From 8ec9ddca959618ea6091711cd446ebac5b730147 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= Date: Sun, 8 Oct 2023 11:23:48 +0200 Subject: [PATCH 3/5] disable eigrp crypto --- eigrpd/eigrp_cli.c | 15 +++++++++++++++ eigrpd/eigrp_filter.c | 2 ++ eigrpd/eigrp_hello.c | 2 ++ eigrpd/eigrp_packet.c | 27 +++++++++++++++++++++++++-- eigrpd/eigrp_query.c | 2 ++ eigrpd/eigrp_reply.c | 2 ++ eigrpd/eigrp_siaquery.c | 2 ++ eigrpd/eigrp_siareply.c | 2 ++ eigrpd/eigrp_snmp.c | 2 ++ eigrpd/eigrp_update.c | 2 ++ 10 files changed, 56 insertions(+), 2 deletions(-) diff --git a/eigrpd/eigrp_cli.c b/eigrpd/eigrp_cli.c index 213834afc..73647937d 100644 --- a/eigrpd/eigrp_cli.c +++ b/eigrpd/eigrp_cli.c @@ -11,6 +11,7 @@ #include "lib/command.h" #include "lib/log.h" #include "lib/northbound_cli.h" +#include "lib/libfrr.h" #include "eigrp_structs.h" #include "eigrpd.h" @@ -716,6 +717,20 @@ DEFPY_YANG( "Keyed message digest\n" "HMAC SHA256 algorithm \n") { + //EIGRP authentication is currently broken in FRR + switch (frr_get_cli_mode()) { + case FRR_CLI_CLASSIC: + vty_out(vty, "%% Eigrp Authentication is disabled\n\n"); + break; + case FRR_CLI_TRANSACTIONAL: + vty_out(vty, + "%% Failed to edit candidate configuration - " + "Eigrp Authentication is disabled.\n\n"); + break; + } + + return CMD_WARNING_CONFIG_FAILED; + char xpath[XPATH_MAXLEN], xpath_auth[XPATH_MAXLEN + 64]; snprintf(xpath, sizeof(xpath), "./frr-eigrpd:eigrp/instance[asn='%s']", diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c index eceef6b8a..1d194be14 100644 --- a/eigrpd/eigrp_filter.c +++ b/eigrpd/eigrp_filter.c @@ -32,7 +32,9 @@ #include "if_rmap.h" #include "plist.h" #include "distribute.h" +#ifdef CRYPTO_INTERNAL #include "md5.h" +#endif #include "keychain.h" #include "privs.h" #include "vrf.h" diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c index 662c750e9..a3a5ec822 100644 --- a/eigrpd/eigrp_hello.c +++ b/eigrpd/eigrp_hello.c 
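Review bot: The rejection added at the top of this DEFPY_YANG body in eigrp_cli.c guards only the CLI handler, so it does not cover any other way of setting the same northbound node; the xpath code left below the return suggests the leaf still exists in the model, though that is inferred rather than visible here. If the node can still be set, a CRYPTO_OPENSSL build reaches the digest functions in eigrp_packet.c whose hashing this patch compiles out. The unconditional `return CMD_WARNING_CONFIG_FAILED;` also leaves the `char xpath[XPATH_MAXLEN], ...` declaration and everything after it unreachable, and the `switch` has no `default`. Consider removing or `#if 0`-ing the dead body and widening the comment to `/* EIGRP authentication is rejected: digest computation is compiled out in eigrp_packet.c */`. The handler's body continues outside the hunk.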
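Review bot: The `#ifdef CRYPTO_INTERNAL` guard around `#include "md5.h"` in eigrp_filter.c is spelled differently from the `#elif CRYPTO_INTERNAL` tests in eigrp_packet.c, and the same two-line guard is repeated in eigrp_hello.c, eigrp_query.c, eigrp_reply.c, eigrp_siaquery.c, eigrp_siareply.c, eigrp_snmp.c and eigrp_update.c. None of those hunks shows an MD5 call, so if these files do not use MD5 themselves (not verifiable from the hunks) the include could be dropped rather than guarded in eight places. If it stays, use one spelling of the test throughout, `#ifdef CRYPTO_INTERNAL` or `#if defined(CRYPTO_INTERNAL)`.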
@@ -28,7 +28,9 @@ #include "sockopt.h" #include "checksum.h" #include "vty.h" +#ifdef CRYPTO_INTERNAL #include "md5.h" +#endif #include "eigrpd/eigrp_structs.h" #include "eigrpd/eigrpd.h" diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c index 963d229bc..587eb422e 100644 --- a/eigrpd/eigrp_packet.c +++ b/eigrpd/eigrp_packet.c @@ -25,8 +25,10 @@ #include "log.h" #include "sockopt.h" #include "checksum.h" +#ifdef CRYPTO_INTERNAL #include "md5.h" #include "sha256.h" +#endif #include "lib_errors.h" #include "eigrpd/eigrp_structs.h" @@ -88,8 +90,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, struct key *key = NULL; struct keychain *keychain; + unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; +#ifdef CRYPTO_OPENSSL +#elif CRYPTO_INTERNAL MD5_CTX ctx; +#endif uint8_t *ibuf; size_t backup_get, backup_end; struct TLV_MD5_Authentication_Type *auth_TLV; @@ -112,6 +118,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, return EIGRP_AUTH_TYPE_NONE; } +#ifdef CRYPTO_OPENSSL +//TBD when this is fixed in upstream +#elif CRYPTO_INTERNAL memset(&ctx, 0, sizeof(ctx)); MD5Init(&ctx); @@ -139,7 +148,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, } MD5Final(digest, &ctx); - +#endif /* Append md5 digest to the end of the stream. */ memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN); @@ -155,7 +164,10 @@ int eigrp_check_md5_digest(struct stream *s, struct TLV_MD5_Authentication_Type *authTLV, struct eigrp_neighbor *nbr, uint8_t flags) { +#ifdef CRYPTO_OPENSSL +#elif CRYPTO_INTERNAL MD5_CTX ctx; +#endif unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN]; struct key *key = NULL; @@ -196,6 +208,9 @@ int eigrp_check_md5_digest(struct stream *s, return 0; } +#ifdef CRYPTO_OPENSSL + //TBD when eigrpd crypto is fixed in upstream +#elif CRYPTO_INTERNAL memset(&ctx, 0, sizeof(ctx)); MD5Init(&ctx); 
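Review bot: `#elif CRYPTO_INTERNAL` in the declarations of eigrp_make_md5_digest tests the macro's value rather than whether it is defined, unlike the `#ifdef CRYPTO_INTERNAL` used around the includes. An undefined macro silently evaluates to 0 (a warning under `-Wundef`) and a macro defined empty is a preprocessor error, so `#elif defined(CRYPTO_INTERNAL)` is the safer spelling. The same form recurs in the eigrp_packet.c hunks at -112, -155, -196, -247 and -276. Where the `#ifdef CRYPTO_OPENSSL` arm is empty, a plain `#ifdef CRYPTO_INTERNAL` ... `#endif` would say the same with less noise.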
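Review bot: With `CRYPTO_OPENSSL` defined, the `memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN);` that follows the new `#endif` in the `@@ -139,7 +148,7 @@` hunk copies a `digest` array that nothing has written, so indeterminate stack bytes would be placed in the authentication TLV. eigrp_make_sha256_digest has the same pattern in the `@@ -284,7 +307,7 @@` hunk. Initialising the array, `unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN] = {0};`, removes the stack disclosure, and returning `EIGRP_AUTH_TYPE_NONE` from the OpenSSL arm, as the earlier error path in this function does, would avoid emitting a TLV that claims authentication. The function starts and ends outside the hunk, so whether stream state must be restored before such a return cannot be checked here.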
@@ -223,6 +238,7 @@ int eigrp_check_md5_digest(struct stream *s, } MD5Final(digest, &ctx); +#endif /* compare the two */ if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) { @@ -247,7 +263,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN]; unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0}; +#ifdef CRYPTO_OPENSSL + //TBD when eigrpd crypto is fixed in upstream +#elif CRYPTO_INTERNAL HMAC_SHA256_CTX ctx; +#endif void *ibuf; size_t backup_get, backup_end; struct TLV_SHA256_Authentication_Type *auth_TLV; @@ -276,6 +296,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN); +#ifdef CRYPTO_OPENSSL + //TBD when eigrpd crypto is fixed in upstream +#elif CRYPTO_INTERNAL memset(&ctx, 0, sizeof(ctx)); buffer[0] = '\n'; memcpy(buffer + 1, key, strlen(key->string)); @@ -284,7 +307,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, 1 + strlen(key->string) + strlen(source_ip)); HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf)); HMAC__SHA256_Final(digest, &ctx); - +#endif /* Put hmac-sha256 digest to it's place */ memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN); diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c index 0e206cded..4b3f4e082 100644 --- a/eigrpd/eigrp_query.c +++ b/eigrpd/eigrp_query.c @@ -23,7 +23,9 @@ #include "log.h" #include "sockopt.h" #include "checksum.h" +#ifdef CRYPTO_INTERNAL #include "md5.h" +#endif #include "vty.h" #include "eigrpd/eigrp_structs.h" diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c index aae89e832..1fb1f404d 100644 --- a/eigrpd/eigrp_reply.c +++ b/eigrpd/eigrp_reply.c @@ -27,7 +27,9 @@ #include "log.h" #include "sockopt.h" #include "checksum.h" +#ifdef CRYPTO_INTERNAL #include "md5.h" +#endif #include "vty.h" #include "keychain.h" #include "plist.h" 
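Review bot: With `CRYPTO_OPENSSL` defined, the `memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN)` after the new `#endif` in eigrp_check_md5_digest compares the received digest with a `digest` buffer that was never computed, so the accept/reject decision rests on indeterminate stack contents. A verifier that has no digest implementation should fail closed explicitly: put `return 0;` in the `#ifdef CRYPTO_OPENSSL` arm added by the `@@ -196,6 +208,9 @@` hunk, assuming 0 is the reject value as the `return 0;` just above that arm suggests. The function's start and its return paths lie outside this hunk.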
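Review bot: The CRYPTO_INTERNAL arm kept live by the `@@ -276,6 +296,9 @@` hunk still runs `memcpy(buffer + 1, key, strlen(key->string));`, which reads from `key` itself rather than `key->string` and uses a length that no visible line checks against the fixed-size `buffer`. If `key` is a `struct key *` as in eigrp_make_md5_digest (its declaration is outside the hunk), this copies structure bytes instead of the password and can write past `buffer` for a long key string. The TBD comments say only that crypto is to be fixed upstream; naming the defect would help, e.g. `/* TBD: internal path copies from key, not key->string, and does not bound the length */`. Better still, correct the source pointer and add a length check while this arm remains compiled.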
diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c index 71486a1f6..430e8ce71 100644 --- a/eigrpd/eigrp_siaquery.c +++ b/eigrpd/eigrp_siaquery.c @@ -23,7 +23,9 @@ #include "log.h" #include "sockopt.h" #include "checksum.h" +#ifdef CRYPTO_INTERNAL #include "md5.h" +#endif #include "vty.h" #include "eigrpd/eigrp_structs.h" diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c index 6c8c1ef58..b16e0fcfc 100644 --- a/eigrpd/eigrp_siareply.c +++ b/eigrpd/eigrp_siareply.c @@ -22,7 +22,9 @@ #include "log.h" #include "sockopt.h" #include "checksum.h" +#ifdef CRYPTO_INTERNAL #include "md5.h" +#endif #include "vty.h" #include "eigrpd/eigrp_structs.h" diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c index 492ef3e71..5618c3f2b 100644 --- a/eigrpd/eigrp_snmp.c +++ b/eigrpd/eigrp_snmp.c @@ -27,7 +27,9 @@ #include "log.h" #include "sockopt.h" #include "checksum.h" +#ifdef CRYPTO_INTERNAL #include "md5.h" +#endif #include "keychain.h" #include "smux.h" diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c index a056267bf..3dc8d0e56 100644 --- a/eigrpd/eigrp_update.c +++ b/eigrpd/eigrp_update.c @@ -27,7 +27,9 @@ #include "log.h" #include "sockopt.h" #include "checksum.h" +#ifdef CRYPTO_INTERNAL #include "md5.h" +#endif #include "vty.h" #include "plist.h" #include "plist_int.h" -- 2.41.0