0.2
-Release:        1%{?dist}
+Version:        8.2.2
+Release:        2%{?dist}
 Summary:        Routing daemon
 License:        GPLv2+
 URL:            http://www.frrouting.org
 Source0:        https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 Source1:        %{name}-tmpfiles.conf
 Source2:        %{name}-sysusers.conf
-#Decentralized SELinux policy
-Source3:        frr.fc
-Source4:        frr.te
-Source5:        frr.if

-Patch0000:      0001-remove-babeld-and-ldpd.patch
+Patch0000:      0000-remove-babeld-and-ldpd.patch
 Patch0002:      0002-enable-openssl.patch
 Patch0003:      0003-disable-eigrp-crypto.patch
 Patch0004:      0004-fips-mode.patch
 Patch0005:      0005-remove-grpc-test.patch
+Patch0006:      0006-cve-2022-26126.patch

 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -37,14 +31,12 @@ BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  git-core
 BuildRequires:  groff
-%if %{with grpc}
 BuildRequires:  grpc-devel
 BuildRequires:  grpc-plugins
-%endif
 BuildRequires:  json-c-devel
 BuildRequires:  libcap-devel
 BuildRequires:  libtool
-BuildRequires:  libyang-devel >= 2.0.0
+BuildRequires:  libyang-devel >= 0.16.74
 BuildRequires:  make
 BuildRequires:  ncurses
 BuildRequires:  ncurses-devel
@@ -60,7 +52,6 @@ BuildRequires:  readline-devel
 BuildRequires:  systemd-devel
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  texinfo
-BuildRequires:  protobuf-c-devel

 Requires:       ncurses
 Requires:       net-snmp
@@ -69,12 +60,7 @@ Requires(post): hostname
 Requires(post): systemd
 Requires(postun): systemd
 Requires(preun): systemd
-
-%if 0%{?with_selinux}
-Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
-%endif
-
-Obsoletes:      quagga < 1.2.4-17
+Conflicts:      quagga
 Provides:       routingdaemon = %{version}-%{release}

 %description
@@ -86,27 +72,8 @@ FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP

 FRRouting is a fork of Quagga.

-%if 0%{?with_selinux}
-%package selinux
-Summary:	Selinux policy for FRR
-BuildArch:	noarch
-Requires:	selinux-policy-%{selinuxtype}
-Requires(post):	selinux-policy-%{selinuxtype}
-BuildRequires:	selinux-policy-devel
-%{?selinux_requires}
-
-%description selinux
-SELinux policy modules for FRR package
-
-%endif
-
 %prep
 %autosetup -S git
-#Selinux
-mkdir selinux
-cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux
-# C++14 or later needed for abseil-cpp 20230125; string_view needs C++17:
-sed -r -i 's/(AX_CXX_COMPILE_STDCXX\(\[)11(\])/\117\2/' configure.ac

 %build
 autoreconf -ivf
@@ -116,7 +83,7 @@ autoreconf -ivf
    --sysconfdir=%{_sysconfdir}/frr \
    --libdir=%{_libdir}/frr \
    --libexecdir=%{_libexecdir}/frr \
-    --localstatedir=/run/frr \
+    --localstatedir=%{_localstatedir}/run/frr \
    --enable-multipath=64 \
    --enable-vtysh=yes \
    --disable-ospfclient \
@@ -135,19 +102,13 @@ autoreconf -ivf
    --with-crypto=openssl \
    --with-vici-socket=/run/strongswan/charon.vici \
    --enable-fpm \
-    %{?with_grpc:--enable-grpc}
+    --enable-grpc

 %make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3}

 # Build info documentation
 %make_build -C doc info

-#SELinux policy
-%if 0%{?with_selinux}
-make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp
-bzip2 -9 selinux/%{name}.pp
-%endif
-
 %install
 mkdir -p %{buildroot}%{_sysconfdir}/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \
         %{buildroot}%{_localstatedir}/log/frr %{buildroot}%{_infodir} \
@@ -174,12 +135,6 @@ install -p -m 644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/fr
 install -p -m 644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
 install -d -m 775 %{buildroot}/run/frr

-%if 0%{?with_selinux}
-install -D -m 644 selinux/%{name}.pp.bz2 \
-	%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
-install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
-%endif
-
 # Delete libtool archives
 find %{buildroot} -type f -name "*.la" -delete -print

