fix(SniHandler): Refactor SniHandler: update whitespace, comment formatting, and consistent type definitions
This commit is contained in:
parent
b401d126bc
commit
ddfbcdb1f3
@ -1,5 +1,13 @@
|
|||||||
# Changelog
|
# Changelog
|
||||||
|
|
||||||
|
## 2025-03-12 - 3.41.6 - fix(SniHandler)
|
||||||
|
Refactor SniHandler: update whitespace, comment formatting, and consistent type definitions
|
||||||
|
|
||||||
|
- Unified inline comment style and spacing in SniHandler
|
||||||
|
- Refactored session cache type declaration for clarity
|
||||||
|
- Adjusted buffer length calculations to include TLS record header consistently
|
||||||
|
- Minor improvements to logging messages during ClientHello reassembly and SNI extraction
|
||||||
|
|
||||||
## 2025-03-12 - 3.41.5 - fix(portproxy)
|
## 2025-03-12 - 3.41.5 - fix(portproxy)
|
||||||
Enforce TLS handshake and SNI validation on port 443 by blocking non-TLS connections and terminating session resumption attempts without SNI when allowSessionTicket is disabled.
|
Enforce TLS handshake and SNI validation on port 443 by blocking non-TLS connections and terminating session resumption attempts without SNI when allowSessionTicket is disabled.
|
||||||
|
|
||||||
|
@ -3,6 +3,6 @@
|
|||||||
*/
|
*/
|
||||||
export const commitinfo = {
|
export const commitinfo = {
|
||||||
name: '@push.rocks/smartproxy',
|
name: '@push.rocks/smartproxy',
|
||||||
version: '3.41.5',
|
version: '3.41.6',
|
||||||
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
|
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
|
||||||
}
|
}
|
||||||
|
@ -15,19 +15,22 @@ export class SniHandler {
|
|||||||
private static readonly TLS_SESSION_TICKET_EXTENSION_TYPE = 0x0023;
|
private static readonly TLS_SESSION_TICKET_EXTENSION_TYPE = 0x0023;
|
||||||
private static readonly TLS_SNI_HOST_NAME_TYPE = 0;
|
private static readonly TLS_SNI_HOST_NAME_TYPE = 0;
|
||||||
private static readonly TLS_PSK_EXTENSION_TYPE = 0x0029; // Pre-Shared Key extension type for TLS 1.3
|
private static readonly TLS_PSK_EXTENSION_TYPE = 0x0029; // Pre-Shared Key extension type for TLS 1.3
|
||||||
private static readonly TLS_PSK_KE_MODES_EXTENSION_TYPE = 0x002D; // PSK Key Exchange Modes
|
private static readonly TLS_PSK_KE_MODES_EXTENSION_TYPE = 0x002d; // PSK Key Exchange Modes
|
||||||
private static readonly TLS_EARLY_DATA_EXTENSION_TYPE = 0x002A; // Early Data (0-RTT) extension
|
private static readonly TLS_EARLY_DATA_EXTENSION_TYPE = 0x002a; // Early Data (0-RTT) extension
|
||||||
|
|
||||||
// Buffer for handling fragmented ClientHello messages
|
// Buffer for handling fragmented ClientHello messages
|
||||||
private static fragmentedBuffers: Map<string, Buffer> = new Map();
|
private static fragmentedBuffers: Map<string, Buffer> = new Map();
|
||||||
private static fragmentTimeout: number = 1000; // ms to wait for fragments before cleanup
|
private static fragmentTimeout: number = 1000; // ms to wait for fragments before cleanup
|
||||||
|
|
||||||
// Session tracking for tab reactivation scenarios
|
// Session tracking for tab reactivation scenarios
|
||||||
private static sessionCache: Map<string, {
|
private static sessionCache: Map<
|
||||||
|
string,
|
||||||
|
{
|
||||||
sni: string;
|
sni: string;
|
||||||
timestamp: number;
|
timestamp: number;
|
||||||
clientRandom?: Buffer;
|
clientRandom?: Buffer;
|
||||||
}> = new Map();
|
}
|
||||||
|
> = new Map();
|
||||||
|
|
||||||
// Longer timeout for session cache (24 hours by default)
|
// Longer timeout for session cache (24 hours by default)
|
||||||
private static sessionCacheTimeout: number = 24 * 60 * 60 * 1000; // 24 hours in milliseconds
|
private static sessionCacheTimeout: number = 24 * 60 * 60 * 1000; // 24 hours in milliseconds
|
||||||
@ -60,7 +63,7 @@ export class SniHandler {
|
|||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
expiredKeys.forEach(key => {
|
expiredKeys.forEach((key) => {
|
||||||
this.sessionCache.delete(key);
