v.ims.1 - Bump version

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(07/27/2023 11:26:31.692:622) : proctitle=/usr/libexec/frr/bfdd -d -F traditional -A 127.0.0.1
type=SOCKADDR msg=audit(07/27/2023 11:26:31.692:622) : saddr={ saddr_fam=packet (unsupported) }
type=SYSCALL msg=audit(07/27/2023 11:26:31.692:622) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xf a1=0x7ffeb8c5a000 a2=0x14 a3=0x7ffeb8c59ff0 items=0 ppid=7818 pid=7903 auid=unset uid=frr gid=frr euid=frr suid=frr fsuid=frr egid=frr sgid=frr fsgid=frr tty=(none) ses=unset comm=bfdd exe=/usr/libexec/frr/bfdd subj=system_u:system_r:frr_t:s0 key=(null)
type=AVC msg=audit(07/27/2023 11:26:31.692:622) : avc:  denied  { bind } for  pid=7903 comm=bfdd scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:frr_t:s0 tclass=packet_socket permissive=0

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2216912

.gitattributes

@@ -1 +0,0 @@
-*.tar.gz filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -17,3 +17,4 @@
 /frr-8.5.tar.gz
 /frr-8.5.1.tar.gz
 /frr-8.5.2.tar.gz
+/frr-8.5.3.tar.gz

0000-remove-babeld-and-ldpd.patch

@@ -1,18 +1,8 @@
-From 8c6e4318d2efd2314d8e9f30baefffef7de5a116 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
-Date: Sun, 8 Oct 2023 11:22:51 +0200
-Subject: [PATCH 1/5] remove babeld and ldpd
-
----
- Makefile.am           | 4 ----
- tools/etc/frr/daemons | 4 ----
- 2 files changed, 8 deletions(-)
-
 diff --git a/Makefile.am b/Makefile.am
-index f56e1b8e0..a42811d94 100644
+index 5be3264..33abc1d 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -196,8 +196,6 @@ include ospf6d/subdir.am
+@@ -130,8 +130,6 @@ include ospf6d/subdir.am
  include ospfclient/subdir.am
  include isisd/subdir.am
  include nhrpd/subdir.am
@@ -21,15 +11,15 @@ index f56e1b8e0..a42811d94 100644
  include eigrpd/subdir.am
  include sharpd/subdir.am
  include pimd/subdir.am
-@@ -261,7 +259,6 @@ EXTRA_DIST += \
+@@ -182,7 +180,6 @@ EXTRA_DIST += \
  	snapcraft/defaults \
  	snapcraft/helpers \
  	snapcraft/snap \
 -	babeld/Makefile \
- 	mgmtd/Makefile \
  	bgpd/Makefile \
  	bgpd/rfp-example/librfp/Makefile \
-@@ -274,7 +271,6 @@ EXTRA_DIST += \
+ 	bgpd/rfp-example/rfptest/Makefile \
+@@ -193,7 +190,6 @@ EXTRA_DIST += \
  	fpm/Makefile \
  	grpc/Makefile \
  	isisd/Makefile \
@@ -38,7 +28,7 @@ index f56e1b8e0..a42811d94 100644
  	nhrpd/Makefile \
  	ospf6d/Makefile \
 diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons
-index c487e7e5f..2e602901d 100644
+index 8aa0887..c92dcca 100644
 --- a/tools/etc/frr/daemons
 +++ b/tools/etc/frr/daemons
 @@ -22,10 +22,8 @@ ripngd=no
@@ -52,7 +42,7 @@ index c487e7e5f..2e602901d 100644
  sharpd=no
  pbrd=no
  bfdd=no
-@@ -49,10 +47,8 @@ ripngd_options=" -A ::1"
+@@ -48,10 +46,8 @@ ripngd_options=" -A ::1"
  isisd_options="  -A 127.0.0.1"
  pimd_options="   -A 127.0.0.1"
  pim6d_options="  -A ::1"
@@ -63,6 +53,3 @@ index c487e7e5f..2e602901d 100644
  sharpd_options=" -A 127.0.0.1"
  pbrd_options="   -A 127.0.0.1"
  staticd_options="-A 127.0.0.1"
--- 
-2.41.0
-

