[Openvpn-devel,29/28] Add workaround for Softether server dropping P_ACK_V1 with >= 5 acks

Message ID 20220831134140.913337-2-arne@rfc2549.org
State New
Headers show
Series Stateless three-way handshake and control channel improvements | expand

Commit Message

Arne Schwabe Aug. 31, 2022, 1:41 p.m. UTC
Softether had the number of ACKs in ANY OpenVPN packet limited to 4 and
dropped packets with more than 4 ACKs. This leads to Softether dropping
P_ACK_V1 packets with more than 4 ACKs as invalid. As the recent change
of always acking as many packets as possible, this leads to Softether
server not being able to successfully establish a connection anymore as
it never registers the ACKs.

This behaviour has been fixed on the Softether side with commit 37aa1ba5
but in order to allow clients to connect to older Softether servers, this
commit implements a workaround for the case that the peer might be a
Softether server (no tls-auth/tls-crypt and no other advanced protocol
feature) and limits ACKs to 4 in this case.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_pkt.c | 9 +++++++++
 1 file changed, 9 insertions(+)

Comments

Gert Doering Aug. 31, 2022, 1:54 p.m. UTC | #1
Hi,

On Wed, Aug 31, 2022 at 03:41:40PM +0200, Arne Schwabe wrote:
> This behaviour has been fixed on the Softether side with commit 37aa1ba5
[..]
> +     * in a packet (see commit a14d812dcbc in Softether) */

The code seems to do what the commit says, but seeing two different commit
IDs here confuses me.

gert

Patch

diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c
index e86fbc1b8..9b180cbf4 100644
--- a/src/openvpn/ssl_pkt.c
+++ b/src/openvpn/ssl_pkt.c
@@ -177,6 +177,15 @@  write_control_auth(struct tls_session *session,
 {
     uint8_t header = ks->key_id | (opcode << P_OPCODE_SHIFT);
 
+    /* Workaround for Softether servers. Softether has a bug that it only
+     * allows 4 ACks in packets and drops packets if more ACKs are contained
+     * in a packet (see commit a14d812dcbc in Softether) */
+    if (session->tls_wrap.mode == TLS_WRAP_NONE && !session->opt->server
+        && !(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT))
+    {
+        max_ack = min_int(max_ack, 4);
+    }
+
     ASSERT(link_socket_actual_defined(&ks->remote_addr));
     ASSERT(reliable_ack_write
                (ks->rec_ack, ks->lru_acks, buf, &ks->session_id_remote,