cloudflared-mirror/vendor/github.com/google/gopacket/layers/tls.go

// Copyright 2018 The GoPacket Authors. All rights reserved.
//
// Use of this source code is governed by a BSD-style license
// that can be found in the LICENSE file in the root of the source
// tree.

package layers

import (
	"encoding/binary"
	"errors"

	"github.com/google/gopacket"
)

// TLSType defines the type of data after the TLS Record
type TLSType uint8

// TLSType known values.
const (
	TLSChangeCipherSpec TLSType = 20
	TLSAlert            TLSType = 21
	TLSHandshake        TLSType = 22
	TLSApplicationData  TLSType = 23
	TLSUnknown          TLSType = 255
)

// String shows the register type nicely formatted
func (tt TLSType) String() string {
	switch tt {
	default:
		return "Unknown"
	case TLSChangeCipherSpec:
		return "Change Cipher Spec"
	case TLSAlert:
		return "Alert"
	case TLSHandshake:
		return "Handshake"
	case TLSApplicationData:
		return "Application Data"
	}
}

// TLSVersion represents the TLS version in numeric format
type TLSVersion uint16

// Strings shows the TLS version nicely formatted
func (tv TLSVersion) String() string {
	switch tv {
	default:
		return "Unknown"
	case 0x0200:
		return "SSL 2.0"
	case 0x0300:
		return "SSL 3.0"
	case 0x0301:
		return "TLS 1.0"
	case 0x0302:
		return "TLS 1.1"
	case 0x0303:
		return "TLS 1.2"
	case 0x0304:
		return "TLS 1.3"
	}
}

// TLS is specified in RFC 5246
//
//  TLS Record Protocol
//  0  1  2  3  4  5  6  7  8
//  +--+--+--+--+--+--+--+--+
//  |     Content Type      |
//  +--+--+--+--+--+--+--+--+
//  |    Version (major)    |
//  +--+--+--+--+--+--+--+--+
//  |    Version (minor)    |
//  +--+--+--+--+--+--+--+--+
//  |        Length         |
//  +--+--+--+--+--+--+--+--+
//  |        Length         |
//  +--+--+--+--+--+--+--+--+

// TLS is actually a slide of TLSrecord structures
type TLS struct {
	BaseLayer

	// TLS Records
	ChangeCipherSpec []TLSChangeCipherSpecRecord
	Handshake        []TLSHandshakeRecord
	AppData          []TLSAppDataRecord
	Alert            []TLSAlertRecord
}

// TLSRecordHeader contains all the information that each TLS Record types should have
type TLSRecordHeader struct {
	ContentType TLSType
	Version     TLSVersion
	Length      uint16
}

// LayerType returns gopacket.LayerTypeTLS.
func (t *TLS) LayerType() gopacket.LayerType { return LayerTypeTLS }

// decodeTLS decodes the byte slice into a TLS type. It also
// setups the application Layer in PacketBuilder.
func decodeTLS(data []byte, p gopacket.PacketBuilder) error {
	t := &TLS{}
	err := t.DecodeFromBytes(data, p)
	if err != nil {
		return err
	}
	p.AddLayer(t)
	p.SetApplicationLayer(t)
	return nil
}

// DecodeFromBytes decodes the slice into the TLS struct.
func (t *TLS) DecodeFromBytes(data []byte, df gopacket.DecodeFeedback) error {
	t.BaseLayer.Contents = data
	t.BaseLayer.Payload = nil

	t.ChangeCipherSpec = t.ChangeCipherSpec[:0]
	t.Handshake = t.Handshake[:0]
	t.AppData = t.AppData[:0]
	t.Alert = t.Alert[:0]

	return t.decodeTLSRecords(data, df)
}

func (t *TLS) decodeTLSRecords(data []byte, df gopacket.DecodeFeedback) error {
	if len(data) < 5 {
		df.SetTruncated()
		return errors.New("TLS record too short")
	}

	// since there are no further layers, the baselayer's content is
	// pointing to this layer
	// TODO: Consider removing this
	t.BaseLayer = BaseLayer{Contents: data[:len(data)]}

	var h TLSRecordHeader
	h.ContentType = TLSType(data[0])
	h.Version = TLSVersion(binary.BigEndian.Uint16(data[1:3]))
	h.Length = binary.BigEndian.Uint16(data[3:5])

	if h.ContentType.String() == "Unknown" {
		return errors.New("Unknown TLS record type")
	}

	hl := 5 // header length
	tl := hl + int(h.Length)
	if len(data) < tl {
		df.SetTruncated()
		return errors.New("TLS packet length mismatch")
	}

