kittoku / Open-SSTP-Client

Open SSTP Client for Android
MIT License

INCOMING: ERR_INVALID_PACKET_SIZE #134

Closed rstefko closed 5 months ago

rstefko commented 5 months ago

Trying to get the app running with MikroTik. I use my own certificate using IP address. Verify Hostname is disabled and custom Trusted Certificates folder is used.

PAP auth is enabled on MikroTik. Auth works, but after that I immediately receive the following error:

[2024-06-10 15:34:38.285] Establish VPN connection
[2024-06-10 15:34:39.888] INCOMING: ERR_INVALID_PACKET_SIZE
[2024-06-10 15:34:39.901] Terminate VPN connection

I have attached the debugger in Android Studio. The variable size in this case is 28519 bytes. I will continue debugging, but any advice would be appreciated.

rstefko commented 5 months ago

It happens only with PAP auth. With MS-CHAPv2 connection works.

kittoku commented 5 months ago

The next step to take would be finding where 28519 (0x6F67) was read. Using a packet analyzer like Wireshark is a nice way.

If you cannot use packet analyzers for some reason, kittoku.osc.extension.toHexString provides a primitive way to see what the app received.

For example: toHexString

I hope you will find a solution.

rstefko commented 5 months ago

It gives me 08 4C 6F 67 69 6E 20 6F 6B, so something like "Login ok"?

kittoku commented 5 months ago

Maybe it is a fragmented Authenticate-Ack. 08 seems to be Msg-Length.

rstefko commented 5 months ago

Yes. I looked into PAPAuthenticateAcknowledgement, message is empty so length equals headerSize and remaining is 0. I tried to execute the following code in that case. I don't receive ERR_INVALID_PACKET_SIZE error anymore, but instead I get PAP: ERR_TIMEOUT.

val messageLength = buffer.get().toIntAsUByte()
message = ByteArray(messageLength).also { buffer.get(it) }

I have a working environment with MS-CHAPv2.

Do you recommend any changes that I should try to make PAP work with MikroTik? I don't need it, but it may help other users.

kittoku commented 5 months ago

Thank you for your investigation, @rstefko. So MikroTik produces Authenticate-Acks which DO NOT follow the RFC (Length == 4, but Msg-Length and Message are still included)?

rstefko commented 5 months ago

Yes, a message with code 2 is sent, if that is what you are asking. I am not sure why Msg-Length and Message are a problem; they are also mentioned in the RFC.

kittoku commented 5 months ago

Of course, Msg-Length and Message are accepted, but Length must be equal to the whole packet size. In your case, Length should be 13 (=4+1+8). This limitation, which is defined in the RFC, is necessary to parse packets properly.

Maybe I could modify the source code for MikroTik, but it would make the code a little more complicated. Also, the side effects should be carefully considered. Furthermore, you already showed a workaround of using MS-CHAPv2 (which is more secure than PAP!). So I'm not very motivated to make any changes.

I recommend that you report this bug to the MikroTik developers.
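
The framing problem discussed in this thread, as an added Python example (not part of the thread and not the project's Kotlin code): a strict parser for the Authenticate-Ack layout in which Length delimits the whole packet, run over a compliant packet and over one whose Length is 4 while Msg-Length and Message still follow. The Identifier value, the function names and the reading of the leftover bytes as a following 4-byte header are assumptions made for illustration; the 9-byte tail is the hex dump posted above.

```python
import struct
from dataclasses import dataclass

PAP_AUTHENTICATE_ACK = 2
HEADER_SIZE = 4  # Code(1) + Identifier(1) + Length(2)


@dataclass
class PapAck:
    identifier: int
    message: bytes
    leftover: bytes  # bytes that follow the packet as delimited by Length


class PapParseError(ValueError):
    pass


def parse_ack(data: bytes) -> PapAck:
    """Strict parse: Length covers header + Msg-Length + Message."""
    if len(data) < HEADER_SIZE:
        raise PapParseError("truncated header")
    code, identifier, length = struct.unpack("!BBH", data[:HEADER_SIZE])
    if code != PAP_AUTHENTICATE_ACK:
        raise PapParseError(f"unexpected code {code}")
    if length < HEADER_SIZE or length > len(data):
        raise PapParseError(f"Length {length} outside 4..{len(data)}")
    body, leftover = data[HEADER_SIZE:length], data[length:]
    if not body:  # Length == 4: no Msg-Length field inside the packet
        return PapAck(identifier, b"", leftover)
    if body[0] != len(body) - 1:
        raise PapParseError(f"Msg-Length {body[0]} != {len(body) - 1} body bytes")
    return PapAck(identifier, body[1:], leftover)


def misread_size(leftover: bytes) -> int:
    """Assumption: leftover is taken as a new header; return its Length field."""
    return struct.unpack("!H", leftover[2:4])[0]


# Constructed samples: Identifier 0x01 is made up; TAIL is the dump from the thread.
TAIL = bytes.fromhex("084C6F67696E206F6B")        # Msg-Length 8 + "Login ok"
COMPLIANT = bytes.fromhex("0201000D") + TAIL      # Length = 13 = 4 + 1 + 8
SHORT_LENGTH = bytes.fromhex("02010004") + TAIL   # Length = 4, tail still sent

if __name__ == "__main__":
    ok = parse_ack(COMPLIANT)
    print(ok.message, ok.leftover)
    bad = parse_ack(SHORT_LENGTH)
    print(bad.message, bad.leftover.hex(), misread_size(bad.leftover))
```

With Length = 4 the strict parser returns an empty message and leaves all nine tail bytes unconsumed; bytes 2 and 3 of that tail are 6F 67, which is the 28519 seen in the debugger.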