rpms-fedora-extras/frr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
frr-9.0.0
frr/0003-disable-eigrp-crypto.patch
Zoran Peričić b1a9148fbe v9.0.1
2023-11-12 17:20:08 +01:00

274 lines
7.3 KiB
Diff
Raw Permalink Blame History

From 8ec9ddca959618ea6091711cd446ebac5b730147 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
Date: Sun, 8 Oct 2023 11:23:48 +0200
Subject: [PATCH 3/5] disable eigrp crypto
---
eigrpd/eigrp_cli.c | 15 +++++++++++++++
eigrpd/eigrp_filter.c | 2 ++
eigrpd/eigrp_hello.c | 2 ++
eigrpd/eigrp_packet.c | 27 +++++++++++++++++++++++++--
eigrpd/eigrp_query.c | 2 ++
eigrpd/eigrp_reply.c | 2 ++
eigrpd/eigrp_siaquery.c | 2 ++
eigrpd/eigrp_siareply.c | 2 ++
eigrpd/eigrp_snmp.c | 2 ++
eigrpd/eigrp_update.c | 2 ++
10 files changed, 56 insertions(+), 2 deletions(-)
diff --git a/eigrpd/eigrp_cli.c b/eigrpd/eigrp_cli.c
index 213834afc..73647937d 100644
--- a/eigrpd/eigrp_cli.c
+++ b/eigrpd/eigrp_cli.c
@@ -11,6 +11,7 @@
#include "lib/command.h"
#include "lib/log.h"
#include "lib/northbound_cli.h"
+#include "lib/libfrr.h"
#include "eigrp_structs.h"
#include "eigrpd.h"
@@ -716,6 +717,20 @@ DEFPY_YANG(
"Keyed message digest\n"
"HMAC SHA256 algorithm \n")
{
+ //EIGRP authentication is currently broken in FRR
+ switch (frr_get_cli_mode()) {
+ case FRR_CLI_CLASSIC:
+ vty_out(vty, "%% Eigrp Authentication is disabled\n\n");
+ break;
+ case FRR_CLI_TRANSACTIONAL:
+ vty_out(vty,
+ "%% Failed to edit candidate configuration - "
+ "Eigrp Authentication is disabled.\n\n");
+ break;
+ }
+
+ return CMD_WARNING_CONFIG_FAILED;
+
char xpath[XPATH_MAXLEN], xpath_auth[XPATH_MAXLEN + 64];
snprintf(xpath, sizeof(xpath), "./frr-eigrpd:eigrp/instance[asn='%s']",
diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c
index eceef6b8a..1d194be14 100644
--- a/eigrpd/eigrp_filter.c
+++ b/eigrpd/eigrp_filter.c
@@ -32,7 +32,9 @@
#include "if_rmap.h"
#include "plist.h"
#include "distribute.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "keychain.h"
#include "privs.h"
#include "vrf.h"
diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c
index 662c750e9..a3a5ec822 100644
--- a/eigrpd/eigrp_hello.c
+++ b/eigrpd/eigrp_hello.c
@@ -28,7 +28,9 @@
#include "sockopt.h"
#include "checksum.h"
#include "vty.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "eigrpd/eigrp_structs.h"
#include "eigrpd/eigrpd.h"
diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c
index 963d229bc..587eb422e 100644
--- a/eigrpd/eigrp_packet.c
+++ b/eigrpd/eigrp_packet.c
@@ -25,8 +25,10 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
#include "sha256.h"
+#endif
#include "lib_errors.h"
#include "eigrpd/eigrp_structs.h"
@@ -88,8 +90,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
struct key *key = NULL;
struct keychain *keychain;
+
unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
+#ifdef CRYPTO_OPENSSL
+#elif CRYPTO_INTERNAL
MD5_CTX ctx;
+#endif
uint8_t *ibuf;
size_t backup_get, backup_end;
struct TLV_MD5_Authentication_Type *auth_TLV;
@@ -112,6 +118,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
return EIGRP_AUTH_TYPE_NONE;
}
+#ifdef CRYPTO_OPENSSL
+//TBD when this is fixed in upstream
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
@@ -139,7 +148,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s,
}
MD5Final(digest, &ctx);
-
+#endif
/* Append md5 digest to the end of the stream. */
memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN);
