From patchwork Fri Nov 19 17:44:58 2021
X-Patchwork-Id: 4849
From: Michael Tremer
To: development@lists.ipfire.org
Cc: Michael Tremer
Subject: [PATCH 7/7] suricata: Handle retransmitted SYN with TSval
Date: Fri, 19 Nov 2021 17:44:58 +0000
Message-Id: <20211119174458.789486-7-michael.tremer@ipfire.org>
In-Reply-To: <20211119174458.789486-1-michael.tremer@ipfire.org>
References: <20211119174458.789486-1-michael.tremer@ipfire.org>

Read more in the patch.

Signed-off-by: Michael Tremer
---
 lfs/suricata                                  | 1 +
 ...-Handle-retransmitted-SYN-with-TSval.patch | 55 +++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
diff --git a/lfs/suricata b/lfs/suricata index 38289962f..b54a038c3 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \ --prefix=/usr \ --sysconfdir=/etc \ diff --git a/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch b/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch new file mode 100644 index 000000000..fcea77cfa --- /dev/null +++ b/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch 
@@ -0,0 +1,55 @@ +From 511648b3d7a4b5a5b4d55b92dffd63fcb23903a0 Mon Sep 17 00:00:00 2001 +From: Michael Tremer +Date: Fri, 19 Nov 2021 17:17:47 +0000 +Subject: [PATCH] stream: tcp: Handle retransmitted SYN with TSval + +For connections that use TCP timestamps for which the first SYN packet +does not reach the server, any replies to retransmitted SYNs will be +tropped. + +This is happening in StateSynSentValidateTimestamp, where the timestamp +value in a SYN-ACK packet must match the one from the SYN packet. +However, since the server never received the first SYN packet, it will +respond with an updated timestamp from any of the following SYN packets. + +The timestamp value inside suricata is not being updated at any time +which should happen. This patch fixes that problem. + +This problem was introduced in 9f0294fadca3dcc18c919424242a41e01f3e8318. + +Signed-off-by: Michael Tremer +--- + src/stream-tcp.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/src/stream-tcp.c b/src/stream-tcp.c +index 1cff19fa5..af681760b 100644 +--- a/src/stream-tcp.c ++++ b/src/stream-tcp.c +@@ -1643,6 +1643,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p, + "ssn->client.last_ack %"PRIu32"", ssn, + ssn->client.isn, ssn->client.next_seq, + ssn->client.last_ack); ++ } else if (PKT_IS_TOSERVER(p)) { ++ /* ++ * On retransmitted SYN packets, the timestamp value must be updated, ++ * to avoid dropping any SYN+ACK packets that respond to a retransmitted SYN ++ * with an updated timestamp in StateSynSentValidateTimestamp. ++ */ ++ if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_TIMESTAMP) && TCP_HAS_TS(p)) { ++ uint32_t ts_val = TCP_GET_TSVAL(p); ++ ++ // Check whether packets have been received in the correct order (only ever update) ++ if (ssn->client.last_ts < ts_val) { ++ ssn->client.last_ts = ts_val; ++ ssn->client.last_pkt_ts = p->ts.tv_sec; ++ } ++ ++ SCLogDebug("ssn %p: Retransmitted SYN. 
Updated timestamp from packet %"PRIu64, ssn, p->pcap_cnt); ++ } + } + + /** \todo check if it's correct or set event */ +-- +2.30.2 +
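Review bot: the lfs/suricata hunk adds the `patch -Np1` line without any record of whether the carried fix has been submitted upstream; put the upstream ticket or pull-request reference next to that line (or in the patch file's Subject) so the file can be dropped once a Suricata release contains it. The diffstat also shows lfs/suricata gaining only this one line, so if that file carries a package release counter (not visible in this hunk) it still needs bumping, otherwise the rebuilt package will not be shipped to installed systems.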
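Review bot: in the stream-tcp.c hunk the new `else if (PKT_IS_TOSERVER(p))` branch takes the TSval of any to-server SYN without first checking that the packet really is a retransmission of this session's SYN, i.e. that `TCP_GET_SEQ(p) == ssn->client.isn` (the ISN is right there in the SCLogDebug context above the insertion); a SYN on the same 5-tuple with a different sequence number is a fresh connection attempt, and adopting its TSval would make StateSynSentValidateTimestamp reject the legitimate SYN-ACK, so guard the update with that comparison. Two smaller points in the same hunk: `if (ssn->client.last_ts < ts_val)` is a plain unsigned compare that never updates once the 32-bit TSval has wrapped, and `(int32_t)(ts_val - ssn->client.last_ts) > 0` is the safer form; and the `SCLogDebug("ssn %p: Retransmitted SYN. Updated timestamp ...")` call sits outside the inner `if`, so it reports "Updated" even when nothing changed; move it inside the block. Finally, the embedded commit message says "will be tropped" where "will be dropped" is meant.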