	switch h.ContentType {
	default:
		return errors.New("Unknown TLS record type")
	case TLSChangeCipherSpec:
		var r TLSChangeCipherSpecRecord
		e := r.decodeFromBytes(h, data[hl:tl], df)
		if e != nil {
			return e
		}
		t.ChangeCipherSpec = append(t.ChangeCipherSpec, r)
	case TLSAlert:
		var r TLSAlertRecord
		e := r.decodeFromBytes(h, data[hl:tl], df)
		if e != nil {
			return e
		}
		t.Alert = append(t.Alert, r)
	case TLSHandshake:
		var r TLSHandshakeRecord
		e := r.decodeFromBytes(h, data[hl:tl], df)
		if e != nil {
			return e
		}
		t.Handshake = append(t.Handshake, r)
	case TLSApplicationData:
		var r TLSAppDataRecord
		e := r.decodeFromBytes(h, data[hl:tl], df)
		if e != nil {
			return e
		}
		t.AppData = append(t.AppData, r)
	}

	if len(data) == tl {
		return nil
	}
	return t.decodeTLSRecords(data[tl:len(data)], df)
}

// CanDecode implements gopacket.DecodingLayer.
func (t *TLS) CanDecode() gopacket.LayerClass {
	return LayerTypeTLS
}

// NextLayerType implements gopacket.DecodingLayer.
func (t *TLS) NextLayerType() gopacket.LayerType {
	return gopacket.LayerTypeZero
}

// Payload returns nil, since TLS encrypted payload is inside TLSAppDataRecord
func (t *TLS) Payload() []byte {
	return nil
}

// SerializeTo writes the serialized form of this layer into the
// SerializationBuffer, implementing gopacket.SerializableLayer.
func (t *TLS) SerializeTo(b gopacket.SerializeBuffer, opts gopacket.SerializeOptions) error {
	totalLength := 0
	for _, record := range t.ChangeCipherSpec {
		if opts.FixLengths {
			record.Length = 1
		}
		totalLength += 5 + 1 // length of header + record
	}
	for range t.Handshake {
		totalLength += 5
		// TODO
	}
	for _, record := range t.AppData {
		if opts.FixLengths {
			record.Length = uint16(len(record.Payload))
		}
		totalLength += 5 + len(record.Payload)
	}
	for _, record := range t.Alert {
		if len(record.EncryptedMsg) == 0 {
			if opts.FixLengths {
				record.Length = 2
			}
			totalLength += 5 + 2
		} else {
			if opts.FixLengths {
				record.Length = uint16(len(record.EncryptedMsg))
			}
			totalLength += 5 + len(record.EncryptedMsg)
		}
	}
	data, err := b.PrependBytes(totalLength)
	if err != nil {
		return err
	}
	off := 0
	for _, record := range t.ChangeCipherSpec {
		off = encodeHeader(record.TLSRecordHeader, data, off)
		data[off] = byte(record.Message)
		off++
	}
	for _, record := range t.Handshake {
		off = encodeHeader(record.TLSRecordHeader, data, off)
		// TODO
	}
	for _, record := range t.AppData {
		off = encodeHeader(record.TLSRecordHeader, data, off)
		copy(data[off:], record.Payload)
		off += len(record.Payload)
	}
	for _, record := range t.Alert {
		off = encodeHeader(record.TLSRecordHeader, data, off)
		if len(record.EncryptedMsg) == 0 {
			data[off] = byte(record.Level)
			data[off+1] = byte(record.Description)
			off += 2
		} else {
			copy(data[off:], record.EncryptedMsg)
			off += len(record.EncryptedMsg)
		}
	}
	return nil
}

func encodeHeader(header TLSRecordHeader, data []byte, offset int) int {
	data[offset] = byte(header.ContentType)
	binary.BigEndian.PutUint16(data[offset+1:], uint16(header.Version))
	binary.BigEndian.PutUint16(data[offset+3:], header.Length)

	return offset + 5
}
TUN-6666: Define packet package This package defines IP and ICMP packet, decoders, encoder and flow 2022-08-17 15:46:49 +00:00			`// Copyright 2018 The GoPacket Authors. All rights reserved.`
			`//`
			`// Use of this source code is governed by a BSD-style license`
			`// that can be found in the LICENSE file in the root of the source`
			`// tree.`

			`package layers`

			`import (`
			`"encoding/binary"`
			`"errors"`

			`"github.com/google/gopacket"`
			`)`

			`// TLSType defines the type of data after the TLS Record`
			`type TLSType uint8`

