One obvious error that I can see in reply tcp segment is
th->recv_ack = htonl(client_send_seq + ntohs(iphdr->total_length));
You need to acknowledge just the tcp payload which is { send seq +
iphdr->total_length - (IP header len) - (TCP header len) }
On Wed, Aug 15, 2018 at 7:47 PM, Konstantinos Schoinas <ece8...@upnet.gr>
wrote:
> Στις 2018-08-15 12:22, Konstantinos Schoinas έγραψε:
>
>> -------- Αρχικό μήνυμα --------
>> Θέμα: Sequence Number
>> Ημερομηνία: 2018-08-15 12:21
>> Αποστολέας: Konstantinos Schoinas <ece8...@upnet.gr>
>> Παραλήπτης: users <users-boun...@dpdk.org>
>>
>> Hello,
>>
>> I am building an application blocks TLS session if i find a sepcific
>> forbidden Server Name Indication.
>> According to RFC i must make a response with Fatal Error (2)
>> unrecognized name(112).
>>
>> When i receive the Client Hello and after i Extract the SNI and check
>> it against a black list i do process the client hello in order to
>> response to client and terminate the session.
>>
>> Although i am getting a lot of retransmit packets on wireshark so i
>> suppose i am doing something wrong.
>>
>> I think i mights have seq and ack number wrong or something.If anyone
>> could help i would appreciate.
>> Here is the process of the packet after i check for the forbidden SNI:
>>
>> uint32_t client_receive_ack = ntohl(th->recv_ack);
>> uint32_t client_send_seq = ntohl(th->sent_seq);
>>
>> th->sent_seq = th->recv_ack;
>> th->recv_ack = htonl(client_send_seq + ntohs(iphdr->total_length));
>>
>>
>> uint16_t l = ntohs(ssl->length)-0x02;
>> uint16_t ip_l = ntohs(iphdr->total_length) - l;
>>
>> rte_pktmbuf_trim(m,l);
>> iphdr->total_length = htons(ip_l);
>> ssl->length = htons(2);
>>
>> alert = (struct Alert *)((uint8_t *)ssl + 5);
>>
>>
>> iphdr->src_addr = dst_ip;
>> iphdr->dst_addr = src_ip;
>> th->src_port = dst_port;
>> th->dst_port = src_port;
>> ssl->type = 21; //alert message
>> alert->type = 2; // fatal error
>> alert->description = 112; // Unrecognized name
>>
>> iphdr->hdr_checksum = 0;
>> th->cksum = 0;
>> iphdr->hdr_checksum = rte_ipv4_cksum(iphdr);
>>
>> th->cksum = rte_ipv4_udptcp_cksum(iphdr,th);
>>
>>
>>
>>
>> Thanks for your time
>>
>
>
>
>
> I wanted to give some more information on the subject.I am adding a
> picture of wireshark with the mail to give more info.The problem of the
> retransmitted packet is that it doesnt end the TLS session even though i am
> sending a fatal-error alert with dpdk.
>
> I believe that i do something wrong with the process of client hello so it
> doesnt have the right format in order to get recognized by the client and
> end the tls Session.
>
> If you see my code above i change the source ,dest ip and port the seq and
> ack value.In addition i am cutting from SSL Record the data that it had and
> i am adding the alert message according to RFC.
>
> Is there any field i must change according to dpdk?
>
>
>
>
>
