DPDK usage discussions
From: Shyam Shrivastav <shrivastav.shyam@gmail.com>
To: Konstantinos Schoinas <ece8537@upnet.gr>
Cc: users <users@dpdk.org>
Subject: Re: [dpdk-users] Sequence Number /More info on the Subject
Date: Wed, 15 Aug 2018 20:32:14 +0530
Message-ID: <CAGSp03ms5gmX01pfm55QaorxPzmrRKuzzV0Fw6u=dbAnFQHR=w@mail.gmail.com>
In-Reply-To: <b92bb27254547759f874adbb7dffe1a0@upnet.gr>

One obvious error that I can see in the reply TCP segment is

th->recv_ack = htonl(client_send_seq + ntohs(iphdr->total_length));


You need to acknowledge just the TCP payload, which is { send seq +
iphdr->total_length - (IP header len) - (TCP header len) }







On Wed, Aug 15, 2018 at 7:47 PM, Konstantinos Schoinas <ece8537@upnet.gr>
wrote:

> On 2018-08-15 12:22, Konstantinos Schoinas wrote:
>
>> -------- Original message --------
>> Subject: Sequence Number
>> Date: 2018-08-15 12:21
>> From: Konstantinos Schoinas <ece8537@upnet.gr>
>> To: users <users-bounces@dpdk.org>
>>
>> Hello,
>>
>> I am building an application that blocks a TLS session if I find a specific
>> forbidden Server Name Indication.
>> According to the RFC I must make a response with Fatal Error (2)
>> unrecognized name (112).
>>
>> When I receive the Client Hello, and after I extract the SNI and check
>> it against a black list, I process the Client Hello in order to
>> respond to the client and terminate the session.
>>
>> However, I am getting a lot of retransmitted packets in Wireshark, so I
>> suppose I am doing something wrong.
>>
>> I think I might have the seq and ack numbers wrong or something. If anyone
>> could help I would appreciate it.
>> Here is the processing of the packet after I check for the forbidden SNI:
>>
>> uint32_t client_receive_ack = ntohl(th->recv_ack);
>> uint32_t client_send_seq = ntohl(th->sent_seq);
>>
>> th->sent_seq = th->recv_ack;
>> th->recv_ack = htonl(client_send_seq + ntohs(iphdr->total_length));
>>
>>
>> uint16_t l = ntohs(ssl->length) - 0x02;
>> uint16_t ip_l = ntohs(iphdr->total_length) - l;
>>
>> rte_pktmbuf_trim(m,l);
>> iphdr->total_length = htons(ip_l);
>> ssl->length = htons(2);
>>
>> alert = (struct Alert *)((uint8_t *)ssl + 5);
>>
>>
>> iphdr->src_addr = dst_ip;
>> iphdr->dst_addr = src_ip;
>> th->src_port = dst_port;
>> th->dst_port = src_port;
>> ssl->type = 21; // alert message
>> alert->type = 2; // fatal error
>> alert->description = 112; // Unrecognized name
>>
>> iphdr->hdr_checksum = 0;
>> th->cksum = 0;
>> iphdr->hdr_checksum = rte_ipv4_cksum(iphdr);
>>
>> th->cksum = rte_ipv4_udptcp_cksum(iphdr,th);
>>
>>
>>
>>
>> Thanks for your time
>>
>
>
>
>
> I wanted to give some more information on the subject. I am adding a
> picture of Wireshark to the mail to give more info. The problem with the
> retransmitted packet is that it doesn't end the TLS session even though I am
> sending a fatal-error alert with DPDK.
>
> I believe that I am doing something wrong with the processing of the Client
> Hello, so it doesn't have the right format to be recognized by the client and
> end the TLS session.
>
> If you see my code above, I change the source and dest IP and port, and the
> seq and ack values. In addition I am cutting from the SSL Record the data that
> it had and I am adding the alert message according to the RFC.
>
> Is there any field I must change according to DPDK?
>
>
>
>
>
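
The acknowledgment calculation from the reply above, as an added example (not code from this thread or from DPDK): it works on raw IPv4/TCP bytes rather than DPDK's header structs, and goes slightly beyond the reply by also counting SYN/FIN and rejecting inconsistent header lengths. The names reply_ack and make_segment are hypothetical, and the sample segment is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t be32(const uint8_t *p) {   /* read a network-order 32-bit field */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* ACK number for a reply to the IPv4/TCP segment in ip[0..len).
 * Returns 0 on success, -1 if the header lengths are inconsistent. */
int reply_ack(const uint8_t *ip, size_t len, uint32_t *ack)
{
    if (len < 40 || (ip[0] >> 4) != 4 || ip[9] != 6) return -1;  /* IPv4 + TCP */
    size_t ip_hl = (size_t)(ip[0] & 0x0f) * 4;         /* IHL, in 32-bit words */
    size_t total = ((size_t)ip[2] << 8) | ip[3];       /* IP total_length */
    if (ip_hl < 20 || total > len || total < ip_hl + 20) return -1;
    const uint8_t *tcp = ip + ip_hl;
    size_t tcp_hl = (size_t)(tcp[12] >> 4) * 4;        /* TCP data offset */
    if (tcp_hl < 20 || ip_hl + tcp_hl > total) return -1;
    uint32_t consumed = (uint32_t)(total - ip_hl - tcp_hl);  /* payload bytes only */
    consumed += !!(tcp[13] & 0x02) + !!(tcp[13] & 0x01);     /* SYN, FIN: one each */
    *ack = be32(tcp + 4) + consumed;                   /* uint32_t wraps mod 2^32 */
    return 0;
}

/* Constructed sample: zeroed packet carrying only the fields reply_ack reads. */
size_t make_segment(uint8_t *buf, size_t cap, uint32_t seq, size_t ip_hl,
                    size_t tcp_hl, size_t payload, uint8_t flags)
{
    size_t total = ip_hl + tcp_hl + payload;
    if (total > cap || total > 0xffff) return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | (ip_hl / 4)); buf[9] = 6;   /* version/IHL, proto TCP */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    uint8_t *tcp = buf + ip_hl;
    for (int i = 0; i < 4; i++) tcp[4 + i] = (uint8_t)(seq >> (24 - 8 * i));
    tcp[12] = (uint8_t)((tcp_hl / 4) << 4);
    tcp[13] = flags;
    return total;
}

int main(void)
{
    uint8_t pkt[1500]; uint32_t ack = 0;
    /* 517-byte Client Hello record, 32-byte TCP header (options), PSH|ACK */
    size_t n = make_segment(pkt, sizeof pkt, 1000, 20, 32, 517, 0x18);
    if (reply_ack(pkt, n, &ack) == 0)
        printf("ack=%u, seq+total_length would give %u\n", ack, 1000u + (unsigned)n);
    return 0;
}
```

Acknowledging seq + total_length overshoots by the combined header length, so the peer sees an ACK for bytes it never sent.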

Thread overview: 4+ messages
     [not found] <259d01f7a94e1c4eadf9e57fe89be7cc@upnet.gr>
2018-08-15  9:22 ` [dpdk-users] Sequence Number Konstantinos Schoinas
2018-08-15 14:17   ` [dpdk-users] Sequence Number /More info on the Subject Konstantinos Schoinas
2018-08-15 14:52     ` Stephen Hemminger
2018-08-15 15:02     ` Shyam Shrivastav [this message]