			`// TLSType known values.`
			`const (`
			`TLSChangeCipherSpec TLSType = 20`
			`TLSAlert TLSType = 21`
			`TLSHandshake TLSType = 22`
			`TLSApplicationData TLSType = 23`
			`TLSUnknown TLSType = 255`
			`)`

			`// String shows the register type nicely formatted`
			`func (tt TLSType) String() string {`
			`switch tt {`
			`default:`
			`return "Unknown"`
			`case TLSChangeCipherSpec:`
			`return "Change Cipher Spec"`
			`case TLSAlert:`
			`return "Alert"`
			`case TLSHandshake:`
			`return "Handshake"`
			`case TLSApplicationData:`
			`return "Application Data"`
			`}`
			`}`

			`// TLSVersion represents the TLS version in numeric format`
			`type TLSVersion uint16`

			`// Strings shows the TLS version nicely formatted`
			`func (tv TLSVersion) String() string {`
			`switch tv {`
			`default:`
			`return "Unknown"`
			`case 0x0200:`
			`return "SSL 2.0"`
			`case 0x0300:`
			`return "SSL 3.0"`
			`case 0x0301:`
			`return "TLS 1.0"`
			`case 0x0302:`
			`return "TLS 1.1"`
			`case 0x0303:`
			`return "TLS 1.2"`
			`case 0x0304:`
			`return "TLS 1.3"`
			`}`
			`}`

			`// TLS is specified in RFC 5246`
			`//`
			`// TLS Record Protocol`
			`// 0 1 2 3 4 5 6 7 8`
			`// +--+--+--+--+--+--+--+--+`
			`// \| Content Type \|`
			`// +--+--+--+--+--+--+--+--+`
			`// \| Version (major) \|`
			`// +--+--+--+--+--+--+--+--+`
			`// \| Version (minor) \|`
			`// +--+--+--+--+--+--+--+--+`
			`// \| Length \|`
			`// +--+--+--+--+--+--+--+--+`
			`// \| Length \|`
			`// +--+--+--+--+--+--+--+--+`

			`// TLS is actually a slide of TLSrecord structures`
			`type TLS struct {`
			`BaseLayer`

			`// TLS Records`
			`ChangeCipherSpec []TLSChangeCipherSpecRecord`
			`Handshake []TLSHandshakeRecord`
			`AppData []TLSAppDataRecord`
			`Alert []TLSAlertRecord`
			`}`

			`// TLSRecordHeader contains all the information that each TLS Record types should have`
			`type TLSRecordHeader struct {`
			`ContentType TLSType`
			`Version TLSVersion`
			`Length uint16`
			`}`

			`// LayerType returns gopacket.LayerTypeTLS.`
			`func (t *TLS) LayerType() gopacket.LayerType { return LayerTypeTLS }`

			`// decodeTLS decodes the byte slice into a TLS type. It also`
			`// setups the application Layer in PacketBuilder.`
			`func decodeTLS(data []byte, p gopacket.PacketBuilder) error {`
			`t := &TLS{}`
			`err := t.DecodeFromBytes(data, p)`
			`if err != nil {`
			`return err`
			`}`
			`p.AddLayer(t)`
			`p.SetApplicationLayer(t)`
			`return nil`
			`}`

			`// DecodeFromBytes decodes the slice into the TLS struct.`
			`func (t *TLS) DecodeFromBytes(data []byte, df gopacket.DecodeFeedback) error {`
			`t.BaseLayer.Contents = data`
			`t.BaseLayer.Payload = nil`

			`t.ChangeCipherSpec = t.ChangeCipherSpec[:0]`
			`t.Handshake = t.Handshake[:0]`
			`t.AppData = t.AppData[:0]`
			`t.Alert = t.Alert[:0]`

			`return t.decodeTLSRecords(data, df)`
			`}`

			`func (t *TLS) decodeTLSRecords(data []byte, df gopacket.DecodeFeedback) error {`
			`if len(data) < 5 {`
			`df.SetTruncated()`
			`return errors.New("TLS record too short")`
			`}`

			`// since there are no further layers, the baselayer's content is`
			`// pointing to this layer`
			`// TODO: Consider removing this`
			`t.BaseLayer = BaseLayer{Contents: data[:len(data)]}`

			`var h TLSRecordHeader`
			`h.ContentType = TLSType(data[0])`
			`h.Version = TLSVersion(binary.BigEndian.Uint16(data[1:3]))`
			`h.Length = binary.BigEndian.Uint16(data[3:5])`

			`if h.ContentType.String() == "Unknown" {`
			`return errors.New("Unknown TLS record type")`
			`}`

			`hl := 5 // header length`
			`tl := hl + int(h.Length)`
			`if len(data) < tl {`
			`df.SetTruncated()`
			`return errors.New("TLS packet length mismatch")`
			`}`

