Compare commits
8 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| f304cc67b4 | |||
| 0e12706176 | |||
| 6daf4c914d | |||
| 36e4341315 | |||
| 474134d29c | |||
| 43378becd2 | |||
| 5ba8eb778f | |||
| 87d26c86a1 |
32
changelog.md
32
changelog.md
@ -1,5 +1,37 @@
|
||||
# Changelog
|
||||
|
||||
## 2025-03-11 - 3.38.0 - feat(SniHandler)
|
||||
Enhance SNI extraction to support fragmented ClientHello messages, TLS 1.3 early data, and improved PSK parsing
|
||||
|
||||
- Added isTlsApplicationData method for detecting TLS application data packets
|
||||
- Implemented handleFragmentedClientHello to buffer and reassemble fragmented ClientHello messages
|
||||
- Extended extractSNIWithResumptionSupport to accept connection information and use reassembled data
|
||||
- Added detection for TLS 1.3 early data (0-RTT) in the ClientHello, supporting session resumption scenarios
|
||||
- Improved logging and heuristics for handling potential connection racing in modern browsers
|
||||
|
||||
## 2025-03-11 - 3.37.3 - fix(snihandler)
|
||||
Enhance SNI extraction to support TLS 1.3 PSK-based session resumption by adding a dedicated extractSNIFromPSKExtension method and improved logging for session resumption indicators.
|
||||
|
||||
- Defined TLS_PSK_EXTENSION_TYPE and TLS_PSK_KE_MODES_EXTENSION_TYPE constants.
|
||||
- Added extractSNIFromPSKExtension method to handle ClientHello messages containing PSK identities.
|
||||
- Improved logging to indicate when session resumption indicators (ticket or PSK) are present but no standard SNI is found.
|
||||
- Enhanced extractSNIWithResumptionSupport to attempt PSK extraction if standard SNI extraction fails.
|
||||
|
||||
## 2025-03-11 - 3.37.2 - fix(PortProxy)
|
||||
Improve buffering and data handling during connection setup in PortProxy to prevent data loss
|
||||
|
||||
- Added a safeDataHandler and processDataQueue to buffer incoming data reliably during the TLS handshake phase
|
||||
- Introduced a queue with pause/resume logic to avoid exceeding maxPendingDataSize and ensure all pending data is flushed before piping begins
|
||||
- Refactored the piping setup to install the renegotiation handler only after proper data flushing
|
||||
|
||||
## 2025-03-11 - 3.37.1 - fix(PortProxy/SNI)
|
||||
Refactor SNI extraction in PortProxy to use the dedicated SniHandler class
|
||||
|
||||
- Removed local SNI extraction and handshake detection functions from classes.portproxy.ts
|
||||
- Introduced a standalone SniHandler class in ts/classes.snihandler.ts for robust SNI extraction and improved logging
|
||||
- Replaced inlined calls to isTlsHandshake and extractSNI with calls to SniHandler methods
|
||||
- Ensured consistency in handling TLS ClientHello messages across the codebase
|
||||
|
||||
## 2025-03-11 - 3.37.0 - feat(portproxy)
|
||||
Add ACME certificate management options to PortProxy, update ACME settings handling, and bump dependency versions
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@push.rocks/smartproxy",
|
||||
"version": "3.37.0",
|
||||
"version": "3.38.0",
|
||||
"private": false,
|
||||
"description": "A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.",
|
||||
"main": "dist_ts/index.js",
|
||||
|
||||
@ -3,6 +3,6 @@
|
||||
*/
|
||||
export const commitinfo = {
|
||||
name: '@push.rocks/smartproxy',
|
||||
version: '3.37.0',
|
||||
version: '3.38.0',
|
||||
description: 'A powerful proxy package that effectively handles high traffic, with features such as SSL/TLS support, port proxying, WebSocket handling, dynamic routing with authentication options, and automatic ACME certificate management.'
|
||||
}
|
||||
|
||||
@ -1,5 +1,6 @@
|
||||
import * as plugins from './plugins.js';
|
||||
import { NetworkProxy } from './classes.networkproxy.js';
|
||||
import { SniHandler } from './classes.snihandler.js';
|
||||
|
||||
/** Domain configuration with per-domain allowed port ranges */
|
||||
export interface IDomainConfig {
|
||||
@ -117,192 +118,8 @@ interface IConnectionRecord {
|
||||
domainSwitches?: number; // Number of times the domain has been switched on this connection
|
||||
}
|
||||
|
||||
/**
|
||||
* Extracts the SNI (Server Name Indication) from a TLS ClientHello packet.
|
||||
* Enhanced for robustness and detailed logging.
|
||||
* @param buffer - Buffer containing the TLS ClientHello.
|
||||
* @param enableLogging - Whether to enable detailed logging.
|
||||
* @returns The server name if found, otherwise undefined.
|
||||
*/
|
||||
function extractSNI(buffer: Buffer, enableLogging: boolean = false): string | undefined {
|
||||
try {
|
||||
// Check if buffer is too small for TLS
|
||||
if (buffer.length < 5) {
|
||||
if (enableLogging) console.log('Buffer too small for TLS header');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Check record type (has to be handshake - 22)
|
||||
const recordType = buffer.readUInt8(0);
|
||||
if (recordType !== 22) {
|
||||
if (enableLogging) console.log(`Not a TLS handshake. Record type: ${recordType}`);
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Check TLS version (has to be 3.1 or higher)
|
||||
const majorVersion = buffer.readUInt8(1);
|
||||
const minorVersion = buffer.readUInt8(2);
|
||||
if (enableLogging) console.log(`TLS Version: ${majorVersion}.${minorVersion}`);
|
||||
|
||||
// Check record length
|
||||
const recordLength = buffer.readUInt16BE(3);
|
||||
if (buffer.length < 5 + recordLength) {
|
||||
if (enableLogging)
|
||||
console.log(
|
||||
`Buffer too small for TLS record. Expected: ${5 + recordLength}, Got: ${buffer.length}`
|
||||
);
|
||||
return undefined;
|
||||
}
|
||||
|
||||
let offset = 5;
|
||||
const handshakeType = buffer.readUInt8(offset);
|
||||
if (handshakeType !== 1) {
|
||||
if (enableLogging) console.log(`Not a ClientHello. Handshake type: ${handshakeType}`);
|
||||
return undefined;
|
||||
}
|
||||
|
||||
offset += 4; // Skip handshake header (type + length)
|
||||
|
||||
// Client version
|
||||
const clientMajorVersion = buffer.readUInt8(offset);
|
||||
const clientMinorVersion = buffer.readUInt8(offset + 1);
|
||||
if (enableLogging) console.log(`Client Version: ${clientMajorVersion}.${clientMinorVersion}`);
|
||||
|
||||
offset += 2 + 32; // Skip client version and random
|
||||
|
||||
// Session ID
|
||||
const sessionIDLength = buffer.readUInt8(offset);
|
||||
if (enableLogging) console.log(`Session ID Length: ${sessionIDLength}`);
|
||||
offset += 1 + sessionIDLength; // Skip session ID
|
||||
|
||||
// Cipher suites
|
||||
if (offset + 2 > buffer.length) {
|
||||
if (enableLogging) console.log('Buffer too small for cipher suites length');
|
||||
return undefined;
|
||||
}
|
||||
const cipherSuitesLength = buffer.readUInt16BE(offset);
|
||||
if (enableLogging) console.log(`Cipher Suites Length: ${cipherSuitesLength}`);
|
||||
offset += 2 + cipherSuitesLength; // Skip cipher suites
|
||||
|
||||
// Compression methods
|
||||
if (offset + 1 > buffer.length) {
|
||||
if (enableLogging) console.log('Buffer too small for compression methods length');
|
||||
return undefined;
|
||||