0002-enable-openssl.patch

@@ -1,20 +1,44 @@
-From 51ec61745373caa4702604ee2d379066f90b6d60 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
-Date: Sun, 8 Oct 2023 11:19:44 +0200
-Subject: [PATCH 2/5] enable openssl
-
----
- isisd/isis_lsp.c | 2 ++
- isisd/isis_pdu.c | 2 ++
- isisd/isis_te.c  | 2 ++
- lib/subdir.am    | 4 ----
- 4 files changed, 6 insertions(+), 4 deletions(-)
-
+diff --git a/lib/subdir.am b/lib/subdir.am
+index 0b7af18..0533e24 100644
+--- a/lib/subdir.am
++++ b/lib/subdir.am
+@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \
+ 	lib/log.c \
+ 	lib/log_filter.c \
+ 	lib/log_vty.c \
+-	lib/md5.c \
+ 	lib/memory.c \
+ 	lib/mlag.c \
+ 	lib/module.c \
+@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
+ 	lib/routemap_northbound.c \
+ 	lib/sbuf.c \
+ 	lib/seqlock.c \
+-	lib/sha256.c \
+ 	lib/sigevent.c \
+ 	lib/skiplist.c \
+ 	lib/sockopt.c \
+@@ -170,7 +170,6 @@ pkginclude_HEADERS += \
+ 	lib/link_state.h \
+ 	lib/log.h \
+ 	lib/log_vty.h \
+-	lib/md5.h \
+ 	lib/memory.h \
+ 	lib/module.h \
+ 	lib/monotime.h \
+@@ -191,7 +190,6 @@ pkginclude_HEADERS += \
+ 	lib/route_opaque.h \
+ 	lib/sbuf.h \
+ 	lib/seqlock.h \
+-	lib/sha256.h \
+ 	lib/sigevent.h \
+ 	lib/skiplist.h \
+ 	lib/smux.h \
 diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
-index 950d5f359..4cd792246 100644
+index 1991666..2e4fe55 100644
 --- a/isisd/isis_lsp.c
 +++ b/isisd/isis_lsp.c
-@@ -22,7 +22,9 @@
+@@ -35,7 +35,9 @@
  #include "hash.h"
  #include "if.h"
  #include "checksum.h"
@@ -25,10 +49,10 @@ index 950d5f359..4cd792246 100644
  #include "srcdest_table.h"
  #include "lib_errors.h"
 diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c
-index 0cd43a7ab..b2e114d73 100644
+index 9c63311..7cf594c 100644
 --- a/isisd/isis_pdu.c
 +++ b/isisd/isis_pdu.c
-@@ -20,7 +20,9 @@
+@@ -33,7 +33,9 @@
  #include "prefix.h"
  #include "if.h"
  #include "checksum.h"
@@ -39,10 +63,10 @@ index 0cd43a7ab..b2e114d73 100644
  
  #include "isisd/isis_constants.h"
 diff --git a/isisd/isis_te.c b/isisd/isis_te.c
-index 90b53c540..9d98c16e7 100644
+index 4ea6c2c..72ff0d2 100644
 --- a/isisd/isis_te.c
 +++ b/isisd/isis_te.c
-@@ -24,7 +24,9 @@
+@@ -38,7 +38,9 @@
  #include "if.h"
  #include "vrf.h"
  #include "checksum.h"
@@ -52,42 +76,3 @@ index 90b53c540..9d98c16e7 100644
  #include "sockunion.h"
  #include "network.h"
  #include "sbuf.h"
-diff --git a/lib/subdir.am b/lib/subdir.am
-index d7b28ffbd..b2ee32168 100644
---- a/lib/subdir.am
-+++ b/lib/subdir.am
-@@ -63,7 +63,6 @@ lib_libfrr_la_SOURCES = \
- 	lib/log.c \
- 	lib/log_filter.c \
- 	lib/log_vty.c \
--	lib/md5.c \
- 	lib/memory.c \
- 	lib/mgmt_be_client.c \
- 	lib/mgmt_fe_client.c \
-@@ -95,7 +94,6 @@ lib_libfrr_la_SOURCES = \
- 	lib/routemap_northbound.c \
- 	lib/sbuf.c \
- 	lib/seqlock.c \
--	lib/sha256.c \
- 	lib/sigevent.c \
- 	lib/skiplist.c \
- 	lib/sockopt.c \
-@@ -248,7 +246,6 @@ pkginclude_HEADERS += \
- 	lib/link_state.h \
- 	lib/log.h \
- 	lib/log_vty.h \
--	lib/md5.h \
- 	lib/memory.h \
- 	lib/mgmt.pb-c.h \
- 	lib/mgmt_be_client.h \
-@@ -283,7 +280,6 @@ pkginclude_HEADERS += \
- 	lib/route_opaque.h \
- 	lib/sbuf.h \
- 	lib/seqlock.h \
--	lib/sha256.h \
- 	lib/sigevent.h \
- 	lib/skiplist.h \
- 	lib/smux.h \
--- 
-2.41.0
-