			`switch h.ContentType {`
			`default:`
			`return errors.New("Unknown TLS record type")`
			`case TLSChangeCipherSpec:`
			`var r TLSChangeCipherSpecRecord`
			`e := r.decodeFromBytes(h, data[hl:tl], df)`
			`if e != nil {`
			`return e`
			`}`
			`t.ChangeCipherSpec = append(t.ChangeCipherSpec, r)`
			`case TLSAlert:`
			`var r TLSAlertRecord`
			`e := r.decodeFromBytes(h, data[hl:tl], df)`
			`if e != nil {`
			`return e`
			`}`
			`t.Alert = append(t.Alert, r)`
			`case TLSHandshake:`
			`var r TLSHandshakeRecord`
			`e := r.decodeFromBytes(h, data[hl:tl], df)`
			`if e != nil {`
			`return e`
			`}`
			`t.Handshake = append(t.Handshake, r)`
			`case TLSApplicationData:`
			`var r TLSAppDataRecord`
			`e := r.decodeFromBytes(h, data[hl:tl], df)`
			`if e != nil {`
			`return e`
			`}`
			`t.AppData = append(t.AppData, r)`
			`}`

			`if len(data) == tl {`
			`return nil`
			`}`
			`return t.decodeTLSRecords(data[tl:len(data)], df)`
			`}`

			`// CanDecode implements gopacket.DecodingLayer.`
			`func (t *TLS) CanDecode() gopacket.LayerClass {`
			`return LayerTypeTLS`
			`}`

			`// NextLayerType implements gopacket.DecodingLayer.`
			`func (t *TLS) NextLayerType() gopacket.LayerType {`
			`return gopacket.LayerTypeZero`
			`}`

			`// Payload returns nil, since TLS encrypted payload is inside TLSAppDataRecord`
			`func (t *TLS) Payload() []byte {`
			`return nil`
			`}`

			`// SerializeTo writes the serialized form of this layer into the`
			`// SerializationBuffer, implementing gopacket.SerializableLayer.`
			`func (t *TLS) SerializeTo(b gopacket.SerializeBuffer, opts gopacket.SerializeOptions) error {`
			`totalLength := 0`
			`for _, record := range t.ChangeCipherSpec {`
			`if opts.FixLengths {`
			`record.Length = 1`
			`}`
			`totalLength += 5 + 1 // length of header + record`
			`}`
			`for range t.Handshake {`
			`totalLength += 5`
			`// TODO`
			`}`
			`for _, record := range t.AppData {`
			`if opts.FixLengths {`
			`record.Length = uint16(len(record.Payload))`
			`}`
			`totalLength += 5 + len(record.Payload)`
			`}`
			`for _, record := range t.Alert {`
			`if len(record.EncryptedMsg) == 0 {`
			`if opts.FixLengths {`
			`record.Length = 2`
			`}`
			`totalLength += 5 + 2`
			`} else {`
			`if opts.FixLengths {`
			`record.Length = uint16(len(record.EncryptedMsg))`
			`}`
			`totalLength += 5 + len(record.EncryptedMsg)`
			`}`
			`}`
			`data, err := b.PrependBytes(totalLength)`
			`if err != nil {`
			`return err`
			`}`
			`off := 0`
			`for _, record := range t.ChangeCipherSpec {`
			`off = encodeHeader(record.TLSRecordHeader, data, off)`
			`data[off] = byte(record.Message)`
			`off++`
			`}`
			`for _, record := range t.Handshake {`
			`off = encodeHeader(record.TLSRecordHeader, data, off)`
			`// TODO`
			`}`
			`for _, record := range t.AppData {`
			`off = encodeHeader(record.TLSRecordHeader, data, off)`
			`copy(data[off:], record.Payload)`
			`off += len(record.Payload)`
			`}`
			`for _, record := range t.Alert {`
			`off = encodeHeader(record.TLSRecordHeader, data, off)`
			`if len(record.EncryptedMsg) == 0 {`
			`data[off] = byte(record.Level)`
			`data[off+1] = byte(record.Description)`
			`off += 2`
			`} else {`
			`copy(data[off:], record.EncryptedMsg)`
			`off += len(record.EncryptedMsg)`
			`}`
			`}`
			`return nil`
			`}`

			`func encodeHeader(header TLSRecordHeader, data []byte, offset int) int {`
			`data[offset] = byte(header.ContentType)`
			`binary.BigEndian.PutUint16(data[offset+1:], uint16(header.Version))`
			`binary.BigEndian.PutUint16(data[offset+3:], header.Length)`

			`return offset + 5`
			`}`