keychain with md5 doesn't work on newer Linux
mwinter-osr opened this issue · comments
Seen on latest master as of May 3, 2024 (git sha 53820a5)
The topotest test_keychain fails on Debian 12 and Ubuntu 24.04 (It does work on Debian 10 and Ubuntu 18.04, unknown on others):
```
test_keychain: test_send_accept
AssertionError: assert False
+ where False = is_key_active(<lib.topogen.TopoRouter object at 0x7fb3f89a50>, 'kc', 1, 0)
E AssertionError: assert False
+ where False = is_key_active(<lib.topogen.TopoRouter object at 0x7fb3f89a50>, 'kc', 1, 0)
```
The issue can be seen in the router logs of the topotest:
```
r1# conf t
r1(config)# key chain kc
r1(config-keychain)# key 1
r1(config-keychain-key)# key-string theSecret
r1(config-keychain-key)# crypto-algorithm md5
% Unknown command: crypto-algorithm md5
r1(config-keychain-key)# exit
r1(config-keychain)# exit
r1(config)#
```
My guess (not verified) is that the lib used doesn't support md5 anymore on newer systems.
This is probably related to #8443
```
cryptographic_algorithm,
cryptographic_algorithm_cmd,
"cryptographic-algorithm "
"<md5|hmac-sha-1|hmac-sha-256|hmac-sha-384|hmac-sha-512>$algo",
"Cryptographic-algorithm\n"
"Use MD5 algorithm\n"
"Use HMAC-SHA-1 algorithm\n"
"Use HMAC-SHA-256 algorithm\n"
"Use HMAC-SHA-384 algorithm\n"
"Use HMAC-SHA-512 algorithm\n")
{
nb_cli_enqueue_change(vty, "./crypto-algorithm", NB_OP_CREATE, algo);
return nb_cli_apply_changes(vty, NULL);
}
```
Seems to work just fine on Ubuntu 24.04 LTS with the official FRR 10.0 package (for Ubuntu 22.04) from deb.frrouting.org.
@mwinter-osr shouldn't it be `cryptographic-algorithm md5`?
Not sure why this test is failing on Ubuntu 24.04; this may be a red herring. The configuration error has always been present; however, the test is not actually testing the hash algorithm, but when the keys are enabled, which still functioned correctly.
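
A test that asserts only on key activation does not notice an authentication command that the CLI rejected. As an added example (not part of this thread or of FRR's topotests), the Python check below scans a captured vtysh session for `% ...` replies and reports which key chain and key were being edited. The function names are hypothetical, and treating every line that starts with `% ` as a rejection is an assumption.

```python
import re

# Constructed input: the vtysh session quoted in the issue above.
SAMPLE_LOG = """\
r1# conf t
r1(config)# key chain kc
r1(config-keychain)# key 1
r1(config-keychain-key)# key-string theSecret
r1(config-keychain-key)# crypto-algorithm md5
% Unknown command: crypto-algorithm md5
r1(config-keychain-key)# exit
r1(config-keychain)# exit
r1(config)#
"""

# host, optional "(mode)", then "#" and the typed command
PROMPT = re.compile(r"^(?P<host>[\w.-]+)(?:\((?P<mode>[\w-]+)\))?# ?(?P<cmd>.*)$")

def find_rejected_commands(log):
    """Pair each '% ...' reply with the command typed just before it."""
    findings, last, chain, key = [], None, None, None
    for lineno, line in enumerate(log.splitlines(), start=1):
        m = PROMPT.match(line)
        if m:
            mode, cmd = m["mode"] or "enable", m["cmd"].strip()
            # Track which key chain / key the session is currently editing.
            if mode == "config" and cmd.startswith("key chain "):
                chain, key = cmd.split()[2], None
            elif mode == "config-keychain" and re.fullmatch(r"key \d+", cmd):
                key = cmd.split()[1]
            last = (lineno, mode, cmd) if cmd else None
        elif line.startswith("% ") and last:
            in_chain = last[1].startswith("config-keychain")
            findings.append({
                "line": last[0], "mode": last[1], "command": last[2],
                "reply": line[2:],
                "keychain": chain if in_chain else None,
                "key": key if last[1] == "config-keychain-key" else None,
            })
            last = None
    return findings

def assert_config_applied(log):
    """Raise if the CLI rejected any command in the captured session."""
    bad = find_rejected_commands(log)
    if bad:
        raise AssertionError("; ".join(
            f"line {f['line']} [{f['mode']}] {f['command']!r}: {f['reply']}"
            for f in bad))
```
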