0003-disable-eigrp-crypto.patch

@@ -1,26 +1,227 @@
-From 8ec9ddca959618ea6091711cd446ebac5b730147 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
-Date: Sun, 8 Oct 2023 11:23:48 +0200
-Subject: [PATCH 3/5] disable eigrp crypto
-
----
- eigrpd/eigrp_cli.c      | 15 +++++++++++++++
- eigrpd/eigrp_filter.c   |  2 ++
- eigrpd/eigrp_hello.c    |  2 ++
- eigrpd/eigrp_packet.c   | 27 +++++++++++++++++++++++++--
- eigrpd/eigrp_query.c    |  2 ++
- eigrpd/eigrp_reply.c    |  2 ++
- eigrpd/eigrp_siaquery.c |  2 ++
- eigrpd/eigrp_siareply.c |  2 ++
- eigrpd/eigrp_snmp.c     |  2 ++
- eigrpd/eigrp_update.c   |  2 ++
- 10 files changed, 56 insertions(+), 2 deletions(-)
-
+diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c
+index bedaf15..8dc09bf 100644
+--- a/eigrpd/eigrp_packet.c
++++ b/eigrpd/eigrp_packet.c
+@@ -40,8 +40,10 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
+ #include "sha256.h"
++#endif
+ #include "lib_errors.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+@@ -95,8 +97,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 	struct key *key = NULL;
+ 	struct keychain *keychain;
+ 
++
+ 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
++#ifdef CRYPTO_OPENSSL
++#elif CRYPTO_INTERNAL
+ 	MD5_CTX ctx;
++#endif
+ 	uint8_t *ibuf;
+ 	size_t backup_get, backup_end;
+ 	struct TLV_MD5_Authentication_Type *auth_TLV;
+@@ -119,6 +125,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 		return EIGRP_AUTH_TYPE_NONE;
+ 	}
+ 
++#ifdef CRYPTO_OPENSSL
++//TBD when this is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 
+@@ -146,7 +155,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
+ 	}
+ 
+ 	MD5Final(digest, &ctx);
+-
++#endif
+ 	/* Append md5 digest to the end of the stream. */
+ 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN);
+ 
+@@ -162,7 +171,10 @@ int eigrp_check_md5_digest(struct stream *s,
+ 			   struct TLV_MD5_Authentication_Type *authTLV,
+ 			   struct eigrp_neighbor *nbr, uint8_t flags)
+ {
++#ifdef CRYPTO_OPENSSL
++#elif CRYPTO_INTERNAL
+ 	MD5_CTX ctx;
++#endif
+ 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
+ 	unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN];
+ 	struct key *key = NULL;
+@@ -203,6 +215,9 @@ int eigrp_check_md5_digest(struct stream *s,
+ 		return 0;
+ 	}
+ 
++#ifdef CRYPTO_OPENSSL
++	//TBD when eigrpd crypto is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	MD5Init(&ctx);
+ 
+@@ -230,6 +245,7 @@ int eigrp_check_md5_digest(struct stream *s,
+ 	}
+ 
+ 	MD5Final(digest, &ctx);
++#endif
+ 
+ 	/* compare the two */
+ 	if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) {
+@@ -254,7 +270,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 	unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN];
+ 	unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0};
+ 
++#ifdef CRYPTO_OPENSSL
++	//TBD when eigrpd crypto is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	HMAC_SHA256_CTX ctx;
++#endif
+ 	void *ibuf;
+ 	size_t backup_get, backup_end;
+ 	struct TLV_SHA256_Authentication_Type *auth_TLV;
+@@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 