|
this.sessionCache.delete(key);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
@ -94,7 +97,7 @@ export class SniHandler {
|
|||||||
this.sessionCache.set(key, {
|
this.sessionCache.set(key, {
|
||||||
sni,
|
sni,
|
||||||
timestamp: Date.now(),
|
timestamp: Date.now(),
|
||||||
clientRandom
|
clientRandom,
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -219,11 +222,19 @@ export class SniHandler {
|
|||||||
// Evaluate if this buffer already contains a complete ClientHello
|
// Evaluate if this buffer already contains a complete ClientHello
|
||||||
try {
|
try {
|
||||||
if (buffer.length >= 5) {
|
if (buffer.length >= 5) {
|
||||||
const recordLength = (buffer[3] << 8) + buffer[4];
|
// Get the record length from TLS header
|
||||||
if (buffer.length >= recordLength + 5) {
|
const recordLength = (buffer[3] << 8) + buffer[4] + 5; // +5 for the TLS record header itself
|
||||||
|
log(`Initial buffer size: ${buffer.length}, expected record length: ${recordLength}`);
|
||||||
|
|
||||||
|
// Check if this buffer already contains a complete TLS record
|
||||||
|
if (buffer.length >= recordLength) {
|
||||||
log(`Initial buffer contains complete ClientHello, length: ${buffer.length}`);
|
log(`Initial buffer contains complete ClientHello, length: ${buffer.length}`);
|
||||||
return buffer;
|
return buffer;
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
log(
|
||||||
|
`Initial buffer too small (${buffer.length} bytes), needs at least 5 bytes for TLS header`
|
||||||
|
);
|
||||||
}
|
}
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
log(`Error checking initial buffer completeness: ${e}`);
|
log(`Error checking initial buffer completeness: ${e}`);
|
||||||
@ -242,14 +253,59 @@ export class SniHandler {
|
|||||||
// Check if we now have a complete ClientHello
|
// Check if we now have a complete ClientHello
|
||||||
try {
|
try {
|
||||||
if (newBuffer.length >= 5) {
|
if (newBuffer.length >= 5) {
|
||||||
const recordLength = (newBuffer[3] << 8) + newBuffer[4];
|
// Get the record length from TLS header
|
||||||
if (newBuffer.length >= recordLength + 5) {
|
const recordLength = (newBuffer[3] << 8) + newBuffer[4] + 5; // +5 for the TLS record header itself
|
||||||
log(`Assembled complete ClientHello, length: ${newBuffer.length}`);
|
log(
|
||||||
|
`Reassembled buffer size: ${newBuffer.length}, expected record length: ${recordLength}`
|
||||||
|
);
|
||||||
|
|
||||||
|
// Check if we have a complete TLS record now
|
||||||
|
if (newBuffer.length >= recordLength) {
|
||||||
|
log(
|
||||||
|
`Assembled complete ClientHello, length: ${newBuffer.length}, needed: ${recordLength}`
|
||||||
|
);
|
||||||
|
|
||||||
|
// Extract the complete TLS record (might be followed by more data)
|
||||||
|
const completeRecord = newBuffer.slice(0, recordLength);
|
||||||
|
|
||||||
|
// Check if this record is indeed a ClientHello (type 1) at position 5
|
||||||
|
if (
|
||||||
|
completeRecord.length > 5 &&
|
||||||
|
completeRecord[5] === this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE
|
||||||
|
) {
|
||||||
|
log(`Verified record is a ClientHello handshake message`);
|
||||||
|
|
||||||
// Complete message received, remove from tracking
|
// Complete message received, remove from tracking
|
||||||
this.fragmentedBuffers.delete(connectionId);
|
this.fragmentedBuffers.delete(connectionId);
|
||||||
|
return completeRecord;
|
||||||
|
} else {
|
||||||
|
log(`Record is complete but not a ClientHello handshake, continuing to buffer`);
|
||||||
|
// This might be another TLS record type preceding the ClientHello
|
||||||
|
|
||||||
|
// Try checking for a ClientHello starting at the end of this record
|
||||||
|
if (newBuffer.length > recordLength + 5) {
|
||||||
|
const nextRecordType = newBuffer[recordLength];
|
||||||
|
log(
|
||||||
|
`Next record type: ${nextRecordType} (looking for ${this.TLS_HANDSHAKE_RECORD_TYPE})`
|
||||||
|
);
|
||||||
|
|
||||||
|