@@ -190,6 +145,7 @@ rm -r %{buildroot}%{_includedir}/frr/
 %pre
 %sysusers_create_compat %{SOURCE2}

+
 %post
 %systemd_post frr.service

@@ -213,28 +169,6 @@ fi
 %preun
 %systemd_preun frr.service

-#SELinux
-%if 0%{?with_selinux}
-%pre selinux
-%selinux_relabel_pre -s %{selinuxtype}
-
-%post selinux
-%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
-%selinux_relabel_post -s %{selinuxtype}
-#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
-if [ $1 == 2 ]; then
-    %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
-    %{_sbindir}/restorecon -R /var/run/frr &> /dev/null
-fi
-
-%postun selinux
-if [ $1 -eq 0 ]; then
-    %selinux_modules_uninstall -s %{selinuxtype} %{name}
-    %selinux_relabel_post -s %{selinuxtype}
-fi
-
-%endif
-
 %check
 #this should be temporary, the grpc test is just badly designed
 rm tests/lib/*grpc*
@@ -247,14 +181,10 @@ rm tests/lib/*grpc*
 %dir %attr(755,frr,frr) %{_localstatedir}/log/frr
 %dir %attr(755,frr,frr) /run/frr
 %{_infodir}/*info*
-%{_mandir}/man1/frr.1*
-%{_mandir}/man1/vtysh.1*
-%{_mandir}/man8/frr-*.8*
-%{_mandir}/man8/mtracebis.8*
+%{_mandir}/man*/*
 %dir %{frr_libdir}/
 %{frr_libdir}/*
-%{_bindir}/mtracebis
-%{_bindir}/vtysh
+%{_bindir}/*
 %dir %{_libdir}/frr
 %{_libdir}/frr/*.so.*
 %dir %{_libdir}/frr/modules
@@ -268,129 +198,19 @@ rm tests/lib/*grpc*
 %{_tmpfilesdir}/%{name}.conf
 %{_sysusersdir}/%{name}.conf

-%if 0%{?with_selinux}
-%files selinux
-%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.*
-%{_datadir}/selinux/devel/include/distributed/%{name}.if
-%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
-%endif
-
 %changelog
-* Fri Jun 30 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-1
- New version 8.5.2
- Fixing a couple of SELinux issues
-
-* Wed Apr 26 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.1-1
- New version 8.5.1
-
-* Wed Apr 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.5-1
- New version 8.5
-
-* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.4.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Thu Jan 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-1
- New version 8.4.2
-
-* Fri Nov 25 2022 Michal Ruprich <mruprich@redhat.com> - 8.4.1-1
- New version 8.4.1
- Fix for rhbz #2140705
-
-* Thu Nov 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.4-1
- New version 8.4
-
-* Fri Sep 16 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5
- Adding SELinux rule to enable zebra to write to sysctl_net_t
- Adding SELinux rule to enable bgpd to call name_connect to bgp_port_t
-
-* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4
- Fixing an error in post scriptlet
-
-* Fri Sep 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-3
- Resolves: #2124254 - frr can no longer update routes
-
-* Wed Sep 07 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-2
- Resolves: #2124253 - SELinux is preventing zebra from setattr access on the directory frr
- Better handling FRR files during upgrade
-
-* Tue Sep 06 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-1
- New version 8.3.1
-
-* Mon Aug 22 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-10
- Rebuilding for new abseil-cpp and grpc updates
-
-* Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-9
- Adding vrrpd and pathd as daemons to the policy
-
-* Wed Aug 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-8
- Finalizing SELinux policy
-
-* Tue Aug 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-7
- Fixing wrong path for vtysh in frr.fc
-
-* Fri Jul 29 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 8.2.2-6
- Rebuild with abseil-cpp-20211102.0-4.fc37 (RHBZ#2108658)
-
-* Wed Jul 27 2022 Michal Ruprich - 8.2.2-5
- Packaging SELinux policy for FRR
-
-* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 8.2.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Tue May 17 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-3
- Rebuild for grpc-1.46.1
-
 * Mon Apr 11 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-2
 - Fix for CVE-2022-16126

 * Tue Mar 15 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-1
 - New version 8.2.2