}
|
||||
const compressionMethodsLength = buffer.readUInt8(offset);
|
||||
if (enableLogging) console.log(`Compression Methods Length: ${compressionMethodsLength}`);
|
||||
offset += 1 + compressionMethodsLength; // Skip compression methods
|
||||
|
||||
// Extensions
|
||||
if (offset + 2 > buffer.length) {
|
||||
if (enableLogging) console.log('Buffer too small for extensions length');
|
||||
return undefined;
|
||||
}
|
||||
const extensionsLength = buffer.readUInt16BE(offset);
|
||||
if (enableLogging) console.log(`Extensions Length: ${extensionsLength}`);
|
||||
offset += 2;
|
||||
const extensionsEnd = offset + extensionsLength;
|
||||
|
||||
if (extensionsEnd > buffer.length) {
|
||||
if (enableLogging)
|
||||
console.log(
|
||||
`Buffer too small for extensions. Expected end: ${extensionsEnd}, Buffer length: ${buffer.length}`
|
||||
);
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Parse extensions
|
||||
while (offset + 4 <= extensionsEnd) {
|
||||
const extensionType = buffer.readUInt16BE(offset);
|
||||
const extensionLength = buffer.readUInt16BE(offset + 2);
|
||||
|
||||
if (enableLogging)
|
||||
console.log(`Extension Type: 0x${extensionType.toString(16)}, Length: ${extensionLength}`);
|
||||
|
||||
offset += 4;
|
||||
|
||||
if (extensionType === 0x0000) {
|
||||
// SNI extension
|
||||
if (offset + 2 > buffer.length) {
|
||||
if (enableLogging) console.log('Buffer too small for SNI list length');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
const sniListLength = buffer.readUInt16BE(offset);
|
||||
if (enableLogging) console.log(`SNI List Length: ${sniListLength}`);
|
||||
offset += 2;
|
||||
const sniListEnd = offset + sniListLength;
|
||||
|
||||
if (sniListEnd > buffer.length) {
|
||||
if (enableLogging)
|
||||
console.log(
|
||||
`Buffer too small for SNI list. Expected end: ${sniListEnd}, Buffer length: ${buffer.length}`
|
||||
);
|
||||
return undefined;
|
||||
}
|
||||
|
||||
while (offset + 3 < sniListEnd) {
|
||||
const nameType = buffer.readUInt8(offset++);
|
||||
const nameLen = buffer.readUInt16BE(offset);
|
||||
offset += 2;
|
||||
|
||||
if (enableLogging) console.log(`Name Type: ${nameType}, Name Length: ${nameLen}`);
|
||||
|
||||
if (nameType === 0) {
|
||||
// host_name
|
||||
if (offset + nameLen > buffer.length) {
|
||||
if (enableLogging)
|
||||
console.log(
|
||||
`Buffer too small for hostname. Expected: ${offset + nameLen}, Got: ${
|
||||
buffer.length
|
||||
}`
|
||||
);
|
||||
return undefined;
|
||||
}
|
||||
|
||||
const serverName = buffer.toString('utf8', offset, offset + nameLen);
|
||||
if (enableLogging) console.log(`Extracted SNI: ${serverName}`);
|
||||
return serverName;
|
||||
}
|
||||
|
||||
offset += nameLen;
|
||||
}
|
||||
break;
|
||||
} else {
|
||||
offset += extensionLength;
|
||||
}
|
||||
}
|
||||
|
||||
if (enableLogging) console.log('No SNI extension found');
|
||||
return undefined;
|
||||
} catch (err) {
|
||||
console.log(`Error extracting SNI: ${err}`);
|
||||
return undefined;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if a TLS record is a proper ClientHello message (more accurate than just checking record type)
|
||||
* @param buffer - Buffer containing the TLS record
|
||||
* @returns true if the buffer contains a proper ClientHello message
|
||||
*/
|
||||
function isClientHello(buffer: Buffer): boolean {
|
||||
try {
|
||||
if (buffer.length < 9) return false; // Too small for a proper ClientHello
|
||||
|
||||
// Check record type (has to be handshake - 22)
|
||||
if (buffer.readUInt8(0) !== 22) return false;
|
||||
|
||||
// After the TLS record header (5 bytes), check the handshake type (1 for ClientHello)
|
||||
if (buffer.readUInt8(5) !== 1) return false;
|
||||
|
||||
// Basic checks passed, this appears to be a ClientHello
|
||||
return true;
|
||||
} catch (err) {
|
||||
console.log(`Error checking for ClientHello: ${err}`);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
// SNI functions are now imported from SniHandler class
|
||||
// No need for wrapper functions
|
||||
|
||||
// Helper: Check if a port falls within any of the given port ranges
|
||||
const isPortInRanges = (port: number, ranges: Array<{ from: number; to: number }>): boolean => {
|
||||
@ -346,10 +163,7 @@ const generateConnectionId = (): string => {
|
||||
return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
|
||||
};
|
||||
|
||||
// Helper: Check if a buffer contains a TLS handshake
|
||||
const isTlsHandshake = (buffer: Buffer): boolean => {
|
||||
return buffer.length > 0 && buffer[0] === 22; // ContentType.handshake
|
||||
};
|
||||
// SNI functions are now imported from SniHandler class
|
||||
|
||||
// Helper: Ensure timeout values don't exceed Node.js max safe integer
|
||||
const ensureSafeTimeout = (timeout: number): number => {
|
||||
@ -752,44 +566,104 @@ export class PortProxy {
|
||||
connectionOptions.localAddress = record.remoteIP.replace('::ffff:', '');
|
||||
}
|
||||
|
||||
// Create a safe queue for incoming data using a Buffer array
|
||||
// We'll use this to ensure we don't lose data during handler transitions
|
||||
const dataQueue: Buffer[] = [];
|
||||
let queueSize = 0;
|
||||
let processingQueue = false;
|
||||
let drainPending = false;
|
||||
|
||||
// Flag to track if we've switched to the final piping mechanism
|
||||
// Once this is true, we no longer buffer data in dataQueue
|
||||
let pipingEstablished = false;
|
||||
|
||||
// Pause the incoming socket to prevent buffer overflows
|
||||
// This ensures we control the flow of data until piping is set up
|
||||
socket.pause();
|
||||
|
||||
// Temporary handler to collect data during connection setup
|
||||
const tempDataHandler = (chunk: Buffer) => {
|
||||
// Track bytes received
|
||||
record.bytesReceived += chunk.length;
|
||||
// Function to safely process the data queue without losing events
|
||||
const processDataQueue = () => {
|
||||
if (processingQueue || dataQueue.length === 0 || pipingEstablished) return;
|
||||
|
||||
processingQueue = true;
|
||||
|
||||
try {
|
||||
// Process all queued chunks with the current active handler
|
||||
while (dataQueue.length > 0) {
|
||||
const chunk = dataQueue.shift()!;
|
||||
queueSize -= chunk.length;
|
||||
|
||||
// Once piping is established, we shouldn't get here,
|
||||
// but just in case, pass to the outgoing socket directly
|
||||
if (pipingEstablished && record.outgoing) {
|
||||
record.outgoing.write(chunk);
|
||||
continue;
|
||||
}
|
||||
|
||||
// Track bytes received
|
||||
record.bytesReceived += chunk.length;
|
||||
|
||||
// Check for TLS handshake
|
||||
if (!record.isTLS && isTlsHandshake(chunk)) {
|
||||
record.isTLS = true;
|
||||
// Check for TLS handshake
|
||||
if (!record.isTLS && SniHandler.isTlsHandshake(chunk)) {
|
||||
record.isTLS = true;
|
||||
|
||||
if (this.settings.enableTlsDebugLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] TLS handshake detected in tempDataHandler, ${chunk.length} bytes`
|
||||
);
|
||||