+ 	inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN);
+ 
++#ifdef CRYPTO_OPENSSL
++	//TBD when eigrpd crypto is fixed in upstream
++#elif CRYPTO_INTERNAL
+ 	memset(&ctx, 0, sizeof(ctx));
+ 	buffer[0] = '\n';
+ 	memcpy(buffer + 1, key, strlen(key->string));
+@@ -291,7 +314,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
+ 			  1 + strlen(key->string) + strlen(source_ip));
+ 	HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf));
+ 	HMAC__SHA256_Final(digest, &ctx);
+-
++#endif
+ 
+ 	/* Put hmac-sha256 digest to it's place */
+ 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN);
+diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c
+index 93eed94..f1c7347 100644
+--- a/eigrpd/eigrp_filter.c
++++ b/eigrpd/eigrp_filter.c
+@@ -47,7 +47,9 @@
+ #include "if_rmap.h"
+ #include "plist.h"
+ #include "distribute.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "keychain.h"
+ #include "privs.h"
+ #include "vrf.h"
+diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c
+index dacd5ca..b232cc5 100644
+--- a/eigrpd/eigrp_hello.c
++++ b/eigrpd/eigrp_hello.c
+@@ -43,7 +43,9 @@
+ #include "sockopt.h"
+ #include "checksum.h"
+ #include "vty.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ 
+ #include "eigrpd/eigrp_structs.h"
+ #include "eigrpd/eigrpd.h"
+diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c
+index 84dcf5e..a2575e3 100644
+--- a/eigrpd/eigrp_query.c
++++ b/eigrpd/eigrp_query.c
+@@ -38,7 +38,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c
+index ccf0496..2902365 100644
+--- a/eigrpd/eigrp_reply.c
++++ b/eigrpd/eigrp_reply.c
+@@ -42,7 +42,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ #include "keychain.h"
+ #include "plist.h"
+diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c
+index ff38325..09b9369 100644
+--- a/eigrpd/eigrp_siaquery.c
++++ b/eigrpd/eigrp_siaquery.c
+@@ -38,7 +38,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c
+index d3dd123..f6a2bd6 100644
+--- a/eigrpd/eigrp_siareply.c
++++ b/eigrpd/eigrp_siareply.c
+@@ -37,7 +37,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ 
+ #include "eigrpd/eigrp_structs.h"
+diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c
+index 21c9238..cfb8890 100644
+--- a/eigrpd/eigrp_snmp.c
++++ b/eigrpd/eigrp_snmp.c
+@@ -42,7 +42,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "keychain.h"
+ #include "smux.h"
+ 
+diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c
+index 8db4903..2a4f0bb 100644
+--- a/eigrpd/eigrp_update.c
++++ b/eigrpd/eigrp_update.c
+@@ -42,7 +42,9 @@
+ #include "log.h"
+ #include "sockopt.h"
+ #include "checksum.h"
++#ifdef CRYPTO_INTERNAL
+ #include "md5.h"
++#endif
+ #include "vty.h"
+ #include "plist.h"
+ #include "plist_int.h"
 diff --git a/eigrpd/eigrp_cli.c b/eigrpd/eigrp_cli.c
-index 213834afc..73647937d 100644
+index a93d4c8..b01e121 100644
 --- a/eigrpd/eigrp_cli.c
 +++ b/eigrpd/eigrp_cli.c
-@@ -11,6 +11,7 @@
+@@ -25,6 +25,7 @@
  #include "lib/command.h"
  #include "lib/log.h"
  #include "lib/northbound_cli.h"
@@ -28,7 +229,7 @@ index 213834afc..73647937d 100644
  
