You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
148 lines
4.0 KiB
148 lines
4.0 KiB
4 weeks ago
|
diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
|
||
|
index 631465f..e084ff3 100644
|
||
|
--- a/ospfd/ospf_vty.c
|
||
|
+++ b/ospfd/ospf_vty.c
|
||
|
@@ -7,6 +7,10 @@
|
||
|
#include <zebra.h>
|
||
|
#include <string.h>
|
||
|
|
||
|
+#ifdef CRYPTO_OPENSSL
|
||
|
+#include <openssl/fips.h>
|
||
|
+#endif
|
||
|
+
|
||
|
#include "printfrr.h"
|
||
|
#include "monotime.h"
|
||
|
#include "memory.h"
|
||
|
@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
|
||
|
vl_config.keychain = argv[idx+1]->arg;
|
||
|
} else if (argv_find(argv, argc, "message-digest", &idx)) {
|
||
|
/* authentication message-digest */
|
||
|
+ if(FIPS_mode())
|
||
|
+ {
|
||
|
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
|
||
|
+ return CMD_WARNING_CONFIG_FAILED;
|
||
|
+ }
|
||
|
vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
|
||
|
} else if (argv_find(argv, argc, "null", &idx)) {
|
||
|
/* "authentication null" */
|
||
|
@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest,
|
||
|
? OSPF_AUTH_NULL
|
||
|
: OSPF_AUTH_CRYPTOGRAPHIC;
|
||
|
|
||
|
+ if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC)
|
||
|
+ {
|
||
|
+ if(FIPS_mode())
|
||
|
+ {
|
||
|
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
|
||
|
+ return CMD_WARNING_CONFIG_FAILED;
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
return CMD_SUCCESS;
|
||
|
}
|
||
|
|
||
|
@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args,
|
||
|
|
||
|
/* Handle message-digest authentication */
|
||
|
if (argv[idx_encryption]->arg[0] == 'm') {
|
||
|
+ if(FIPS_mode())
|
||
|
+ {
|
||
|
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
|
||
|
+ return CMD_WARNING_CONFIG_FAILED;
|
||
|
+ }
|
||
|
SET_IF_PARAM(params, auth_type);
|
||
|
params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
|
||
|
UNSET_IF_PARAM(params, keychain_name);
|
||
|
@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
|
||
|
"The OSPF password (key)\n"
|
||
|
"Address of interface\n")
|
||
|
{
|
||
|
+ if(FIPS_mode())
|
||
|
+ {
|
||
|
+ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
|
||
|
+ return CMD_WARNING_CONFIG_FAILED;
|
||
|
+ }
|
||
|
VTY_DECLVAR_CONTEXT(interface, ifp);
|
||
|
struct crypt_key *ck;
|
||
|
uint8_t key_id;
|
||
|
diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
|
||
|
index 81b4b39..cce33d9 100644
|
||
|
--- a/isisd/isis_circuit.c
|
||
|
+++ b/isisd/isis_circuit.c
|
||
|
@@ -13,6 +13,10 @@
|
||
|
#include <netinet/if_ether.h>
|
||
|
#endif
|
||
|
|
||
|
+#ifdef CRYPTO_OPENSSL
|
||
|
+#include <openssl/fips.h>
|
||
|
+#endif
|
||
|
+
|
||
|
#include "log.h"
|
||
|
#include "memory.h"
|
||
|
#include "vrf.h"
|
||
|
@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
|
||
|
return ferr_code_bug(
|
||
|
"circuit password too long (max 254 chars)");
|
||
|
|
||
|
+ //When in FIPS mode, the password never gets set in MD5
|
||
|
+ if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
|
||
|
+ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
|
||
|
+
|
||
|
circuit->passwd.len = len;
|
||
|
strlcpy((char *)circuit->passwd.passwd, passwd,
|
||
|
sizeof(circuit->passwd.passwd));
|
||
|
diff --git a/isisd/isisd.c b/isisd/isisd.c
|
||
|
index 419127c..a6c36af 100644
|
||
|
--- a/isisd/isisd.c
|
||
|
+++ b/isisd/isisd.c
|
||
|
@@ -9,6 +9,10 @@
|
||
|
|
||
|
#include <zebra.h>
|
||
|
|
||
|
+#ifdef CRYPTO_OPENSSL
|
||
|
+#include <openssl/fips.h>
|
||
|
+#endif
|
||
|
+
|
||
|
#include "frrevent.h"
|
||
|
#include "vty.h"
|
||
|
#include "command.h"
|
||
|
@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
|
||
|
if (len > 254)
|
||
|
return -1;
|
||
|
|
||
|
+ //When in FIPS mode, the password never get set in MD5
|
||
|
+ if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
|
||
|
+ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
|
||
|
+
|
||
|
modified.len = len;
|
||
|
strlcpy((char *)modified.passwd, passwd,
|
||
|
sizeof(modified.passwd));
|
||
|
diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
|
||
|
index 5bb81ef..02a09ef 100644
|
||
|
--- a/ripd/rip_cli.c
|
||
|
+++ b/ripd/rip_cli.c
|
||
|
@@ -7,6 +7,10 @@
|
||
|
|
||
|
#include <zebra.h>
|
||
|
|
||
|
+#ifdef CRYPTO_OPENSSL
|
||
|
+#include <openssl/fips.h>
|
||
|
+#endif
|
||
|
+
|
||
|
#include "if.h"
|
||
|
#include "if_rmap.h"
|
||
|
#include "vrf.h"
|
||
|
@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
|
||
|
value = "20";
|
||
|
}
|
||
|
|
||
|
+ if(strmatch(mode, "md5") && FIPS_mode())
|
||
|
+ {
|
||
|
+ vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n");
|
||
|
+ return CMD_WARNING_CONFIG_FAILED;
|
||
|
+ }
|
||
|
+
|
||
|
nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
|
||
|
strmatch(mode, "md5") ? "md5" : "plain-text");
|
||
|
if (strmatch(mode, "md5"))
|