if (this.settings.enableTlsDebugLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] TLS handshake detected in tempDataHandler, ${chunk.length} bytes`
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
// Check if adding this chunk would exceed the buffer limit
|
||||
const newSize = record.pendingDataSize + chunk.length;
|
||||
|
||||
if (this.settings.maxPendingDataSize && newSize > this.settings.maxPendingDataSize) {
|
||||
console.log(
|
||||
`[${connectionId}] Buffer limit exceeded for connection from ${record.remoteIP}: ${newSize} bytes > ${this.settings.maxPendingDataSize} bytes`
|
||||
);
|
||||
socket.end(); // Gracefully close the socket
|
||||
this.initiateCleanupOnce(record, 'buffer_limit_exceeded');
|
||||
return;
|
||||
}
|
||||
|
||||
// Buffer the chunk and update the size counter
|
||||
record.pendingData.push(Buffer.from(chunk));
|
||||
record.pendingDataSize = newSize;
|
||||
this.updateActivity(record);
|
||||
}
|
||||
} finally {
|
||||
processingQueue = false;
|
||||
|
||||
// If there's a pending drain and we've processed everything,
|
||||
// signal we're ready for more data if we haven't established piping yet
|
||||
if (drainPending && dataQueue.length === 0 && !pipingEstablished) {
|
||||
drainPending = false;
|
||||
socket.resume();
|
||||
}
|
||||
}
|
||||
|
||||
// Check if adding this chunk would exceed the buffer limit
|
||||
const newSize = record.pendingDataSize + chunk.length;
|
||||
|
||||
if (this.settings.maxPendingDataSize && newSize > this.settings.maxPendingDataSize) {
|
||||
console.log(
|
||||
`[${connectionId}] Buffer limit exceeded for connection from ${record.remoteIP}: ${newSize} bytes > ${this.settings.maxPendingDataSize} bytes`
|
||||
);
|
||||
socket.end(); // Gracefully close the socket
|
||||
return this.initiateCleanupOnce(record, 'buffer_limit_exceeded');
|
||||
}
|
||||
|
||||
// Buffer the chunk and update the size counter
|
||||
record.pendingData.push(Buffer.from(chunk));
|
||||
record.pendingDataSize = newSize;
|
||||
this.updateActivity(record);
|
||||
};
|
||||
|
||||
// Add the temp handler to capture all incoming data during connection setup
|
||||
socket.on('data', tempDataHandler);
|
||||
// Unified data handler that safely queues incoming data
|
||||
const safeDataHandler = (chunk: Buffer) => {
|
||||
// If piping is already established, just let the pipe handle it
|
||||
if (pipingEstablished) return;
|
||||
|
||||
// Add to our queue for orderly processing
|
||||
dataQueue.push(Buffer.from(chunk)); // Make a copy to be safe
|
||||
queueSize += chunk.length;
|
||||
|
||||
// If queue is getting large, pause socket until we catch up
|
||||
if (this.settings.maxPendingDataSize && queueSize > this.settings.maxPendingDataSize * 0.8) {
|
||||
socket.pause();
|
||||
drainPending = true;
|
||||
}
|
||||
|
||||
// Process the queue
|
||||
processDataQueue();
|
||||
};
|
||||
|
||||
// Add our safe data handler
|
||||
socket.on('data', safeDataHandler);
|
||||
|
||||
// Add initial chunk to pending data if present
|
||||
if (initialChunk) {
|
||||
@ -962,56 +836,32 @@ export class PortProxy {
|
||||
// Add the normal error handler for established connections
|
||||
targetSocket.on('error', this.handleError('outgoing', record));
|
||||
|
||||
// Remove temporary data handler
|
||||
socket.removeListener('data', tempDataHandler);
|
||||
|
||||
// Flush all pending data to target
|
||||
if (record.pendingData.length > 0) {
|
||||
const combinedData = Buffer.concat(record.pendingData);
|
||||
targetSocket.write(combinedData, (err) => {
|
||||
if (err) {
|
||||
console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
|
||||
return this.initiateCleanupOnce(record, 'write_error');
|
||||
}
|
||||
|
||||
// Now set up piping for future data and resume the socket
|
||||
socket.pipe(targetSocket);
|
||||
targetSocket.pipe(socket);
|
||||
socket.resume(); // Resume the socket after piping is established
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
|
||||
`${
|
||||
serverName
|
||||
? ` (SNI: ${serverName})`
|
||||
: domainConfig
|
||||
? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
|
||||
: ''
|
||||
}` +
|
||||
` TLS: ${record.isTLS ? 'Yes' : 'No'}, Keep-Alive: ${
|
||||
record.hasKeepAlive ? 'Yes' : 'No'
|
||||
}`
|
||||
);
|
||||
} else {
|
||||
console.log(
|
||||
`Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
|
||||
`${
|
||||
serverName
|
||||
? ` (SNI: ${serverName})`
|
||||
: domainConfig
|
||||
? ` (Port-based for domain: ${domainConfig.domains.join(', ')})`
|
||||
: ''
|
||||
}`
|
||||
);
|
||||
}
|
||||
});
|
||||
} else {
|
||||
// No pending data, so just set up piping
|
||||
// Process any remaining data in the queue before switching to piping
|
||||
processDataQueue();
|
||||
|
||||
// Setup function to establish piping - we'll use this after flushing data
|
||||
const setupPiping = () => {
|
||||
// Mark that we're switching to piping mode
|
||||
pipingEstablished = true;
|
||||
|
||||
// Setup piping in both directions
|
||||
socket.pipe(targetSocket);
|
||||
targetSocket.pipe(socket);
|
||||
socket.resume(); // Resume the socket after piping is established
|
||||
|
||||
|
||||
// Resume the socket to ensure data flows
|
||||
socket.resume();
|
||||
|
||||
// Process any data that might be queued in the interim
|
||||
if (dataQueue.length > 0) {
|
||||
// Write any remaining queued data directly to the target socket
|
||||
for (const chunk of dataQueue) {
|
||||
targetSocket.write(chunk);
|
||||
}
|
||||
// Clear the queue
|
||||
dataQueue.length = 0;
|
||||
queueSize = 0;
|
||||
}
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(
|
||||
`[${connectionId}] Connection established: ${record.remoteIP} -> ${targetHost}:${connectionOptions.port}` +
|
||||
@ -1038,6 +888,23 @@ export class PortProxy {
|
||||
}`
|
||||
);
|
||||
}
|
||||
};
|
||||
|
||||
// Flush all pending data to target
|
||||
if (record.pendingData.length > 0) {
|
||||
const combinedData = Buffer.concat(record.pendingData);
|
||||
targetSocket.write(combinedData, (err) => {
|
||||
if (err) {
|
||||
console.log(`[${connectionId}] Error writing pending data to target: ${err.message}`);
|
||||
return this.initiateCleanupOnce(record, 'write_error');
|
||||
}
|
||||
|
||||
// Establish piping now that we've flushed the buffered data
|
||||
setupPiping();
|
||||
});
|
||||
} else {
|
||||
// No pending data, just establish piping immediately
|
||||
setupPiping();
|
||||
}
|
||||
|
||||
// Clear the buffer now that we've processed it
|
||||
@ -1045,14 +912,15 @@ export class PortProxy {
|
||||
record.pendingDataSize = 0;
|
||||
|
||||
// Add the renegotiation handler for SNI validation with strict domain enforcement
|
||||
// This will be called after we've established piping
|
||||
if (serverName) {
|
||||
// Define a handler for checking renegotiation with improved detection
|
||||
const renegotiationHandler = (renegChunk: Buffer) => {
|
||||
// Only process if this looks like a TLS ClientHello
|
||||
if (isClientHello(renegChunk)) {
|
||||
if (SniHandler.isClientHello(renegChunk)) {
|
||||
try {
|
||||
// Extract SNI from ClientHello
|
||||
