From: Konstantinos Schoinas
To: users@dpdk.org
Date: Wed, 15 Aug 2018 17:17:48 +0300
Subject: Re: [dpdk-users] Sequence Number /More info on the Subject
In-Reply-To: <0d5ad82171cc381f5b5a8efd6a9f0f91@upnet.gr>

On 2018-08-15 12:22, Konstantinos Schoinas wrote:
> -------- Original Message --------
> Subject: Sequence Number
> Date: 2018-08-15 12:21
> From: Konstantinos Schoinas
> To: users
>
> Hello,
>
> I am building an application that blocks a TLS session if I find a specific
> forbidden Server Name Indication.
> According to the RFC I must respond with a fatal error (2)
> unrecognized name (112).
>
> When I receive the Client Hello, and after I extract the SNI and check
> it against a black list, I process the Client Hello in order to
> respond to the client and terminate the session.
>
> However, I am getting a lot of retransmitted packets in Wireshark, so I
> suppose I am doing something wrong.
> I think I might have the seq and ack number wrong or something. If anyone
> could help I would appreciate it.
> Here is the processing of the packet after I check for the forbidden SNI:
>
> /* client's seq/ack as carried in the Client Hello segment */
> uint32_t client_receive_ack = ntohl(th->recv_ack);
> uint32_t client_send_seq = ntohl(th->sent_seq);
>
> /* reply seq = client's ack; reply ack = client's seq + IP total length */
> th->sent_seq = th->recv_ack;
> th->recv_ack = htonl(client_send_seq + ntohs(iphdr->total_length));
>
> /* shrink the TLS record body to 2 bytes and trim the mbuf by the same amount */
> uint16_t l = ntohs(ssl->length) - 0x02;
> uint16_t ip_l = ntohs(iphdr->total_length) - l;
>
> rte_pktmbuf_trim(m, l);
> iphdr->total_length = htons(ip_l);
> ssl->length = htons(2);
>
> /* the alert body follows the 5-byte TLS record header */
> alert = (struct Alert *)((uint8_t *)ssl + 5);
>
> /* swap endpoints and turn the record into an alert */
> iphdr->src_addr = dst_ip;
> iphdr->dst_addr = src_ip;
> th->src_port = dst_port;
> th->dst_port = src_port;
> ssl->type = 21;           // alert message
> alert->type = 2;          // fatal error
> alert->description = 112; // unrecognized name
>
> /* recompute both checksums in software */
> iphdr->hdr_checksum = 0;
> th->cksum = 0;
> iphdr->hdr_checksum = rte_ipv4_cksum(iphdr);
> th->cksum = rte_ipv4_udptcp_cksum(iphdr, th);
>
> Thanks for your time

I wanted to give some more information on the subject. I am adding a Wireshark picture to the mail to give more info. The problem with the retransmitted packets is that the TLS session does not end, even though I am sending a fatal-error alert with DPDK. I believe that I am doing something wrong in the processing of the Client Hello, so it does not have the right format to be recognized by the client and end the TLS session. If you look at my code above, I change the source and destination IP and port and the seq and ack values. In addition, I am cutting the data from the SSL record and adding the alert message according to the RFC. Is there any field I must change according to DPDK?
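The reply construction described in this thread, as an added worked example that is not part of the original mail or of DPDK. It builds without DPDK: the IPv4/TCP header structs are declared locally with the field names DPDK 18.x uses, a software RFC 1071 checksum stands in for rte_ipv4_cksum()/rte_ipv4_udptcp_cksum(), and the input packet is a constructed sample, not a capture. The point it isolates is the ACK arithmetic: the reply's ACK is the client's sequence number plus the TCP payload length (IP total length minus the IP and TCP header lengths), not plus the IP total length. RFC 793 has a receiver drop a segment whose ACK covers data it has not yet sent, so an over-sized ACK leaves the ClientHello unacknowledged and the client keeps retransmitting it.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Header layouts with DPDK 18.x field names (struct ipv4_hdr / struct tcp_hdr),
 * declared locally so the example builds and runs without DPDK. */
struct ip4h { uint8_t version_ihl, type_of_service; uint16_t total_length, packet_id, fragment_offset;
              uint8_t time_to_live, next_proto_id; uint16_t hdr_checksum; uint32_t src_addr, dst_addr; };
struct tcph { uint16_t src_port, dst_port; uint32_t sent_seq, recv_ack; uint8_t data_off, tcp_flags;
              uint16_t rx_win, cksum, tcp_urp; };

/* RFC 1071 one's-complement checksum, a software stand-in for rte_ipv4_cksum()
 * and rte_ipv4_udptcp_cksum(). */
static uint32_t csum_add(uint32_t sum, const void *p, size_t len)
{
    const uint8_t *b = p;
    for (; len > 1; b += 2, len -= 2) sum += (uint32_t)b[0] << 8 | b[1];
    return len ? sum + ((uint32_t)b[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return htons((uint16_t)~sum);
}
/* TCP checksum: IPv4 pseudo-header (src, dst, zero, proto 6, TCP length) + whole segment. */
static uint16_t tcp_csum(const struct ip4h *ip, const void *seg, uint16_t seg_len)
{
    uint8_t pseudo[12] = {0};
    uint16_t n = htons(seg_len);
    memcpy(pseudo, &ip->src_addr, 4);
    memcpy(pseudo + 4, &ip->dst_addr, 4);
    pseudo[9] = 6;
    memcpy(pseudo + 10, &n, 2);
    return csum_fold(csum_add(csum_add(0, pseudo, 12), seg, seg_len));
}

/* TCP payload length = IP total length - IP header - TCP header. Both headers
 * can carry options, so IHL and the data offset are read rather than assumed. */
uint16_t tcp_payload_len(const struct ip4h *ip, const struct tcph *th)
{
    return ntohs(ip->total_length) - (ip->version_ihl & 0x0f) * 4 - (th->data_off >> 4) * 4;
}

/* Rewrite, in place, an IPv4/TCP packet carrying a TLS handshake record (pkt
 * points at the IPv4 header) into the reply that carries a fatal
 * unrecognized_name alert. Returns the new IP total length, or 0 if the packet
 * is too short or its record is not a handshake record. */
uint16_t build_alert_reply(uint8_t *pkt, size_t pkt_len)
{
    struct ip4h *ip = (struct ip4h *)pkt;
    uint16_t ip_hl = (ip->version_ihl & 0x0f) * 4;
    struct tcph *th = (struct tcph *)(pkt + ip_hl);
    uint16_t tcp_hl = (th->data_off >> 4) * 4, total = ntohs(ip->total_length);
    uint8_t *ssl = pkt + ip_hl + tcp_hl;

    if (pkt_len < ip_hl + tcp_hl + 5u || (size_t)total > pkt_len ||
        total < ip_hl + tcp_hl + 5u || ssl[0] != 22 /* handshake */)
        return 0;
    uint16_t payload = tcp_payload_len(ip, th);

    /* Our seq is the client's ack; our ack is the client's seq + the TCP payload
     * it sent. Adding the IP total length instead over-acks by the header bytes,
     * and a TCP peer discards a segment whose ACK is beyond what it has sent. */
    uint32_t client_seq = ntohl(th->sent_seq);
    th->sent_seq = th->recv_ack;
    th->recv_ack = htonl(client_seq + payload);

    /* Swap endpoints; the reply is a plain data segment (PSH|ACK). */
    uint32_t a = ip->src_addr; ip->src_addr = ip->dst_addr; ip->dst_addr = a;
    uint16_t p = th->src_port; th->src_port = th->dst_port; th->dst_port = p;
    th->tcp_flags = 0x18;

    /* Record header: type alert(21), version bytes kept, length 2; then the
     * 2-byte Alert: level fatal(2), description unrecognized_name(112). */
    ssl[0] = 21; ssl[3] = 0; ssl[4] = 2; ssl[5] = 2; ssl[6] = 112;
    total = ip_hl + tcp_hl + 7;
    ip->total_length = htons(total);

    ip->hdr_checksum = 0;
    ip->hdr_checksum = csum_fold(csum_add(0, ip, ip_hl));
    th->cksum = 0;
    th->cksum = tcp_csum(ip, th, tcp_hl + 7);
    return total;
}

/* Constructed sample, not a capture: IPv4 and TCP without options, then a TLS
 * handshake record whose 10-byte body stands in for a ClientHello. */
size_t sample_client_hello(uint8_t *buf)
{
    static const uint8_t pkt[] = {
        0x45, 0x00, 0x00, 0x37, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00, /* total len 55 */
        10, 0, 0, 1, 10, 0, 0, 2,                                               /* 10.0.0.1 -> 10.0.0.2 */
        0x9c, 0x40, 0x01, 0xbb, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x20, 0x00, /* 40000->443, seq 0x1000, ack 0x2000 */
        0x50, 0x18, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,                         /* doff 5, PSH|ACK */
        0x16, 0x03, 0x01, 0x00, 0x0a, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10             /* handshake, TLS 1.0, len 10 */
    };
    memcpy(buf, pkt, sizeof pkt);
    return sizeof pkt;
}
```

In DPDK the same arithmetic applies: rte_pktmbuf_trim() shrinks the mbuf by the old payload minus the 7 alert bytes, and the two rte_*cksum() calls from the posted code compute the checksums in software. If TX checksum offload is enabled on the port instead, the mbuf needs PKT_TX_IP_CKSUM|PKT_TX_TCP_CKSUM in ol_flags, l2_len/l3_len set, and the TCP checksum field seeded with rte_ipv4_phdr_cksum(). Like the posted code, the example assumes the whole ClientHello record arrived in one segment, and it only sends the alert; the client is expected to close after a fatal alert, and any TCP teardown (FIN or RST) from this side is a separate step.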