Since the new version 9.1, RFC 5709 OSPFv2 HMAC-SHA Cryptographic Authentication can be used - https://github.com/FRRouting/frr/pull/14398. It works well, but in the standard release the package is built without the --with-crypto=openssl parameter and therefore HMAC-SHA-384 and HMAC-SHA-512 cannot be used.
So I built my own build with --with-crypto=openssl, but then HMAC doesn't work at all.
To Reproduce
Use the current version of Debian 12.
Create an FRR package with the parameter --with-crypto=openssl
Try applying for example:
root@apu2:~# vtysh
Hello, this is FRRouting (version 9.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
apu2# show running-config
Building configuration...
Current configuration:
!
frr version 9.1
frr defaults traditional
hostname apu2
log syslog informational
service integrated-vtysh-config
!
key chain mypass
 key 1
  cryptographic-algorithm hmac-sha-256
  key-string fsdfsdfsdfsdgsdg
 exit
exit
!
interface enp0s3
 ip ospf authentication key-chain mypass
exit
!
router ospf
 ospf router-id 10.20.30.6
 network 10.20.30.0/26 area 0.0.0.0
exit
!
end
Result
OSPF will crash ... if you want to enable ip ospf authentication via vtysh, so:
apu2(config-if)# ip ospf authentication key-chain mypass
apu2(config-if)# exit
apu2(config)# exit
Warning: closing connection to ospfd because of an I/O error!
Warning: connecting to ospfd...failed!
Note
I could be wrong, and if I am, I apologize in advance. Another oddity is that I use --with-crypto=openssl on Arch Linux and everything works fine there: HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512. So it looks like a Debian-based problem.
This issue is stale because it has been open 180 days with no activity. Comment or remove the autoclose label in order to avoid having this issue closed.
Versions
FRR 9.1 built from git - stable/9.1 - 0e022f37cc97f87d8ac79f95f85d5d07f386d4d3
Debian 12 - 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux