Upgrade frr to version 10.5.0 (#15879)

Author: realsdx

SPECS/frr/0001-enable-openssl.patch

@@ -1,44 +1,8 @@
-diff --git a/lib/subdir.am b/lib/subdir.am
-index 0b7af18..0533e24 100644
---- a/lib/subdir.am
-+++ b/lib/subdir.am
-@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \
- 	lib/log.c \
- 	lib/log_filter.c \
- 	lib/log_vty.c \
--	lib/md5.c \
- 	lib/memory.c \
- 	lib/mgmt_be_client.c \
- 	lib/mgmt_fe_client.c \
-@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \
- 	lib/routemap_northbound.c \
- 	lib/sbuf.c \
- 	lib/seqlock.c \
--	lib/sha256.c \
- 	lib/sigevent.c \
- 	lib/skiplist.c \
- 	lib/sockopt.c \
-@@ -170,7 +170,6 @@ pkginclude_HEADERS += \
- 	lib/link_state.h \
- 	lib/log.h \
- 	lib/log_vty.h \
--	lib/md5.h \
- 	lib/memory.h \
- 	lib/mgmt.pb-c.h \
- 	lib/mgmt_be_client.h \
-@@ -191,7 +190,6 @@ pkginclude_HEADERS += \
- 	lib/route_opaque.h \
- 	lib/sbuf.h \
- 	lib/seqlock.h \
--	lib/sha256.h \
- 	lib/sigevent.h \
- 	lib/skiplist.h \
- 	lib/smux.h \
 diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
-index 1991666..2e4fe55 100644
+index e3e4916..04118dd 100644
 --- a/isisd/isis_lsp.c
 +++ b/isisd/isis_lsp.c
-@@ -35,7 +35,9 @@
+@@ -22,7 +22,9 @@
  #include "hash.h"
  #include "if.h"
  #include "checksum.h"
@@ -49,10 +13,10 @@ index 1991666..2e4fe55 100644
  #include "srcdest_table.h"
  #include "lib_errors.h"
 diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c
-index 9c63311..7cf594c 100644
+index 1a3142e..7e7aba3 100644
 --- a/isisd/isis_pdu.c
 +++ b/isisd/isis_pdu.c
-@@ -33,7 +33,9 @@
+@@ -20,7 +20,9 @@
  #include "prefix.h"
  #include "if.h"
  #include "checksum.h"
@@ -63,10 +27,10 @@ index 9c63311..7cf594c 100644
 
  #include "isisd/isis_constants.h"
 diff --git a/isisd/isis_te.c b/isisd/isis_te.c
-index 4ea6c2c..72ff0d2 100644
+index cf92ae4..91c21b7 100644
 --- a/isisd/isis_te.c
 +++ b/isisd/isis_te.c
-@@ -38,7 +38,9 @@
+@@ -24,7 +24,9 @@
  #include "if.h"
  #include "vrf.h"
  #include "checksum.h"
@@ -76,3 +40,39 @@ index 4ea6c2c..72ff0d2 100644
  #include "sockunion.h"
  #include "network.h"
  #include "sbuf.h"
+diff --git a/lib/subdir.am b/lib/subdir.am
+index 44090e6..a598fe4 100644
+--- a/lib/subdir.am
++++ b/lib/subdir.am
+@@ -70,7 +70,6 @@ lib_libfrr_la_SOURCES = \
+ 	lib/log_filter.c \
+ 	lib/log_nb.c \
+ 	lib/log_vty.c \
+-	lib/md5.c \
+ 	lib/memory.c \
+ 	lib/mgmt_be_client.c \
+ 	lib/mgmt_fe_client.c \
+@@ -105,7 +104,6 @@ lib_libfrr_la_SOURCES = \
+ 	lib/routemap_northbound.c \
+ 	lib/sbuf.c \
+ 	lib/seqlock.c \
+-	lib/sha256.c \
+ 	lib/sigevent.c \
+ 	lib/skiplist.c \
+ 	lib/sockopt.c \
+@@ -257,7 +255,6 @@ nobase_pkginclude_HEADERS += \
+ 	lib/link_state.h \
+ 	lib/log.h \
+ 	lib/log_vty.h \
+-	lib/md5.h \
+ 	lib/memory.h \
+ 	lib/mgmt_be_client.h \
+ 	lib/mgmt_defines.h \
+@@ -292,7 +289,6 @@ nobase_pkginclude_HEADERS += \
+ 	lib/route_opaque.h \
+ 	lib/sbuf.h \
+ 	lib/seqlock.h \
+-	lib/sha256.h \
+ 	lib/sigevent.h \
+ 	lib/skiplist.h \
+ 	lib/smux.h \