  #include "eigrp_structs.h"
  #include "eigrpd.h"
-@@ -716,6 +717,20 @@ DEFPY_YANG(
+@@ -726,6 +726,20 @@ DEFPY(
  	"Keyed message digest\n"
  	"HMAC SHA256 algorithm \n")
  {
@@ -49,225 +250,3 @@ index 213834afc..73647937d 100644
  	char xpath[XPATH_MAXLEN], xpath_auth[XPATH_MAXLEN + 64];
  
  	snprintf(xpath, sizeof(xpath), "./frr-eigrpd:eigrp/instance[asn='%s']",
-diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c
-index eceef6b8a..1d194be14 100644
---- a/eigrpd/eigrp_filter.c
-+++ b/eigrpd/eigrp_filter.c
-@@ -32,7 +32,9 @@
- #include "if_rmap.h"
- #include "plist.h"
- #include "distribute.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "keychain.h"
- #include "privs.h"
- #include "vrf.h"
-diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c
-index 662c750e9..a3a5ec822 100644
---- a/eigrpd/eigrp_hello.c
-+++ b/eigrpd/eigrp_hello.c
-@@ -28,7 +28,9 @@
- #include "sockopt.h"
- #include "checksum.h"
- #include "vty.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- 
- #include "eigrpd/eigrp_structs.h"
- #include "eigrpd/eigrpd.h"
-diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c
-index 963d229bc..587eb422e 100644
---- a/eigrpd/eigrp_packet.c
-+++ b/eigrpd/eigrp_packet.c
-@@ -25,8 +25,10 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
- #include "sha256.h"
-+#endif
- #include "lib_errors.h"
- 
- #include "eigrpd/eigrp_structs.h"
-@@ -88,8 +90,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
- 	struct key *key = NULL;
- 	struct keychain *keychain;
- 
-+
- 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
-+#ifdef CRYPTO_OPENSSL
-+#elif CRYPTO_INTERNAL
- 	MD5_CTX ctx;
-+#endif
- 	uint8_t *ibuf;
- 	size_t backup_get, backup_end;
- 	struct TLV_MD5_Authentication_Type *auth_TLV;
-@@ -112,6 +118,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
- 		return EIGRP_AUTH_TYPE_NONE;
- 	}
- 
-+#ifdef CRYPTO_OPENSSL
-+//TBD when this is fixed in upstream
-+#elif CRYPTO_INTERNAL
- 	memset(&ctx, 0, sizeof(ctx));
- 	MD5Init(&ctx);
- 
-@@ -139,7 +148,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
- 	}
- 
- 	MD5Final(digest, &ctx);
--
-+#endif
- 	/* Append md5 digest to the end of the stream. */
- 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN);
- 
-@@ -155,7 +164,10 @@ int eigrp_check_md5_digest(struct stream *s,
- 			   struct TLV_MD5_Authentication_Type *authTLV,
- 			   struct eigrp_neighbor *nbr, uint8_t flags)
- {
-+#ifdef CRYPTO_OPENSSL
-+#elif CRYPTO_INTERNAL
- 	MD5_CTX ctx;
-+#endif
- 	unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
- 	unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN];
- 	struct key *key = NULL;
-@@ -196,6 +208,9 @@ int eigrp_check_md5_digest(struct stream *s,
- 		return 0;
- 	}
- 
-+#ifdef CRYPTO_OPENSSL
-+	//TBD when eigrpd crypto is fixed in upstream
-+#elif CRYPTO_INTERNAL
- 	memset(&ctx, 0, sizeof(ctx));
- 	MD5Init(&ctx);
- 
-@@ -223,6 +238,7 @@ int eigrp_check_md5_digest(struct stream *s,
- 	}
- 
- 	MD5Final(digest, &ctx);
-+#endif
- 
- 	/* compare the two */
- 	if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) {
-@@ -247,7 +263,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
- 	unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN];
- 	unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0};
- 
-+#ifdef CRYPTO_OPENSSL
-+	//TBD when eigrpd crypto is fixed in upstream
-+#elif CRYPTO_INTERNAL
- 	HMAC_SHA256_CTX ctx;
-+#endif
- 	void *ibuf;
- 	size_t backup_get, backup_end;
- 	struct TLV_SHA256_Authentication_Type *auth_TLV;
-@@ -276,6 +296,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
- 
- 	inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN);
- 
-+#ifdef CRYPTO_OPENSSL
-+	//TBD when eigrpd crypto is fixed in upstream
-+#elif CRYPTO_INTERNAL
- 	memset(&ctx, 0, sizeof(ctx));
- 	buffer[0] = '\n';
- 	memcpy(buffer + 1, key, strlen(key->string));
-@@ -284,7 +307,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
- 			  1 + strlen(key->string) + strlen(source_ip));
- 	HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf));
- 	HMAC__SHA256_Final(digest, &ctx);
--
-+#endif
- 
- 	/* Put hmac-sha256 digest to it's place */
- 	memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN);
-diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c
-index 0e206cded..4b3f4e082 100644
---- a/eigrpd/eigrp_query.c
-+++ b/eigrpd/eigrp_query.c
-@@ -23,7 +23,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "vty.h"
- 
- #include "eigrpd/eigrp_structs.h"
-diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c
-index aae89e832..1fb1f404d 100644
---- a/eigrpd/eigrp_reply.c
-+++ b/eigrpd/eigrp_reply.c
-@@ -27,7 +27,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "vty.h"
- #include "keychain.h"
- #include "plist.h"
-diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c
-index 71486a1f6..430e8ce71 100644
---- a/eigrpd/eigrp_siaquery.c
-+++ b/eigrpd/eigrp_siaquery.c
-@@ -23,7 +23,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "vty.h"
- 
- #include "eigrpd/eigrp_structs.h"
-diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c
-index 6c8c1ef58..b16e0fcfc 100644
---- a/eigrpd/eigrp_siareply.c
-+++ b/eigrpd/eigrp_siareply.c
-@@ -22,7 +22,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "vty.h"
- 
- #include "eigrpd/eigrp_structs.h"
-diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c
-index 492ef3e71..5618c3f2b 100644
---- a/eigrpd/eigrp_snmp.c
-+++ b/eigrpd/eigrp_snmp.c
-@@ -27,7 +27,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "keychain.h"
- #include "smux.h"
- 
-diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c
-index a056267bf..3dc8d0e56 100644
---- a/eigrpd/eigrp_update.c
-+++ b/eigrpd/eigrp_update.c
-@@ -27,7 +27,9 @@
- #include "log.h"
- #include "sockopt.h"
- #include "checksum.h"
-+#ifdef CRYPTO_INTERNAL
- #include "md5.h"
-+#endif
- #include "vty.h"
- #include "plist.h"
- #include "plist_int.h"
--- 
-2.41.0
-