const newSNI = extractSNI(renegChunk, this.settings.enableTlsDebugLogging);
|
||||
const newSNI = SniHandler.extractSNIWithResumptionSupport(renegChunk, this.settings.enableTlsDebugLogging);
|
||||
|
||||
// Skip if no SNI was found
|
||||
if (!newSNI) return;
|
||||
@ -1081,8 +949,13 @@ export class PortProxy {
|
||||
// Store the handler in the connection record so we can remove it during cleanup
|
||||
record.renegotiationHandler = renegotiationHandler;
|
||||
|
||||
// Add the listener
|
||||
// The renegotiation handler is added when piping is established
|
||||
// Making it part of setupPiping ensures proper sequencing of event handlers
|
||||
socket.on('data', renegotiationHandler);
|
||||
|
||||
if (this.settings.enableDetailedLogging) {
|
||||
console.log(`[${connectionId}] TLS renegotiation handler installed for SNI domain: ${serverName}`);
|
||||
}
|
||||
}
|
||||
|
||||
// Set connection timeout with simpler logic
|
||||
@ -1242,13 +1115,16 @@ export class PortProxy {
|
||||
const bytesReceived = record.bytesReceived;
|
||||
const bytesSent = record.bytesSent;
|
||||
|
||||
// Remove the renegotiation handler if present
|
||||
if (record.renegotiationHandler && record.incoming) {
|
||||
// Remove all data handlers (both standard and renegotiation) to make sure we clean up properly
|
||||
if (record.incoming) {
|
||||
try {
|
||||
record.incoming.removeListener('data', record.renegotiationHandler);
|
||||
// Remove our safe data handler
|
||||
record.incoming.removeAllListeners('data');
|
||||
|
||||
// Reset the handler references
|
||||
record.renegotiationHandler = undefined;
|
||||
} catch (err) {
|
||||
console.log(`[${record.id}] Error removing renegotiation handler: ${err}`);
|
||||
console.log(`[${record.id}] Error removing data handlers: ${err}`);
|
||||
}
|
||||
}
|
||||
|
||||
@ -1644,7 +1520,7 @@ export class PortProxy {
|
||||
connectionRecord.hasReceivedInitialData = true;
|
||||
|
||||
// Check if this looks like a TLS handshake
|
||||
if (isTlsHandshake(chunk)) {
|
||||
if (SniHandler.isTlsHandshake(chunk)) {
|
||||
connectionRecord.isTLS = true;
|
||||
|
||||
// Forward directly to NetworkProxy without SNI processing
|
||||
@ -1706,7 +1582,7 @@ export class PortProxy {
|
||||
this.updateActivity(connectionRecord);
|
||||
|
||||
// Check for TLS handshake if this is the first chunk
|
||||
if (!connectionRecord.isTLS && isTlsHandshake(chunk)) {
|
||||
if (!connectionRecord.isTLS && SniHandler.isTlsHandshake(chunk)) {
|
||||
connectionRecord.isTLS = true;
|
||||
|
||||
if (this.settings.enableTlsDebugLogging) {
|
||||
@ -1714,7 +1590,7 @@ export class PortProxy {
|
||||
`[${connectionId}] TLS handshake detected from ${remoteIP}, ${chunk.length} bytes`
|
||||
);
|
||||
// Try to extract SNI and log detailed debug info
|
||||
extractSNI(chunk, true);
|
||||
SniHandler.extractSNIWithResumptionSupport(chunk, true);
|
||||
}
|
||||
}
|
||||
});
|
||||
@ -1743,7 +1619,7 @@ export class PortProxy {
|
||||
connectionRecord.hasReceivedInitialData = true;
|
||||
|
||||
// Check if this looks like a TLS handshake
|
||||
const isTlsHandshakeDetected = initialChunk && isTlsHandshake(initialChunk);
|
||||
const isTlsHandshakeDetected = initialChunk && SniHandler.isTlsHandshake(initialChunk);
|
||||
if (isTlsHandshakeDetected) {
|
||||
connectionRecord.isTLS = true;
|
||||
|
||||
@ -1912,7 +1788,7 @@ export class PortProxy {
|
||||
// Try to extract SNI
|
||||
let serverName = '';
|
||||
|
||||
if (isTlsHandshake(chunk)) {
|
||||
if (SniHandler.isTlsHandshake(chunk)) {
|
||||
connectionRecord.isTLS = true;
|
||||
|
||||
if (this.settings.enableTlsDebugLogging) {
|
||||
@ -1921,7 +1797,7 @@ export class PortProxy {
|
||||
);
|
||||
}
|
||||
|
||||
serverName = extractSNI(chunk, this.settings.enableTlsDebugLogging) || '';
|
||||
serverName = SniHandler.extractSNIWithResumptionSupport(chunk, this.settings.enableTlsDebugLogging) || '';
|
||||
}
|
||||
|
||||
// Lock the connection to the negotiated SNI.
|
||||
|
||||
836
ts/classes.snihandler.ts
Normal file
836
ts/classes.snihandler.ts
Normal file
@ -0,0 +1,836 @@
|
||||
import { Buffer } from 'buffer';
|
||||
|
||||
/**
|
||||
* SNI (Server Name Indication) handler for TLS connections.
|
||||
* Provides robust extraction of SNI values from TLS ClientHello messages
|
||||
* with support for fragmented packets, TLS 1.3 resumption, and Chrome-specific
|
||||
* connection behaviors.
|
||||
*/
|
||||
export class SniHandler {
|
||||
// TLS record types and constants
|
||||
private static readonly TLS_HANDSHAKE_RECORD_TYPE = 22;
|
||||
private static readonly TLS_APPLICATION_DATA_TYPE = 23; // TLS Application Data record type
|
||||
private static readonly TLS_CLIENT_HELLO_HANDSHAKE_TYPE = 1;
|
||||
private static readonly TLS_SNI_EXTENSION_TYPE = 0x0000;
|
||||
private static readonly TLS_SESSION_TICKET_EXTENSION_TYPE = 0x0023;
|
||||
private static readonly TLS_SNI_HOST_NAME_TYPE = 0;
|
||||
private static readonly TLS_PSK_EXTENSION_TYPE = 0x0029; // Pre-Shared Key extension type for TLS 1.3
|
||||
private static readonly TLS_PSK_KE_MODES_EXTENSION_TYPE = 0x002D; // PSK Key Exchange Modes
|
||||
private static readonly TLS_EARLY_DATA_EXTENSION_TYPE = 0x002A; // Early Data (0-RTT) extension
|
||||
|
||||
// Buffer for handling fragmented ClientHello messages
|
||||
private static fragmentedBuffers: Map<string, Buffer> = new Map();
|
||||
private static fragmentTimeout: number = 1000; // ms to wait for fragments before cleanup
|
||||
|
||||
/**
|
||||
* Checks if a buffer contains a TLS handshake message (record type 22)
|
||||
* @param buffer - The buffer to check
|
||||
* @returns true if the buffer starts with a TLS handshake record type
|
||||
*/
|
||||
public static isTlsHandshake(buffer: Buffer): boolean {
|
||||
return buffer.length > 0 && buffer[0] === this.TLS_HANDSHAKE_RECORD_TYPE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if a buffer contains TLS application data (record type 23)
|
||||
* @param buffer - The buffer to check
|
||||
* @returns true if the buffer starts with a TLS application data record type
|
||||
*/
|
||||
public static isTlsApplicationData(buffer: Buffer): boolean {
|
||||
return buffer.length > 0 && buffer[0] === this.TLS_APPLICATION_DATA_TYPE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a connection ID based on source/destination information
|
||||
* Used to track fragmented ClientHello messages across multiple packets
|
||||
*
|
||||
* @param connectionInfo - Object containing connection identifiers (IP/port)
|
||||
* @returns A string ID for the connection
|
||||
*/
|
||||
public static createConnectionId(connectionInfo: {
|
||||
sourceIp?: string;
|
||||
sourcePort?: number;
|
||||
destIp?: string;
|
||||
destPort?: number;
|
||||
}): string {
|
||||
const { sourceIp, sourcePort, destIp, destPort } = connectionInfo;
|
||||
return `${sourceIp}:${sourcePort}-${destIp}:${destPort}`;
|
||||
}
|
||||
|
||||
/**
|
||||
* Handles potential fragmented ClientHello messages by buffering and reassembling
|
||||
* TLS record fragments that might span multiple TCP packets.
