// Copyright 2017 Google, Inc. All rights reserved.
//
// Use of this source code is governed by a BSD-style license
// that can be found in the LICENSE file in the root of the source
// tree.
//

package layers

import (
	"encoding/binary"
	"errors"

	"github.com/google/gopacket"
)

// BFD Control Packet Format
// -------------------------
// The current version of BFD's RFC (RFC 5880) contains the following
// diagram for the BFD Control packet format:
//
//      0                   1                   2                   3
//      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |Vers |  Diag   |Sta|P|F|C|A|D|M|  Detect Mult  |    Length     |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |                       My Discriminator                        |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |                      Your Discriminator                       |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |                    Desired Min TX Interval                    |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |                   Required Min RX Interval                    |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |                 Required Min Echo RX Interval                 |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//
//     An optional Authentication Section MAY be present:
//
//      0                   1                   2                   3
//      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |   Auth Type   |   Auth Len    |    Authentication Data...     |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//
//
//     Simple Password Authentication Section Format
//     ---------------------------------------------
//      0                   1                   2                   3
//      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |   Auth Type   |   Auth Len    |  Auth Key ID  |  Password...  |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |                              ...                              |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//
//
//     Keyed MD5 and Meticulous Keyed MD5 Authentication Section Format
//     ----------------------------------------------------------------
//      0                   1                   2                   3
//      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |   Auth Type   |   Auth Len    |  Auth Key ID  |   Reserved    |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |                        Sequence Number                        |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |                      Auth Key/Digest...                       |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |                              ...                              |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//
//
//     Keyed SHA1 and Meticulous Keyed SHA1 Authentication Section Format
//     ------------------------------------------------------------------
//      0                   1                   2                   3
//      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |   Auth Type   |   Auth Len    |  Auth Key ID  |   Reserved    |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |                        Sequence Number                        |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |                       Auth Key/Hash...                        |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//     |                              ...                              |
//     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
//
//     From https://tools.ietf.org/rfc/rfc5880.txt
const bfdMinimumRecordSizeInBytes int = 24

// BFDVersion represents the version as decoded from the BFD control message
type BFDVersion uint8

// BFDDiagnostic represents diagnostic infomation about a BFD session
type BFDDiagnostic uint8

// constants that define BFDDiagnostic flags
const (
	BFDDiagnosticNone               BFDDiagnostic = 0 // No Diagnostic
	BFDDiagnosticTimeExpired        BFDDiagnostic = 1 // Control Detection Time Expired
	BFDDiagnosticEchoFailed         BFDDiagnostic = 2 // Echo Function Failed
	BFDDiagnosticNeighborSignalDown BFDDiagnostic = 3 // Neighbor Signaled Session Down
	BFDDiagnosticForwardPlaneReset  BFDDiagnostic = 4 // Forwarding Plane Reset
	BFDDiagnosticPathDown           BFDDiagnostic = 5 // Path Down
	BFDDiagnosticConcatPathDown     BFDDiagnostic = 6 // Concatenated Path Down
	BFDDiagnosticAdminDown          BFDDiagnostic = 7 // Administratively Down
	BFDDiagnosticRevConcatPathDown  BFDDiagnostic = 8 // Reverse Concatenated Path Dow
)

// String returns a string version of BFDDiagnostic
func (bd BFDDiagnostic) String() string {
	switch bd {
	default:
		return "Unknown"
	case BFDDiagnosticNone:
		return "None"
	case BFDDiagnosticTimeExpired:
		return "Control Detection Time Expired"
	case BFDDiagnosticEchoFailed:
		return "Echo Function Failed"
	case BFDDiagnosticNeighborSignalDown:
		return "Neighbor Signaled Session Down"
	case BFDDiagnosticForwardPlaneReset:
		return "Forwarding Plane Reset"
	case BFDDiagnosticPathDown:
		return "Path Down"
	case BFDDiagnosticConcatPathDown:
		return "Concatenated Path Down"
	case BFDDiagnosticAdminDown:
		return "Administratively Down"
	case BFDDiagnosticRevConcatPathDown:
		return "Reverse Concatenated Path Down"
	}
}

// BFDState represents the state of a BFD session
type BFDState uint8

// constants that define BFDState
const (
	BFDStateAdminDown BFDState = 0
	BFDStateDown      BFDState = 1
	BFDStateInit      BFDState = 2
	BFDStateUp        BFDState = 3
)

// String returns a string version of BFDState
func (s BFDState) String() string {
	switch s {
	default:
		return "Unknown"
	case BFDStateAdminDown:
		return "Admin Down"
	case BFDStateDown:
		return "Down"
	case BFDStateInit:
		return "Init"
	case BFDStateUp:
		return "Up"
	}
}

