push.rocks/smartproxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(PortProxy/SNI): Refactor SNI extraction in PortProxy to use the dedicated SniHandler class

Browse Source
This commit is contained in:
Philipp Kunz
2025-03-11 17:01:07 +00:00
parent d81cf94876
commit 87d26c86a1
5 changed files with 354 additions and 200 deletions
Download Patch File Download Diff File Expand all files Collapse all files

212
ts/classes.portproxy.ts
View File

@@ -1,5 +1,6 @@
import * as plugins from './plugins.js';
import { NetworkProxy } from './classes.networkproxy.js';
import { SniHandler } from './classes.snihandler.js';
/** Domain configuration with per-domain allowed port ranges */
export interface IDomainConfig {
@@ -117,192 +118,8 @@ interface IConnectionRecord {
domainSwitches?: number; // Number of times the domain has been switched on this connection
}
/**
* Extracts the SNI (Server Name Indication) from a TLS ClientHello packet.
* Enhanced for robustness and detailed logging.
* @param buffer - Buffer containing the TLS ClientHello.
* @param enableLogging - Whether to enable detailed logging.
* @returns The server name if found, otherwise undefined.
*/
function extractSNI(buffer: Buffer, enableLogging: boolean = false): string | undefined {
try {
// Check if buffer is too small for TLS
if (buffer.length < 5) {
if (enableLogging) console.log('Buffer too small for TLS header');
return undefined;
}
// Check record type (has to be handshake - 22)
const recordType = buffer.readUInt8(0);
if (recordType !== 22) {
if (enableLogging) console.log(`Not a TLS handshake. Record type: ${recordType}`);
return undefined;
}
// Check TLS version (has to be 3.1 or higher)
const majorVersion = buffer.readUInt8(1);
const minorVersion = buffer.readUInt8(2);
if (enableLogging) console.log(`TLS Version: ${majorVersion}.${minorVersion}`);
// Check record length
const recordLength = buffer.readUInt16BE(3);
if (buffer.length < 5 + recordLength) {
if (enableLogging)
console.log(
`Buffer too small for TLS record. Expected: ${5 + recordLength}, Got: ${buffer.length}`
);
return undefined;
}
let offset = 5;
const handshakeType = buffer.readUInt8(offset);
if (handshakeType !== 1) {
if (enableLogging) console.log(`Not a ClientHello. Handshake type: ${handshakeType}`);
return undefined;
}
offset += 4; // Skip handshake header (type + length)
// Client version
const clientMajorVersion = buffer.readUInt8(offset);
const clientMinorVersion = buffer.readUInt8(offset + 1);
if (enableLogging) console.log(`Client Version: ${clientMajorVersion}.${clientMinorVersion}`);
offset += 2 + 32; // Skip client version and random
// Session ID
const sessionIDLength = buffer.readUInt8(offset);
if (enableLogging) console.log(`Session ID Length: ${sessionIDLength}`);
offset += 1 + sessionIDLength; // Skip session ID
// Cipher suites
if (offset + 2 > buffer.length) {
if (enableLogging) console.log('Buffer too small for cipher suites length');
return undefined;
}
const cipherSuitesLength = buffer.readUInt16BE(offset);
if (enableLogging) console.log(`Cipher Suites Length: ${cipherSuitesLength}`);
offset += 2 + cipherSuitesLength; // Skip cipher suites
// Compression methods
if (offset + 1 > buffer.length) {
if (enableLogging) console.log('Buffer too small for compression methods length');
return undefined;
}
const compressionMethodsLength = buffer.readUInt8(offset);
if (enableLogging) console.log(`Compression Methods Length: ${compressionMethodsLength}`);
offset += 1 + compressionMethodsLength; // Skip compression methods
// Extensions
if (offset + 2 > buffer.length) {
if (enableLogging) console.log('Buffer too small for extensions length');
return undefined;
}
const extensionsLength = buffer.readUInt16BE(offset);
if (enableLogging) console.log(`Extensions Length: ${extensionsLength}`);
offset += 2;
const extensionsEnd = offset + extensionsLength;
if (extensionsEnd > buffer.length) {
if (enableLogging)
console.log(
`Buffer too small for extensions. Expected end: ${extensionsEnd}, Buffer length: ${buffer.length}`
);
return undefined;
}
// Parse extensions
while (offset + 4 <= extensionsEnd) {
const extensionType = buffer.readUInt16BE(offset);
const extensionLength = buffer.readUInt16BE(offset + 2);
if (enableLogging)
console.log(`Extension Type: 0x${extensionType.toString(16)}, Length: ${extensionLength}`);
offset += 4;
if (extensionType === 0x0000) {
// SNI extension
if (offset + 2 > buffer.length) {
if (enableLogging) console.log('Buffer too small for SNI list length');
return undefined;
}
const sniListLength = buffer.readUInt16BE(offset);
if (enableLogging) console.log(`SNI List Length: ${sniListLength}`);
offset += 2;
const sniListEnd = offset + sniListLength;
if (sniListEnd > buffer.length) {
if (enableLogging)
console.log(
`Buffer too small for SNI list. Expected end: ${sniListEnd}, Buffer length: ${buffer.length}`
);
return undefined;
}
while (offset + 3 < sniListEnd) {
