pfSense

On pfSense Plus 23.01, Plus 23.05 snapshots, and CE 2.7.0 snapshots, it appears that the CARP password is not being respected.

On 22.05 and earlier releases, changing a CARP VIP password on the secondary node would cause both nodes to take over MASTER status since they were not able to authenticate messages from their peer. On FreeBSD 14-based builds, the two nodes continue to act as if they have a matching password, taking MASTER and BACKUP roles as circumstances require.

A packet capture shows both old and new builds have "authlen" set when parsed as CARP.

It's not clear if it's related, but when looking at the keying material with ifconfig -k, older releases printed the actual password while FreeBSD 14 builds print junk data:

22.05:

: ifconfig -k igb1
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
[...]
    inet 198.51.100.16 netmask 0xffffff00 broadcast 198.51.100.255
    inet 198.51.100.210 netmask 0xffffff00 broadcast 198.51.100.255 vhid 210
    carp: MASTER vhid 210 advbase 1 advskew 1 key "aaaaaa" 
[...]

Builds based on FreeBSD 14 print junk for the key:

: ifconfig -k vtnet1
vtnet1: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
[...]
    inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 1 key "���" 
          peer 224.0.0.18 peer6 ff02::12
[...]