From c9623b5ccdfe915eab4cb8ec8223ffb1bf245f5e Mon Sep 17 00:00:00 2001
From: luwenpeng <luwenpeng@geedgenetworks.com>
Date: Wed, 15 Nov 2023 18:18:23 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=AD=A3Decrypted=20Traffic=20TCP=20h?=
 =?UTF-8?q?anshake=20Packet=E7=9A=84TCP=20Option?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 common/src/tfe_tcp_restore.cpp | 73 ++++++++++++++++++++++------------
 1 file changed, 48 insertions(+), 25 deletions(-)

diff --git a/common/src/tfe_tcp_restore.cpp b/common/src/tfe_tcp_restore.cpp
index 0282845..d07a788 100644
--- a/common/src/tfe_tcp_restore.cpp
+++ b/common/src/tfe_tcp_restore.cpp
@@ -6,11 +6,27 @@
 #include <arpa/inet.h>
 #include <linux/tcp.h>
 #include <net/if.h>
+#include <stdlib.h>
 #include <netinet/ether.h>
 #include <tfe_utils.h>
 #include <tfe_tcp_restore.h>
 #include <packet_construct.h>
 
+static uint16_t tfe_get_ipid()
+{
+	static __thread uint16_t ipid = 0;
+	if (ipid == 0)
+	{
+		ipid = random();
+	}
+	else
+	{
+		ipid++;
+	}
+
+	return ipid;
+}
+
 void tfe_tcp_restore_info_dump(const struct tcp_restore_info *info)
 {
 	char str_client_addr[64] = {0};
@@ -325,7 +341,7 @@ int tfe_tcp_restore_syn_packet(struct tcp_restore_info *restore_info, struct eth
 	 * +---------+---------+---------+
 	 *      1         1         2
 	 */
-	if (client->mss && server->mss)
+	if (client->mss)
 	{
 		struct tcp_option_mss *option = (struct tcp_option_mss *)(tcp_option_buff + tcp_option_len);
 		option->kind = 2;
@@ -341,7 +357,7 @@ int tfe_tcp_restore_syn_packet(struct tcp_restore_info *restore_info, struct eth
 	 * +---------+---------+---------+
 	 *      1         1         1
 	 */
-	if (client->wscale_perm && server->wscale_perm)
+	if (client->wscale_perm)
 	{
 		// padding
 		memset(tcp_option_buff + tcp_option_len, 1, 1);
@@ -361,7 +377,7 @@ int tfe_tcp_restore_syn_packet(struct tcp_restore_info *restore_info, struct eth
 	 * +---------+---------+
 	 *      1         1
 	 */
-	if (client->sack_perm && server->sack_perm)
+	if (client->sack_perm)
 	{
 		// padding
 		memset(tcp_option_buff + tcp_option_len, 1, 2);
@@ -380,7 +396,7 @@ int tfe_tcp_restore_syn_packet(struct tcp_restore_info *restore_info, struct eth
 	 * +---------+---------+-----+-----+
 	 *      1         1       4     4
 	 */
-	if (client->timestamp_perm && server->timestamp_perm)
+	if (client->timestamp_perm)
 	{
 		// padding
 		memset(tcp_option_buff + tcp_option_len, 1, 2);
@@ -419,11 +435,11 @@ int tfe_tcp_restore_syn_packet(struct tcp_restore_info *restore_info, struct eth
 
 		// C -> S
 		length = tcp_packet_v4_construct(
-			buffer,																		 // buffer
-			client_mac, server_mac, 0, ETH_P_IP,										 // Ether
-			&sk_client->sin_addr, &sk_server->sin_addr, 0, TFE_FAKE_C_DEFAULT_TTL, 0x11, // IPv4
-			port_client, port_server, c_seq, 0, TCP_SYN_FLAG, client->window,			 // TCP Header
-			tcp_option_buff, tcp_option_len,											 // TCP Options
+			buffer,																				   // buffer
+			client_mac, server_mac, 0, ETH_P_IP,												   // Ether
+			&sk_client->sin_addr, &sk_server->sin_addr, 0, TFE_FAKE_C_DEFAULT_TTL, tfe_get_ipid(), // IPv4
+			port_client, port_server, c_seq, 0, TCP_SYN_FLAG, client->window,					   // TCP Header
+			tcp_option_buff, tcp_option_len,													   // TCP Options
 			NULL, 0);
 	}
 