const nameType = buffer.readUInt8(offset++);
const nameLen = buffer.readUInt16BE(offset);
offset += 2;
if (enableLogging) console.log(`Name Type: ${nameType}, Name Length: ${nameLen}`);
if (nameType === 0) {
// host_name
if (offset + nameLen > buffer.length) {
if (enableLogging)
console.log(
`Buffer too small for hostname. Expected: ${offset + nameLen}, Got: ${
buffer.length
}`
);
return undefined;
}
const serverName = buffer.toString('utf8', offset, offset + nameLen);
if (enableLogging) console.log(`Extracted SNI: ${serverName}`);
return serverName;
}
offset += nameLen;
}
break;
} else {
offset += extensionLength;
}
}
if (enableLogging) console.log('No SNI extension found');
return undefined;
} catch (err) {
console.log(`Error extracting SNI: ${err}`);
return undefined;
}
}
/**
* Checks if a TLS record is a proper ClientHello message (more accurate than just checking record type)
* @param buffer - Buffer containing the TLS record
* @returns true if the buffer contains a proper ClientHello message
*/
function isClientHello(buffer: Buffer): boolean {
try {
if (buffer.length < 9) return false; // Too small for a proper ClientHello
// Check record type (has to be handshake - 22)
if (buffer.readUInt8(0) !== 22) return false;
// After the TLS record header (5 bytes), check the handshake type (1 for ClientHello)
if (buffer.readUInt8(5) !== 1) return false;
// Basic checks passed, this appears to be a ClientHello
return true;
} catch (err) {
console.log(`Error checking for ClientHello: ${err}`);
return false;
}
}
// SNI functions are now imported from SniHandler class
// No need for wrapper functions
// Helper: Check if a port falls within any of the given port ranges
const isPortInRanges = (port: number, ranges: Array<{ from: number; to: number }>): boolean => {
@@ -346,10 +163,7 @@ const generateConnectionId = (): string => {
return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
};
// Helper: Check if a buffer contains a TLS handshake
const isTlsHandshake = (buffer: Buffer): boolean => {
return buffer.length > 0 && buffer[0] === 22; // ContentType.handshake
};
// SNI functions are now imported from SniHandler class
// Helper: Ensure timeout values don't exceed Node.js max safe integer
const ensureSafeTimeout = (timeout: number): number => {
@@ -761,7 +575,7 @@ export class PortProxy {
record.bytesReceived += chunk.length;
// Check for TLS handshake
if (!record.isTLS && isTlsHandshake(chunk)) {
if (!record.isTLS && SniHandler.isTlsHandshake(chunk)) {
record.isTLS = true;
if (this.settings.enableTlsDebugLogging) {
@@ -1049,10 +863,10 @@ export class PortProxy {
// Define a handler for checking renegotiation with improved detection
const renegotiationHandler = (renegChunk: Buffer) => {
// Only process if this looks like a TLS ClientHello
if (isClientHello(renegChunk)) {
if (SniHandler.isClientHello(renegChunk)) {
try {
// Extract SNI from ClientHello
const newSNI = extractSNI(renegChunk, this.settings.enableTlsDebugLogging);
const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, this.settings.enableTlsDebugLogging);
// Skip if no SNI was found
if (!newSNI) return;
@@ -1644,7 +1458,7 @@ export class PortProxy {
connectionRecord.hasReceivedInitialData = true;
// Check if this looks like a TLS handshake
if (isTlsHandshake(chunk)) {
if (SniHandler.isTlsHandshake(chunk)) {
connectionRecord.isTLS = true;
// Forward directly to NetworkProxy without SNI processing
@@ -1706,7 +1520,7 @@ export class PortProxy {
this.updateActivity(connectionRecord);
// Check for TLS handshake if this is the first chunk
if (!connectionRecord.isTLS && isTlsHandshake(chunk)) {
if (!connectionRecord.isTLS && SniHandler.isTlsHandshake(chunk)) {
connectionRecord.isTLS = true;
if (this.settings.enableTlsDebugLogging) {
@@ -1714,7 +1528,7 @@ export class PortProxy {
`[${connectionId}] TLS handshake detected from ${remoteIP}, ${chunk.length} bytes`
);
// Try to extract SNI and log detailed debug info
extractSNI(chunk, true);
SniHandler.extractSNIWithResumptionSupport(chunk, true);
}
}
});
@@ -1743,7 +1557,7 @@ export class PortProxy {
connectionRecord.hasReceivedInitialData = true;
// Check if this looks like a TLS handshake
const isTlsHandshakeDetected = initialChunk && isTlsHandshake(initialChunk);
const isTlsHandshakeDetected = initialChunk && SniHandler.isTlsHandshake(initialChunk);
if (isTlsHandshakeDetected) {
connectionRecord.isTLS = true;
@@ -1912,7 +1726,7 @@ export class PortProxy {
// Try to extract SNI
let serverName = '';
if (isTlsHandshake(chunk)) {
if (SniHandler.isTlsHandshake(chunk)) {
connectionRecord.isTLS = true;
if (this.settings.enableTlsDebugLogging) {
@@ -1921,7 +1735,7 @@ export class PortProxy {
);
}
serverName = extractSNI(chunk, this.settings.enableTlsDebugLogging) || '';
serverName = SniHandler.extractSNIWithResumptionSupport(chunk, this.settings.enableTlsDebugLogging) || '';
}
// Lock the connection to the negotiated SNI.