Support sha-256/sha-512 based HMAC algorithms for OSPF authentication

[nmaludy]

Describe the Feature
We've been doing a POC of FRR and noticed that the only supported HMAC algorithm for OSPF authentication is MD5. Unfortunately MD5 is not allowed and disabled by the kernel when enabling FIPS mode on RHEL systems: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

Alternatively, sha-256 and sha-512 are supported HMAC algorithsm when FIPS mode is enabled. My feature request is to add support for these HMAC algorithms for OSPF authentication.

Thanks!

Versions

• OS Version: RHEL 8
• Kernel: 4.18.0-294.el8.x86_64
• FRR Version: 7.5.1

[jbrown8380]

I'd like to second this request.

As an alternative, would it be possible to configure/build FRR such that it implements its own internal MD5 function? This way it doesn't attempt to pass the task down to the kernel to perform the verification.

Another idea could be to implement the same kind of workaround that FreeRADIUS provides. They implement an override by editing the radiusd.service. Their solution involves the following steps:

~# mkdir /etc/systemd/system/radiusd.service.d

~# cat /etc/systemd/system/radiusd.service.d/fips.conf
[Service]
Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1

~# systemd daemon-reload
~# systemd start radiusd.service

This allows FreeRADIUS to support MD5 authentication even when FIPS has been enabled on the machine.

[mdidomenico4]

tagging along, i also bumped into this today

[choppsv1]

More algorithms are now supported in versions 9.1 stable and beyond

  hmac-sha-1    Use HMAC-SHA-1 algorithm
  hmac-sha-256  Use HMAC-SHA-256 algorithm
  hmac-sha-384  Use HMAC-SHA-384 algorithm
  hmac-sha-512  Use HMAC-SHA-512 algorithm
  md5           Use MD5 algorithm