-* Thu Mar 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-2
- Rebuild for abseil-cpp 20211102.0
-
-* Wed Mar 09 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-1
+* Thu Mar 10 2022 Michal Ruprich <mruprich@redhat.com> - 8.2-1
 - New version 8.2 (rhbz#2020439)
 - Resolves: #2011868 - systemctl frr reload does not stop daemons that are not enabled in /etc/frr/daemons

-* Tue Feb 01 2022 Michal Ruprich <mruprich@redhat.com> - 8.0.1-11
- Rebuilding for FTBFS in Rawhide(rhbz#2045399)
-
-* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 8.0.1-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Sat Jan 08 2022 Miro Hrončok <mhroncok@redhat.com> - 8.0.1-9
- Rebuilt for libre2.so.9
-
-* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 8.0.1-8
- Rebuilt for protobuf 3.19.0
-
-* Mon Oct 25 2021 Adrian Reber <adrian@lisas.de> - 8.0.1-7
- Rebuilt for protobuf 3.18.1
-
-* Fri Oct 15 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-6
- Obsoleting quagga so that it may be retired
-
-* Thu Oct 07 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-5
- Rebuilding for grpc 1.41
-
-* Thu Sep 30 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-4
- Rebuild for new version of libyang
-
-* Sat Sep 18 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 8.0.1-3
- Rebuild for grpc 1.40
-
-* Thu Sep 16 2021 Sahana Prasad <sahana@redhat.com> - 8.0.1-2
- Rebuilt with OpenSSL 3.0.0
-
-* Thu Sep 16 2021 Michal Ruprich <mruprich@redhat.com> - 8.0.1-1
- New version 8.0.1
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 8.0-2
- Rebuilt with OpenSSL 3.0.0
-
-* Wed Aug 11 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-1
- New version 8.0
+* Thu Jan 20 2022 Michal Ruprich <mruprich@redhat.com> - 8.0.1-1
+- Rebasing to 8.0.1 due to newer libyang library

 * Wed Aug 04 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 7.5.1-9
 - Rebuild for grpc 1.39
--- a/frr.te
+++ b/frr.te
@@ -1,122 +0,0 @@
-policy_module(frr, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type frr_t;
-type frr_exec_t;
-init_daemon_domain(frr_t, frr_exec_t)
-
-type frr_log_t;
-logging_log_file(frr_log_t)
-
-type frr_tmp_t;
-files_tmp_file(frr_tmp_t)
-
-type frr_lock_t;
-files_lock_file(frr_lock_t)
-
-type frr_conf_t;
-files_config_file(frr_conf_t)
-
-type frr_unit_file_t;
-systemd_unit_file(frr_unit_file_t)
-
-type frr_var_run_t;
-files_pid_file(frr_var_run_t)
-
-########################################
-#
-# frr local policy
-#
-allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
-allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
-allow frr_t self:packet_socket { create setopt };
-allow frr_t self:process { setcap setpgid };
-allow frr_t self:rawip_socket create_socket_perms;
-allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
-allow frr_t self:udp_socket create_socket_perms;
-allow frr_t self:unix_stream_socket connectto;
-
-allow frr_t frr_conf_t:dir list_dir_perms;
-manage_files_pattern(frr_t, frr_conf_t, frr_conf_t)
-read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t)
-
-manage_dirs_pattern(frr_t, frr_log_t, frr_log_t)
-manage_files_pattern(frr_t, frr_log_t, frr_log_t)
-manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
-logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
-
-allow frr_t frr_tmp_t:file map;
-manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
-manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
-files_tmp_filetrans(frr_t, frr_tmp_t, { file dir })
-
-manage_files_pattern(frr_t, frr_lock_t, frr_lock_t)
-manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t)
-files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file })
-
-manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t)
-manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
-manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
-manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t)
-files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file })
-
-allow frr_t frr_exec_t:dir search_dir_perms;
-can_exec(frr_t, frr_exec_t)
-
-kernel_read_network_state(frr_t)
-kernel_rw_net_sysctls(frr_t)
-kernel_read_system_state(frr_t)
-
-auth_use_nsswitch(frr_t)
-
-corecmd_exec_bin(frr_t)
-
-corenet_tcp_bind_appswitch_emp_port(frr_t)
-corenet_udp_bind_bfd_control_port(frr_t)
-corenet_udp_bind_bfd_echo_port(frr_t)
-corenet_udp_bind_bfd_multi_port(frr_t)
-corenet_tcp_bind_bgp_port(frr_t)
-corenet_tcp_connect_bgp_port(frr_t)
-corenet_tcp_bind_cmadmin_port(frr_t)
-corenet_udp_bind_cmadmin_port(frr_t)
-corenet_tcp_bind_firepower_port(frr_t)
-corenet_tcp_bind_generic_port(frr_t)
-corenet_tcp_bind_priority_e_com_port(frr_t)
-corenet_udp_bind_router_port(frr_t)
-corenet_tcp_bind_qpasa_agent_port(frr_t)
-corenet_tcp_bind_smntubootstrap_port(frr_t)
-corenet_tcp_bind_versa_tek_port(frr_t)
-corenet_tcp_bind_zebra_port(frr_t)
-
-domain_use_interactive_fds(frr_t)
-
-fs_read_nsfs_files(frr_t)
-
-sysnet_exec_ifconfig(frr_t)
-sysnet_read_ifconfig_run(frr_t)
-sysnet_watch_ifconfig_run(frr_t)
-
-userdom_read_admin_home_files(frr_t)
-
-optional_policy(`
-	logging_send_syslog_msg(frr_t)
-')
-
-optional_policy(`
-	modutils_exec_kmod(frr_t)
-	modutils_getattr_module_deps(frr_t)
-	modutils_read_module_config(frr_t)
-	modutils_read_module_deps_files(frr_t)
-')
-
-optional_policy(`
-	networkmanager_read_state(frr_t)
-')
-
-optional_policy(`
-	userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
-')
--- a/gating.yaml
+++ b/gating.yaml
@@ -1,16 +0,0 @@
--- !Policy
-product_versions:
-  - fedora-*
-decision_contexts: [bodhi_update_push_testing]
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
- 
-#gating rawhide
--- !Policy
-product_versions:
-  - fedora-*
-decision_contexts: [bodhi_update_push_stable]
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
--- a/plans/all.fmf
+++ b/plans/all.fmf
@@ -1,6 +0,0 @@
-summary: Test plan with all Fedora tests
-discover:
-       how: fmf
-       url: https://src.fedoraproject.org/tests/frr.git
-execute:
-       how: tmt
--- a/2
+++ b/2
@@ -1,2 +1,2 @@
-SHA512 (frr-8.5.2.tar.gz) = a5eadd8c88966b58ebc0e7b92311bda16b391abe727861eed772ded678f5a84d84421fbfd4b23c4a2b18ab3d2dcd5b2c9099491dab6958b63c39a9c67c4508d2
+SHA512 (frr-8.2.2.tar.gz) = 2a3e189d8de09bd66bc4a49147bec681d48626d8cb268dc03f42b58064c066b35082114ff97d7333ae4029f759b78e216c8460c2611df7f6659675dc5f9b69b2
 SHA512 (remove-babeld-ldpd.sh) = a5bf67a3722cb20d43cef1dac28f839db68df73a1b7d34d8438e4f9366da3b67d85c1f44281f93434e8dd8ebcb2d3dc258b77eaa5627475b7395d207f020839d
Author	SHA1	Message	Date
Zoran Peričić	0dc6476d4c	v.ims.1 - Bump version	2022-04-29 20:48:25 +02:00
Zoran Peričić	03e52ccf90	nhrp: configure strongswan vici path	2022-04-29 20:48:14 +02:00
Michal Ruprich	bbc433902a	Fix for CVE-2022-16126	2022-04-11 12:04:50 +02:00
Michal Ruprich	ec562bc168	New version 8.2.2	2022-03-15 14:55:03 +01:00
Michal Ruprich	5a7e2d0610	New version 8.2 (rhbz#2020439) Resolves: #2011868 - systemctl frr reload does not stop daemons that are not enabled in /etc/frr/daemons	2022-03-10 12:55:15 +01:00
Michal Ruprich	cecd9d7fd4	Rebasing to 8.0.1 due to newer libyang library	2022-01-20 17:26:31 +01:00
				`@@ -1 +0,0 @@`
				`*.tar.gz filter=lfs diff=lfs merge=lfs -text`