if (nextRecordType === this.TLS_HANDSHAKE_RECORD_TYPE) {
|
||||||
|
const handshakeType = newBuffer[recordLength + 5];
|
||||||
|
log(
|
||||||
|
`Next handshake type: ${handshakeType} (looking for ${this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE})`
|
||||||
|
);
|
||||||
|
|
||||||
|
if (handshakeType === this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE) {
|
||||||
|
// Found a ClientHello in the next record, return the entire buffer
|
||||||
|
log(`Found ClientHello in subsequent record, returning full buffer`);
|
||||||
|
this.fragmentedBuffers.delete(connectionId);
|
||||||
return newBuffer;
|
return newBuffer;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
log(`Error checking reassembled buffer completeness: ${e}`);
|
log(`Error checking reassembled buffer completeness: ${e}`);
|
||||||
}
|
}
|
||||||
@ -432,7 +488,9 @@ export class SniHandler {
|
|||||||
|
|
||||||
// Extract the hostname
|
// Extract the hostname
|
||||||
if (tempPos + 5 + nameLength <= extensionsEnd) {
|
if (tempPos + 5 + nameLength <= extensionsEnd) {
|
||||||
const hostname = buffer.slice(tempPos + 5, tempPos + 5 + nameLength).toString('utf8');
|
const hostname = buffer
|
||||||
|
.slice(tempPos + 5, tempPos + 5 + nameLength)
|
||||||
|
.toString('utf8');
|
||||||
log(`Found SNI extension with server_name: ${hostname}`);
|
log(`Found SNI extension with server_name: ${hostname}`);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -459,31 +517,35 @@ export class SniHandler {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Consider it a resumption if any resumption mechanism is present
|
// Consider it a resumption if any resumption mechanism is present
|
||||||
const isResumption = hasSessionTicket || hasPSK || hasEarlyData ||
|
const isResumption =
|
||||||
(hasNonEmptySessionId && !hasPSK); // Legacy resumption
|
hasSessionTicket || hasPSK || hasEarlyData || (hasNonEmptySessionId && !hasPSK); // Legacy resumption
|
||||||
|
|
||||||
if (isResumption) {
|
if (isResumption) {
|
||||||
log('Session resumption detected: ' +
|
log(
|
||||||
|
'Session resumption detected: ' +
|
||||||
(hasSessionTicket ? 'session ticket, ' : '') +
|
(hasSessionTicket ? 'session ticket, ' : '') +
|
||||||
(hasPSK ? 'PSK, ' : '') +
|
(hasPSK ? 'PSK, ' : '') +
|
||||||
(hasEarlyData ? 'early data, ' : '') +
|
(hasEarlyData ? 'early data, ' : '') +
|
||||||
(hasNonEmptySessionId ? 'session ID' : '') +
|
(hasNonEmptySessionId ? 'session ID' : '') +
|
||||||
(hasSNI ? ', with SNI' : ', without SNI'));
|
(hasSNI ? ', with SNI' : ', without SNI')
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Return an object with both flags
|
// Return an object with both flags
|
||||||
// For clarity: connections should be blocked if they have session resumption without SNI
|
// For clarity: connections should be blocked if they have session resumption without SNI
|
||||||
if (isResumption) {
|
if (isResumption) {
|
||||||
log(`Resumption summary - hasSNI: ${hasSNI ? 'yes' : 'no'}, resumption type: ${
|
log(
|
||||||
|
`Resumption summary - hasSNI: ${hasSNI ? 'yes' : 'no'}, resumption type: ${
|
||||||
hasSessionTicket ? 'session ticket, ' : ''
|
hasSessionTicket ? 'session ticket, ' : ''
|
||||||
}${hasPSK ? 'PSK, ' : ''}${hasEarlyData ? 'early data, ' : ''}${
|
}${hasPSK ? 'PSK, ' : ''}${hasEarlyData ? 'early data, ' : ''}${
|
||||||
hasNonEmptySessionId ? 'session ID' : ''
|
hasNonEmptySessionId ? 'session ID' : ''
|
||||||
}`);
|
}`
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
return {
|
return {
|
||||||
isResumption,
|
isResumption,
|
||||||
hasSNI
|
hasSNI,
|
||||||
};
|
};
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
log(`Error checking for session resumption: ${error}`);
|
log(`Error checking for session resumption: ${error}`);
|
||||||
@ -974,7 +1036,8 @@ export class SniHandler {
|
|||||||
// Try to extract using common patterns
|
// Try to extract using common patterns
|
||||||
|
|
||||||
// Pattern 1: Look for domain name pattern