|
||||
*
|
||||
* @param buffer - The current buffer fragment
|
||||
* @param connectionId - Unique identifier for the connection
|
||||
* @param enableLogging - Whether to enable logging
|
||||
* @returns A complete buffer if reassembly is successful, or undefined if more fragments are needed
|
||||
*/
|
||||
public static handleFragmentedClientHello(
|
||||
buffer: Buffer,
|
||||
connectionId: string,
|
||||
enableLogging: boolean = false
|
||||
): Buffer | undefined {
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[SNI Fragment] ${message}`);
|
||||
}
|
||||
};
|
||||
|
||||
// Check if we've seen this connection before
|
||||
if (!this.fragmentedBuffers.has(connectionId)) {
|
||||
// New connection, start with this buffer
|
||||
this.fragmentedBuffers.set(connectionId, buffer);
|
||||
|
||||
// Set timeout to clean up if we don't get a complete ClientHello
|
||||
setTimeout(() => {
|
||||
if (this.fragmentedBuffers.has(connectionId)) {
|
||||
this.fragmentedBuffers.delete(connectionId);
|
||||
log(`Connection ${connectionId} timed out waiting for complete ClientHello`);
|
||||
}
|
||||
}, this.fragmentTimeout);
|
||||
|
||||
// Evaluate if this buffer already contains a complete ClientHello
|
||||
try {
|
||||
if (buffer.length >= 5) {
|
||||
const recordLength = (buffer[3] << 8) + buffer[4];
|
||||
if (buffer.length >= recordLength + 5) {
|
||||
log(`Initial buffer contains complete ClientHello, length: ${buffer.length}`);
|
||||
return buffer;
|
||||
}
|
||||
}
|
||||
} catch (e) {
|
||||
log(`Error checking initial buffer completeness: ${e}`);
|
||||
}
|
||||
|
||||
log(`Started buffering connection ${connectionId}, initial size: ${buffer.length}`);
|
||||
return undefined; // Need more fragments
|
||||
} else {
|
||||
// Existing connection, append this buffer
|
||||
const existingBuffer = this.fragmentedBuffers.get(connectionId)!;
|
||||
const newBuffer = Buffer.concat([existingBuffer, buffer]);
|
||||
this.fragmentedBuffers.set(connectionId, newBuffer);
|
||||
|
||||
log(`Appended to buffer for ${connectionId}, new size: ${newBuffer.length}`);
|
||||
|
||||
// Check if we now have a complete ClientHello
|
||||
try {
|
||||
if (newBuffer.length >= 5) {
|
||||
const recordLength = (newBuffer[3] << 8) + newBuffer[4];
|
||||
if (newBuffer.length >= recordLength + 5) {
|
||||
log(`Assembled complete ClientHello, length: ${newBuffer.length}`);
|
||||
// Complete message received, remove from tracking
|
||||
this.fragmentedBuffers.delete(connectionId);
|
||||
return newBuffer;
|
||||
}
|
||||
}
|
||||
} catch (e) {
|
||||
log(`Error checking reassembled buffer completeness: ${e}`);
|
||||
}
|
||||
|
||||
return undefined; // Still need more fragments
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if a buffer contains a TLS ClientHello message
|
||||
* @param buffer - The buffer to check
|
||||
* @returns true if the buffer appears to be a ClientHello message
|
||||
*/
|
||||
public static isClientHello(buffer: Buffer): boolean {
|
||||
// Minimum ClientHello size (TLS record header + handshake header)
|
||||
if (buffer.length < 9) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check record type (must be TLS_HANDSHAKE_RECORD_TYPE)
|
||||
if (buffer[0] !== this.TLS_HANDSHAKE_RECORD_TYPE) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Skip version and length in TLS record header (5 bytes total)
|
||||
// Check handshake type at byte 5 (must be CLIENT_HELLO)
|
||||
return buffer[5] === this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Extracts the SNI (Server Name Indication) from a TLS ClientHello message.
|
||||
* Implements robust parsing with support for session resumption edge cases.
|
||||
*
|
||||
* @param buffer - The buffer containing the TLS ClientHello message
|
||||
* @param enableLogging - Whether to enable detailed debug logging
|
||||
* @returns The extracted server name or undefined if not found
|
||||
*/
|
||||
public static extractSNI(buffer: Buffer, enableLogging: boolean = false): string | undefined {
|
||||
// Logging helper
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[SNI Extraction] ${message}`);
|
||||
}
|
||||
};
|
||||
|
||||
try {
|
||||
// Buffer must be at least 5 bytes (TLS record header)
|
||||
if (buffer.length < 5) {
|
||||
log('Buffer too small for TLS record header');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Check record type (must be TLS_HANDSHAKE_RECORD_TYPE = 22)
|
||||
if (buffer[0] !== this.TLS_HANDSHAKE_RECORD_TYPE) {
|
||||
log(`Not a TLS handshake record: ${buffer[0]}`);
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Check TLS version
|
||||
const majorVersion = buffer[1];
|
||||
const minorVersion = buffer[2];
|
||||
log(`TLS version: ${majorVersion}.${minorVersion}`);
|
||||
|
||||
// Parse record length (bytes 3-4, big-endian)
|
||||
const recordLength = (buffer[3] << 8) + buffer[4];
|
||||
log(`Record length: ${recordLength}`);
|
||||
|
||||
// Validate record length against buffer size
|
||||
if (buffer.length < recordLength + 5) {
|
||||
log('Buffer smaller than expected record length');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Start of handshake message in the buffer
|
||||
let pos = 5;
|
||||
|
||||
// Check handshake type (must be CLIENT_HELLO = 1)
|
||||
if (buffer[pos] !== this.TLS_CLIENT_HELLO_HANDSHAKE_TYPE) {
|
||||
log(`Not a ClientHello message: ${buffer[pos]}`);
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Skip handshake type (1 byte)
|
||||
pos += 1;
|
||||
|
||||
// Parse handshake length (3 bytes, big-endian)
|
||||
const handshakeLength = (buffer[pos] << 16) + (buffer[pos + 1] << 8) + buffer[pos + 2];
|
||||
log(`Handshake length: ${handshakeLength}`);
|
||||
|
||||
// Skip handshake length (3 bytes)
|
||||
pos += 3;
|
||||
|
||||
// Check client version (2 bytes)
|
||||
const clientMajorVersion = buffer[pos];
|
||||
const clientMinorVersion = buffer[pos + 1];
|
||||
log(`Client version: ${clientMajorVersion}.${clientMinorVersion}`);
|
||||
|
||||
// Skip client version (2 bytes)
|
||||
pos += 2;
|
||||
|
||||
// Skip client random (32 bytes)
|
||||
pos += 32;
|
||||
|
||||
// Parse session ID
|
||||
if (pos + 1 > buffer.length) {
|
||||
log('Buffer too small for session ID length');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
const sessionIdLength = buffer[pos];
|
||||
log(`Session ID length: ${sessionIdLength}`);
|
||||
|
||||
// Skip session ID length (1 byte) and session ID
|
||||
pos += 1 + sessionIdLength;
|
||||
