Re: [dpdk-users] Sequence Number /More info on the Subject

[Stephen Hemminger <stephen@networkplumber.org>]

On Wed, 15 Aug 2018 17:17:48 +0300
Konstantinos Schoinas <ece8537@upnet.gr> wrote:

> Στις 2018-08-15 12:22, Konstantinos Schoinas έγραψε:
> > -------- Αρχικό μήνυμα --------
> > Θέμα: Sequence Number
> > Ημερομηνία: 2018-08-15 12:21
> > Αποστολέας: Konstantinos Schoinas <ece8537@upnet.gr>
> > Παραλήπτης: users <users-bounces@dpdk.org>
> > 
> > Hello,
> > 
> > I am building an application blocks TLS session if i find a sepcific
> > forbidden Server Name Indication.
> > According to RFC i must make a response with Fatal Error (2)
> > unrecognized name(112).
> > 
> > When i receive the Client Hello and after i Extract the SNI and check
> > it against a black list i do process the client hello in order to
> > response to client and terminate the session.
> > 
> > Although i am getting a lot of retransmit packets on wireshark so i
> > suppose i am doing something wrong.
> > 
> > I think i mights have seq and ack number wrong or something.If anyone
> > could help i would appreciate.
> > Here is the process of the packet after i check for the forbidden SNI:
> > 
> > uint32_t client_receive_ack = ntohl(th-⁠>recv_ack);
> > uint32_t client_send_seq = ntohl(th-⁠>sent_seq);
> > 
> > th-⁠>sent_seq = th-⁠>recv_ack;
> > th-⁠>recv_ack = htonl(client_send_seq + ntohs(iphdr-⁠>total_length));
> > 
> > 
> > uint16_t l = ntohs(ssl-⁠>length)-⁠0x02;
> > uint16_t ip_l = ntohs(iphdr-⁠>total_length) -⁠ l;
> > 
> > rte_pktmbuf_trim(m,l);
> > iphdr-⁠>total_length = htons(ip_l);
> > ssl-⁠>length = htons(2);
> > 
> > alert = (struct Alert *)((uint8_t *)ssl + 5);
> > 
> > 
> > iphdr-⁠>src_addr = dst_ip;
> > iphdr-⁠>dst_addr = src_ip;
> > th-⁠>src_port = dst_port;
> > th-⁠>dst_port = src_port;
> > ssl-⁠>type = 21; //alert message
> > alert-⁠>type = 2; // fatal error
> > alert-⁠>description = 112; // Unrecognized name
> > 
> > iphdr-⁠>hdr_checksum = 0;
> > th-⁠>cksum = 0;
> > iphdr-⁠>hdr_checksum = rte_ipv4_cksum(iphdr);
> > 
> > th-⁠>cksum = rte_ipv4_udptcp_cksum(iphdr,th);
> > 
> > 
> > 
> > 
> > Thanks for your time  
> 
> 
> 
> 
> I wanted to give some more information on the subject.I am adding a 
> picture of wireshark with the mail to give more info.The problem of the 
> retransmitted packet is that it doesnt end the TLS session even though i 
> am sending a fatal-error alert with dpdk.
> 
> I believe that i do something wrong with the process of client hello so 
> it doesnt have the right format in order to get recognized by the client 
> and end the tls Session.
> 
> If you see my code above i change the source ,dest ip and port the seq 
> and ack value.In addition i am cutting from SSL Record the data that it 
> had and i am adding the alert message according to RFC.
> 
> Is there any field i must change according to dpdk?
> 
> 
> 
> 

With wireshark, the easiest thing to attach is a pcap file with the flow
in question.