// BFDDetectMultiplier represents the negotiated transmit interval,
// multiplied by this value, provides the Detection Time for the
// receiving system in Asynchronous mode.
type BFDDetectMultiplier uint8

// BFDDiscriminator is a unique, nonzero discriminator value used
// to demultiplex multiple BFD sessions between the same pair of systems.
type BFDDiscriminator uint32

// BFDTimeInterval represents a time interval in microseconds
type BFDTimeInterval uint32

// BFDAuthType represents the authentication used in the BFD session
type BFDAuthType uint8

// constants that define the BFDAuthType
const (
	BFDAuthTypeNone                BFDAuthType = 0 // No Auth
	BFDAuthTypePassword            BFDAuthType = 1 // Simple Password
	BFDAuthTypeKeyedMD5            BFDAuthType = 2 // Keyed MD5
	BFDAuthTypeMeticulousKeyedMD5  BFDAuthType = 3 // Meticulous Keyed MD5
	BFDAuthTypeKeyedSHA1           BFDAuthType = 4 // Keyed SHA1
	BFDAuthTypeMeticulousKeyedSHA1 BFDAuthType = 5 // Meticulous Keyed SHA1
)

// String returns a string version of BFDAuthType
func (at BFDAuthType) String() string {
	switch at {
	default:
		return "Unknown"
	case BFDAuthTypeNone:
		return "No Authentication"
	case BFDAuthTypePassword:
		return "Simple Password"
	case BFDAuthTypeKeyedMD5:
		return "Keyed MD5"
	case BFDAuthTypeMeticulousKeyedMD5:
		return "Meticulous Keyed MD5"
	case BFDAuthTypeKeyedSHA1:
		return "Keyed SHA1"
	case BFDAuthTypeMeticulousKeyedSHA1:
		return "Meticulous Keyed SHA1"
	}
}

// BFDAuthKeyID represents the authentication key ID in use for
// this packet.  This allows multiple keys to be active simultaneously.
type BFDAuthKeyID uint8

// BFDAuthSequenceNumber represents the sequence number for this packet.
// For Keyed Authentication, this value is incremented occasionally.  For
// Meticulous Keyed Authentication, this value is incremented for each
// successive packet transmitted for a session.  This provides protection
// against replay attacks.
type BFDAuthSequenceNumber uint32

// BFDAuthData represents the authentication key or digest
type BFDAuthData []byte

// BFDAuthHeader represents authentication data used in the BFD session
type BFDAuthHeader struct {
	AuthType       BFDAuthType
	KeyID          BFDAuthKeyID
	SequenceNumber BFDAuthSequenceNumber
	Data           BFDAuthData
}

// Length returns the data length of the BFDAuthHeader based on the
// authentication type
func (h *BFDAuthHeader) Length() int {
	switch h.AuthType {
	case BFDAuthTypePassword:
		return 3 + len(h.Data)
	case BFDAuthTypeKeyedMD5, BFDAuthTypeMeticulousKeyedMD5:
		return 8 + len(h.Data)
	case BFDAuthTypeKeyedSHA1, BFDAuthTypeMeticulousKeyedSHA1:
		return 8 + len(h.Data)
	default:
		return 0
	}
}

// BFD represents a BFD control message packet whose payload contains
// the control information required to for a BFD session.
//
// References
// ----------
//
// Wikipedia's BFD entry:
//     https://en.wikipedia.org/wiki/Bidirectional_Forwarding_Detection
//     This is the best place to get an overview of BFD.
//
// RFC 5880 "Bidirectional Forwarding Detection (BFD)" (2010)
//     https://tools.ietf.org/html/rfc5880
//     This is the original BFD specification.
//
// RFC 5881 "Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop)" (2010)
//     https://tools.ietf.org/html/rfc5881
//     Describes the use of the Bidirectional Forwarding Detection (BFD)
//     protocol over IPv4 and IPv6 for single IP hops.
type BFD struct {
	BaseLayer // Stores the packet bytes and payload bytes.

	Version                   BFDVersion          // Version of the BFD protocol.
	Diagnostic                BFDDiagnostic       // Diagnostic code for last state change
	State                     BFDState            // Current state
	Poll                      bool                // Requesting verification
	Final                     bool                // Responding to a received BFD Control packet that had the Poll (P) bit set.
	ControlPlaneIndependent   bool                // BFD implementation does not share fate with its control plane
	AuthPresent               bool                // Authentication Section is present and the session is to be authenticated
	Demand                    bool                // Demand mode is active
	Multipoint                bool                // For future point-to-multipoint extensions. Must always be zero
	DetectMultiplier          BFDDetectMultiplier // Detection time multiplier
	MyDiscriminator           BFDDiscriminator    // A unique, nonzero discriminator value
	YourDiscriminator         BFDDiscriminator    // discriminator received from the remote system.
	DesiredMinTxInterval      BFDTimeInterval     // Minimum interval, in microseconds,  the local system would like to use when transmitting BFD Control packets
	RequiredMinRxInterval     BFDTimeInterval     // Minimum interval, in microseconds, between received BFD Control packets that this system is capable of supporting
	RequiredMinEchoRxInterval BFDTimeInterval     // Minimum interval, in microseconds, between received BFD Echo packets that this system is capable of supporting
	AuthHeader                *BFDAuthHeader      // Authentication data, variable length.
}