|
||||
// Check if we have enough bytes left
|
||||
if (pos + 2 > buffer.length) {
|
||||
log('Buffer too small for cipher suites length');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Parse cipher suites length (2 bytes, big-endian)
|
||||
const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
log(`Cipher suites length: ${cipherSuitesLength}`);
|
||||
|
||||
// Skip cipher suites length (2 bytes) and cipher suites
|
||||
pos += 2 + cipherSuitesLength;
|
||||
|
||||
// Check if we have enough bytes left
|
||||
if (pos + 1 > buffer.length) {
|
||||
log('Buffer too small for compression methods length');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Parse compression methods length (1 byte)
|
||||
const compressionMethodsLength = buffer[pos];
|
||||
log(`Compression methods length: ${compressionMethodsLength}`);
|
||||
|
||||
// Skip compression methods length (1 byte) and compression methods
|
||||
pos += 1 + compressionMethodsLength;
|
||||
|
||||
// Check if we have enough bytes for extensions length
|
||||
if (pos + 2 > buffer.length) {
|
||||
log('No extensions present or buffer too small');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Parse extensions length (2 bytes, big-endian)
|
||||
const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
log(`Extensions length: ${extensionsLength}`);
|
||||
|
||||
// Skip extensions length (2 bytes)
|
||||
pos += 2;
|
||||
|
||||
// Extensions end position
|
||||
const extensionsEnd = pos + extensionsLength;
|
||||
|
||||
// Check if extensions length is valid
|
||||
if (extensionsEnd > buffer.length) {
|
||||
log('Extensions length exceeds buffer size');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Track if we found session tickets (for improved resumption handling)
|
||||
let hasSessionTicket = false;
|
||||
let hasPskExtension = false;
|
||||
|
||||
// Iterate through extensions
|
||||
while (pos + 4 <= extensionsEnd) {
|
||||
// Parse extension type (2 bytes, big-endian)
|
||||
const extensionType = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
log(`Extension type: 0x${extensionType.toString(16).padStart(4, '0')}`);
|
||||
|
||||
// Skip extension type (2 bytes)
|
||||
pos += 2;
|
||||
|
||||
// Parse extension length (2 bytes, big-endian)
|
||||
const extensionLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
log(`Extension length: ${extensionLength}`);
|
||||
|
||||
// Skip extension length (2 bytes)
|
||||
pos += 2;
|
||||
|
||||
// Check if this is the SNI extension
|
||||
if (extensionType === this.TLS_SNI_EXTENSION_TYPE) {
|
||||
log('Found SNI extension');
|
||||
|
||||
// Ensure we have enough bytes for the server name list
|
||||
if (pos + 2 > extensionsEnd) {
|
||||
log('Extension too small for server name list length');
|
||||
pos += extensionLength; // Skip this extension
|
||||
continue;
|
||||
}
|
||||
|
||||
// Parse server name list length (2 bytes, big-endian)
|
||||
const serverNameListLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
log(`Server name list length: ${serverNameListLength}`);
|
||||
|
||||
// Skip server name list length (2 bytes)
|
||||
pos += 2;
|
||||
|
||||
// Ensure server name list length is valid
|
||||
if (pos + serverNameListLength > extensionsEnd) {
|
||||
log('Server name list length exceeds extension size');
|
||||
break; // Exit the loop, extension parsing is broken
|
||||
}
|
||||
|
||||
// End position of server name list
|
||||
const serverNameListEnd = pos + serverNameListLength;
|
||||
|
||||
// Iterate through server names
|
||||
while (pos + 3 <= serverNameListEnd) {
|
||||
// Check name type (must be HOST_NAME_TYPE = 0 for hostname)
|
||||
const nameType = buffer[pos];
|
||||
log(`Name type: ${nameType}`);
|
||||
|
||||
if (nameType !== this.TLS_SNI_HOST_NAME_TYPE) {
|
||||
log(`Unsupported name type: ${nameType}`);
|
||||
pos += 1; // Skip name type (1 byte)
|
||||
|
||||
// Skip name length (2 bytes) and name data
|
||||
if (pos + 2 <= serverNameListEnd) {
|
||||
const nameLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2 + nameLength;
|
||||
} else {
|
||||
log('Invalid server name entry');
|
||||
break;
|
||||
}
|
||||
continue;
|
||||
}
|
||||
|
||||
// Skip name type (1 byte)
|
||||
pos += 1;
|
||||
|
||||
// Ensure we have enough bytes for name length
|
||||
if (pos + 2 > serverNameListEnd) {
|
||||
log('Server name entry too small for name length');
|
||||
break;
|
||||
}
|
||||
|
||||
// Parse name length (2 bytes, big-endian)
|
||||
const nameLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
log(`Name length: ${nameLength}`);
|
||||
|
||||
// Skip name length (2 bytes)
|
||||
pos += 2;
|
||||
|
||||
// Ensure we have enough bytes for the name
|
||||
if (pos + nameLength > serverNameListEnd) {
|
||||
log('Name length exceeds server name list size');
|
||||
break;
|
||||
}
|
||||
|
||||
// Extract server name (hostname)
|
||||
const serverName = buffer.slice(pos, pos + nameLength).toString('utf8');
|
||||
log(`Extracted server name: ${serverName}`);
|
||||
return serverName;
|
||||
}
|
||||
} else if (extensionType === this.TLS_SESSION_TICKET_EXTENSION_TYPE) {
|
||||
// If we encounter a session ticket extension, mark it for later
|
||||
log('Found session ticket extension');
|
||||
hasSessionTicket = true;
|
||||
pos += extensionLength; // Skip this extension
|
||||
} else if (extensionType === this.TLS_PSK_EXTENSION_TYPE) {
|
||||
// TLS 1.3 PSK extension - mark for resumption support
|
||||
log('Found PSK extension (TLS 1.3 resumption indicator)');
|
||||
hasPskExtension = true;
|
||||
// We'll skip the extension here and process it separately if needed
|
||||
pos += extensionLength;
|
||||
} else {
|
||||
// Skip this extension
|
||||
pos += extensionLength;
|
||||
}
|
||||
}
|
||||
|
||||
// Log if we found session resumption indicators but no SNI
|
||||
if (hasSessionTicket || hasPskExtension) {
|
||||
log('Session resumption indicators present but no SNI found');
|
||||
}
|
||||
|
||||
log('No SNI extension found in ClientHello');
|
||||
return undefined;
|
||||
} catch (error) {
|
||||
log(`Error parsing SNI: ${error instanceof Error ? error.message : String(error)}`);
|
||||
return undefined;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Attempts to extract SNI from the PSK extension in a TLS 1.3 ClientHello.
|
||||
*
|
||||
* In TLS 1.3, when a client attempts to resume a session, it may include
|
||||
* the server name in the PSK identity hint rather than in the SNI extension.