0004-fips-mode.patch

@@ -1,63 +1,8 @@
-From 730598d8a4c1bd32d0e4fc0e76be926314a6f57b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
-Date: Sun, 8 Oct 2023 11:24:43 +0200
-Subject: [PATCH 4/5] fips mode
-
----
- isisd/isis_circuit.c |  4 ++++
- isisd/isisd.c        |  4 ++++
- lib/zebra.h          |  1 +
- ospfd/ospf_vty.c     | 24 ++++++++++++++++++++++++
- ripd/rip_cli.c       |  6 ++++++
- 5 files changed, 39 insertions(+)
-
-diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
-index feab45123..f02bae968 100644
---- a/isisd/isis_circuit.c
-+++ b/isisd/isis_circuit.c
-@@ -1542,6 +1542,10 @@ ferr_r isis_circuit_passwd_set(struct isis_circuit *circuit,
- 		return ferr_code_bug(
- 			"circuit password too long (max 254 chars)");
- 
-+	//When in FIPS mode, the password never gets set in MD5
-+	if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
-+		return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
-+
- 	circuit->passwd.len = len;
- 	strlcpy((char *)circuit->passwd.passwd, passwd,
- 		sizeof(circuit->passwd.passwd));
-diff --git a/isisd/isisd.c b/isisd/isisd.c
-index ea304ba5e..67f6e253a 100644
---- a/isisd/isisd.c
-+++ b/isisd/isisd.c
-@@ -3036,6 +3036,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
- 		if (len > 254)
- 			return -1;
- 
-+		//When in FIPS mode, the password never get set in MD5
-+		if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
-+			return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
-+
- 		modified.len = len;
- 		strlcpy((char *)modified.passwd, passwd,
- 			sizeof(modified.passwd));
-diff --git a/lib/zebra.h b/lib/zebra.h
-index ecc87f58f..5cb716759 100644
---- a/lib/zebra.h
-+++ b/lib/zebra.h
-@@ -90,6 +90,7 @@
- #ifdef CRYPTO_OPENSSL
- #include <openssl/evp.h>
- #include <openssl/hmac.h>
-+#include <openssl/fips.h>
- #endif
- 
- #include "openbsd-tree.h"
 diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
-index 5cd70c7c2..0b8dbaa73 100644
+index 631465f..e084ff3 100644
 --- a/ospfd/ospf_vty.c
 +++ b/ospfd/ospf_vty.c
-@@ -1069,6 +1069,11 @@ DEFUN (ospf_area_vlink,
+@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
  
  	if (argv_find(argv, argc, "message-digest", &idx)) {
  		/* authentication message-digest */
@@ -69,7 +14,7 @@ index 5cd70c7c2..0b8dbaa73 100644
  		vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
  	} else if (argv_find(argv, argc, "null", &idx)) {
  		/* "authentication null" */
-@@ -1974,6 +1979,15 @@ DEFUN (ospf_area_authentication_message_digest,
+@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest,
  				  ? OSPF_AUTH_NULL
  				  : OSPF_AUTH_CRYPTOGRAPHIC;
  
@@ -85,7 +30,7 @@ index 5cd70c7c2..0b8dbaa73 100644
  	return CMD_SUCCESS;
  }
  
-@@ -7419,6 +7433,11 @@ DEFUN (ip_ospf_authentication_args,
+@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args,
  
  	/* Handle message-digest authentication */
  	if (argv[idx_encryption]->arg[0] == 'm') {
@@ -97,7 +42,7 @@ index 5cd70c7c2..0b8dbaa73 100644
  		SET_IF_PARAM(params, auth_type);
  		params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
  		return CMD_SUCCESS;
-@@ -7725,6 +7744,11 @@ DEFUN (ip_ospf_message_digest_key,
+@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
         "The OSPF password (key)\n"
         "Address of interface\n")
  {
@@ -109,11 +54,41 @@ index 5cd70c7c2..0b8dbaa73 100644
  	VTY_DECLVAR_CONTEXT(interface, ifp);
  	struct crypt_key *ck;
  	uint8_t key_id;
+diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
+index 81b4b39..cce33d9 100644
+--- a/isisd/isis_circuit.c
++++ b/isisd/isis_circuit.c
+@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
+ 		return ferr_code_bug(
+ 			"circuit password too long (max 254 chars)");
+ 
++	//When in FIPS mode, the password never gets set in MD5
++	if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
++		return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
++
+ 	circuit->passwd.len = len;
+ 	strlcpy((char *)circuit->passwd.passwd, passwd,
+ 		sizeof(circuit->passwd.passwd));
+diff --git a/isisd/isisd.c b/isisd/isisd.c
+index 419127c..a6c36af 100644
+--- a/isisd/isisd.c
++++ b/isisd/isisd.c
+@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
+ 		if (len > 254)
+ 			return -1;
+ 
++		//When in FIPS mode, the password never get set in MD5
++		if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
++			return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
++
+ 		modified.len = len;
+ 		strlcpy((char *)modified.passwd, passwd,
+ 			sizeof(modified.passwd));
 diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
-index 097c708ab..854a16e4e 100644
+index 5bb81ef..02a09ef 100644
 --- a/ripd/rip_cli.c
 +++ b/ripd/rip_cli.c
-@@ -876,6 +876,12 @@ DEFPY_YANG (ip_rip_authentication_mode,
+@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
  			value = "20";
  	}
  