// Length returns the data length of a BFD Control message which
// changes based on the presence and type of authentication
// contained in the message
func (d *BFD) Length() int {
	if d.AuthPresent && (d.AuthHeader != nil) {
		return bfdMinimumRecordSizeInBytes + d.AuthHeader.Length()
	}

	return bfdMinimumRecordSizeInBytes
}

// LayerType returns the layer type of the BFD object, which is LayerTypeBFD.
func (d *BFD) LayerType() gopacket.LayerType {
	return LayerTypeBFD
}

// decodeBFD analyses a byte slice and attempts to decode it as a BFD
// control packet
//
// If it succeeds, it loads p with information about the packet and returns nil.
// If it fails, it returns an error (non nil).
//
// This function is employed in layertypes.go to register the BFD layer.
func decodeBFD(data []byte, p gopacket.PacketBuilder) error {

	// Attempt to decode the byte slice.
	d := &BFD{}
	err := d.DecodeFromBytes(data, p)
	if err != nil {
		return err
	}

	// If the decoding worked, add the layer to the packet and set it
	// as the application layer too, if there isn't already one.
	p.AddLayer(d)
	p.SetApplicationLayer(d)

	return nil
}

// DecodeFromBytes analyses a byte slice and attempts to decode it as a BFD
// control packet.
//
// Upon succeeds, it loads the BFD object with information about the packet
// and returns nil.
// Upon failure, it returns an error (non nil).
func (d *BFD) DecodeFromBytes(data []byte, df gopacket.DecodeFeedback) error {

	// If the data block is too short to be a BFD record, then return an error.
	if len(data) < bfdMinimumRecordSizeInBytes {
		df.SetTruncated()
		return errors.New("BFD packet too short")
	}

	pLen := uint8(data[3])
	if len(data) != int(pLen) {
		return errors.New("BFD packet length does not match")
	}

	// BFD type embeds type BaseLayer which contains two fields:
	//    Contents is supposed to contain the bytes of the data at this level.
	//    Payload is supposed to contain the payload of this level.
	// Here we set the baselayer to be the bytes of the BFD record.
	d.BaseLayer = BaseLayer{Contents: data[:len(data)]}

	// Extract the fields from the block of bytes.
	// To make sense of this, refer to the packet diagram
	// above and the section on endian conventions.

	// The first few fields are all packed into the first 32 bits. Unpack them.
	d.Version = BFDVersion(((data[0] & 0xE0) >> 5))
	d.Diagnostic = BFDDiagnostic(data[0] & 0x1F)
	data = data[1:]

	d.State = BFDState((data[0] & 0xC0) >> 6)
	d.Poll = data[0]&0x20 != 0
	d.Final = data[0]&0x10 != 0
	d.ControlPlaneIndependent = data[0]&0x08 != 0
	d.AuthPresent = data[0]&0x04 != 0
	d.Demand = data[0]&0x02 != 0
	d.Multipoint = data[0]&0x01 != 0
	data = data[1:]

	data, d.DetectMultiplier = data[1:], BFDDetectMultiplier(data[0])
	data, _ = data[1:], uint8(data[0]) // Consume length

	// The remaining fields can just be copied in big endian order.
	data, d.MyDiscriminator = data[4:], BFDDiscriminator(binary.BigEndian.Uint32(data[:4]))
	data, d.YourDiscriminator = data[4:], BFDDiscriminator(binary.BigEndian.Uint32(data[:4]))
	data, d.DesiredMinTxInterval = data[4:], BFDTimeInterval(binary.BigEndian.Uint32(data[:4]))
	data, d.RequiredMinRxInterval = data[4:], BFDTimeInterval(binary.BigEndian.Uint32(data[:4]))
	data, d.RequiredMinEchoRxInterval = data[4:], BFDTimeInterval(binary.BigEndian.Uint32(data[:4]))

	if d.AuthPresent && (len(data) > 2) {
		d.AuthHeader = &BFDAuthHeader{}
		data, d.AuthHeader.AuthType = data[1:], BFDAuthType(data[0])
		data, _ = data[1:], uint8(data[0]) // Consume length
		data, d.AuthHeader.KeyID = data[1:], BFDAuthKeyID(data[0])

