rpms-fedora-extras/frr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
frr-9.1.0
frr/0004-fips-mode.patch
Zoran Peričić 5815fa2a24 v9.1.0
2024-01-24 10:51:16 +01:00

132 lines
4.1 KiB
Diff
Raw Permalink Blame History

From 90d09b061feae5e39a88c0ae51f880e82d82bb18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
Date: Sun, 8 Oct 2023 11:24:43 +0200
Subject: [PATCH 4/5] fips mode
---
isisd/isis_circuit.c | 4 ++++
isisd/isisd.c | 4 ++++
lib/zebra.h | 1 +
ospfd/ospf_vty.c | 24 ++++++++++++++++++++++++
ripd/rip_cli.c | 6 ++++++
5 files changed, 39 insertions(+)
diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
index ffa6ad3e40..8c28b17eb2 100644
--- a/isisd/isis_circuit.c
+++ b/isisd/isis_circuit.c
@@ -1543,6 +1543,10 @@ ferr_r isis_circuit_passwd_set(struct isis_circuit *circuit,
return ferr_code_bug(
"circuit password too long (max 254 chars)");
+ //When in FIPS mode, the password never gets set in MD5
+ if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
+ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+
circuit->passwd.len = len;
strlcpy((char *)circuit->passwd.passwd, passwd,
sizeof(circuit->passwd.passwd));
diff --git a/isisd/isisd.c b/isisd/isisd.c
index b1064d8941..fbcd097f72 100644
--- a/isisd/isisd.c
+++ b/isisd/isisd.c
@@ -3040,6 +3040,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
if (len > 254)
return -1;
+ //When in FIPS mode, the password never get set in MD5
+ if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
+ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+
modified.len = len;
strlcpy((char *)modified.passwd, passwd,
sizeof(modified.passwd));
diff --git a/lib/zebra.h b/lib/zebra.h
index ecc87f58f1..5cb7167598 100644
--- a/lib/zebra.h
+++ b/lib/zebra.h
@@ -90,6 +90,7 @@
#ifdef CRYPTO_OPENSSL
#include <openssl/evp.h>
#include <openssl/hmac.h>
+#include <openssl/fips.h>
#endif
#include "openbsd-tree.h"
diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
index 740ecb518b..d094b205b3 100644
--- a/ospfd/ospf_vty.c
+++ b/ospfd/ospf_vty.c
@@ -1085,6 +1085,11 @@ DEFUN (ospf_area_vlink,
vl_config.keychain = argv[idx+1]->arg;
} else if (argv_find(argv, argc, "message-digest", &idx)) {
/* authentication message-digest */
+ if(FIPS_mode())
+ {
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+ }
vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
} else if (argv_find(argv, argc, "null", &idx)) {
/* "authentication null" */
@@ -1997,6 +2002,15 @@ DEFUN (ospf_area_authentication_message_digest,
? OSPF_AUTH_NULL
: OSPF_AUTH_CRYPTOGRAPHIC;
+ if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC)
+ {
+ if(FIPS_mode())
+ {
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+ }
+ }
+
return CMD_SUCCESS;
}
@@ -7621,6 +7635,11 @@ DEFUN (ip_ospf_authentication_args,
/* Handle message-digest authentication */
if (argv[idx_encryption]->arg[0] == 'm') {
+ if(FIPS_mode())
+ {
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+ }
SET_IF_PARAM(params, auth_type);
params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
UNSET_IF_PARAM(params, keychain_name);
@@ -7949,6 +7968,11 @@ DEFUN (ip_ospf_message_digest_key,
"The OSPF password (key)\n"
"Address of interface\n")
{
+ if(FIPS_mode())
+ {
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+ }
VTY_DECLVAR_CONTEXT(interface, ifp);
struct crypt_key *ck;
uint8_t key_id;
diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
index 097c708ab1..854a16e4e0 100644
--- a/ripd/rip_cli.c
+++ b/ripd/rip_cli.c
@@ -876,6 +876,12 @@ DEFPY_YANG (ip_rip_authentication_mode,
value = "20";
}
+ if(strmatch(mode, "md5") && FIPS_mode())
+ {
+ vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n");
+ return CMD_WARNING_CONFIG_FAILED;
+ }
+
nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
strmatch(mode, "md5") ? "md5" : "plain-text");
if (strmatch(mode, "md5"))
--
2.41.0
Reference in New Issue View Git Blame Copy Permalink