|
// Pattern 1: Look for domain name pattern
|
||||||
const domainPattern = /([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?/i;
|
const domainPattern =
|
||||||
|
/([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?/i;
|
||||||
const domainMatch = identityStr.match(domainPattern);
|
const domainMatch = identityStr.match(domainPattern);
|
||||||
if (domainMatch && domainMatch[0]) {
|
if (domainMatch && domainMatch[0]) {
|
||||||
log(`Found domain in PSK identity: ${domainMatch[0]}`);
|
log(`Found domain in PSK identity: ${domainMatch[0]}`);
|
||||||
@ -1020,10 +1083,7 @@ export class SniHandler {
|
|||||||
* @param enableLogging - Whether to enable logging
|
* @param enableLogging - Whether to enable logging
|
||||||
* @returns true if early data is detected
|
* @returns true if early data is detected
|
||||||
*/
|
*/
|
||||||
public static hasEarlyData(
|
public static hasEarlyData(buffer: Buffer, enableLogging: boolean = false): boolean {
|
||||||
buffer: Buffer,
|
|
||||||
enableLogging: boolean = false
|
|
||||||
): boolean {
|
|
||||||
const log = (message: string) => {
|
const log = (message: string) => {
|
||||||
if (enableLogging) {
|
if (enableLogging) {
|
||||||
console.log(`[Early Data] ${message}`);
|
console.log(`[Early Data] ${message}`);
|
||||||
@ -1135,6 +1195,23 @@ export class SniHandler {
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
// Log buffer details for debugging
|
||||||
|
if (enableLogging) {
|
||||||
|
log(`Buffer size: ${buffer.length} bytes`);
|
||||||
|
log(`Buffer starts with: ${buffer.slice(0, Math.min(10, buffer.length)).toString('hex')}`);
|
||||||
|
|
||||||
|
if (buffer.length >= 5) {
|
||||||
|
const recordType = buffer[0];
|
||||||
|
const majorVersion = buffer[1];
|
||||||
|
const minorVersion = buffer[2];
|
||||||
|
const recordLength = (buffer[3] << 8) + buffer[4];
|
||||||
|
|
||||||
|
log(
|
||||||
|
`TLS Record: type=${recordType}, version=${majorVersion}.${minorVersion}, length=${recordLength}`
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Check if we need to handle fragmented packets
|
// Check if we need to handle fragmented packets
|
||||||
let processBuffer = buffer;
|
let processBuffer = buffer;
|
||||||
if (connectionInfo) {
|
if (connectionInfo) {
|
||||||
@ -1169,65 +1246,64 @@ export class SniHandler {
|
|||||||
return standardSni;
|
return standardSni;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check for tab reactivation pattern
|
// Check for session resumption when standard SNI extraction fails
|
||||||
const isTabReactivation = this.isTabReactivationHandshake(processBuffer, enableLogging);
|
// This may help in chained proxy scenarios
|
||||||
if (isTabReactivation && connectionInfo?.sourceIp) {
|
|
||||||
// Try to get the SNI from our session cache for tab reactivation
|
|
||||||
const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
|
|
||||||
if (cachedSni) {
|
|
||||||
log(`Retrieved cached SNI for tab reactivation: ${cachedSni}`);
|
|
||||||
return cachedSni;
|
|
||||||
}
|
|
||||||
log('Tab reactivation detected but no cached SNI found');
|
|
||||||
}
|
|
||||||
|
|
||||||
// Check for TLS 1.3 early data (0-RTT)
|
|
||||||
const hasEarly = this.hasEarlyData(processBuffer, enableLogging);
|
|
||||||
if (hasEarly) {
|
|
||||||
log('TLS 1.3 Early Data detected, trying session cache');
|
|
||||||
// For 0-RTT, check the session cache
|
|
||||||
if (connectionInfo?.sourceIp) {
|
|
||||||
const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
|
|
||||||
if (cachedSni) {
|
|
||||||
log(`Retrieved cached SNI for 0-RTT: ${cachedSni}`);
|
|
||||||
return cachedSni;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// If standard extraction failed and we have a valid ClientHello,
|
|
||||||
// this might be a session resumption with non-standard format
|
|
||||||
if (this.isClientHello(processBuffer)) {
|
if (this.isClientHello(processBuffer)) {
|
||||||