|
||||
*
|
||||
* @param buffer - The buffer containing the TLS ClientHello message
|
||||
* @param enableLogging - Whether to enable detailed debug logging
|
||||
* @returns The extracted server name or undefined if not found
|
||||
*/
|
||||
public static extractSNIFromPSKExtension(
|
||||
buffer: Buffer,
|
||||
enableLogging: boolean = false
|
||||
): string | undefined {
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[PSK-SNI Extraction] ${message}`);
|
||||
}
|
||||
};
|
||||
|
||||
try {
|
||||
// Ensure this is a ClientHello
|
||||
if (!this.isClientHello(buffer)) {
|
||||
log('Not a ClientHello message');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Find the start position of extensions
|
||||
let pos = 5; // Start after record header
|
||||
|
||||
// Skip handshake type (1 byte)
|
||||
pos += 1;
|
||||
|
||||
// Skip handshake length (3 bytes)
|
||||
pos += 3;
|
||||
|
||||
// Skip client version (2 bytes)
|
||||
pos += 2;
|
||||
|
||||
// Skip client random (32 bytes)
|
||||
pos += 32;
|
||||
|
||||
// Skip session ID
|
||||
if (pos + 1 > buffer.length) return undefined;
|
||||
const sessionIdLength = buffer[pos];
|
||||
pos += 1 + sessionIdLength;
|
||||
|
||||
// Skip cipher suites
|
||||
if (pos + 2 > buffer.length) return undefined;
|
||||
const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2 + cipherSuitesLength;
|
||||
|
||||
// Skip compression methods
|
||||
if (pos + 1 > buffer.length) return undefined;
|
||||
const compressionMethodsLength = buffer[pos];
|
||||
pos += 1 + compressionMethodsLength;
|
||||
|
||||
// Check if we have extensions
|
||||
if (pos + 2 > buffer.length) {
|
||||
log('No extensions present');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Get extensions length
|
||||
const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
// Extensions end position
|
||||
const extensionsEnd = pos + extensionsLength;
|
||||
if (extensionsEnd > buffer.length) return undefined;
|
||||
|
||||
// Look for PSK extension
|
||||
while (pos + 4 <= extensionsEnd) {
|
||||
const extensionType = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
const extensionLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
if (extensionType === this.TLS_PSK_EXTENSION_TYPE) {
|
||||
log('Found PSK extension');
|
||||
|
||||
// PSK extension structure:
|
||||
// 2 bytes: identities list length
|
||||
if (pos + 2 > extensionsEnd) break;
|
||||
const identitiesLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
// End of identities list
|
||||
const identitiesEnd = pos + identitiesLength;
|
||||
if (identitiesEnd > extensionsEnd) break;
|
||||
|
||||
// Process each PSK identity
|
||||
while (pos + 2 <= identitiesEnd) {
|
||||
// Identity length (2 bytes)
|
||||
if (pos + 2 > identitiesEnd) break;
|
||||
const identityLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
if (pos + identityLength > identitiesEnd) break;
|
||||
|
||||
// Try to extract hostname from identity
|
||||
// Chrome often embeds the hostname in the PSK identity
|
||||
// This is a heuristic as there's no standard format
|
||||
if (identityLength > 0) {
|
||||
const identity = buffer.slice(pos, pos + identityLength);
|
||||
|
||||
// Skip identity bytes
|
||||
pos += identityLength;
|
||||
|
||||
// Skip obfuscated ticket age (4 bytes)
|
||||
pos += 4;
|
||||
|
||||
// Try to parse the identity as UTF-8
|
||||
try {
|
||||
const identityStr = identity.toString('utf8');
|
||||
log(`PSK identity: ${identityStr}`);
|
||||
|
||||
// Check if the identity contains hostname hints
|
||||
// Chrome often embeds the hostname in a known format
|
||||
// Try to extract using common patterns
|
||||
|
||||
// Pattern 1: Look for domain name pattern
|
||||
const domainPattern = /([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?/i;
|
||||
const domainMatch = identityStr.match(domainPattern);
|
||||
if (domainMatch && domainMatch[0]) {
|
||||
log(`Found domain in PSK identity: ${domainMatch[0]}`);
|
||||
return domainMatch[0];
|
||||
}
|
||||
|
||||
// Pattern 2: Chrome sometimes uses a specific format with delimiters
|
||||
// This is a heuristic approach since the format isn't standardized
|
||||
const parts = identityStr.split('|');
|
||||
if (parts.length > 1) {
|
||||
for (const part of parts) {
|
||||
if (part.includes('.') && !part.includes('/')) {
|
||||
const possibleDomain = part.trim();
|
||||
if (/^[a-z0-9.-]+$/i.test(possibleDomain)) {
|
||||
log(`Found possible domain in PSK delimiter format: ${possibleDomain}`);
|
||||
return possibleDomain;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
} catch (e) {
|
||||
log('Failed to parse PSK identity as UTF-8');
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// Skip this extension
|
||||
pos += extensionLength;
|
||||
}
|
||||
}
|
||||
|
||||
log('No hostname found in PSK extension');
|
||||
return undefined;
|
||||
} catch (error) {
|
||||
log(`Error parsing PSK: ${error instanceof Error ? error.message : String(error)}`);
|
||||
return undefined;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if the buffer contains TLS 1.3 early data (0-RTT)
|
||||
* @param buffer - The buffer to check
|
||||
* @param enableLogging - Whether to enable logging
|
||||
* @returns true if early data is detected
|
||||
*/
|
||||
public static hasEarlyData(
|
||||
buffer: Buffer,
|
||||
enableLogging: boolean = false
|
||||
): boolean {
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[Early Data] ${message}`);
|
||||
}
|
||||
};
|
||||
|
||||
try {
|
||||
// Check if this is a valid ClientHello first
|
||||
if (!this.isClientHello(buffer)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Find the extensions section
|
||||
let pos = 5; // Start after record header
|
||||
|
||||
// Skip handshake type (1 byte)
|
||||
pos += 1;
|
||||
|
||||
// Skip handshake length (3 bytes)
|
||||
pos += 3;
|
||||
|
||||
// Skip client version (2 bytes)
|
||||
pos += 2;
|
||||
|
||||
// Skip client random (32 bytes)
|
||||
pos += 32;
|
||||
|
||||
// Skip session ID
|
||||
if (pos + 1 > buffer.length) return false;
|
||||
const sessionIdLength = buffer[pos];
|
||||
pos += 1 + sessionIdLength;
|
||||
|
||||
// Skip cipher suites
|
||||
if (pos + 2 > buffer.length) return false;
|
||||
const cipherSuitesLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2 + cipherSuitesLength;
|
||||
|
||||
// Skip compression methods
|
||||
if (pos + 1 > buffer.length) return false;
|
||||
const compressionMethodsLength = buffer[pos];
|
||||
pos += 1 + compressionMethodsLength;
|
||||
|
||||
// Check if we have extensions
|
||||
if (pos + 2 > buffer.length) return false;
|
||||
|
||||
// Get extensions length
|
||||
const extensionsLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
// Extensions end position
|
||||
const extensionsEnd = pos + extensionsLength;
|
||||
if (extensionsEnd > buffer.length) return false;
|
||||
|
||||
// Look for early data extension
|
||||
while (pos + 4 <= extensionsEnd) {
|
||||
const extensionType = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
const extensionLength = (buffer[pos] << 8) + buffer[pos + 1];
|
||||
pos += 2;
|
||||
|
||||
if (extensionType === this.TLS_EARLY_DATA_EXTENSION_TYPE) {
|
||||
log('Early Data (0-RTT) extension detected');
|
||||
return true;
|
||||
}
|
||||
|
||||
// Skip to next extension
|
||||
pos += extensionLength;
|
||||
}
|
||||
|
||||
return false;
|
||||
} catch (error) {
|
||||
log(`Error checking for early data: ${error}`);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Attempts to extract SNI from an initial ClientHello packet and handles
|
||||
* session resumption edge cases more robustly than the standard extraction.