@@ -126,6 +101,15 @@ index 097c708ab..854a16e4e 100644
  	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
  			      strmatch(mode, "md5") ? "md5" : "plain-text");
  	if (strmatch(mode, "md5"))
--- 
-2.41.0
+diff --git a/lib/zebra.h b/lib/zebra.h
+index 53ae5b4..930307f 100644
+--- a/lib/zebra.h
++++ b/lib/zebra.h
+@@ -114,6 +114,7 @@
+ #ifdef CRYPTO_OPENSSL
+ #include <openssl/evp.h>
+ #include <openssl/hmac.h>
++#include <openssl/fips.h>
+ #endif
 
+ #include "openbsd-tree.h"

0005-remove-grpc-test.patch

@@ -1,19 +1,10 @@
-From a41d8382ba6b5ba0edf1887e65bbd21676ca9be4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
-Date: Sun, 8 Oct 2023 11:26:25 +0200
-Subject: [PATCH 5/5] remove grpc test
-
----
- tests/lib/subdir.am | 11 -----------
- 1 file changed, 11 deletions(-)
-
 diff --git a/tests/lib/subdir.am b/tests/lib/subdir.am
-index 6c1be5020..2ac3d508e 100644
+index 7b5eaa4..5c82f69 100644
 --- a/tests/lib/subdir.am
 +++ b/tests/lib/subdir.am
-@@ -24,17 +24,6 @@ copy_script: tests/lib/script1.lua
- 	test -e tests/lib/script1.lua || \
- 	$(INSTALL_SCRIPT) $< tests/lib/script1.lua
+@@ -18,18 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
+ EXTRA_DIST += tests/lib/test_frrscript.py
+ 
  
 -##############################################################################
 -GRPC_TESTS_LDADD = staticd/libstatic.a grpc/libfrrgrpc_pb.la -lgrpc++ -lprotobuf $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
@@ -26,9 +17,7 @@ index 6c1be5020..2ac3d508e 100644
 -tests_lib_test_grpc_LDADD = $(GRPC_TESTS_LDADD)
 -tests_lib_test_grpc_SOURCES = tests/lib/test_grpc.cpp
 -
- 
+-
  ##############################################################################
  if ZEROMQ
--- 
-2.41.0
-
+ check_PROGRAMS += tests/lib/test_zmq

frr.spec

@@ -5,14 +5,15 @@
 %global _hardened_build 1
 %global selinuxtype targeted
 %define _legacy_common_support 1
+
 %bcond grpc %{undefined rhel}
 %bcond selinux 1
 
 Name:           frr
-Version:        9.0.2
+Version:        8.5.3
 Release:        1%{?dist}
 Summary:        Routing daemon
-License:        GPLv2+
+License:        GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later  OR ISC) AND MIT
 URL:            http://www.frrouting.org
 Source0:        https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 Source1:        %{name}-tmpfiles.conf
@@ -22,7 +23,7 @@ Source3:        frr.fc
 Source4:        frr.te
 Source5:        frr.if
 
-Patch0000:      0001-remove-babeld-and-ldpd.patch
+Patch0000:      0000-remove-babeld-and-ldpd.patch
 Patch0002:      0002-enable-openssl.patch
 Patch0003:      0003-disable-eigrp-crypto.patch
 Patch0004:      0004-fips-mode.patch
@@ -60,7 +61,6 @@ BuildRequires:  readline-devel
 BuildRequires:  systemd-devel
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  texinfo
-BuildRequires:  protobuf-c-devel
 
 Requires:       ncurses
 Requires:       net-snmp
@@ -82,17 +82,18 @@ FRRouting is free software that manages TCP/IP based routing protocols. It takes
 a multi-server and multi-threaded approach to resolve the current complexity
 of the Internet.
 
-FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD.
+FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR,
+EIGRP and BFD.
 
 FRRouting is a fork of Quagga.
 
 %if 0%{?with_selinux}
 %package selinux
-Summary:	Selinux policy for FRR
-BuildArch:	noarch
-Requires:	selinux-policy-%{selinuxtype}
-Requires(post):	selinux-policy-%{selinuxtype}
-BuildRequires:	selinux-policy-devel
+Summary:  Selinux policy for FRR
+BuildArch:  noarch
+Requires:  selinux-policy-%{selinuxtype}
+Requires(post):  selinux-policy-%{selinuxtype}
+BuildRequires:  selinux-policy-devel
 %{?selinux_requires}
 
 %description selinux
@@ -176,7 +177,7 @@ install -d -m 775 %{buildroot}/run/frr
 
 %if 0%{?with_selinux}
 install -D -m 644 selinux/%{name}.pp.bz2 \
-	%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+  %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
 install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
 %endif
 
@@ -276,9 +277,30 @@ rm tests/lib/*grpc*
 %endif
 
 %changelog
+* Tue Oct 10 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.3-1
+- New version 8.5.3
+
+* Fri Sep 01 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-4
+- Adding a couple of SELinux rules, includes fix for rhbz#2149299
+
+* Wed Aug 30 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.5.2-3
+- Rebuilt for abseil-cpp 20230802.0
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.5.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
 * Fri Jun 30 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.2-1
 - New version 8.5.2
-- Fixing a couple of SELinux issues
+- Fixing some rpmlint warnings
+
+* Mon Jun 26 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.1-4
+- Resolves: #2216073 - SELinux is preventing FRR-Zebra to access to network namespaces.
+
+* Mon Jun 05 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 8.5.1-3
+- Disable grpc in RHEL builds
+
+* Fri May 19 2023 Petr Pisar <ppisar@redhat.com> - 8.5.1-2
+- Rebuild against rpm-4.19 (https://fedoraproject.org/wiki/Changes/RPM-4.19)
 
 * Wed Apr 26 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.1-1
 - New version 8.5.1
@@ -286,6 +308,15 @@ rm tests/lib/*grpc*
 * Wed Apr 12 2023 Michal Ruprich <mruprich@redhat.com> - 8.5-1
 - New version 8.5
 
+* Thu Mar 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-5
+- Rebuilding for new abseil-cpp version
+
+* Wed Mar 22 2023 Michal Ruprich <mruprich@redhat.com> - 8.4.2-4
+- SPDX migration
+
+* Wed Mar 08 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.4.2-3
+- Build as C++17, required by abseil-cpp 20230125
+
 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 8.4.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 

frr.te

@@ -33,7 +33,7 @@ files_pid_file(frr_var_run_t)
 #
 allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
 allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
-allow frr_t self:packet_socket { create setopt };
+allow frr_t self:packet_socket create_socket_perms;
 allow frr_t self:process { setcap setpgid };
 allow frr_t self:rawip_socket create_socket_perms;
 allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
@@ -70,6 +70,7 @@ can_exec(frr_t, frr_exec_t)
 kernel_read_network_state(frr_t)
 kernel_rw_net_sysctls(frr_t)
 kernel_read_system_state(frr_t)
+kernel_request_load_module(frr_t)
 
 auth_use_nsswitch(frr_t)
 
@@ -100,6 +101,8 @@ sysnet_exec_ifconfig(frr_t)
 sysnet_read_ifconfig_run(frr_t)
 sysnet_watch_ifconfig_run(frr_t)
 
+ipsec_domtrans_mgmt(frr_t)
+
 userdom_read_admin_home_files(frr_t)
 
 optional_policy(`

sources

@@ -1,2 +1,2 @@
-SHA512 (frr-8.5.2.tar.gz) = a5eadd8c88966b58ebc0e7b92311bda16b391abe727861eed772ded678f5a84d84421fbfd4b23c4a2b18ab3d2dcd5b2c9099491dab6958b63c39a9c67c4508d2
+SHA512 (frr-8.5.3.tar.gz) = 8d965670c03b4a40d880b72788b4940b8ac25953f0157419d9548672957554cfbd631707a9d6bf75cd33540c1b5af03687b2fe5f9c1df5736a52fc6524be9560
 SHA512 (remove-babeld-ldpd.sh) = a5bf67a3722cb20d43cef1dac28f839db68df73a1b7d34d8438e4f9366da3b67d85c1f44281f93434e8dd8ebcb2d3dc258b77eaa5627475b7395d207f020839d