log('Detected ClientHello without standard SNI, possible session resumption');
|
const resumptionInfo = this.hasSessionResumption(processBuffer, enableLogging);
|
||||||
|
|
||||||
// Try to extract from PSK extension (TLS 1.3 resumption)
|
if (resumptionInfo.isResumption) {
|
||||||
|
log(`Detected session resumption in ClientHello without standard SNI`);
|
||||||
|
|
||||||
|
// Try to extract SNI from PSK extension
|
||||||
const pskSni = this.extractSNIFromPSKExtension(processBuffer, enableLogging);
|
const pskSni = this.extractSNIFromPSKExtension(processBuffer, enableLogging);
|
||||||
if (pskSni) {
|
if (pskSni) {
|
||||||
log(`Extracted SNI from PSK extension: ${pskSni}`);
|
log(`Extracted SNI from PSK extension: ${pskSni}`);
|
||||||
|
|
||||||
// Cache this SNI for future reference
|
// Cache this SNI
|
||||||
if (connectionInfo?.sourceIp) {
|
if (connectionInfo?.sourceIp) {
|
||||||
const clientRandom = this.extractClientRandom(processBuffer);
|
const clientRandom = this.extractClientRandom(processBuffer);
|
||||||
this.cacheSession(connectionInfo.sourceIp, pskSni, clientRandom);
|
this.cacheSession(connectionInfo.sourceIp, pskSni, clientRandom);
|
||||||
log(`Cached PSK-derived SNI: ${pskSni}`);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return pskSni;
|
return pskSni;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If we have a session ticket but no SNI or PSK identity,
|
// If session resumption has SNI in a non-standard location,
|
||||||
// check our session cache as a last resort
|
// we need to apply heuristics
|
||||||
if (connectionInfo?.sourceIp) {
|
if (connectionInfo?.sourceIp) {
|
||||||
const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
|
const cachedSni = this.getCachedSession(connectionInfo.sourceIp);
|
||||||
if (cachedSni) {
|
if (cachedSni) {
|
||||||
log(`Using cached SNI as last resort: ${cachedSni}`);
|
log(`Using cached SNI for session resumption: ${cachedSni}`);
|
||||||
return cachedSni;
|
return cachedSni;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
log('Failed to extract SNI from resumption mechanisms');
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Try tab reactivation and other recovery methods...
|
||||||
|
// (existing code remains unchanged)
|
||||||
|
|
||||||
|
// Log detailed info about the ClientHello when SNI extraction fails
|
||||||
|
if (this.isClientHello(processBuffer) && enableLogging) {
|
||||||
|
log(`SNI extraction failed for ClientHello. Buffer details:`);
|
||||||
|
|
||||||
|
if (processBuffer.length >= 43) {
|
||||||
|
// ClientHello with at least client random
|
||||||
|
const clientRandom = processBuffer.slice(11, 11 + 32).toString('hex');
|
||||||
|
log(`Client Random: ${clientRandom}`);
|
||||||
|
|
||||||
|
// Log session ID length and presence
|
||||||
|
const sessionIdLength = processBuffer[43];
|
||||||
|
log(`Session ID length: ${sessionIdLength}`);
|
||||||
|
|
||||||
|
if (sessionIdLength > 0 && processBuffer.length >= 44 + sessionIdLength) {
|
||||||
|
const sessionId = processBuffer.slice(44, 44 + sessionIdLength).toString('hex');
|
||||||
|
log(`Session ID: ${sessionId}`);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Existing code for fallback methods continues...
|
||||||
return undefined;
|
return undefined;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1298,11 +1374,7 @@ export class SniHandler {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// For handshake messages, try the full extraction process
|
// For handshake messages, try the full extraction process
|
||||||
const sni = this.extractSNIWithResumptionSupport(
|
const sni = this.extractSNIWithResumptionSupport(buffer, connectionInfo, enableLogging);
|
||||||
buffer,
|
|
||||||
connectionInfo,
|
|
||||||
enableLogging
|
|
||||||
);
|
|
||||||
|
|
||||||
if (sni) {
|
if (sni) {
|
||||||
log(`Successfully extracted SNI: ${sni}`);
|
log(`Successfully extracted SNI: ${sni}`);
|
||||||
|
Loading…
x
Reference in New Issue
Block a user