|
||||
*
|
||||
* This method handles:
|
||||
* 1. Standard SNI extraction
|
||||
* 2. TLS 1.3 PSK-based resumption (Chrome, Firefox, etc.)
|
||||
* 3. Session ticket-based resumption
|
||||
* 4. Fragmented ClientHello messages
|
||||
* 5. TLS 1.3 Early Data (0-RTT)
|
||||
* 6. Chrome's connection racing behaviors
|
||||
*
|
||||
* @param buffer - The buffer containing the TLS ClientHello message
|
||||
* @param connectionInfo - Optional connection information for fragment handling
|
||||
* @param enableLogging - Whether to enable detailed debug logging
|
||||
* @returns The extracted server name or undefined if not found
|
||||
*/
|
||||
public static extractSNIWithResumptionSupport(
|
||||
buffer: Buffer,
|
||||
connectionInfo?: {
|
||||
sourceIp?: string;
|
||||
sourcePort?: number;
|
||||
destIp?: string;
|
||||
destPort?: number;
|
||||
},
|
||||
enableLogging: boolean = false
|
||||
): string | undefined {
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[SNI Extraction] ${message}`);
|
||||
}
|
||||
};
|
||||
|
||||
// Check if we need to handle fragmented packets
|
||||
let processBuffer = buffer;
|
||||
if (connectionInfo) {
|
||||
const connectionId = this.createConnectionId(connectionInfo);
|
||||
const reassembledBuffer = this.handleFragmentedClientHello(
|
||||
buffer,
|
||||
connectionId,
|
||||
enableLogging
|
||||
);
|
||||
|
||||
if (!reassembledBuffer) {
|
||||
log(`Waiting for more fragments on connection ${connectionId}`);
|
||||
return undefined; // Need more fragments to complete ClientHello
|
||||
}
|
||||
|
||||
processBuffer = reassembledBuffer;
|
||||
log(`Using reassembled buffer of length ${processBuffer.length}`);
|
||||
}
|
||||
|
||||
// First try the standard SNI extraction
|
||||
const standardSni = this.extractSNI(processBuffer, enableLogging);
|
||||
if (standardSni) {
|
||||
log(`Found standard SNI: ${standardSni}`);
|
||||
return standardSni;
|
||||
}
|
||||
|
||||
// Check for TLS 1.3 early data (0-RTT)
|
||||
const hasEarly = this.hasEarlyData(processBuffer, enableLogging);
|
||||
if (hasEarly) {
|
||||
log('TLS 1.3 Early Data detected, using special handling');
|
||||
// In 0-RTT, Chrome often relies on server remembering the SNI from previous sessions
|
||||
// We could implement session tracking here if necessary
|
||||
}
|
||||
|
||||
// If standard extraction failed and we have a valid ClientHello,
|
||||
// this might be a session resumption with non-standard format
|
||||
if (this.isClientHello(processBuffer)) {
|
||||
log('Detected ClientHello without standard SNI, possible session resumption');
|
||||
|
||||
// Try to extract from PSK extension (TLS 1.3 resumption)
|
||||
const pskSni = this.extractSNIFromPSKExtension(processBuffer, enableLogging);
|
||||
if (pskSni) {
|
||||
log(`Extracted SNI from PSK extension: ${pskSni}`);
|
||||
return pskSni;
|
||||
}
|
||||
|
||||
// Special handling for Chrome connection racing
|
||||
// Chrome often opens multiple connections in parallel with different
|
||||
// characteristics to improve performance
|
||||
// Here we would look for specific patterns in ClientHello that indicate
|
||||
// it's part of a connection race
|
||||
|
||||
// Detect if this is likely a secondary connection in a race
|
||||
// by examining the cipher suites and extensions
|
||||
// This would require session state tracking across connections
|
||||
|
||||
log('Failed to extract SNI from resumption mechanisms');
|
||||
}
|
||||
|
||||
return undefined;
|
||||
}
|
||||
|
||||
/**
|
||||
* Main entry point for SNI extraction that handles all edge cases.
|
||||
* This should be called for each TLS packet received from a client.
|
||||
*
|
||||
* The method uses connection tracking to handle fragmented ClientHello
|
||||
* messages and various TLS 1.3 behaviors, including Chrome's connection
|
||||
* racing patterns.
|
||||
*
|
||||
* @param buffer - The buffer containing TLS data
|
||||
* @param connectionInfo - Connection metadata (IPs and ports)
|
||||
* @param enableLogging - Whether to enable detailed debug logging
|
||||
* @param cachedSni - Optional cached SNI from previous connections (for racing detection)
|
||||
* @returns The extracted server name or undefined if not found or more data needed
|
||||
*/
|
||||
public static processTlsPacket(
|
||||
buffer: Buffer,
|
||||
connectionInfo: {
|
||||
sourceIp: string;
|
||||
sourcePort: number;
|
||||
destIp: string;
|
||||
destPort: number;
|
||||
timestamp?: number;
|
||||
},
|
||||
enableLogging: boolean = false,
|
||||
cachedSni?: string
|
||||
): string | undefined {
|
||||
const log = (message: string) => {
|
||||
if (enableLogging) {
|
||||
console.log(`[TLS Packet] ${message}`);
|
||||
}
|
||||
};
|
||||
|
||||
// Add timestamp if not provided
|
||||
if (!connectionInfo.timestamp) {
|
||||
connectionInfo.timestamp = Date.now();
|
||||
}
|
||||
|
||||
// Check if this is a TLS handshake
|
||||
if (!this.isTlsHandshake(buffer) && !this.isTlsApplicationData(buffer)) {
|
||||
log('Not a TLS handshake or application data packet');
|
||||
return undefined;
|
||||
}
|
||||
|
||||
// Create connection ID for tracking
|
||||
const connectionId = this.createConnectionId(connectionInfo);
|
||||
log(`Processing TLS packet for connection ${connectionId}, buffer length: ${buffer.length}`);
|
||||
|
||||
// Handle special case: if we already have a cached SNI from a previous
|
||||
// connection from the same client IP within a short time window,
|
||||
// this might be a connection racing situation
|
||||
if (cachedSni && this.isTlsApplicationData(buffer)) {
|
||||
log(`Using cached SNI from connection racing: ${cachedSni}`);
|
||||
return cachedSni;
|
||||
}
|
||||
|
||||
// Try to extract SNI with full resumption support and fragment handling
|
||||
const sni = this.extractSNIWithResumptionSupport(
|
||||
buffer,
|
||||
connectionInfo,
|
||||
enableLogging
|
||||
);
|
||||
|
||||
if (sni) {
|
||||
log(`Successfully extracted SNI: ${sni}`);
|
||||
return sni;
|
||||
}
|
||||
|
||||
// If we couldn't extract an SNI, check if this is a valid ClientHello
|
||||
// If it is, but we couldn't get an SNI, it might be a fragment or
|
||||
// a connection race situation
|
||||
if (this.isClientHello(buffer)) {
|
||||
log('Valid ClientHello detected, but no SNI extracted - might need more data');
|
||||
}
|
||||
|
||||
return undefined;
|
||||
}
|
||||
}
|
||||
@ -3,3 +3,4 @@ export * from './classes.networkproxy.js';
|
||||
export * from './classes.portproxy.js';
|
||||
export * from './classes.port80handler.js';
|
||||
export * from './classes.sslredirect.js';
|
||||
export * from './classes.snihandler.js';
|
||||
|
||||
Reference in New Issue
Block a user