DPDK usage discussions
From: Konstantinos Schoinas <ece8537@upnet.gr>
To: users@dpdk.org
Subject: Re: [dpdk-users] Sequence Number /More info on the Subject
Date: Wed, 15 Aug 2018 17:17:48 +0300
Message-ID: <b92bb27254547759f874adbb7dffe1a0@upnet.gr>
In-Reply-To: <0d5ad82171cc381f5b5a8efd6a9f0f91@upnet.gr>

On 2018-08-15 12:22, Konstantinos Schoinas wrote:
> -------- Original Message --------
> Subject: Sequence Number
> Date: 2018-08-15 12:21
> From: Konstantinos Schoinas <ece8537@upnet.gr>
> To: users <users-bounces@dpdk.org>
> 
> Hello,
> 
> I am building an application that blocks a TLS session if I find a specific
> forbidden Server Name Indication.
> According to the RFC I must make a response with Fatal Error (2)
> unrecognized name (112).
> 
> When I receive the Client Hello, and after I extract the SNI and check
> it against a blacklist, I process the Client Hello in order to
> respond to the client and terminate the session.
> 
> However, I am getting a lot of retransmitted packets in Wireshark, so I
> suppose I am doing something wrong.
> 
> I think I might have the seq and ack numbers wrong or something. If anyone
> could help I would appreciate it.
> Here is the processing of the packet after I check for the forbidden SNI:
> 
> uint32_t client_receive_ack = ntohl(th->recv_ack);
> uint32_t client_send_seq = ntohl(th->sent_seq);
> 
> th->sent_seq = th->recv_ack;
> th->recv_ack = htonl(client_send_seq + ntohs(iphdr->total_length));
> 
> 
> uint16_t l = ntohs(ssl->length) - 0x02;
> uint16_t ip_l = ntohs(iphdr->total_length) - l;
> 
> rte_pktmbuf_trim(m, l);
> iphdr->total_length = htons(ip_l);
> ssl->length = htons(2);
> 
> alert = (struct Alert *)((uint8_t *)ssl + 5);
> 
> 
> iphdr->src_addr = dst_ip;
> iphdr->dst_addr = src_ip;
> th->src_port = dst_port;
> th->dst_port = src_port;
> ssl->type = 21; // alert message
> alert->type = 2; // fatal error
> alert->description = 112; // Unrecognized name
> 
> iphdr->hdr_checksum = 0;
> th->cksum = 0;
> iphdr->hdr_checksum = rte_ipv4_cksum(iphdr);
> 
> th->cksum = rte_ipv4_udptcp_cksum(iphdr, th);
> 
> 
> 
> 
> Thanks for your time




I wanted to give some more information on the subject. I am adding a
picture from Wireshark to the mail to give more info. The problem with the
retransmitted packet is that it doesn't end the TLS session even though I
am sending a fatal-error alert with DPDK.

I believe that I am doing something wrong in the processing of the Client
Hello, so it doesn't have the right format to be recognized by the client
and end the TLS session.

If you see my code above, I change the source and destination IP and port
and the seq and ack values. In addition, I am cutting from the SSL record
the data that it had and I am adding the alert message according to the RFC.

Is there any field I must change according to DPDK?

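An added example, not part of the original message and not DPDK code: when a reply is built from a received TCP segment, its sequence number is the peer's acknowledgment number, and its acknowledgment number is the peer's sequence number plus the TCP payload length (IP total length minus the IP and TCP header lengths). The plain-C parser below derives those values and the 7-byte TLS alert record from a raw IPv4 packet; `alert_reply_fields`, `struct reply` and `sample_pkt` are names and data constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct reply { uint32_t seq, ack; uint16_t payload_len; uint8_t tls[7]; };

/* Constructed sample: IPv4 + TCP (seq 1000, ack 5001, PSH|ACK) + 9 TLS bytes. */
static const uint8_t sample_pkt[49] = {
    0x45,0,0,49, 0,1,0x40,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,      /* IPv4 header */
    0xc0,0x00,0x01,0xbb, 0,0,0x03,0xe8, 0,0,0x13,0x89,          /* ports, seq, ack */
    0x50,0x18,0xff,0xff, 0,0,0,0,                               /* offset, flags, window */
    0x16,0x03,0x01,0,4, 1,0,0,0                                 /* TLS handshake record */
};

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* pkt points at the IPv4 header of the received segment. Fills r with the
 * reply's seq/ack in host order. Returns 0, or -1 if the packet is malformed. */
int alert_reply_fields(const uint8_t *pkt, size_t len, struct reply *r)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total > len || total < ihl + 20 || pkt[9] != 6) return -1;
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > total) return -1;
    size_t payload = total - ihl - doff;          /* TCP payload only, no headers */
    const uint8_t *rec = tcp + doff;
    if (payload < 5 || rec[0] != 22) return -1;   /* expect a TLS handshake record */
    uint8_t flags = tcp[13];
    r->seq = rd32(tcp + 8);                       /* our seq = what the peer has acked */
    /* our ack = peer seq + payload bytes (+1 each for FIN and SYN), modulo 2^32 */
    r->ack = rd32(tcp + 4) + (uint32_t)payload + (flags & 0x01) + ((flags >> 1) & 0x01);
    r->payload_len = (uint16_t)payload;
    r->tls[0] = 21; r->tls[1] = rec[1]; r->tls[2] = rec[2];  /* alert, same record version */
    r->tls[3] = 0; r->tls[4] = 2; r->tls[5] = 2; r->tls[6] = 112; /* len 2; fatal, 112 */
    return 0;
}

int main(void)
{
    struct reply r;
    if (alert_reply_fields(sample_pkt, sizeof sample_pkt, &r) != 0) return 1;
    printf("reply seq=%u ack=%u\n", (unsigned)r.seq, (unsigned)r.ack);
    return 0;
}
```

For the sample packet, adding the IP total length (49) to the peer's sequence number would acknowledge 40 bytes that were never sent, while the payload-based value acknowledges exactly the 9 bytes received.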

Thread overview: 4+ messages
     [not found] <259d01f7a94e1c4eadf9e57fe89be7cc@upnet.gr>
2018-08-15  9:22 ` [dpdk-users] Sequence Number Konstantinos Schoinas
2018-08-15 14:17   ` Konstantinos Schoinas [this message]
2018-08-15 14:52     ` [dpdk-users] Sequence Number /More info on the Subject Stephen Hemminger
2018-08-15 15:02     ` Shyam Shrivastav
