From 90d09b061feae5e39a88c0ae51f880e82d82bb18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?=
Date: Sun, 8 Oct 2023 11:24:43 +0200
Subject: [PATCH 4/5] fips mode

---
 isisd/isis_circuit.c |  4 ++++
 isisd/isisd.c        |  4 ++++
 lib/zebra.h          |  1 +
 ospfd/ospf_vty.c     | 24 ++++++++++++++++++++++++
 ripd/rip_cli.c       |  6 ++++++
 5 files changed, 39 insertions(+)

diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
index ffa6ad3e40..8c28b17eb2 100644
--- a/isisd/isis_circuit.c
+++ b/isisd/isis_circuit.c
@@ -1543,6 +1543,10 @@ ferr_r isis_circuit_passwd_set(struct isis_circuit *circuit,
 		return ferr_code_bug(
 			"circuit password too long (max 254 chars)");
 
+	//When in FIPS mode, the password never gets set in MD5
+	if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
+		return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+
 	circuit->passwd.len = len;
 	strlcpy((char *)circuit->passwd.passwd, passwd,
 		sizeof(circuit->passwd.passwd));
diff --git a/isisd/isisd.c b/isisd/isisd.c
index b1064d8941..fbcd097f72 100644
--- a/isisd/isisd.c
+++ b/isisd/isisd.c
@@ -3040,6 +3040,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
 		if (len > 254)
 			return -1;
 
+		//When in FIPS mode, the password never get set in MD5
+		if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
+			return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+
 		modified.len = len;
 		strlcpy((char *)modified.passwd, passwd,
 			sizeof(modified.passwd));
diff --git a/lib/zebra.h b/lib/zebra.h
index ecc87f58f1..5cb7167598 100644
--- a/lib/zebra.h
+++ b/lib/zebra.h
@@ -90,6 +90,7 @@
 #ifdef CRYPTO_OPENSSL
 #include
 #include
+#include
 #endif
 
 #include "openbsd-tree.h"
diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
index 740ecb518b..d094b205b3 100644
--- a/ospfd/ospf_vty.c
+++ b/ospfd/ospf_vty.c
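Review bot: The added `FIPS_mode()` call is unconditional, but the declaration this patch depends on is only included under `#ifdef CRYPTO_OPENSSL` in the lib/zebra.h hunk, so a build configured without OpenSSL would get an implicit-declaration error on this line; the isisd.c, ospf_vty.c and rip_cli.c hunks call it the same way. I would route all of these through a single lib helper declared beside the new include, with an `#else` branch that returns false, rather than calling the OpenSSL symbol directly from each daemon. The comment and condition would also read better in the file's own style: `/* MD5 is unavailable when OpenSSL runs in FIPS mode, so refuse to store an HMAC-MD5 key. */` and `if (passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5 && FIPS_mode())`. isis_circuit_passwd_set starts and ends outside the hunk.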
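Review bot: isis_area_passwd_set is declared `static int` in the hunk header and its existing failure path two lines up is `return -1;`, yet the new line returns `ferr_cfg_invalid(...)`, the ferr_r value that isis_circuit_passwd_set returns; if ferr_r is the struct wrapper from lib/ferr.h this will not compile, and even as an integer it breaks the function's error convention. Use `return -1;` here and, if the operator-facing text matters, emit it from the CLI or northbound caller that already maps -1 to an error (those callers are outside the hunk). The comment should read `never gets set`, and the extra parentheses around `FIPS_mode()` differ from the isis_circuit.c hunk for no reason.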
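Review bot: The include added here is the only place the patch accounts for `CRYPTO_OPENSSL`, and its header name is not legible in this rendering; the callers in the other hunks use `FIPS_mode()` unconditionally, and with OpenSSL 3 that function is no longer declared at all (the replacement is `EVP_default_properties_is_fips_enabled(NULL)`), so this is the place to hide both the build option and the library version. A small inline helper next to the include keeps every daemon free of `#ifdef`s; the sketch below is one way to write it, with the 3.x branch left as a TODO since the page does not show which OpenSSL versions the tree supports.
```c
#ifdef CRYPTO_OPENSSL
/* … unchanged: existing OpenSSL includes and the one this hunk adds … */
/* True when the OpenSSL library was put into FIPS mode; MD5-based
 * authentication must be refused in that case. */
static inline bool frr_fips_mode_enabled(void)
{
	/* TODO(review): FIPS_mode() is the OpenSSL 1.x API; on 3.x use
	 * EVP_default_properties_is_fips_enabled(NULL). */
	return FIPS_mode() != 0;
}
#else
static inline bool frr_fips_mode_enabled(void)
{
	return false;
}
#endif
```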
@@ -1085,6 +1085,11 @@ DEFUN (ospf_area_vlink,
 		vl_config.keychain = argv[idx+1]->arg;
 	} else if (argv_find(argv, argc, "message-digest", &idx)) {
 		/* authentication message-digest */
+		if(FIPS_mode())
+		{
+			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+			return CMD_WARNING_CONFIG_FAILED;
+		}
 		vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
 	} else if (argv_find(argv, argc, "null", &idx)) {
 		/* "authentication null" */
@@ -1997,6 +2002,15 @@ DEFUN (ospf_area_authentication_message_digest,
 				  ? OSPF_AUTH_NULL
 				  : OSPF_AUTH_CRYPTOGRAPHIC;
 
+	if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC)
+	{
+		if(FIPS_mode())
+		{
+			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+			return CMD_WARNING_CONFIG_FAILED;
+		}
+	}
+
 	return CMD_SUCCESS;
 }
 
@@ -7621,6 +7635,11 @@ DEFUN (ip_ospf_authentication_args,
 
 	/* Handle message-digest authentication */
 	if (argv[idx_encryption]->arg[0] == 'm') {
+		if(FIPS_mode())
+		{
+			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+			return CMD_WARNING_CONFIG_FAILED;
+		}
 		SET_IF_PARAM(params, auth_type);
 		params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
 		UNSET_IF_PARAM(params, keychain_name);
@@ -7949,6 +7968,11 @@ DEFUN (ip_ospf_message_digest_key,
        "The OSPF password (key)\n"
        "Address of interface\n")
 {
+	if(FIPS_mode())
+	{
+		vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+		return CMD_WARNING_CONFIG_FAILED;
+	}
 	VTY_DECLVAR_CONTEXT(interface, ifp);
 	struct crypt_key *ck;
 	uint8_t key_id;
diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
index 097c708ab1..854a16e4e0 100644
--- a/ripd/rip_cli.c
+++ b/ripd/rip_cli.c
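Review bot: The five-line refusal block added here is repeated verbatim in the hunks at 7621 and 7949 (and in nested form at 1997), each with Allman braces and `if(` spacing that clash with the surrounding `} else if (argv_find(...)) {` K&R style of this file. A file-local helper that prints the message and reports whether to abort would reduce each site to `if (ospf_fips_rejects_md5(vty)) return CMD_WARNING_CONFIG_FAILED;` and keep the wording in one place. ospf_area_vlink starts and ends outside the hunk.
```c
/* Refuse MD5 configuration under FIPS: prints the operator message and
 * returns true when the caller must fail with CMD_WARNING_CONFIG_FAILED. */
static bool ospf_fips_rejects_md5(struct vty *vty)
{
	if (!FIPS_mode())
		return false;
	vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
	return true;
}
```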
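Review bot: In the hunk at 1997 the check runs after `area->auth_type` has already been assigned `OSPF_AUTH_CRYPTOGRAPHIC` on the lines just above it, so a rejected `area ... authentication message-digest` still leaves the area switched to MD5 authentication, which presumably then appears in running-config and governs packet handling exactly as if the command had succeeded. Move the guard ahead of the assignment, keyed on the same condition that selects `OSPF_AUTH_CRYPTOGRAPHIC` (the head of that statement is outside the hunk), and collapse the two nested ifs into `if (... && FIPS_mode()) {`. ospf_area_authentication_message_digest starts outside the hunk.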
@@ -876,6 +876,12 @@ DEFPY_YANG (ip_rip_authentication_mode,
 		value = "20";
 	}
 
+	if(strmatch(mode, "md5") && FIPS_mode())
+	{
+		vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n");
+		return CMD_WARNING_CONFIG_FAILED;
+	}
+
 	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
 			      strmatch(mode, "md5") ? "md5" : "plain-text");
 	if (strmatch(mode, "md5"))
-- 
2.41.0
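Review bot: The operator-facing string has a typo, `md5 authentication id disabled`, which also makes it differ from the message every other hunk prints; it should be `vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");`. Beyond wording, the guard sits in the CLI handler while the actual change is queued through `nb_cli_enqueue_change` on `./authentication-scheme/mode`, so configuration arriving through another northbound frontend presumably bypasses it; the validate callback for that node would be the single place to enforce the restriction. `strmatch(mode, "md5")` is also evaluated three times in a row where one local would do. ip_rip_authentication_mode starts and ends outside the hunk.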