SPECS/frr/0003-fips-mode.patch

@@ -1,115 +1,147 @@
+diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
+index 22ef39f..a31ccc5 100644
+--- a/isisd/isis_circuit.c
++++ b/isisd/isis_circuit.c
+@@ -13,6 +13,10 @@
+ #include <netinet/if_ether.h>
+ #endif
+ 
++#ifdef CRYPTO_OPENSSL
++#include <openssl/evp.h>
++#endif
++
+ #include "log.h"
+ #include "memory.h"
+ #include "vrf.h"
+@@ -1536,6 +1540,10 @@ ferr_r isis_circuit_passwd_set(struct isis_circuit *circuit,
+ 		return ferr_code_bug(
+ 			"circuit password too long (max 254 chars)");
+ 
++
++	//When in FIPS mode, the password never gets set in MD5
++	if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && EVP_default_properties_is_fips_enabled(NULL))
++		return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+ 	circuit->passwd.len = len;
+ 	strlcpy((char *)circuit->passwd.passwd, passwd,
+ 		sizeof(circuit->passwd.passwd));
+diff --git a/isisd/isisd.c b/isisd/isisd.c
+index 78fbbe1..b7cf6fb 100644
+--- a/isisd/isisd.c
++++ b/isisd/isisd.c
+@@ -9,6 +9,10 @@
+ 
+ #include <zebra.h>
+ 
++
++#ifdef CRYPTO_OPENSSL
++#include <openssl/evp.h>
++#endif
+ #include "frrevent.h"
+ #include "vty.h"
+ #include "command.h"
+@@ -3087,6 +3091,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
+ 		if (len > 254)
+ 			return -1;
+ 
++
++		//When in FIPS mode, the password never get set in MD5
++		if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (EVP_default_properties_is_fips_enabled(NULL)))
++			return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
+ 		modified.len = len;
+ 		strlcpy((char *)modified.passwd, passwd,
+ 			sizeof(modified.passwd));
 diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
-index 631465f..e084ff3 100644
+index 26b3949..f27e6b6 100644
 --- a/ospfd/ospf_vty.c
 +++ b/ospfd/ospf_vty.c
-@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
+@@ -7,6 +7,10 @@
+ #include <zebra.h>
+ #include <string.h>
+ 
++#ifdef CRYPTO_OPENSSL
++#include <openssl/evp.h>
++#endif
++
+ #include "printfrr.h"
+ #include "monotime.h"
+ #include "memory.h"
+@@ -1105,6 +1109,11 @@ DEFUN (ospf_area_vlink,
  		vl_config.keychain = argv[idx+1]->arg;
  	} else if (argv_find(argv, argc, "message-digest", &idx)) {
  		/* authentication message-digest */
-+		if(FIPS_mode())
++		if(EVP_default_properties_is_fips_enabled(NULL))
 +		{
 +			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
 +			return CMD_WARNING_CONFIG_FAILED;
 +		}
  		vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
  	} else if (argv_find(argv, argc, "null", &idx)) {
  		/* "authentication null" */
-@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest,
+@@ -2024,6 +2033,15 @@ DEFUN (ospf_area_authentication_message_digest,
  				  ? OSPF_AUTH_NULL
  				  : OSPF_AUTH_CRYPTOGRAPHIC;
 
++
 +	if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC)
 +	{
-+		if(FIPS_mode())
++		if(EVP_default_properties_is_fips_enabled(NULL))
 +		{
 +			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
 +			return CMD_WARNING_CONFIG_FAILED;
 +		}
 +	}
-+
  	return CMD_SUCCESS;
  }
 
-@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args,
+@@ -7446,6 +7464,11 @@ DEFUN (ip_ospf_authentication_args,
 
