Blame SOURCES/0004-fips-mode.patch

c0b7e4
diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c
c0b7e4
index 631465f..e084ff3 100644
c0b7e4
--- a/ospfd/ospf_vty.c
c0b7e4
+++ b/ospfd/ospf_vty.c
c0b7e4
@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink,
c0b7e4
 
c0b7e4
 	if (argv_find(argv, argc, "message-digest", &idx)) {
c0b7e4
 		/* authentication message-digest */
c0b7e4
+		if(FIPS_mode())
c0b7e4
+		{
c0b7e4
+			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
c0b7e4
+			return CMD_WARNING_CONFIG_FAILED;
c0b7e4
+		}
c0b7e4
 		vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
c0b7e4
 	} else if (argv_find(argv, argc, "null", &idx)) {
c0b7e4
 		/* "authentication null" */
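Review bot: The four-line `if(FIPS_mode())` block added in this branch is repeated verbatim in the three later hunks of this file (ospf_area_authentication_message_digest, ip_ospf_authentication_args, ip_ospf_message_digest_key), so the message text and return code can drift apart between copies. A file-local helper that prints the message and reports whether MD5 is blocked would keep the policy in one place. It is also the natural spot for a build guard, because `FIPS_mode()` is an OpenSSL 1.x call that upstream OpenSSL 3.0 no longer provides, and no include or `#ifdef` for it is visible in these hunks. The missing space after `if` and the brace on its own line also differ from the surrounding `if (...) {` style. ospf_area_vlink starts and ends outside the hunk.

```c
/* Returns true, after telling the user, when FIPS mode forbids MD5 auth. */
static bool ospf_md5_blocked_by_fips(struct vty *vty)
{
	if (!FIPS_mode())
		return false;
	vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
	return true;
}

/* … unchanged: DEFUN (ospf_area_vlink, … up to the message-digest branch … */
	if (argv_find(argv, argc, "message-digest", &idx)) {
		/* authentication message-digest */
		if (ospf_md5_blocked_by_fips(vty))
			return CMD_WARNING_CONFIG_FAILED;
```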
c0b7e4
@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest,
c0b7e4
 				  ? OSPF_AUTH_NULL
c0b7e4
 				  : OSPF_AUTH_CRYPTOGRAPHIC;
c0b7e4
 
c0b7e4
+	if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC)
c0b7e4
+	{
c0b7e4
+		if(FIPS_mode())
c0b7e4
+		{
c0b7e4
+			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
c0b7e4
+			return CMD_WARNING_CONFIG_FAILED;
c0b7e4
+		}
c0b7e4
+	}
c0b7e4
+
c0b7e4
 	return CMD_SUCCESS;
c0b7e4
 }
c0b7e4
 
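Review bot: The FIPS check runs after the `? OSPF_AUTH_NULL : OSPF_AUTH_CRYPTOGRAPHIC;` assignment, so when it fires the command returns CMD_WARNING_CONFIG_FAILED while `area->auth_type` appears to stay at OSPF_AUTH_CRYPTOGRAPHIC. The start of that assignment is outside the hunk, so the target is inferred from the added check reading `area->auth_type` immediately afterwards. A rejected command should leave no state behind: test `FIPS_mode()` before the assignment, on the path that would select OSPF_AUTH_CRYPTOGRAPHIC, rather than after it. If the check has to stay where it is, restore the previous value before the `return`, for example by saving it in a local ahead of the assignment.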
c0b7e4
@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args,
c0b7e4
 
c0b7e4
 	/* Handle message-digest authentication */
c0b7e4
 	if (argv[idx_encryption]->arg[0] == 'm') {
c0b7e4
+		if(FIPS_mode())
c0b7e4
+		{
c0b7e4
+			vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
c0b7e4
+			return CMD_WARNING_CONFIG_FAILED;
c0b7e4
+		}
c0b7e4
 		SET_IF_PARAM(params, auth_type);
c0b7e4
 		params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC;
c0b7e4
 		return CMD_SUCCESS;
c0b7e4
@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key,
c0b7e4
        "The OSPF password (key)\n"
c0b7e4
        "Address of interface\n")
c0b7e4
 {
c0b7e4
+	if(FIPS_mode())
c0b7e4
+	{
c0b7e4
+		vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");
c0b7e4
+		return CMD_WARNING_CONFIG_FAILED;
c0b7e4
+	}
c0b7e4
 	VTY_DECLVAR_CONTEXT(interface, ifp);
c0b7e4
 	struct crypt_key *ck;
c0b7e4
 	uint8_t key_id;
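Review bot: The added block is a statement with a `return` placed ahead of `VTY_DECLVAR_CONTEXT(interface, ifp);` and the `ck` / `key_id` declarations, so code now precedes the function's declarations. Moving the check below the declarations avoids declaration-after-statement warnings where the build enables them, and matches where the other hunks in this file put the check. A one-line comment such as `/* MD5 keys cannot be configured while OpenSSL reports FIPS mode */` would explain the early exit. This hunk only guards the command that adds a key; whether keys already present in a running configuration are still used for packet authentication is not visible here. The function body continues outside the hunk.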
c0b7e4
diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c
c0b7e4
index 81b4b39..cce33d9 100644
c0b7e4
--- a/isisd/isis_circuit.c
c0b7e4
+++ b/isisd/isis_circuit.c
c0b7e4
@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit,
c0b7e4
 		return ferr_code_bug(
c0b7e4
 			"circuit password too long (max 254 chars)");
c0b7e4
 
c0b7e4
+	//When in FIPS mode, the password never gets set in MD5
c0b7e4
+	if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode())
c0b7e4
+		return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
c0b7e4
+
c0b7e4
 	circuit->passwd.len = len;
c0b7e4
 	strncpy((char *)circuit->passwd.passwd, passwd, 255);
c0b7e4
 	circuit->passwd.type = passwd_type;
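Review bot: The added comment `//When in FIPS mode, the password never gets set in MD5` is hard to read and uses a `//` comment where the surrounding code in this patch uses `/* */`. Something like `/* Reject HMAC-MD5 circuit passwords while OpenSSL reports FIPS mode. */` states what the check does. The same comment, with a grammar slip ("never get set"), appears in the isisd/isisd.c hunk and would take the same wording. The check itself sits before any field of `circuit->passwd` is written, which is the right order. isis_circuit_passwd_set starts and ends outside the hunk.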
c0b7e4
diff --git a/isisd/isisd.c b/isisd/isisd.c
c0b7e4
index 419127c..a6c36af 100644
c0b7e4
--- a/isisd/isisd.c
c0b7e4
+++ b/isisd/isisd.c
c0b7e4
@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level,
c0b7e4
 		if (len > 254)
c0b7e4
 			return -1;
c0b7e4
 
c0b7e4
+		//When in FIPS mode, the password never get set in MD5
c0b7e4
+		if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode()))
c0b7e4
+			return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled");
c0b7e4
+
c0b7e4
 		modified.len = len;
c0b7e4
 		strncpy((char *)modified.passwd, passwd, 255);
c0b7e4
 		modified.type = passwd_type;
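Review bot: The new rejection path returns `ferr_cfg_invalid(...)` while the length check two lines above returns a bare `-1`, so isis_area_passwd_set now has two error conventions in one function. Callers are not visible in this hunk; if they only test for a non-zero result and never print the ferr text, the operator gets a failure with no mention of FIPS. Either confirm the callers surface the ferr message, or convert the `len > 254` path to the same ferr style so both failures are reported consistently. The function starts and ends outside the hunk.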
c0b7e4
diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c
c0b7e4
index 5bb81ef..02a09ef 100644
c0b7e4
--- a/ripd/rip_cli.c
c0b7e4
+++ b/ripd/rip_cli.c
c0b7e4
@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode,
c0b7e4
 			value = "20";
c0b7e4
 	}
c0b7e4
 
c0b7e4
+	if(strmatch(mode, "md5") && FIPS_mode())
c0b7e4
+	{
c0b7e4
+		vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n");
c0b7e4
+		return CMD_WARNING_CONFIG_FAILED;
c0b7e4
+	}
c0b7e4
+
c0b7e4
 	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
c0b7e4
 			      strmatch(mode, "md5") ? "md5" : "plain-text");
c0b7e4
 	nb_cli_enqueue_change(vty, "./authentication-scheme/md5-auth-length",
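Review bot: The message in this hunk reads `md5 authentication id disabled`, where the other six copies in the patch say `is disabled`. It should be `vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n");`. The check also lives in the CLI wrapper ahead of `nb_cli_enqueue_change`, so a change to `./authentication-scheme/mode` arriving through another northbound client would presumably not pass through it. The northbound callback is not in this diff, so that should be confirmed, and the restriction enforced there if it is meant to be a policy rather than a CLI hint. `strmatch(mode, "md5")` is now evaluated here and again in the enqueue call; a local `bool` would avoid the repeat. The last statement of the hunk continues outside it.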