@@ -449,7 +465,7 @@ int tfe_tcp_restore_synack_packet(struct tcp_restore_info *restore_info, struct
 	 * +---------+---------+---------+
 	 *      1         1         2
 	 */
-	if (client->mss && server->mss)
+	if (server->mss)
 	{
 		struct tcp_option_mss *option = (struct tcp_option_mss *)(tcp_option_buff + tcp_option_len);
 		option->kind = 2;
@@ -465,7 +481,7 @@ int tfe_tcp_restore_synack_packet(struct tcp_restore_info *restore_info, struct
 	 * +---------+---------+---------+
 	 *      1         1         1
 	 */
-	if (client->wscale_perm && server->wscale_perm)
+	if (server->wscale_perm)
 	{
 		// padding
 		memset(tcp_option_buff + tcp_option_len, 1, 1);
@@ -485,7 +501,7 @@ int tfe_tcp_restore_synack_packet(struct tcp_restore_info *restore_info, struct
 	 * +---------+---------+
 	 *      1         1
 	 */
-	if (client->sack_perm && server->sack_perm)
+	if (server->sack_perm)
 	{
 		// padding
 		memset(tcp_option_buff + tcp_option_len, 1, 2);
@@ -504,7 +520,7 @@ int tfe_tcp_restore_synack_packet(struct tcp_restore_info *restore_info, struct
 	 * +---------+---------+-----+-----+
 	 *      1         1       4     4
 	 */
-	if (client->timestamp_perm && server->timestamp_perm)
+	if (server->timestamp_perm)
 	{
 		// padding
 		memset(tcp_option_buff + tcp_option_len, 1, 2);
@@ -514,7 +530,7 @@ int tfe_tcp_restore_synack_packet(struct tcp_restore_info *restore_info, struct
 		option->kind = 8;
 		option->length = 10;
 		option->tsval = htonl(server->ts_val);
-		option->tsecr = htonl(client->ts_val);
+		option->tsecr = client->timestamp_perm ? htonl(client->ts_val) : htonl(0);
 		tcp_option_len += sizeof(struct tcp_option_time_stamp);
 	}
 
@@ -547,11 +563,11 @@ int tfe_tcp_restore_synack_packet(struct tcp_restore_info *restore_info, struct
 
 		// S -> C
 		length = tcp_packet_v4_construct(
-			buffer,																				 // buffer
-			server_mac, client_mac, 0, ETH_P_IP,												 // Ether
-			&sk_server->sin_addr, &sk_client->sin_addr, 0, TFE_FAKE_S_DEFAULT_TTL, 0x12,		 // IPv4
-			port_server, port_client, s_seq, c_seq, TCP_SYN_FLAG | TCP_ACK_FLAG, server->window, // TCP Header
-			tcp_option_buff, tcp_option_len,													 // TCP Options
+			buffer,																				   // buffer
+			server_mac, client_mac, 0, ETH_P_IP,												   // Ether
+			&sk_server->sin_addr, &sk_client->sin_addr, 0, TFE_FAKE_S_DEFAULT_TTL, tfe_get_ipid(), // IPv4
+			port_server, port_client, s_seq, c_seq, TCP_SYN_FLAG | TCP_ACK_FLAG, server->window,   // TCP Header
+			tcp_option_buff, tcp_option_len,													   // TCP Options
 			NULL, 0);
 	}
 
@@ -570,6 +586,7 @@ int tfe_tcp_restore_ack_packet(struct tcp_restore_info *restore_info, struct eth
 
 	uint32_t c_seq = client->seq - 1;
 	uint32_t s_seq = server->seq - 1;
+	uint16_t ack_window = 0;
 
 	/*
 	 * Time Stamp option: Kind: 8, Length: 10
@@ -592,6 +609,12 @@ int tfe_tcp_restore_ack_packet(struct tcp_restore_info *restore_info, struct eth
 		tcp_option_len += sizeof(struct tcp_option_time_stamp);
 	}
 
+	ack_window = MIN(client->window, server->window);
+	if (client->wscale_perm && server->wscale_perm)
+	{
+		ack_window = ack_window / (1 << server->wscale);
+	}
+
 	if (client->addr.ss_family == AF_INET6)
 	{
 		struct sockaddr_in6 *sk_client = (struct sockaddr_in6 *)&client->addr;
@@ -607,7 +630,7 @@ int tfe_tcp_restore_ack_packet(struct tcp_restore_info *restore_info, struct eth
 			buffer,																  // buffer
 			client_mac, server_mac, 0, ETH_P_IPV6,								  // Ether
 			&sk_client->sin6_addr, &sk_server->sin6_addr, TFE_FAKE_C_DEFAULT_TTL, // IPv6
-			port_client, port_server, c_seq, s_seq, TCP_ACK_FLAG, client->window, // TCP Header
+			port_client, port_server, c_seq, s_seq, TCP_ACK_FLAG, ack_window,	  // TCP Header
 			tcp_option_buff, tcp_option_len,									  // TCP Options
 			NULL, 0);															  // Payload
 	}
@@ -623,11 +646,11 @@ int tfe_tcp_restore_ack_packet(struct tcp_restore_info *restore_info, struct eth
 
 		// C -> S
 		length = tcp_packet_v4_construct(
-			buffer,																		 // buffer
-			client_mac, server_mac, 0, ETH_P_IP,										 // Ether
-			&sk_client->sin_addr, &sk_server->sin_addr, 0, TFE_FAKE_C_DEFAULT_TTL, 0x13, // IPv4
-			port_client, port_server, c_seq, s_seq, TCP_ACK_FLAG, client->window,		 // TCP Header
-			tcp_option_buff, tcp_option_len,											 // TCP Options
+			buffer,																				   // buffer
+			client_mac, server_mac, 0, ETH_P_IP,												   // Ether
+			&sk_client->sin_addr, &sk_server->sin_addr, 0, TFE_FAKE_C_DEFAULT_TTL, tfe_get_ipid(), // IPv4
+			port_client, port_server, c_seq, s_seq, TCP_ACK_FLAG, ack_window,					   // TCP Header
+			tcp_option_buff, tcp_option_len,													   // TCP Options
 			NULL, 0);
 	}