		switch d.AuthHeader.AuthType {
		case BFDAuthTypePassword:
			d.AuthHeader.Data = BFDAuthData(data)
		case BFDAuthTypeKeyedMD5, BFDAuthTypeMeticulousKeyedMD5:
			// Skipped reserved byte
			data, d.AuthHeader.SequenceNumber = data[5:], BFDAuthSequenceNumber(binary.BigEndian.Uint32(data[1:5]))
			d.AuthHeader.Data = BFDAuthData(data)
		case BFDAuthTypeKeyedSHA1, BFDAuthTypeMeticulousKeyedSHA1:
			// Skipped reserved byte
			data, d.AuthHeader.SequenceNumber = data[5:], BFDAuthSequenceNumber(binary.BigEndian.Uint32(data[1:5]))
			d.AuthHeader.Data = BFDAuthData(data)
		}
	}

	return nil
}

// SerializeTo writes the serialized form of this layer into the
// SerializationBuffer, implementing gopacket.SerializableLayer.
// See the docs for gopacket.SerializableLayer for more info.
func (d *BFD) SerializeTo(b gopacket.SerializeBuffer, opts gopacket.SerializeOptions) error {
	data, err := b.PrependBytes(bfdMinimumRecordSizeInBytes)
	if err != nil {
		return err
	}

	// Pack the first few fields into the first 32 bits.
	data[0] = byte(byte(d.Version<<5) | byte(d.Diagnostic))
	h := uint8(0)
	h |= (uint8(d.State) << 6)
	h |= (uint8(bool2uint8(d.Poll)) << 5)
	h |= (uint8(bool2uint8(d.Final)) << 4)
	h |= (uint8(bool2uint8(d.ControlPlaneIndependent)) << 3)
	h |= (uint8(bool2uint8(d.AuthPresent)) << 2)
	h |= (uint8(bool2uint8(d.Demand)) << 1)
	h |= uint8(bool2uint8(d.Multipoint))
	data[1] = byte(h)
	data[2] = byte(d.DetectMultiplier)
	data[3] = byte(d.Length())

	// The remaining fields can just be copied in big endian order.
	binary.BigEndian.PutUint32(data[4:], uint32(d.MyDiscriminator))
	binary.BigEndian.PutUint32(data[8:], uint32(d.YourDiscriminator))
	binary.BigEndian.PutUint32(data[12:], uint32(d.DesiredMinTxInterval))
	binary.BigEndian.PutUint32(data[16:], uint32(d.RequiredMinRxInterval))
	binary.BigEndian.PutUint32(data[20:], uint32(d.RequiredMinEchoRxInterval))

	if d.AuthPresent && (d.AuthHeader != nil) {
		auth, err := b.AppendBytes(int(d.AuthHeader.Length()))
		if err != nil {
			return err
		}

		auth[0] = byte(d.AuthHeader.AuthType)
		auth[1] = byte(d.AuthHeader.Length())
		auth[2] = byte(d.AuthHeader.KeyID)

		switch d.AuthHeader.AuthType {
		case BFDAuthTypePassword:
			copy(auth[3:], d.AuthHeader.Data)
		case BFDAuthTypeKeyedMD5, BFDAuthTypeMeticulousKeyedMD5:
			auth[3] = byte(0)
			binary.BigEndian.PutUint32(auth[4:], uint32(d.AuthHeader.SequenceNumber))
			copy(auth[8:], d.AuthHeader.Data)
		case BFDAuthTypeKeyedSHA1, BFDAuthTypeMeticulousKeyedSHA1:
			auth[3] = byte(0)
			binary.BigEndian.PutUint32(auth[4:], uint32(d.AuthHeader.SequenceNumber))
			copy(auth[8:], d.AuthHeader.Data)
		}
	}

	return nil
}

// CanDecode returns a set of layers that BFD objects can decode.
// As BFD objects can only decide the BFD layer, we can return just that layer.
// Apparently a single layer type implements LayerClass.
func (d *BFD) CanDecode() gopacket.LayerClass {
	return LayerTypeBFD
}

// NextLayerType specifies the next layer that GoPacket should attempt to
// analyse after this (BFD) layer. As BFD packets do not contain any payload
// bytes, there are no further layers to analyse.
func (d *BFD) NextLayerType() gopacket.LayerType {
	return gopacket.LayerTypeZero
}

// Payload returns an empty byte slice as BFD packets do not carry a payload
func (d *BFD) Payload() []byte {
	return nil
}

// bool2uint8 converts a bool to uint8
func bool2uint8(b bool) uint8 {
	if b {
		return 1
	}
	return 0
}