@@ -155,7 +164,10 @@ int eigrp_check_md5_digest(struct stream *s,
struct TLV_MD5_Authentication_Type *authTLV,
struct eigrp_neighbor *nbr, uint8_t flags)
{
+#ifdef CRYPTO_OPENSSL
+#elif CRYPTO_INTERNAL
MD5_CTX ctx;
+#endif
unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN];
unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN];
struct key *key = NULL;
@@ -196,6 +208,9 @@ int eigrp_check_md5_digest(struct stream *s,
return 0;
}
+#ifdef CRYPTO_OPENSSL
+ //TBD when eigrpd crypto is fixed in upstream
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
MD5Init(&ctx);
@@ -223,6 +238,7 @@ int eigrp_check_md5_digest(struct stream *s,
}
MD5Final(digest, &ctx);
+#endif
/* compare the two */
if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) {
@@ -247,7 +263,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN];
unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0};
+#ifdef CRYPTO_OPENSSL
+ //TBD when eigrpd crypto is fixed in upstream
+#elif CRYPTO_INTERNAL
HMAC_SHA256_CTX ctx;
+#endif
void *ibuf;
size_t backup_get, backup_end;
struct TLV_SHA256_Authentication_Type *auth_TLV;
@@ -276,6 +296,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN);
+#ifdef CRYPTO_OPENSSL
+ //TBD when eigrpd crypto is fixed in upstream
+#elif CRYPTO_INTERNAL
memset(&ctx, 0, sizeof(ctx));
buffer[0] = '\n';
memcpy(buffer + 1, key, strlen(key->string));
@@ -284,7 +307,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s,
1 + strlen(key->string) + strlen(source_ip));
HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf));
HMAC__SHA256_Final(digest, &ctx);
-
+#endif
/* Put hmac-sha256 digest to it's place */
memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN);
diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c
index 0e206cded..4b3f4e082 100644
--- a/eigrpd/eigrp_query.c
+++ b/eigrpd/eigrp_query.c
@@ -23,7 +23,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "vty.h"
#include "eigrpd/eigrp_structs.h"
diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c
index aae89e832..1fb1f404d 100644
--- a/eigrpd/eigrp_reply.c
+++ b/eigrpd/eigrp_reply.c
@@ -27,7 +27,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "vty.h"
#include "keychain.h"
#include "plist.h"
diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c
index 71486a1f6..430e8ce71 100644
--- a/eigrpd/eigrp_siaquery.c
+++ b/eigrpd/eigrp_siaquery.c
@@ -23,7 +23,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "vty.h"
#include "eigrpd/eigrp_structs.h"
diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c
index 6c8c1ef58..b16e0fcfc 100644
--- a/eigrpd/eigrp_siareply.c
+++ b/eigrpd/eigrp_siareply.c
@@ -22,7 +22,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "vty.h"
#include "eigrpd/eigrp_structs.h"
diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c
index 492ef3e71..5618c3f2b 100644
--- a/eigrpd/eigrp_snmp.c
+++ b/eigrpd/eigrp_snmp.c
@@ -27,7 +27,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "keychain.h"
#include "smux.h"
diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c
index a056267bf..3dc8d0e56 100644
--- a/eigrpd/eigrp_update.c
+++ b/eigrpd/eigrp_update.c
@@ -27,7 +27,9 @@
#include "log.h"
#include "sockopt.h"
#include "checksum.h"
+#ifdef CRYPTO_INTERNAL
#include "md5.h"
+#endif
#include "vty.h"
#include "plist.h"
#include "plist_int.h"
--
2.41.0
Reference in New Issue View Git Blame Copy Permalink