From 79dbfba4d42dc4675b407f3cd42f69b4a47d95f2 Mon Sep 17 00:00:00 2001
From: Max Lamprecht <max.lamprecht@mail.schwarz>
Date: Tue, 20 Aug 2024 18:24:45 +0200
Subject: [PATCH] fix: tls-passthrough if ClientHello is fragmented

We need to read the entire length of the ClientHello packet in order
to get the SNI field for proper tls passthrough.
---
 pkg/tcpproxy/tcp.go | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/pkg/tcpproxy/tcp.go b/pkg/tcpproxy/tcp.go
index fba4d21be8..ff34896860 100644
--- a/pkg/tcpproxy/tcp.go
+++ b/pkg/tcpproxy/tcp.go
@@ -40,6 +40,11 @@ type TCPProxy struct {
 	Default    *TCPServer
 }
 
+var (
+	tlsHeaderLength     = 5
+	tlsMaxMessageLength = 16384
+)
+
 // Get returns the TCPServer to use for a given host.
 func (p *TCPProxy) Get(host string) *TCPServer {
 	if p.ServerList == nil {
@@ -59,15 +64,37 @@ func (p *TCPProxy) Get(host string) *TCPServer {
 // and open a connection to the passthrough server.
 func (p *TCPProxy) Handle(conn net.Conn) {
 	defer conn.Close()
-	// See: https://www.ibm.com/docs/en/ztpf/1.1.0.15?topic=sessions-ssl-record-format
-	data := make([]byte, 16384)
-
-	length, err := conn.Read(data)
+	// It appears that the ClientHello must fit into *one* TLSPlaintext message:
+	// When a client first connects to a server, it is REQUIRED to send the ClientHello as its first TLS message.
+	// Source: https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.2
+
+	// length:  The length (in bytes) of the following TLSPlaintext.fragment. The length MUST NOT exceed 2^14 bytes.
+	// An endpoint that receives a record that exceeds this length MUST terminate the connection with a "record_overflow" alert.
+	// Source: https://datatracker.ietf.org/doc/html/rfc8446#section-5.1
+	// bytes 0  : content type
+	// bytes 1-2: legacy version
+	// bytes 3-4: length
+	// bytes 5+ : message
+	// https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_record
+	// Thus, we need to allocate 5 + 16384 bytes
+	data := make([]byte, tlsHeaderLength+tlsMaxMessageLength)
+
+	length, err := io.ReadAtLeast(conn, data, tlsHeaderLength)
 	if err != nil {
 		klog.V(4).ErrorS(err, "Error reading data from the connection")
 		return
 	}
 
+	// otherwise, ReadAtLeast may produce an index out of bounds
+	clientHelloLength := min(int(data[3])<<8+int(data[4]), tlsMaxMessageLength)
+
+	bLength, err := io.ReadAtLeast(conn, data[length:], tlsHeaderLength+clientHelloLength-length)
+	if err != nil {
+		klog.V(4).ErrorS(err, fmt.Sprintf("Error reading ClientHello of length %d from the connection", clientHelloLength))
+		return
+	}
+	length += bLength
+
 	proxy := p.Default
 	hostname, err := parser.GetHostname(data)
 	if err == nil {