  	/* Handle message-digest authentication */
  	if (argv[idx_encryption]->arg[0] == 'm') {
-+		if(FIPS_mode())
++		if(EVP_default_properties_is_fips_enabled(NULL))
 +		{
 +			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
 +			return CMD_WARNING_CONFIG_FAILED;
 +		}
  		SET_IF_PARAM(params, auth_type);
  		params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
  		UNSET_IF_PARAM(params, keychain_name);
-@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
+@@ -7776,6 +7799,11 @@ DEFUN (ip_ospf_message_digest_key,
         "The OSPF password (key)\n"
         "Address of interface\n")
  {
-+	if(FIPS_mode())
++	if(EVP_default_properties_is_fips_enabled(NULL))
 +	{
 +		vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
 +		return CMD_WARNING_CONFIG_FAILED;
 +	}
  	VTY_DECLVAR_CONTEXT(interface, ifp);
  	struct crypt_key *ck;
  	uint8_t key_id;
-diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
-index 81b4b39..cce33d9 100644
---- a/isisd/isis_circuit.c
-+++ b/isisd/isis_circuit.c
-@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
- 		return ferr_code_bug(
- 			"circuit password too long (max 254 chars)");
- 
-+	//When in FIPS mode, the password never gets set in MD5
-+	if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
-+		return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
-+
- 	circuit->passwd.len = len;
- 	strlcpy((char *)circuit->passwd.passwd, passwd,
- 		sizeof(circuit->passwd.passwd));
-diff --git a/isisd/isisd.c b/isisd/isisd.c
-index 419127c..a6c36af 100644
---- a/isisd/isisd.c
-+++ b/isisd/isisd.c
-@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
- 		if (len > 254)
- 			return -1;
- 
-+		//When in FIPS mode, the password never get set in MD5
-+		if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
-+			return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
-+
- 		modified.len = len;
- 		strlcpy((char *)modified.passwd, passwd,
- 			sizeof(modified.passwd));
 diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
-index 5bb81ef..02a09ef 100644
+index 7540f98..a010b64 100644
 --- a/ripd/rip_cli.c
 +++ b/ripd/rip_cli.c
-@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
+@@ -7,6 +7,10 @@
+ 
+ #include <zebra.h>
+ 
++
++#ifdef CRYPTO_OPENSSL
++#include <openssl/evp.h>
++#endif
+ #include "if.h"
+ #include "if_rmap.h"
+ #include "vrf.h"
+@@ -903,6 +907,12 @@ DEFPY_YANG (ip_rip_authentication_mode,
  			value = "20";
  	}
 
-+	if(strmatch(mode, "md5") && FIPS_mode())
++
++	if(strmatch(mode, "md5") && EVP_default_properties_is_fips_enabled(NULL))
 +	{
 +		vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n");
 +		return CMD_WARNING_CONFIG_FAILED;
 +	}
-+
  	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
  			      strmatch(mode, "md5") ? "md5" : "plain-text");
  	if (strmatch(mode, "md5"))
-diff --git a/lib/zebra.h b/lib/zebra.h
-index 53ae5b4..930307f 100644
---- a/lib/zebra.h
-+++ b/lib/zebra.h
-@@ -114,6 +114,7 @@
- #ifdef CRYPTO_OPENSSL
- #include <openssl/evp.h>
- #include <openssl/hmac.h>
-+#include <openssl/fips.h>
- #endif
-
- #include "openbsd-tree.h"

SPECS/frr/0004-remove-grpc-test.patch

@@ -1,13 +1,12 @@
 diff --git a/tests/lib/subdir.am b/tests/lib/subdir.am
-index 7b5eaa4..5c82f69 100644
+index ca74306..9b0980f 100644
 --- a/tests/lib/subdir.am
 +++ b/tests/lib/subdir.am
-@@ -18,18 +18,6 @@ tests_lib_test_frrscript_SOURCES = tests/lib/test_frrscript.c
- 	test -e tests/lib/script1.lua || \
+@@ -25,20 +25,6 @@ copy_script: tests/lib/script1.lua
  	$(INSTALL_SCRIPT) $< tests/lib/script1.lua
 
--##############################################################################
--GRPC_TESTS_LDADD = staticd/libstatic.a grpc/libfrrgrpc_pb.la -lgrpc++ -lprotobuf $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
+ ##############################################################################
+-GRPC_TESTS_LDADD = mgmtd/libmgmt_be_nb.la staticd/libstatic.a grpc/libfrrgrpc_pb.la $(GRPC_LIBS) $(ALL_TESTS_LDADD) $(LIBYANG_LIBS) -lm
 -
 -if GRPC
 -check_PROGRAMS += tests/lib/test_grpc
@@ -16,8 +15,11 @@ index 7b5eaa4..5c82f69 100644
 -tests_lib_test_grpc_CPPFLAGS = $(TESTS_CPPFLAGS)
 -tests_lib_test_grpc_LDADD = $(GRPC_TESTS_LDADD)
 -tests_lib_test_grpc_SOURCES = tests/lib/test_grpc.cpp
+-nodist_tests_lib_test_grpc_SOURCES = \
+-	yang/frr-bfdd.yang.c \
+-	yang/frr-staticd.yang.c \
+-	# end
 -
--
+ 
  ##############################################################################
  if ZEROMQ
- check_PROGRAMS += tests/lib/test_zmq