sasyncd.conf parser bug - "no shared key specified"


sasyncd.conf parser bug - "no shared key specified"

Andrew Daugherity
>Synopsis:      sasyncd.conf parse error - "no shared key specified"
>Category:      user
>Environment:
        System      : OpenBSD 6.4
        Details     : OpenBSD 6.4 (GENERIC.MP) #7: Thu Feb 28 18:56:25 CET 2019

[hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:
Having an sasyncd.conf with the specific order of:
   (1) peer (one or more)
   (2) # a comment line, immediately followed by
   (3) a blank line
   (4) sharedkey

Causes this error:
config: no shared key specified, cannot continue

>How-To-Repeat:
Using the example sasyncd.conf, uncomment all its directives to make it valid:
root@obsd-amd64:~# sed -e 's/^#\([a-z]\)/\1/' /etc/examples/sasyncd.conf > /tmp/sasyncd.conf
root@obsd-amd64:~# sasyncd -n -c /tmp/sasyncd.conf
configuration OK

Now, comment out the last 'peer' setting and it fails:
root@obsd-amd64:~# sed -i -e 's/\(.*10\.0\.0\.4\)/#\1/' /tmp/sasyncd.conf
root@obsd-amd64:~# sasyncd -n -c /tmp/sasyncd.conf
config: no shared key specified, cannot continue

Alternatively, leave the peer lines alone and insert a blank line
between the comment "# Shared AES key..." and the "sharedkey 0x..."
line and it will fail in the same way.  However, add -dvv and we see a
slight difference:
root@obsd-amd64:~# sasyncd -ndvv -c /tmp/sasyncd.conf
config: add peer 10.0.0.2
config: add peer 10.0.0.3
config: add peer 10.0.0.4
config: interface carp1
config: no shared key specified, cannot continue

In the "comment out peer 10.0.0.4" scenario, two lines are not printed:
root@obsd-amd64:~# sasyncd -ndvv -c /tmp/sasyncd.conf
config: add peer 10.0.0.2
config: add peer 10.0.0.3
config: no shared key specified, cannot continue

Through further testing with -dvv and reordering the file, it seems
that having a comment followed by a blank line anywhere after a peer
directive causes the rest of the file to be ignored; it's just that
sharedkey is the first thing it will complain about.  Comments
followed by blank lines _before_ any peer lines are fine.

>Fix:
        Unknown.

Workaround: don't have a comment followed by a blank line after any
"peer" settings in your sasyncd.conf, which apparently causes the rest
of the file to be ignored.  Verify that the output of sasyncd -ndvv
matches what you expect.

I only encountered this by happening to comment out the last peer in
the list, which was followed by a blank line.  (I wasn't sure -- and
still am not, even after RTFMing several times -- whether or not to
include the server's own IP address in the list of peers.  If so, you
could use the same config file on all peers...)
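As an added illustration (not code from this report or from sasyncd itself), a small Python check for the workaround above: it parses a sasyncd.conf, flags any blank line that directly follows a comment once a "peer" directive has appeared, and diffs the file's peer/interface directives against what `sasyncd -ndvv` echoed. The config and daemon output are constructed from the scenario in the report; the real sasyncd lexer is not modelled, and the key value is a placeholder.

```python
import re
# Constructed sasyncd.conf with the report's trigger: a comment directly
# followed by a blank line after the peers.  The key is a placeholder.
SAMPLE_CONF = """\
peer 10.0.0.2
peer 10.0.0.3
# peer 10.0.0.4

interface carp1

# Shared AES key
sharedkey 0xPLACEHOLDER_KEY
"""
# Constructed 'sasyncd -ndvv' output for that file, as in the report:
# everything after the comment/blank pair is silently dropped.
SAMPLE_DVV = """\
config: add peer 10.0.0.2
config: add peer 10.0.0.3
config: no shared key specified, cannot continue
"""

def parse_conf(text):
    """Return ({directive: [values]}, [line numbers of a blank line that
    directly follows a comment once a 'peer' directive has been seen])."""
    directives, risky = {}, []
    seen_peer = prev_was_comment = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            if prev_was_comment and seen_peer:
                risky.append(lineno)
            prev_was_comment = False
            continue
        if line.startswith("#"):
            prev_was_comment = True
            continue
        prev_was_comment = False
        parts = line.split(None, 1)
        directives.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
        seen_peer = seen_peer or parts[0] == "peer"
    return directives, risky

def check_dvv(conf_text, dvv_output):
    """Diff the file's peer/interface directives (the ones -dvv echoes in the
    report) against the daemon's output.  Returns (missing, risky_lines)."""
    directives, risky = parse_conf(conf_text)
    expected = {f"{k} {v}" for k in ("peer", "interface") for v in directives.get(k, [])}
    echoed = re.findall(r"^config: (?:add )?(peer|interface) (\S+)$", dvv_output, re.M)
    return sorted(expected - {f"{k} {v}" for k, v in echoed}), risky
```

A non-empty `missing` list means the daemon stopped reading before a directive the file declares, which is exactly what the report's -dvv output shows.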


Re: sasyncd.conf parser bug - "no shared key specified"

Otto Moerbeek
On Tue, Mar 19, 2019 at 05:32:11PM -0500, Andrew Daugherity wrote:

There's a diff on tech@ fixing this (and a few other things).

        -Otto


Re: sasyncd.conf parser bug - "no shared key specified"

Otto Moerbeek
On Wed, Mar 20, 2019 at 07:01:26AM +0100, Otto Moerbeek wrote:

> On Tue, Mar 19, 2019 at 05:32:11PM -0500, Andrew Daugherity wrote:
>
> There's a diff on tech@ fixing this (and a few other things).
>
> -Otto
>

In the meantime a fix has been committed that will be included in the
upcoming 6.5 release.

        -Otto


Re: sasyncd.conf parser bug - "no shared key specified"

Andrew Daugherity
On Thu, Mar 21, 2019 at 8:05 AM Otto Moerbeek <[hidden email]> wrote:
> >
> > There's a diff on tech@ fixing this (and a few other things).
> >
> >       -Otto
>
> In the meantime a fix has been committed that will be included in the
> upcoming 6.5 release.
>
>         -Otto

Thanks, I've verified that both versions (the larger proposed diff and
the smaller just-committed one) do fix the parser bug.  Also thanks to
that discussion thread, I learned to NOT include the local machine in
the peer list, at least until that larger diff lands.  The proposed
version does print "skip local peer" if I do include it, so that part
seems to be working, at least for IPv4.

Now to figure out why my ipsec flows aren't activating -- sasyncd
notifies iked, which prints "config_getmode: mode passive -> active"
but nothing happens.  iked worked fine in active mode before I
introduced sasyncd into the equation; that's beyond the scope of this
bug though...

-Andrew